code format

vanhauser-thc 2024-07-14 10:33:12 +02:00
parent 8afb60d2f9
commit 55a2362348
22 changed files with 350 additions and 279 deletions

@ -6,18 +6,20 @@
#define UNUSED_PARAMETER(x) (void)(x)
int phdr_callback(struct dl_phdr_info *info, size_t size, void *data)
{
UNUSED_PARAMETER (size);
int phdr_callback(struct dl_phdr_info *info, size_t size, void *data) {
ElfW(Addr) * base = data;
UNUSED_PARAMETER(size);
ElfW(Addr) *base = data;
if (info->dlpi_name[0] == 0) { *base = info->dlpi_addr; }
return 0;
}
int main (int argc, char** argv, char** envp) {
UNUSED_PARAMETER (argc);
int main(int argc, char **argv, char **envp) {
UNUSED_PARAMETER(argc);
ElfW(Addr) base = 0;
@ -26,6 +28,7 @@ int main (int argc, char** argv, char** envp) {
printf("Failed to set ADDR_NO_RANDOMIZE: %d", errno);
return 1;
}
if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); }
@ -36,4 +39,6 @@ int main (int argc, char** argv, char** envp) {
if (base == 0) { return 1; }
return 0;
}

@ -78,12 +78,13 @@ void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base,
(void)guest_base; /* unused */
void **esp = (void **)regs->esp;
void * arg1 = esp[1];
void *arg1 = esp[1];
void **arg2 = &esp[2];
memcpy(arg1, input_buf, input_buf_len);
*arg2 = (void *)input_buf_len;
}
#elif defined(__aarch64__)
struct arm64_regs {
@ -180,6 +181,7 @@ void afl_persistent_hook(struct arm64_regs *regs, uint64_t guest_base,
(void)guest_base; /* unused */
memcpy((void *)regs->x0, input_buf, input_buf_len);
regs->x1 = input_buf_len;
}
#else
@ -193,3 +195,4 @@ int afl_persistent_hook_init(void) {
return 1;
}

@ -6,7 +6,7 @@
void LLVMFuzzerTestOneInput(char *buf, int len);
__asm__ (
__asm__(
"LLVMFuzzerTestOneInput:\n"
".func LLVMFuzzerTestOneInput\n"
".global LLVMFuzzerTestOneInput\n"
@ -37,15 +37,14 @@ __asm__ (
"call_offset:\n"
" .quad call_target\n"
"rax_offset:\n"
" .quad rax_target\n"
);
" .quad rax_target\n");
int main(int argc, char **argv) {
char * file;
char *file;
int fd = -1;
off_t len;
char * buf = NULL;
char *buf = NULL;
size_t n_read;
int result = -1;

@ -6,8 +6,8 @@
static bool cmov_test(char *x, char *y, size_t len) {
register char * __rdi __asm__("rdi") = x;
register char * __rsi __asm__("rsi") = y;
register char *__rdi __asm__("rdi") = x;
register char *__rsi __asm__("rsi") = y;
register size_t __rcx __asm__("rcx") = len;
register long __rax __asm__("rax");
@ -49,10 +49,10 @@ void LLVMFuzzerTestOneInput(char *buf, int len) {
int main(int argc, char **argv) {
char * file;
char *file;
int fd = -1;
off_t len;
char * buf = NULL;
char *buf = NULL;
size_t n_read;
int result = -1;

@ -41,7 +41,7 @@ int run(char *file) {
int fd = -1;
off_t len;
char * buf = NULL;
char *buf = NULL;
size_t n_read;
int result = -1;
@ -51,6 +51,7 @@ int run(char *file) {
fd = open(file, O_RDONLY);
if (fd < 0) {
perror("open");
break;
@ -110,8 +111,10 @@ void slow() {
}
TESTINSTR_SECTION int do_run(char * file) {
TESTINSTR_SECTION int do_run(char *file) {
return run(file);
}
int main(int argc, char **argv) {

