ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 11:08:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #833 from WorksButNotTested/frida

Browse Source 
Frida
This commit is contained in:
van Hauser
2021-03-25 19:42:27 +01:00
committed by GitHub
parent 0029c1a83e 1725e6be31
commit 00a53a870d
24 changed files with 1803 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
src/afl-analyze.c
View File

@ -83,6 +83,7 @@ static volatile u8 stop_soon, /* Ctrl-C pressed? */
child_timed_out; /* Child timed out? */
static u8 *target_path;
static u8 frida_mode;
static u8 qemu_mode;
static u32 map_size = MAP_SIZE;
@ -717,9 +718,11 @@ static void handle_stop_sig(int sig) {
/* Do basic preparations - persistent fds, filenames, etc. */
static void set_up_environment(void) {
static void set_up_environment(char **argv) {
u8 *x;
u8 * x;
char *afl_preload;
char *frida_afl_preload = NULL;
dev_null_fd = open("/dev/null", O_RDWR);
if (dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); }
@ -824,6 +827,25 @@ static void set_up_environment(void) {
/* afl-qemu-trace takes care of converting AFL_PRELOAD. */
} else if (frida_mode) {
afl_preload = getenv("AFL_PRELOAD");
u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so");
if (afl_preload) {
frida_afl_preload = alloc_printf("%s:%s", afl_preload, frida_binary);
} else {
frida_afl_preload = alloc_printf("%s", frida_binary);
}
ck_free(frida_binary);
setenv("LD_PRELOAD", frida_afl_preload, 1);
setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1);
} else {
setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1);
@ -831,8 +853,17 @@ static void set_up_environment(void) {
}
} else if (frida_mode) {
u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so");
setenv("LD_PRELOAD", frida_binary, 1);
setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1);
ck_free(frida_binary);
}
if (frida_afl_preload) { ck_free(frida_afl_preload); }
}
/* Setup signal handlers, duh. */
@ -872,6 +903,7 @@ static void usage(u8 *argv0) {
" -f file - input file read by the tested program (stdin)\n"
" -t msec - timeout for each run (%u ms)\n"
" -m megs - memory limit for child process (%u MB)\n"
" -O - use binary-only instrumentation (FRIDA mode)\n"
" -Q - use binary-only instrumentation (QEMU mode)\n"
" -U - use unicorn-based instrumentation (Unicorn mode)\n"
" -W - use qemu-based instrumentation with Wine (Wine "
@ -914,7 +946,7 @@ int main(int argc, char **argv_orig, char **envp) {
SAYF(cCYA "afl-analyze" VERSION cRST " by Michal Zalewski\n");
while ((opt = getopt(argc, argv, "+i:f:m:t:eQUWh")) > 0) {
while ((opt = getopt(argc, argv, "+i:f:m:t:eOQUWh")) > 0) {
switch (opt) {
@ -1008,6 +1040,14 @@ int main(int argc, char **argv_orig, char **envp) {
break;
case 'O': /* FRIDA mode */
if (frida_mode) { FATAL("Multiple -O options not supported"); }
frida_mode = 1;
break;
case 'Q':
if (qemu_mode) { FATAL("Multiple -Q options not supported"); }
@ -1062,7 +1102,7 @@ int main(int argc, char **argv_orig, char **envp) {
atexit(at_exit_handler);
setup_signal_handlers();
set_up_environment();
set_up_environment(argv);
target_path = find_binary(argv[optind]);
detect_file_args(argv + optind, prog_in, &use_stdin);

7
src/afl-fuzz-init.c
View File

@ -2692,7 +2692,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
#endif /* ^!__APPLE__ */
if (!afl->fsrv.qemu_mode && !afl->unicorn_mode &&
if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode && !afl->unicorn_mode &&
!afl->non_instrumented_mode &&
!memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) {
@ -2720,7 +2720,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
}
if ((afl->fsrv.qemu_mode) &&
if ((afl->fsrv.qemu_mode || afl->fsrv.frida_mode) &&
memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) {
SAYF("\n" cLRD "[-] " cRST
@ -2757,7 +2757,8 @@ void check_binary(afl_state_t *afl, u8 *fname) {
}
if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) {
if (afl->fsrv.frida_mode ||
memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) {
OKF(cPIN "Deferred forkserver binary detected.");
setenv(DEFER_ENV_VAR, "1", 1);

