This is the first module. It gives an overview of the content of the remaining course and its planned outline.
These are a number of Basic Knowledge Modules that introduce you to the macOS and iOS platforms. They were not recorded specifically for this training course; they are cut from a previously recorded course about a different macOS and iOS userspace topic and are provided as additional introductory material.
In this module we learn everything there is to know about executing child programs with enhanced features via posix_spawn(). We will be able to start programs suspended (POSIX_SPAWN_START_SUSPENDED), disable ASLR in them (_POSIX_SPAWN_DISABLE_ASLR), inject exception handlers and do many other things, too.
In this module we learn how to use DYLD_INSERT_LIBRARIES to insert libraries into programs, how to perform function interposing, and how to patch dyld at runtime to allow injection into binaries for which dyld ignores the DYLD_ environment variables, e.g. iOS apps running on a Mac. The latter requires SIP to be disabled.
In this module you will learn everything you should know about dealing with crashes on macOS: how to activate core dumping, how to read and understand DiagnosticReports, and how to write your own Mach exception handlers.
In this module we discuss how to create a corpus of test cases for fuzzing, how to evaluate which items in the corpus are the most valuable, and how to mutate or generate new test cases.
In this module we learn about various methods for collecting code coverage information for binaries. We then describe the design of our own code coverage collector, called TrapRecorder, and various IDAPython and Ghidra Python scripts that help with the coverage analysis.
In this module we introduce the Simple Target, a small file format parser that we will start our fuzzing journey with before moving on to more advanced targets.
This module describes our first bigger exercise, writing our own simple fuzzer that can be used to fuzz the Simple Target, and its solution.
In this module we discuss how to improve the Simple Fuzzer 1 designed previously by adding code coverage support and new path discovery to it.
Within this exercise we learn how to adapt our simple fuzzer to fuzz a real target like libpng. We learn how to suppress the output of a harness, how to deal with CRC checks in the parser, how to add more files to the corpus, and how to ensure our fuzzer does not easily get stuck because it went down the wrong path.
In this exercise we take our Simple Fuzzer 3 and adjust it to fuzzing the CoreText font parser. We learn how to write a harness for the CoreText API and see how easily we can adjust to fuzzing a totally different target file format.
This module introduces us to the basic usage of AFL++. We learn how to compile it, how to use it in non-instrumented mode and in source-instrumented mode, and how to use frida_mode for binary-only targets.
In this module we change our Simple Fuzzer to use shared memory for the basic block coverage bitmap and for the actual test cases, so that we eliminate file access and enable ourselves to do in-memory fuzzing.
In this module we change our Simple Fuzzer to use the concept of cycles. Within one cycle each corpus entry is used only once and is then locked from selection until the end of the cycle. Furthermore we learn how to keep track of unsuccessful corpus entries and how to get rid of them after several cycles without measurable progress.
In this module we have a look at the difference between overall code coverage and total cycle code coverage. We also add a function to our Simple Fuzzer to minimize the current corpus.
In this module we add a mutation-undo functionality to the fuzzer that allows it to detect really bad mutation moves and to undo them. Furthermore we protect our cycle system from eliminating test cases that are required to keep up the code coverage.
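The cycle scheduler described in the three modules above, as an added example in C that is not the course's Simple Fuzzer code: a corpus entry is locked after it is picked until the cycle ends, an entry that goes MAX_STALE_CYCLES cycles without finding new coverage is evicted, an entry that is the only one reaching some edge is protected from eviction, and cycle coverage (what the live corpus still reaches) is reported next to overall coverage. The toy bitmap size, the entry and function names and the constructed scenario are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_SIZE         64  /* number of tracked edges (toy size, an assumption) */
#define MAX_CORPUS       32
#define MAX_STALE_CYCLES  3  /* evict after this many cycles without progress */

struct entry {
    uint8_t cov[MAP_SIZE];    /* edges this entry reached when it was recorded */
    int used_this_cycle;      /* once picked, locked until the cycle ends */
    int stale_cycles, alive;  /* cycles in a row without new coverage; still in corpus */
};
struct corpus {
    struct entry e[MAX_CORPUS];
    int n, cycle;
    uint8_t global[MAP_SIZE]; /* overall coverage, including crashes and evicted entries */
};

/* Overall coverage grows with every run, even one whose input never joins the corpus. */
static void corpus_note_coverage(struct corpus *c, const uint8_t *cov) {
    for (int ed = 0; ed < MAP_SIZE; ed++) if (cov[ed]) c->global[ed] = 1;
}

static int corpus_add(struct corpus *c, const uint8_t *cov) {
    if (c->n >= MAX_CORPUS) return -1;
    struct entry *en = &c->e[c->n];
    memset(en, 0, sizeof *en);
    memcpy(en->cov, cov, MAP_SIZE);
    en->alive = 1;
    corpus_note_coverage(c, cov);
    return c->n++;
}

/* True if some edge is reached by this entry and by no other live entry:
 * evicting it would lower the coverage the corpus can reproduce next cycle. */
static int entry_irreplaceable(const struct corpus *c, int idx) {
    for (int ed = 0; ed < MAP_SIZE; ed++) {
        if (!c->e[idx].cov[ed]) continue;
        int elsewhere = 0;
        for (int j = 0; j < c->n && !elsewhere; j++)
            if (j != idx && c->e[j].alive && c->e[j].cov[ed]) elsewhere = 1;
        if (!elsewhere) return 1;
    }
    return 0;
}

/* End of cycle: unlock every entry and evict stale ones that are replaceable. The
 * pass is sequential, so of two stale entries sharing a unique edge the second survives. */
static void corpus_end_cycle(struct corpus *c) {
    c->cycle++;
    for (int i = 0; i < c->n; i++) {
        c->e[i].used_this_cycle = 0;
        if (c->e[i].alive && c->e[i].stale_cycles >= MAX_STALE_CYCLES && !entry_irreplaceable(c, i))
            c->e[i].alive = 0;
    }
}

/* Next unlocked live entry (first-fit for reproducibility; a real fuzzer picks at
 * random among the unlocked ones). Ends the cycle when every entry has been used. */
static int corpus_pick(struct corpus *c) {
    for (int pass = 0; pass < 2; pass++) {
        for (int i = 0; i < c->n; i++)
            if (c->e[i].alive && !c->e[i].used_this_cycle) return i;
        corpus_end_cycle(c);
    }
    return -1;  /* corpus is empty */
}

/* After fuzzing one entry: lock it for this cycle and update its progress counter. */
static void corpus_report(struct corpus *c, int idx, int found_new_coverage) {
    c->e[idx].used_this_cycle = 1;
    c->e[idx].stale_cycles = found_new_coverage ? 0 : c->e[idx].stale_cycles + 1;
}

/* Cycle coverage: edges the live corpus still exercises; overall: everything ever seen. */
static int corpus_cycle_coverage(const struct corpus *c) {
    uint8_t seen[MAP_SIZE] = {0}; int total = 0;
    for (int i = 0; i < c->n; i++) if (c->e[i].alive)
        for (int ed = 0; ed < MAP_SIZE; ed++) if (c->e[i].cov[ed] && !seen[ed]) { seen[ed] = 1; total++; }
    return total;
}
static int corpus_total_coverage(const struct corpus *c) {
    int total = 0; for (int ed = 0; ed < MAP_SIZE; ed++) total += c->global[ed]; return total;
}
static int corpus_alive(const struct corpus *c) {
    int n = 0; for (int i = 0; i < c->n; i++) n += c->e[i].alive; return n;
}

struct sched_demo { int alive, cycle, cycle_cov, total_cov; };

/* Constructed scenario: entries A {0}, B {0,1}, C {0,1,2}; a crashing input that reached
 * edge 7 is noted but never added; then ten picks that all report no progress. */
static struct sched_demo run_sched_demo(void) {
    struct corpus c; memset(&c, 0, sizeof c);
    uint8_t cov[MAP_SIZE]; memset(cov, 0, MAP_SIZE);
    cov[0] = 1; corpus_add(&c, cov);
    cov[1] = 1; corpus_add(&c, cov);
    cov[2] = 1; corpus_add(&c, cov);
    memset(cov, 0, MAP_SIZE); cov[7] = 1; corpus_note_coverage(&c, cov);
    for (int i = 0; i < 10; i++) { int idx = corpus_pick(&c); if (idx < 0) break; corpus_report(&c, idx, 0); }
    /* Pick 10 closes the third cycle (c.cycle becomes 3): A and B are evicted, C survives
     * because it is the only entry reaching edge 2. */
    struct sched_demo d = { corpus_alive(&c), c.cycle, corpus_cycle_coverage(&c), corpus_total_coverage(&c) };
    return d;
}

int main(void) {
    struct sched_demo d = run_sched_demo();
    printf("alive=%d cycle=%d cycle_coverage=%d overall_coverage=%d\n", d.alive, d.cycle, d.cycle_cov, d.total_cov);
    return 0;
}
```

In the constructed scenario cycle coverage ends at 3 while overall coverage is 4: edge 7 was only ever reached by the crashing input, which is exactly the gap between the two numbers that the corpus minimization and the protection of irreplaceable entries are meant to keep small.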
In this module we finally make the Simple Fuzzer configurable via the command line interface. No more hardcoding of the target. Furthermore we restore the functionality to fuzz targets that cannot use SHM and instead read their input from files. We also add code to detect a hanging target. All of this together makes it much more flexible and usable in the real world.
In this module we add exception handling to the Simple Fuzzer. We will learn how to detect duplicate crashes, how to read the backtrace of a target application, and how to deal with Mach exception messages correctly.
In this module we just give out a new, better target for fuzzing image file formats via ImageIO and a small list of libraries to fuzz for different image file formats.
In this module we get an introduction to Mach servers. We learn what they are, how they are structured, how we can find them on the file system, and how we can find the MIG routines inside binaries in order to learn how we can instrument them.
In this module we get to know how to use DYLD_INSERT_LIBRARIES with LaunchDaemons and how to inject libraries into arbitrary already running processes with the help of a little tool called injectlibhook.
In this module we will learn about ways that allow us to dump the content of Mach messages in order to build up a corpus for Mach message fuzzing.
In this module we learn how to analyse the content of Mach messages and find out their structure so that our fuzzing is more effective.
In this module we will add support for forkservers to the Simple Fuzzer. This means that instead of spawning our targets via posix_spawn() for every test case we connect to a forkserver via SHM instead. The forkserver is responsible for forking the child processes that will then process our test cases. Because the fork happens after the target has been loaded and instrumented, the startup cost is paid only once, which allows many more test cases to be checked per second.
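An added example of the SHM plus forkserver design from the shared-memory module and this one, written in C for this page and not the course's Simple Fuzzer code: a single MAP_SHARED region carries the coverage bitmap and the current test case, the forkserver is forked once after the shared map is set up and then forks one short-lived child per control byte, and the fuzzer merges each run's bitmap into a global map. The target is a constructed toy parser that marks five edges and aborts on "FUZZ"; the protocol (one control byte in, one wait status out), the region layout and all names are assumptions of this example.

```c
#define _DEFAULT_SOURCE 1  /* fork/pipe/mmap declarations on glibc; no effect on macOS */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif
#define MAP_SIZE  64    /* coverage bitmap, one byte per edge (toy size, an assumption) */
#define INPUT_MAX 256   /* shared test-case buffer */

/* One shared region carries the coverage map and the current test case, so no file
 * is written or read between runs (assumed layout). */
struct shm_area { uint8_t cov[MAP_SIZE]; uint32_t input_len; uint8_t input[INPUT_MAX]; };

/* Constructed toy target standing in for an instrumented parser: it marks each
 * "edge" it reaches in the shared map and crashes on the input "FUZZ". */
static void toy_target(struct shm_area *sh) {
    const uint8_t *b = sh->input; uint32_t n = sh->input_len;
    sh->cov[0] = 1;
    if (n < 1 || b[0] != 'F') return; sh->cov[1] = 1;
    if (n < 2 || b[1] != 'U') return; sh->cov[2] = 1;
    if (n < 3 || b[2] != 'Z') return; sh->cov[3] = 1;
    if (n < 4 || b[3] != 'Z') return; sh->cov[4] = 1;
    abort();  /* simulated memory-safety bug */
}

struct forkserver { struct shm_area *sh; int ctl_fd, st_fd; pid_t pid; };

/* Runs inside the already-initialised target process: each control byte from the
 * fuzzer forks one fresh child for one test case and reports its wait status back. */
static void forkserver_loop(struct shm_area *sh, int ctl_rd, int st_wr) {
    uint8_t cmd;
    while (read(ctl_rd, &cmd, 1) == 1) {
        int status = -1;
        pid_t child = fork();
        if (child == 0) { close(ctl_rd); close(st_wr); toy_target(sh); _exit(0); }
        if (child > 0) waitpid(child, &status, 0);
        if (write(st_wr, &status, sizeof status) != (ssize_t)sizeof status) break;
    }
    _exit(0);
}

static int forkserver_start(struct forkserver *fs) {
    int ctl[2], st[2];
    fs->sh = mmap(NULL, sizeof *fs->sh, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (fs->sh == MAP_FAILED || pipe(ctl) < 0 || pipe(st) < 0) return -1;
    memset(fs->sh, 0, sizeof *fs->sh);
    fs->pid = fork();   /* the "instrumentation" (shared map) is in place before this fork */
    if (fs->pid < 0) return -1;
    if (fs->pid == 0) { close(ctl[1]); close(st[0]); forkserver_loop(fs->sh, ctl[0], st[1]); }
    close(ctl[0]); close(st[1]);
    fs->ctl_fd = ctl[1]; fs->st_fd = st[0];
    return 0;
}

/* Copies the test case into shared memory, triggers one run, returns the child's wait status. */
static int forkserver_run(struct forkserver *fs, const uint8_t *in, size_t len) {
    uint8_t go = 1; int status;
    if (len > INPUT_MAX) len = INPUT_MAX;
    memset(fs->sh->cov, 0, MAP_SIZE);          /* fresh bitmap for this run */
    memcpy(fs->sh->input, in, len);
    fs->sh->input_len = (uint32_t)len;
    if (write(fs->ctl_fd, &go, 1) != 1) return -1;
    if (read(fs->st_fd, &status, sizeof status) != (ssize_t)sizeof status) return -1;
    return status;
}

static void forkserver_stop(struct forkserver *fs) {
    close(fs->ctl_fd); close(fs->st_fd);
    waitpid(fs->pid, NULL, 0);
    munmap(fs->sh, sizeof *fs->sh);
}

struct campaign_result { int runs, new_cov_inputs, crashes; };

/* Feeds every input through the forkserver, merging coverage into a global map and
 * counting inputs that reached an edge never seen before and inputs that crashed. */
static struct campaign_result run_campaign(const char **inputs, int count) {
    struct campaign_result r = {0, 0, 0};
    uint8_t global[MAP_SIZE] = {0};
    struct forkserver fs;
    if (forkserver_start(&fs) < 0) { r.runs = -1; return r; }
    for (int i = 0; i < count; i++) {
        int status = forkserver_run(&fs, (const uint8_t *)inputs[i], strlen(inputs[i]));
        if (status < 0) break;
        r.runs++;
        if (WIFSIGNALED(status)) r.crashes++;   /* SIGABRT from the toy target counts as a crash */
        int is_new = 0;
        for (int ed = 0; ed < MAP_SIZE; ed++)
            if (fs.sh->cov[ed] && !global[ed]) { global[ed] = 1; is_new = 1; }
        if (is_new) r.new_cov_inputs++;
    }
    forkserver_stop(&fs);
    return r;
}

/* Constructed corpus: each input goes one edge deeper, "FUZZ" crashes, the repeat adds nothing. */
static struct campaign_result demo_campaign(void) {
    const char *corpus[] = {"A", "F", "FU", "FUZ", "FUZZ", "FUZ"};
    return run_campaign(corpus, 6);
}

int main(void) {
    struct campaign_result r = demo_campaign();
    printf("runs=%d new_coverage_inputs=%d crashes=%d\n", r.runs, r.new_cov_inputs, r.crashes);
    return 0;
}
```

In a real setup forkserver_loop() would live in a library injected into the target and be entered once the coverage instrumentation has initialised; the two pipes are the same shape AFL-style forkservers use, which is why a crash is visible to the fuzzer simply as a signalled wait status (WIFSIGNALED()) without any file or exception port in between. Note that the bitmap is written before the toy target aborts, so the crashing input still counts as new coverage.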
In this module we learn how to add support for custom mutators to the Simple Fuzzer. This allows us to create arbitrary mutators for input formats like Mach messages or XPC messages in our future exercises.
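A custom mutator interface, as an added C example for the corpus and mutation module and for this one, not the course's code: one function-pointer type is shared by the default byte-level mutator and by a structure-aware mutator for a constructed toy message format (a header with magic, routine id and body length, standing in for a Mach or XPC message) that keeps the header consistent so the server does not reject the input before the interesting code runs. The format, the 16-routine id space, the PRNG and the seed message are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_INPUT 4096

/* Deterministic xorshift PRNG so that a mutation sequence can be replayed from its seed. */
static uint64_t rng_state = 1;
static uint64_t rng_next(void) {
    uint64_t x = rng_state; x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}
static uint32_t rng_below(uint32_t n) { return n ? (uint32_t)(rng_next() % n) : 0; }

/* Mutator interface: rewrite buf in place and return the new length (never above cap). */
typedef size_t (*mutator_fn)(uint8_t *buf, size_t len, size_t cap);

/* Default byte-level mutator: bit flip, byte overwrite, byte insert or byte delete. */
static size_t mutate_bytes(uint8_t *buf, size_t len, size_t cap) {
    size_t pos;
    switch (rng_below(4)) {
    case 0: if (len) buf[rng_below((uint32_t)len)] ^= (uint8_t)(1u << rng_below(8)); break;
    case 1: if (len) buf[rng_below((uint32_t)len)] = (uint8_t)rng_below(256); break;
    case 2: if (len < cap) { pos = rng_below((uint32_t)len + 1);
                memmove(buf + pos + 1, buf + pos, len - pos);
                buf[pos] = (uint8_t)rng_below(256); len++; } break;
    case 3: if (len > 1) { pos = rng_below((uint32_t)len);
                memmove(buf + pos, buf + pos + 1, len - pos - 1); len--; } break;
    }
    return len;
}

/* Constructed toy message format standing in for a Mach or XPC message: a fixed
 * header (magic, routine id, body length) followed by the body bytes. */
struct toy_msg_hdr { uint32_t magic; uint32_t msg_id; uint32_t body_len; };
#define TOY_MAGIC 0x4D534721u

/* Structure-aware custom mutator: keeps magic and body_len consistent and only varies
 * the routine id or the body, so runs are not wasted on inputs the server rejects at
 * its very first sanity check. */
static size_t mutate_toy_msg(uint8_t *buf, size_t len, size_t cap) {
    struct toy_msg_hdr h;
    if (len < sizeof h) return mutate_bytes(buf, len, cap);   /* no header to preserve */
    memcpy(&h, buf, sizeof h);
    size_t body = len - sizeof h;
    if (rng_below(4) == 0) h.msg_id = rng_below(16);          /* assumed small routine-id space */
    else body = mutate_bytes(buf + sizeof h, body, cap - sizeof h);
    h.magic = TOY_MAGIC; h.body_len = (uint32_t)body;
    memcpy(buf, &h, sizeof h);
    return sizeof h + body;
}

/* Builds the constructed seed message: routine 3 with the body "hello". */
static size_t build_seed_msg(uint8_t *out, size_t cap) {
    struct toy_msg_hdr h = { TOY_MAGIC, 3, 5 };
    if (cap < sizeof h + 5) return 0;
    memcpy(out, &h, sizeof h); memcpy(out + sizeof h, "hello", 5);
    return sizeof h + 5;
}

struct mutation_stats { int runs, changed, header_valid; };

/* Applies a mutator n times to fresh copies of the seed and records how often the
 * output differs from the seed and how often it still carries a consistent header. */
static struct mutation_stats exercise_mutator(mutator_fn m, const uint8_t *seed, size_t seed_len,
                                              int n, uint64_t rng_seed) {
    struct mutation_stats s = {0, 0, 0};
    uint8_t buf[MAX_INPUT];
    struct toy_msg_hdr h;
    rng_state = rng_seed ? rng_seed : 1;   /* xorshift must not start from zero */
    for (int i = 0; i < n; i++) {
        memcpy(buf, seed, seed_len);
        size_t len = m(buf, seed_len, sizeof buf);
        s.runs++;
        if (len != seed_len || memcmp(buf, seed, seed_len) != 0) s.changed++;
        if (len >= sizeof h) {
            memcpy(&h, buf, sizeof h);
            if (h.magic == TOY_MAGIC && h.body_len == len - sizeof h) s.header_valid++;
        }
    }
    return s;
}

int main(void) {
    uint8_t seed[64]; size_t n = build_seed_msg(seed, sizeof seed);
    struct mutation_stats a = exercise_mutator(mutate_bytes, seed, n, 200, 42);
    struct mutation_stats b = exercise_mutator(mutate_toy_msg, seed, n, 200, 42);
    printf("byte mutator:   %d/%d outputs keep a valid header\n", a.header_valid, a.runs);
    printf("custom mutator: %d/%d outputs keep a valid header\n", b.header_valid, b.runs);
    return 0;
}
```

exercise_mutator() makes the difference measurable: the byte mutator corrupts the header in a large share of runs, while the custom mutator never does and still changes the input. A Mach message mutator would apply the same idea to msgh_size and msgh_id and to the descriptor count of a complex message, which are the fields the receiving MIG code checks before any routine-specific parsing.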
In this module we learn how to apply the custom mutator and forkserver implementation within our Simple Fuzzer to fuzz a demo Mach server that we provide.
In this module we learn how to adjust our toolset to fuzz real-world situations involving Mach servers that keep internal state, and vulnerabilities that can only be triggered if a certain combination of messages is sent one after another.