WinPE as a stateless harness for Windows driver testing and fuzzing
4 days ago
- #Driver Testing
- #Windows PE
- #Kernel Debugging
- WinPE provides a lightweight, RAM-based environment ideal for Windows driver testing and fuzzing due to minimal resource overhead and lack of unnecessary graphical components.
- Key boot optimizations include BCD settings like 'ignoreallfailures' and 'recoveryenabled no' to enable fast, idempotent CI/CD pipelines and avoid recovery loops.
- For unsigned driver testing, BCD settings such as 'testsigning yes' and 'hypervisorlaunchtype off' turn off security features such as VBS/HVCI that would otherwise block kernel manipulation.
- QEMU configuration should use the 'pc' (i440FX) profile over 'q35' for stable PCI bus emulation, avoiding complexities of PCIe that can disrupt driver initialization.
- KDNET enables kernel debugging over UDP independently of the network stack, requiring precise PCI bus parameters (e.g., 'busparams 0.16.0') for hardware mapping.
- Deterministic modifications to WinPE involve offline editing of the WIM image via DISM and customizing boot processes (e.g., unattend.xml to disable network initialization).
- Replacing the default shell via 'winpeshl.ini' allows direct execution of test agents, with process termination triggering automatic VM reboot for continuous fuzzing loops.
- The SAC console provides a fallback control channel via serial port emulation when network connectivity is broken, enabling raw system access over TCP.
- Avoiding Hyper-V enlightenments (e.g., 'hv-*' flags) in QEMU CPU configurations is critical to prevent KDNET instability and ensure reliable kernel debugging.
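The BCD points above (the 'ignoreallfailures' / 'recoveryenabled no' boot behaviour, 'testsigning yes' with 'hypervisorlaunchtype off', and the KDNET 'busparams 0.16.0' entry) are easy to get half right when the WIM is rebuilt. The script below is an added example, not code from the post or from any tool it mentions: it parses the text that `bcdedit /store <path> /enum {default}` and `bcdedit /store <path> /enum {dbgsettings}` print and reports every element that deviates from the harness configuration. The two BCD dumps embedded in it are constructed samples, the KDNET key `1.2.3.4` is a placeholder, and the `ems Yes` requirement is this example's assumption that SAC is to be enabled on the same entry.

```shell
#!/bin/sh
# Offline check of a WinPE boot entry and its debugger settings (added example,
# not from the post). Input is the output of 'bcdedit /store <BCD> /enum {default}'
# followed by 'bcdedit /store <BCD> /enum {dbgsettings}'. Both samples below are
# constructed; the KDNET key 1.2.3.4 is a placeholder, not a real key.

BCD_GOOD=$(cat <<'EOF'
Windows Boot Loader
-------------------
identifier              {default}
device                  ramdisk=[boot]\sources\boot.wim,{ramdiskoptions}
path                    \windows\system32\winload.exe
description             WinPE fuzz harness
osdevice                ramdisk=[boot]\sources\boot.wim,{ramdiskoptions}
systemroot              \windows
winpe                   Yes
ems                     Yes
testsigning             Yes
hypervisorlaunchtype    Off
recoveryenabled         No
bootstatuspolicy        IgnoreAllFailures
debug                   Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Net
hostip                  10.0.2.2
port                    50000
key                     1.2.3.4
busparams               0.16.0
EOF
)

# The same image before hardening (constructed): VBS/HVCI still on, recovery still
# enabled, and no busparams, so KDNET would not find the NIC.
BCD_DEFAULT=$(printf '%s\n' "$BCD_GOOD" \
    | sed -e 's/^hypervisorlaunchtype .*/hypervisorlaunchtype    Auto/' \
          -e 's/^recoveryenabled .*/recoveryenabled         Yes/' \
          -e '/^busparams /d')

# Print the value of one BCD element from bcdedit text on stdin (key match is
# case-insensitive, first occurrence wins). Prints nothing if the element is absent.
bcd_get() {   # $1 = element name
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        tolower($1) == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
}

# Compare each required element against its expected value. Prints one line per
# deviation and returns the number of deviations, so 0 means "harness-ready".
check_bcd() {   # $1 = concatenated bcdedit output
    bcd=$1
    failures=0
    for pair in \
        "bootstatuspolicy=ignoreallfailures" \
        "recoveryenabled=no" \
        "testsigning=yes" \
        "hypervisorlaunchtype=off" \
        "ems=yes" \
        "debug=yes" \
        "debugtype=net" \
        "busparams=0.16.0"
    do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$bcd" | bcd_get "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: expected '$want', got '${got:-<unset>}'"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Run the self-check on the constructed samples when invoked with --self-check.
if [ "${1:-}" = "--self-check" ]; then
    check_bcd "$BCD_GOOD" && echo "hardened sample: OK"
    check_bcd "$BCD_DEFAULT" || echo "default sample: $? element(s) wrong"
fi
```

In practice the text comes from the mounted ISO's own store (`\boot\bcd` for BIOS boot, `\efi\microsoft\boot\bcd` for UEFI), saved to a file on the Windows build machine and checked with `check_bcd "$(cat bcd.txt)"` before the image is handed to the VM farm; a non-zero return is a reason to fail the build step rather than discover a recovery loop in the first boot.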
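On the host side, the 'pc' machine type, a KDNET-reachable NIC at a fixed PCI slot, a serial port exposed over TCP for SAC, and a CPU model without 'hv-*' enlightenments all end up on one QEMU command line, and the reboot that WinPE issues when the winpeshl.ini agent exits is what drives the loop. The launcher below is an added example, not the post's own tooling: it builds that argument list as data so it can be checked before launch, refuses to start if an enlightenment or 'q35' slipped in, and restarts the VM from the untouched image after every exit. The ISO path, ports, PCI slot 16 (matching 'busparams 0.16.0'), the choice of 'e1000' as a NIC that KDNET can drive, and the use of QEMU's user-mode networking (where the guest reaches the host at 10.0.2.2) are this example's assumptions.

```shell
#!/bin/sh
# Host-side launcher for a stateless WinPE fuzzing VM under QEMU (added example,
# not from the post). The ISO path, ports, NIC model and PCI slot are assumptions.

WINPE_ISO="${WINPE_ISO:-./winpe-fuzz.iso}"   # ISO built from the customized boot.wim (assumed path)
KDNET_PORT="${KDNET_PORT:-50000}"             # UDP port passed to 'bcdedit /dbgsettings net ... port:'
SAC_PORT="${SAC_PORT:-4555}"                  # host TCP port fronting the guest's COM1 (SAC/EMS)
NIC_SLOT="${NIC_SLOT:-0x10}"                  # PCI slot 16 on bus 0 -> 'busparams 0.16.0' in the guest BCD

# Print the QEMU argument list one argument per line, so it can be inspected and
# checked before anything runs. 'pc' is the i440FX board (plain PCI, no PCIe root
# ports); user-mode networking exposes the host at 10.0.2.2, which is where the
# guest's KDNET hostip points (assumption of this example); '-snapshot' keeps
# all disk writes in a throwaway overlay and '-no-reboot' turns a guest reboot
# into a QEMU exit so the next iteration starts from the pristine image.
build_qemu_args() {
    if [ -w /dev/kvm ]; then
        printf '%s\n' -enable-kvm -cpu host    # plain 'host': no hv-* enlightenments
    else
        printf '%s\n' -cpu qemu64
    fi
    cat <<EOF
-machine
pc
-m
2G
-smp
2
-display
none
-snapshot
-no-reboot
-cdrom
$WINPE_ISO
-boot
d
-netdev
user,id=n0
-device
e1000,netdev=n0,bus=pci.0,addr=$NIC_SLOT
-serial
tcp:127.0.0.1:$SAC_PORT,server,nowait
EOF
}

# Return 0 when the argument list carries neither a Hyper-V enlightenment (hv-* or
# hv_* CPU flag) nor the q35 machine type; both destabilise KDNET per the post.
check_qemu_args() {   # $1 = output of build_qemu_args
    printf '%s\n' "$1" | grep -Eq '(^|,)hv[-_]' && return 1
    printf '%s\n' "$1" | grep -Eq '^(pc-)?q35' && return 1
    return 0
}

# Boot, wait for the agent-triggered reboot to end the QEMU process, boot again.
run_fuzz_loop() {
    args=$(build_qemu_args)
    check_qemu_args "$args" || { echo "[host] refusing to start: hv-* flag or q35 in args" >&2; return 1; }
    iteration=0
    while :; do
        iteration=$((iteration + 1))
        echo "[host] boot #$iteration  KDNET udp/$KDNET_PORT  SAC tcp/$SAC_PORT"
        old_ifs=$IFS
        IFS='
'
        # shellcheck disable=SC2086
        set -- $args                          # split on newlines only; paths may contain spaces
        IFS=$old_ifs
        qemu-system-x86_64 "$@" || { echo "[host] qemu exited with status $?" >&2; sleep 1; }
    done
}

# Only start the loop when explicitly asked, so the file can be sourced for its functions.
if [ "${RUN_FUZZ_LOOP:-0}" = 1 ]; then
    run_fuzz_loop
fi
```

Run it as `RUN_FUZZ_LOOP=1 sh winpe-loop.sh`; attach the debugger to udp/50000 on the host and a terminal to tcp/4555 for SAC. Because each QEMU process starts from the read-only ISO with a fresh overlay, a crash left behind by one fuzz iteration cannot poison the next, which is the stateless property the harness relies on.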