Abstract
Directed greybox fuzzing (DGF) has proven effective in vulnerability discovery, but most efforts focus on the Linux platform, with substantially less attention devoted to Windows platform due to its closed-source and GUI software nature. This paper proposes WinDGF, a novel directed greybox fuzzer for Windows applications that addresses challenges including target function localization in persistent testing, GUI bypassing, and fitness metric calculation. WinDGF offers two modes: WinDGF_path, which guides fuzzing towards specific execution paths by iteratively reducing path distances, ideal for deep exploration in complex programs, and WinDGF_keyblock, which enhances defect identification by maximizing key-block coverage, suitable for focused and rapid testing in security-critical parts of applications. By flexibly selecting the appropriate mode, users can optimize their testing strategies based on different objectives, enhancing the effectiveness and efficiency of the tests. This paper evaluates the overall performance and crash reproduction capabilities of WinDGF against WinAFL and Winnie across 10 Windows applications. The results demonstrate that WinDGF substantially enhances test case exploration and vulnerability detection capabilities. Compared to WinAFL, WinDGF_path and WinDGF_keyblock show an average increases of 31.72% and 79.48% , respectively, in the number of unique crashes discovered. Moreover, relative to Winnie, WinDGF achieves further improvements of 5.96% and 33.25%, respectively. WinDGF also successfully reproduces 11 known crash points, highlighting its targeted fuzzing capabilities.