ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-07 07:41:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

code format

Browse Source
This commit is contained in:
vanhauser-thc 2024-07-14 10:33:12 +02:00
parent 8afb60d2f9
commit 55a2362348
22 changed files with 350 additions and 279 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
frida_mode/addr/addr.c
View File

@ -6,17 +6,19 @@
#define UNUSED_PARAMETER(x) (void)(x) #define UNUSED_PARAMETER(x) (void)(x)
int phdr_callback(struct dl_phdr_info *info, size_t size, void *data) int phdr_callback(struct dl_phdr_info *info, size_t size, void *data) {
{
UNUSED_PARAMETER(size); UNUSED_PARAMETER(size);
ElfW(Addr) *base = data; ElfW(Addr) *base = data;
if (info->dlpi_name[0] == 0) { *base = info->dlpi_addr; } if (info->dlpi_name[0] == 0) { *base = info->dlpi_addr; }
return 0; return 0;
} }
int main(int argc, char **argv, char **envp) { int main(int argc, char **argv, char **envp) {
UNUSED_PARAMETER(argc); UNUSED_PARAMETER(argc);
ElfW(Addr) base = 0; ElfW(Addr) base = 0;
@ -26,6 +28,7 @@ int main (int argc, char** argv, char** envp) {
printf("Failed to set ADDR_NO_RANDOMIZE: %d", errno); printf("Failed to set ADDR_NO_RANDOMIZE: %d", errno);
return 1; return 1;
} }
if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); } if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); }
@ -36,4 +39,6 @@ int main (int argc, char** argv, char** envp) {
if (base == 0) { return 1; } if (base == 0) { return 1; }
return 0; return 0;
} }

3
frida_mode/hook/qemu_hook.c
View File

@ -84,6 +84,7 @@ void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base,
*arg2 = (void *)input_buf_len; *arg2 = (void *)input_buf_len;
} }
#elif defined(__aarch64__) #elif defined(__aarch64__)
struct arm64_regs { struct arm64_regs {
@ -180,6 +181,7 @@ void afl_persistent_hook(struct arm64_regs *regs, uint64_t guest_base,
(void)guest_base; /* unused */ (void)guest_base; /* unused */
memcpy((void *)regs->x0, input_buf, input_buf_len); memcpy((void *)regs->x0, input_buf, input_buf_len);
regs->x1 = input_buf_len; regs->x1 = input_buf_len;
} }
#else #else
@ -193,3 +195,4 @@ int afl_persistent_hook_init(void) {
return 1; return 1;
} }

3
frida_mode/test/cache/cache.c vendored
View File

@ -37,8 +37,7 @@ __asm__ (
"call_offset:\n" "call_offset:\n"
" .quad call_target\n" " .quad call_target\n"
"rax_offset:\n" "rax_offset:\n"
" .quad rax_target\n" " .quad rax_target\n");
);
int main(int argc, char **argv) { int main(int argc, char **argv) {

3
frida_mode/test/deferred/testinstr.c
View File

@ -51,6 +51,7 @@ int run(char *file) {
fd = open(file, O_RDONLY); fd = open(file, O_RDONLY);
if (fd < 0) { if (fd < 0) {
perror("open"); perror("open");
break; break;
@ -111,7 +112,9 @@ void slow() {
} }
TESTINSTR_SECTION int do_run(char *file) { TESTINSTR_SECTION int do_run(char *file) {
return run(file); return run(file);
} }
int main(int argc, char **argv) { int main(int argc, char **argv) {

