
I got my B.Sc. in computer science and I am familiar with basic assembly language. I want to start learning about how to find vulnerabilities in Windows applications, e.g. buffer overflows, use-after-free, etc. I am looking for a path, i.e., materials for learning basics and then more advanced sources to learn from. Any help is appreciated.

Moe

3 Answers


The approaches and techniques in the book Windows Stack Exploitation: Bypass Protection are straightforward and well-grounded.

While the book's examples use Sulley, I recommend that you also look at FuzzLabs as an introductory Windows-app fuzz-testing suite. The most advanced fuzz-testing suite is Driller, which I believe will be released at the DARPA Cyber Grand Challenge in Aug 2016 -- but there are many other valid techniques.

Using the qemu-user framework with pwndbg can allow quick prototyping and execution of Windows executables under a classic Linux environment. The binary.ninja framework is a commercial solution that many are talking about as the next generation of exploitation development. However, binja is geared towards exploit dev using binary analysis techniques -- still very valid -- and I recommend some older books such as Identifying Malicious Code Through Reverse Engineering or even The Software Vulnerability Guide.

atdre

I am not sure if I am allowed to list/promote specific books or courses here in this forum. But I'm sure if you search the Internet for Windows application vulnerabilities and fuzzing, you will be able to find many tutorials. As for suggestions on what to focus on, do you understand:

  • How the stack and heap are allocated in your program's address space?

  • What is the role of the instruction pointer (EIP), stack pointer (ESP), etc.?

  • What are the calling conventions?

  • How does DLL linking happen at runtime?

  • What are the Interprocess Communication (IPC) mechanisms in Windows? What are Named Pipes?

  • Which Win32 APIs are called in a typical Windows application to process input, both from the user and from the network?

  • How to use a debugger to inspect the context of a running program/process? How does a debugger work?

  • Concepts of mutation-based and generation-based fuzzers.

All these are useful to get you started. Once you understand the basic concepts, it won't be too hard for you to follow the materials you can find online. Generally, the same concepts apply to other OSes too. But since you specifically asked about Windows, I mentioned only Windows. At least those concepts were helpful for me in understanding Windows exploits; I hope they can be helpful to you too.

xyz
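The last item in the answer above, mutation-based versus generation-based fuzzing, is easiest to see side by side. The following is an added example and not code from the answer or from any of the tools named on this page: a constructed toy record parser with a deliberate length-trust bug, a mutation fuzzer that corrupts a known-good seed, and a generation fuzzer that builds inputs from knowledge of the format, each driving the parser and counting how often it reaches the buggy path.

```python
import random

# Constructed toy target: a length-prefixed record parser. It trusts the
# declared length, so a short body reaches the IndexError path (our "crash").
def parse_record(data: bytes) -> bytes:
    if len(data) < 2 or data[0] != 0x7E:
        raise ValueError("bad header")        # graceful rejection, not a bug
    declared = data[1]
    body = data[2:2 + declared]
    if len(body) != declared:
        raise IndexError("declared length exceeds buffer")  # the bug firing
    return body

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation-based: start from a valid input and corrupt it blindly."""
    buf = bytearray(seed)
    op = rng.choice(("flip", "byte", "trunc"))
    if op == "flip":                      # flip one bit somewhere
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "byte":                    # overwrite one byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    else:                                 # truncate the tail
        del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)

def generate(rng: random.Random) -> bytes:
    """Generation-based: build inputs from a model of the format."""
    declared = rng.choice((0, 1, 5, 255))                     # boundary values
    body_len = rng.choice((declared, declared + 1, max(declared - 1, 0)))
    return bytes([0x7E, declared]) + bytes(rng.randrange(256) for _ in range(body_len))

def fuzz(strategy: str, iterations: int = 2000, seed: int = 1) -> dict:
    """Run one strategy against parse_record and tally the outcomes."""
    rng = random.Random(seed)
    valid = bytes([0x7E, 3, 1, 2, 3])    # constructed known-good seed input
    stats = {"ok": 0, "rejected": 0, "crash": 0}
    for _ in range(iterations):
        case = mutate(valid, rng) if strategy == "mutation" else generate(rng)
        try:
            parse_record(case)
            stats["ok"] += 1
        except ValueError:
            stats["rejected"] += 1
        except IndexError:
            stats["crash"] += 1
    return stats

if __name__ == "__main__":
    for s in ("mutation", "generation"):
        print(s, fuzz(s))
```

Both strategies reach the bug; the point of the comparison is that the mutation fuzzer needs only a seed, while the generation fuzzer needs a format model but spends far fewer cases on inputs rejected at the header check.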

Peach is one de facto fuzzer that provides the ability to fuzz just about any application and/or protocol. I'd suggest starting with http://www.peachfuzzer.com/products/peach-platform/

C.J. Steele