Windows storage driver fuzz test using IoAttack from WDK tests issue

  • Question

  • Hi

    I want to test my storage driver using fuzzing techniques, and I chose the Microsoft tool called IoAttack, which is presented as a test case in WDK 8.1 and not as a standalone application like in previous versions of the WDK. This tool works with the IoSpy tool, which gathers all IOCTLs and WMI commands that are sent to the driver. IoSpy attaches to the driver stack as a filter driver and records all traffic. The problem occurs after I successfully attach IoSpy, record all data, then remove IoSpy and run IoAttack, because IoAttack does not see the device that is created by my storage driver.

    I will be grateful for any help or advice :)

    [Setup steps for test machine:]

    0. Install driver that created storage device

    1. Install package "WDK Test Target Setup"
    - source: https://msdn.microsoft.com/en-us/library/windows/hardware/hh439627#manual_install_taef
    - default location: C:\Program Files (x86)\Windows Kits\8.1\Remote\x64
    - default location on machine that has WDK 8.1 component installed
    - installation command: msiexec /i "WDK Test Target Setup x64-x64_en-us.msi"

    1.1 If your target computer is running Windows Server, find the DriverTest folder that was just created by WDK Test Target Setup MSI. (Example: c:\DriverTest). Right click the DriverTest folder, and choose Properties. On the Security tab, give Modify permission to the Authenticated Users group.

    2. Install package "Test Authoring and Execution Framework (TAEF)"
    - default location: C:\Program Files (x86)\Windows Kits\8.1\Testing\Runtimes
    - default location on machine that has WDK 8.1 component installed
    - installation command: msiexec /i "Test Authoring and Execution Framework x64-x64_en-us.msi"

    2. Install package "WDTF runtime library"
    - source: https://msdn.microsoft.com/en-us/library/windows/hardware/hh831856#manual_install_wdtf
    - default location: C:\Program Files (x86)\Windows Kits\8.1\Testing\Runtimes
    - default location on machine that has WDK 8.1 component installed
    - installation command: msiexec /i "Windows Driver Testing Framework (WDTF) Runtime Libraries-x64_en-us.msi"
    - installation verification: 
    - Open a Command Prompt window on the test computer.
    - Run %WDTFDir%\Tools\CheckWDTFInstall.cmd
    - default location: C:\Program Files (x86)\Windows Kits\8.1\Testing\Runtimes\WDTF
    - Open the log file CheckWDTFInstall.log and examine the results, which contain information on all installed WDTF components

    3. Setting mode "kernel debugging"
    - source: https://msdn.microsoft.com/en-us/library/windows/hardware/dn553412(v=vs.85).aspx
    - steps:
    - Open a Command Prompt window as Administrator. Enter bcdedit /debug on
    - If the computer is not already configured as the target of a debug transport, enter bcdedit /dbgsettings local
    - Reboot the computer.

    [Test procedure that uses IoSpy and IoAttack:]

    1. Enable IoSpy using WDK test "EnableIoSpy" and application "TAEF"
    - command: 
    Te.exe "%SystemDrive%\Tests\Additional Tests\DeviceFundamentals\ERT\Basic\Devfund_IOSpy_EnableSupport_ERT_Basic.wsc" /select:"@Name='Devfund::EnableIoSpy'" /p:"DQ=INF::OriginalInfFileName='my_storage_driver.inf'" /p:"DFD=%systemdrive%\DriverTest\IoSpy" /rebootStateFile:%SystemDrive%\DriverTest\Logs\DriverTestReboot.xml /enableWttLogging /wttDeviceString:$LogFile:file="%SystemDrive%\DriverTest\Logs\Enable_I_O_Spy_(Quick)_(possible_reboot)_00000.wtl",writemode=append,encoding=unicode,nofscache=true,EnableLvl="WexStartTest|WexEndTest|WexXml|WexProperty|WexCreateContext|WexCloseContext|*" /runas:Elevated

    2. Reboot operating system

    3. Use IOCTL commands for public and private IOCTLs

    4. Verify that the IoSpy data file that records the data sent through IOCTL and WMI requests to drivers for devices enabled for fuzz tests is larger than the initial 1 KB size (if not, data acquisition failed for the specific driver)
    - default location for IoSpy data file: %SystemDrive%\DriverTest\IoSpy

    5. Disable IoSpy using WDK test "DisableIoSpy" and application "TAEF"
    - command:
    te.exe "%SystemDrive%\Tests\Additional Tests\DeviceFundamentals\ERT\Basic\Devfund_IOSpy_DisableSupport_ERT_Basic.wsc" /select:"@Name='Devfund::DisableIoSpy'" /rebootStateFile:%systemdrive%\DriverTest\Logs\DriverTestReboot.xml /enableWttLogging /wttDeviceString:$LogFile:file="%systemdrive%\DriverTest\Logs\Disable_I_O_Spy_(Quick)_(possible_reboot)_00000.wtl",writemode=append,encoding=unicode,nofscache=true,EnableLvl="WexStartTest|WexEndTest|WexXml|WexProperty|WexCreateContext|WexCloseContext|*" /runas:Elevated

    6. Reboot operating system

    7. Run I/O Attack (Quick) fuzzer using WDK test "RunIoAttack" and application "TAEF"
    - command:

    te.exe "%SystemDrive%\DATA\Tests\Additional Tests\DeviceFundamentals\ERT\Basic\Devfund_IOAttack_ERT_Basic.wsc" /select:"@Name='Devfund::RunIoAttack'" /p:"DQ=DeviceID=’my_device_id_that_was_created_by_my_storage_driver" /rebootStateFile:%SystemDrive%\DriverTest\Logs\DriverTestReboot.xml /enableWttLogging  /wttDeviceString:$LogFile:file="%SystemDrive%\DriverTest\Logs\Run_I_O_Attack_(Quick)_00001.wtl",writemode=append,encoding=unicode,nofscache=true,EnableLvl="WexStartTest|WexEndTest|WexXml|WexProperty|WexCreateContext|WexCloseContext|*" /runas:Elevated

    The Microsoft fuzzer IoAttack, which is run as a test from the WDK, does not see my_storage_driver. The test passes because no devices were found for testing. Output from the test:

    StartGroup: Devfund::RunIoAttack
    Property: TAEF: Description [Runs I/O Attack. ]
    WDTF_TARGETS: - Query("IsDevice AND IoSpy::")
    WDTF_TEST: No devices were found for testing
    EndGroup: Devfund::RunIoAttack [Passed]
    Summary: Total=1, Passed=1, Failed=0, Blocked=0, Not Run=0, Skipped=0

    Command that was used to run the test using the WDK application "TAEF" (te.exe):
    te.exe "%SystemDrive%\Tests\Additional Tests\DeviceFundamentals\ERT\Basic\Devfund_IOAttack_ERT_Basic.wsc" /select:"@Name='Devfund::RunIoAttack'" /p:"DQ=DeviceID=’my_device_id_that_was_created_by_my_storage_driver’" /rebootStateFile:%SystemDrive%\DriverTest\Logs\DriverTestReboot.xml /enableWttLogging  /wttDeviceString:$LogFile:file="%SystemDrive%\DriverTest\Logs\Run_I_O_Attack_(Quick)_00001.wtl",writemode=append,encoding=unicode,nofscache=true,EnableLvl="WexStartTest|WexEndTest|WexXml|WexProperty|WexCreateContext|WexCloseContext|*" /runas:Elevated

    [Additional information:]
    I tried to address my driver / storage device for the fuzzing test using DQ=DeviceID and DQ=INF::OriginalInfFileName (like in the IoSpy case), but in the end it doesn't work.

    Procedure source for usage of IoSpy and IoAttack is from https://msdn.microsoft.com/en-us/library/windows/hardware/ff547271

    [Test machine setup:]
    - Windows Server 2012 R2 Standard Build 9600 (x64)

    [Software setup:] 
    - WDK 8.1 installed on Windows 7 Professional (x64)

    Friday, April 22, 2016 6:56 AM
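
An added example, not part of the original post: a PowerShell check for the two conditions described above, an IoSpy data file still at its initial 1 KB size and a RunIoAttack group reported as Passed although no device was fuzzed. The function names and the step of saving the te.exe console output as text are assumptions; the sample lines are constructed from the output quoted in the question.

```powershell
# Added example; function names are hypothetical, not part of WDK/TAEF.

# Return the names of test groups that ended [Passed] although WDTF
# reported that no devices matched the query (a pass with zero coverage).
function Get-VacuousTaefPass {
    param([string[]]$Lines)
    $noDevices = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^StartGroup:') {
            $noDevices = $false
        }
        elseif ($t -match 'WDTF_TEST:\s*No devices were found for testing') {
            $noDevices = $true
        }
        elseif ($t -match '^EndGroup:\s*(.+?)\s*\[(\w+)\]') {
            if ($Matches[2] -eq 'Passed' -and $noDevices) { $Matches[1] }
        }
    }
}

# List IoSpy data files that never grew past the initial size (step 4).
function Get-EmptyIoSpyCapture {
    param([string]$Folder, [int]$InitialBytes = 1KB)
    Get-ChildItem -Path $Folder -File |
        Where-Object { $_.Length -le $InitialBytes } |
        Select-Object Name, Length
}

# Constructed sample: the console output quoted in the question.
$sample = @'
StartGroup: Devfund::RunIoAttack
Property: TAEF: Description [Runs I/O Attack. ]
WDTF_TARGETS: - Query("IsDevice AND IoSpy::")
WDTF_TEST: No devices were found for testing
EndGroup: Devfund::RunIoAttack [Passed]
Summary: Total=1, Passed=1, Failed=0, Blocked=0, Not Run=0, Skipped=0
'@ -split '\r?\n'

$vacuous = Get-VacuousTaefPass -Lines $sample
if ($vacuous) {
    Write-Warning "Passed without fuzzing any device: $($vacuous -join ', ')"
}

# Default IoSpy data location given in step 4 of the procedure.
$ioSpyDir = Join-Path $env:SystemDrive 'DriverTest\IoSpy'
if (Test-Path $ioSpyDir) { Get-EmptyIoSpyCapture -Folder $ioSpyDir }
```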