Peach模糊测试工具使用指南<\/h1>

1. Peach简介<\/h2>

Peach是一个功能强大的模糊测试框架，支持多种版本：<\/p>

Peach2<\/strong>：使用Python2编写，环境搭建困难且文档较少<\/li>

Peach3<\/strong>和Peach4<\/strong>：使用C#编写，本文主要分析Peach4<\/li> <\/ul>
2. 环境搭建<\/h2>
2.1 准备工作<\/h3>

安装TypeScript 1.8以下版本：
npm install -g typescript@1.8 <\/code><\/pre> <\/li> 安装Ruby 3.4，但环境变量指向Ruby2.7\/bin目录<\/li> 使用管理员权限安装： Java<\/li> xsltprocs<\/li> git<\/li> <\/ul> <\/li> 安装最新版doxygen<\/li> 安装Visual C++ Redistributable for Visual Studio 2012 Update 4<\/li> <\/ol> 2.2 编译环境<\/h3> 使用命令生成sln文件： waf.bat msvs2017 <\/code><\/pre> <\/li> 将启动项目设为peach<\/li> 为peach项目指定pit文件作为命令行参数<\/li> <\/ol> 3. PIT文件基础<\/h2> PIT文件是XML格式的配置文件，包含三个基本元素：<\/p> DataModel<\/strong>：定义协议格式<\/li> StateModel<\/strong>：定义协议状态机<\/li> Test<\/strong>：指定运行时配置<\/li> <\/ol> 3.1 DataModel通用参数<\/h3> name<\/code>：元素标识<\/li> mutable<\/code>：是否变异（默认true）<\/li> occur<\/code>相关参数： minOccurs<\/code>：最少出现次数（默认1）<\/li> maxOccurs<\/code>：最多出现次数（默认1）<\/li> occurs<\/code>：实际出现次数（默认1）<\/li> <\/ul> <\/li> <\/ul> 4. DataModel元素类型<\/h2> 4.1 Block<\/h3> 用于统一操作多个元素<\/li> 关键参数： ref<\/code>：引用其他Block或DataModel<\/li> <\/ul> <\/li> <\/ul> 4.2 Number<\/h3> 定义整数（字节码数据）<\/li> 关键参数： size<\/code>：bit为单位（最大64）<\/li> signed<\/code>：是否有符号（默认false）<\/li> endian<\/code>：大小端（默认小端）<\/li> value<\/code>：默认值<\/li> valueType<\/code>：值格式（string或hex，默认string）<\/li> <\/ul> <\/li> <\/ul> 4.3 Double<\/h3> 定义浮点数<\/li> 关键参数： size<\/code>：32或64 bit<\/li> signed<\/code>：是否有符号<\/li> endian<\/code>：大小端<\/li> value<\/code>：默认值（支持科学计数法）<\/li> valueType<\/code>：值格式<\/li> <\/ul> <\/li> <\/ul> 4.4 Blob<\/h3> 定义数据块<\/li> 关键参数： length<\/code>：长度<\/li> lengthType<\/code>：bytes或bits（默认bytes）<\/li> value<\/code>：默认值<\/li> valueType<\/code>：值格式<\/li> token<\/code>：是否为token（默认false）<\/li> <\/ul> <\/li> <\/ul> 4.5 Choice<\/h3> 包含多个子元素<\/li> 变异时从子元素中选择一个<\/li> 建议将子元素的mutable<\/code>设为false<\/li> <\/ul> 4.6 Flag<\/h3> 本质上是Number<\/li> 通过Flags包裹可支持数组相关变异策略<\/li> <\/ul> 4.7 Padding<\/h3> 填充数据包<\/li> 关键参数： alignment<\/code>：对齐bit数（默认8）<\/li> alignedTo<\/code>：指定对齐元素<\/li> minSize<\/code>：最少填充bit数（默认0）<\/li> <\/ul> <\/li> <\/ul> 4.8 String<\/h3> 定义字符串<\/li> 关键参数： length<\/code>：长度<\/li> lengthType<\/code>：bytes、bits或chars（默认bytes）<\/li> nullTerminated<\/code>：是否以00结尾（默认false）<\/li> padCharacter<\/code>：填充字符<\/li> type<\/code>：编码类型（默认utf8）<\/li> value<\/code>：默认值<\/li> valueType<\/code>：值格式<\/li> <\/ul> <\/li> <\/ul> 5. Relation元素<\/h2> 用于统计其他字段信息：<\/p> 5.1 长度计算<\/h3> <Relation<\/span> type=<\/span>"size"<\/span> of=<\/span>"元素名"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre>5.2 表达式运算<\/h3> <Relation<\/span> type=<\/span>"size"<\/span> of=<\/span>"元素名"<\/span> <\/span><\/span> expressionSet=<\/span>"size*2"<\/span> <\/span><\/span> expressionGet=<\/span>"size\/2"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre>5.3 重复次数计算<\/h3> <Relation<\/span> type=<\/span>"count"<\/span> of=<\/span>"元素名"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre>5.4 偏移计算<\/h3> 