A mutation-based fuzzer targeting mpengine.dll — the core scan engine inside Windows Defender. The fuzzer generates malformed PE files, scripts, and documents, submits them to the scan pipeline, and monitors for crashes, hangs, or anomalous behaviour. Built to find memory corruption vulnerabilities suitable for CVE submission via MSRC.
| Component | Function |
|---|---|
| Corpus generator | Mutates PE headers, section tables, import tables, overlay data |
| Submission harness | Triggers Defender scan on each mutated sample via filesystem write |
| Crash monitor | WER integration — captures MsMpEng crash dumps automatically |
| Reproduce engine | Minimises crashing sample to smallest reproducible input |
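The Reproduce engine row describes minimising a crashing sample to the smallest input that still reproduces. As an added illustration (not the project's own code), the block below implements the classic ddmin delta-debugging algorithm together with a cached oracle wrapper; the crash oracle `toy_parser_crashes` and the sample it minimises are constructed stand-ins for the real write-sample-then-check-for-a-crash-dump step.

```python
"""ddmin test-case minimiser for crashing fuzz inputs (added example, not the project's code)."""
from typing import Callable, Dict, Tuple


def ddmin(data: bytes, crashes: Callable[[bytes], bool]) -> bytes:
    """Zeller's ddmin: drop chunks whose removal keeps the failure, refining granularity
    until no single byte can be removed (the result is 1-minimal)."""
    if not crashes(data):
        raise ValueError("seed input must reproduce the failure")
    n = 2  # number of chunks the current input is split into
    while len(data) >= 2:
        chunk = len(data) // n
        reduced = False
        for start in range(0, len(data), chunk):
            complement = data[:start] + data[start + chunk:]  # input with one chunk removed
            if crashes(complement):
                data, n, reduced = complement, max(n - 1, 2), True
                break
        if not reduced:
            if n >= len(data):  # already at single-byte granularity: nothing more to remove
                break
            n = min(n * 2, len(data))  # refine: halve the chunk size
    return data


def is_one_minimal(data: bytes, crashes: Callable[[bytes], bool]) -> bool:
    """True if `data` fails and removing any single byte makes it pass."""
    return crashes(data) and all(
        not crashes(data[:i] + data[i + 1:]) for i in range(len(data))
    )


class CachedOracle:
    """Wraps a slow oracle (a real scan takes seconds) so identical candidates run once."""

    def __init__(self, oracle: Callable[[bytes], bool]) -> None:
        self.oracle = oracle
        self.cache: Dict[bytes, bool] = {}
        self.calls = 0  # number of real oracle invocations

    def __call__(self, data: bytes) -> bool:
        if data not in self.cache:
            self.calls += 1
            self.cache[data] = self.oracle(data)
        return self.cache[data]


# Constructed: stands in for whatever field value triggers the bug in the parser under test.
CRASH_PATTERN = b"\xff\xff\xff\xff"


def toy_parser_crashes(sample: bytes) -> bool:
    """Constructed oracle; in the harness this would be: write file, trigger scan, check WER dump."""
    return CRASH_PATTERN in sample


def demo() -> Tuple[bytes, int, int]:
    """Minimise a constructed 66-byte crashing sample; returns (minimal, oracle calls, original size)."""
    crashing = b"MZ" + b"\0" * 30 + CRASH_PATTERN + b"\0" * 30
    oracle = CachedOracle(toy_parser_crashes)
    minimal = ddmin(crashing, oracle)
    return minimal, oracle.calls, len(crashing)


if __name__ == "__main__":
    minimal, calls, original = demo()
    print(f"{original} bytes -> {len(minimal)} bytes in {calls} oracle calls: {minimal!r}")
```

Against a real scan engine the oracle is the expensive part, which is why the cache and the call counter are worth keeping; the 1-minimality check is a cheap sanity test to run on every minimised sample before it goes into a report.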
First corpus: malformed PE files with corrupted headers, invalid section counts, overlapping sections, import table corruption. MsMpEng handled all inputs without crashing. Result documented — PE parser appears robust against this mutation class.
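The mutation classes named above (corrupted headers, invalid section counts, overlapping sections) are best produced structure-aware, i.e. by parsing the header geometry and writing bad values into the fields that matter, rather than by blind bit-flips. The following is an added example and not the project's corpus generator; it builds a constructed minimal PE32 image so it runs offline, the field offsets follow the PE/COFF layout, and the helper names (`build_sample_pe`, `apply_mutation`, `generate_corpus`) are this example's own.

```python
"""Structure-aware PE header mutator (added example; constructed input, not the project's code)."""
import random
import struct
from typing import Callable, Dict, List, Tuple

E_LFANEW_OFF = 0x3C
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_HDR_SIZE = 40


def build_sample_pe(section_count: int = 2) -> bytes:
    """Constructed minimal PE32: DOS header, COFF header, PE32 optional header, sections, raw data."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFF, 64)  # PE signature directly after the DOS header
    opt_size = 224
    coff = struct.pack(COFF_FMT, 0x14C, section_count, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    headers_end = 64 + 4 + len(coff) + opt_size + SECTION_HDR_SIZE * section_count
    raw_start = (headers_end + 0x1FF) & ~0x1FF  # file-align raw data to 0x200
    sections = b""
    for i in range(section_count):
        name = f".s{i}".encode().ljust(8, b"\0")
        sections += struct.pack(SECTION_FMT, name, 0x200, 0x1000 * (i + 1), 0x200,
                                raw_start + 0x200 * i, 0, 0, 0, 0, 0x60000020)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections
    image += b"\0" * (raw_start - len(image))
    return image + b"\x90" * (0x200 * section_count)


def header_offsets(pe: bytes) -> Dict[str, int]:
    """Locate the COFF header and section table by following e_lfanew."""
    e_lfanew = struct.unpack_from("<I", pe, E_LFANEW_OFF)[0]
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    return {"e_lfanew": e_lfanew, "coff": coff, "sections": coff + 20 + opt_size, "nsec": nsec}


def section_count(pe: bytes) -> int:
    return header_offsets(pe)["nsec"]


def section_raw_pointers(pe: bytes) -> List[int]:
    """PointerToRawData of every section header that physically fits in the file."""
    h = header_offsets(pe)
    ptrs = []
    for i in range(h["nsec"]):
        off = h["sections"] + SECTION_HDR_SIZE * i + 20
        if off + 4 > len(pe):
            break
        ptrs.append(struct.unpack_from("<I", pe, off)[0])
    return ptrs


def corrupt_section_count(pe: bytes, rng: random.Random) -> bytes:
    """Invalid section count: zero, or far more sections than the file can hold."""
    h, out = header_offsets(pe), bytearray(pe)
    struct.pack_into("<H", out, h["coff"] + 2, rng.choice([0, 0xFFFF, h["nsec"] + 200]))
    return bytes(out)


def overlap_sections(pe: bytes, rng: random.Random) -> bytes:
    """Overlapping sections: point one section's raw data at another section's."""
    h, out = header_offsets(pe), bytearray(pe)
    if h["nsec"] < 2:
        return pe
    src, dst = rng.sample(range(h["nsec"]), 2)
    src_ptr = struct.unpack_from("<I", pe, h["sections"] + SECTION_HDR_SIZE * src + 20)[0]
    struct.pack_into("<I", out, h["sections"] + SECTION_HDR_SIZE * dst + 20, src_ptr)
    return bytes(out)


def oversize_raw_data(pe: bytes, rng: random.Random) -> bytes:
    """SizeOfRawData that extends far past the end of the file."""
    h, out = header_offsets(pe), bytearray(pe)
    i = rng.randrange(h["nsec"])
    struct.pack_into("<I", out, h["sections"] + SECTION_HDR_SIZE * i + 16,
                     rng.choice([0xFFFFFFFF, len(pe) * 2]))
    return bytes(out)


def corrupt_header_geometry(pe: bytes, rng: random.Random) -> bytes:
    """Corrupted headers: e_lfanew or SizeOfOptionalHeader that no longer fits the file."""
    h, out = header_offsets(pe), bytearray(pe)
    if rng.random() < 0.5:
        struct.pack_into("<I", out, E_LFANEW_OFF, rng.choice([0, len(pe) - 2, 0xFFFFFFF0]))
    else:
        struct.pack_into("<H", out, h["coff"] + 16, rng.choice([0, 0xFFFF]))
    return bytes(out)


MUTATORS: Dict[str, Callable[[bytes, random.Random], bytes]] = {
    f.__name__: f for f in (corrupt_section_count, overlap_sections,
                            oversize_raw_data, corrupt_header_geometry)
}


def apply_mutation(pe: bytes, name: str, seed: int = 0) -> bytes:
    """Apply one named mutation deterministically (seeded), so a sample can be regenerated."""
    return MUTATORS[name](pe, random.Random(seed))


def generate_corpus(seed_pe: bytes, count: int, seed: int = 0) -> List[Tuple[str, bytes]]:
    """Produce `count` single-mutation samples from a valid seed, each labelled with its class."""
    rng = random.Random(seed)
    corpus = []
    for _ in range(count):
        name = rng.choice(sorted(MUTATORS))
        corpus.append((name, MUTATORS[name](seed_pe, rng)))
    return corpus


if __name__ == "__main__":
    for label, sample in generate_corpus(build_sample_pe(), 4, seed=1):
        print(label, len(sample), section_count(sample))
```

Labelling every sample with its mutation class and seed is what makes the "PE parser appears robust against this mutation class" conclusion defensible: the corpus can be regenerated exactly, and a null result can be stated per class rather than for "malformed PEs" in general.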
VBScript/JScript emulation, Office macro parsing, PDF stream handling, and ZIP/Cabinet decompression. These parser paths have historically yielded memory corruption vulnerabilities in AV engines.
AV engine parsers run at high privilege and process untrusted input — a memory corruption bug in mpengine.dll could allow privilege escalation from standard user to SYSTEM via a malformed file. Finding such bugs through structured fuzzing and reporting them to MSRC is the highest-value contribution a solo researcher can make.