Fuzzing driver

Hi,

I’m developing a WDM driver. I would like to know what methods, strategies, frameworks, tools… you are using to fuzz drivers. I’m mostly interested in fuzzing IOCTLs but open to learn any kind of fuzzing to test the driver.

Any tip appreciated, thanks!

I’m developing a WDM driver

Why? A WDM driver these days is a pretty rare thing.

Peter

The base WHQL/HCK/HLK tests do some of this, like generating random ioctl codes, or generating lots of ioctls in a short time. It’s a little dangerous to do anything else generically, because they don’t know if a certain ioctl pattern might trigger the detonation sequence on your device.

Hey Peter,

I started the project years ago and I would like to cover it with some tests doing fuzzing.

@Tim_Roberts said:
The base WHQL/HCK/HLK tests do some of this, like generating random ioctl codes, or generating lots of ioctls in a short time. It’s a little dangerous to do anything else generically, because they don’t know if a certain ioctl pattern might trigger the detonation sequence on your device.

Thanks Tim, I’ll check it out

The tests to which Mr. Roberts is referring are IoSpy and IoAttack.

The former tool named “Device Path Exerciser” (DevPathExer originally DC2.exe) was excellent for testing drivers… and doing some pretty great fuzzing. A brief write-up here, also. As you’ll note from the date of that latter article, this is pretty ancient shit.

I’m not sure why this tool was discontinued (except for the fact that the code for it was pretty much a mess, the app itself was super complicated between the tests it did and the NUMEROUS sometimes odd and involved logging options, and it was inherited by the folks responsible for the WHQL tests who never did quite understand its full value). If you can find a copy of THAT, I’d recommend it highly. It can even do things like use the I/O Manager to monitor your driver over time to determine what IOCTL function codes it supports, and then POUND those IOCTLs specifically with bad buffers and whatnot. What other tool does stuff like 20K rapid opens and closes, sometimes specifying really long and weird path names after the devicename… just to see if your driver can handle it?

Peter
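Both of the approaches described in this thread (random IOCTL codes from the WHQL tests, and DevPathExer pounding the driver's real IOCTLs with bad buffers) exercise the same thing: the length and method checks a dispatch routine must perform before it touches any buffer. The following is an added, self-contained C model of that check, not code from the thread or from any of the tools named in it. It reproduces the documented CTL_CODE bit layout so it compiles without the WDK; the IOCTL codes, the structs, the names validate_ioctl, verdict_for and fuzz_validate, and the policy of rejecting METHOD_NEITHER outright are all assumptions made for the example. The generator mixes fully random codes, known codes with flipped method bits, and known codes with too-short buffers, and compares every verdict against an independent oracle.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Windows CTL_CODE layout, reproduced here so the model builds without ntddk.h
 * (portable model for the example, not the WDK header). */
#define METHOD_BUFFERED   0
#define METHOD_IN_DIRECT  1
#define METHOD_OUT_DIRECT 2
#define METHOD_NEITHER    3
#define FILE_ANY_ACCESS   0
#define FILE_DEVICE_UNKNOWN 0x22
#define CTL_CODE(DeviceType, Function, Method, Access) \
    ((uint32_t)(((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method)))
#define METHOD_FROM_CTL_CODE(c) ((c) & 3u)

/* Hypothetical IOCTLs of the driver under test (constructed for the example). */
#define IOCTL_DEMO_GET_STATE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_DEMO_SET_LIMIT CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)

typedef struct { uint32_t limit; uint32_t flags; } DEMO_SET_LIMIT_IN;   /* 8 bytes */
typedef struct { uint32_t state; } DEMO_GET_STATE_OUT;                  /* 4 bytes */

/* Model of the IRP stack parameters for IRP_MJ_DEVICE_CONTROL. */
typedef struct { uint32_t code; size_t in_len; size_t out_len; } ioctl_request;

enum verdict { IOCTL_OK = 0, IOCTL_BAD_CODE, IOCTL_BAD_METHOD,
               IOCTL_BAD_INPUT_LEN, IOCTL_BAD_OUTPUT_LEN };

/* The checks the dispatch routine performs before dereferencing anything. */
enum verdict validate_ioctl(const ioctl_request *r) {
    /* Assumed policy: this driver never uses METHOD_NEITHER, so any such code is refused
     * before the switch; with METHOD_NEITHER the lengths say nothing about buffer validity. */
    if (METHOD_FROM_CTL_CODE(r->code) == METHOD_NEITHER) return IOCTL_BAD_METHOD;
    switch (r->code) {
    case IOCTL_DEMO_SET_LIMIT:
        if (r->in_len < sizeof(DEMO_SET_LIMIT_IN)) return IOCTL_BAD_INPUT_LEN;
        return IOCTL_OK;
    case IOCTL_DEMO_GET_STATE:
        if (r->out_len < sizeof(DEMO_GET_STATE_OUT)) return IOCTL_BAD_OUTPUT_LEN;
        return IOCTL_OK;
    default:
        /* Unknown function number, device type or method bits: reject, never guess. */
        return IOCTL_BAD_CODE;
    }
}

/* Convenience wrapper so single cases are easy to state. */
enum verdict verdict_for(uint32_t code, size_t in_len, size_t out_len) {
    ioctl_request r = { code, in_len, out_len };
    return validate_ioctl(&r);
}

/* xorshift32: deterministic, so a disagreeing case can be replayed from its seed. */
static uint32_t xs32(uint32_t *s) {
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

/* Oracle: an independent statement of which requests are acceptable. */
static int oracle_accepts(const ioctl_request *r) {
    if (r->code == IOCTL_DEMO_SET_LIMIT) return r->in_len >= sizeof(DEMO_SET_LIMIT_IN);
    if (r->code == IOCTL_DEMO_GET_STATE) return r->out_len >= sizeof(DEMO_GET_STATE_OUT);
    return 0;
}

/* Generates `iterations` requests (random codes, known codes with flipped method bits,
 * known codes with lengths from 0..15) and returns how many verdicts disagree with the oracle. */
int fuzz_validate(uint32_t seed, int iterations) {
    static const uint32_t known[] = { IOCTL_DEMO_GET_STATE, IOCTL_DEMO_SET_LIMIT };
    uint32_t s = seed ? seed : 1u;
    int mismatches = 0;
    for (int i = 0; i < iterations; i++) {
        ioctl_request r;
        uint32_t pick = xs32(&s) % 4;
        if (pick == 0)      r.code = xs32(&s);                                 /* random code */
        else if (pick == 1) r.code = known[xs32(&s) % 2] ^ (xs32(&s) & 3u);   /* flip method bits */
        else                r.code = known[xs32(&s) % 2];                      /* real code, odd lengths */
        r.in_len  = xs32(&s) % 16;   /* below, at and above the struct sizes */
        r.out_len = xs32(&s) % 16;
        int accepted = (validate_ioctl(&r) == IOCTL_OK);
        if (accepted != oracle_accepts(&r)) mismatches++;
    }
    return mismatches;
}

int main(void) {
    int bad = fuzz_validate(42u, 100000);
    printf("mismatches between dispatch checks and oracle: %d\n", bad);
    return bad != 0;
}
```

In a real WDM dispatch routine the two lengths come from the current IRP stack location (Parameters.DeviceIoControl.InputBufferLength and OutputBufferLength), and the rejections complete the IRP with STATUS_BUFFER_TOO_SMALL or STATUS_INVALID_DEVICE_REQUEST; the oracle-versus-validator structure is what lets a random generator tell you anything at all, since a crash is not the only failure, a request accepted with a buffer shorter than the struct it will be read as is too.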

Thank you Peter for such a detailed response.