final push to stable (really?) (#939)

* sync (#886)

* Create FUNDING.yml

* Update FUNDING.yml

* moved custom_mutator examples

* unicorn speedtest makefile cleanup

* fixed example location

* fix qdbi

* update util readme

* Frida persistent (#880)

* Added x64 support for persistent mode (function call only), in-memory test cases and complog

* Review changes, fix NeverZero and code to parse the .text section of the main executable. Excluded ranges TBC

* Various minor fixes and finished support for AFL_INST_LIBS

* Review changes

Co-authored-by: Your Name <you@example.com>

* nits

* fix frida mode

* Integer overflow/underflow fixes in libdislocator (#889)

* libdislocator: fixing integer overflow in 'max_mem' variable and setting 'max_mem' type to 'size_t'

* libdislocator: fixing potential integer underflow in 'total_mem' variable due to its different values in different threads

* Bumped warnings up to the max and fixed remaining issues (#890)

Co-authored-by: Your Name <you@example.com>

* nits

* frida mode - support non-pie

* nits

* nit

* update grammar mutator

* Fixes for aarch64, OSX and other minor issues (#891)

Co-authored-by: Your Name <you@example.com>

* nits

* nits

* fix PCGUARD, build aflpp_driver with fPIC

* Added representative fuzzbench test and test for libxml (#893)

* Added representative fuzzbench test and test for libxml

* Added support for building FRIDA from source with FRIDA_SOURCE=1

Co-authored-by: Your Name <you@example.com>

* nits

* update changelog

* typos

* fixed potential double free in custom trim (#881)

* error handling, freeing mem

* frida: complog -> cmplog

* fix statsd writing

* let aflpp_qemu_driver_hook.so build fail gracefully

* fix stdin trimming

* Support for AFL_ENTRYPOINT (#898)

Co-authored-by: Your Name <you@example.com>

* remove the input file .cur_input at the end of the fuzzing, if AFL_TMPDIR is used

* reverse push (#901)

* Create FUNDING.yml

* Update FUNDING.yml

* disable QEMU static pie

Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>

* clarify that no modifications are required.

* add new test for frida_mode (please review)

* typos

* fix persistent mode (64-bit)

* set ARCH for linux intel 32-bit for frida-gum-devkit

* prepare for 32-bit support (later)

* not on qemu 3 anymore

* unicorn mips fixes

* instrumentation further move to C++11 (#900)

* unicorn fixes

* more unicorn fixes

* Fix memory errors when trim causes testcase growth (#881) (#903)

* Revert "fixed potential double free in custom trim (#881)"

This reverts commit e9d2f72382.

* Revert "fix custom trim for increasing data"

This reverts commit 86a8ef168d.

* Fix memory errors when trim causes testcase growth

Modify trim_case_custom to avoid writing into in_buf because
some custom mutators can cause the testcase to grow rather than
shrink.

Instead of modifying in_buf directly, we write the update out
to the disk when trimming is complete, and then the caller is
responsible for refreshing the in-memory buffer from the file.

This is still a bit sketchy because it does need to modify q->len in
order to notify the upper layers that something changed, and it could
end up telling upper layer code that the q->len is *bigger* than
the buffer (q->testcase_buf) that contains it, which is asking
for trouble down the line somewhere...

* Fix an unlikely situation

Put back some `unlikely()` calls that were in
the e9d2f72382 commit that was
reverted.

* typo

* Exit on time (#904)

* Variable AFL_EXIT_ON_TIME description has been added.
Variables AFL_EXIT_ON_TIME and afl_exit_on_time have been added.
afl->exit_on_time variable initialization has been added.
The assignment of a value to the afl->afl_env.afl_exit_on_time variable from
environment variables has been added.
Code to exit on timeout if new path not found has been added.

* Type of afl_exit_on_time variable has been changed.
Variable exit_on_time has been added to the afl_state_t structure.

* Command `export AFL_EXIT_WHEN_DONE=1` has been added.

* Millisecond to second conversion has been added.
Call get_cur_time() has been added.

* Revert to using the saved current time value.

* Useless check has been removed.

* fix new path to custom-mutators

* ensure crashes/README.txt exists

* fix

* Changes to bump FRIDA version and to clone FRIDA repo into build directory rather than use a submodule as the FRIDA build scripts don't like it (#906)

Co-authored-by: Your Name <you@example.com>

* Fix numeric overflow in cmplog implementation (#907)

Co-authored-by: Your Name <you@example.com>

* testcase fixes for unicorn

* remove merge conflict artifacts

* fix afl-plot

* Changes to remove binaries from frida_mode (#913)

Co-authored-by: Your Name <you@example.com>

* Frida cmplog fail fast (#914)

* Changes to remove binaries from frida_mode

* Changes to make cmplog fail fast

Co-authored-by: Your Name <you@example.com>

* afl-plot: relative time

* arch linux and mac os support for afl-system-config

* typo

* code-format

* update documentation

* github workflow for qemu

* OSX-specific improvements (#912)

* Fix afl-cc to work correctly by default on OSX using xcode

- CLANG_ENV_VAR must be set for afl-as to work
- Use clang mode by default if no specific compiler selected

* Add OSX-specific documentation for configuring shared memory

* Fixes to memory operands for complog (#916)

Co-authored-by: Your Name <you@example.com>

* fix a few cur_time uses

* added bounds check to pivot_inputs (fixes #921)

* additional safety checks for restarts

* restrict afl-showmap in_file size

* fix seed crash disable

* add warning for afl-showmap partial read

* no core dumps

* AFL_PRINT_FILENAMES added

* more documentation for AFL_EXIT_ON_TIME

* Flushing for AFL_PRINT_FILENAMES

* FASAN Support (#918)

* FASAN Support

* Fix handling of Address Sanitizer DSO

* Changes to identification of Address Sanitizer DSO

Co-authored-by: Your Name <you@example.com>

* Support for x86 (#920)

Co-authored-by: Your Name <you@example.com>

* Update frida_mode readme (#925)

* libqasan: use syscalls for read and write

* update readme

* Minor integration tweaks (#926)

Co-authored-by: Your Name <you@example.com>

* merge

* fix afl-fuzz.c frida preload

* cleaned up AFL_PRINT_FILENAMES env

* Changes to have persistent mode exit at the end of the loop (#928)

Co-authored-by: Your Name <you@example.com>

* fix llvm-dict2file

* push to stable (#931) (#932)

* improve error msg

* Added documentation for wine LoadLibrary workaround (#933)

* Fix cmake target compilation command example (#934)

- Fix typo DCMAKE_C_COMPILERC -> DCMAKE_C_COMPILER.
- Add `cd build` after `mkdir build`.

* showmap passes queue items in alphabetical order

* added tmp files to gitignore

* lenient dict parsing, no map size enum for binary fuzzing

* added info about showmap queue directions

* update binary-only doc

* turn off map size detection if skip_bin_check is set

* Typo

* update docs

* update afl-system-config

* Set kill signal before using it in afl-showmap (#935)

* fix afl-cc help output

* add libafl to binary-only doc

* update docs

* less executions on variable paths

* AFL_SKIP_CRASHES is obsolete since 3.0

* add AFL_TRY_AFFINITY

* Typo

* Typo

* Typo/wording

* tweaks

* typos

* fix afl-whatsup help output

* fix afl-plot output

* fix for MacOS

* fix cmpcov doc for qemu

* fix tmpfile removal

* update dockerfile

* Frida (#940)

* Added re2 test

* Added libpcap test

* Fix validation of setting of ADDR_NO_RANDOMIZE

* Added support for printing original and instrumented code

Co-authored-by: Your Name <you@example.com>

* Support for AFL_FRIDA_PERSISTENT_RET (#941)

Co-authored-by: Your Name <you@example.com>

* Changes to add missing exclusion of ranges (#943)

Co-authored-by: Your Name <you@example.com>

* add --afl-noopt to afl-cc

* docs: fix link to README in QuickStartGuide (#946)

* Support writing Stalker stats (#945)

* Support writing Stalker stats

* Fixed string handling in print functions

Co-authored-by: Your Name <you@example.com>

* afl-cmin help fix, aflpp_driver - + @@ support

* fix for afl-showmap

Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
Co-authored-by: Dmitry Zheregelya <zheregelya.d@gmail.com>
Co-authored-by: hexcoder <hexcoder-@users.noreply.github.com>
Co-authored-by: hexcoder- <heiko@hexco.de>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
Co-authored-by: David CARLIER <devnexen@gmail.com>
Co-authored-by: realmadsci <71108352+realmadsci@users.noreply.github.com>
Co-authored-by: Roman M. Iudichev <SecNotice@ya.ru>
Co-authored-by: Dustin Spicuzza <dustin@virtualroadside.com>
Co-authored-by: 0x4d5a-ctf <51098072+0x4d5a-ctf@users.noreply.github.com>
Co-authored-by: Tommy Chiang <oToToT@users.noreply.github.com>
Co-authored-by: buherator <buherator@silentsignal.hu>
Co-authored-by: Dag Heyman Kajevic <dag.heyman@gmail.com>
van Hauser, 2021-05-30 02:06:05 +02:00, committed by GitHub
parent 95f47ac3a4
commit 67293b298d
67 changed files with 6960 additions and 167 deletions

View File

@ -50,6 +50,7 @@ RUN update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-10 0
ENV LLVM_CONFIG=llvm-config-12
ENV AFL_SKIP_CPUFREQ=1
ENV AFL_TRY_AFFINITY=1
ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
RUN git clone --depth=1 https://github.com/vanhauser-thc/afl-cov /afl-cov
@ -61,8 +62,10 @@ WORKDIR /AFLplusplus
RUN export CC=gcc-10 && export CXX=g++-10 && make clean && \
make distrib && make install && make clean
RUN echo 'alias joe="jupp --wordwrap"' >> ~/.bashrc
RUN echo 'export PS1="[afl++]$PS1"' >> ~/.bashrc
RUN sh -c 'echo set encoding=utf-8 > /root/.vimrc'
RUN echo '. /etc/bash_completion' >> ~/.bashrc
RUN echo 'alias joe="joe --wordwrap --joe_state -nobackup"' >> ~/.bashrc
RUN echo "export PS1='"'[afl++ \h] \w$(__git_ps1) \$ '"'" >> ~/.bashrc
ENV IS_DOCKER="1"
# Disabled until we have the container ready
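Review bot: the new PS1 line calls `__git_ps1`, which is only defined when git's prompt helper has been sourced; the `. /etc/bash_completion` line added just above provides it on some base images but not all, and if it is missing every interactive shell prints a "command not found" for each prompt. Guard it, for example `type __git_ps1 >/dev/null 2>&1 || __git_ps1() { :; }`, or source git's prompt script explicitly before setting PS1. The nested quoting in `RUN echo "export PS1='"'[afl++ \h] \w$(__git_ps1) \$ '"'" >> ~/.bashrc` is also hard to verify by eye; a heredoc appended to ~/.bashrc would make the intended PS1 value readable.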

View File

@ -679,8 +679,8 @@ If you see that an important area or a feature has not been covered so far then
try to find an input that is able to reach that and start a new secondary in
that fuzzing campaign with that seed as input, let it run for a few minutes,
then terminate it. The main node will pick it up and make it available to the
other secondary nodes over time. Set `export AFL_NO_AFFINITY=1` if you have no
free core.
other secondary nodes over time. Set `export AFL_NO_AFFINITY=1` or
`export AFL_TRY_AFFINITY=1` if you have no free core.
Note that you in nearly all cases can never reach full coverage. A lot of
functionality is usually behind options that were not activated or fuzz e.g.
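Review bot: the new sentence offers `AFL_NO_AFFINITY=1` and `AFL_TRY_AFFINITY=1` as alternatives without saying how they differ. The changelog and env_variables.md hunks in this same commit describe AFL_TRY_AFFINITY as binding to a core when one is free and continuing unbound otherwise, while AFL_NO_AFFINITY never binds; a short clause such as "or `export AFL_TRY_AFFINITY=1` to bind only if a core is free" would let readers pick without leaving this page.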
@ -800,10 +800,10 @@ Alternatively you can use frida_mode, just switch `-Q` with `-O` and remove the
LAF instance.
Then run as many instances as you have cores left with either -Q mode or - better -
use a binary rewriter like afl-dyninst, retrowrite, zaflr, fibre, etc.
use a binary rewriter like afl-dyninst, retrowrite, zaflr, etc.
For Qemu and Frida mode, check out the persistent mode and snapshot features,
they give a huge speed improvement!
For Qemu and Frida mode, check out the persistent mode, it gives a huge speed
improvement if it is possible to use.
### QEMU
@ -822,7 +822,7 @@ less conducive to parallelization.
If [afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) works for
your binary, then you can use afl-fuzz normally and it will have twice
the speed compared to qemu_mode (but slower than persistent mode).
the speed compared to qemu_mode (but slower than qemu persistent mode).
Note that several other binary rewriters exist, all with their advantages and
caveats.

View File

@ -119,13 +119,13 @@ function usage() {
"Environment variables used:\n" \
"AFL_ALLOW_TMP: allow unsafe use of input/output directories under {/var}/tmp\n" \
"AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n" \
"AFL_FORKSRV_INIT_TMOUT: time the fuzzer waits for the target to come up, initially\n" \
"AFL_FORKSRV_INIT_TMOUT: time the fuzzer waits for the forkserver to come up\n" \
"AFL_KEEP_TRACES: leave the temporary <out_dir>/.traces directory\n" \
"AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n"
"AFL_PATH: path for the afl-showmap binary if not found anywhere else\n" \
"AFL_KILL_SIGNAL: Signal delivered to child processes on timeout (default: SIGKILL)\n" \
"AFL_PATH: path for the afl-showmap binary if not found anywhere in PATH\n" \
"AFL_PRINT_FILENAMES: If set, the filename currently processed will be " \
"printed to stdout\n" \
"AFL_SKIP_BIN_CHECK: skip check for target binary\n"
"AFL_SKIP_BIN_CHECK: skip afl instrumentation checks for target binary\n"
exit 1
}
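Review bot: the old `AFL_KILL_SIGNAL` line ended without a trailing `\`, so the usage text stopped there and the following `AFL_PATH`, `AFL_PRINT_FILENAMES` and `AFL_SKIP_BIN_CHECK` lines were executed as separate (failing) commands instead of being printed; the replacement `AFL_KILL_SIGNAL` and `AFL_PATH` lines restore the continuation, and the final `AFL_SKIP_BIN_CHECK` line is correctly the only one without it. Since a dropped backslash is easy to reintroduce, running the script with `-h` after edits to this block is a cheap check that the whole list still prints.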

View File

@ -127,7 +127,7 @@ set key outside
set autoscale xfixmin
set autoscale xfixmax
set xlabel "all times in UTC" font "small"
#set xlabel "all times in UTC" font "small"
plot '$inputdir/plot_data' using 1:4 with filledcurve x1 title 'total paths' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\
'' using 1:3 with filledcurve x1 title 'current path' linecolor rgb '#f0f0f0' fillstyle transparent solid 0.5 noborder, \\
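Review bot: the `set xlabel "all times in UTC"` line is commented out rather than removed, which leaves dead gnuplot code in the generated script and an x axis with no label at all. The commit message says afl-plot now uses relative time, so replace the label with one that states the new unit (for example `set xlabel "relative time"`) instead of disabling it.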

View File

@ -21,11 +21,11 @@
echo "$0 status check tool for afl-fuzz by Michal Zalewski"
echo
test "$1" = "-h" -o "$1" = "-hh" && {
echo "$0 [-s] [-d] output_directory"
echo "Usage: $0 [-s] [-d] afl_output_directory"
echo
echo Options:
echo -s - skip details and output summary results only
echo -d - include dead fuzzer stats
echo " -s - skip details and output summary results only"
echo " -d - include dead fuzzer stats"
echo
exit 1
}
@ -51,10 +51,11 @@ DIR="$1"
if [ "$DIR" = "" ]; then
echo "Usage: $0 [-s] [-d] afl_sync_dir" 1>&2
echo "Usage: $0 [-s] [-d] afl_output_directory" 1>&2
echo 1>&2
echo "The -s option causes the tool to skip all the per-fuzzer trivia and show" 1>&2
echo "just the summary results. See docs/parallel_fuzzing.md for additional tips." 1>&2
echo Options: 1>&2
echo " -s - skip details and output summary results only" 1>&2
echo " -d - include dead fuzzer stats" 1>&2
echo 1>&2
exit 1
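Review bot: this block now repeats the usage text that the `-h` branch above prints (same `Usage:` line, same `Options:` header, same two option lines, differing only in the `1>&2` redirections); two copies will drift the next time an option is added. Factor the text into a single `usage()` function and have both the `-h` path and this missing-argument path call it, redirecting to stderr at the call site where needed.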

View File

@ -33,8 +33,12 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- added AFL_EXIT_ON_SEED_ISSUES env that will exit if a seed in
-i dir crashes the target or results in a timeout. By default
afl++ ignores these and uses them for splicing instead.
- added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing after
no new paths have been found for n seconds
- added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing
after no new paths have been found for n seconds
- when AFL_FAST_CAL is set a variable path will now be calibrated
8 times instead of originally 40. Long calibration is now 20.
- added AFL_TRY_AFFINITY to try to bind to CPUs but don't error if
it fails
- afl-cc:
- We do not support llvm versions prior 6.0 anymore
- Fix for -pie compiled binaries with default afl-clang-fast PCGUARD
@ -42,6 +46,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- Removed InsTrim instrumentation as it is not as good as PCGUARD
- Removed automatic linking with -lc++ for LTO mode
- Fixed a crash in llvm dict2file when a strncmp length was -1
- added --afl-noopt support
- utils/aflpp_driver:
- aflpp_qemu_driver_hook fixed to work with qemu_mode
- aflpp_driver now compiled with -fPIC
@ -53,7 +58,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
MacOS shared memory
- updated the grammar custom mutator to the newest version
- add -d (add dead fuzzer stats) to afl-whatsup
- added AFL_PRINT_FILENAMES to afl-showmap/cmin to print the current filename
- added AFL_PRINT_FILENAMES to afl-showmap/cmin to print the
current filename
- afl-showmap/cmin will now process queue items in alphabetical order
### Version ++3.12c (release)

View File

@ -1,6 +1,6 @@
# AFL quick start guide
You should read [README.md](README.md) - it's pretty short. If you really can't, here's
You should read [README.md](../README.md) - it's pretty short. If you really can't, here's
how to hit the ground running:
1) Compile AFL with 'make'. If build fails, see [INSTALL.md](INSTALL.md) for tips.
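Review bot: the README link is corrected to `../README.md`, but the `[INSTALL.md](INSTALL.md)` link on the very next line of the same file is still relative to the docs directory; if INSTALL.md sits beside README.md at the repository root, it needs the same `../` prefix, otherwise this fix leaves the guide with one working and one broken link.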

View File

@ -43,7 +43,7 @@
If you like to code a customized fuzzer without much work, we highly
recommend to check out our sister project libafl which will support QEMU
very too:
too:
[https://github.com/AFLplusplus/LibAFL](https://github.com/AFLplusplus/LibAFL)

View File

@ -92,6 +92,9 @@ def queue_new_entry(filename_new_queue, filename_orig_queue):
def introspection():
return string
def deinit(): # optional for Python
pass
```
### Custom Mutation

View File

@ -312,14 +312,12 @@ checks or alter some of the more exotic semantics of the tool:
on Linux systems. This slows things down, but lets you run more instances
of afl-fuzz than would be prudent (if you really want to).
- Setting `AFL_TRY_AFFINITY` tries to attempt binding to a specific CPU core
on Linux systems, but will not terminate if that fails.
- Setting `AFL_NO_AUTODICT` will not load an LTO generated auto dictionary
that is compiled into the target.
- `AFL_SKIP_CRASHES` causes AFL++ to tolerate crashing files in the input
queue. This can help with rare situations where a program crashes only
intermittently, but it's not really recommended under normal operating
conditions.
- Setting `AFL_HANG_TMOUT` allows you to specify a different timeout for
deciding if a particular test case is a "hang". The default is 1 second
or the value of the `-t` parameter, whichever is larger. Dialing the value
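Review bot: "tries to attempt binding" in the new `AFL_TRY_AFFINITY` entry is redundant; "tries to bind to a specific CPU core on Linux systems, but will not terminate if that fails" says the same thing. Dropping the `AFL_SKIP_CRASHES` paragraph matches the commit note that it is obsolete since 3.0, but users who grep for it will find nothing; a one-line note that crashing or timing-out seeds are now tolerated by default and that `AFL_EXIT_ON_SEED_ISSUES` (added in this commit's changelog) restores the strict behaviour would close that gap.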

View File

@ -94,9 +94,6 @@ AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o
all: $(FRIDA_TRACE)
32:
CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
32:
CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
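Review bot: removing the second `32:` rule is the right fix; with both present GNU make warns about an overriding recipe for target `32` and silently uses the later definition, so the duplicate only added noise to every build.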

View File

@ -21,7 +21,7 @@ perhaps leverage some of its design and implementation.
| Feature/Instrumentation | frida-mode | Notes |
| -------------------------|:----------:|:--------------------------------------------:|
| NeverZero | x | |
| Persistent Mode | x | (x86/x64 only)(Only on function boundaries) |
| Persistent Mode | x | (x86/x64 only)(Only on function boundaries) |
| LAF-Intel / CompCov | - | (CMPLOG is better 90% of the time) |
| CMPLOG | x | (x86/x64 only) |
| Selective Instrumentation| x | |
@ -43,16 +43,16 @@ system does not support cross compilation.
## Getting Started
To build everything run `make`. To build for x86 run `make 32`. Note that in
To build everything run `make`. To build for x86 run `make 32`. Note that in
x86 bit mode, it is not necessary for afl-fuzz to be built for 32-bit. However,
the shared library for frida_mode must be since it is injected into the target
process.
Various tests can be found in subfolders within the `test/` directory. To use
these, first run `make` to build any dependencies. Then run `make qemu` or
`make frida` to run on either QEMU of FRIDA mode respectively. To run frida
tests in 32-bit mode, run `make ARCH=x86 frida`. When switching between
architectures it may be necessary to run `make clean` first for a given build
`make frida` to run on either QEMU of FRIDA mode respectively. To run frida
tests in 32-bit mode, run `make ARCH=x86 frida`. When switching between
architectures it may be necessary to run `make clean` first for a given build
target to remove previously generated binaries for a different architecture.
## Usage
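Review bot: the typo "QEMU of FRIDA mode" (should be "QEMU or FRIDA mode") survives the whitespace reflow on the `make frida` line; since that line is being rewritten anyway, fix the wording here rather than in a follow-up. The rest of the hunk is trailing-whitespace removal only.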
@ -74,6 +74,8 @@ following options are currently supported:
* `AFL_FRIDA_PERSISTENT_ADDR` - See `AFL_QEMU_PERSISTENT_ADDR`
* `AFL_FRIDA_PERSISTENT_CNT` - See `AFL_QEMU_PERSISTENT_CNT`
* `AFL_FRIDA_PERSISTENT_HOOK` - See `AFL_QEMU_PERSISTENT_HOOK`
* `AFL_FRIDA_PERSISTENT_RET` - See `AFL_QEMU_PERSISTENT_RET`
* `AFL_FRIDA_PERSISTENT_RETADDR_OFFSET` - See `AFL_QEMU_PERSISTENT_RETADDR_OFFSET`
To enable the powerful CMPLOG mechanism, set `-c 0` for `afl-fuzz`.
@ -127,34 +129,144 @@ instances run CMPLOG mode and instrumentation of the binary is less frequent
## Advanced configuration options
* `AFL_FRIDA_INST_DEBUG_FILE` - File to write raw assembly of original blocks
and their instrumented counterparts during block compilation.
```
***
Creating block for 0x7ffff7953313:
0x7ffff7953313 mov qword ptr [rax], 0
0x7ffff795331a add rsp, 8
0x7ffff795331e ret
Generated block 0x7ffff75e98e2
0x7ffff75e98e2 mov qword ptr [rax], 0
0x7ffff75e98e9 add rsp, 8
0x7ffff75e98ed lea rsp, [rsp - 0x80]
0x7ffff75e98f5 push rcx
0x7ffff75e98f6 movabs rcx, 0x7ffff795331e
0x7ffff75e9900 jmp 0x7ffff75e9384
***
```
* `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage
instrumentation (the default where available). Required to use
`AFL_FRIDA_INST_TRACE`.
* `AFL_FRIDA_INST_NO_PREFETCH` - Disable prefetching. By default the child will
report instrumented blocks back to the parent so that it can also instrument
them and they be inherited by the next child on fork.
* `AFL_FRIDA_INST_TRACE` - Generate some logging when running instrumented code.
Requires `AFL_FRIDA_INST_NO_OPTIMIZE`.
* `AFL_FRIDA_INST_TRACE` - Log to stdout the address of executed blocks
`AFL_FRIDA_INST_NO_OPTIMIZE`.
* `AFL_FRIDA_OUTPUT_STDOUT` - Redirect the standard output of the target
application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`)
* `AFL_FRIDA_OUTPUT_STDERR` - Redirect the standard error of the target
application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`)
* `AFL_FRIDA_PERSISTENT_DEBUG` - Insert a Breakpoint into the instrumented code
at `AFL_FRIDA_PERSISTENT_HOOK` and `AFL_FRIDA_PERSISTENT_RET` to allow the user
to determine the value of `AFL_FRIDA_PERSISTENT_RETADDR_OFFSET` using a
debugger.
```
gdb \
--ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=XXXXXXXXXX' \
--ex 'set environment AFL_FRIDA_PERSISTENT_RET=XXXXXXXXXX' \
--ex 'set environment AFL_FRIDA_PERSISTENT_DEBUG=1' \
--ex 'set environment AFL_DEBUG_CHILD=1' \
--ex 'set environment LD_PRELOAD=afl-frida-trace.so' \
--args <my-executable> [my arguments]
```
* `AFL_FRIDA_STATS_FILE` - Write statistics information about the code being
instrumented to the given file name. The statistics are written only for the
child process when new block is instrumented (when the
`AFL_FRIDA_STATS_INTERVAL` has expired). Note that simply because a new path is
found does not mean a new block needs to be compiled. It could simply be that
the existing blocks instrumented have been executed in a different order.
```
stats
-----
Index: 2
Pid: 1815944
Time: 2021-05-28 15:26:41
Blocks: 1985
Instructions: 9192
Avg Instructions / Block: 4
Call Immediates: 391 (4.25%)
Call Immediates Excluded: 65 (0.71%)
Call Register: 0 (0.00%)
Call Memory: 0 (0.00%)
Jump Immediates: 202 (2.20%)
Jump Register: 10 (0.11%)
Jump Memory: 12 (0.13%)
Conditional Jump Immediates: 1210 (13.16%)
Conditional Jump CX Immediate: 0 (0.00%)
Conditional Jump Register: 0 (0.00%)
Conditional Jump Memory: 0 (0.00%)
Returns: 159 (0.00%)
Rip Relative: 247 (0.00%)
```
* `AFL_FRIDA_STATS_INTERVAL` - The maximum frequency to output statistics
information. Stats will be written whenever they are updated if the given
interval has elapsed since last time they were written.
* `AFL_FRIDA_STATS_TRANSITIONS` - Also dump the internal stalker counters to
stderr when the regular stats are written. Note that these stats are reset in
the child each time a new fork occurs since they are not stored in shared
memory. Unfortunately, these stats are internal to stalker, so this is the best
we can do for now.
```
stats
-----
Index: 2
Pid: 1816794
Time: 2021-05-28 15:26:41
total_transitions: 786
call_imms: 97
call_regs: 0
call_mems: 0
post_call_invokes: 86
excluded_call_imms: 29
ret_slow_paths: 23
jmp_imms: 58
jmp_mems: 7
jmp_regs: 26
jmp_cond_imms: 460
jmp_cond_mems: 0
jmp_cond_regs: 0
jmp_cond_jcxzs: 0
jmp_continuations: 0
```
## FASAN - Frida Address Sanitizer Mode
Frida mode also supports FASAN. The design of this is actually quite simple and
very similar to that used when instrumenting applications compiled from source.
### Address Sanitizer Basics
When Address Sanitizer is used to instrument programs built from source, the
When Address Sanitizer is used to instrument programs built from source, the
compiler first adds a dependency (`DT_NEEDED` entry) for the Address Sanitizer
dynamic shared object (DSO). This shared object contains the main logic for Address
Sanitizer, including setting and managing up the shadow memory. It also provides
replacement implementations for a number of functions in standard libraries.
replacement implementations for a number of functions in standard libraries.
These replacements include things like `malloc` and `free` which allows for those
allocations to be marked in the shadow memory, but also a number of other fuctions.
Consider `memcpy` for example, this is instrumented to validate the paramters
(test the source and destination buffers against the shadow memory. This is much
easier than instrumenting those standard libraries since, first it would require
Consider `memcpy` for example, this is instrumented to validate the paramters
(test the source and destination buffers against the shadow memory. This is much
easier than instrumenting those standard libraries since, first it would require
you to re-compile them and secondly it would mean that the instrumentation would
be applied at a more expensive granular level. Lastly, load-widening (typically
be applied at a more expensive granular level. Lastly, load-widening (typically
found in highy optimized code) can also make this instrumentation more difficult.
Since the DSO is loaded before all of the standard libraries (in fact it insists
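Review bot: several typos in the new "Address Sanitizer Basics" paragraph: "setting and managing up the shadow memory" reads better as "setting up and managing the shadow memory", "paramters" should be "parameters", "fuctions" should be "functions", "highy" should be "highly", and the parenthesis opened at "(test the source and destination buffers against the shadow memory" is never closed. In the `AFL_FRIDA_STATS_TRANSITIONS` bullet it would also help to say explicitly that the transition counters go to stderr while the regular stats go to `AFL_FRIDA_STATS_FILE`, since the two sample blocks look identical at first glance.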
@ -165,9 +277,9 @@ modules which depend on it.
FASAN takes a similar approach. It requires the user to add the Address Sanitizer
DSO to the `AFL_PRELOAD` environment variable such that it is loaded into the target.
Again, it must be first in the list. This means that it is not necessary to
instrument the standard libraries to detect when an application has provided an
incorrect argument to `memcpy` for example. This avoids issues with load-widening
Again, it must be first in the list. This means that it is not necessary to
instrument the standard libraries to detect when an application has provided an
incorrect argument to `memcpy` for example. This avoids issues with load-widening
and should also mean a huge improvement in performance.
FASAN then adds instrumentation for any instrucutions which use memory operands and
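Review bot: typo in "FASAN then adds instrumentation for any instrucutions which use memory operands" ("instructions"). The sentence "should also mean a huge improvement in performance" is an unquantified claim; either cite a measurement or soften it to "should also improve performance".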
@ -176,7 +288,7 @@ to validate memory accesses against the shadow memory.
## TODO
The next features to be added are Aarch64 and Aarch32 support as well as looking at
The next features to be added are Aarch64 and Aarch32 support as well as looking at
potential performance improvements. The intention is to achieve feature parity with
QEMU mode in due course. Contributions are welcome, but please get in touch to
ensure that efforts are deconflicted.

View File

@ -19,5 +19,9 @@ gboolean instrument_is_coverage_optimize_supported(void);
void instrument_coverage_optimize(const cs_insn * instr,
GumStalkerOutput *output);
void instrument_debug_init(void);
void instrument_debug_start(uint64_t address, GumStalkerOutput *output);
void instrument_debug_instruction(uint64_t address, uint16_t size);
void instrument_debug_end(GumStalkerOutput *output);
#endif

View File

@ -0,0 +1,9 @@
#ifndef _OUTPUT_H
#define _OUTPUT_H
#include "frida-gum.h"
void output_init(void);
#endif

View File

@ -18,6 +18,9 @@ extern unsigned char *__afl_fuzz_ptr;
extern guint64 persistent_start;
extern guint64 persistent_count;
extern guint64 persistent_ret;
extern guint64 persistent_ret_offset;
extern gboolean persistent_debug;
extern afl_persistent_hook_fn hook;
void persistent_init(void);
@ -26,6 +29,7 @@ void persistent_init(void);
gboolean persistent_is_supported(void);
void persistent_prologue(GumStalkerOutput *output);
void persistent_epilogue(GumStalkerOutput *output);
#endif

View File

@ -7,5 +7,7 @@ void ranges_init(void);
gboolean range_is_excluded(gpointer address);
void ranges_exclude();
#endif
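Review bot: `void ranges_exclude();` declares a function with an unspecified parameter list in C, unlike the neighbouring `void ranges_init(void);`; declare it as `void ranges_exclude(void);` (and match the definition in ranges.c) so the compiler can check call sites.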

View File

@ -0,0 +1,28 @@
#ifndef _STATS_H
#define _STATS_H
#include "frida-gum.h"
typedef struct {
guint64 num_blocks;
guint64 num_instructions;
guint64 stats_last_time;
guint64 stats_idx;
guint64 transitions_idx;
} stats_data_header_t;
extern stats_data_header_t *stats_data;
void stats_init(void);
void stats_collect(const cs_insn *instr, gboolean begin);
void stats_print(char *format, ...);
gboolean stats_is_supported_arch(void);
size_t stats_data_size_arch(void);
void stats_collect_arch(const cs_insn *instr);
void stats_write_arch(void);
#endif
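Review bot: `void stats_print(char *format, ...);` should take `const char *format` and carry a printf-style format attribute (`__attribute__((format(printf, 1, 2)))`), which would let the compiler check the many format strings in the per-architecture stats writers against their arguments.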

View File

@ -4,7 +4,7 @@
#include "frida-gum.h"
#define UNUSED_PARAMETER(x) (void)(x)
#define IGNORED_RERURN(x) (void)!(x)
#define IGNORED_RETURN(x) (void)!(x)
guint64 util_read_address(char *key);

View File

@ -13,6 +13,7 @@
#include "prefetch.h"
#include "ranges.h"
#include "stalker.h"
#include "stats.h"
#include "util.h"
static gboolean tracing = false;
@ -47,7 +48,7 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context,
"x, previous_pc: 0x%016" G_GINT64_MODIFIER "x\n",
current_pc, previous_pc);
IGNORED_RERURN(write(STDOUT_FILENO, buffer, len + 1));
IGNORED_RETURN(write(STDOUT_FILENO, buffer, len + 1));
}
@ -79,17 +80,52 @@ static void instr_basic_block(GumStalkerIterator *iterator,
const cs_insn *instr;
gboolean begin = TRUE;
gboolean excluded;
while (gum_stalker_iterator_next(iterator, &instr)) {
if (instr->address == entry_start) { entry_prologue(iterator, output); }
if (instr->address == persistent_start) { persistent_prologue(output); }
if (instr->address == persistent_ret) { persistent_epilogue(output); }
if (begin) {
/*
* Until we reach AFL_ENTRYPOINT (assumed to be main if not specified) or
* AFL_FRIDA_PERSISTENT_ADDR (if specified), we don't mark our ranges
* excluded as we wish to remain inside stalker at all times so that we can
* instrument our entry point and persistent loop (if present). This allows
* the user to exclude ranges which would be traversed between main and the
* AFL_ENTRYPOINT, but which they don't want included in their coverage
* information when fuzzing.
*
* Since we have no means to discard the instrumented copies of blocks
* (setting the trust threshold simply causes a new copy to be made on each
* execution), we instead ensure that we honour the additional
* instrumentation requested (e.g. coverage, asan and complog) when a block
* is compiled no matter where we are during initialization. We will end up
* re-using these blocks if the code under test calls a block which is also
* used during initialization.
*
* Coverage data generated during initialization isn't a problem since the
* map is zeroed each time the target is forked or each time the persistent
* loop is run.
*
* Lastly, we don't enable pre-fetching back to the parent until we reach
* our AFL_ENTRYPOINT, since it is not until then that we start the
* fork-server and thus start executing in the child.
*/
excluded = range_is_excluded(GSIZE_TO_POINTER(instr->address));
stats_collect(instr, begin);
if (unlikely(begin)) {
instrument_debug_start(instr->address, output);
prefetch_write(GSIZE_TO_POINTER(instr->address));
if (!range_is_excluded(GSIZE_TO_POINTER(instr->address))) {
if (optimize) {
if (likely(!excluded)) {
if (likely(optimize)) {
instrument_coverage_optimize(instr, output);
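Review bot: the new comment block says pre-fetching back to the parent is not enabled until AFL_ENTRYPOINT is reached, but `prefetch_write(GSIZE_TO_POINTER(instr->address));` is still invoked unconditionally at every block start in this hunk; if the gating lives inside prefetch.c, a one-line pointer to that in the comment would spare readers a search. Also `stats_collect(instr, begin);` runs before the `if (unlikely(begin))` test, so it is on the per-instruction path; worth a comment that it returns early when stats are disabled.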
@ -106,7 +142,9 @@ static void instr_basic_block(GumStalkerIterator *iterator,
}
if (!range_is_excluded(GSIZE_TO_POINTER(instr->address))) {
instrument_debug_instruction(instr->address, instr->size);
if (likely(!excluded)) {
asan_instrument(instr, iterator);
cmplog_instrument(instr, iterator);
@ -117,6 +155,8 @@ static void instr_basic_block(GumStalkerIterator *iterator,
}
instrument_debug_end(output);
}
void instrument_init(void) {
@ -144,6 +184,7 @@ void instrument_init(void) {
transformer =
gum_stalker_transformer_make_from_callback(instr_basic_block, NULL, NULL);
instrument_debug_init();
asan_init();
cmplog_init();

View File

@ -0,0 +1,129 @@
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <unistd.h>
#include "frida-gum.h"
#include "debug.h"
#include "util.h"
static int debugging_fd = -1;
static gpointer instrument_gen_start = NULL;
static void instrument_debug(char *format, ...) {
va_list ap;
char buffer[4096] = {0};
int ret;
int len;
va_start(ap, format);
ret = vsnprintf(buffer, sizeof(buffer) - 1, format, ap);
va_end(ap);
if (ret < 0) { return; }
len = strnlen(buffer, sizeof(buffer));
IGNORED_RETURN(write(debugging_fd, buffer, len));
}
static void instrument_disasm(guint8 *code, guint size) {
csh capstone;
cs_err err;
cs_insn *insn;
size_t count, i;
err = cs_open(GUM_DEFAULT_CS_ARCH,
GUM_DEFAULT_CS_MODE | GUM_DEFAULT_CS_ENDIAN, &capstone);
g_assert(err == CS_ERR_OK);
count = cs_disasm(capstone, code, size, GPOINTER_TO_SIZE(code), 0, &insn);
g_assert(insn != NULL);
for (i = 0; i != count; i++) {
instrument_debug("\t0x%" G_GINT64_MODIFIER "x\t%s %s\n", insn[i].address,
insn[i].mnemonic, insn[i].op_str);
}
cs_free(insn, count);
cs_close(&capstone);
}
static gpointer instrument_cur(GumStalkerOutput *output) {
#if defined(__i386__) || defined(__x86_64__)
return gum_x86_writer_cur(output->writer.x86);
#elif defined(__aarch64__)
return gum_arm64_writer_cur(output->writer.arm64);
#elif defined(__arm__)
return gum_arm_writer_cur(output->writer.arm);
#else
#error "Unsupported architecture"
#endif
}
void instrument_debug_init(void) {
char *filename = getenv("AFL_FRIDA_INST_DEBUG_FILE");
OKF("Instrumentation debugging - enabled [%c]", filename == NULL ? ' ' : 'X');
if (filename == NULL) { return; }
OKF("Instrumentation debugging - file [%s]", filename);
if (filename == NULL) { return; }
char *path = g_canonicalize_filename(filename, g_get_current_dir());
OKF("Instrumentation debugging - path [%s]", path);
debugging_fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
if (debugging_fd < 0) { FATAL("Failed to open stats file '%s'", path); }
g_free(path);
}
void instrument_debug_start(uint64_t address, GumStalkerOutput *output) {
if (likely(debugging_fd < 0)) { return; }
instrument_gen_start = instrument_cur(output);
instrument_debug("\n\n***\n\nCreating block for 0x%" G_GINT64_MODIFIER "x:\n",
address);
}
void instrument_debug_instruction(uint64_t address, uint16_t size) {
if (likely(debugging_fd < 0)) { return; }
uint8_t *start = (uint8_t *)GSIZE_TO_POINTER(address);
instrument_disasm(start, size);
}
void instrument_debug_end(GumStalkerOutput *output) {
if (likely(debugging_fd < 0)) { return; }
gpointer instrument_gen_end = instrument_cur(output);
uint16_t size = GPOINTER_TO_SIZE(instrument_gen_end) -
GPOINTER_TO_SIZE(instrument_gen_start);
instrument_debug("\nGenerated block %p\n", instrument_gen_start);
instrument_disasm(instrument_gen_start, size);
}
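Review bot: in `instrument_disasm`, `g_assert(insn != NULL);` after `cs_disasm` is the wrong check; when Capstone decodes zero instructions (undecodable bytes in a generated block) it returns 0 and `insn` is not meaningful, so test `count` and skip the loop instead of asserting. Further down, `instrument_debug_init` repeats `if (filename == NULL) { return; }` twice, and its failure message "Failed to open stats file" was copied from stats.c and should say "debug file". Lastly, `uint16_t size` in `instrument_debug_end` silently truncates any generated block larger than 64 KiB; use `gsize`.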

View File

@ -1,3 +1,4 @@
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
@ -18,10 +19,12 @@
#include "instrument.h"
#include "interceptor.h"
#include "lib.h"
#include "output.h"
#include "persistent.h"
#include "prefetch.h"
#include "ranges.h"
#include "stalker.h"
#include "stats.h"
#include "util.h"
#ifdef __APPLE__
@ -58,10 +61,10 @@ static void on_main_os(int argc, char **argv, char **envp) {
static void on_main_os(int argc, char **argv, char **envp) {
UNUSED_PARAMETER(argc);
/* Personality doesn't affect the current process, it only takes effect on
* evec */
int persona = personality(ADDR_NO_RANDOMIZE);
if (persona == -1) { WARNF("Failed to set ADDR_NO_RANDOMIZE: %d", errno); }
if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); }
GumInterceptor *interceptor = gum_interceptor_obtain();
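Review bot: the return value of `execvpe(argv[0], argv, envp);` is not checked, so if the re-exec fails the process carries on with ASLR still enabled and no diagnostic; add a `FATAL` after the call. The `persona == -1` case only skips the re-exec by accident (because -1 has the `ADDR_NO_RANDOMIZE` bit set), so make that intent explicit rather than falling through to the bit test. Typo in the comment: "evec" should be "exec".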
@ -94,9 +97,11 @@ void afl_frida_start() {
lib_init();
entry_init();
instrument_init();
output_init();
persistent_init();
prefetch_init();
ranges_init();
stats_init();
void *fork_addr =
GSIZE_TO_POINTER(gum_module_find_export_by_name(NULL, "fork"));
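Review bot: `output_init();` runs after `lib_init()`, `entry_init()` and `instrument_init()`, which have already emitted their `OKF` lines, so the `AFL_FRIDA_OUTPUT_STDOUT`/`AFL_FRIDA_OUTPUT_STDERR` redirection misses them; if the intent is to capture everything the target writes, call `output_init()` first.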

45
frida_mode/src/output.c Normal file
View File

@ -0,0 +1,45 @@
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include "frida-gum.h"
#include "debug.h"
#include "output.h"
static int output_fd = -1;
static void output_redirect(int fd, char *variable) {
char *filename = getenv(variable);
char *path = NULL;
if (filename == NULL) { return; }
path = g_canonicalize_filename(filename, g_get_current_dir());
OKF("Redirect %d -> '%s'", fd, path);
output_fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
g_free(path);
if (output_fd < 0) { FATAL("Failed to open fd(%d) error %d", fd, errno); }
if (dup2(output_fd, fd) < 0) {
FATAL("Failed to set fd(%d) error %d", fd, errno);
}
}
void output_init(void) {
output_redirect(STDOUT_FILENO, "AFL_FRIDA_OUTPUT_STDOUT");
output_redirect(STDERR_FILENO, "AFL_FRIDA_OUTPUT_STDERR");
}
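Review bot: `output_redirect` leaks a descriptor on every call: after `dup2(output_fd, fd)` succeeds the original `output_fd` is never closed, and the single static is overwritten by the second call, so the stdout redirect's fd is lost. Close `output_fd` right after a successful `dup2` and make it a local. `char *variable` should also be `const char *`.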

View File

@ -12,6 +12,9 @@ int __afl_sharedmem_fuzzing = 0;
afl_persistent_hook_fn hook = NULL;
guint64 persistent_start = 0;
guint64 persistent_count = 0;
guint64 persistent_ret = 0;
guint64 persistent_ret_offset = 0;
gboolean persistent_debug = FALSE;
void persistent_init(void) {
@ -19,12 +22,36 @@ void persistent_init(void) {
persistent_start = util_read_address("AFL_FRIDA_PERSISTENT_ADDR");
persistent_count = util_read_num("AFL_FRIDA_PERSISTENT_CNT");
persistent_ret = util_read_address("AFL_FRIDA_PERSISTENT_RET");
persistent_ret_offset =
util_read_address("AFL_FRIDA_PERSISTENT_RETADDR_OFFSET");
if (getenv("AFL_FRIDA_PERSISTENT_DEBUG") != NULL) { persistent_debug = TRUE; }
if (persistent_count != 0 && persistent_start == 0) {
if (persistent_count != 0 && persistent_start == 0)
FATAL(
"AFL_FRIDA_PERSISTENT_ADDR must be specified if "
"AFL_FRIDA_PERSISTENT_CNT is");
}
if (persistent_ret != 0 && persistent_start == 0) {
FATAL(
"AFL_FRIDA_PERSISTENT_ADDR must be specified if "
"AFL_FRIDA_PERSISTENT_RET is");
}
if (persistent_ret_offset != 0 && persistent_ret == 0) {
FATAL(
"AFL_FRIDA_PERSISTENT_RET must be specified if "
"AFL_FRIDA_PERSISTENT_RETADDR_OFFSET is");
}
if (persistent_start != 0 && persistent_count == 0) persistent_count = 1000;
if (persistent_count != 0 && persistent_count < 100)
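Review bot: `persistent_ret_offset` is read with `util_read_address("AFL_FRIDA_PERSISTENT_RETADDR_OFFSET")`, so the user must supply a `0x`-prefixed hex value and any parse failure reports an "Invalid address" for what is a stack offset; either read it with `util_read_num` or document the expected format next to the other persistent variables in the README.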
@ -39,6 +66,11 @@ void persistent_init(void) {
persistent_start == 0 ? ' ' : 'X', persistent_count);
OKF("Instrumentation - hook [%s]", hook_name);
OKF("Instrumentation - persistent ret [%c] (0x%016" G_GINT64_MODIFIER "X)",
persistent_ret == 0 ? ' ' : 'X', persistent_ret);
OKF("Instrumentation - persistent ret offset [%c] (%" G_GINT64_MODIFIER "d)",
persistent_ret_offset == 0 ? ' ' : 'X', persistent_ret_offset);
if (hook_name != NULL) {
void *hook_obj = dlopen(hook_name, RTLD_NOW);
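Review bot: the new `OKF("Instrumentation - persistent ret offset [%c] (%" G_GINT64_MODIFIER "d)", ...)` prints the `guint64` `persistent_ret_offset` with a signed `d` conversion; use `u` (or print it as hex like the persistent ret line above it, since it is parsed as hex).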

View File

@ -68,5 +68,12 @@ void persistent_prologue(GumStalkerOutput *output) {
}
void persistent_epilogue(GumStalkerOutput *output) {
UNUSED_PARAMETER(output);
FATAL("Persistent mode not supported on this architecture");
}
#endif

View File

@ -111,5 +111,12 @@ void persistent_prologue(GumStalkerOutput *output) {
}
void persistent_epilogue(GumStalkerOutput *output) {
UNUSED_PARAMETER(output);
FATAL("Persistent mode not supported on this architecture");
}
#endif

View File

@ -1,9 +1,11 @@
#include "frida-gum.h"
#include "config.h"
#include "debug.h"
#include "instrument.h"
#include "persistent.h"
#include "util.h"
#if defined(__x86_64__)
@ -264,7 +266,6 @@ void persistent_prologue(GumStalkerOutput *output) {
GumX86Writer *cw = output->writer.x86;
gconstpointer loop = cw->code + 1;
// gum_x86_writer_put_breakpoint(cw);
/* Stack must be 16-byte aligned per ABI */
instrument_persitent_save_regs(cw, &saved_regs);
@ -288,7 +289,9 @@ void persistent_prologue(GumStalkerOutput *output) {
instrument_persitent_restore_regs(cw, &saved_regs);
gconstpointer original = cw->code + 1;
/* call original */
gum_x86_writer_put_call_near_label(cw, original);
/* jmp loop */
gum_x86_writer_put_jmp_near_label(cw, loop);
@ -300,9 +303,23 @@ void persistent_prologue(GumStalkerOutput *output) {
/* original: */
gum_x86_writer_put_label(cw, original);
if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); }
gum_x86_writer_flush(cw);
}
void persistent_epilogue(GumStalkerOutput *output) {
GumX86Writer *cw = output->writer.x86;
if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); }
gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
persistent_ret_offset);
gum_x86_writer_put_ret(cw);
}
#endif
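Review bot: the epilogue `gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, persistent_ret_offset); gum_x86_writer_put_ret(cw);` relies entirely on the user-supplied offset being the exact distance from RSP at `AFL_FRIDA_PERSISTENT_RET` to the saved return address; a wrong value returns into arbitrary stack contents with no diagnostic. A comment stating that assumption (and that no callee-saved registers are restored here) would help, and `persistent_ret_offset` is a `guint64` passed to a signed offset parameter, so add an explicit cast.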

View File

@ -244,9 +244,24 @@ void persistent_prologue(GumStalkerOutput *output) {
/* original: */
gum_x86_writer_put_label(cw, original);
if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); }
gum_x86_writer_flush(cw);
}
void persistent_epilogue(GumStalkerOutput *output) {
GumX86Writer *cw = output->writer.x86;
if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); }
gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP,
persistent_ret_offset);
gum_x86_writer_put_ret(cw);
}
#endif
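Review bot: same point as the x64 epilogue: the `lea esp, [esp + persistent_ret_offset]; ret` sequence depends on a correct user-supplied `AFL_FRIDA_PERSISTENT_RETADDR_OFFSET` and should say so in a comment.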

View File

@ -480,15 +480,40 @@ static GArray *merge_ranges(GArray *a) {
}
static gboolean exclude_ranges_callback(const GumRangeDetails *details,
gpointer user_data) {
UNUSED_PARAMETER(user_data);
gchar * name;
gboolean found;
GumStalker *stalker;
if (details->file == NULL) { return TRUE; }
name = g_path_get_basename(details->file->path);
found = (g_strcmp0(name, "afl-frida-trace.so") == 0);
g_free(name);
if (!found) { return TRUE; }
stalker = stalker_get();
gum_stalker_exclude(stalker, details->range);
return FALSE;
}
static void ranges_exclude_self(void) {
gum_process_enumerate_ranges(GUM_PAGE_EXECUTE, exclude_ranges_callback, NULL);
}
void ranges_init(void) {
GumMemoryRange ri;
GArray * step1;
GArray * step2;
GArray * step3;
GArray * step4;
GumMemoryRange *r;
GumStalker * stalker;
GumMemoryRange ri;
GArray * step1;
GArray * step2;
GArray * step3;
GArray * step4;
if (getenv("AFL_FRIDA_DEBUG_MAPS") != NULL) {
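Review bot: `exclude_ranges_callback` identifies this library by the hard-coded basename `"afl-frida-trace.so"`; if the library is built or loaded under another name, `ranges_exclude_self` silently excludes nothing and stalker ends up instrumenting itself, which the "*NEVER* stalk the stalker" comment says is fatal. Resolve the module from one of this library's own function addresses (`dladdr` on `exclude_ranges_callback` itself) instead of matching the name, and at least `FATAL` if no range matched. Returning `FALSE` after the first match also stops enumeration, so a build with more than one executable mapping would leave the rest unexcluded.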
@ -535,20 +560,16 @@ void ranges_init(void) {
ranges = merge_ranges(step4);
print_ranges("final", ranges);
stalker = stalker_get();
for (guint i = 0; i < ranges->len; i++) {
r = &g_array_index(ranges, GumMemoryRange, i);
gum_stalker_exclude(stalker, r);
}
g_array_free(step4, TRUE);
g_array_free(step3, TRUE);
g_array_free(step2, TRUE);
g_array_free(step1, TRUE);
/* *NEVER* stalk the stalker, only bad things will ever come of this! */
ranges_exclude_self();
ranges_exclude();
}
gboolean range_is_excluded(gpointer address) {
@ -572,3 +593,19 @@ gboolean range_is_excluded(gpointer address) {
}
void ranges_exclude() {
GumMemoryRange *r;
GumStalker * stalker = stalker_get();
OKF("Excluding ranges");
for (guint i = 0; i < ranges->len; i++) {
r = &g_array_index(ranges, GumMemoryRange, i);
gum_stalker_exclude(stalker, r);
}
}

View File

@ -0,0 +1,208 @@
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/shm.h>
#include <sys/mman.h>
#include "frida-gum.h"
#include "config.h"
#include "debug.h"
#include "util.h"
#include "stats.h"
#define MICRO_TO_SEC 1000000
stats_data_header_t *stats_data = NULL;
static int stats_parent_pid = -1;
static int stats_fd = -1;
static gboolean stats_transitions = FALSE;
static guint64 stats_interval = 0;
void stats_init(void) {
stats_parent_pid = getpid();
char *filename = getenv("AFL_FRIDA_STATS_FILE");
stats_interval = util_read_num("AFL_FRIDA_STATS_INTERVAL");
if (getenv("AFL_FRIDA_STATS_TRANSITIONS") != NULL) {
stats_transitions = TRUE;
}
OKF("Stats - file [%s]", filename);
OKF("Stats - interval [%" G_GINT64_MODIFIER "u]", stats_interval);
if (stats_interval != 0 && filename == NULL) {
FATAL(
"AFL_FRIDA_STATS_FILE must be specified if "
"AFL_FRIDA_STATS_INTERVAL is");
}
if (stats_interval == 0) { stats_interval = 10; }
if (filename == NULL) { return; }
if (!stats_is_supported_arch()) {
FATAL("Stats is not supported on this architecture");
}
char *path = NULL;
if (filename == NULL) { return; }
if (stats_transitions) { gum_stalker_set_counters_enabled(TRUE); }
path = g_canonicalize_filename(filename, g_get_current_dir());
OKF("Stats - path [%s]", path);
stats_fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
if (stats_fd < 0) { FATAL("Failed to open stats file '%s'", path); }
g_free(path);
size_t data_size = stats_data_size_arch();
int shm_id = shmget(IPC_PRIVATE, data_size, IPC_CREAT | IPC_EXCL | 0600);
if (shm_id < 0) { FATAL("shm_id < 0 - errno: %d\n", errno); }
stats_data = shmat(shm_id, NULL, 0);
g_assert(stats_data != MAP_FAILED);
/*
* Configure the shared memory region to be removed once the process dies.
*/
if (shmctl(shm_id, IPC_RMID, NULL) < 0) {
FATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno);
}
/* Clear it, not sure it's necessary, just seems like good practice */
memset(stats_data, '\0', data_size);
}
void stats_vprint(int fd, char *format, va_list ap) {
char buffer[4096] = {0};
int ret;
int len;
if(vsnprintf(buffer, sizeof(buffer) - 1, format, ap) < 0) { return; }
len = strnlen(buffer, sizeof(buffer));
IGNORED_RETURN(write(fd, buffer, len));
}
void stats_print_fd(int fd, char *format, ...) {
va_list ap;
va_start(ap, format);
stats_vprint(fd, format, ap);
va_end(ap);
}
void stats_print(char *format, ...) {
va_list ap;
va_start(ap, format);
stats_vprint(stats_fd, format, ap);
va_end(ap);
}
void stats_write(void) {
if (stats_parent_pid == getpid()) { return; }
GDateTime *date_time = g_date_time_new_now_local();
char *date_time_string = g_date_time_format(date_time, "%Y-%m-%e %H:%M:%S");
stats_print("stats\n");
stats_print("-----\n");
stats_print("Index: %" G_GINT64_MODIFIER "u\n",
stats_data->stats_idx++);
stats_print("Pid: %d\n", getpid());
stats_print("Time: %s\n", date_time_string);
stats_print("Blocks: %" G_GINT64_MODIFIER "u\n",
stats_data->num_blocks);
stats_print("Instructions: %" G_GINT64_MODIFIER "u\n",
stats_data->num_instructions);
stats_print("Avg Instructions / Block: %" G_GINT64_MODIFIER "u\n",
stats_data->num_instructions / stats_data->num_blocks);
stats_print("\n");
g_free(date_time_string);
g_date_time_unref(date_time);
stats_write_arch();
if (stats_transitions) {
GDateTime *date_time = g_date_time_new_now_local();
char *date_time_string = g_date_time_format(date_time, "%Y-%m-%e %H:%M:%S");
stats_print_fd(STDERR_FILENO, "stats\n");
stats_print_fd(STDERR_FILENO, "-----\n");
stats_print_fd(STDERR_FILENO, "Index: %" G_GINT64_MODIFIER "u\n",
stats_data->transitions_idx++);
stats_print_fd(STDERR_FILENO, "Pid: %d\n", getpid());
stats_print_fd(STDERR_FILENO, "Time: %s\n", date_time_string);
g_free(date_time_string);
g_date_time_unref(date_time);
gum_stalker_dump_counters();
}
}
static void stats_maybe_write(void) {
guint64 current_time;
if (stats_interval == 0) { return; }
current_time = g_get_monotonic_time();
if ((current_time - stats_data->stats_last_time) >
(stats_interval * MICRO_TO_SEC)) {
stats_write();
stats_data->stats_last_time = current_time;
}
}
void stats_collect(const cs_insn *instr, gboolean begin) {
UNUSED_PARAMETER(instr);
UNUSED_PARAMETER(begin);
if (stats_fd < 0) { return; }
if (begin) { stats_data->num_blocks++; }
stats_data->num_instructions++;
stats_collect_arch(instr);
stats_maybe_write();
}
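Review bot: `stats_collect` calls `UNUSED_PARAMETER(instr);` and `UNUSED_PARAMETER(begin);` on parameters it then uses on the following lines; drop both. In `stats_init`, `if (filename == NULL) { return; }` appears twice, and because the default `stats_interval = 10` is applied before the first return, the `if (stats_interval == 0)` test in `stats_maybe_write` is dead code. In `stats_write` the inner `date_time`/`date_time_string` shadow the outer ones; reuse the outer pair or rename. The `num_instructions / num_blocks` division is only safe because `stats_collect` is always first called with `begin == TRUE`; a comment or an explicit guard would make that visible. `memset` and `strnlen` also need `<string.h>` and `va_list` needs `<stdarg.h>` rather than relying on frida-gum.h.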

View File

@ -0,0 +1,36 @@
#include "frida-gum.h"
#include "debug.h"
#include "stats.h"
#include "util.h"
#if defined(__arm__)
gboolean stats_is_supported_arch(void) {
return FALSE;
}
size_t stats_data_size_arch(void) {
FATAL("Stats not supported on this architecture");
}
void stats_write_arch(void) {
FATAL("Stats not supported on this architecture");
}
void stats_collect_arch(const cs_insn *instr) {
UNUSED_PARAMETER(instr);
FATAL("Stats not supported on this architecture");
}
#endif

View File

@ -0,0 +1,36 @@
#include "frida-gum.h"
#include "debug.h"
#include "stats.h"
#include "util.h"
#if defined(__aarch64__)
gboolean stats_is_supported_arch(void) {
return FALSE;
}
size_t stats_data_size_arch(void) {
FATAL("Stats not supported on this architecture");
}
void stats_write_arch(void) {
FATAL("Stats not supported on this architecture");
}
void stats_collect_arch(const cs_insn *instr) {
UNUSED_PARAMETER(instr);
FATAL("Stats not supported on this architecture");
}
#endif

View File

@ -0,0 +1,307 @@
#include "frida-gum.h"
#include "debug.h"
#include "ranges.h"
#include "stats.h"
#include "util.h"
#if defined(__x86_64__)
typedef struct {
stats_data_header_t header;
guint64 num_call_imm;
guint64 num_call_imm_excluded;
guint64 num_call_reg;
guint64 num_call_mem;
guint64 num_jmp_imm;
guint64 num_jmp_reg;
guint64 num_jmp_mem;
guint64 num_jmp_cond_imm;
guint64 num_jmp_cond_reg;
guint64 num_jmp_cond_mem;
guint64 num_jmp_cond_jcxz;
guint64 num_ret;
guint64 num_rip_relative;
} stats_data_arch_t;
gboolean stats_is_supported_arch(void) {
return TRUE;
}
size_t stats_data_size_arch(void) {
return sizeof(stats_data_arch_t);
}
void stats_write_arch(void) {
stats_data_arch_t *stats_data_arch = (stats_data_arch_t *)stats_data;
guint64 num_instructions = stats_data_arch->header.num_instructions;
stats_print(
"Call Immediates: %" G_GINT64_MODIFIER
"u "
"(%3.2f%%)\n",
stats_data_arch->num_call_imm,
((float)(stats_data_arch->num_call_imm * 100) / num_instructions));
stats_print("Call Immediates Excluded: %" G_GINT64_MODIFIER
"u "
"(%3.2f%%)\n",
stats_data_arch->num_call_imm_excluded,
((float)(stats_data_arch->num_call_imm_excluded * 100) /
num_instructions));
stats_print(
"Call Register: %" G_GINT64_MODIFIER
"u "
"(%3.2f%%)\n",
stats_data_arch->num_call_reg,
((float)(stats_data_arch->num_call_reg * 100) / num_instructions));
stats_print(
"Call Memory: %" G_GINT64_MODIFIER
"u "
"(%3.2f%%)\n",
stats_data_arch->num_call_mem,
((float)(stats_data_arch->num_call_mem * 100) / num_instructions));
stats_print("\n");
stats_print("Jump Immediates: %" G_GINT64_MODIFIER
"u "
"(%3.2f%%)\n",
stats_data_arch->num_jmp_imm,
((float)(stats_data_arch->num_jmp_imm * 100) / num_instructions));
stats_print("Jump Register: %" G_GINT64_MODIFIER
"u "
"(%3.2f%%)\n",
stats_data_arch->num_jmp_reg,
((float)(stats_data_arch->num_jmp_reg * 100) / num_instructions));
stats_print("Jump Memory: %" G_GINT64_MODIFIER
"u "
"(%3.2f%%)\n",
stats_data_arch->num_jmp_mem,
((float)(stats_data_arch->num_jmp_mem * 100) / num_instructions));
stats_print("\n");
stats_print(
"Conditional Jump Immediates: %" G_GINT64_MODIFIER
"u "
"(%3.2f%%)\n",
stats_data_arch->num_jmp_cond_imm,
((float)(stats_data_arch->num_jmp_cond_imm * 100) / num_instructions));
stats_print(
"Conditional Jump CX Immediate: %" G_GINT64_MODIFIER
"u "
"(%3.2f%%)\n",
stats_data_arch->num_jmp_cond_jcxz,
((float)(stats_data_arch->num_jmp_cond_jcxz * 100) / num_instructions));
stats_print(
"Conditional Jump Register: %" G_GINT64_MODIFIER
"u "
"(%3.2f%%)\n",
stats_data_arch->num_jmp_cond_reg,
((float)(stats_data_arch->num_jmp_cond_reg * 100) / num_instructions));
stats_print(
"Conditional Jump Memory: %" G_GINT64_MODIFIER
"u "
"(%3.2f%%)\n",
stats_data_arch->num_jmp_cond_mem,
((float)(stats_data_arch->num_jmp_cond_mem * 100) / num_instructions));
stats_print("\n");
stats_print("Returns: %" G_GINT64_MODIFIER
"u "
"(%3.2f%%)\n",
stats_data_arch->num_ret,
(stats_data_arch->num_ret * 100 / num_instructions));
stats_print("\n");
stats_print("Rip Relative: %" G_GINT64_MODIFIER
"u "
"(%3.2f%%)\n",
stats_data_arch->num_rip_relative,
(stats_data_arch->num_rip_relative * 100 / num_instructions));
stats_print("\n");
stats_print("\n");
}
static x86_op_type stats_get_operand_type(const cs_insn *instr) {
cs_x86 * x86 = &instr->detail->x86;
cs_x86_op *operand;
if (x86->op_count != 1) {
FATAL("Unexpected operand count (%d): %s %s\n", x86->op_count,
instr->mnemonic, instr->op_str);
}
operand = &x86->operands[0];
return operand->type;
}
static void stats_collect_call_imm_excluded_arch(const cs_insn *instr) {
stats_data_arch_t *stats_data_arch = (stats_data_arch_t *)stats_data;
cs_x86 * x86 = &instr->detail->x86;
cs_x86_op * operand = &x86->operands[0];
if (range_is_excluded((gpointer)operand->imm)) {
stats_data_arch->num_call_imm_excluded++;
}
}
static void stats_collect_call_arch(const cs_insn *instr) {
stats_data_arch_t *stats_data_arch = (stats_data_arch_t *)stats_data;
x86_op_type type = stats_get_operand_type(instr);
switch (type) {
case X86_OP_IMM:
stats_data_arch->num_call_imm++;
stats_collect_call_imm_excluded_arch(instr);
break;
case X86_OP_REG:
stats_data_arch->num_call_reg++;
break;
case X86_OP_MEM:
stats_data_arch->num_call_mem++;
break;
default:
FATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str);
}
}
static void stats_collect_jump_arch(const cs_insn *instr) {
stats_data_arch_t *stats_data_arch = (stats_data_arch_t *)stats_data;
x86_op_type type = stats_get_operand_type(instr);
switch (type) {
case X86_OP_IMM:
stats_data_arch->num_jmp_imm++;
break;
case X86_OP_REG:
stats_data_arch->num_jmp_reg++;
break;
case X86_OP_MEM:
stats_data_arch->num_jmp_mem++;
break;
default:
FATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str);
}
}
static void stats_collect_jump_cond_arch(const cs_insn *instr) {
stats_data_arch_t *stats_data_arch = (stats_data_arch_t *)stats_data;
x86_op_type type = stats_get_operand_type(instr);
switch (type) {
case X86_OP_IMM:
stats_data_arch->num_jmp_cond_imm++;
break;
case X86_OP_REG:
stats_data_arch->num_jmp_cond_reg++;
break;
case X86_OP_MEM:
stats_data_arch->num_jmp_cond_mem++;
break;
default:
FATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str);
}
}
static void stats_collect_rip_relative_arch(const cs_insn *instr) {
stats_data_arch_t *stats_data_arch = (stats_data_arch_t *)stats_data;
cs_x86 * x86 = &instr->detail->x86;
guint mod;
guint rm;
if (x86->encoding.modrm_offset == 0) { return; }
mod = (x86->modrm & 0xc0) >> 6;
if (mod != 0) { return; }
rm = (x86->modrm & 0x07) >> 0;
if (rm != 5) { return; }
stats_data_arch->num_rip_relative++;
}
void stats_collect_arch(const cs_insn *instr) {
stats_data_arch_t *stats_data_arch = (stats_data_arch_t *)stats_data;
switch (instr->id) {
case X86_INS_CALL:
stats_collect_call_arch(instr);
break;
case X86_INS_JMP:
stats_collect_jump_arch(instr);
break;
case X86_INS_JA:
case X86_INS_JAE:
case X86_INS_JB:
case X86_INS_JBE:
case X86_INS_JE:
case X86_INS_JG:
case X86_INS_JGE:
case X86_INS_JL:
case X86_INS_JLE:
case X86_INS_JNE:
case X86_INS_JNO:
case X86_INS_JNP:
case X86_INS_JNS:
case X86_INS_JO:
case X86_INS_JP:
case X86_INS_JS:
stats_collect_jump_cond_arch(instr);
break;
case X86_INS_JECXZ:
case X86_INS_JRCXZ:
stats_data_arch->num_jmp_cond_jcxz++;
break;
case X86_INS_RET:
stats_data_arch->num_ret++;
break;
default:
stats_collect_rip_relative_arch(instr);
break;
}
}
#endif
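Review bot: the "Returns" and "Rip Relative" lines pass `(stats_data_arch->num_ret * 100 / num_instructions)` and `(stats_data_arch->num_rip_relative * 100 / num_instructions)`, both `guint64`, to a `%3.2f` conversion; that is undefined behaviour and is why the README sample shows "Returns: 159 (0.00%)" and "Rip Relative: 247 (0.00%)" despite non-zero counts. Cast to float before the division as the other counters do. All of the `"(%3.2f%%)\n"` lines would also be caught by a printf format attribute on `stats_print`.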

View File

@ -0,0 +1,36 @@
#include "frida-gum.h"
#include "debug.h"
#include "stats.h"
#include "util.h"
#if defined(__i386__)
gboolean stats_is_supported_arch(void) {
return FALSE;
}
size_t stats_data_size_arch(void) {
FATAL("Stats not supported on this architecture");
}
void stats_write_arch(void) {
FATAL("Stats not supported on this architecture");
}
void stats_collect_arch(const cs_insn *instr) {
UNUSED_PARAMETER(instr);
FATAL("Stats not supported on this architecture");
}
#endif

View File

@ -10,7 +10,7 @@ guint64 util_read_address(char *key) {
if (!g_str_has_prefix(value_str, "0x")) {
FATAL("Invalid address should have 0x prefix: %s\n", value_str);
FATAL("Invalid address should have 0x prefix: %s=%s\n", key, value_str);
}
@ -20,8 +20,8 @@ guint64 util_read_address(char *key) {
if (!g_ascii_isxdigit(*c)) {
FATAL("Invalid address not formed of hex digits: %s ('%c')\n", value_str,
*c);
FATAL("Invalid address not formed of hex digits: %s=%s ('%c')\n", key,
value_str, *c);
}
@ -30,7 +30,7 @@ guint64 util_read_address(char *key) {
guint64 value = g_ascii_strtoull(value_str2, NULL, 16);
if (value == 0) {
FATAL("Invalid address failed hex conversion: %s\n", value_str2);
FATAL("Invalid address failed hex conversion: %s=%s\n", key, value_str2);
}
@ -48,7 +48,8 @@ guint64 util_read_num(char *key) {
if (!g_ascii_isdigit(*c)) {
FATAL("Invalid address not formed of decimal digits: %s\n", value_str);
FATAL("Invalid address not formed of decimal digits: %s=%s\n", key,
value_str);
}
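Review bot: both `util_read_num` messages still say "Invalid address" ("Invalid address not formed of decimal digits" here and "Invalid address failed numeric conversion" in the following hunk) although the function parses a decimal count; say "Invalid number" so a user setting `AFL_FRIDA_PERSISTENT_CNT` or `AFL_FRIDA_STATS_INTERVAL` is not told to look for an address.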
@ -57,7 +58,7 @@ guint64 util_read_num(char *key) {
guint64 value = g_ascii_strtoull(value_str, NULL, 10);
if (value == 0) {
FATAL("Invalid address failed numeric conversion: %s\n", value_str);
FATAL("Invalid address failed numeric conversion: %s=%s\n", key, value_str);
}

View File

@ -0,0 +1,71 @@
PWD:=$(shell pwd)/
ROOT:=$(shell realpath $(PWD)../../..)/
BUILD_DIR:=$(PWD)build/
TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/
TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in
TESTINSTBIN:=$(BUILD_DIR)testinstr
TESTINSTSRC:=$(PWD)testinstr.c
QEMU_OUT:=$(BUILD_DIR)qemu-out
FRIDA_OUT:=$(BUILD_DIR)frida-out
GET_SYMBOL_ADDR:=$(ROOT)frida_mode/test/png/persistent/get_symbol_addr.py
ifndef ARCH
ARCH=$(shell uname -m)
ifeq "$(ARCH)" "aarch64"
ARCH:=arm64
endif
ifeq "$(ARCH)" "i686"
ARCH:=x86
endif
endif
ARCH=$(shell uname -m)
ifeq "$(ARCH)" "aarch64"
AFL_ENTRYPOINT=$(shell $(GET_SYMBOL_ADDR) -f $(TESTINSTBIN) -s run -b 0x0000aaaaaaaaa000)
endif
ifeq "$(ARCH)" "x86_64"
AFL_ENTRYPOINT=$(shell $(GET_SYMBOL_ADDR) -f $(TESTINSTBIN) -s run -b 0x0000555555554000)
endif
ifeq "$(ARCH)" "x86"
AFL_ENTRYPOINT=$(shell $(GET_SYMBOL_ADDR) -f $(TESTINSTBIN) -s run -b 0x56555000)
endif
.PHONY: all clean qemu frida
all: $(TESTINSTBIN)
make -C $(ROOT)frida_mode/
32:
CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
$(BUILD_DIR):
mkdir -p $@
$(TESTINSTR_DATA_DIR): | $(BUILD_DIR)
mkdir -p $@
$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR)
echo -n "000" > $@
$(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR)
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
clean:
rm -rf $(BUILD_DIR)
frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
AFL_ENTRYPOINT=$(AFL_ENTRYPOINT) \
$(ROOT)afl-fuzz \
-D \
-O \
-i $(TESTINSTR_DATA_DIR) \
-o $(FRIDA_OUT) \
-- \
$(TESTINSTBIN) @@
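Review bot: the bare `ARCH=$(shell uname -m)` immediately after the `ifndef ARCH` block unconditionally overwrites `ARCH`, so the `ARCH="x86"` passed by the `32:` target is discarded (the 32-bit base `0x56555000` is then never selected) and the `aarch64` to `arm64` rename above is undone, which is why the next `ifeq` has to test `"aarch64"` again; drop that line and test `"arm64"`. `.PHONY` lists a `qemu` target that does not exist here and omits `32`, and `make -C $(ROOT)frida_mode/` should be `$(MAKE) -C ...` so flags and jobserver propagate. The fixed `-b` bases also assume ASLR is disabled; a comment saying so would save the next reader a puzzled hour.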


@ -0,0 +1,13 @@
all:
@echo trying to use GNU make...
@gmake all || echo please install GNUmake
32:
@echo trying to use GNU make...
@gmake 32 || echo please install GNUmake
clean:
@gmake clean
frida:
@gmake frida
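Review bot: `@gmake all || echo please install GNUmake` turns a failing `gmake` build into exit status 0, so a broken build under BSD make looks green; use `|| { echo please install GNUmake; exit 1; }` for `all` and `32`, as `clean` and `frida` already propagate the status.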


@ -0,0 +1,125 @@
/*
american fuzzy lop++ - a trivial program to test the build
--------------------------------------------------------
Originally written by Michal Zalewski
Copyright 2014 Google Inc. All rights reserved.
Copyright 2019-2020 AFLplusplus Project. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
*/
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __APPLE__
#define TESTINSTR_SECTION
#else
#define TESTINSTR_SECTION __attribute__((section(".testinstr")))
#endif
void testinstr(char *buf, int len) {
if (len < 1) return;
buf[len] = 0;
// we support three input cases
if (buf[0] == '0')
printf("Looks like a zero to me!\n");
else if (buf[0] == '1')
printf("Pretty sure that is a one!\n");
else
printf("Neither one or zero? How quaint!\n");
}
int run(char *file) {
int fd = -1;
off_t len;
char * buf = NULL;
size_t n_read;
int result = -1;
do {
dprintf(STDERR_FILENO, "Running: %s\n", file);
fd = open(file, O_RDONLY);
if (fd < 0) {
perror("open");
break;
}
len = lseek(fd, 0, SEEK_END);
if (len < 0) {
perror("lseek (SEEK_END)");
break;
}
if (lseek(fd, 0, SEEK_SET) != 0) {
perror("lseek (SEEK_SET)");
break;
}
buf = malloc(len);
if (buf == NULL) {
perror("malloc");
break;
}
n_read = read(fd, buf, len);
if (n_read != len) {
perror("read");
break;
}
dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read);
testinstr(buf, len);
dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read);
result = 0;
} while (false);
if (buf != NULL) { free(buf); }
if (fd != -1) { close(fd); }
return result;
}
void slow() {
usleep(100000);
}
TESTINSTR_SECTION int do_run(char * file) {
return run(file);
}
int main(int argc, char **argv) {
if (argc != 2) { return 1; }
slow();
return do_run(argv[1]);
}
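Review bot: `buf[len] = 0;` in `testinstr` writes one byte past the end of the `malloc(len)` buffer allocated in `run`, a heap overflow that ASan or a malloc hardener will flag on every input; allocate `len + 1` or drop the terminator, since only `buf[0]` is ever read. Also `n_read` is `size_t` but receives `read()`'s `ssize_t`, so a `-1` becomes `SIZE_MAX` and the `n_read != len` comparison mixes signed `off_t` with unsigned; make `n_read` a `ssize_t` and compare after checking for `< 0`.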


@ -0,0 +1,188 @@
PWD:=$(shell pwd)/
ROOT:=$(shell realpath $(PWD)../../..)/
BUILD_DIR:=$(PWD)build/
AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c
AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so
LIBPCAP_BUILD_DIR:=$(BUILD_DIR)libpcap/
HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/
PCAPTEST_BUILD_DIR:=$(BUILD_DIR)libpcaptest/
TCPDUMP_BUILD_DIR:=$(BUILD_DIR)tcpdump/
LIBPCAP_PATCH_URL:=https://raw.githubusercontent.com/google/fuzzbench/master/benchmarks/libpcap_fuzz_both/patch.diff
LIBPCAP_PATCH_FILE:=$(LIBPCAP_BUILD_DIR)patch.diff
LIBPCAP_URL:=https://github.com/the-tcpdump-group/libpcap.git
LIBPCAP_DIR:=$(LIBPCAP_BUILD_DIR)libpcap/
LIBPCAP_CMAKEFILE:=$(LIBPCAP_DIR)CMakeLists.txt
LIBPCAP_MAKEFILE:=$(LIBPCAP_DIR)Makefile
LIBPCAP_LIB:=$(LIBPCAP_DIR)libpcap.a
HARNESS_FILE:=$(HARNESS_BUILD_DIR)StandaloneFuzzTargetMain.c
HARNESS_OBJ:=$(HARNESS_BUILD_DIR)StandaloneFuzzTargetMain.o
HARNESS_URL:="https://raw.githubusercontent.com/llvm/llvm-project/main/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c"
PCAPTEST_SRC_DIR:=$(LIBPCAP_DIR)testprogs/fuzz/
PCAPTEST_FILE:=$(PCAPTEST_SRC_DIR)fuzz_both.c
PCAPTEST_OBJ:=$(PCAPTEST_BUILD_DIR)fuzz_both.o
TCPDUMP_URL:=https://github.com/the-tcpdump-group/tcpdump.git
TCPDUMP_TESTS_DIR:=$(TCPDUMP_BUILD_DIR)tests/
CFLAGS += -fpermissive
LDFLAGS += -lpthread
TEST_BIN:=$(BUILD_DIR)test
ifeq "$(shell uname)" "Darwin"
TEST_BIN_LDFLAGS:=-undefined dynamic_lookup
endif
AFLPP_DRIVER_DUMMY_INPUT:=$(TCPDUMP_TESTS_DIR)in
QEMU_OUT:=$(BUILD_DIR)qemu-out
FRIDA_OUT:=$(BUILD_DIR)frida-out
ifndef ARCH
ARCH=$(shell uname -m)
ifeq "$(ARCH)" "aarch64"
ARCH:=arm64
endif
ifeq "$(ARCH)" "i686"
ARCH:=x86
endif
endif
AFL_QEMU_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x4000000000)
ifeq "$(ARCH)" "aarch64"
AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000aaaaaaaaa000)
endif
ifeq "$(ARCH)" "x86_64"
AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000555555554000)
endif
ifeq "$(ARCH)" "x86"
AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x56555000)
endif
.PHONY: all clean qemu frida hook
all: $(TEST_BIN)
make -C $(ROOT)frida_mode/
32:
CXXFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
$(BUILD_DIR):
mkdir -p $@
######### HARNESS ########
$(HARNESS_BUILD_DIR): | $(BUILD_DIR)
mkdir -p $@
$(HARNESS_FILE): | $(HARNESS_BUILD_DIR)
wget -O $@ $(HARNESS_URL)
$(HARNESS_OBJ): $(HARNESS_FILE)
$(CC) $(CXXFLAGS) $(LDFLAGS) -o $@ -c $<
######### PCAPTEST ########
$(PCAPTEST_BUILD_DIR): | $(BUILD_DIR)
mkdir -p $@
$(PCAPTEST_FILE): | $(LIBPCAP_CMAKEFILE)
$(PCAPTEST_OBJ): $(PCAPTEST_FILE) | $(PCAPTEST_BUILD_DIR)
$(CC) $(CFLAGS) $(LDFLAGS) -I $(LIBPCAP_DIR) -o $@ -c $<
######### LIBPCAP ########
$(LIBPCAP_BUILD_DIR): | $(BUILD_DIR)
mkdir -p $@
$(LIBPCAP_PATCH_FILE): | $(LIBPCAP_BUILD_DIR)
wget -O $@ $(LIBPCAP_PATCH_URL)
$(LIBPCAP_CMAKEFILE): $(LIBPCAP_PATCH_FILE) | $(LIBPCAP_BUILD_DIR)
git clone --depth 1 $(LIBPCAP_URL) $(LIBPCAP_DIR)
git apply $(LIBPCAP_PATCH_FILE)
$(LIBPCAP_MAKEFILE): $(LIBPCAP_CMAKEFILE)
cd $(LIBPCAP_DIR) && cmake .
$(LIBPCAP_LIB): $(LIBPCAP_MAKEFILE) $(LIBPCAP_PATCH_FILE)
make -C $(LIBPCAP_DIR)
######## TCPDUMP ######
$(TCPDUMP_BUILD_DIR): | $(BUILD_DIR)
mkdir -p $@
$(TCPDUMP_TESTS_DIR): | $(TCPDUMP_BUILD_DIR)
git clone --depth=1 $(TCPDUMP_URL) $(TCPDUMP_BUILD_DIR)
######### TEST ########
$(TEST_BIN): $(HARNESS_OBJ) $(PCAPTEST_OBJ) $(LIBPCAP_LIB)
$(CXX) \
$(CFLAGS) \
-o $@ \
$(HARNESS_OBJ) $(PCAPTEST_OBJ) $(LIBPCAP_LIB) \
-lz \
$(LDFLAGS) \
$(TEST_BIN_LDFLAGS) \
########## HOOK ########
$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR)
$(CC) -shared $(CFLAGS) $(LDFLAGS) $< -o $@
########## DUMMY #######
$(AFLPP_DRIVER_DUMMY_INPUT): | $(TCPDUMP_TESTS_DIR)
truncate -s 1M $@
###### TEST DATA #######
hook: $(AFLPP_DRIVER_HOOK_OBJ)
clean:
rm -rf $(BUILD_DIR)
qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR)
AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \
AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \
AFL_QEMU_PERSISTENT_GPR=1 \
$(ROOT)afl-fuzz \
-D \
-V 30 \
-Q \
-i $(TCPDUMP_TESTS_DIR) \
-o $(QEMU_OUT) \
-- \
$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR)
AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \
$(ROOT)afl-fuzz \
-D \
-V 30 \
-O \
-i $(TCPDUMP_TESTS_DIR) \
-o $(FRIDA_OUT) \
-- \
$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
debug:
gdb \
--ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
--ex 'set disassembly-flavor intel' \
--args $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
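Review bot: the `ifndef ARCH` block rewrites `aarch64` to `arm64`, but the branch that sets `AFL_FRIDA_PERSISTENT_ADDR` tests `ifeq "$(ARCH)" "aarch64"`, so on an arm64 host the variable is never set and the `frida` target runs without a persistent address; test `"arm64"`. `git apply $(LIBPCAP_PATCH_FILE)` runs from this test directory, not inside the clone, so it should be `cd $(LIBPCAP_DIR) && git apply $(LIBPCAP_PATCH_FILE)`. The `$(TEST_BIN)` recipe ends with `$(TEST_BIN_LDFLAGS) \`, a dangling continuation that pulls the following comment line into the shell command; remove the trailing backslash. Finally `CFLAGS += -fpermissive` is a C++-only option that gets passed to the C compiles of `fuzz_both.c` and the hook, and the `32:` target only sets `CXXFLAGS`, so those same C objects are built 64-bit while the harness is built with `-m32`; set `CFLAGS` there too.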



@ -0,0 +1,97 @@
#include <stdint.h>
#include <string.h>
#if defined(__x86_64__)
struct x86_64_regs {
uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14,
r15;
union {
uint64_t rip;
uint64_t pc;
};
union {
uint64_t rsp;
uint64_t sp;
};
union {
uint64_t rflags;
uint64_t flags;
};
uint8_t zmm_regs[32][64];
};
void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
uint8_t *input_buf, uint32_t input_buf_len) {
memcpy((void *)regs->rdi, input_buf, input_buf_len);
regs->rsi = input_buf_len;
}
#elif defined(__i386__)
struct x86_regs {
uint32_t eax, ebx, ecx, edx, edi, esi, ebp;
union {
uint32_t eip;
uint32_t pc;
};
union {
uint32_t esp;
uint32_t sp;
};
union {
uint32_t eflags;
uint32_t flags;
};
uint8_t xmm_regs[8][16];
};
void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base,
uint8_t *input_buf, uint32_t input_buf_len) {
void **esp = (void **)regs->esp;
void * arg1 = esp[1];
void **arg2 = &esp[2];
memcpy(arg1, input_buf, input_buf_len);
*arg2 = (void *)input_buf_len;
}
#else
#pragma error "Unsupported architecture"
#endif
int afl_persistent_hook_init(void) {
// 1 for shared memory input (faster), 0 for normal input (you have to use
// read(), input_buf will be NULL)
return 1;
}
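Review bot: `#pragma error "Unsupported architecture"` is not a preprocessor error; GCC and clang only emit an unknown-pragma warning, so on any other architecture this file compiles to a shared object with no `afl_persistent_hook` at all. Use `#error "Unsupported architecture"`. The `memcpy((void *)regs->rdi, input_buf, input_buf_len)` (and the `esp[1]` equivalent) copies the whole test case into the target's buffer with no upper bound; this only works because the Makefile's dummy input is `truncate -s 1M`, matching afl-fuzz's default maximum input size, so clamp `input_buf_len` to that buffer size in the hook. `guest_base` is unused in both variants and will trip the newly raised warning level.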


@ -0,0 +1,36 @@
#!/usr/bin/python3
import argparse
from elftools.elf.elffile import ELFFile
def process_file(file, symbol, base):
with open(file, 'rb') as f:
elf = ELFFile(f)
symtab = elf.get_section_by_name('.symtab')
mains = symtab.get_symbol_by_name(symbol)
if len(mains) != 1:
print ("Failed to find main")
return 1
main_addr = mains[0]['st_value']
main = base + main_addr
print ("0x%016x" % main)
return 0
def hex_value(x):
return int(x, 16)
def main():
parser = argparse.ArgumentParser(description='Process some integers.')
parser.add_argument('-f', '--file', dest='file', type=str,
help='elf file name', required=True)
parser.add_argument('-s', '--symbol', dest='symbol', type=str,
help='symbol name', required=True)
parser.add_argument('-b', '--base', dest='base', type=hex_value,
help='elf base address', required=True)
args = parser.parse_args()
return process_file (args.file, args.symbol, args.base)
if __name__ == "__main__":
ret = main()
exit(ret)
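Review bot: the error path prints "Failed to find main" to stdout, but the Makefiles consume this script via `$(shell ...)`, so that text becomes the value of `AFL_ENTRYPOINT` or `AFL_FRIDA_PERSISTENT_ADDR` rather than failing the build; write diagnostics to `sys.stderr` and name the requested `symbol` in the message. A stripped binary has no `.symtab`, in which case `symtab` is `None` and the next line raises `AttributeError`; check for it and report. The argparse `description='Process some integers.'` is a leftover from the library example.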


@ -0,0 +1,47 @@
PWD:=$(shell pwd)/
ROOT:=$(shell realpath $(PWD)../../..)/
BUILD_DIR:=$(PWD)build/
TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/
TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in
TESTINSTBIN:=$(BUILD_DIR)testinstr
TESTINSTSRC:=$(PWD)testinstr.c
QEMU_OUT:=$(BUILD_DIR)qemu-out
FRIDA_OUT:=$(BUILD_DIR)frida-out
.PHONY: all 32 clean qemu frida
all: $(TESTINSTBIN)
make -C $(ROOT)frida_mode/
32:
CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
$(BUILD_DIR):
mkdir -p $@
$(TESTINSTR_DATA_DIR): | $(BUILD_DIR)
mkdir -p $@
$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR)
echo -n "000" > $@
$(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR)
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
clean:
rm -rf $(BUILD_DIR)
frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
AFL_FRIDA_OUTPUT_STDOUT=frida_stdout.txt \
AFL_FRIDA_OUTPUT_STDERR=frida_stderr.txt \
AFL_FRIDA_STATS_FILE=frida_stats.txt \
AFL_FRIDA_STATS_INTERVAL=1 \
$(ROOT)afl-fuzz \
-D \
-O \
-i $(TESTINSTR_DATA_DIR) \
-o $(FRIDA_OUT) \
-- \
$(TESTINSTBIN) @@
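Review bot: `AFL_FRIDA_OUTPUT_STDOUT=frida_stdout.txt`, `AFL_FRIDA_OUTPUT_STDERR` and `AFL_FRIDA_STATS_FILE` are relative paths, so the files are written into the test's source directory, are not removed by `clean`, and end up in git (the 349-line captured output later in this diff is that `frida_stdout.txt`, per its `Redirect 1 ->` line). Prefix them with `$(BUILD_DIR)`, or at least add them to `.gitignore`.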


@ -0,0 +1,13 @@
all:
@echo trying to use GNU make...
@gmake all || echo please install GNUmake
32:
@echo trying to use GNU make...
@gmake 32 || echo please install GNUmake
clean:
@gmake clean
frida:
@gmake frida



@ -0,0 +1,349 @@
OG Range - 0x00007FFFF7FFE000 - 0x00007FFFF7FFF000
[+] CMPLOG Range - 0x00007FFFF7FFD000 - 0x00007FFFF7FFE000
[+] CMPLOG Range - 0x00007FFFF7FFC000 - 0x00007FFFF7FFD000
[+] CMPLOG Range - 0x00007FFFF7FF3000 - 0x00007FFFF7FFB000
[+] CMPLOG Range - 0x00007FFFF7FD0000 - 0x00007FFFF7FF3000
[+] CMPLOG Range - 0x00007FFFF7FCF000 - 0x00007FFFF7FD0000
[+] CMPLOG Range - 0x00007FFFF7FCE000 - 0x00007FFFF7FCF000
[+] CMPLOG Range - 0x00007FFFF7FCB000 - 0x00007FFFF7FCE000
[+] CMPLOG Range - 0x00007FFFF7DC4000 - 0x00007FFFF7FCB000
[+] CMPLOG Range - 0x00007FFFF7DBC000 - 0x00007FFFF7DC4000
[+] CMPLOG Range - 0x00007FFFF7DB0000 - 0x00007FFFF7DBC000
[+] CMPLOG Range - 0x00007FFFF7A94000 - 0x00007FFFF7DB0000
[+] CMPLOG Range - 0x00007FFFF7942000 - 0x00007FFFF7A94000
[+] CMPLOG Range - 0x00007FFFF78BF000 - 0x00007FFFF7942000
[+] CMPLOG Range - 0x00007FFFF78AF000 - 0x00007FFFF78BF000
[+] CMPLOG Range - 0x00007FFFF78AA000 - 0x00007FFFF78AB000
[+] CMPLOG Range - 0x00007FFFF78A9000 - 0x00007FFFF78AA000
[+] CMPLOG Range - 0x00007FFFF78A2000 - 0x00007FFFF78A6000
[+] CMPLOG Range - 0x00007FFFF789F000 - 0x00007FFFF78A2000
[+] CMPLOG Range - 0x00007FFFF789C000 - 0x00007FFFF789F000
[+] CMPLOG Range - 0x00007FFFF7851000 - 0x00007FFFF789B000
[+] CMPLOG Range - 0x00007FFFF76DB000 - 0x00007FFFF7851000
[+] CMPLOG Range - 0x00007FFFF76DA000 - 0x00007FFFF76DB000
[+] CMPLOG Range - 0x00007FFFF76D9000 - 0x00007FFFF76DA000
[+] CMPLOG Range - 0x00007FFFF76B4000 - 0x00007FFFF76D9000
[+] CMPLOG Range - 0x00007FFFF76B0000 - 0x00007FFFF76B4000
[+] CMPLOG Range - 0x00007FFFF76AF000 - 0x00007FFFF76B0000
[+] CMPLOG Range - 0x00007FFFF76AE000 - 0x00007FFFF76AF000
[+] CMPLOG Range - 0x00007FFFF76A9000 - 0x00007FFFF76AE000
[+] CMPLOG Range - 0x00007FFFF7698000 - 0x00007FFFF76A9000
[+] CMPLOG Range - 0x00007FFFF7691000 - 0x00007FFFF7698000
[+] CMPLOG Range - 0x00007FFFF768F000 - 0x00007FFFF7691000
[+] CMPLOG Range - 0x00007FFFF768E000 - 0x00007FFFF768F000
[+] CMPLOG Range - 0x00007FFFF768D000 - 0x00007FFFF768E000
[+] CMPLOG Range - 0x00007FFFF7689000 - 0x00007FFFF768C000
[+] CMPLOG Range - 0x00007FFFF7679000 - 0x00007FFFF7689000
[+] CMPLOG Range - 0x00007FFFF7675000 - 0x00007FFFF7679000
[+] CMPLOG Range - 0x00007FFFF7674000 - 0x00007FFFF7675000
[+] CMPLOG Range - 0x00007FFFF7673000 - 0x00007FFFF7674000
[+] CMPLOG Range - 0x00007FFFF7672000 - 0x00007FFFF7673000
[+] CMPLOG Range - 0x00007FFFF7670000 - 0x00007FFFF7672000
[+] CMPLOG Range - 0x00007FFFF766F000 - 0x00007FFFF7670000
[+] CMPLOG Range - 0x00007FFFF766D000 - 0x00007FFFF766F000
[+] Redirect 1 -> '/home/jon/git/AFLplusplus/frida_mode/test/output/frida_stdout.txt'
[+] Redirect 2 -> '/home/jon/git/AFLplusplus/frida_mode/test/output/frida_stderr.txt'
[+] Instrumentation - persistent mode [ ] (0x0000000000000000)
[+] Instrumentation - persistent count [ ] (0)
[+] Instrumentation - hook [(null)]
[+] Instrumentation - persistent ret [ ] (0x0000000000000000)
[+] Instrumentation - persistent ret offset [ ] (0)
[+] Instrumentation - prefetch [X]
[+] Range: Modules Length: 54
[+] Range: Modules Idx: 0 - 0x0000555555554000-0x0000555555555000
[+] Range: Modules Idx: 1 - 0x0000555555555000-0x0000555555556000
[+] Range: Modules Idx: 2 - 0x0000555555556000-0x0000555555557000
[+] Range: Modules Idx: 3 - 0x0000555555557000-0x0000555555558000
[+] Range: Modules Idx: 4 - 0x0000555555558000-0x0000555555559000
[+] Range: Modules Idx: 5 - 0x0000555555559000-0x000055555557a000
[+] Range: Modules Idx: 6 - 0x00007ffff7615000-0x00007ffff7625000
[+] Range: Modules Idx: 7 - 0x00007ffff766d000-0x00007ffff766f000
[+] Range: Modules Idx: 8 - 0x00007ffff766f000-0x00007ffff7670000
[+] Range: Modules Idx: 9 - 0x00007ffff7670000-0x00007ffff7672000
[+] Range: Modules Idx: 10 - 0x00007ffff7672000-0x00007ffff7673000
[+] Range: Modules Idx: 11 - 0x00007ffff7673000-0x00007ffff7674000
[+] Range: Modules Idx: 12 - 0x00007ffff7674000-0x00007ffff7675000
[+] Range: Modules Idx: 13 - 0x00007ffff7675000-0x00007ffff7679000
[+] Range: Modules Idx: 14 - 0x00007ffff7679000-0x00007ffff7689000
[+] Range: Modules Idx: 15 - 0x00007ffff7689000-0x00007ffff768c000
[+] Range: Modules Idx: 16 - 0x00007ffff768c000-0x00007ffff768d000
[+] Range: Modules Idx: 17 - 0x00007ffff768d000-0x00007ffff768e000
[+] Range: Modules Idx: 18 - 0x00007ffff768e000-0x00007ffff768f000
[+] Range: Modules Idx: 19 - 0x00007ffff768f000-0x00007ffff7691000
[+] Range: Modules Idx: 20 - 0x00007ffff7691000-0x00007ffff7698000
[+] Range: Modules Idx: 21 - 0x00007ffff7698000-0x00007ffff76a9000
[+] Range: Modules Idx: 22 - 0x00007ffff76a9000-0x00007ffff76ae000
[+] Range: Modules Idx: 23 - 0x00007ffff76ae000-0x00007ffff76af000
[+] Range: Modules Idx: 24 - 0x00007ffff76af000-0x00007ffff76b0000
[+] Range: Modules Idx: 25 - 0x00007ffff76b0000-0x00007ffff76b4000
[+] Range: Modules Idx: 26 - 0x00007ffff76b4000-0x00007ffff76d9000
[+] Range: Modules Idx: 27 - 0x00007ffff76d9000-0x00007ffff76da000
[+] Range: Modules Idx: 28 - 0x00007ffff76da000-0x00007ffff76db000
[+] Range: Modules Idx: 29 - 0x00007ffff76db000-0x00007ffff7851000
[+] Range: Modules Idx: 30 - 0x00007ffff7851000-0x00007ffff789b000
[+] Range: Modules Idx: 31 - 0x00007ffff789b000-0x00007ffff789c000
[+] Range: Modules Idx: 32 - 0x00007ffff789c000-0x00007ffff789f000
[+] Range: Modules Idx: 33 - 0x00007ffff789f000-0x00007ffff78a2000
[+] Range: Modules Idx: 34 - 0x00007ffff78a2000-0x00007ffff78a6000
[+] Range: Modules Idx: 35 - 0x00007ffff78a9000-0x00007ffff78aa000
[+] Range: Modules Idx: 36 - 0x00007ffff78aa000-0x00007ffff78ab000
[+] Range: Modules Idx: 37 - 0x00007ffff78af000-0x00007ffff78bf000
[+] Range: Modules Idx: 38 - 0x00007ffff78bf000-0x00007ffff7942000
[+] Range: Modules Idx: 39 - 0x00007ffff7942000-0x00007ffff7a94000
[+] Range: Modules Idx: 40 - 0x00007ffff7a94000-0x00007ffff7db0000
[+] Range: Modules Idx: 41 - 0x00007ffff7db0000-0x00007ffff7dbc000
[+] Range: Modules Idx: 42 - 0x00007ffff7dbc000-0x00007ffff7dc4000
[+] Range: Modules Idx: 43 - 0x00007ffff7dc4000-0x00007ffff7fcb000
[+] Range: Modules Idx: 44 - 0x00007ffff7fcb000-0x00007ffff7fce000
[+] Range: Modules Idx: 45 - 0x00007ffff7fce000-0x00007ffff7fcf000
[+] Range: Modules Idx: 46 - 0x00007ffff7fcf000-0x00007ffff7fd0000
[+] Range: Modules Idx: 47 - 0x00007ffff7fd0000-0x00007ffff7ff3000
[+] Range: Modules Idx: 48 - 0x00007ffff7ff3000-0x00007ffff7ffb000
[+] Range: Modules Idx: 49 - 0x00007ffff7ffc000-0x00007ffff7ffd000
[+] Range: Modules Idx: 50 - 0x00007ffff7ffd000-0x00007ffff7ffe000
[+] Range: Modules Idx: 51 - 0x00007ffff7ffe000-0x00007ffff7fff000
[+] Range: Modules Idx: 52 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: Modules Idx: 53 - 0xffffffffff600000-0xffffffffff601000
[+] Range: AFL_INST_LIBS Length: 1
[+] Range: AFL_INST_LIBS Idx: 0 - 0x0000555555555160-0x0000555555555335
[+] Range: step1 Length: 1
[+] Range: step1 Idx: 0 - 0x0000555555555160-0x0000555555555335
[+] Range: step2 Length: 1
[+] Range: step2 Idx: 0 - 0x0000555555555160-0x0000555555555335
[+] Range: step3 Length: 1
[+] Range: step3 Idx: 0 - 0x0000555555555160-0x0000555555555335
[+] Range: step4 Length: 55
[+] Range: step4 Idx: 0 - 0x0000555555554000-0x0000555555555000
[+] Range: step4 Idx: 1 - 0x0000555555555000-0x0000555555555160
[+] Range: step4 Idx: 2 - 0x0000555555555335-0x0000555555556000
[+] Range: step4 Idx: 3 - 0x0000555555556000-0x0000555555557000
[+] Range: step4 Idx: 4 - 0x0000555555557000-0x0000555555558000
[+] Range: step4 Idx: 5 - 0x0000555555558000-0x0000555555559000
[+] Range: step4 Idx: 6 - 0x0000555555559000-0x000055555557a000
[+] Range: step4 Idx: 7 - 0x00007ffff7615000-0x00007ffff7625000
[+] Range: step4 Idx: 8 - 0x00007ffff766d000-0x00007ffff766f000
[+] Range: step4 Idx: 9 - 0x00007ffff766f000-0x00007ffff7670000
[+] Range: step4 Idx: 10 - 0x00007ffff7670000-0x00007ffff7672000
[+] Range: step4 Idx: 11 - 0x00007ffff7672000-0x00007ffff7673000
[+] Range: step4 Idx: 12 - 0x00007ffff7673000-0x00007ffff7674000
[+] Range: step4 Idx: 13 - 0x00007ffff7674000-0x00007ffff7675000
[+] Range: step4 Idx: 14 - 0x00007ffff7675000-0x00007ffff7679000
[+] Range: step4 Idx: 15 - 0x00007ffff7679000-0x00007ffff7689000
[+] Range: step4 Idx: 16 - 0x00007ffff7689000-0x00007ffff768c000
[+] Range: step4 Idx: 17 - 0x00007ffff768c000-0x00007ffff768d000
[+] Range: step4 Idx: 18 - 0x00007ffff768d000-0x00007ffff768e000
[+] Range: step4 Idx: 19 - 0x00007ffff768e000-0x00007ffff768f000
[+] Range: step4 Idx: 20 - 0x00007ffff768f000-0x00007ffff7691000
[+] Range: step4 Idx: 21 - 0x00007ffff7691000-0x00007ffff7698000
[+] Range: step4 Idx: 22 - 0x00007ffff7698000-0x00007ffff76a9000
[+] Range: step4 Idx: 23 - 0x00007ffff76a9000-0x00007ffff76ae000
[+] Range: step4 Idx: 24 - 0x00007ffff76ae000-0x00007ffff76af000
[+] Range: step4 Idx: 25 - 0x00007ffff76af000-0x00007ffff76b0000
[+] Range: step4 Idx: 26 - 0x00007ffff76b0000-0x00007ffff76b4000
[+] Range: step4 Idx: 27 - 0x00007ffff76b4000-0x00007ffff76d9000
[+] Range: step4 Idx: 28 - 0x00007ffff76d9000-0x00007ffff76da000
[+] Range: step4 Idx: 29 - 0x00007ffff76da000-0x00007ffff76db000
[+] Range: step4 Idx: 30 - 0x00007ffff76db000-0x00007ffff7851000
[+] Range: step4 Idx: 31 - 0x00007ffff7851000-0x00007ffff789b000
[+] Range: step4 Idx: 32 - 0x00007ffff789b000-0x00007ffff789c000
[+] Range: step4 Idx: 33 - 0x00007ffff789c000-0x00007ffff789f000
[+] Range: step4 Idx: 34 - 0x00007ffff789f000-0x00007ffff78a2000
[+] Range: step4 Idx: 35 - 0x00007ffff78a2000-0x00007ffff78a6000
[+] Range: step4 Idx: 36 - 0x00007ffff78a9000-0x00007ffff78aa000
[+] Range: step4 Idx: 37 - 0x00007ffff78aa000-0x00007ffff78ab000
[+] Range: step4 Idx: 38 - 0x00007ffff78af000-0x00007ffff78bf000
[+] Range: step4 Idx: 39 - 0x00007ffff78bf000-0x00007ffff7942000
[+] Range: step4 Idx: 40 - 0x00007ffff7942000-0x00007ffff7a94000
[+] Range: step4 Idx: 41 - 0x00007ffff7a94000-0x00007ffff7db0000
[+] Range: step4 Idx: 42 - 0x00007ffff7db0000-0x00007ffff7dbc000
[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000
[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000
[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000
[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000
[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000
[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000
[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000
[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000
[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000
[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000
[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000
[+] Range: final Length: 9
[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160
[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000
[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000
[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000
[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000
[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000
[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000
[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000
Looks like a zero to me!
0x00007ffff7dbc000
[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000
[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000
[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000
[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000
[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000
[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000
[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000
[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000
[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000
[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000
[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000
[+] Range: final Length: 9
[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160
[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000
[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000
[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000
[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000
[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000
[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000
[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000
Looks like a zero to me!
0x00007ffff7dbc000
[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000
[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000
[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000
[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000
[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000
[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000
[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000
[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000
[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000
[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000
[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000
[+] Range: final Length: 9
[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160
[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000
[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000
[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000
[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000
[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000
[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000
[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000
Looks like a zero to me!
0x00007ffff7dbc000
[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000
[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000
[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000
[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000
[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000
[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000
[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000
[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000
[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000
[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000
[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000
[+] Range: final Length: 9
[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160
[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000
[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000
[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000
[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000
[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000
[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000
[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000
Looks like a zero to me!
0x00007ffff7dbc000
[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000
[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000
[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000
[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000
[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000
[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000
[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000
[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000
[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000
[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000
[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000
[+] Range: final Length: 9
[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160
[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000
[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000
[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000
[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000
[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000
[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000
[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000
Looks like a zero to me!
0x00007ffff7dbc000
[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000
[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000
[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000
[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000
[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000
[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000
[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000
[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000
[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000
[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000
[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000
[+] Range: final Length: 9
[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160
[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000
[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000
[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000
[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000
[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000
[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000
[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000
Looks like a zero to me!
0x00007ffff7dbc000
[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000
[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000
[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000
[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000
[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000
[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000
[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000
[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000
[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000
[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000
[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000
[+] Range: final Length: 9
[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160
[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000
[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000
[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000
[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000
[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000
[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000
[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000
Looks like a zero to me!
0x00007ffff7dbc000
[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000
[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000
[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000
[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000
[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000
[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000
[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000
[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000
[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000
[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000
[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000
[+] Range: final Length: 9
[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160
[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000
[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000
[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000
[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000
[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000
[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000
[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000
[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000
Looks like a zero to me!

View File

@ -0,0 +1,112 @@
/*
american fuzzy lop++ - a trivial program to test the build
--------------------------------------------------------
Originally written by Michal Zalewski
Copyright 2014 Google Inc. All rights reserved.
Copyright 2019-2020 AFLplusplus Project. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
*/
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __APPLE__
#define TESTINSTR_SECTION
#else
#define TESTINSTR_SECTION __attribute__((section(".testinstr")))
#endif
void testinstr(char *buf, int len) {
if (len < 1) return;
buf[len] = 0;
// we support three input cases
if (buf[0] == '0')
printf("Looks like a zero to me!\n");
else if (buf[0] == '1')
printf("Pretty sure that is a one!\n");
else
printf("Neither one or zero? How quaint!\n");
}
TESTINSTR_SECTION int main(int argc, char **argv) {
char * file;
int fd = -1;
off_t len;
char * buf = NULL;
size_t n_read;
int result = -1;
if (argc != 2) { return 1; }
do {
file = argv[1];
dprintf(STDERR_FILENO, "Running: %s\n", file);
fd = open(file, O_RDONLY);
if (fd < 0) {
perror("open");
break;
}
len = lseek(fd, 0, SEEK_END);
if (len < 0) {
perror("lseek (SEEK_END)");
break;
}
if (lseek(fd, 0, SEEK_SET) != 0) {
perror("lseek (SEEK_SET)");
break;
}
buf = malloc(len);
if (buf == NULL) {
perror("malloc");
break;
}
n_read = read(fd, buf, len);
if (n_read != len) {
perror("read");
break;
}
dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read);
testinstr(buf, len);
dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read);
result = 0;
} while (false);
if (buf != NULL) { free(buf); }
if (fd != -1) { close(fd); }
return result;
}
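Review bot: `buf[len] = 0;` in testinstr() writes one byte past the buffer, because main() allocates exactly `len` bytes with `malloc(len)`; allocate `len + 1` (or drop the terminator, which nothing reads) so the test target is not itself a heap off-by-one that ASan or libdislocator will report as a crash. Separately, `n_read != len` compares a `size_t` with an `off_t` (a failed `read()` still trips it because -1 becomes SIZE_MAX), and `testinstr(buf, len)` then narrows the `off_t` to `int`; declaring `n_read` as `ssize_t` and passing it would make the types consistent.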

View File

@ -0,0 +1,105 @@
PWD:=$(shell pwd)/
ROOT:=$(shell realpath $(PWD)../../..)/
BUILD_DIR:=$(PWD)build/
TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/
TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in
TESTINSTBIN:=$(BUILD_DIR)testinstr
TESTINSTSRC:=$(PWD)testinstr.c
QEMU_OUT:=$(BUILD_DIR)qemu-out
FRIDA_OUT:=$(BUILD_DIR)frida-out
ifndef ARCH
ARCH=$(shell uname -m)
ifeq "$(ARCH)" "aarch64"
ARCH:=arm64
endif
ifeq "$(ARCH)" "i686"
ARCH:=x86
endif
endif
ARCH=$(shell uname -m)
ifeq "$(ARCH)" "aarch64"
AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s main -b 0x0000aaaaaaaaa000)
AFL_FRIDA_PERSISTENT_RET=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s slow -b 0x0000aaaaaaaaa000)
endif
ifeq "$(ARCH)" "x86_64"
AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s main -b 0x0000555555554000)
AFL_FRIDA_PERSISTENT_RET=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s slow -b 0x0000555555554000)
endif
ifeq "$(ARCH)" "x86"
AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s main -b 0x56555000)
AFL_FRIDA_PERSISTENT_RET=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s slow -b 0x56555000)
endif
AFL_FRIDA_PERSISTENT_RETADDR_OFFSET:=0x50
.PHONY: all 32 clean qemu frida
all: $(TESTINSTBIN)
make -C $(ROOT)frida_mode/
32:
CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
$(BUILD_DIR):
mkdir -p $@
$(TESTINSTR_DATA_DIR): | $(BUILD_DIR)
mkdir -p $@
$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR)
echo -n "000" > $@
$(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR)
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
clean:
rm -rf $(BUILD_DIR)
frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
$(ROOT)afl-fuzz \
-D \
-O \
-i $(TESTINSTR_DATA_DIR) \
-o $(FRIDA_OUT) \
-- \
$(TESTINSTBIN) @@
frida_ret: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET) \
AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET) \
$(ROOT)afl-fuzz \
-D \
-O \
-i $(TESTINSTR_DATA_DIR) \
-o $(FRIDA_OUT) \
-- \
$(TESTINSTBIN) @@
debug: $(TESTINSTR_DATA_FILE)
gdb \
--ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR)' \
--ex 'set environment AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET)' \
--ex 'set environment AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET)' \
--ex 'set environment AFL_FRIDA_PERSISTENT_DEBUG=1' \
--ex 'set environment AFL_DEBUG_CHILD=1' \
--ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
--ex 'set disassembly-flavor intel' \
--args $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
run: $(TESTINSTR_DATA_FILE)
AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET) \
AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET) \
AFL_DEBUG_CHILD=1 \
LD_PRELOAD=$(ROOT)afl-frida-trace.so \
$(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
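Review bot: the unconditional `ARCH=$(shell uname -m)` directly after the `ifndef ARCH` block discards both the `aarch64`->`arm64` / `i686`->`x86` mapping above it and the `ARCH="x86"` that the `32` target passes in, so a 32-bit build on an x86_64 host computes AFL_FRIDA_PERSISTENT_ADDR against the x86_64 base 0x0000555555554000 instead of 0x56555000; delete that line. Because the block above renames `aarch64` to `arm64`, the later `ifeq "$(ARCH)" "aarch64"` can never match on arm64 hosts either, so settle on one spelling. Minor: `.PHONY` lists `qemu`, which has no rule here, but not `frida_ret`, `debug` or `run`.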

View File

@ -0,0 +1,22 @@
all:
@echo trying to use GNU make...
@gmake all || echo please install GNUmake
32:
@echo trying to use GNU make...
@gmake 32 || echo please install GNUmake
clean:
@gmake clean
frida:
@gmake frida
frida_ret:
@gmake frida_ret
debug:
@gmake debug
run:
@gmake run
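Review bot: `@gmake all || echo please install GNUmake` turns every failure of the real build into a successful exit, not only a missing gmake, so a broken build run through this wrapper looks green to a CI job; test for gmake first (for example `command -v gmake`) and otherwise let gmake's own exit status propagate. The `32` target has the same problem.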

View File

@ -0,0 +1,36 @@
#!/usr/bin/python3
import argparse
from elftools.elf.elffile import ELFFile
def process_file(file, symbol, base):
with open(file, 'rb') as f:
elf = ELFFile(f)
symtab = elf.get_section_by_name('.symtab')
mains = symtab.get_symbol_by_name(symbol)
if len(mains) != 1:
print ("Failed to find main")
return 1
main_addr = mains[0]['st_value']
main = base + main_addr
print ("0x%016x" % main)
return 0
def hex_value(x):
return int(x, 16)
def main():
parser = argparse.ArgumentParser(description='Process some integers.')
parser.add_argument('-f', '--file', dest='file', type=str,
help='elf file name', required=True)
parser.add_argument('-s', '--symbol', dest='symbol', type=str,
help='symbol name', required=True)
parser.add_argument('-b', '--base', dest='base', type=hex_value,
help='elf base address', required=True)
args = parser.parse_args()
return process_file (args.file, args.symbol, args.base)
if __name__ == "__main__":
ret = main()
exit(ret)
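Review bot: `symtab = elf.get_section_by_name('.symtab')` returns None for a stripped binary, so `symtab.get_symbol_by_name(symbol)` raises an AttributeError instead of reaching the error path; check for None and report it. The message `Failed to find main` is wrong for any other `-s` value and, like the address, is printed to stdout, which the GNUmakefile captures with `$(shell ...)` into AFL_FRIDA_PERSISTENT_ADDR, so a failure produces a bogus value rather than an empty one; send diagnostics to stderr. Also `exit(ret)` should be `sys.exit(ret)` (the bare `exit` is the site-module helper), and the argparse description `Process some integers.` is template text.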

View File

@ -0,0 +1,120 @@
/*
american fuzzy lop++ - a trivial program to test the build
--------------------------------------------------------
Originally written by Michal Zalewski
Copyright 2014 Google Inc. All rights reserved.
Copyright 2019-2020 AFLplusplus Project. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
*/
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __APPLE__
#define TESTINSTR_SECTION
#else
#define TESTINSTR_SECTION __attribute__((section(".testinstr")))
#endif
void testinstr(char *buf, int len) {
if (len < 1) return;
buf[len] = 0;
// we support three input cases
if (buf[0] == '0')
printf("Looks like a zero to me!\n");
else if (buf[0] == '1')
printf("Pretty sure that is a one!\n");
else
printf("Neither one or zero? How quaint!\n");
}
void slow() {
usleep(100000);
}
TESTINSTR_SECTION int main(int argc, char **argv) {
char * file;
int fd = -1;
off_t len;
char * buf = NULL;
size_t n_read;
int result = -1;
if (argc != 2) { return 1; }
do {
file = argv[1];
dprintf(STDERR_FILENO, "Running: %s\n", file);
fd = open(file, O_RDONLY);
if (fd < 0) {
perror("open");
break;
}
len = lseek(fd, 0, SEEK_END);
if (len < 0) {
perror("lseek (SEEK_END)");
break;
}
if (lseek(fd, 0, SEEK_SET) != 0) {
perror("lseek (SEEK_SET)");
break;
}
buf = malloc(len);
if (buf == NULL) {
perror("malloc");
break;
}
n_read = read(fd, buf, len);
if (n_read != len) {
perror("read");
break;
}
dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read);
testinstr(buf, len);
dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read);
slow();
result = 0;
} while (false);
if (buf != NULL) { free(buf); }
if (fd != -1) { close(fd); }
return result;
}
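Review bot: same off-by-one as the other testinstr.c: `buf[len] = 0;` writes past the `malloc(len)` buffer, so use `malloc(len + 1)`. In this copy `void slow()` should be `void slow(void)` so it is a prototype rather than an old-style declaration, and since `slow` is the symbol the GNUmakefile resolves for AFL_FRIDA_PERSISTENT_RET, a one-line comment saying that this function only exists as the persistent-mode return point would save the next reader a trip through the build files.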

View File

@ -0,0 +1,170 @@
PWD:=$(shell pwd)/
ROOT:=$(shell realpath $(PWD)../../..)/
BUILD_DIR:=$(PWD)build/
AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c
AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so
LIBRE2_BUILD_DIR:=$(BUILD_DIR)libre2/
HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/
RE2TEST_BUILD_DIR:=$(BUILD_DIR)re2test/
LIBRE2_URL:=https://github.com/google/re2.git
LIBRE2_DIR:=$(LIBRE2_BUILD_DIR)libre2/
LIBRE2_MAKEFILE:=$(LIBRE2_DIR)Makefile
LIBRE2_LIB:=$(LIBRE2_DIR)obj/libre2.a
HARNESS_FILE:=$(HARNESS_BUILD_DIR)StandaloneFuzzTargetMain.c
HARNESS_OBJ:=$(HARNESS_BUILD_DIR)StandaloneFuzzTargetMain.o
HARNESS_URL:="https://raw.githubusercontent.com/llvm/llvm-project/main/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c"
RE2TEST_FILE:=$(RE2TEST_BUILD_DIR)target.cc
RE2TEST_OBJ:=$(RE2TEST_BUILD_DIR)target.o
RE2TEST_URL:="https://raw.githubusercontent.com/google/fuzzbench/master/benchmarks/re2-2014-12-09/target.cc"
LDFLAGS += -lpthread
TEST_BIN:=$(BUILD_DIR)test
ifeq "$(shell uname)" "Darwin"
TEST_BIN_LDFLAGS:=-undefined dynamic_lookup
endif
TEST_DATA_DIR:=$(BUILD_DIR)in/
AFLPP_DRIVER_DUMMY_INPUT:=$(TEST_DATA_DIR)in
QEMU_OUT:=$(BUILD_DIR)qemu-out
FRIDA_OUT:=$(BUILD_DIR)frida-out
ifndef ARCH
ARCH=$(shell uname -m)
ifeq "$(ARCH)" "aarch64"
ARCH:=arm64
endif
ifeq "$(ARCH)" "i686"
ARCH:=x86
endif
endif
AFL_QEMU_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x4000000000)
ifeq "$(ARCH)" "aarch64"
AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000aaaaaaaaa000)
endif
ifeq "$(ARCH)" "x86_64"
AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000555555554000)
endif
ifeq "$(ARCH)" "x86"
AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x56555000)
endif
.PHONY: all clean qemu frida hook
all: $(TEST_BIN)
make -C $(ROOT)frida_mode/
32:
CXXFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
$(BUILD_DIR):
mkdir -p $@
######### HARNESS ########
$(HARNESS_BUILD_DIR): | $(BUILD_DIR)
mkdir -p $@
$(HARNESS_FILE): | $(HARNESS_BUILD_DIR)
wget -O $@ $(HARNESS_URL)
$(HARNESS_OBJ): $(HARNESS_FILE)
$(CC) $(CXXFLAGS) $(LDFLAGS) -o $@ -c $<
######### RE2TEST ########
$(RE2TEST_BUILD_DIR): | $(BUILD_DIR)
mkdir -p $@
$(RE2TEST_FILE): | $(RE2TEST_BUILD_DIR)
wget -O $@ $(RE2TEST_URL)
$(RE2TEST_OBJ): $(RE2TEST_FILE) | $(LIBRE2_MAKEFILE)
$(CXX) $(CXXFLAGS) $(LDFLAGS) -std=c++11 -I $(LIBRE2_DIR) -o $@ -c $<
######### LIBRE2 ########
$(LIBRE2_BUILD_DIR): | $(BUILD_DIR)
mkdir -p $@
$(LIBRE2_MAKEFILE): $(LIBRE2_BUILD_DIR)
git clone https://github.com/google/re2.git $(LIBRE2_DIR)
cd $(LIBRE2_DIR) && git checkout 499ef7eff7455ce9c9fae86111d4a77b6ac335de
$(LIBRE2_LIB): $(LIBRE2_MAKEFILE)
make -C $(LIBRE2_DIR) -j $(shell nproc)
######### TEST ########
$(TEST_BIN): $(HARNESS_OBJ) $(RE2TEST_OBJ) $(LIBRE2_LIB)
$(CXX) \
$(CFLAGS) \
-o $@ \
$(HARNESS_OBJ) $(RE2TEST_OBJ) $(LIBRE2_LIB) \
-lz \
$(LDFLAGS) \
$(TEST_BIN_LDFLAGS) \
########## HOOK ########
$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR)
$(CC) -shared $(CFLAGS) $(LDFLAGS) $< -o $@
########## DUMMY #######
$(TEST_DATA_DIR): | $(BUILD_DIR)
mkdir -p $@
$(AFLPP_DRIVER_DUMMY_INPUT): | $(TEST_DATA_DIR)
truncate -s 1M $@
###### TEST DATA #######
hook: $(AFLPP_DRIVER_HOOK_OBJ)
clean:
rm -rf $(BUILD_DIR)
qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT)
AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \
AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \
AFL_QEMU_PERSISTENT_GPR=1 \
$(ROOT)afl-fuzz \
-D \
-V 30 \
-Q \
-i $(TEST_DATA_DIR) \
-o $(QEMU_OUT) \
-- \
$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT)
AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \
$(ROOT)afl-fuzz \
-D \
-V 30 \
-O \
-i $(TEST_DATA_DIR) \
-o $(FRIDA_OUT) \
-- \
$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
debug:
gdb \
--ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
--ex 'set disassembly-flavor intel' \
--args $(TEST_BIN) $(TEST_DATA_DIR)basn0g01.re2
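Review bot: the harness and target sources are fetched with `wget` from moving branches (`llvm-project/main` and `fuzzbench/master`) while libre2 is pinned to `499ef7eff7455ce9c9fae86111d4a77b6ac335de`; pin the two raw URLs to a commit as well, otherwise the code that gets compiled changes under you and nothing verifies what was downloaded. In the `$(TEST_BIN)` recipe the final line `$(TEST_BIN_LDFLAGS) \` ends in a continuation backslash, so the `########## HOOK ########` comment line is passed to the shell as part of the link command (harmless only because `#` starts a shell comment); drop the trailing backslash. `$(LIBRE2_MAKEFILE): $(LIBRE2_BUILD_DIR)` uses a normal prerequisite where every other directory dependency is order-only (`| $(BUILD_DIR)`), so a touched build directory re-runs `git clone` into an existing checkout; and `debug:` references `$(TEST_DATA_DIR)basn0g01.re2`, which nothing in this file creates.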

View File

@ -0,0 +1,22 @@
all:
@echo trying to use GNU make...
@gmake all || echo please install GNUmake
32:
@echo trying to use GNU make...
@gmake 32 || echo please install GNUmake
clean:
@gmake clean
qemu:
@gmake qemu
frida:
@gmake frida
debug:
@gmake debug
hook:
@gmake hook
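Review bot: same masking as in the other wrapper: `@gmake all || echo please install GNUmake` and the `32` target exit 0 when the build itself fails, not just when gmake is missing.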

View File

@ -0,0 +1,97 @@
#include <stdint.h>
#include <string.h>
#if defined(__x86_64__)
struct x86_64_regs {
uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14,
r15;
union {
uint64_t rip;
uint64_t pc;
};
union {
uint64_t rsp;
uint64_t sp;
};
union {
uint64_t rflags;
uint64_t flags;
};
uint8_t zmm_regs[32][64];
};
void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
uint8_t *input_buf, uint32_t input_buf_len) {
memcpy((void *)regs->rdi, input_buf, input_buf_len);
regs->rsi = input_buf_len;
}
#elif defined(__i386__)
struct x86_regs {
uint32_t eax, ebx, ecx, edx, edi, esi, ebp;
union {
uint32_t eip;
uint32_t pc;
};
union {
uint32_t esp;
uint32_t sp;
};
union {
uint32_t eflags;
uint32_t flags;
};
uint8_t xmm_regs[8][16];
};
void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base,
uint8_t *input_buf, uint32_t input_buf_len) {
void **esp = (void **)regs->esp;
void * arg1 = esp[1];
void **arg2 = &esp[2];
memcpy(arg1, input_buf, input_buf_len);
*arg2 = (void *)input_buf_len;
}
#else
#pragma error "Unsupported architecture"
#endif
int afl_persistent_hook_init(void) {
// 1 for shared memory input (faster), 0 for normal input (you have to use
// read(), input_buf will be NULL)
return 1;
}
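Review bot: `#pragma error "Unsupported architecture"` is not a diagnostic on GCC or Clang (it is an unknown pragma, at most a warning), so on any other architecture this file compiles into a .so without afl_persistent_hook and the problem only appears when the hook is loaded; use `#error`. In both hooks the `memcpy` into the target's buffer is bounded only by `input_buf_len`, with no check against the size of the buffer the harness allocated (the GNUmakefile creates the dummy input with `truncate -s 1M`); state that invariant in a comment next to the copy, since the hook is the one place where the fuzzer writes into target memory. The x86 variant also reads `arg1`/`arg2` from `esp[1]`/`esp[2]`, which is only correct when the persistent address is exactly the function entry (return address at `esp[0]`); that assumption belongs in a comment beside `AFL_QEMU_PERSISTENT_ADDR` as well.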

View File

@ -0,0 +1,36 @@
#!/usr/bin/python3
import argparse
from elftools.elf.elffile import ELFFile
def process_file(file, symbol, base):
with open(file, 'rb') as f:
elf = ELFFile(f)
symtab = elf.get_section_by_name('.symtab')
mains = symtab.get_symbol_by_name(symbol)
if len(mains) != 1:
print ("Failed to find main")
return 1
main_addr = mains[0]['st_value']
main = base + main_addr
print ("0x%016x" % main)
return 0
def hex_value(x):
return int(x, 16)
def main():
parser = argparse.ArgumentParser(description='Process some integers.')
parser.add_argument('-f', '--file', dest='file', type=str,
help='elf file name', required=True)
parser.add_argument('-s', '--symbol', dest='symbol', type=str,
help='symbol name', required=True)
parser.add_argument('-b', '--base', dest='base', type=hex_value,
help='elf base address', required=True)
args = parser.parse_args()
return process_file (args.file, args.symbol, args.base)
if __name__ == "__main__":
ret = main()
exit(ret)
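Review bot: this file is byte-for-byte identical to the get_symbol_addr.py in the other test directory, including the `Failed to find main` message and the `Process some integers.` description, so every fix has to be made twice; keep one shared copy one directory level up and point both GNUmakefiles at it.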

View File

@ -385,10 +385,10 @@ typedef struct afl_env_vars {
afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one,
afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
afl_exit_on_seed_issues;
afl_exit_on_seed_issues, afl_try_affinity;
u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
*afl_hang_tmout, *afl_forksrv_init_tmout, *afl_skip_crashes, *afl_preload,
*afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,
*afl_max_det_extras, *afl_statsd_host, *afl_statsd_port,
*afl_crash_exitcode, *afl_statsd_tags_flavor, *afl_testcache_size,
*afl_testcache_entries, *afl_kill_signal, *afl_target_env,
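Review bot: `*afl_skip_crashes` is dropped from `afl_env_vars`, but nothing tells users that AFL_SKIP_CRASHES is obsolete: the afl-fuzz.c hunk only comments out its help line and the afl-fuzz-state.c hunk keeps an empty `AFL_SKIP_CRASHES` branch, so the variable is now accepted and silently ignored. Add a changelog entry and a warning in the environment parser so scripts that still set it learn that the behaviour changed.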

View File

@ -154,7 +154,7 @@
cases that show variable behavior): */
#define CAL_CYCLES 8U
#define CAL_CYCLES_LONG 40U
#define CAL_CYCLES_LONG 20U
/* Number of subsequent timeouts before abandoning an input file: */
@ -163,7 +163,7 @@
/* Maximum number of unique hangs or crashes to record: */
#define KEEP_UNIQUE_HANG 500U
#define KEEP_UNIQUE_CRASH 5000U
#define KEEP_UNIQUE_CRASH 10000U
/* Baseline number of random tweaks during a single 'havoc' stage: */
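Review bot: halving CAL_CYCLES_LONG from 40U to 20U changes how much evidence a case that shows variable behavior gets before its stability is judged (see the comment directly above the define), and doubling KEEP_UNIQUE_CRASH to 10000U changes disk usage on crash-heavy targets; both deserve a changelog line, and the CAL_CYCLES_LONG comment should say why 20 is considered enough.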

View File

@ -55,14 +55,22 @@ static char *afl_environment_variables[] = {
"AFL_FORCE_UI",
"AFL_FRIDA_DEBUG_MAPS",
"AFL_FRIDA_EXCLUDE_RANGES",
"AFL_FRIDA_INST_DEBUG_FILE",
"AFL_FRIDA_INST_NO_OPTIMIZE",
"AFL_FRIDA_INST_NO_PREFETCH",
"AFL_FRIDA_INST_RANGES",
"AFL_FRIDA_INST_STRICT",
"AFL_FRIDA_INST_TRACE",
"AFL_FRIDA_OUTPUT_STDOUT",
"AFL_FRIDA_OUTPUT_STDERR",
"AFL_FRIDA_PERSISTENT_ADDR",
"AFL_FRIDA_PERSISTENT_CNT",
"AFL_FRIDA_PERSISTENT_DEBUG",
"AFL_FRIDA_PERSISTENT_HOOK",
"AFL_FRIDA_PERSISTENT_RET",
"AFL_FRIDA_PERSISTENT_RETADDR_OFFSET",
"AFL_FRIDA_STATS_FILE",
"AFL_FRIDA_STATS_INTERVAL",
"AFL_FRIDA_STATS_TRANSITIONS",
"AFL_FUZZER_ARGS", // oss-fuzz
"AFL_GDB",
"AFL_GCC_ALLOWLIST",
@ -120,6 +128,7 @@ static char *afl_environment_variables[] = {
"AFL_LLVM_INSTRUMENT_FILE",
"AFL_LLVM_SKIP_NEVERZERO",
"AFL_NO_AFFINITY",
"AFL_TRY_AFFINITY",
"AFL_LLVM_LTO_STARTID",
"AFL_LLVM_LTO_DONTWRITEID",
"AFL_NO_ARITH",
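Review bot: `"AFL_TRY_AFFINITY"` is inserted between `AFL_NO_AFFINITY` and `AFL_LLVM_LTO_STARTID`, and `AFL_FRIDA_OUTPUT_STDOUT` comes before `AFL_FRIDA_OUTPUT_STDERR`; the rest of the new AFL_FRIDA_* block is alphabetical, so keeping the order consistent makes duplicates and missing entries easy to spot. Since AFL_SKIP_CRASHES is removed from the state struct elsewhere in this commit, check whether its entry in this list (not shown in the hunk) should go too, or stay with a comment that it is obsolete.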

View File

@ -110,22 +110,23 @@ takes priority over any included ranges or AFL_INST_LIBS.
CompareCoverage is a sub-instrumentation with effects similar to laf-intel.
The environment variable that enables QEMU CompareCoverage is AFL_COMPCOV_LEVEL.
There is also ./libcompcov/ which implements CompareCoverage for *cmp functions
(splitting memcmp, strncmp, etc. to make these conditions easier solvable by
afl-fuzz).
You have to set `AFL_PRELOAD=/path/to/libcompcov.so` together with
setting the AFL_COMPCOV_LEVEL you want to enable it.
AFL_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate
values / read-only memory. AFL_COMPCOV_LEVEL=2 instruments all
comparison instructions and memory comparison functions when libcompcov
is preloaded.
AFL_COMPCOV_LEVEL=3 has the same effects of AFL_COMPCOV_LEVEL=2 but enables also
the instrumentation of the floating-point comparisons on x86 and x86_64 (experimental).
values / read-only memory.
AFL_COMPCOV_LEVEL=2 instruments all comparison instructions and memory
comparison functions when libcompcov is preloaded.
AFL_COMPCOV_LEVEL=3 has the same effects of AFL_COMPCOV_LEVEL=2 but enables
also the instrumentation of the floating-point comparisons on x86 and x86_64
(experimental).
Integer comparison instructions are currently instrumented only
on the x86, x86_64, arm and aarch64 targets.
Highly recommended.
Recommended, but not as good as CMPLOG mode (see below).
## 8) CMPLOG mode
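Review bot: wording in the rewritten CompareCoverage paragraph: `has the same effects of AFL_COMPCOV_LEVEL=2` should be `has the same effect as`, and the context line `easier solvable by afl-fuzz` reads better as `easier for afl-fuzz to solve`. The replacement of `Highly recommended.` with `Recommended, but not as good as CMPLOG mode (see below).` would be more useful with one clause on when CompareCoverage is still the right choice, so readers know why the section is kept.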

View File

@ -1224,6 +1224,14 @@ int main(int argc, char **argv, char **envp) {
if (strncmp(argv[i], "--afl", 5) == 0) {
if (!strcmp(argv[i], "--afl_noopt") || !strcmp(argv[i], "--afl-noopt")) {
passthrough = 1;
argv[i] = "-g"; // we have to overwrite it, -g is always good
continue;
}
if (compiler_mode)
WARNF(
"--afl-... compiler mode supersedes the AFL_CC_COMPILER and "
@ -1821,6 +1829,12 @@ int main(int argc, char **argv, char **envp) {
"If anything fails - be sure to read README.lto.md!\n");
#endif
SAYF(
"\nYou can supply --afl-noopt to not instrument, like AFL_NOOPT. "
"(this is helpful\n"
"in some build systems if you do not want to instrument "
"everything.\n");
}
SAYF(
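Review bot: `argv[i] = "-g"; // we have to overwrite it, -g is always good` silently adds debug info to a build that only asked for no instrumentation; if a placeholder argument is needed because the slot cannot be removed, say in the comment that it changes the output (debug info affects binary size and reproducible builds) or reuse an option already on the command line. The help text `(this is helpful\n in some build systems if you do not want to instrument everything.\n` never closes its parenthesis, and `--afl_noopt` is accepted alongside `--afl-noopt` without being documented.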

View File

@ -113,7 +113,7 @@ void bind_to_free_cpu(afl_state_t *afl) {
u8 lockfile[PATH_MAX] = "";
s32 i;
if (afl->afl_env.afl_no_affinity) {
if (afl->afl_env.afl_no_affinity && !afl->afl_env.afl_try_affinity) {
if (afl->cpu_to_bind != -1) {
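Review bot: `afl->afl_env.afl_no_affinity && !afl->afl_env.afl_try_affinity` makes AFL_TRY_AFFINITY override AFL_NO_AFFINITY when both are set; that precedence is stated in neither variable's help line, so document it there, or warn when both are set.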
@ -130,10 +130,21 @@ void bind_to_free_cpu(afl_state_t *afl) {
if (!bind_cpu(afl, afl->cpu_to_bind)) {
FATAL(
"Could not bind to requested CPU %d! Make sure you passed a valid "
"-b.",
afl->cpu_to_bind);
if (afl->afl_env.afl_try_affinity) {
WARNF(
"Could not bind to requested CPU %d! Make sure you passed a valid "
"-b.",
afl->cpu_to_bind);
} else {
FATAL(
"Could not bind to requested CPU %d! Make sure you passed a valid "
"-b.",
afl->cpu_to_bind);
}
}
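Review bot: the WARNF and FATAL branches repeat the same three-line format string `"Could not bind to requested CPU %d! Make sure you passed a valid -b."`; put the message in one `const char *` (or a macro) used by both calls so the two copies cannot drift apart when the text is edited.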
@ -420,11 +431,14 @@ void bind_to_free_cpu(afl_state_t *afl) {
"Uh-oh, looks like all %d CPU cores on your system are allocated to\n"
" other instances of afl-fuzz (or similar CPU-locked tasks). "
"Starting\n"
" another fuzzer on this machine is probably a bad plan, but if "
"you are\n"
" absolutely sure, you can set AFL_NO_AFFINITY and try again.\n",
afl->cpu_core_count);
FATAL("No more free CPU cores");
" another fuzzer on this machine is probably a bad plan.\n"
"%s",
afl->cpu_core_count,
afl->afl_env.afl_try_affinity ? ""
: " If you are sure, you can set "
"AFL_NO_AFFINITY and try again.\n");
if (!afl->afl_env.afl_try_affinity) { FATAL("No more free CPU cores"); }
}
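Review bot: with AFL_TRY_AFFINITY set, the all-cores-allocated path now prints the message and falls through instead of `FATAL("No more free CPU cores")`; nothing in this hunk shows what the function does next in that case, so confirm the caller continues cleanly without a binding, and tell the user so in the message (for example `continuing without CPU binding`), since the text otherwise still reads as a warning about starting another fuzzer.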
@ -823,7 +837,6 @@ void perform_dry_run(afl_state_t *afl) {
struct queue_entry *q;
u32 cal_failures = 0, idx;
u8 * skip_crashes = afl->afl_env.afl_skip_crashes;
u8 * use_mem;
for (idx = 0; idx < afl->queued_paths; idx++) {
@ -923,27 +936,6 @@ void perform_dry_run(afl_state_t *afl) {
if (afl->crash_mode) { break; }
if (skip_crashes) {
if (afl->fsrv.uses_crash_exitcode) {
WARNF(
"Test case results in a crash or AFL_CRASH_EXITCODE %d "
"(skipping)",
(int)(s8)afl->fsrv.crash_exitcode);
} else {
WARNF("Test case results in a crash (skipping)");
}
q->cal_failed = CAL_CHANCES;
++cal_failures;
break;
}
if (afl->fsrv.mem_limit) {
u8 val_buf[STRINGIFY_VAL_SIZE_MAX];
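Review bot: removing the `if (skip_crashes)` block takes away the path that counted a crashing seed as a calibration failure (`q->cal_failed = CAL_CHANCES; ++cal_failures; break;`), yet the summary messages later in this file now unconditionally say `time out or crash` / `timeouts or crashes`; the replacement unconditional skip is not in these hunks, so make sure it is part of this commit, otherwise a crashing seed that is not in crash mode falls through to the `mem_limit` handling below.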
@ -1117,14 +1109,12 @@ void perform_dry_run(afl_state_t *afl) {
if (cal_failures == afl->queued_paths) {
FATAL("All test cases time out%s, giving up!",
skip_crashes ? " or crash" : "");
FATAL("All test cases time out or crash, giving up!");
}
WARNF("Skipped %u test cases (%0.02f%%) due to timeouts%s.", cal_failures,
((double)cal_failures) * 100 / afl->queued_paths,
skip_crashes ? " or crashes" : "");
WARNF("Skipped %u test cases (%0.02f%%) due to timeouts or crashes.",
cal_failures, ((double)cal_failures) * 100 / afl->queued_paths);
if (cal_failures * 5 > afl->queued_paths) {

View File

@ -212,7 +212,7 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) {
PyObject_GetAttrString(py_module, "introspection");
py_functions[PY_FUNC_DEINIT] = PyObject_GetAttrString(py_module, "deinit");
if (!py_functions[PY_FUNC_DEINIT])
FATAL("deinit function not found in python module");
WARNF("deinit function not found in python module");
for (py_idx = 0; py_idx < PY_FUNC_COUNT; ++py_idx) {
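Review bot: downgrading the missing-`deinit` case from FATAL to WARNF leaves `py_functions[PY_FUNC_DEINIT]` NULL, so the loop starting at `for (py_idx = 0; py_idx < PY_FUNC_COUNT; ++py_idx)` and the eventual deinit call must treat NULL as "not provided" rather than invoking it; check those sites (not in this hunk), and phrase the warning as "deinit is optional and not defined" rather than "not found", since it is no longer an error.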

View File

@ -410,7 +410,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
}
var_detected = 1;
afl->stage_max = CAL_CYCLES_LONG;
afl->stage_max = afl->fast_cal ? CAL_CYCLES : CAL_CYCLES_LONG;
} else {
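Review bot: `afl->stage_max = afl->fast_cal ? CAL_CYCLES : CAL_CYCLES_LONG;` means that under fast calibration a case detected as variable gets only the normal CAL_CYCLES pass rather than the longer one, so variability is flagged (`var_detected = 1`) but not measured further; if that trade-off is intended, say so in a comment here, because the surrounding code reads as if the longer calibration always follows.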

View File

@ -202,12 +202,18 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
afl->afl_env.afl_no_affinity =
get_afl_env(afl_environment_variables[i]) ? 1 : 0;
} else if (!strncmp(env, "AFL_TRY_AFFINITY",
afl_environment_variable_len)) {
afl->afl_env.afl_try_affinity =
get_afl_env(afl_environment_variables[i]) ? 1 : 0;
} else if (!strncmp(env, "AFL_SKIP_CRASHES",
afl_environment_variable_len)) {
afl->afl_env.afl_skip_crashes =
(u8 *)get_afl_env(afl_environment_variables[i]);
// we should mark this obsolete in a few versions
} else if (!strncmp(env, "AFL_HANG_TMOUT",
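Review bot: the `AFL_SKIP_CRASHES` branch now consists of the comment `// we should mark this obsolete in a few versions` and nothing else, so the variable is recognised and silently ignored; emit a WARNF here saying that AFL_SKIP_CRASHES is obsolete and what afl-fuzz does with crashing seeds now, so users whose scripts still set it notice the change.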

View File

@ -35,6 +35,10 @@
#include <sys/shm.h>
#endif
#ifdef __APPLE__
#include <sys/qos.h>
#endif
#ifdef PROFILING
extern u64 time_spent_working;
#endif
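Review bot: `#include <sys/qos.h>` under `__APPLE__` has no user in the hunks of this file; if it supports a later QoS call, add it together with that code, otherwise drop it so the include list does not accumulate unused headers.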
@ -220,6 +224,7 @@ static void usage(u8 *argv0, int more_help) {
" then they are randomly selected instead all of them being\n"
" used. Defaults to 200.\n"
"AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing\n"
"AFL_TRY_AFFINITY: try to bind to an unused core, but don't fail if unsuccessful\n"
"AFL_NO_ARITH: skip arithmetic mutations in deterministic stage\n"
"AFL_NO_AUTODICT: do not load an offered auto dictionary compiled into a target\n"
"AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n"
@ -240,7 +245,7 @@ static void usage(u8 *argv0, int more_help) {
"AFL_SHUFFLE_QUEUE: reorder the input queue randomly on startup\n"
"AFL_SKIP_BIN_CHECK: skip afl compatibility checks, also disables auto map size\n"
"AFL_SKIP_CPUFREQ: do not warn about variable cpu clocking\n"
"AFL_SKIP_CRASHES: during initial dry run do not terminate for crashing inputs\n"
//"AFL_SKIP_CRASHES: during initial dry run do not terminate for crashing inputs\n"
"AFL_STATSD: enables StatsD metrics collection\n"
"AFL_STATSD_HOST: change default statsd host (default 127.0.0.1)\n"
"AFL_STATSD_PORT: change default statsd port (default: 8125)\n"
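Review bot: commenting out the `AFL_SKIP_CRASHES` help line leaves dead text in the usage table; either delete it or replace it with a line stating that the variable is obsolete and what the default behaviour for crashing seeds now is, which is exactly what a user searching the help for it needs to read.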
@ -2296,26 +2301,9 @@ stop_fuzzing:
afl_fsrv_deinit(&afl->fsrv);
/* remove tmpfile */
if (afl->tmp_dir != NULL && !afl->in_place_resume) {
if (afl->tmp_dir != NULL && !afl->in_place_resume && afl->fsrv.out_file) {
char tmpfile[PATH_MAX];
if (afl->file_extension) {
snprintf(tmpfile, PATH_MAX, "%s/.cur_input.%s", afl->tmp_dir,
afl->file_extension);
} else {
snprintf(tmpfile, PATH_MAX, "%s/.cur_input", afl->tmp_dir);
}
if (unlink(tmpfile) != 0) {
FATAL("Could not unlink current input file: %s.", tmpfile);
}
(void)unlink(afl->fsrv.out_file);
}
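Review bot: the cleanup now unlinks `afl->fsrv.out_file` and discards the result (`(void)unlink(afl->fsrv.out_file)`) where it previously rebuilt the `.cur_input[.ext]` path and FATALed on failure; ignoring the error at shutdown is fine, but the added `&& afl->fsrv.out_file` condition means nothing is removed when out_file is NULL, so confirm that targets reading from stdin also have out_file set under AFL_TMPDIR, or the temporary file is only removed for `@@`/`-f` targets.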

View File

@ -235,6 +235,9 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) {
if (cmin_mode &&
(fsrv->last_run_timed_out || (!caa && child_crashed != cco))) {
// create empty file to prevent error messages in afl-cmin
fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
close(fd);
return ret;
}
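Review bot: `fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); close(fd);` passes an unchecked descriptor to close(); with `O_EXCL` the open fails whenever the file already exists (a re-run over the same output directory), and any other failure is silent too. Check `fd >= 0` before closing, and reconsider O_EXCL given that the stated intent is only to `create empty file to prevent error messages in afl-cmin`.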

View File

@ -13,6 +13,12 @@ If this is the clang compile command to build for libfuzzer:
then just switch `clang++` with `afl-clang-fast++` and our compiler will
magically insert libAFLDriver.a :)
To use shared-memory testcases, you need nothing to do.
To use stdin testcases give `-` as the only command line parameter.
To use file input testcases give `@@` as the only command line parameter.
IMPORTANT: if you use `afl-cmin` or `afl-cmin.bash` then either pass `-`
or `@@` as command line parameters.
## aflpp_qemu_driver
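Review bot: `To use shared-memory testcases, you need nothing to do.` should read `you need to do nothing` (or `no change is needed`). The `IMPORTANT:` sentence says to pass either `-` or `@@` but not what each means; since the driver treats a single `-` as stdin and a single `@@` as the file argument that afl-fuzz substitutes, say that here rather than leaving readers to infer it from the two preceding lines.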

View File

@ -174,11 +174,17 @@ size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize) {
static int ExecuteFilesOnyByOne(int argc, char **argv) {
unsigned char *buf = (unsigned char *)malloc(MAX_FILE);
for (int i = 1; i < argc; i++) {
int fd = open(argv[i], O_RDONLY);
if (fd == -1) continue;
int fd = 0;
if (strcmp(argv[i], "-") != 0) { fd = open(argv[i], O_RDONLY); }
if (fd == -1) { continue; }
ssize_t length = read(fd, buf, MAX_FILE);
if (length > 0) {
printf("Reading %zu bytes from %s\n", length, argv[i]);
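Review bot: with `fd = 0` for `-`, the single `read(fd, buf, MAX_FILE)` can return a short count when stdin is a pipe, which is how afl-cmin delivers input, so the target sees a truncated test case; loop until read() returns 0 or the buffer is full. The `malloc(MAX_FILE)` at the top of the function is also unchecked, and while touching this function the name `ExecuteFilesOnyByOne` could be corrected to `ExecuteFilesOneByOne`.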
@ -187,7 +193,7 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) {
}
close(fd);
if (fd > 0) { close(fd); }
}
@ -199,15 +205,19 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) {
int main(int argc, char **argv) {
printf(
"======================= INFO =========================\n"
"============================== INFO ================================\n"
"This binary is built for afl++.\n"
"To use with afl-cmin or afl-cmin.bash pass '-' as single command line "
"option\n"
"To run the target function on individual input(s) execute this:\n"
" %s INPUT_FILE1 [INPUT_FILE2 ... ]\n"
"To fuzz with afl-fuzz execute this:\n"
" afl-fuzz [afl-flags] -- %s [-N]\n"
"afl-fuzz will run N iterations before re-spawning the process (default: "
"INT_MAX)\n"
"======================================================\n",
"For stdin input processing, pass '-' as single command line option.\n"
"For file input processing, pass '@@' as single command line option.\n"
"===================================================================\n",
argv[0], argv[0]);
if (getenv("AFL_GDB")) {
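Review bot: the widened INFO banner now explains `-` and `@@`, but the line `afl-fuzz [afl-flags] -- %s [-N]` still presents `-N` as the only extra argument; mention `@@` there as well, since that is the file-input form under afl-fuzz that the two new lines describe.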
@ -237,22 +247,35 @@ int main(int argc, char **argv) {
memcpy(dummy_input, (void *)AFL_PERSISTENT, sizeof(AFL_PERSISTENT));
memcpy(dummy_input + 32, (void *)AFL_DEFER_FORKSVR,
sizeof(AFL_DEFER_FORKSVR));
int N = INT_MAX;
if (argc == 2 && argv[1][0] == '-')
N = atoi(argv[1] + 1);
else if (argc == 2 && (N = atoi(argv[1])) > 0)
printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N);
else if (argc > 1) {
if (argc == 2 && !strcmp(argv[1], "-")) {
__afl_sharedmem_fuzzing = 0;
__afl_manual_init();
return ExecuteFilesOnyByOne(argc, argv);
} else if (argc == 2 && argv[1][0] == '-') {
N = atoi(argv[1] + 1);
} else if (argc == 2 && (N = atoi(argv[1])) > 0) {
printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N);
} else if (argc > 1) {
__afl_sharedmem_fuzzing = 0;
if (argc == 2) { __afl_manual_init(); }
return ExecuteFilesOnyByOne(argc, argv);
}
assert(N > 0);
// if (!getenv("AFL_DRIVER_DONT_DEFER"))
__afl_manual_init();
// Call LLVMFuzzerTestOneInput here so that coverage caused by initialization
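Review bot: the branch order is load-bearing and deserves a comment: `argc == 2 && !strcmp(argv[1], "-")` must stay ahead of `argv[1][0] == '-'`, otherwise `-` is parsed as `N = atoi("")`, that is 0. Any other malformed `-xyz` still reaches `assert(N > 0)`, which aborts with SIGABRT (under afl-fuzz indistinguishable from a target crash) instead of printing usage; replace the assert with an explicit usage message and a clean exit. Also state why `__afl_manual_init()` is called only when `argc == 2`: that is the afl-fuzz `@@` case, while multi-file invocations deliberately run without the forkserver.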
@ -271,6 +294,7 @@ int main(int argc, char **argv) {
fprintf(stderr, "%02x", __afl_fuzz_ptr[i]);
fprintf(stderr, "\n");
#endif
if (*__afl_fuzz_len) {
num_runs++;
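Review bot: the new `if (*__afl_fuzz_len)` guard skips the iteration for an empty test case, so `LLVMFuzzerTestOneInput` is never invoked with Size == 0 under afl-fuzz; libFuzzer-style targets are expected to handle a zero-length input and it is a useful edge case, so either document why it is skipped here or let it through.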