ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-16 20:08:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added framework for logging register contents at the end of each basic block

Browse Source
This commit is contained in:
Your Name
2022-07-29 18:24:22 +01:00
parent f2b7104cd6
commit 4fdd64d6d6
14 changed files with 169 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
frida_mode/README.md
View File

@ -178,6 +178,8 @@ Default is 256Mb.
a file. a file.
* `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage * `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage
instrumentation (the default where available). Required to use instrumentation (the default where available). Required to use
* `AFL_FRIDA_INST_REGS_FILE` - File to write raw register contents at the start
of each block.
`AFL_FRIDA_INST_TRACE`. `AFL_FRIDA_INST_TRACE`.
* `AFL_FRIDA_INST_NO_CACHE` - Don't use a look-up table to cache real to * `AFL_FRIDA_INST_NO_CACHE` - Don't use a look-up table to cache real to
instrumented address block translations. instrumented address block translations.

8
frida_mode/Scripting.md
View File

@ -850,6 +850,14 @@ class Afl {
static setInstrumentNoOptimize() { static setInstrumentNoOptimize() {
Afl.jsApiSetInstrumentNoOptimize(); Afl.jsApiSetInstrumentNoOptimize();
} }
/**
* See `AFL_FRIDA_INST_REGS_FILE`. This function takes a single `string` as
* an argument.
*/
public static setInstrumentRegsFile(file: string): void {
const buf = Memory.allocUtf8String(file);
Afl.jsApiSetInstrumentRegsFile(buf);
}
/* /*
* See `AFL_FRIDA_INST_SEED` * See `AFL_FRIDA_INST_SEED`
*/ */

1
frida_mode/frida.map
View File

@ -19,6 +19,7 @@
js_api_set_instrument_libraries; js_api_set_instrument_libraries;
js_api_set_instrument_instructions; js_api_set_instrument_instructions;
js_api_set_instrument_no_optimize; js_api_set_instrument_no_optimize;
js_api_set_instrument_regs_file;
js_api_set_instrument_seed; js_api_set_instrument_seed;
js_api_set_instrument_trace; js_api_set_instrument_trace;
js_api_set_instrument_trace_unique; js_api_set_instrument_trace_unique;

3
frida_mode/include/instrument.h
View File

@ -13,6 +13,7 @@ extern gboolean instrument_unique;
extern guint64 instrument_hash_zero; extern guint64 instrument_hash_zero;
extern char *instrument_coverage_unstable_filename; extern char *instrument_coverage_unstable_filename;
extern gboolean instrument_coverage_insn; extern gboolean instrument_coverage_insn;
extern char * instrument_regs_filename;
extern gboolean instrument_use_fixed_seed; extern gboolean instrument_use_fixed_seed;
extern guint64 instrument_fixed_seed; extern guint64 instrument_fixed_seed;
@ -66,6 +67,8 @@ void instrument_cache_config(void);
void instrument_cache_init(void); void instrument_cache_init(void);
void instrument_cache_insert(gpointer real_address, gpointer code_address); void instrument_cache_insert(gpointer real_address, gpointer code_address);
void instrument_cache(const cs_insn *instr, GumStalkerOutput *output); void instrument_cache(const cs_insn *instr, GumStalkerOutput *output);
void instrument_write_regs(GumCpuContext *cpu_context, gpointer user_data);
void instrument_regs_format(int fd, char *format, ...);
#endif #endif