20
frida_mode/test/dynamic/testinstr.c
View File

@ -19,22 +19,29 @@
typedef void (*fntestinstrlib)(char *buf, int len); typedef void (*fntestinstrlib)(char *buf, int len);
void testinstr(char *buf, int len) { void testinstr(char *buf, int len) {
void *lib = dlopen("testinstrlib.so", RTLD_NOW); void *lib = dlopen("testinstrlib.so", RTLD_NOW);
if (lib == NULL) { if (lib == NULL) {
puts("Library not found"); puts("Library not found");
abort(); abort();
} }
fntestinstrlib fn = (fntestinstrlib)(dlsym(lib, "testinstrlib")); fntestinstrlib fn = (fntestinstrlib)(dlsym(lib, "testinstrlib"));
if (fn == NULL) { if (fn == NULL) {
puts("Function not found"); puts("Function not found");
abort(); abort();
} }
fn(buf, len); fn(buf, len);
} }
int main(int argc, char **argv) { int main(int argc, char **argv) {
char *file; char *file;
int fd = -1; int fd = -1;
off_t len; off_t len;
@ -45,6 +52,7 @@ int main(int argc, char **argv) {
if (argc != 2) { return 1; } if (argc != 2) { return 1; }
do { do {
file = argv[1]; file = argv[1];
printf("file: %s\n", file); printf("file: %s\n", file);
@ -52,33 +60,43 @@ int main(int argc, char **argv) {
fd = open(file, O_RDONLY); fd = open(file, O_RDONLY);
if (fd < 0) { if (fd < 0) {
perror("open"); perror("open");
break; break;
} }
len = lseek(fd, 0, SEEK_END); len = lseek(fd, 0, SEEK_END);
if (len < 0) { if (len < 0) {
perror("lseek (SEEK_END)"); perror("lseek (SEEK_END)");
break; break;
} }
if (lseek(fd, 0, SEEK_SET) != 0) { if (lseek(fd, 0, SEEK_SET) != 0) {
perror("lseek (SEEK_SET)"); perror("lseek (SEEK_SET)");
break; break;
} }
printf("len: %ld\n", len); printf("len: %ld\n", len);
buf = malloc(len); buf = malloc(len);
if (buf == NULL) { if (buf == NULL) {
perror("malloc"); perror("malloc");
break; break;
} }
n_read = read(fd, buf, len); n_read = read(fd, buf, len);
if (n_read != len) { if (n_read != len) {
perror("read"); perror("read");
break; break;
} }
dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read);
@ -95,4 +113,6 @@ int main(int argc, char **argv) {
if (fd != -1) { close(fd); } if (fd != -1) { close(fd); }
return result; return result;
} }

3
frida_mode/test/dynamic/testinstrlib.c
View File

@ -1,6 +1,7 @@
#include <stdio.h> #include <stdio.h>
void testinstrlib(char *buf, int len) { void testinstrlib(char *buf, int len) {
if (len < 1) return; if (len < 1) return;
buf[len] = 0; buf[len] = 0;
@ -11,4 +12,6 @@ void testinstrlib(char *buf, int len) {
printf("Pretty sure that is a one!\n"); printf("Pretty sure that is a one!\n");
else else
printf("Neither one or zero? How quaint!\n"); printf("Neither one or zero? How quaint!\n");
} }

