
Suppose I have a program that has two functions, functionA and functionB, called sequentially.

functionA requires a significant amount of processing in order to execute, and in the course of the execution sets up and maintains many global variables referenced by functionB.

I want to fuzz input to functionB, but having to run functionA first forces me to wait about 10 seconds before I can see the results of a particular test.

How can I save the program state after executing functionA and resume at functionB when I want to run a set of tests?

Additionally, what mechanisms are there to alter the program variables to reflect the new fuzzing values?

NirIzr
amccormack
Intel PIN tool has an API to replay execution by saving/restoring the processor states; memory changes need to be tracked manually. Also have a look at this pdf. However, do note that the API has changed from what is mentioned in the pdf, but you will get the general idea. – 0xec May 21 '15 at 16:12
  • As mentioned above, memory accesses can be tricky to follow, as well as things like open file descriptors, etc. If you are doing some in-memory fuzzing and those functions don't have a lot of side effects it is doable. Otherwise it gets really cumbersome very quickly. – Carlos Garcia May 21 '15 at 17:37
  • Similar to the suggestions above, if functionA does not have side effects (e.g. opening/reading/writing files, calling system calls), then you can use the Context Manipulation API of Intel Pin to write your fuzzer. I have implemented such a "reverse execution" mechanism for my personal project; you can see it in (https://github.com/tathanhdinh/PathExplorer/blob/windows_version/version_1/src/base/checkpoint.cpp). I am sorry for the self-advertisement. – Ta Thanh Dinh Oct 01 '15 at 00:00

1 Answer


CreateToolhelp32Snapshot() would help for creating a snapshot of program state, especially fuzzing à la this paper.

Also, Peter Van Eeckhoutte covered what you're attempting to do (in-memory fuzzing) in this blog post.

Both are outlined step by step.

NirIzr
grepNstepN
    First paper doesn't even mention CreateToolhelp32Snapshot. Additionally, CreateToolhelp32Snapshot cannot be used to create a process snapshot that is easily useable for the purposes of execution control. – NirIzr Aug 31 '18 at 01:26
  • I said it would help, as in supplemental; also, it's not for execution control, it's to restore state: https://docs.microsoft.com/en-us/windows/desktop/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot "th32ProcessID: The process identifier of the process to be included in the snapshot. This parameter can be zero to indicate the current process. This parameter is used when the TH32CS_SNAPHEAPLIST, TH32CS_SNAPMODULE, TH32CS_SNAPMODULE32, or TH32CS_SNAPALL value is specified. Otherwise, it is ignored and all processes are included in the snapshot." – grepNstepN Sep 27 '18 at 14:01
  • One can use the CONTEXT struct for the values returned in this manner along with CreateThread, GetThreadContext and SetThreadContext. Last, I mentioned an easier, already written way via Corelan. – grepNstepN Sep 27 '18 at 14:05
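An added example, not code from the answer, the comments, or the material they link: the checkpoint-and-replay loop the question asks for, written in portable C so it runs anywhere. setjmp/longjmp stand in for the register save/restore that the last comment does with GetThreadContext/SetThreadContext, and an explicit memcpy of the globals stands in for the memory tracking the Pin comments say you have to do yourself. functionA, functionB, ProgramState and the four fuzz inputs are constructed stand-ins for the question's program and are not from the original page. The restore_memory flag shows the failure mode when only the register context is restored: the fourth case is accepted when the globals are put back after each run and rejected when they are not.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Globals that the expensive functionA builds and functionB depends on. */
typedef struct {
    uint32_t table[16];
    char     name[32];
    size_t   limit;
} ProgramState;

static ProgramState g_state;

/* Constructed stand-in for the slow functionA: the real one takes ~10 s. */
static void functionA(void)
{
    for (size_t i = 0; i < 16; i++)
        g_state.table[i] = (uint32_t)((i + 1) * 101);
    strcpy(g_state.name, "baseline");
    g_state.limit = 8;
}

/* Constructed stand-in for functionB: consumes one fuzz input and mutates the
 * globals. Returns -1 (input too short), -2 (index out of range) or a table value. */
static int functionB(const uint8_t *input, size_t len)
{
    if (len < 2)
        return -1;
    size_t idx = input[0];
    if (idx >= g_state.limit)
        return -2;
    g_state.limit -= 1;                 /* side effect a later case would observe */
    size_t n = len - 1;
    if (n > sizeof g_state.name - 1)
        n = sizeof g_state.name - 1;
    memcpy(g_state.name, input + 1, n);
    g_state.name[n] = '\0';
    return (int)g_state.table[idx];
}

/* Run functionA once, checkpoint, then replay functionB for every case.
 * setjmp/longjmp restore the register context (the GetThreadContext/
 * SetThreadContext role); the memcpy of g_state restores memory, which has to
 * be tracked by hand. restore_memory == 0 shows what breaks without that copy. */
static size_t fuzz_from_checkpoint(const uint8_t *const *cases, const size_t *lens,
                                   size_t ncases, int restore_memory, int *results)
{
    ProgramState snapshot;          /* written before setjmp, never after */
    jmp_buf checkpoint;
    volatile size_t next = 0;       /* volatile: changes between setjmp and longjmp */

    functionA();
    memcpy(&snapshot, &g_state, sizeof snapshot);
    setjmp(checkpoint);             /* every longjmp lands here with a clean stack */
    if (restore_memory)
        memcpy(&g_state, &snapshot, sizeof g_state);
    if (next < ncases) {
        size_t i = next;
        next = i + 1;
        results[i] = functionB(cases[i], lens[i]);
        longjmp(checkpoint, 1);     /* back to the checkpoint for the next case */
    }
    return next;
}

/* Constructed fuzz inputs: byte 0 is a table index, the rest is a name. */
static const uint8_t case0[] = {3, 'a', 'b'};   /* valid: table[3] = 404 */
static const uint8_t case1[] = {9, 'x'};        /* index 9 >= limit 8: -2 */
static const uint8_t case2[] = {1};             /* too short: -1 */
static const uint8_t case3[] = {7, 'z'};        /* valid only if limit is back to 8 */
static const uint8_t *const sample_cases[] = {case0, case1, case2, case3};
static const size_t sample_lens[] = {3, 2, 1, 2};
#define SAMPLE_COUNT 4

/* Result of one sample case after a full run, with or without memory restore. */
static int sample_result(int restore_memory, size_t which)
{
    int results[SAMPLE_COUNT] = {0};
    fuzz_from_checkpoint(sample_cases, sample_lens, SAMPLE_COUNT, restore_memory, results);
    return which < SAMPLE_COUNT ? results[which] : 0;
}

static size_t state_limit(void) { return g_state.limit; }

int main(void)
{
    int results[SAMPLE_COUNT];
    size_t n = fuzz_from_checkpoint(sample_cases, sample_lens, SAMPLE_COUNT, 1, results);
    for (size_t i = 0; i < n; i++)
        printf("case %zu -> %d\n", i, results[i]);
    printf("after replay: limit=%zu name=%s\n", state_limit(), g_state.name);
    return 0;
}
```

The same loop on Windows captures a CONTEXT with GetThreadContext once functionA has returned and re-applies it with SetThreadContext before each functionB call, with a saved copy of the writable memory functionB touches restored alongside it. Neither form covers functionA's external side effects (open files, sockets, other kernel state), which is the caveat the comments raise.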