import pickle
import sys
import random
from ctypes import *
kernel32 = windll.kernel32
# Defines for Win32 API Calls
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
# Open the pickle and retrieve the dictionary
fd = open(sys.argv[1], "rb")
master_list = pickle.load(fd)
ioctl_list = master_list["ioctl_list"]
device_list = master_list["device_list"]
# Now test that we can retrieve valid handles to all
# device names, any that don't pass we remove from our test cases
valid_devices = []
for device_name in device_list:
# Make sure the device is accessed properly
device_file = u"\\\\.\\%s" % device_name.split("\\")[::-1][0]
print "[*] Testing for device: %s" % device_file
driver_handle = kernel32.CreateFileW(device_file,GENERIC_READ|
if driver_handle:
print "[*] Success! %s is a valid device!"
if device_file not in valid_devices:
valid_devices.append( device_file )
kernel32.CloseHandle( driver_handle )
print "[*] Failed! %s NOT a valid device."
if not len(valid_devices):
print "[*] No valid devices found. Exiting..."
# Now let's begin feeding the driver test cases until we can't bear it anymore!
# CTRL-C to exit the loop and stop fuzzing
while 1:
# Open the log file first
fd = open("my_ioctl_fuzzer.log","a")
# Pick a random device name
current_device = valid_devices[ random.randint(0, len(valid_devices)-1 ) ]
fd.write("[*] Fuzzing: %s" % current_device)
# Pick a random IOCTL code
current_ioctl = ioctl_list[ random.randint(0, len(ioctl_list)-1)]
fd.write("[*] With IOCTL: 0x%08x" % current_ioctl)
# Choose a random length
current_length = random.randint(0, 10000) y
fd.write("[*] Buffer length: %d" % current_length)
# Let's test with a buffer of repeating A's
# Feel free to create your own test cases here
in_buffer = "A" * current_length
# Give the IOCTL run an out_buffer
out_buf = (c_char * current_length)()
bytes_returned = c_ulong(current_length)
# Obtain a handle
driver_handle = kernel32.CreateFileW(device_file, GENERIC_READ|
# Run the test case
kernel32.DeviceIoControl( driver_handle, current_ioctl, in_buffer,
current_length, byref(out_buf),
current_length, byref(bytes_returned),
None )
fd.write( "[*] Test case finished. %d bytes returned.\n" % bytes_returned.value )
# Close the handle and carry on!
kernel32.CloseHandle( driver_handle )