feszer 1.0 - An MSVCRT.dll fuzzer
fes@atstake.com
@stake, Inc.

Overview:
The feszer is a pass-through for MSVCRT.dll that logs the parameters passed to certain functions.  The feszer was designed to help detect format string vulnerabilities and buffer overflows in an auditing environment.

The feszer forwards most functions directly to the real MSVCRT.dll, while trapping some functions according to registry entries.  Information about the parameters to these functions is logged.

For instance, the feszer can be configured to log calls to _snprintf().  The feszer will log the program name, the output buffer address, n, and the format string.  It then passes through to the real _snprintf() function, and logs the output buffer contents on return.
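
The log-call-log sequence described above, as an added example in portable C (not feszer's own code).  The names traced_snprintf, audit and audit_log are hypothetical, standard vsnprintf stands in for the real MSVCRT function, and the log is kept in memory rather than written to LogDir.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory log; feszer itself writes log files under LogDir. */
static char audit_log[1024];

/* Append one formatted record to audit_log, truncating when it is full. */
static void audit(const char *fmt, ...)
{
    size_t used = strlen(audit_log);
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(audit_log + used, sizeof audit_log - used, fmt, ap);
    va_end(ap);
}

/* Hypothetical pass-through: log the arguments, call the real function,
   then log what it left in the output buffer. */
int traced_snprintf(const char *prog, char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    int ret;

    /* The traced format string is logged as data via "%s", never as a format. */
    audit("%s: snprintf(buf=%p, n=%lu, fmt=\"%s\")\n",
          prog, (void *)buf, (unsigned long)n, fmt);

    va_start(ap, fmt);
    ret = vsnprintf(buf, n, fmt, ap);   /* the real call */
    va_end(ap);

    /* C99 vsnprintf NUL-terminates on success whenever n > 0, so buf is safe
       to print.  MSVCRT's _snprintf does not terminate on truncation; a
       wrapper around it must bound this read by n instead. */
    audit("%s: snprintf returned %d, buf=\"%s\"%s\n", prog, ret,
          (n && ret >= 0) ? buf : "",
          (ret >= 0 && (size_t)ret >= n) ? " [truncated]" : "");
    return ret;
}

const char *audit_log_text(void) { return audit_log; }

int main(void)
{
    char out[8];   /* deliberately too small for the constructed input */
    traced_snprintf("FTP.EXE", out, sizeof out, "user=%s", "anonymous");
    fputs(audit_log_text(), stdout);
    return 0;
}
```

In an audit, the two records are read together: a logged format string that contains caller-supplied text points at a format string problem, and a return value at or above n points at output that did not fit the buffer.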

Details:
The feszer currently supports logging the following functions:
fprintf
printf
_snprintf
sprintf
vfprintf
vprintf
_vsnprintf
vsprintf
fwprintf
wprintf
_snwprintf
swprintf
vfwprintf
vwprintf
_vsnwprintf
vswprintf
strcpy
strcat
wcscat
wcscpy
system

feszer registry keys include:
[HKEY_LOCAL_MACHINE\SOFTWARE\feszer]
"LogDir"="d:\\feszer_logs"
"LogAll"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\feszer\Globals]
"sprintf"=dword:00000000
"_vsnprintf"=dword:00000000
"_vsnwprintf"=dword:00000000
.
.
.

[HKEY_LOCAL_MACHINE\SOFTWARE\feszer\Programs]

[HKEY_LOCAL_MACHINE\SOFTWARE\feszer\Programs\CMD.EXE]
"sprintf"=dword:00000000
"_vsnprintf"=dword:00000000
"_vsnwprintf"=dword:00000000
.
.
.

LogDir specifies a location for feszer logs.  By default, all logs are sent to either the user's temp directory, or the system temp directory.  The LogAll value enables logging for any program linked to MSVCRT.dll, and any function the feszer supports.  Under the Globals key, you can enable logging of a specific function for all programs.  Under Programs, create a subkey named after the program, with a value for each function name set to enabled (dword:00000001) or disabled (dword:00000000), for fine-grained logging.

Installation:
Copy your current MSVCRT.dll to fescrt.dll in winnt\system32.  Replace MSVCRT.dll with the feszer copy included in this distribution.  Alternatively, you can use the installer provided to accomplish this.

Disclaimer:
There is no warranty whatsoever, and neither @stake nor I will be held liable for anything related to the use of this utility.

Sample .reg file:
--- feszer.reg ---
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\feszer]
"LogDir"="d:\\feszer_logs"
"LogAll"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\feszer\Globals]
"sprintf"=dword:00000000
"_vsnprintf"=dword:00000000
"_vsnwprintf"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\feszer\Programs]

[HKEY_LOCAL_MACHINE\SOFTWARE\feszer\Programs\FTP.EXE]
"sprintf"=dword:00000001
"_snprintf"=dword:00000001
"printf"=dword:00000001
"wprintf"=dword:00000001
"fprintf"=dword:00000001
"vfprintf"=dword:00000001
"_vsnprintf"=dword:00000001
"vsprintf"=dword:00000001
"fwprintf"=dword:00000001
"_snwprintf"=dword:00000001
"swprintf"=dword:00000001
"vfwprintf"=dword:00000001
"_vsnwprintf"=dword:00000001
"vswprintf"=dword:00000001
"strcat"=dword:00000001
"strcpy"=dword:00000001
"wcscat"=dword:00000001
"wcscpy"=dword:00000001
"system"=dword:00000001
--- feszer.reg ---