52
src/afl-fuzz.c
View File

@ -109,6 +109,7 @@ static void usage(u8 *argv0, int more_help) {
"maximum.\n"
" -m megs - memory limit for child process (%u MB, 0 = no limit "
"[default])\n"
" -O - use binary-only instrumentation (FRIDA mode)\n"
" -Q - use binary-only instrumentation (QEMU mode)\n"
" -U - use unicorn-based instrumentation (Unicorn mode)\n"
" -W - use qemu-based instrumentation with Wine (Wine "
@ -329,6 +330,8 @@ int main(int argc, char **argv_orig, char **envp) {
u8 *extras_dir[4];
u8 mem_limit_given = 0, exit_1 = 0, debug = 0,
extras_dir_cnt = 0 /*, have_p = 0*/;
char * afl_preload;
char * frida_afl_preload = NULL;
char **use_argv;
struct timeval tv;
@ -372,7 +375,7 @@ int main(int argc, char **argv_orig, char **envp) {
while ((opt = getopt(
argc, argv,
"+b:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNo:p:RQs:S:t:T:UV:Wx:Z")) > 0) {
"+b:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOo:p:RQs:S:t:T:UV:Wx:Z")) > 0) {
switch (opt) {
@ -764,6 +767,18 @@ int main(int argc, char **argv_orig, char **envp) {
afl->use_banner = optarg;
break;
case 'O': /* FRIDA mode */
if (afl->fsrv.frida_mode) {
FATAL("Multiple -O options not supported");
}
afl->fsrv.frida_mode = 1;
break;
case 'Q': /* QEMU mode */
if (afl->fsrv.qemu_mode) { FATAL("Multiple -Q options not supported"); }
@ -1118,6 +1133,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->non_instrumented_mode) {
if (afl->crash_mode) { FATAL("-C and -n are mutually exclusive"); }
if (afl->fsrv.frida_mode) { FATAL("-O and -n are mutually exclusive"); }
if (afl->fsrv.qemu_mode) { FATAL("-Q and -n are mutually exclusive"); }
if (afl->unicorn_mode) { FATAL("-U and -n are mutually exclusive"); }
@ -1322,6 +1338,25 @@ int main(int argc, char **argv_orig, char **envp) {
/* afl-qemu-trace takes care of converting AFL_PRELOAD. */
} else if (afl->fsrv.frida_mode) {
afl_preload = getenv("AFL_PRELOAD");
u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so");
if (afl_preload) {
frida_afl_preload = alloc_printf("%s:%s", afl_preload, frida_binary);
} else {
frida_afl_preload = alloc_printf("%s", frida_binary);
}
ck_free(frida_binary);
setenv("LD_PRELOAD", frida_afl_preload, 1);
setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1);
} else {
setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1);
@ -1329,6 +1364,13 @@ int main(int argc, char **argv_orig, char **envp) {
}
} else if (afl->fsrv.frida_mode) {
u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so");
setenv("LD_PRELOAD", frida_binary, 1);
setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1);
ck_free(frida_binary);
}
if (getenv("AFL_LD_PRELOAD")) {
@ -1512,7 +1554,8 @@ int main(int argc, char **argv_orig, char **envp) {
}
if (!afl->fsrv.qemu_mode && !afl->non_instrumented_mode) {
if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode &&
!afl->non_instrumented_mode) {
check_binary(afl, afl->cmplog_binary);
@ -1563,7 +1606,8 @@ int main(int argc, char **argv_orig, char **envp) {
}
if (afl->non_instrumented_mode || afl->fsrv.qemu_mode || afl->unicorn_mode) {
if (afl->non_instrumented_mode || afl->fsrv.qemu_mode ||
afl->fsrv.frida_mode || afl->unicorn_mode) {
map_size = afl->fsrv.map_size = MAP_SIZE;
afl->virgin_bits = ck_realloc(afl->virgin_bits, map_size);
@ -2124,6 +2168,8 @@ stop_fuzzing:
}
if (frida_afl_preload) { ck_free(frida_afl_preload); }
fclose(afl->fsrv.plot_file);
destroy_queue(afl);
destroy_extras(afl);