33
frida_mode/test/js/test2.c
View File

@ -22,6 +22,7 @@
#define IGNORED_RETURN(x) (void)!(x) #define IGNORED_RETURN(x) (void)!(x)
const uint32_t crc32_tab[] = { const uint32_t crc32_tab[] = {
0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f,
0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988,
0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2,
@ -64,18 +65,17 @@ const uint32_t crc32_tab[] = {
0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693,
0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94,
0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d};
};
uint32_t crc32(const void *buf, size_t size) {
uint32_t
crc32(const void *buf, size_t size)
{
const uint8_t *p = buf; const uint8_t *p = buf;
uint32_t crc; uint32_t crc;
crc = ~0U; crc = ~0U;
while (size--) while (size--)
crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8); crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8);
return crc ^ ~0U; return crc ^ ~0U;
} }
/* /*
@ -84,10 +84,12 @@ crc32(const void *buf, size_t size)
* could change it to actually correct the checksum. * could change it to actually correct the checksum.
*/ */
int crc32_check(char *buf, int len) { int crc32_check(char *buf, int len) {
if (len < sizeof(uint32_t)) { return 0; } if (len < sizeof(uint32_t)) { return 0; }
uint32_t expected = *(uint32_t *)&buf[len - sizeof(uint32_t)]; uint32_t expected = *(uint32_t *)&buf[len - sizeof(uint32_t)];
uint32_t calculated = crc32(buf, len - sizeof(uint32_t)); uint32_t calculated = crc32(buf, len - sizeof(uint32_t));
return expected == calculated; return expected == calculated;
} }
/* /*
@ -97,12 +99,16 @@ int crc32_check (char * buf, int len) {
* cloud your output unnecessarily. Again, we can use FRIDA to patch it out. * cloud your output unnecessarily. Again, we can use FRIDA to patch it out.
*/ */
void some_boring_bug(char c) { void some_boring_bug(char c) {
switch (c) { switch (c) {
case 'A' ... 'Z': case 'A' ... 'Z':
case 'a' ... 'z': case 'a' ... 'z':
__builtin_trap(); __builtin_trap();
break; break;
} }
} }
extern void some_boring_bug2(char c); extern void some_boring_bug2(char c);
@ -127,16 +133,20 @@ void LLVMFuzzerTestOneInput(char *buf, int len) {
some_boring_bug2(buf[0]); some_boring_bug2(buf[0]);
if (buf[0] == '0') { if (buf[0] == '0') {
printf("Looks like a zero to me!\n"); printf("Looks like a zero to me!\n");
}
else if (buf[0] == '1') { } else if (buf[0] == '1') {
printf("Pretty sure that is a one!\n"); printf("Pretty sure that is a one!\n");
}
else if (buf[0] == '2') { } else if (buf[0] == '2') {
printf("Oh we, weren't expecting that!"); printf("Oh we, weren't expecting that!");
__builtin_trap(); __builtin_trap();
}
else } else
printf("Neither one or zero? How quaint!\n"); printf("Neither one or zero? How quaint!\n");
} }
@ -173,5 +183,6 @@ int main(int argc, char **argv) {
printf("Done: %s: (%zd bytes)\n", argv[1], n_read); printf("Done: %s: (%zd bytes)\n", argv[1], n_read);
return 0; return 0;
} }

22
frida_mode/test/osx-lib/harness.c
View File

@ -4,23 +4,23 @@
#include <stdlib.h> #include <stdlib.h>
#include <dlfcn.h> #include <dlfcn.h>
// typedef for our exported target function. // typedef for our exported target function.
typedef void (*CRASHME)(const uint8_t *Data, size_t Size); typedef void (*CRASHME)(const uint8_t *Data, size_t Size);
// globals // globals
CRASHME fpn_crashme = NULL; CRASHME fpn_crashme = NULL;
int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) { int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
fpn_crashme(data, size); fpn_crashme(data, size);
return 0; return 0;
} }
int main(int argc, const char * argv[]) int main(int argc, const char *argv[]) {
{
for (int i = 1; i < argc; i++) { for (int i = 1; i < argc; i++) {
fprintf(stderr, "Running: %s\n", argv[i]); fprintf(stderr, "Running: %s\n", argv[i]);
FILE *f = fopen(argv[i], "r"); FILE *f = fopen(argv[i], "r");
assert(f); assert(f);
@ -34,19 +34,20 @@ int main(int argc, const char * argv[])
LLVMFuzzerTestOneInput(buf, len); LLVMFuzzerTestOneInput(buf, len);
free(buf); free(buf);
fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read);
} }
return 0; return 0;
} }
__attribute__((constructor())) __attribute__((constructor())) void constructor(void) {
void constructor(void) {
// handles to required libs // handles to required libs
void *dylib = NULL; void *dylib = NULL;
dylib = dlopen("./libcrashme.dylib", RTLD_NOW); dylib = dlopen("./libcrashme.dylib", RTLD_NOW);
if (dylib == NULL) if (dylib == NULL) {
{
printf("[-] Failed to load lib\n"); printf("[-] Failed to load lib\n");
printf("[-] Dlerror: %s\n", dlerror()); printf("[-] Dlerror: %s\n", dlerror());
@ -57,8 +58,7 @@ void constructor(void) {
printf("[+] Resolve function\n"); printf("[+] Resolve function\n");
fpn_crashme = (CRASHME)dlsym(dylib, "crashme"); fpn_crashme = (CRASHME)dlsym(dylib, "crashme");
if (!fpn_crashme) if (!fpn_crashme) {
{
printf("[-] Failed to find function\n"); printf("[-] Failed to find function\n");
exit(1); exit(1);
@ -66,4 +66,6 @@ void constructor(void) {
} }
printf("[+] Found function.\n"); printf("[+] Found function.\n");
} }

