Windows Kernel Fuzzing for Intermediate Learners presented at Shakacon 2014

by Ben Nagy

Summary: This talk will cover some approaches for kernel instrumentation, including the use of my scriptable dbgeng wrapper (rBuggery) to do local kernel debugging, previously only possible with windbg or cdb/kd themselves. rBuggery is handy for scripting up extraction of kernel structs, Object Directory traversal and such, WITHOUT slow and irritating serial connections. It can also be used to hack up a pretty awful kernel tracer, but one that at least works better than windbg or anything else I found. Next up, I'll jump off from Alex Ionescu's SyScan talk this year, where he talked about ALPC and some bugs he found. We'll go through how to build a delivery system to expose the ALPC Services to at least basic attack from a client fuzzer. Because there's a lot of internals and boilerplate code required and nobody else uses Go / Ruby, I'll probably also release a simple-to-use tool that exposes the services via REST and lets you deliver tests using any language.
This talk will include a great deal of Tutelary Fail.