Fuzzing para-virtualized devices in Hyper-V

A general approach to fuzzing virtual devices is to find the VMBus channel available to a VSC (Virtualization Service Client) in the guest and use it to send malformed data to the VSP (Virtualization Service Provider) in the host. The summarized (and generic) flow is:

A kernel debugger and the command “ ” can be used to list the devices available on the top of VMBus inside a guest:

Now that we’ve established VMBus as an interesting attack vector and learned how to use it, we can discuss one of the virtual devices making use of it: VPCI. After that, the reference to the channel is saved in the FDO context:

Now that we understand how VPCI sets up its VMBus channel, a simple strategy to get a reference and use it for fuzzing is to use an upper filter driver for VPCI.

Source: blogs.technet.microsoft.com