def PackMute(self):
rdata = ""
rdata += self.DATA[:self.e_lfanew] # DOS_HEADER ~ STUB_CODE
rdata += self.PE_HEADER[0x0:0x4] # Signature
lfh_zzuf = pyZZUF(self.PE_HEADER[IMAGE_FILE_HEADER:IMAGE_OPTIONAL_HEADER])
lfh_zzuf.set_ratio(0.3)
rdata += lfh_zzuf.mutate().tostring() # PE_HEADER 1
loh_zzuf1 = pyZZUF(self.PE_HEADER[IMAGE_OPTIONAL_HEADER:IMAGE_OPTIONAL_HEADER+0x10])
loh_zzuf1.set_ratio(0.3)
rdata += loh_zzuf1.mutate().tostring() # PE_HEADER 2
rdata += struct.pack('<I',self.EP) # EP
loh_zzuf2 = pyZZUF(self.PE_HEADER[IMAGE_OPTIONAL_HEADER+0x14:self.EP])
loh_zzuf2.set_ratio(0.3)
rdata += loh_zzuf2.mutate().tostring() # PE_HEADER 3
rdata += self.PE_HEADER[self.EP:self.EP+0x20] #Save Packer Signature
ep_zzuf3 = pyZZUF(self.PE_HEADER[self.EP+0x20:])
ep_zzuf3.set_ratio(0.3)
rdata += ep_zzuf3.mutate().tostring()
return rdata
def blob_generator(blob):
zzuf = pyZZUF(blob)
yield blob
# Very tricky seed value
zzuf.set_seed(666)
zzuf.set_fuzz_mode(FUZZ_MODE_XOR)
for data in zzuf.mutagen(start=0.0, stop=1, step=0.001):
yield data.tostring()
def blob_generator(blob):
zzuf = pyZZUF(blob)
yield blob
# Very tricky seed value
zzuf.set_seed(666)
zzuf.set_fuzz_mode(FUZZ_MODE_XOR)
for data in zzuf.mutagen(start=0.0, stop=1, step=0.001):
yield data.tostring()
def sevenzip_fuzz(self): # so dirty......
SIGN = self.INPUT[:6]
zzbuf = pyZZUF(self.INPUT[6:])
zzbuf.set_ratio(0.3)
rdata = ""
rdata += SIGN
rdata += zzbuf.mutate().tostring()
return rdata
def zzmutate(seed, ratio, input_file):
ratio = float(ratio) / 100
zzuf = pyZZUF(input_file)
zzuf.set_seed(seed)
zzuf.set_ratio(ratio)
outfile = 's' + str(seed) + "__" + 'r' + str(ratio).replace('.', '_')
with open(outfile, 'wb') as fout:
mut_data = zzuf.mutate()
fout.write(mut_data)
fout.close()
logging.debug("Testcase is %s" % outfile)
file_path = os.getcwd() + '\\' + outfile
return file_path
def thread_it(fuzz_range_start, fuzz_range_end, number_of_samples, data_to_be_flipped, extension):
for x in range(0, int(number_of_samples)):
zzuf = pyZZUF(data_to_be_flipped)
# Random seed (default 0)
zzuf.set_seed(9)
# Bit fuzzing ratio (default 0.004)
zzuf.set_ratio(0.91)
# Only fuzz bytes at offsets within <ranges>
zzuf.set_fuzz_bytes([[fuzz_range_start, fuzz_range_end]])
# zzuf.set_fuzz_bytes([[0, 3], [6, EOF]])
# Fuzzing mode <mode> ([xor] set unset)
zzuf.set_fuzz_mode(FUZZ_MODE_XOR)
with open("generated_samples_folder/" + "sample" + str(x) + "-" + str(fuzz_range_start) + "-" + str(
fuzz_range_end) + extension, 'wb') as output:
output.write(zzuf.mutate())
def gzip_fuzz(self):
length = len(self.INPUT)
SIGN = self.INPUT[:2]
CHECKSUM = self.INPUT[length - 8:length - 4]
FILESIZE = self.INPUT[length - 4:]
zzbuf = pyZZUF(self.INPUT[2:])
zzbuf.set_ratio(0.3)
rdata = ""
rdata += SIGN
rdata += zzbuf.mutate().tostring()
rdata += CHECKSUM
rdata += FILESIZE
return rdata
def Mutation(self):
with open(self.SEED_DIR + self.FILENAME, 'rb') as f:
ole = f.read()
ole = ole[8:]
ole = pyZZUF(ole)
ole.set_ratio(0.3)
ole_write = ole.mutate().tostring()
try:
with open(self.OUT_DIR + self.FILENAME, 'wb') as f:
f.write(ole_write)
return True
except IOError as error:
print error
return False
def rar_fuzz(self):
SIGN = self.INPUT[:0x5]
HEADER_SIZE = self.INPUT[0x5:0x7]
FILE_CHECKSUM = self.INPUT[0x24:0x28]
BHEADER_SIZE = self.INPUT[0x19:0x1b]
HEAD_TYPE1 = chr(0x73)
HEAD_TYPE2 = chr(0x74)
fuzzed_data = pyZZUF(self.INPUT)
fuzzed_data.set_ratio(0.3)
fuzzed_data = fuzzed_data.mutate().tostring()
rdata = ""
rdata += SIGN
rdata += HEADER_SIZE
tmp_data = HEAD_TYPE1
tmp_data += fuzzed_data[0xa:0x14]
HEADER_CRC = zlib.crc32(tmp_data) & 0xffffffff
rdata += chr(HEADER_CRC & 0xff)
rdata += chr((HEADER_CRC >> 8) & 0xff)
rdata += tmp_data
size = ord(BHEADER_SIZE[0]) + 0xff * ord(BHEADER_SIZE[1])
tmp_data = HEAD_TYPE2
tmp_data += fuzzed_data[0x17:0x19]
tmp_data += BHEADER_SIZE
tmp_data += fuzzed_data[0x1b:0x24]
tmp_data += FILE_CHECKSUM
tmp_data += fuzzed_data[0x28:0x14 + size]
BHEADER_CRC = zlib.crc32(tmp_data) & 0xffffffff
rdata += chr(BHEADER_CRC & 0xff)
rdata += chr((BHEADER_CRC >> 8) & 0xff)
rdata += tmp_data
rdata += fuzzed_data[0x14 + size:-7]
END_CRC = self.INPUT[-7:]
rdata += END_CRC
return rdata
def thread_it(fuzz_range_start, fuzz_range_end, number_of_samples,
data_to_be_flipped, extension):
for x in range(0, int(number_of_samples)):
zzuf = pyZZUF(data_to_be_flipped)
# Random seed (default 0)
zzuf.set_seed(9)
# Bit fuzzing ratio (default 0.004)
zzuf.set_ratio(0.91)
# Only fuzz bytes at offsets within <ranges>
zzuf.set_fuzz_bytes([[fuzz_range_start, fuzz_range_end]])
# zzuf.set_fuzz_bytes([[0, 3], [6, EOF]])
# Fuzzing mode <mode> ([xor] set unset)
zzuf.set_fuzz_mode(FUZZ_MODE_XOR)
with open(
"generated_samples_folder/" + "sample" + str(x) + "-" +
str(fuzz_range_start) + "-" + str(fuzz_range_end) + extension,
'wb') as output:
output.write(zzuf.mutate())
def mutation(self, test_file):
mutation_file = test_file
print '- file name: ', mutation_file
self.ole = olefile.OleFileIO(mutation_file, write_mode=True)
#field1의 특정 오프셋부터 일정 바이트를 field2의 특정 오프셋부터 일정 바이트로 덮어쓸것
field1, field2 = self.hwp_field_select()
print '- selected field: ', field1, field2
#랜덤으로 선택된 필드 읽어들이기
stream1 = self.ole.openstream(field1)
stream2 = self.ole.openstream(field2)
data1 = stream1.read()
data2 = stream2.read()
stream1.seek(0)
stream2.seek(0)
size1 = self.hwp_field_size[field1]
size2 = self.hwp_field_size[field2]
#print size1, size2
if size1 < 5000 and size2 < 5000:
rannum = random.randrange(1, 4)
else:
rannum = random.randrange(2, 4)
if rannum == 1:
if size1 > size2:
#data1이 덮어씌어지기 전에 임시 buf에 저장
temp_buf = data1
temp_stream = stream1
#1) field1 <--- field2
#필드 사이즈 차이 계산해서 같은 크기로 맞추기
num = size1 / size2
data2 = data2 * num
sub = size1 - len(data2)
#data1과 data2의 사이즈가 같아짐
data2 = stream2.read(sub) + data2
