gengstah

gengstah

Exploring the spaces between specs — where weird machines live and exploits are born

Fuzzing Tools for Windows Kernel & User-Mode

Last updated: 2026-04-10
Related: Debugging, Dynamic Analysis
Tags: kernel-mode, user-mode

Summary

Fuzzing is the most scalable bug discovery technique. For Windows kernel targets, coverage-guided kernel fuzzers (WTF, kAFL) have replaced dumb fuzzers. This page covers the primary fuzzing tools, target setup, and strategies for finding exploitable bugs in Windows.

WTF (What The Fuzz)

Snapshot-based coverage-guided kernel fuzzer. Current best tool for Windows kernel fuzzing.

Architecture

  • Takes a CPU snapshot of the target system at the start of the target function
  • Runs iterations: restore snapshot → mutate input → execute → collect coverage → restore
  • Uses hardware virtualization (Intel PT or ICOUNT via Hyper-V) for coverage
  • Can run thousands of iterations per second

Setup

git clone https://github.com/0vercl0k/wtf
# Requirements: Hyper-V host + target Windows VM

# 1. Create fuzzing snapshot:
# In target VM, run target to interesting point, trigger breakpoint
# WTF captures memory snapshot + register state

# 2. Write fuzzing harness:
# C++ module that maps input into target's memory, triggers function

# 3. Run fuzzer:
wtf.exe fuzz --name target --seed-dir seeds/ --max-len 0x1000

Writing a WTF Harness

// Target: fuzzing an IOCTL handler
bool InsertTestcase(const uint8_t* Buffer, const size_t BufferSize) {
    // Write fuzz data to IOCTL input buffer in snapshot memory
    const uint64_t InputBuffer = g_Backend->GetSymbol("ioctl_input_buf");
    if (!g_Backend->VirtWriteDirty(InputBuffer, Buffer, BufferSize)) {
        return false;
    }
    return true;
}

kAFL

Intel PT-based coverage-guided kernel fuzzer. Original kernel fuzzer from academic research.

Architecture

  • Uses KVM + QEMU + Intel PT for coverage tracing
  • Runs target kernel in VM
  • Agent in target kernel receives inputs, feeds to harness, reports coverage

Comparison with WTF

FeatureWTFkAFL
Coverage mechanismIntel PT or ICOUNTIntel PT
Snapshot restoreSub-millisecondPer-VM-reset
Windows supportPrimary targetSupported
SpeedVery highHigh
Setup complexityMediumHigh

Syzkaller (Linux primary, some Windows)

Google’s coverage-guided syscall fuzzer. Primarily Linux, but has Windows support in development.

For Windows syscall fuzzing, WTF is generally preferred.

LibFuzzer / AFL++ (User-Mode)

For fuzzing Windows user-mode targets:

LibFuzzer on Windows

// Fuzzing harness for a parser function:
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
    ParseInput(Data, Size);  // target function
    return 0;
}
// Compile: clang-cl /fsanitize=fuzzer,address target.c

AFL++ on Windows (WinAFL)

WinAFL: AFL fork for Windows, uses DynamoRIO for instrumentation.

afl-fuzz.exe -i seeds\ -o out\ -t 5000 -- 
    drrun.exe -c winafl.dll -target_module target.exe 
              -target_method ParseInput -fuzz_iterations 5000 
              -- target.exe @@

IOCTL Fuzzer

Specialized tool for fuzzing Windows driver IOCTLs.

Manual IOCTL Fuzzing

// Enumerate device IOCTLs and fuzz them:
HANDLE hDevice = CreateFile("\\\\.\\TargetDevice", ...);

// Fuzz all IOCTL codes in expected range:
for (DWORD ioctl = 0x22000; ioctl < 0x22FFF; ioctl += 4) {
    char inBuf[0x1000] = {0};
    // Fill inBuf with interesting values
    memset(inBuf, 0x41, sizeof(inBuf));  // basic
    *(ULONG*)inBuf = rand();              // random sizes
    
    DWORD bytesReturned;
    DeviceIoControl(hDevice, ioctl, inBuf, sizeof(inBuf), 
                    NULL, 0, &bytesReturned, NULL);
    // Monitor for crashes via WER or kernel debugger
}

ioctlbf (IOCTL Brute Force)

Automated IOCTL fuzzer with built-in interesting value generation.

Fuzzing Targets

High-Value Windows Kernel Targets

TargetComponentAccess
Win32k syscallswin32k.sysAny logged-in user
IOCTL handlersThird-party driversLow-IL via driver
SMB parsingsrv2.sysRemote, no auth
RPC serversVarious servicesNetwork
Font parsingwin32k/atmfdRenderer processes
Image parsinggdiplus, wimgapiAny app
NTFS metadatantfs.sysLocal, file system access
Hyper-V hypercallshvix64.exeGuest VM

Crash Triage

Set up WER (Windows Error Reporting) for automatic crash collection:

reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpType /t REG_DWORD /d 2
reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpFolder /t REG_EXPAND_SZ /d "C:\Crashes"

Kernel crashes: configure kernel crash dumps and analyze with WinDbg !analyze -v.

Coverage-Guided Fuzzing Strategy

Seed Corpus

  • Start with valid inputs (real protocol messages, file samples)
  • Minimized corpus: run afl-cmin or WTF corpus minimization
  • Include edge cases: zero sizes, maximum sizes, empty inputs

Sanitizers

Enable ASAN/UBSAN on user-mode targets. For kernel:

  • Driver Verifier: catches pool corruptions, bad IRPs
  • Special Pool: places each allocation on its own page for immediate OOB detection
  • KASAN (Win11+): kernel address sanitizer, similar to ASAN

Special Pool Setup

verifier /standard /driver targetdrv.sys
// Or for specific pool tag:
verifier /faultinjectionprobability 0 /pooltags TARG

Exploit Relevance

WTF snapshot fuzzing of kernel functions is the current state-of-the-art for kernel bug discovery. A well-written WTF harness targeting an IOCTL handler can run 50,000+ iterations/second and find memory corruption bugs within hours. Investing in fuzzing infrastructure gives multiplicative returns across all targets.

References

  • “WTF — Snapshot Fuzzer” — Axel ‘0vercl0k’ Souchet, GitHub
  • “kAFL: Hardware-Assisted Feedback Fuzzing” — Schumilo et al., USENIX Security 2017
  • “WinAFL” — Google Project Zero / Ivan Fratric
  • “Fuzzing Windows Drivers” — Claroty Team82
  • “Kernel Fuzzing with Driver Verifier” — Microsoft WHDC documentation