# Windows

`Windows` support is very raw and preliminary (read, non-working).

There is a [closed-source port at Microsoft](https://github.com/dwizzzle/Presentations/blob/master/David%20Weston%20-%20Keeping%20Windows%20Secure%20-%20Bluehat%20IL%202019.pdf).

There is a more complete
[closed-source Windows port](https://www.slideshare.net/AnthonyLAOUHINETSUEI/wsl-reloaded)
done by [Fritz](https://twitter.com/anarcheuz) and [zer0mem](https://twitter.com/zer0mem).
The port has found 6 bugs including
[CVE-2018-8441](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8441).

Also, BSoDs in WSL: [1](https://twitter.com/yoavalon/status/1102563655743406082), [2](https://twitter.com/NetanelBenSimon/status/1102563950221316096).
See [BUGS ON THE WINDSHIELD: FUZZING THE WINDOWS KERNEL](https://www.offensivecon.org/speakers/2020/netanel-ben-simon-yoav-alon.html) presentation.

To update descriptions run (assumes `cl` cross-compiler is in PATH):
```
syz-extract -os=windows
syz-sysgen
```

`sys/windows/windows.txt` was auto-extracted from windows headers with `tools/syz-declextract`.

To build binaries:
```
make fuzzer execprog stress TARGETOS=windows
REV=$(git rev-parse HEAD)
cl executor\executor_windows.cc /EHsc -o bin\windows_amd64\syz-executor.exe \
	-DGIT_REVISION=\"$REV\" \
	kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib \
	shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib \
	winmm.lib rpcrt4.lib Crypt32.lib imm32.lib Urlmon.lib Oleaut32.lib \
	Winscard.lib Opengl32.lib Mpr.lib Ws2_32.lib Bcrypt.lib Ncrypt.lib \
	Synchronization.lib Shell32.lib Rpcns4.lib Mswsock.lib Mincore.lib \
	Msimg32.lib RpcRT4.lib Rpcrt4.lib lz32.lib
```

To run `syz-execprog`:
```
bin\windows_amd64\syz-execprog.exe -executor c:\full\path\to\bin\windows_amd64\syz-executor.exe -stress
```

Windows is supported only by `gce` VMs at the moment.
To use `gce`, create a Windows GCE VM and, inside the machine:

- Enable serial console debugging (see [this](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/boot-parameters-to-enable-debugging) for details):
```
bcdedit /debug on
bcdedit /dbgsettings serial debugport:1 baudrate:115200 /noumex
```

- Disable automatic restart in `sysdm.cpl -> Advanced -> Startup and Recovery`

- Set up sshd with key auth, [these](https://winscp.net/eng/docs/guide_windows_openssh_server) instructions worked for me.
Preferably use a non-admin user. Save the private ssh key.

Then shut down the machine, stop the instance and create an image from the disk.
Then start `syz-manager` with a config similar to the following one:

```
{
	"name": "windows",
	"target": "windows/amd64",
	"http": ":20000",
	"workdir": "/workdir",
	"syzkaller": "/syzkaller",
	"sshkey": "/id_rsa",
	"ssh_user": "you",
	"cover": false,
	"procs": 8,
	"type": "gce",
	"vm": {
		"count": 10,
		"machine_type": "n1-highcpu-2",
		"gce_image": "your-gce-image"
	}
}
```
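
A preflight check for a manager config like the one above, added here as an example (it is not part of syzkaller). `lint_config` and its finding strings are hypothetical names, the admin-account test is a name-only heuristic, and the key-permission check assumes `syz-manager` runs on a POSIX host.

```python
import json
import os
import stat

# Constructed sample: the config from this page, placeholder values included.
SAMPLE = json.loads("""{
  "name": "windows", "target": "windows/amd64", "http": ":20000",
  "workdir": "/workdir", "syzkaller": "/syzkaller", "sshkey": "/id_rsa",
  "ssh_user": "you", "cover": false, "procs": 8, "type": "gce",
  "vm": {"count": 10, "machine_type": "n1-highcpu-2", "gce_image": "your-gce-image"}
}""")

def lint_config(cfg, key_mode=None):
    """Return a list of findings. key_mode replaces stat() of cfg['sshkey'] when given."""
    findings = []
    if cfg.get("target") != "windows/amd64":
        findings.append("target: expected windows/amd64")
    if cfg.get("type") != "gce":
        findings.append("type: Windows is supported only by gce VMs")
    if not cfg.get("vm", {}).get("gce_image"):
        findings.append("vm.gce_image: no image created from the prepared VM disk")
    # Heuristic (assumption): only the account name is visible here, not its groups.
    if cfg.get("ssh_user", "").lower() in ("administrator", "admin", "system"):
        findings.append("ssh_user: looks like an admin account; prefer a non-admin user")
    # An empty host in "host:port" makes the listener bind every interface.
    if "http" in cfg and cfg["http"].rpartition(":")[0] in ("", "0.0.0.0", "[::]"):
        findings.append("http: listens on all interfaces; bind 127.0.0.1 or firewall the port")
    if key_mode is None:
        key = cfg.get("sshkey", "")
        if not os.path.isfile(key):
            findings.append("sshkey: file not found")
            return findings
        key_mode = os.stat(key).st_mode
    # The saved private key must not be accessible to group or others.
    if key_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("sshkey: mode %o grants group/other access" % stat.S_IMODE(key_mode))
    return findings

if __name__ == "__main__":
    for finding in lint_config(SAMPLE):
        print(finding)
```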