22
frida_mode/test/osx-lib/harness2.c
View File

@ -4,23 +4,23 @@
#include <stdlib.h> #include <stdlib.h>
#include <dlfcn.h> #include <dlfcn.h>
// typedef for our exported target function. // typedef for our exported target function.
typedef void (*CRASHME)(const uint8_t *Data, size_t Size); typedef void (*CRASHME)(const uint8_t *Data, size_t Size);
// globals // globals
CRASHME fpn_crashme = NULL; CRASHME fpn_crashme = NULL;
int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) { int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
fpn_crashme(data, size); fpn_crashme(data, size);
return 0; return 0;
} }
int main(int argc, const char * argv[]) int main(int argc, const char *argv[]) {
{
for (int i = 1; i < argc; i++) { for (int i = 1; i < argc; i++) {
fprintf(stderr, "Running: %s\n", argv[i]); fprintf(stderr, "Running: %s\n", argv[i]);
FILE *f = fopen(argv[i], "r"); FILE *f = fopen(argv[i], "r");
assert(f); assert(f);
@ -34,19 +34,20 @@ int main(int argc, const char * argv[])
LLVMFuzzerTestOneInput(buf, len); LLVMFuzzerTestOneInput(buf, len);
free(buf); free(buf);
fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read);
} }
return 0; return 0;
} }
__attribute__((constructor())) __attribute__((constructor())) void constructor(void) {
void constructor(void) {
// handles to required libs // handles to required libs
void *dylib = NULL; void *dylib = NULL;
dylib = dlopen("./libcrashme2.dylib", RTLD_NOW); dylib = dlopen("./libcrashme2.dylib", RTLD_NOW);
if (dylib == NULL) if (dylib == NULL) {
{
printf("[-] Failed to load lib\n"); printf("[-] Failed to load lib\n");
printf("[-] Dlerror: %s\n", dlerror()); printf("[-] Dlerror: %s\n", dlerror());
@ -57,8 +58,7 @@ void constructor(void) {
printf("[+] Resolve function\n"); printf("[+] Resolve function\n");
fpn_crashme = (CRASHME)dlsym(dylib, "crashme"); fpn_crashme = (CRASHME)dlsym(dylib, "crashme");
if (!fpn_crashme) if (!fpn_crashme) {
{
printf("[-] Failed to find function\n"); printf("[-] Failed to find function\n");
exit(1); exit(1);
@ -66,4 +66,6 @@ void constructor(void) {
} }
printf("[+] Found function.\n"); printf("[+] Found function.\n");
} }