@ -19,32 +19,40 @@
typedef void (*fntestinstrlib)(char *buf, int len);
void testinstr(char *buf, int len) {
void *lib = dlopen("testinstrlib.so", RTLD_NOW);
if (lib == NULL) {
puts("Library not found");
abort();
}
fntestinstrlib fn = (fntestinstrlib)(dlsym(lib, "testinstrlib"));
if (fn == NULL) {
puts("Function not found");
abort();
}
fn(buf, len);
}
int main(int argc, char **argv) {
char * file;
char *file;
int fd = -1;
off_t len;
char * buf = NULL;
char *buf = NULL;
size_t n_read;
int result = -1;
if (argc != 2) { return 1; }
do {
file = argv[1];
printf("file: %s\n", file);
@ -52,33 +60,43 @@ int main(int argc, char **argv) {
fd = open(file, O_RDONLY);
if (fd < 0) {
perror("open");
break;
}
len = lseek(fd, 0, SEEK_END);
if (len < 0) {
perror("lseek (SEEK_END)");
break;
}
if (lseek(fd, 0, SEEK_SET) != 0) {
perror("lseek (SEEK_SET)");
break;
}
printf("len: %ld\n", len);
buf = malloc(len);
if (buf == NULL) {
perror("malloc");
break;
}
n_read = read(fd, buf, len);
if (n_read != len) {
perror("read");
break;
}
dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read);
@ -95,4 +113,6 @@ int main(int argc, char **argv) {
if (fd != -1) { close(fd); }
return result;
}

@ -1,6 +1,7 @@
#include <stdio.h>
void testinstrlib(char *buf, int len) {
if (len < 1) return;
buf[len] = 0;
@ -11,4 +12,6 @@ void testinstrlib(char *buf, int len) {
printf("Pretty sure that is a one!\n");
else
printf("Neither one or zero? How quaint!\n");
}

@ -41,7 +41,7 @@ int run(char *file) {
int fd = -1;
off_t len;
char * buf = NULL;
char *buf = NULL;
size_t n_read;
int result = -1;

@ -39,10 +39,10 @@ void testinstr(char *buf, int len) {
TESTINSTR_SECTION int main(int argc, char **argv) {
char * file;
char *file;
int fd = -1;
off_t len;
char * buf = NULL;
char *buf = NULL;
size_t n_read;
int result = -1;

@ -35,7 +35,7 @@ int run(char *file) {
int fd = -1;
off_t len;
char * buf = NULL;
char *buf = NULL;
size_t n_read;
int result = -1;

@ -22,6 +22,7 @@
#define IGNORED_RETURN(x) (void)!(x)
const uint32_t crc32_tab[] = {
0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f,
0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988,
0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2,
@ -64,18 +65,17 @@ const uint32_t crc32_tab[] = {
0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693,
0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94,
0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d
};
0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d};
uint32_t crc32(const void *buf, size_t size) {
uint32_t
crc32(const void *buf, size_t size)
{
const uint8_t *p = buf;
uint32_t crc;
crc = ~0U;
while (size--)
crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8);
return crc ^ ~0U;
}
/*
@ -83,11 +83,13 @@ crc32(const void *buf, size_t size)
* FRIDA to patch this function out and always return success. Otherwise, we
* could change it to actually correct the checksum.
*/
int crc32_check (char * buf, int len) {
int crc32_check(char *buf, int len) {
if (len < sizeof(uint32_t)) { return 0; }
uint32_t expected = *(uint32_t *)&buf[len - sizeof(uint32_t)];
uint32_t calculated = crc32(buf, len - sizeof(uint32_t));
return expected == calculated;
}
/*
@ -97,17 +99,21 @@ int crc32_check (char * buf, int len) {
* cloud your output unnecessarily. Again, we can use FRIDA to patch it out.
*/
void some_boring_bug(char c) {
switch (c) {
case 'A'...'Z':
case 'a'...'z':
case 'A' ... 'Z':
case 'a' ... 'z':
__builtin_trap();
break;
}
}
extern void some_boring_bug2(char c);
__asm__ (
__asm__(
".text \n"
"some_boring_bug2: \n"
".global some_boring_bug2 \n"
@ -127,16 +133,20 @@ void LLVMFuzzerTestOneInput(char *buf, int len) {
some_boring_bug2(buf[0]);
if (buf[0] == '0') {
printf("Looks like a zero to me!\n");
}
else if (buf[0] == '1') {
} else if (buf[0] == '1') {
printf("Pretty sure that is a one!\n");
}
else if (buf[0] == '2') {
} else if (buf[0] == '2') {
printf("Oh we, weren't expecting that!");
__builtin_trap();
}
else
} else
printf("Neither one or zero? How quaint!\n");
}
@ -145,7 +155,7 @@ int main(int argc, char **argv) {
int fd = -1;
off_t len;
char * buf = NULL;
char *buf = NULL;
size_t n_read;
int result = -1;
@ -173,5 +183,6 @@ int main(int argc, char **argv) {
printf("Done: %s: (%zd bytes)\n", argv[1], n_read);
return 0;
}

