IOCTL-HAMMER
Abstract
IOCTL-hammer is a lightweight, Python-based fuzzing harness for efficient, targeted security auditing of Windows driver IOCTL interfaces. It lowers the high barrier to entry for kernel driver testing by providing a simple, accessible framework that focuses on the most common vulnerability pattern: buffer mismanagement. The tool adopts a parameter-centric methodology, systematically manipulating the four user-mode buffer descriptors passed to DeviceIoControl (the input buffer pointer and length, and the output buffer pointer and length). It executes a structured, predefined suite of test cases that stress boundary conditions, null-parameter handling, and size discrepancies. This focused approach has proven effective in real-world testing, uncovering multiple zero-day vulnerabilities, including a kernel-to-user heap overflow and denial-of-service conditions (BSODs).
Presented at Black Hat Europe 2025 Arsenal, December 8-11, London. Track: Exploitation and Ethical Hacking.
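The following is an added illustration of the parameter-centric approach described in the abstract; it is example code written for this page, not IOCTL-hammer's own implementation. It assumes the four descriptors are DeviceIoControl's lpInBuffer, nInBufferSize, lpOutBuffer and nOutBufferSize, reads "size discrepancies" as a mismatch between the length declared to the driver and the memory actually allocated, and uses a hypothetical device path and IOCTL code. The case generator is pure Python; only the sender needs Windows.

```python
"""Parameter-centric IOCTL test-case suite with a DeviceIoControl sender.

Added example written for this page; it is not IOCTL-hammer's own code.
Assumptions: the four descriptors are DeviceIoControl's lpInBuffer,
nInBufferSize, lpOutBuffer and nOutBufferSize; the device path and IOCTL
code in __main__ are hypothetical placeholders.
"""
import ctypes
import sys
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

METHOD_BUFFERED, METHOD_IN_DIRECT, METHOD_OUT_DIRECT, METHOD_NEITHER = 0, 1, 2, 3
FILE_DEVICE_UNKNOWN, FILE_ANY_ACCESS = 0x22, 0


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Python port of the CTL_CODE macro from winioctl.h."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


@dataclass(frozen=True)
class IoctlCase:
    name: str
    in_buf: Optional[bytes]   # bytes actually allocated; None -> lpInBuffer = NULL
    in_size: int              # nInBufferSize as declared to the driver
    out_alloc: Optional[int]  # bytes actually allocated; None -> lpOutBuffer = NULL
    out_size: int             # nOutBufferSize as declared to the driver


# Sizes around struct, page and integer-width boundaries, including values that
# wrap 16-bit or signed 32-bit length arithmetic inside a driver.
BOUNDARY_SIZES = (0, 1, 7, 8, 9, 15, 16, 17, 0xFF, 0x100, 0x1000, 0x1001,
                  0xFFFF, 0x7FFFFFFF, 0xFFFFFFFF)
MAX_ALLOC = 0x10000  # cap real allocations; the declared size still carries the big value


def generate_cases(expected_in: int, expected_out: int) -> List[IoctlCase]:
    """Build the predefined suite for one IOCTL, given the input/output sizes
    the driver is believed to expect (from reversing or a known-good call)."""
    filler = b"A" * expected_in
    cases = [
        # Null-parameter handling: NULL pointer with a non-zero declared size.
        IoctlCase("null_in", None, expected_in, expected_out, expected_out),
        IoctlCase("null_out", filler, expected_in, None, expected_out),
        IoctlCase("null_both", None, expected_in, None, expected_out),
    ]
    # Boundary conditions: declared size and allocation agree, the size varies.
    for n in BOUNDARY_SIZES:
        alloc = min(n, MAX_ALLOC)
        cases.append(IoctlCase(f"in_size_{n:#x}", b"A" * alloc, n, expected_out, expected_out))
        cases.append(IoctlCase(f"out_size_{n:#x}", filler, expected_in, alloc, n))
    # Size discrepancies: declared size disagrees with the real allocation, so a
    # driver that trusts the length field reads or writes past the user buffer.
    for delta in (-1, 1, 8, 0x100):
        d_in, d_out = max(0, expected_in + delta), max(0, expected_out + delta)
        cases.append(IoctlCase(f"in_declared_{d_in:#x}_alloc_{expected_in:#x}",
                               filler, d_in, expected_out, expected_out))
        cases.append(IoctlCase(f"out_declared_{d_out:#x}_alloc_{expected_out:#x}",
                               filler, expected_in, expected_out, d_out))
    return cases


def send_case(device_path: str, code: int, case: IoctlCase) -> Tuple[bool, int, int]:
    """Issue one DeviceIoControl call; returns (succeeded, GetLastError, bytes_returned).
    Windows only. Log case.name before calling this: if the driver bugchecks,
    the surviving log identifies the trigger."""
    if sys.platform != "win32":
        raise RuntimeError("DeviceIoControl is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    k32.DeviceIoControl.restype = ctypes.c_int
    k32.DeviceIoControl.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p, ctypes.c_uint32,
                                    ctypes.c_void_p, ctypes.c_uint32,
                                    ctypes.POINTER(ctypes.c_uint32), ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    GENERIC_READ, GENERIC_WRITE, OPEN_EXISTING = 0x80000000, 0x40000000, 3
    h = k32.CreateFileW(device_path, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
    if h is None or h == ctypes.c_void_p(-1).value:  # NULL or INVALID_HANDLE_VALUE
        raise OSError(ctypes.get_last_error(), f"CreateFileW({device_path}) failed")
    # Allocate at least one byte so ctypes never builds a zero-length array; the
    # declared sizes (case.in_size / case.out_size) are what the driver sees.
    in_ptr = None if case.in_buf is None else ctypes.create_string_buffer(case.in_buf, max(len(case.in_buf), 1))
    out_ptr = None if case.out_alloc is None else ctypes.create_string_buffer(max(case.out_alloc, 1))
    returned = ctypes.c_uint32(0)
    try:
        ok = k32.DeviceIoControl(h, code, in_ptr, case.in_size,
                                 out_ptr, case.out_size, ctypes.byref(returned), None)
        return bool(ok), ctypes.get_last_error(), returned.value
    finally:
        k32.CloseHandle(h)


def run_suite(device_path: str, code: int, cases: List[IoctlCase],
              log: Callable[[str], None] = lambda s: print(s, flush=True)) -> None:
    for case in cases:
        log(f"SENDING {case.name}")  # flushed before the call so a BSOD leaves a trace
        ok, err, n = send_case(device_path, code, case)
        log(f"  -> ok={ok} lasterror={err} bytes_returned={n}")


if __name__ == "__main__":
    # Hypothetical target: replace with the real symbolic link and IOCTL code under test.
    code = ctl_code(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS)  # 0x222003
    run_suite(r"\\.\HypotheticalDevice", code, generate_cases(expected_in=16, expected_out=32))
```

The suite is deterministic by design: each case name encodes the descriptor being stressed, and it is logged before the call, so the last line in the log after a reboot names the case that bugchecked the machine. The METHOD_NEITHER transfer type is the interesting one for the discrepancy cases, because the driver receives the raw user pointers and declared lengths and must probe them itself; with METHOD_BUFFERED the I/O manager copies the input first, so an undersized input allocation with an oversized declared length tends to fault in user mode rather than reach the driver.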