Gal Kristal

Statically instrumenting 64-bit Windows binaries with peafl64

Fuzzing has long been used to search for vulnerabilities in complex binaries, and it works best when coupled with code coverage. Code coverage is typically achieved using dynamic or static instrumentation; the latter is preferred for its superior performance. Regarding specifically 64-bit Windows Kernel drivers, there was no tool that supported static instrumentation of those, up until now.

We’re releasing peafl64 – a static instrumentation tool for 64-bit PEs expanding on pe-afl. It enables both Kernel mode (using kAFL) and User mode (using WinAFL) binary-level fuzzing. peafl64 is the most comprehensive and efficient static instrumentation tool for Windows binaries that’s publicly available to the security research community today.

This talk will briefly cover the existing solutions for instrumenting PE files and how peafl64 compares to them. Then, we’ll discuss special considerations for instrumenting 64-bit binaries and the Windows Kernel. We’ll share how we drastically improved the performance of pe-afl and demonstrate Kernel mode fuzzing.

Gal Kristal is a Senior Security Researcher at SentinelOne who specializes in Offensive Security. Previously, he spent five years at Unit 8200, as an officer and team leader of security researchers.