@ -4,49 +4,50 @@
#include <stdlib.h>
#include <dlfcn.h>
//typedef for our exported target function.
// typedef for our exported target function.
typedef void (*CRASHME)(const uint8_t *Data, size_t Size);
//globals
// globals
CRASHME fpn_crashme = NULL;
int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){
fpn_crashme(data, size);
return 0;
}
int main(int argc, const char * argv[])
{
int main(int argc, const char *argv[]) {
for (int i = 1; i < argc; i++) {
fprintf(stderr, "Running: %s\n", argv[i]);
FILE *f = fopen(argv[i], "r");
assert(f);
fseek(f, 0, SEEK_END);
size_t len = ftell(f);
fseek(f, 0, SEEK_SET);
unsigned char *buf = (unsigned char*)malloc(len);
unsigned char *buf = (unsigned char *)malloc(len);
size_t n_read = fread(buf, 1, len, f);
fclose(f);
assert(n_read == len);
LLVMFuzzerTestOneInput(buf, len);
free(buf);
fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read);
}
return 0;
}
__attribute__((constructor()))
void constructor(void) {
__attribute__((constructor())) void constructor(void) {
// handles to required libs
void *dylib = NULL;
dylib = dlopen("./libcrashme.dylib", RTLD_NOW);
if (dylib == NULL)
{
if (dylib == NULL) {
printf("[-] Failed to load lib\n");
printf("[-] Dlerror: %s\n", dlerror());
@ -57,8 +58,7 @@ void constructor(void) {
printf("[+] Resolve function\n");
fpn_crashme = (CRASHME)dlsym(dylib, "crashme");
if (!fpn_crashme)
{
if (!fpn_crashme) {
printf("[-] Failed to find function\n");
exit(1);
@ -66,4 +66,6 @@ void constructor(void) {
}
printf("[+] Found function.\n");
}

@ -4,49 +4,50 @@
#include <stdlib.h>
#include <dlfcn.h>
//typedef for our exported target function.
// typedef for our exported target function.
typedef void (*CRASHME)(const uint8_t *Data, size_t Size);
//globals
// globals
CRASHME fpn_crashme = NULL;
int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){
fpn_crashme(data, size);
return 0;
}
int main(int argc, const char * argv[])
{
int main(int argc, const char *argv[]) {
for (int i = 1; i < argc; i++) {
fprintf(stderr, "Running: %s\n", argv[i]);
FILE *f = fopen(argv[i], "r");
assert(f);
fseek(f, 0, SEEK_END);
size_t len = ftell(f);
fseek(f, 0, SEEK_SET);
unsigned char *buf = (unsigned char*)malloc(len);
unsigned char *buf = (unsigned char *)malloc(len);
size_t n_read = fread(buf, 1, len, f);
fclose(f);
assert(n_read == len);
LLVMFuzzerTestOneInput(buf, len);
free(buf);
fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read);
}
return 0;
}
__attribute__((constructor()))
void constructor(void) {
__attribute__((constructor())) void constructor(void) {
// handles to required libs
void *dylib = NULL;
dylib = dlopen("./libcrashme2.dylib", RTLD_NOW);
if (dylib == NULL)
{
if (dylib == NULL) {
printf("[-] Failed to load lib\n");
printf("[-] Dlerror: %s\n", dlerror());
@ -57,8 +58,7 @@ void constructor(void) {
printf("[+] Resolve function\n");
fpn_crashme = (CRASHME)dlsym(dylib, "crashme");
if (!fpn_crashme)
{
if (!fpn_crashme) {
printf("[-] Failed to find function\n");
exit(1);
@ -66,4 +66,6 @@ void constructor(void) {
}
printf("[+] Found function.\n");
}