45
frida_mode/src/instrument/instrument.c
View File

@ -1,3 +1,4 @@
#include <fcntl.h>
#include <unistd.h> #include <unistd.h>
#include <sys/shm.h> #include <sys/shm.h>
#include <sys/mman.h> #include <sys/mman.h>
@ -32,6 +33,7 @@ gboolean instrument_use_fixed_seed = FALSE;
guint64 instrument_fixed_seed = 0; guint64 instrument_fixed_seed = 0;
char *instrument_coverage_unstable_filename = NULL; char *instrument_coverage_unstable_filename = NULL;
gboolean instrument_coverage_insn = FALSE; gboolean instrument_coverage_insn = FALSE;
char * instrument_regs_filename = NULL;
static GumStalkerTransformer *transformer = NULL; static GumStalkerTransformer *transformer = NULL;
@ -39,6 +41,8 @@ static GumAddress previous_rip = 0;
static GumAddress previous_end = 0; static GumAddress previous_end = 0;
static u8 *edges_notified = NULL; static u8 *edges_notified = NULL;
static int regs_fd = -1;
__thread guint64 instrument_previous_pc; __thread guint64 instrument_previous_pc;
__thread guint64 *instrument_previous_pc_addr = NULL; __thread guint64 *instrument_previous_pc_addr = NULL;
@ -232,6 +236,10 @@ static void instrument_basic_block(GumStalkerIterator *iterator,
} }
if (unlikely(instrument_regs_filename != NULL)) {
gum_stalker_iterator_put_callout(iterator, instrument_write_regs,
(void *)(size_t)regs_fd, NULL);
}
} }
} }
@ -242,8 +250,6 @@ static void instrument_basic_block(GumStalkerIterator *iterator,
} }
instrument_debug_instruction(instr->address, instr->size, output);
if (likely(!excluded)) { if (likely(!excluded)) {
asan_instrument(instr, iterator); asan_instrument(instr, iterator);
@ -268,7 +274,6 @@ static void instrument_basic_block(GumStalkerIterator *iterator,
instrument_flush(output); instrument_flush(output);
instrument_debug_end(output); instrument_debug_end(output);
instrument_coverage_end(instr->address + instr->size); instrument_coverage_end(instr->address + instr->size);
} }
void instrument_config(void) { void instrument_config(void) {
@ -281,6 +286,7 @@ void instrument_config(void) {
instrument_coverage_unstable_filename = instrument_coverage_unstable_filename =
(getenv("AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE")); (getenv("AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE"));
instrument_coverage_insn = (getenv("AFL_FRIDA_INST_INSN") != NULL); instrument_coverage_insn = (getenv("AFL_FRIDA_INST_INSN") != NULL);
instrument_regs_filename = getenv("AFL_FRIDA_INST_REGS_FILE");
instrument_debug_config(); instrument_debug_config();
instrument_coverage_config(); instrument_coverage_config();
@ -394,6 +400,23 @@ void instrument_init(void) {
instrument_hash_seed); instrument_hash_seed);
instrument_hash_zero = instrument_get_offset_hash(0); instrument_hash_zero = instrument_get_offset_hash(0);
FOKF(cBLU "Instrumentation" cRST " - " cGRN "regs:" cYEL " [%s]",
instrument_regs_filename == NULL ? " " : instrument_regs_filename);
if (instrument_regs_filename != NULL) {
char *path =
g_canonicalize_filename(instrument_regs_filename, g_get_current_dir());
FOKF(cBLU "Instrumentation" cRST " - " cGRN "path:" cYEL " [%s]", path);
regs_fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
if (regs_fd < 0) { FFATAL("Failed to open regs file '%s'", path); }
g_free(path);
}
asan_init(); asan_init();
cmplog_init(); cmplog_init();
instrument_coverage_init(); instrument_coverage_init();
@ -420,3 +443,19 @@ void instrument_on_fork() {
} }
void instrument_regs_format(int fd, char *format, ...) {
va_list ap;
char buffer[4096] = {0};
int ret;
int len;
va_start(ap, format);
ret = vsnprintf(buffer, sizeof(buffer) - 1, format, ap);
va_end(ap);
if (ret < 0) { return; }
len = strnlen(buffer, sizeof(buffer));
IGNORED_RETURN(write(fd, buffer, len));
}

