Skip to content

Latest commit

 

History

History

windows

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 

README.md

Windows

Windows support is very raw and preliminary (read, non-working).

There is a closed-source port at Microsoft.

There is a more complete closed-source Windows port done by Fritz and zer0mem. The port has found 6 bugs including CVE-2018-8441.

Also, BSoDs in WSL: 1, 2. See BUGS ON THE WINDSHIELD: FUZZING THE WINDOWS KERNEL presentation.

To update descriptions run (assumes cl cross-compiler is in PATH):

syz-extract -os=windows
syz-sysgen

sys/windows/windows.txt was auto-extracted from windows headers with tools/syz-declextract.

To build binaries:

make fuzzer execprog stress TARGETOS=windows
REV=git rev-parse HEAD
cl executor\executor_windows.cc /EHsc -o bin\windows_amd64\syz-executor.exe \
	-DGIT_REVISION=\"$REV\" \
	kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib \
	shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib \
	winmm.lib rpcrt4.lib Crypt32.lib imm32.lib Urlmon.lib Oleaut32.lib \
	Winscard.lib Opengl32.lib Mpr.lib Ws2_32.lib Bcrypt.lib Ncrypt.lib \
	Synchronization.lib Shell32.lib Rpcns4.lib Mswsock.lib  Mincore.lib \
	Msimg32.lib RpcRT4.lib Rpcrt4.lib lz32.lib

To run syz-execprog:

bin\windows_amd64\syz-execprog.exe -executor c:\full\path\to\bin\windows_amd64\syz-executor.exe -stress

Windows is supported by only gce VMs at the moment. To use gce, create a Windows GCE VM, inside of the machine:

  • Enable serial console debugging (see this for details):
bcdedit /debug on
bcdedit /dbgsettings serial debugport:1 baudrate:115200 /noumex

  • Disable automatic restart in sysdm.cpl -> Advanced -> Startup and Recovery

  • Setup sshd with key auth, these instructions worked for me. Preferably use non-admin user. Save private ssh key.

Then shutdown the machine, stop the instance and create an image from the disk. Then start syz-manager with config similar to the following one:

{
	"name": "windows",
	"target": "windows/amd64",
	"http": ":20000",
	"workdir": "/workdir",
	"syzkaller": "/syzkaller",
	"sshkey": "/id_rsa",
	"ssh_user": "you",
	"cover": false,
	"procs": 8,
	"type": "gce",
	"vm": {
		"count": 10,
		"machine_type": "n1-highcpu-2",
		"gce_image": "your-gce-image"
	}
}