相对于数据包头部： <Relation<\/span> type=<\/span>"offset"<\/span> of=<\/span>"元素名"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre><\/li> 相对于Relation所在元素： <Relation<\/span> type=<\/span>"offset"<\/span> of=<\/span>"元素名"<\/span> relative=<\/span>"true"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre><\/li> 相对于指定元素： <Relation<\/span> type=<\/span>"offset"<\/span> of=<\/span>"元素名"<\/span> from=<\/span>"参考元素"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 6. Fixup功能<\/h2> 6.1 校验和计算<\/h3> <Fixup<\/span> class=<\/span>"Checksum"<\/span>><\/span> <\/span><\/span> <Param<\/span> name=<\/span>"ref"<\/span> value=<\/span>"待校验元素"<\/span>\/><\/span> <\/span><\/span> <Param<\/span> name=<\/span>"type"<\/span> value=<\/span>"算法类型"<\/span>\/><\/span> <\/span><\/span><\/Fixup><\/span> <\/span><\/span><\/code><\/pre>6.2 自定义校验和（Python）<\/h3> 编写Python模块： class<\/span> MyChecksum<\/span>: <\/span><\/span> def<\/span> __init__(self): <\/span><\/span> pass<\/span> <\/span><\/span> <\/span><\/span> def<\/span> fixup<\/span>(self, data): <\/span><\/span> # 处理C#类型数据，返回整型<\/span> <\/span><\/span> return<\/span> checksum <\/span><\/span><\/code><\/pre><\/li> 导入模块： <Import<\/span> import=<\/span>"文件名"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre><\/li> 绑定元素： <Fixup<\/span> class=<\/span>"ScriptFixup"<\/span>><\/span> <\/span><\/span> <Param<\/span> name=<\/span>"class"<\/span> value=<\/span>"文件名.类名"<\/span>\/><\/span> <\/span><\/span> <Param<\/span> name=<\/span>"ref"<\/span> value=<\/span>"元素名"<\/span>\/><\/span> <\/span><\/span><\/Fixup><\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 6.3 Hash计算<\/h3> <Fixup<\/span> class=<\/span>"Hash"<\/span>><\/span> <\/span><\/span> <Param<\/span> name=<\/span>"ref"<\/span> value=<\/span>"元素名"<\/span>\/><\/span> <\/span><\/span> <Param<\/span> name=<\/span>"type"<\/span> value=<\/span>"算法类型"<\/span>\/><\/span> <\/span><\/span><\/Fixup><\/span> <\/span><\/span><\/code><\/pre>6.4 序列号生成<\/h3> 递增序列号： <Fixup<\/span> class=<\/span>"Sequence"<\/span>><\/span> <\/span><\/span> <Param<\/span> name=<\/span>"ref"<\/span> value=<\/span>"元素名"<\/span>\/><\/span> <\/span><\/span> <Param<\/span> name=<\/span>"type"<\/span> value=<\/span>"increment"<\/span>\/><\/span> <\/span><\/span><\/Fixup><\/span> <\/span><\/span><\/code><\/pre><\/li> 随机序列号： <Fixup<\/span> class=<\/span>"Sequence"<\/span>><\/span> <\/span><\/span> <Param<\/span> name=<\/span>"ref"<\/span> value=<\/span>"元素名"<\/span>\/><\/span> <\/span><\/span> <Param<\/span> name=<\/span>"type"<\/span> value=<\/span>"random"<\/span>\/><\/span> <\/span><\/span><\/Fixup><\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 6.5 值拷贝<\/h3> <Fixup<\/span> class=<\/span>"CopyValue"<\/span>><\/span> <\/span><\/span> <Param<\/span> name=<\/span>"ref"<\/span> value=<\/span>"源元素"<\/span>\/><\/span> <\/span><\/span> <Param<\/span> name=<\/span>"from"<\/span> value=<\/span>"目标元素"<\/span>\/><\/span> <\/span><\/span><\/Fixup><\/span> <\/span><\/span><\/code><\/pre>7. Transformer<\/h2> 