19
frida_mode/src/instrument/instrument_arm32.c
View File

@ -80,5 +80,24 @@ void instrument_cache(const cs_insn *instr, GumStalkerOutput *output) {
} }
void instrument_write_regs(GumCpuContext *cpu_context, gpointer user_data) {
int fd = (int)user_data;
instrument_regs_format(fd,
"r0 : 0x%08x, r1 : 0x%08x, r2 : 0x%08x, r3 : 0x%08x\n",
cpu_context->r[0], cpu_context->r[2],
cpu_context->r[1], cpu_context->r[3]);
instrument_regs_format(fd,
"r4 : 0x%08x, r5 : 0x%08x, r6 : 0x%08x, r7 : 0x%08x\n",
cpu_context->r[4], cpu_context->r[5],
cpu_context->r[6], cpu_context->r[7]);
instrument_regs_format(
fd, "r8 : 0x%08x, r9 : 0x%08x, r10: 0x%08x, r11: 0x%08x\n",
cpu_context->r8, cpu_context->r9, cpu_context->r10, cpu_context->r11);
instrument_regs_format(
fd, "r12: 0x%08x, sp : 0x%08x, lr : 0x%08x, pc : 0x%08x\n",
cpu_context->r12, cpu_context->sp, cpu_context->lr, cpu_context->pc);
instrument_regs_format(fd, "cpsr: 0x%08x\n\n", cpu_context->cpsr);
}
#endif #endif

36
frida_mode/src/instrument/instrument_arm64.c
View File

@ -406,5 +406,41 @@ void instrument_cache(const cs_insn *instr, GumStalkerOutput *output) {
} }
void instrument_write_regs(GumCpuContext *cpu_context, gpointer user_data) {
int fd = (int)(size_t)user_data;
instrument_regs_format(
fd, "x0 : 0x%016x, x1 : 0x%016x, x2 : 0x%016x, x3 : 0x%016x\n",
cpu_context->x[0], cpu_context->x[1], cpu_context->x[2],
cpu_context->x[3]);
instrument_regs_format(
fd, "x4 : 0x%016x, x5 : 0x%016x, x6 : 0x%016x, x7 : 0x%016x\n",
cpu_context->x[4], cpu_context->x[5], cpu_context->x[6],
cpu_context->x[7]);
instrument_regs_format(
fd, "x8 : 0x%016x, x9 : 0x%016x, x10: 0x%016x, x11: 0x%016x\n",
cpu_context->x[8], cpu_context->x[9], cpu_context->x[10],
cpu_context->x[11]);
instrument_regs_format(
fd, "x12: 0x%016x, x13: 0x%016x, x14: 0x%016x, x15: 0x%016x\n",
cpu_context->x[12], cpu_context->x[13], cpu_context->x[14],
cpu_context->x[15]);
instrument_regs_format(
fd, "x16: 0x%016x, x17: 0x%016x, x18: 0x%016x, x19: 0x%016x\n",
cpu_context->x[16], cpu_context->x[17], cpu_context->x[18],
cpu_context->x[19]);
instrument_regs_format(
fd, "x20: 0x%016x, x21: 0x%016x, x22: 0x%016x, x23: 0x%016x\n",
cpu_context->x[20], cpu_context->x[21], cpu_context->x[22],
cpu_context->x[23]);
instrument_regs_format(
fd, "x24: 0x%016x, x25: 0x%016x, x26: 0x%016x, x27: 0x%016x\n",
cpu_context->x[24], cpu_context->x[25], cpu_context->x[26],
cpu_context->x[27]);
instrument_regs_format(
fd, "x28: 0x%016x, fp : 0x%016x, lr : 0x%016x, sp : 0x%016x\n",
cpu_context->x[28], cpu_context->fp, cpu_context->lr, cpu_context->sp);
instrument_regs_format(fd, "pc : 0x%016x\n\n", cpu_context->pc);
}
#endif #endif

