Fuzzing Windows Userland Applications

Instructors:  Patrick Ventuzelo & Kylian Boulard de Pouqueville
Dates:  June 23 to 26 2025
Capacity:   25 Seats

This intensive 4-day training equips participants with cutting-edge fuzzing techniques and real-world applications, focusing on Windows environments, structured file fuzzing, and advanced vulnerability research. The training combines theoretical foundations, practical labs, and case studies to prepare participants for professional fuzzing and vulnerability discovery challenges.

KEY LEARNING OBJECTIVES

• Understand snapshot fuzzing techniques for efficiently testing complex applications.

Course Topics

Module 1: Fuzzing Essentials with winAFL

The first day of training introduces foundational fuzzing techniques, emphasizing the use of winAFL on the library. Participants will delve into core fuzzing concepts, including effective corpus generation and advanced techniques to enhance the fuzzing harness. Hands-on exercises will guide participants in creating a basic harness to handle various archive formats. A practical case study on code execution vulnerabilities in WinRAR illustrates real-world applications of fuzzing within Windows environments.

Main Target Applications

• LibArchive: Open-source C library for reading and writing streaming archives.
• WinRAR: Widely-used file archiver for Windows, providing case-study insights.

Key Topics

• winAFL: Windows-based fuzzer for testing applications for vulnerabilities.
• Fuzzing Fundamentals: Concepts, corpus generation, and techniques for optimizing fuzzing outcomes.
• Fuzzing Internals: Deep dive into how fuzzing tools interact with binaries and libraries on Windows.

Learning Objectives

• Understand essential Windows internals relevant to fuzzing.
• Learn introductory fuzzing techniques.
• Develop skills to create a well-structured fuzzing corpus.

Module 2: Vulnerability Discovery, Fuzzing Improvement, and Coverage Analysis Using Jackalope

On the second day, the training focuses on fuzzing IrfanView using tools such as winAFL, Jackalope, and Lighthouse to enhance the analysis and triaging process. Participants will learn essential triaging techniques, conduct coverage analysis, and apply debugging strategies to uncover vulnerabilities. In a hands-on lab, participants will rediscover a remote code execution (RCE) vulnerability in PSP files and expand their fuzzing skills by working with WEBP formats. A comprehensive ZDi report on fuzzing IrfanView provides insights into professional vulnerability research practices.

Main Target Application

• IrfanView: An image viewer application that serves as a learning case for vulnerability research and analysis.

Key Topics

• winAFL: Fuzzing tool tailored for Windows applications.
• Jackalope: Cross-platform fuzzing tool for Windows/Linux/macOS.
• Lighthouse: Code coverage visualizer for analyzing fuzzing effectiveness.

Learning Objectives

• Learn techniques for triaging vulnerabilities found during fuzzing.
• Gain skills in coverage analysis to assess fuzzing completeness.
• Develop effective debugging practices for vulnerability investigation.

Module 3: Structural Fuzzing and Symbol-less Reversing on PDF Applications

Day three emphasizes grammar-based fuzzing techniques, focusing on applications that handle PDF files, such as PDF-XChange and IrfanView's PDF plugin. Participants will explore fuzzing methodologies for complex file structures and gain skills in reversing binaries without symbols—a critical technique in real-world vulnerability research. Key resources include the latest industry reports and an ICSE research paper contextualizing these fuzzing techniques within modern security research.

Main Target Applications

• IrfanView PDF Plugin: Target application for handling PDF file fuzzing within IrfanView.
• PDF-XChange: Popular PDF viewing and editing software.

Key Topics

• Jackalope: Tool for grammar-based fuzzing.
• Grammar Techniques: Methods for fuzzing complex file formats.
• Reversing Without Symbols: Techniques for analyzing binaries without debugging symbols.

Learning Objectives

• Develop skills in grammar-based fuzzing for structured files like PDFs.
• Learn strategies for reversing and analyzing software binaries without the aid of symbols.

Module 4: Snapshot Fuzzing

Day four shifts focus to snapshot-based fuzzing techniques, using video games as a testing ground. The primary target, Assault Cube, provides a practical example for participants to apply snapshot fuzzing concepts with Wtf frameworks. Real-world case studies, including vulnerabilities in Assault Cube's map parser, highlight the practical impact of these techniques.

Main Target Application

• Assault Cube: Open-source, networked first-person shooter game, focusing on map parsing.

Key Topics

• Snapshot Fuzzing: Techniques for creating and analyzing snapshot-based fuzzing cases.
• Wtf: Snapshot fuzzing tools.

Learning Objective

• Understand snapshot fuzzing techniques for efficiently testing complex applications.

Prerequisites

• Basic to intermediate proficiency in C/C++.
• Familiarity with Windows internals and debugging tools.
• Understanding of reverse engineering fundamentals.

HARDWARE REQUIREMENTS

• Virtualization-capable CPU(s).
• Minimum 8GB of RAM (for running one or two guest VM).
• Minimum 80GB free disk space.
• Host CPU: Intel.

SOFTWARE REQUIREMENTS

• Debugging Tools for Windows (IDA Pro, WinDBG) and decompiler recommended.
• Virtualization Software (VMware, VirtualBox).
• System administrator access required on both host and guest OSs.

WHO SHOULD ATTEND

This training is tailored for cybersecurity professionals, researchers, and engineers interested in mastering fuzzing techniques for vulnerability discovery across a variety of applications.

Bio

Patrick Ventuzelo is a senior security researcher, CEO & founder of Fuzzinglabs. After working for the French Ministry of Defense, he specialized in fuzzing, vulnerability research, and reverse engineering. Over the years, Patrick has created multiple fuzzers, found hundreds of bugs, and published various blog posts/videos/tools on topics like Rust, Go, Blockchain, WebAssembly, and Browser security. Patrick is a regular speaker and trainer at various security conferences around the globe, including BlackHat USA, OffensiveCon, REcon, RingZer0, PoC, ToorCon, hack.lu, NorthSec, SSTIC, and others.

Kylian boulard de Pouqueville is a security researcher at FuzzingLabs, specializing in vulnerability research in Windows environment. He began his journey into cybersecurity by diving into malware development (Maldev), which fueled his deep understanding of Windows internals. This expertise led him to FuzzingLabs, where he now focuses on research in both userland and kernel land vulnerabilities in Windows environments.Outside of his research, Kylian enjoys developing low-level software and reverse engineering.

To Register

Click here to register.