对元素进行编码：<\/p> <Transformer<\/span> class=<\/span>"编码类型"<\/span>><\/span> <\/span><\/span> <Param<\/span> name=<\/span>"ref"<\/span> value=<\/span>"元素名"<\/span>\/><\/span> <\/span><\/span><\/Transformer><\/span> <\/span><\/span><\/code><\/pre>8. Hint<\/h2> 为字段添加特定变异器：<\/p> <Hint<\/span> name=<\/span>"NumericalString"<\/span>\/><\/span> <\/span><\/span><Hint<\/span> name=<\/span>"TypeTransform"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre>9. 变异器(Mutator)<\/h2> 9.1 状态变异器(StateMutator)<\/h3> ActionDuplicate<\/li> ActionRemove<\/li> ActionSwap<\/li> StateChangeRandom<\/li> <\/ol> 9.2 数据变异器(DataMutator)<\/h3> 在Test标签中使用include<\/code>和exclude<\/code>选择变异器：<\/p> 9.2.1 数组相关<\/h4> ArrayEdgeCase：Sequence且元素数量≠0<\/li> ArrayRandomizeOrder：Sequence且元素数量>1<\/li> ArrayReverseOrder：Sequence且元素数量>1<\/li> ArrayVariance：Sequence且元素数量≠0<\/li> <\/ul> 9.2.2 Blob相关<\/h4> BlobChangeFromNull：Blob且内容不为空<\/li> BlobChangeRandom：Blob且内容不为空<\/li> BlobChangeSpecial：Blob且内容不为空<\/li> BlobChangeToNull：Blob且内容不为空<\/li> BlobExpandAllRandom：Blob<\/li> BlobExpandSingleIncrementing：Blob<\/li> BlobExpandSingleRandom：Blob<\/li> BlobExpandZero：Blob<\/li> BlobReduce：Blob且内容不为空<\/li> <\/ul> 9.2.3 其他重要变异器<\/h4> ChoiceSwitch：Choice且选项>1<\/li> DataElementBitFlipper：所有元素且内容不为空<\/li> DataElementDuplicate：非Choice\/Flag且内容不为空<\/li> DataElementRemove：非Choice\/Flag且父元素不为空<\/li> DataElementSwapNear：非Flag且存在下一个元素<\/li> StringSqlInjection：字符串<\/li> StringUnicode*：多种Unicode相关变异器<\/li> <\/ul> 10. 变异策略(Strategy)<\/h2> 10.1 Sequential<\/h3> 对所有mutable=true<\/code>的元素依次使用所有变异器<\/li> 每次只变异一个元素<\/li> <\/ul> 10.2 RandomStrategy<\/h3> 随机选择最多N个元素进行变异（默认N=6）<\/li> 每个元素随机使用变异器<\/li> <\/ul> 10.3 RandomDeterministicStrategy<\/h3> 随机使用所有变异器<\/li> 依次使用变异器返回的结果<\/li> 每次只变异一个元素<\/li> <\/ul> 11. 实用技巧<\/h2> 调试模式： peach --debug <\/code><\/pre> <\/li> 指定随机种子： peach --seed 123 <\/code><\/pre> <\/li> 第一个数据包为原始数据包，不会变异<\/li> <\/ol> 12. 与Boofuzz对比<\/h2> 特性<\/th> Peach<\/th> Boofuzz<\/th> <\/tr> <\/thead> 变异器数量<\/td> 较多<\/td> 较少<\/td> <\/tr> 变异策略<\/td> Sequential\/Random\/RandomDeterministic<\/td> 单一策略<\/td> <\/tr> 数据定义<\/td> XML格式直观<\/td> 函数调用方式<\/td> <\/tr> 状态定义<\/td> 文档较少<\/td> 直接connect<\/td> <\/tr> 自定义函数<\/td> 需C#类型转换<\/td> Python原生支持<\/td> <\/tr> 结果查看<\/td> 需实时抓包<\/td> SQLite数据库+网页查看<\/td> <\/tr> <\/tbody> <\/table> 13. 总结建议<\/h2> 单一状态网络模糊测试<\/strong>：建议使用Peach<\/li> 多状态或需要自定义函数<\/strong>：建议使用Boofuzz<\/li> 文件格式模糊测试<\/strong>：Peach提供更多专用标签<\/li> <\/ol>

特性<\/th>	Peach<\/th>	Boofuzz<\/th> <\/tr> <\/thead>
变异器数量<\/td>	较多<\/td>	较少<\/td> <\/tr>
变异策略<\/td>	Sequential\/Random\/RandomDeterministic<\/td>	单一策略<\/td> <\/tr>
数据定义<\/td>	XML格式直观<\/td>	函数调用方式<\/td> <\/tr>
状态定义<\/td>	文档较少<\/td>	直接connect<\/td> <\/tr>
自定义函数<\/td>	需C#类型转换<\/td>	Python原生支持<\/td> <\/tr>
结果查看<\/td>	需实时抓包<\/td>	SQLite数据库+网页查看<\/td> <\/tr> <\/tbody> <\/table> 13. 总结建议<\/h2> 单一状态网络模糊测试<\/strong>：建议使用Peach<\/li> 多状态或需要自定义函数<\/strong>：建议使用Boofuzz<\/li> 文件格式模糊测试<\/strong>：Peach提供更多专用标签<\/li> <\/ol>