How to Perform Fuzz Tests with IoSpy and IoAttack
Note
IoSpy and IoAttack are no longer available in the WDK after Windows 10 Version 1703.
As an alternative to these tools, consider using the fuzzing tests available in the HLK. Here are a few to consider.
DF - Fuzz random IOCTL test (Reliability)
DF - Fuzz sub-opens test (Reliability)
DF - Fuzz zero length buffer FSCTL test (Reliability)
DF - Fuzz random FSCTL test (Reliability)
DF - Fuzz Misc API test (Reliability)
You can also use the Kernel synchronization delay fuzzing that is included with Driver Verifier.
To perform fuzz tests by using IoSpy and IoAttack, do the following:
Install IoSpy:
To install IoSpy and enable fuzz tests on specific device(s), run the Enable I/O Spy test. The DQ parameter controls which devices the IoSpy filter driver is installed on.
Run IOCTL and WMI tests on the specified devices:
After you restart the test system, IoSpy is ready to filter IOCTL and WMI requests to the devices that were enabled for fuzz tests. You must now exercise the IOCTL and WMI code paths in drivers for these devices by using whatever tests are appropriate. This allows IoSpy to record as many details as possible based on these IOCTL and WMI requests. IoSpy saves these details in the IoSpy Data File.
Uninstall IoSpy:
After you have fully exercised the IOCTL and WMI code paths, you must first uninstall IoSpy before you can run IoAttack to perform the fuzz tests. To uninstall IoSpy, run the Disable I/O Spy test.
This command removes the IoSpy filter driver from all devices that were enabled for fuzz tests. After the command is run, reboot the test system in order to unload the IoSpy filter driver from memory.
Note When you uninstall IoSpy, it will not delete the IoSpy data file. The location of this file is set by the DFD parameter to the Enable I/O Spy test. The default location is %SystemDrive%\DriverTest\IoSpy. For more information, see IoSpy Data File.
Run IoAttack:
The test system is now ready to run the fuzz tests by running the Run I/O Attack test. For more information about how to run IoAttack, see IoAttack.
Note In order to verify the access privileges of your driver's IOCTL and WMI interfaces, you should run IoAttack accounts with different privileges, such as a guest account and an administrator account.