syzkaller/docs/windows
2020-02-24 16:27:59 +01:00

Windows

Windows support is very raw and preliminary (read: non-working).

There is a closed-source port at Microsoft.

There is a more complete closed-source Windows port done by Fritz and zer0mem. The port has found 6 bugs including CVE-2018-8441.

Also, BSoDs in WSL: 1, 2. See the presentation BUGS ON THE WINDSHIELD: FUZZING THE WINDOWS KERNEL.

To update descriptions run (assumes cl cross-compiler is in PATH):

syz-extract -os=windows
syz-sysgen

sys/windows/windows.txt was auto-extracted from Windows headers with tools/syz-declextract.

To build binaries:

make fuzzer execprog stress TARGETOS=windows
REV=$(git rev-parse HEAD)
cl executor\executor_windows.cc /EHsc -o bin\windows_amd64\syz-executor.exe \
	-DGIT_REVISION=\"$REV\" \
	kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib \
	shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib \
	winmm.lib rpcrt4.lib Crypt32.lib imm32.lib Urlmon.lib Oleaut32.lib \
	Winscard.lib Opengl32.lib Mpr.lib Ws2_32.lib Bcrypt.lib Ncrypt.lib \
	Synchronization.lib Shell32.lib Rpcns4.lib Mswsock.lib  Mincore.lib \
	Msimg32.lib RpcRT4.lib Rpcrt4.lib lz32.lib

To run syz-stress:

bin\windows_amd64\syz-stress.exe -executor c:\full\path\to\bin\windows_amd64\syz-executor.exe

Windows is supported only by gce VMs at the moment. To use gce, create a Windows GCE VM and, inside the machine:

  • Enable serial console debugging (see this for details):
      bcdedit /debug on
      bcdedit /dbgsettings serial debugport:1 baudrate:115200 /noumex
  • Disable automatic restart in sysdm.cpl -> Advanced -> Startup and Recovery
  • Set up sshd with key auth, these instructions worked for me. Preferably use a non-admin user. Save the private ssh key.

Then shut down the machine, stop the instance and create an image from the disk. Then start syz-manager with a config similar to the following one:

{
	"name": "windows",
	"target": "windows/amd64",
	"http": ":20000",
	"workdir": "/workdir",
	"syzkaller": "/syzkaller",
	"sshkey": "/id_rsa",
	"ssh_user": "you",
	"cover": false,
	"procs": 8,
	"type": "gce",
	"vm": {
		"count": 10,
		"machine_type": "n1-highcpu-2",
		"gce_image": "your-gce-image"
	}
}
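
A pre-flight check for a config like the one above, as an added example that is not part of syzkaller: it flags an admin ssh_user, a private key readable by other users, and an "http" address with no host part. The names lintConfig, managerConfig and sample are hypothetical, the sample input is constructed, and the manager host is assumed to use Unix file modes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"os"
	"strings"
)

// managerConfig holds the fields of the config above that the checks read.
type managerConfig struct {
	Target  string `json:"target"`
	HTTP    string `json:"http"`
	SSHUser string `json:"ssh_user"`
	Type    string `json:"type"`
}

// lintConfig returns findings for a Windows/gce manager config. keyMode is the
// file mode of the "sshkey" file on the manager host (a Unix host is assumed).
func lintConfig(data []byte, keyMode os.FileMode) ([]string, error) {
	var c managerConfig
	if err := json.Unmarshal(data, &c); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	var out []string
	if c.Target != "windows/amd64" || c.Type != "gce" {
		out = append(out, "target/type: the page covers only windows/amd64 on gce")
	}
	// Heuristic (assumption): only the built-in account name is recognised.
	if strings.EqualFold(c.SSHUser, "administrator") {
		out = append(out, "ssh_user: prefer a non-admin user")
	}
	if keyMode.Perm()&0077 != 0 {
		out = append(out, "sshkey: private key is accessible to group/other")
	}
	// An empty host in a Go listen address means every interface.
	if host, _, err := net.SplitHostPort(c.HTTP); err == nil && host == "" {
		out = append(out, "http: listens on all interfaces")
	}
	return out, nil
}

// Constructed sample, not a real deployment.
const sample = `{"target":"windows/amd64","type":"gce","http":":20000","ssh_user":"Administrator"}`

func main() {
	fmt.Println(lintConfig([]byte(sample), 0644))
}
```
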