PE file parser fuzzing

Hi everyone,

I am trying to search for bugs in the Bro file parser using libFuzzer. I found the old branch where you tried to fuzz the HTTP protocol, so I have implemented everything on top of this branch. I was able to easily make it work for the DNP3 protocol, but file analyzers are different. The problem is that I can't reach the actual PE parser code from my LLVMFuzzerTestOneInput.

The actual code is:

    // Hand the fuzzer's input buffer to a TCP file analyzer as one stream chunk
    analyzer::file::File_Analyzer *filea = new analyzer::file::File_Analyzer("TCP", conn);
    filea->DeliverStream(DataSize, Data, true);

I had problems with the file handler, which I solved by adding the following line in Manager.cc:

— a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -427,6 +427,7 @@ string Manager::GetFileID(analyzer::Tag tag, Connection* c, bool is_orig)

mgr.QueueEvent(get_file_handle, vl);
mgr.Drain(); // need file handle immediately so we don’t have to buffer data

  • file_mgr->SetHandle(“random_str”);
    return current_file_id;
    }
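Review bot: the added `file_mgr->SetHandle("random_str")` overrides whatever handle the get_file_handle handlers set during the `mgr.Drain()` just above it, and since the string is a constant, every file that goes through GetFileID presumably ends up with the same current_file_id, so a fuzzing loop would deliver each new input into the same file object rather than a fresh one. Consider supplying the handle from a script-level get_file_handle handler instead of patching Manager.cc, and if a hardcoded handle is unavoidable, derive it from something unique per input (a counter, for instance) so each fuzz iteration starts from clean file state.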

In this case, Bro will call the "hash" analyzer and ignore PE. It looks like the PE file analyzer is not loaded/initialized; the debug log reports only the following modules being loaded:
[FjjsZfY8GArx2E0Ih] Add analyzer MD5
[FjjsZfY8GArx2E0Ih] Add analyzer SHA1

Probably I am on a completely wrong way to make it work. It would be great if you could suggest some other ways to make it work without significant modification of the Bro source code.

Thank you in advance.

I didn't understand how exactly you tried to instrument Bro w/ your
fuzzing code, but here it just seems like the problem is you were
expecting Bro to add the PE analyzer unconditionally when in reality
it's only added if the data passed in for file analysis actually looks
like it could be valid PE. You can see that
scripts/base/files/pe/main.bro is what registers the PE analyzer upon
matching the "application/x-dosexec" type whose signature is defined
in scripts/base/frameworks/files/magic/libmagic.sig (e.g. looks for
data starting with "MZ"). If you want the PE analyzer attached
unconditionally, you could try loading your own script that does:

    event file_new(f: fa_file) { Files::add_analyzer(f, Files::ANALYZER_PE); }

- Jon
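The other route to the PE parser, besides forcing the analyzer from a script as above, is to give the fuzzer corpus seeds that already pass the sniffing step. The following is an added example, not code from the thread or from Bro: it mirrors the "starts with MZ" check Jon describes (an assumption; the real libmagic.sig rule may be stricter), builds a minimal, structurally coherent PE header as a constructed corpus seed, and reads the fields back so a seed can be sanity-checked before it goes into the corpus directory.

```python
"""Construct a minimal PE-shaped libFuzzer corpus seed for Bro's PE analyzer.
Constructed example; header layout follows the PE/COFF spec, not Bro's sources."""
import struct

DOS_HEADER_SIZE = 64                 # IMAGE_DOS_HEADER is 64 bytes; e_lfanew sits at offset 60
PE_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
COFF_HEADER_SIZE = 20
OPTIONAL_HEADER32_SIZE = 224
SECTION_HEADER_SIZE = 40


def looks_like_pe(data: bytes) -> bool:
    """Mirror the sniff described in the thread: data must start with 'MZ'.
    Assumption: the real libmagic.sig signature may check more than this."""
    return data[:2] == b"MZ"


def minimal_pe_seed(num_sections: int = 1) -> bytes:
    """DOS header whose e_lfanew points straight at the PE signature, followed by a
    COFF file header, a 32-bit optional header and zeroed section headers. Everything
    not needed to look like a PE is left zero for the fuzzer to mutate."""
    e_lfanew = DOS_HEADER_SIZE
    dos = b"MZ" + b"\0" * (DOS_HEADER_SIZE - 2 - 4) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, num_sections, 0, 0, 0,
                       OPTIONAL_HEADER32_SIZE, 0x0102)
    optional = struct.pack("<H", IMAGE_NT_OPTIONAL_HDR32_MAGIC) + b"\0" * (OPTIONAL_HEADER32_SIZE - 2)
    sections = b"\0" * (SECTION_HEADER_SIZE * num_sections)
    return dos + PE_SIGNATURE + coff + optional + sections


def parse_seed(data: bytes) -> dict:
    """Read back the fields the seed sets, so a corpus entry can be checked before use."""
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    signature = data[e_lfanew:e_lfanew + 4]
    machine, num_sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    optional_magic = struct.unpack_from("<H", data, e_lfanew + 4 + COFF_HEADER_SIZE)[0]
    return {"e_lfanew": e_lfanew, "signature": signature, "machine": machine,
            "num_sections": num_sections, "optional_magic": optional_magic}


def write_corpus_seed(path: str) -> None:
    """Write the seed into whatever directory is passed to the libFuzzer binary as corpus."""
    with open(path, "wb") as fh:
        fh.write(minimal_pe_seed())
```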