@ -4,37 +4,42 @@
#include <stdlib.h>
#include <dlfcn.h>
extern void crashme(const uint8_t *Data, size_t Size);
int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){
int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
crashme(data, size);
return 0;
}
void run (int argc, const char * argv[])
{
void run(int argc, const char *argv[]) {
for (int i = 1; i < argc; i++) {
fprintf(stderr, "Running: %s\n", argv[i]);
FILE *f = fopen(argv[i], "r");
assert(f);
fseek(f, 0, SEEK_END);
size_t len = ftell(f);
fseek(f, 0, SEEK_SET);
unsigned char *buf = (unsigned char*)malloc(len);
unsigned char *buf = (unsigned char *)malloc(len);
size_t n_read = fread(buf, 1, len, f);
fclose(f);
assert(n_read == len);
LLVMFuzzerTestOneInput(buf, len);
free(buf);
fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read);
}
}
int main(int argc, const char * argv[])
{
int main(int argc, const char *argv[]) {
run(argc, argv);
return 0;
}

@ -2,7 +2,6 @@
#include <stdlib.h>
#include <stdint.h>
void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
if (Size < 5) return;
@ -13,5 +12,5 @@ void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
if (Data[3] == '$')
if (Data[4] == '$') abort();
}

@ -3,7 +3,6 @@
#include <stdint.h>
#include <string.h>
void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
if (Size < 1) return;
@ -56,6 +55,5 @@ void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
}
}

@ -39,10 +39,10 @@ void testinstr(char *buf, int len) {
TESTINSTR_SECTION int main(int argc, char **argv) {
char * file;
char *file;
int fd = -1;
off_t len;
char * buf = NULL;
char *buf = NULL;
size_t n_read;
int result = -1;

@ -20,22 +20,32 @@ void LLVMFuzzerTestOneInput(char *buf, int len) {
int ret = 0;
for (int i = 0; i < 1000; i++) {
switch(buf[i]) {
case 'A': ret += 2; break;
case '1': ret += 3; break;
default: ret++;
switch (buf[i]) {
case 'A':
ret += 2;
break;
case '1':
ret += 3;
break;
default:
ret++;
}
}
printf("ret: %d\n", ret);
}
int main(int argc, char **argv) {
char * file;
char *file;
int fd = -1;
off_t len;
char * buf = NULL;
char *buf = NULL;
size_t n_read;
int result = -1;

@ -18,7 +18,7 @@
void LLVMFuzzerTestOneInput(char *buf, int len) {
printf (">>> LLVMFuzzerTestOneInput >>>\n");
printf(">>> LLVMFuzzerTestOneInput >>>\n");
if (len < 1) return;
buf[len] = 0;
@ -40,10 +40,10 @@ void slow() {
int main(int argc, char **argv) {
char * file;
char *file;
int fd = -1;
off_t len;
char * buf = NULL;
char *buf = NULL;
size_t n_read;
int result = -1;

@ -39,10 +39,10 @@ void testinstr(char *buf, int len) {
TESTINSTR_SECTION int main(int argc, char **argv) {
char * file;
char *file;
int fd = -1;
off_t len;
char * buf = NULL;
char *buf = NULL;
size_t n_read;
int result = -1;

@ -22,7 +22,7 @@
#define TESTINSTR_SECTION __attribute__((section(".testinstr")))
#endif
void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
void LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
if (size < 1) return;
@ -30,9 +30,13 @@ void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
if (gettimeofday(&tv, NULL) < 0) return;
if ((tv.tv_usec % 2) == 0) {
printf ("Hooray all even\n");
printf("Hooray all even\n");
} else {
printf ("Hmm that's odd\n");
printf("Hmm that's odd\n");
}
// we support three input cases
@ -45,26 +49,33 @@ void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
}
void run_test(char * file) {
void run_test(char *file) {
fprintf(stderr, "Running: %s\n", file);
FILE *f = fopen(file, "r");
assert(f);
fseek(f, 0, SEEK_END);
size_t len = ftell(f);
fseek(f, 0, SEEK_SET);
unsigned char *buf = (unsigned char*)malloc(len);
unsigned char *buf = (unsigned char *)malloc(len);
size_t n_read = fread(buf, 1, len, f);
fclose(f);
assert(n_read == len);
LLVMFuzzerTestOneInput(buf, len);
free(buf);
fprintf(stderr, "Done: %s: (%zd bytes)\n", file, n_read);
}
int main(int argc, char **argv) {
srand(1);
fprintf(stderr, "StandaloneFuzzTargetMain: running %d inputs\n", argc - 1);
for (int i = 1; i < argc; i++) {
run_test(argv[i]);
}
}