17
frida_mode/test/osx-lib/harness3.c
View File

@ -4,17 +4,19 @@
#include <stdlib.h> #include <stdlib.h>
#include <dlfcn.h> #include <dlfcn.h>
extern void crashme(const uint8_t *Data, size_t Size); extern void crashme(const uint8_t *Data, size_t Size);
int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) { int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
crashme(data, size); crashme(data, size);
return 0; return 0;
} }
void run (int argc, const char * argv[]) void run(int argc, const char *argv[]) {
{
for (int i = 1; i < argc; i++) { for (int i = 1; i < argc; i++) {
fprintf(stderr, "Running: %s\n", argv[i]); fprintf(stderr, "Running: %s\n", argv[i]);
FILE *f = fopen(argv[i], "r"); FILE *f = fopen(argv[i], "r");
assert(f); assert(f);
@ -28,13 +30,16 @@ void run (int argc, const char * argv[])
LLVMFuzzerTestOneInput(buf, len); LLVMFuzzerTestOneInput(buf, len);
free(buf); free(buf);
fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read);
}
} }
int main(int argc, const char * argv[]) }
{
int main(int argc, const char *argv[]) {
run(argc, argv); run(argc, argv);
return 0; return 0;
} }

3
frida_mode/test/osx-lib/lib.c
View File

@ -2,7 +2,6 @@
#include <stdlib.h> #include <stdlib.h>
#include <stdint.h> #include <stdint.h>
void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
if (Size < 5) return; if (Size < 5) return;
@ -13,5 +12,5 @@ void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
if (Data[3] == '$') if (Data[3] == '$')
if (Data[4] == '$') abort(); if (Data[4] == '$') abort();
} }

2
frida_mode/test/osx-lib/lib2.c
View File

@ -3,7 +3,6 @@
#include <stdint.h> #include <stdint.h>
#include <string.h> #include <string.h>
void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
if (Size < 1) return; if (Size < 1) return;
@ -56,6 +55,5 @@ void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
} }
} }

16
frida_mode/test/perf/perf.c
View File

@ -20,12 +20,22 @@ void LLVMFuzzerTestOneInput(char *buf, int len) {
int ret = 0; int ret = 0;
for (int i = 0; i < 1000; i++) { for (int i = 0; i < 1000; i++) {
switch (buf[i]) { switch (buf[i]) {
case 'A': ret += 2; break;
case '1': ret += 3; break; case 'A':
default: ret++; ret += 2;
break;
case '1':
ret += 3;
break;
default:
ret++;
} }
} }
printf("ret: %d\n", ret); printf("ret: %d\n", ret);
} }

11
frida_mode/test/unstable/unstable.c
View File

@ -30,9 +30,13 @@ void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
if (gettimeofday(&tv, NULL) < 0) return; if (gettimeofday(&tv, NULL) < 0) return;
if ((tv.tv_usec % 2) == 0) { if ((tv.tv_usec % 2) == 0) {
printf("Hooray all even\n"); printf("Hooray all even\n");
} else { } else {
printf("Hmm that's odd\n"); printf("Hmm that's odd\n");
} }
// we support three input cases // we support three input cases
@ -46,6 +50,7 @@ void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
} }
void run_test(char *file) { void run_test(char *file) {
fprintf(stderr, "Running: %s\n", file); fprintf(stderr, "Running: %s\n", file);
FILE *f = fopen(file, "r"); FILE *f = fopen(file, "r");
assert(f); assert(f);
@ -59,12 +64,18 @@ void run_test(char * file) {
LLVMFuzzerTestOneInput(buf, len); LLVMFuzzerTestOneInput(buf, len);
free(buf); free(buf);
fprintf(stderr, "Done: %s: (%zd bytes)\n", file, n_read); fprintf(stderr, "Done: %s: (%zd bytes)\n", file, n_read);
} }
int main(int argc, char **argv) { int main(int argc, char **argv) {
srand(1); srand(1);
fprintf(stderr, "StandaloneFuzzTargetMain: running %d inputs\n", argc - 1); fprintf(stderr, "StandaloneFuzzTargetMain: running %d inputs\n", argc - 1);
for (int i = 1; i < argc; i++) { for (int i = 1; i < argc; i++) {
run_test(argv[i]); run_test(argv[i]);
} }
} }