NaFl

FAQ

  • Why NaFl?

    • NaFl means sarcastically: "It is totally Not AFL"
    • NOTE: when I say AFL, I mean AFL v.0.1 alpha ;)
  • What is it?

    • It is a prototype of a code-coverage-guided fuzzer. I wanted something like AFL to use on Windows. Unfortunately, everything looked very *NIX-centric (AFAIK), so I decided to implement the core principles from the ground up (and learned something on the way)

    • It leverages dynamic binary instrumentation (DBI) to measure code coverage in blackbox Windows binaries.

      • "Fun" fact: adding support for Intel PIN to AFL was actually my original research project, but mothran beat me to it; see his (her?) fantastic work here
      • NaFl can be thought of as this, with a Python core implementing simple fuzzing logic
  • Why does the code suck so much?

    • Don't let physicists do computer science. Or anything else for that matter :)
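As an added illustration of the loop the FAQ describes (a DBI tool reporting which basic blocks ran, and a Python core keeping only the mutations that reach new code), here is a minimal coverage-guided fuzzer. This is example code, not NaFl's own: the PinTool is replaced by the constructed stand-in `trace()`, and the `NF`-prefixed toy format and its simulated crash are invented for the demonstration.

```python
import random

def trace(data: bytes) -> list:
    # Constructed stand-in for the PinTool's coverage feed: the basic-block
    # ids a toy parser executes on `data`. Raises to simulate a crash.
    blocks = [0]
    if len(data) >= 4 and data[:2] == b"NF":
        blocks.append(1)
        if data[2] & 0x80:
            blocks.append(2)
            if data[3] == 0x00:
                raise RuntimeError("simulated access violation")
    return blocks

def edges(blocks: list) -> set:
    # AFL-style edge coverage: one id per consecutive (src, dst) block pair.
    return {(a << 16) ^ b for a, b in zip(blocks, blocks[1:])}

def mutate(data: bytes, rng: random.Random) -> bytes:
    # Three cheap mutators: bit flip, byte overwrite, byte insert/delete.
    buf = bytearray(data or b"\x00")
    op, i = rng.randrange(3), rng.randrange(len(buf))
    if op == 0:
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf[i] = rng.randrange(256)
    elif len(buf) > 1 and rng.random() < 0.5:
        del buf[i]
    else:
        buf.insert(i, rng.randrange(256))
    return bytes(buf)

def fuzz(seeds, iterations: int, seed: int = 0):
    # Keep a mutant only if it reaches a new edge; crashes are saved separately.
    rng = random.Random(seed)
    seen, queue, crashes = set(), [], []
    for s in seeds:
        seen |= edges(trace(s))
        queue.append(s)
    for _ in range(iterations):
        cand = mutate(rng.choice(queue), rng)
        try:
            new = edges(trace(cand)) - seen
        except RuntimeError:
            crashes.append(cand)
            continue
        if new:
            seen |= new
            queue.append(cand)
    return queue, seen, crashes
```

In the real tool the block ids come from the PinTool running the victim binary, and the crash files land on the collecting server described under Running.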

Installation

NaFl is written in Python (Core) and C/C++ (the DBI core). Most of the installation is straightforward:

  • Clone the project

  • There are two major directories:

    • NaFlCore: nothing to do here at installation time
    • PinTool: contains a single file "MyPinTool.cpp"
    • Compiling your own PinTool is kind of a pain, so most of the people I know use this little trick:
      • cd to Pin_directory\source\tools\MyPinTool
      • Overwrite the MyPinTool.cpp file with yours
      • Open the project in Visual Studio (I used VS Community 2013, which I strongly recommend)
      • Build the project
        • NOTE: if you get errors complaining about SafeSEH just deactivate it in the linker options.
        • Right click -> Properties -> Configuration Properties -> Linker -> All Options
        • Search for "Image Has Safe Exception Handlers" and set it to "No (/SAFESEH:NO)"
      • Move the resulting DLL to a directory of your choice (you can rename it as well)
  • That should do it.

Dependencies

  • Python 2.7.x (grab it here)

    • Recommended Python 2.7.9+ (includes pip)
  • Intel PIN (download it here)

These Python modules are part of the client's core:

  • Winappdbg (pip install winappdbg)
    • This is awesome sauce; read more here
  • SQLAlchemy (pip install sqlalchemy)

The following Python modules are needed for the server:

  • Tornado (pip install tornado)
  • Twisted (pip install twisted)

Running

Once installed, running is pretty straightforward.

  • Run the server for collecting information and crash files

    • python server\xmlrpc-server.py
  • Edit the config file

    • Location of PIN and the corresponding PinTool
    • Location of the victim binary to analyze
  • Run the core

    • python NaFlCore.py

Future Enhancements

SO MANY…

  • Plugin system

    • Pre- and post-processing of the mutation
    • Unzip / zip for container formats like DOCX and the like
    • Decrypt / Encrypt...
    • etc.
  • Static analysis of the victim binary itself

    • Cannibalize strings
    • Check proximity to str(n)cmp and the like…
  • Analysis of the samples

    • Find high entropy regions (uninteresting)
    • Find ASCII regions
    • Compare samples to find fixed tokens (PNG, etc.)
  • Regularly evaluate the quality of mutations in the queue

    • Remove ones not yielding anything interesting in a long time?
    • Trim mutations?

Thanks

This was done during my work time and therefore paid for by my current employer, Siemens AG.

Yes we do more than washing machines! ;)

Thanks for allowing this public release.

Contributors

carlosgprado
