https://github.com/FSecureLABS/ViridianFuzzer
Kernel driver to fuzz Hyper-V hypercalls
- Host: GitHub
- URL: https://github.com/FSecureLABS/ViridianFuzzer
- Owner: FSecureLABS
- Created: 2019-02-14T16:44:49.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2019-02-15T13:15:22.000Z (over 5 years ago)
- Last Synced: 2024-05-19T04:57:24.347Z (6 months ago)
- Language: C++
- Homepage: https://labs.mwrinfosecurity.com/blog/ventures-into-hyper-v-part-1-fuzzing-hypercalls
- Size: 30.3 KB
- Stars: 135
- Watchers: 16
- Forks: 45
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hyper-v-exploitation - Viridian Fuzzer -- Kernel driver to fuzz Hyper-V hypercalls - by Amardeep Chana, MWR Labs (Security Research Tools)
README
# Viridian Fuzzer
A kernel driver that makes hypercalls, executes CPUID, and reads/writes MSRs from CPL0.
### Requirements
- Requires a scheduled task that starts at logon with admin privileges
- Requires the ViFu3.h defines for the share address
- Store the credentials of the parent UNC path in the guest's Credential Manager
- Compiled as x64 Debug
- Tested on Win10, with the Hypercall Dispatch Table extracted for 1607
### Information
- Every time a fuzz attempt is run, it first writes info to fuzz_logger.txt and registry data to VIFU_LOG.txt
- On fuzzer start, a datetime is written to fuzz_logger.txt, and the fuzzer checks whether the log already has any data written to it. If so, it finds the latest fuzz entry, increments to the next isFast/isRep, then continues fuzzing
- To start/stop autostart of the fuzzer, create/delete the file autoStart.txt in the log share
  - The fuzzer won't start if it can't connect to the share
- To add more fuzzing rules:
  - UM: add loops to BASIC FUZZER LOOPS, or add cases to the switch() for specific conditions, e.g. different GPA memory
  - KM: if modifying GPA memory, add a new `else if` in the `case IOCTL_HYPERCALL` branch