Requires KVM-VMI setup for VM introspection.
$ mkdir build && cd build
$ cmake ..
- Extract addresses of control flow instructions from your target with
extract-breakpoints.py. - Implement a harness for the target according to
harness.cand copy it to the guest VM.
- Start QEMU with introspection enabled by adding the following parameters.
-chardev socket,path=/tmp/introspector,id=chardev0,reconnect=10
-object secret,id=key0,data=some
-object introspection,id=kvmi,chardev=chardev0,key=key0"
- When the VM is booted, load the target module inside the guest and retrieve the load address.
# insmod module.ko
# cat /proc/modules
- Start bsod-afl on host.
$ afl-fuzz -i input -o output -t 9999 -- ./bsod-afl --socket /tmp/introspector --json <kernel profile> --input @@ --module <module addr> --breakpoints <breakpoints file> --coverage block
- Start harness in guest.
$ ./harness