self.ole.write_stream(field1, data2)
#2) field2 <--- field1
#data1과 stream1을 원래대로 복구
data1 = temp_buf
stream1 = temp_stream
#stream1을 size2만큼 읽어서 field2에 덮어쓰기
data1 = stream1.read(size2)
self.ole.write_stream(field2, data1)
elif size2 > size1:
temp_buf = data1
temp_stream = stream1
#1) field1 <--- field2
data2 = stream2.read(size1)
self.ole.write_stream(field1, data2)
#2) field2 <--- field1
data1 = temp_buf
sream1 = temp_stream
num = size2 / size1
data1 = data1 * num
sub = size2 - len(data1)
data1 = stream1.read(sub) + data1
self.ole.write_stream(field2, data1)
else:
pass
if rannum == 2:
if size1 < 300 or size2 < 300:
size = min(size1, size2) / 2
rand_offset1 = random.randrange(1, size1 - size - 1)
rand_offset2 = random.randrange(1, size2 - size - 1)
data2_cut = data2[rand_offset2:rand_offset2 + size]
data1 = data1[:rand_offset1] + data2_cut + data1[rand_offset1 +
size:]
self.ole.write_stream(field1, data1)
'''
if size1<20 or size2<20:
size=min(size1,size2)/2
rand_offset1=random.randrange(1,size1-11)
rand_offset2=random.randrange(1,size2-11)
data2_cut=data2[rand_offset2:rand_offset2+10]
data1=data1[:rand_offset1]+data2_cut+data1[rand_offset1+10:]
self.ole.write_stream(field1,data1)
'''
else:
rand_offset1 = random.randrange(1, size1 - 301)
rand_offset2 = random.randrange(1, size2 - 301)
data2_cut = data2[rand_offset2:rand_offset2 + 300]
data1 = data1[:rand_offset1] + data2_cut + data1[rand_offset1 +
300:]
self.ole.write_stream(field1, data1)
if rannum == 3:
if size1 < 300 or size2 < 300:
size = min(size1, size2) / 2
rand_offset1 = random.randrange(1, size1 - size - 1)
rand_offset2 = random.randrange(1, size2 - size - 1)
data1_cut = data1[rand_offset1:rand_offset1 + size]
zzuf = pyZZUF(data1_cut)
zzuf.set_seed(int(random.randrange(0, 255)))
zzuf.set_ratio(0.03)
zzuf_data = zzuf.mutate()
data1 = data1[:rand_offset1] + str(
zzuf_data) + data1[rand_offset1 + size:]
self.ole.write_stream(field1, data1)
'''
if size1<20 or size2<20:
rand_offset1=random.randrange(1,size1-11)
rand_offset2=random.randrange(1,size2-11)
data1_cut=data1[rand_offset1:rand_offset1+10]
zzuf=pyZZUF(data1_cut)
zzuf.set_seed(int(random.randrange(0,255)))
zzuf.set_ratio(0.03)
zzuf_data=zzuf.mutate()
data1=data1[:rand_offset1]+str(zzuf_data)+data1[rand_offset1+10:]
self.ole.write_stream(field1,data1)
'''
else:
rand_offset1 = random.randrange(1, size1 - 301)
rand_offset2 = random.randrange(1, size2 - 301)
#print hexdump(data1)
data1_cut = data1[rand_offset1:rand_offset1 + 300]
zzuf = pyZZUF(data1_cut)
zzuf.set_seed(int(random.randrange(0, 255)))
zzuf.set_ratio(0.03)
zzuf_data = zzuf.mutate()
data1 = data1[:rand_offset1] + str(
zzuf_data) + data1[rand_offset1 + 300:]
self.ole.write_stream(field1, data1)
def test_flipping():
for x in range(100, 200):
print pyZZUF(str(x)).mutate()
def test_flipping():
for x in range(100, 200):
print pyZZUF(str(x)).mutate()
