0vercl0k / wtf

wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows and Linux user-mode (experimental!).
MIT License

Trace memory and directly manipulate memory #180

Closed RosenZhu closed 1 year ago

RosenZhu commented 1 year ago

Hi there!

Thanks for your great work! I have two questions about whv if you can kindly answer them.

  1. Can we directly manipulate memory using whv? For example, for the current use of hevd, the testcase is inserted by rdx/../r9. Is it possible to locate the address range of the memory related to the testcase using whv? If so, may I ask how to? (In this way, we only need to locate the entry function?)

  2. Can we trace memory using whv? For example, we insert a testcase for hevd, and the testcase is stored in memory somewhere. Is it possible to trace the change of the memory of the testcase? If we change the memory of the testcase, memory somewhere else in the VM will also be changed (let's assume there is). whv already can record the dirty pages. I'm wondering if there is a way to record the changed memory (dirty memory?). Essentially, I want to trace where the input testcase flows into.

Thanks in advance.

0vercl0k commented 1 year ago

Hello,

Thanks for the kind words 🙏🏽

  1. You can directly manipulate memory with every backend; they all give you virtual or physical memory access (VirtRead/Write, PhyReadWrite)

  2. For this question I am not 100% sure I understand exactly which memory you'd like to trace. But if you would like to trace memory accesses to certain guest memory regions, it would be very easy to do with bochscpu as it receives a callback every time memory is accessed. With the hypervisor backends you would have to implement this on your own somehow, like you would need to do it from a hypervisor.

Does this answer your questions?

Cheers

RosenZhu commented 1 year ago

Thanks for your quick response. As for the second question: assume the emulation starts at a function func(char *p, ...), and our test cases are inserted via the parameter char *p. Suppose there is another function in the target, mend(), which changes the test case (say, encrypts it) and stores the result in new memory. In this case, if we change the test case, the encrypted result will also change because the source of the encryption is the test case. The memory that holds the result is the one I want.

Is it possible to trace that?

0vercl0k commented 1 year ago

Based on your description it seems like you know where the 'encrypted' version of the testcase is stored, in which case you can simply read its content if this is what you want. If you don't know its location in memory, then it seems like you know where mend is, so you could instrument the guest by setting breakpoints in mend and dump the address or the content of the 'encrypted' buffer.

Am I understanding the question right this time? 😅

Cheers
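The two ideas raised in this thread, writing the testcase into guest memory directly and finding where it flows by hooking every memory access (the bochscpu-style callback), as an added self-contained C++ model. This is example code written for this page, not code from wtf or from either participant: `Guest_t`, `Mend`, the `kTestcaseGva`/`kEncryptedGva`/`kCounterGva` addresses and the XOR "encryption" are all constructed, and only the `VirtRead`/`VirtWrite` names mirror the backend methods mentioned above. The tracer does not need to know where mend() puts its output: it records every write during two runs with different testcases of the same length and keeps the addresses whose final bytes differ, which is exactly the "if we change the test case, the encrypted result will also change" reasoning from the question, with testcase-independent writes (the counter) dropping out.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <map>
#include <stdexcept>
#include <vector>

// Hypothetical flat guest memory with a per-access callback, modelled on the
// hook bochscpu fires on every guest memory access. The VirtRead/VirtWrite
// names mirror the wtf backend methods named in the thread, but this is a
// self-contained model, not wtf's Backend_t.
struct Guest_t {
  std::vector<uint8_t> Mem;
  // Invoked before each access with (Gva, Size, IsWrite).
  std::function<void(uint64_t, size_t, bool)> OnAccess;
  explicit Guest_t(size_t Size) : Mem(Size, 0) {}

  void Check(uint64_t Gva, size_t Size) const {
    if (Gva + Size > Mem.size())
      throw std::out_of_range("guest access out of bounds");
  }
  void VirtRead(uint64_t Gva, uint8_t *Out, size_t Size) {
    Check(Gva, Size);
    if (OnAccess) OnAccess(Gva, Size, false);
    std::copy(Mem.begin() + Gva, Mem.begin() + Gva + Size, Out);
  }
  void VirtWrite(uint64_t Gva, const uint8_t *In, size_t Size) {
    Check(Gva, Size);
    if (OnAccess) OnAccess(Gva, Size, true);
    std::copy(In, In + Size, Mem.begin() + Gva);
  }
};

// Constructed guest layout (assumed addresses, not from any real target).
constexpr uint64_t kTestcaseGva = 0x1000;   // where InsertTestcase puts p
constexpr uint64_t kEncryptedGva = 0x3000;  // mend()'s output, unknown to the tracer
constexpr uint64_t kCounterGva = 0x5000;    // unrelated state mend() also touches

// Stand-in for the target's mend(): XOR-'encrypts' the testcase into Dst and
// bumps a counter, so the trace also contains writes that do not depend on p.
void Mend(Guest_t &G, uint64_t Src, size_t Len, uint64_t Dst) {
  uint32_t Counter = 0;
  G.VirtRead(kCounterGva, reinterpret_cast<uint8_t *>(&Counter), sizeof(Counter));
  Counter++;
  G.VirtWrite(kCounterGva, reinterpret_cast<const uint8_t *>(&Counter), sizeof(Counter));
  for (size_t I = 0; I < Len; I++) {
    uint8_t B = 0;
    G.VirtRead(Src + I, &B, 1);
    B ^= 0x5a;
    G.VirtWrite(Dst + I, &B, 1);
  }
}

// One run from a fresh snapshot: insert the testcase, then execute Mend while
// the access callback records every byte address written; afterwards capture
// the final value at each of those addresses.
std::map<uint64_t, uint8_t> RunAndRecordWrites(const std::vector<uint8_t> &Testcase) {
  Guest_t G(0x6000);
  G.VirtWrite(kTestcaseGva, Testcase.data(), Testcase.size());
  std::map<uint64_t, uint8_t> Written;
  G.OnAccess = [&](uint64_t Gva, size_t Size, bool IsWrite) {
    if (!IsWrite) return;
    for (size_t I = 0; I < Size; I++) Written[Gva + I] = 0;
  };
  Mend(G, kTestcaseGva, Testcase.size(), kEncryptedGva);
  G.OnAccess = nullptr;
  for (auto &KV : Written) KV.second = G.Mem[KV.first];
  return Written;
}

// Differential trace: run twice with different testcases of the same length.
// Addresses written in both runs whose final bytes differ are the ones whose
// contents derive from the testcase; the counter is written identically in
// both runs and drops out.
std::vector<uint64_t> FindTestcaseDependentWrites(const std::vector<uint8_t> &A,
                                                  const std::vector<uint8_t> &B) {
  const auto WA = RunAndRecordWrites(A);
  const auto WB = RunAndRecordWrites(B);
  std::vector<uint64_t> Dependent;
  for (const auto &KV : WA) {
    const auto It = WB.find(KV.first);
    if (It != WB.end() && It->second != KV.second) Dependent.push_back(KV.first);
  }
  return Dependent;
}

int main() {
  // Flip one byte of the testcase: only the matching output byte should show up.
  const auto Hits = FindTestcaseDependentWrites({'A', 'A', 'A', 'A'}, {'A', 'B', 'A', 'A'});
  for (const uint64_t Gva : Hits)
    std::printf("testcase-dependent write at %#llx\n", static_cast<unsigned long long>(Gva));
  return 0;
}
```

Flipping a single testcase byte pins down the corresponding output byte, so flipping every byte over a few runs recovers the whole output region; on a real backend the same logic would sit in the access callback (bochscpu) or in a dirty-page diff after each run, and the recovered range can then be read back with VirtRead at a breakpoint on mend's return, as suggested above.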

RosenZhu commented 1 year ago

Thanks!