After attending "Vulnerability Discovery and Triage Automation" training at POC 2017, I decided to give WinAFL a shot and fuzz Hangul (HWP) which is a Korean word processor. I'd like to thank @richinseattle for helping me through the WinAFL fuzzing process.

I knew from past research that Hangul integrates a security module named HncAppShield, which scans .hwp files for malicious payloads and the like before the document is parsed and shown to the user. Because this module is relatively new and is not developed by Hancom, it seemed to me a good fuzzing target.

Version #1

To use WinAFL, you have to locate a specific function to fuzz, since WinAFL uses a persistent fuzzing mode that instruments the target function to run in a loop without restarting the process. In HncAppShield's case the module is a DLL, so I created a simple loader that loads the DLL and calls AppShield_InspectMalware() with the fuzzing input. AppShield_InspectMalware() is an exported function that receives a file path as an argument. I chose this function as my first WinAFL fuzzing target.
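A minimal harness of the kind described above, written here as an added example rather than the post's own loader: it loads the DLL, resolves the export, and wraps the call in one function that WinAFL can re-run in a loop. The DLL file name HncAppShield.dll and the prototype int AppShield_InspectMalware(const char *path) are assumptions, since the post only says the export takes a file path; fake_inspect is a constructed stand-in so the harness can be exercised without the DLL.

```c
/* WinAFL persistent-mode harness skeleton (added example, not from the post).
 * Assumed: DLL is HncAppShield.dll, export is int AppShield_InspectMalware(const char *).
 * Build with MSVC on Windows; the loop target for WinAFL is fuzz_one()
 * (-target_method fuzz_one / -target_offset, with -nargs 2). */
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#endif

typedef int (*inspect_fn)(const char *path);   /* assumed prototype */

enum { FUZZ_NO_TARGET = -1, FUZZ_NO_INPUT = -2 };

/* Resolve the export by name. Windows-only, as WinAFL itself is. */
inspect_fn resolve_target(const char *dll, const char *export_name) {
#ifdef _WIN32
    HMODULE h = LoadLibraryA(dll);
    if (!h) return NULL;
    return (inspect_fn)GetProcAddress(h, export_name);
#else
    (void)dll; (void)export_name;
    return NULL;
#endif
}

/* One fuzz iteration. WinAFL records the arguments on the first call and
 * re-invokes this function with them; it must return normally every time
 * (no exit(), no longjmp) or the persistent loop breaks. */
int fuzz_one(inspect_fn target, const char *path) {
    if (!target) return FUZZ_NO_TARGET;
    /* Confirm the input is readable first, so a missing file shows up as a
     * harness error and is not mistaken for scanner behaviour. */
    FILE *f = fopen(path, "rb");
    if (!f) return FUZZ_NO_INPUT;
    fclose(f);
    return target(path);
}

/* Constructed stand-in for the real export: returns the input size in bytes. */
int fake_inspect(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    int n = 0;
    while (fgetc(f) != EOF) n++;
    fclose(f);
    return n;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s <input.hwp>\n", argv[0]); return 2; }
    inspect_fn target = resolve_target("HncAppShield.dll", "AppShield_InspectMalware");
    if (!target) { fprintf(stderr, "could not resolve target export\n"); return 2; }
    printf("scanner returned %d\n", fuzz_one(target, argv[1]));
    return 0;
}
```

Run it under WinAFL with the input path given as `@@`, so every iteration re-reads the file WinAFL rewrites.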