A collection of (not necessarily useful) Windows Hypervisor Platform experiments in Rust.
The payloadfuzz project experiments with generating payloads in different ways and then executing them within a bare bones protected mode virtual machine.
The reverse nop generator attempts to generate an x64 nop sled in a manner similar to Opty2 in the Metasploit framework. To ensure that the nop sled can be executed from each offset, the nop sled is generated in reverse starting with the last byte and ending with the first byte. Rather than attempting to do this in a smart way, the reverse nop generator simply attempts to brute force the set of valid bytes that can precede other bytes. This is woefully inefficient, but it's a useful example.
This graph provides an example of the valid nop sled byte sequences that were discovered after running this tool for about 12 hours. The graph can be interpreted as "byte X can precede byte Y" (X -> Y). The graph can be generated by using the nopsled_analyzer tool.
To run payloadfuzz, you need Rust nightly installed and need to install and start a local redis server. The redis server is used to store the collection of valid and invalid payloads for a given payloadfuzz session.
rustup default nightly
wsl sudo apt-get install redis-server
wsl redis-server
Use the following steps to clone and build payloadfuzz.
git clone https://github.com/epakskape/whpexp
cd whpexp
git submodule init
git submodule update
cd payloadfuzz
cargo build
To run payloadfuzz, simply specify the generator you wish to use (via -g <generator>) and the number of VMs to run in parallel (via -v <vm count>).
- The authors of the libwhp crate which provided the basis for building this and from which I used code (e.g. from their demo example).