45
src/afl-showmap.c
View File

@ -555,8 +555,10 @@ static void handle_stop_sig(int sig) {
/* Do basic preparations - persistent fds, filenames, etc. */
static void set_up_environment(afl_forkserver_t *fsrv) {
static void set_up_environment(afl_forkserver_t *fsrv, char **argv) {
char *afl_preload;
char *frida_afl_preload = NULL;
setenv("ASAN_OPTIONS",
"abort_on_error=1:"
"detect_leaks=0:"
@ -600,6 +602,25 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
/* afl-qemu-trace takes care of converting AFL_PRELOAD. */
} else if (fsrv->frida_mode) {
afl_preload = getenv("AFL_PRELOAD");
u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so");
if (afl_preload) {
frida_afl_preload = alloc_printf("%s:%s", afl_preload, frida_binary);
} else {
frida_afl_preload = alloc_printf("%s", frida_binary);
}
ck_free(frida_binary);
setenv("LD_PRELOAD", frida_afl_preload, 1);
setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1);
} else {
setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1);
@ -607,8 +628,17 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
}
} else if (fsrv->frida_mode) {
u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so");
setenv("LD_PRELOAD", frida_binary, 1);
setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1);
ck_free(frida_binary);
}
if (frida_afl_preload) { ck_free(frida_afl_preload); }
}
/* Setup signal handlers, duh. */
@ -655,6 +685,7 @@ static void usage(u8 *argv0) {
"Execution control settings:\n"
" -t msec - timeout for each run (none)\n"
" -m megs - memory limit for child process (%u MB)\n"
" -O - use binary-only instrumentation (FRIDA mode)\n"
" -Q - use binary-only instrumentation (QEMU mode)\n"
" -U - use Unicorn-based instrumentation (Unicorn mode)\n"
" -W - use qemu-based instrumentation with Wine (Wine mode)\n"
@ -723,7 +754,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (getenv("AFL_QUIET") != NULL) { be_quiet = 1; }
while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZQUWbcrsh")) > 0) {
while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOQUWbcrsh")) > 0) {
switch (opt) {
@ -857,6 +888,14 @@ int main(int argc, char **argv_orig, char **envp) {
at_file = optarg;
break;
case 'O': /* FRIDA mode */
if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); }
fsrv->frida_mode = 1;
break;
case 'Q':
if (fsrv->qemu_mode) { FATAL("Multiple -Q options not supported"); }
@ -943,7 +982,7 @@ int main(int argc, char **argv_orig, char **envp) {
shm.cmplog_mode = 0;
setup_signal_handlers();
set_up_environment(fsrv);
set_up_environment(fsrv, argv);
fsrv->target_path = find_binary(argv[optind]);
fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);

47
src/afl-tmin.c
View File

@ -640,9 +640,11 @@ static void handle_stop_sig(int sig) {
/* Do basic preparations - persistent fds, filenames, etc. */
static void set_up_environment(afl_forkserver_t *fsrv) {
static void set_up_environment(afl_forkserver_t *fsrv, char **argv) {
u8 *x;
u8 * x;
char *afl_preload;
char *frida_afl_preload = NULL;
fsrv->dev_null_fd = open("/dev/null", O_RDWR);
if (fsrv->dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); }
@ -755,6 +757,25 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
/* afl-qemu-trace takes care of converting AFL_PRELOAD. */
} else if (fsrv->frida_mode) {
afl_preload = getenv("AFL_PRELOAD");
u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so");
if (afl_preload) {
frida_afl_preload = alloc_printf("%s:%s", afl_preload, frida_binary);
} else {
frida_afl_preload = alloc_printf("%s", frida_binary);
}
ck_free(frida_binary);
setenv("LD_PRELOAD", frida_afl_preload, 1);
setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1);
} else {
setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1);
@ -762,8 +783,17 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
}
} else if (fsrv->frida_mode) {
u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so");
setenv("LD_PRELOAD", frida_binary, 1);
setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1);
ck_free(frida_binary);
}
if (frida_afl_preload) { ck_free(frida_afl_preload); }
}
/* Setup signal handlers, duh. */
@ -804,6 +834,7 @@ static void usage(u8 *argv0) {
" -f file - input file read by the tested program (stdin)\n"
" -t msec - timeout for each run (%u ms)\n"
" -m megs - memory limit for child process (%u MB)\n"
" -O - use binary-only instrumentation (FRIDA mode)\n"
" -Q - use binary-only instrumentation (QEMU mode)\n"
" -U - use unicorn-based instrumentation (Unicorn mode)\n"
" -W - use qemu-based instrumentation with Wine (Wine "
@ -859,7 +890,7 @@ int main(int argc, char **argv_orig, char **envp) {
SAYF(cCYA "afl-tmin" VERSION cRST " by Michal Zalewski\n");
while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeQUWHh")) > 0) {
while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeOQUWHh")) > 0) {
switch (opt) {
@ -971,6 +1002,14 @@ int main(int argc, char **argv_orig, char **envp) {
break;
case 'O': /* FRIDA mode */
if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); }
fsrv->frida_mode = 1;
break;
case 'Q':
if (fsrv->qemu_mode) { FATAL("Multiple -Q options not supported"); }
@ -1054,7 +1093,7 @@ int main(int argc, char **argv_orig, char **envp) {
atexit(at_exit_handler);
setup_signal_handlers();
set_up_environment(fsrv);
set_up_environment(fsrv, argv);
fsrv->target_path = find_binary(argv[optind]);
fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);