WinPE as a stateless harness for Windows driver testing and fuzzing

a day ago
  • #Fuzzing Automation
  • #Windows PE
  • #Kernel Driver Testing
  • WinPE (Windows Preinstallation Environment) is used as a stateless harness for Windows driver testing and fuzzing, addressing the inefficiencies of full Windows runners in CI/CD pipelines and in dynamic fuzzing of KMDF drivers.
  • The classic approach of using full Windows runners is resource-intensive, non-deterministic, and slow; WinPE instead offers a minimalist environment that runs the real NT kernel entirely in RAM with low memory overhead (as little as 512 MB).
  • Key boot optimizations using BCD (Boot Configuration Data) include setting bootstatuspolicy to ignoreallfailures, recoveryenabled to no, and timeout to 0 for fast, idempotent boots in CI/CD systems.
  • For testing unsigned KMDF drivers, essential BCD settings include testsigning yes (so test-signed drivers are allowed to load), together with hypervisorlaunchtype off and isolatedcontext no, which disable Virtualization-Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI).
  • QEMU hardware topology recommendations favor the older pc (i440FX) machine profile over q35 for simplified PCI bus predictability, avoiding issues with WinPE's built-in network drivers.
  • Network debugging via KDNET requires configuring busparams for precise PCI bus mapping (e.g., 0.16.0) and using supported adapters like Intel PRO/1000 (e1000), as KDNET has a limited list of hardware identifiers.
  • WinPE's idempotency is ensured by booting from a clean WIM image every time; permanent changes require offline editing with DISM, and BCD edits and system image edits are separate steps.
  • Boot time is minimized by disabling NDIS network initialization via an unattend.xml profile and replacing the system shell with a custom test agent in winpeshl.ini; WinPE reboots as soon as the agent exits, which closes the automation loop.
  • The SAC (Special Administration Console) provides a reliable control channel over a serial port emulated by QEMU when network connectivity is broken, since it does not depend on the network stack.
  • Hyper-V enlightenments in QEMU (e.g., hv-relaxed, hv-vapic) destabilize KDNET by interfering with PCI controller interrupts; they should be disabled to maintain kernel debugging stability.
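The following PowerShell script is an added example, not the article's own tooling: it applies the BCD settings from the boot-optimization, test-signing and KDNET bullets to an offline WinPE boot store and installs the winpeshl.ini shell replacement into a DISM-mounted boot.wim. The store path, mount path, agent path and the KDNET host IP, port and key are assumptions or placeholders to replace for your own lab.

```powershell
# Added example (not from the article). Prepares an OFFLINE WinPE image so that
# every CI boot is fast, unattended, test-signing enabled and debuggable over KDNET.
# Assumed paths/values: $Store, $WimMount, the agent path, and the KDNET placeholders.
$Store    = 'D:\WinPE\media\Boot\BCD'   # assumption: the media's offline BCD store
$WimMount = 'C:\mount\winpe'            # assumption: boot.wim mounted via DISM /Mount-Wim
$Entry    = '{default}'                 # the store's single WinPE loader entry

function Set-BcdElement {
    param([string]$Element, [string]$Value)
    & bcdedit.exe /store $Store /set $Entry $Element $Value | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed for $Element $Value" }
}

# Fast, idempotent boot: never drop into recovery and never wait at the boot menu
Set-BcdElement bootstatuspolicy ignoreallfailures
Set-BcdElement recoveryenabled  no
& bcdedit.exe /store $Store /set '{bootmgr}' timeout 0 | Out-Null

# Unsigned KMDF driver under test: allow test-signed code, switch off VBS/HVCI
Set-BcdElement testsigning          yes
Set-BcdElement hypervisorlaunchtype off
Set-BcdElement isolatedcontext      no

# KDNET: pin the debugger NIC by bus.device.function (0.16.0 on the i440FX profile).
# hostip/port/key below are PLACEHOLDERS; the key must match the debugger's key.
& bcdedit.exe /store $Store /dbgsettings net 'hostip:192.0.2.10' 'port:50000' 'key:1.2.3.4' | Out-Null
& bcdedit.exe /store $Store /set '{dbgsettings}' busparams 0.16.0 | Out-Null
& bcdedit.exe /store $Store /debug $Entry on | Out-Null

# Replace the default shell with the test agent (assumed path); when the last
# [LaunchApps] entry exits, WinPE reboots, which restarts the automation loop.
@"
[LaunchApps]
X:\agent\test-agent.exe
"@ | Set-Content -Path (Join-Path $WimMount 'Windows\System32\winpeshl.ini') -Encoding ASCII

# Review the resulting store before committing the image (DISM /Unmount-Wim /Commit)
& bcdedit.exe /store $Store /enum all
```

Run it from an elevated prompt on the build host; the BCD store and the mounted WIM are edited independently, matching the article's point that the two are separate offline steps.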