What is Peach
Installing
Tutorials
Methodology
Introduction
Training
Enterprise
FAQ
Support Forums
Peach 3
Peach Pits
 General Conf
 Data Modeling
 State Modeling
 Agents
  Monitors
 Test
  Publishers
  Loggers
Running
Minset
Peach 2.3
License

<< Previouse | Up | Next >>

Agent and Monitor

Now we are ready to configure our agent and monitors. Agents are special Peach processes that can be run locally or remote. These processes host one or more monitors that can perform such actions as attaching debuggers, watching memory consumption, etc. For this tutorial we are going to configure Microsoft WinDbg to monitor mplayer.exe for exceptions and other common issues. Additionally we will enable the HEAP debugging for the target process.

Configure the Agent and Monitor

First lets locate the commented out <Agent> element in the template file, it will look something like this:

<!-- TODO: Configure agent -->
<Agent name="TheAgent" location="http://127.0.0.1:9000"/>

We are going to uncomment this section and remove the "location" attribute. When no "location" attribute is present, Peach will automatically start a local Peach Agent. We will configure three agents, one for Windows, one for Linux and one for OSX. The Windows agent will be comprised of two monitors: WindowsDebugger and PageHeap. The Linux agent will also be comprised of one monitor: LinuxDebugger. The OSX agent will only be comprised of a single monitor: CrashWrangler.

<Agent name="WinAgent">
   <Monitor class="WindowsDebugger">

        <!-- The command line to run.  Notice the filename provided matched up
             to what is provided below in the Publisher configuration -->
        <Param name="CommandLine" value="c:\\mplayer\\mplayer.exe fuzzed.wav" />

        <!-- This parameter will cause the debugger to wait for an action-call in
             the state model with a method="StartMPlayer" before running
             program.
        -->
        <Param name="StartOnCall" value="StartMPlayer" />

        <!-- This parameter will cause the monitor to terminate the process
             once the CPU usage reaches zero.
        -->
        <Param name="CpuKill" value="true"/>

    </Monitor>

    <!-- Enable heap debugging on our process as well. -->
    <Monitor class="PageHeap">
        <Param name="Executable" value="c:\\mplayer\\mplayer.exe"/>
    </Monitor>

</Agent>

<Agent name="LinAgent">
    <!-- Register for core file notifications. -->
    <Monitor class="LinuxDebugger">

        <!-- This is the program we're going to run inside of the debugger -->
        <Param name="Executable" value="mplayer"/>

        <!-- These are arguments to the executable we want to run -->
        <Param name="Arguments"  value="sample.wav"/>

        <!-- This parameter will cause the monitor to terminate the process
             once the CPU usage reaches zero.
        -->
        <Param name="CpuKill" value="true"/>

    </Monitor>

</Agent>

<Agent name="OsxAgent">
    <Monitor class="CrashWrangler">
        <!-- The executable to run. -->
        <Param name="Command" value="mplayer" />

        <!-- The program arguments.  Notice the filename provided matched up
             to what is provided below in the Publisher configuration -->
        <Param name="Arguments" value="fuzzed.wav" />

        <!-- Do not use debug malloc. -->
        <Param name="UseDebugMalloc" value="false" />

        <!-- Treat read access violations as exploitable. -->
        <Param name="ExploitableReads" value="true" />

        <!-- Path to Crash Wrangler Execution Handler program. -->
        <Param name="ExecHandler" value="/usr/local/bin/exc_handler" />

        <!-- This parameter will cause the monitor to wait for an action-call in
             the state model with a method="StartMPlayer" before running
             program.
        -->
        <Param name="StartOnCall" value="StartMPlayer" />

    </Monitor>
</Agent>

Read more about: Agent, WindowsDebugger, PageHeap

Configure Test

Okay, now we just need to enable the agent for our test. Head down to the <Test> element, specifically we are looking to uncomment this line, and add a new parameter to the Publisher indicating an agent has been configured.

<!-- <Agent ref="LocalAgent"/> -->

Leaving us with this:

<Test name="Default">
    <Agent ref="WinAgent" platform="windows"/>
    <Agent ref="LinAgent" platform="linux"/>
    <Agent ref="OsxAgent" platform="osx"/>

    <StateModel ref="TheState"/>

    <Publisher class="File">
        <Param name="FileName" value="fuzzed.wav"/>
    </Publisher>
</Test>

Read more about: Test

Configure Logging

Now that we are using monitors that can detect faults we will want to configure a logging mechanism to capture the results of our fuzzer run.

Todo this add the following to the <Test> element at the bottom of our XML file:

<Logger class="Filesystem">
    <Param name="Path" value="logs" />
</Logger>

So it looks like this:

<Test name="Default">
    <Agent ref="WinAgent" platform="windows"/>
    <Agent ref="LinAgent" platform="linux"/>
    <Agent ref="OsxAgent" platform="osx"/>

    <StateModel ref="TheState"/>

    <Publisher class="File">
        <Param name="FileName" value="fuzzed.wav"/>
    </Publisher>

    <Logger class="Filesystem">
        <Param name="Path" value="logs" />
    </Logger>
</Test>

Read more about: Test, Logger, File Logger

Testing Fuzzer

Lets go ahead and run the fuzzer! Open up a command window and navigate to the location of wav.xml. Now run the following command:

c:\wav>c:\peach\peach.exe -t wav.xml

] Peach 3 Runtime
] Copyright (c) Michael Eddington

File parsed with out errors.

Hopefully you got this output and no problems were found. If a problem was found go back through the prior sections and try and identify the problem.

Running Fuzzer

Now lets actually kick off our fuzzer for real!

c:\wav>c:\peach\peach.exe wav.xml

<< Previouse | Up | Next >>