4
frida_mode/src/instrument/instrument_debug.c
View File

@ -63,14 +63,12 @@ static void instrument_disasm(guint8 *start, guint8 *end,
count = cs_disasm(capstone, curr, size, GPOINTER_TO_SIZE(curr), 0, &insn); count = cs_disasm(capstone, curr, size, GPOINTER_TO_SIZE(curr), 0, &insn);
if (insn == NULL) { if (insn == NULL) {
instrument_debug("\t0x%" G_GINT64_MODIFIER "x\t* 0x%016" G_GSIZE_MODIFIER instrument_debug("\t0x%" G_GINT64_MODIFIER "x\t* 0x%016" G_GSIZE_MODIFIER
"x\n", "x\n",
(uint64_t)curr, *(size_t *)curr); (uint64_t)(size_t)curr, *(size_t *)curr);
len += sizeof(size_t); len += sizeof(size_t);
continue; continue;
} }
for (i = 0; i != count; i++) { for (i = 0; i != count; i++) {

17
frida_mode/src/instrument/instrument_x64.c
View File

@ -468,5 +468,22 @@ gpointer instrument_cur(GumStalkerOutput *output) {
} }
void instrument_write_regs(GumCpuContext *cpu_context, gpointer user_data) {
int fd = (int)(size_t)user_data;
instrument_regs_format(
fd, "rax: 0x%016x, rbx: 0x%016x, rcx: 0x%016x, rdx: 0x%016x\n",
cpu_context->rax, cpu_context->rbx, cpu_context->rcx, cpu_context->rdx);
instrument_regs_format(
fd, "rdi: 0x%016x, rsi: 0x%016x, rbp: 0x%016x, rsp: 0x%016x\n",
cpu_context->rdi, cpu_context->rsi, cpu_context->rbp, cpu_context->rsp);
instrument_regs_format(
fd, "r8 : 0x%016x, r9 : 0x%016x, r10: 0x%016x, r11: 0x%016x\n",
cpu_context->r8, cpu_context->r9, cpu_context->r10, cpu_context->r11);
instrument_regs_format(
fd, "r12: 0x%016x, r13: 0x%016x, r14: 0x%016x, r15: 0x%016x\n",
cpu_context->r12, cpu_context->r13, cpu_context->r14, cpu_context->r15);
instrument_regs_format(fd, "rip: 0x%016x\n\n", cpu_context->rip);
}
#endif #endif

11
frida_mode/src/instrument/instrument_x86.c
View File

@ -270,5 +270,16 @@ void instrument_cache(const cs_insn *instr, GumStalkerOutput *output) {
} }
void instrument_write_regs(GumCpuContext *cpu_context, gpointer user_data) {
int fd = (int)(size_t)user_data;
instrument_regs_format(
fd, "eax: 0x%08x, ebx: 0x%08x, ecx: 0x%08x, edx: 0x%08x\n",
cpu_context->eax, cpu_context->ebx, cpu_context->ecx, cpu_context->edx);
instrument_regs_format(
fd, "esi: 0x%08x, edi: 0x%08x, ebp: 0x%08x, esp: 0x%08x\n",
cpu_context->esi, cpu_context->edi, cpu_context->ebp, cpu_context->esp);
instrument_regs_format(fd, "eip: 0x%08x\n\n", cpu_context->eip);
}
#endif #endif

9
frida_mode/src/js/api.js
View File

@ -150,6 +150,14 @@ class Afl {
static setInstrumentNoOptimize() { static setInstrumentNoOptimize() {
Afl.jsApiSetInstrumentNoOptimize(); Afl.jsApiSetInstrumentNoOptimize();
} }
/**
* See `AFL_FRIDA_INST_REGS_FILE`. This function takes a single `string` as
* an argument.
*/
static setInstrumentRegsFile(file) {
const buf = Memory.allocUtf8String(file);
Afl.jsApiSetInstrumentRegsFile(buf);
}
/* /*
* See `AFL_FRIDA_INST_SEED` * See `AFL_FRIDA_INST_SEED`
*/ */
@ -322,6 +330,7 @@ Afl.jsApiSetInstrumentInstructions = Afl.jsApiGetFunction("js_api_set_instrument
Afl.jsApiSetInstrumentJit = Afl.jsApiGetFunction("js_api_set_instrument_jit", "void", []); Afl.jsApiSetInstrumentJit = Afl.jsApiGetFunction("js_api_set_instrument_jit", "void", []);
Afl.jsApiSetInstrumentLibraries = Afl.jsApiGetFunction("js_api_set_instrument_libraries", "void", []); Afl.jsApiSetInstrumentLibraries = Afl.jsApiGetFunction("js_api_set_instrument_libraries", "void", []);
Afl.jsApiSetInstrumentNoOptimize = Afl.jsApiGetFunction("js_api_set_instrument_no_optimize", "void", []); Afl.jsApiSetInstrumentNoOptimize = Afl.jsApiGetFunction("js_api_set_instrument_no_optimize", "void", []);
Afl.jsApiSetInstrumentRegsFile = Afl.jsApiGetFunction("js_api_set_instrument_regs_file", "void", ["pointer"]);
Afl.jsApiSetInstrumentSeed = Afl.jsApiGetFunction("js_api_set_instrument_seed", "void", ["uint64"]); Afl.jsApiSetInstrumentSeed = Afl.jsApiGetFunction("js_api_set_instrument_seed", "void", ["uint64"]);
Afl.jsApiSetInstrumentTrace = Afl.jsApiGetFunction("js_api_set_instrument_trace", "void", []); Afl.jsApiSetInstrumentTrace = Afl.jsApiGetFunction("js_api_set_instrument_trace", "void", []);
Afl.jsApiSetInstrumentTraceUnique = Afl.jsApiGetFunction("js_api_set_instrument_trace_unique", "void", []); Afl.jsApiSetInstrumentTraceUnique = Afl.jsApiGetFunction("js_api_set_instrument_trace_unique", "void", []);

5
frida_mode/src/js/js_api.c
View File

@ -156,6 +156,11 @@ __attribute__((visibility("default"))) void js_api_set_instrument_no_optimize(
} }
__attribute__((visibility("default"))) void js_api_set_instrument_regs_file(
char *path) {
instrument_regs_filename = g_strdup(path);
}
__attribute__((visibility("default"))) void js_api_set_instrument_seed( __attribute__((visibility("default"))) void js_api_set_instrument_seed(
guint64 seed) { guint64 seed) {

14
frida_mode/ts/lib/afl.ts
View File

@ -178,6 +178,15 @@ class Afl {
Afl.jsApiSetInstrumentNoOptimize(); Afl.jsApiSetInstrumentNoOptimize();
} }
/**
* See `AFL_FRIDA_INST_REGS_FILE`. This function takes a single `string` as
* an argument.
*/
public static setInstrumentRegsFile(file: string): void {
const buf = Memory.allocUtf8String(file);
Afl.jsApiSetInstrumentRegsFile(buf);
}
/* /*
* See `AFL_FRIDA_INST_SEED` * See `AFL_FRIDA_INST_SEED`
*/ */
@ -419,6 +428,11 @@ class Afl {
"void", "void",
[]); []);
private static readonly jsApiSetInstrumentRegsFile = Afl.jsApiGetFunction(
"js_api_set_instrument_regs_file",
"void",
["pointer"]);
private static readonly jsApiSetInstrumentSeed = Afl.jsApiGetFunction( private static readonly jsApiSetInstrumentSeed = Afl.jsApiGetFunction(
"js_api_set_instrument_seed", "js_api_set_instrument_seed",
"void", "void",

1
include/envs.h
View File

@ -67,6 +67,7 @@ static char *afl_environment_variables[] = {
"AFL_FRIDA_INST_NO_PREFETCH", "AFL_FRIDA_INST_NO_PREFETCH",
"AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH", "AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH",
"AFL_FRIDA_INST_RANGES", "AFL_FRIDA_INST_RANGES",
"AFL_FRIDA_INST_REGS_FILE",
"AFL_FRIDA_INST_SEED", "AFL_FRIDA_INST_SEED",
"AFL_FRIDA_INST_TRACE", "AFL_FRIDA_INST_TRACE",
"AFL_FRIDA_INST_TRACE_UNIQUE", "AFL_FRIDA_INST_TRACE_UNIQUE",