integrate frida_mode, code-format

This commit is contained in:
vanhauser-thc
2021-03-25 20:10:09 +01:00
parent 00a53a870d
commit c169cb3911
14 changed files with 60 additions and 38 deletions


@ -593,6 +593,7 @@ distrib: all
$(MAKE) -C utils/afl_network_proxy $(MAKE) -C utils/afl_network_proxy
$(MAKE) -C utils/socket_fuzzing $(MAKE) -C utils/socket_fuzzing
$(MAKE) -C utils/argv_fuzzing $(MAKE) -C utils/argv_fuzzing
-$(MAKE) -C frida_mode
-cd qemu_mode && sh ./build_qemu_support.sh -cd qemu_mode && sh ./build_qemu_support.sh
-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
@ -603,6 +604,7 @@ binary-only: test_shm test_python ready $(PROGS)
$(MAKE) -C utils/afl_network_proxy $(MAKE) -C utils/afl_network_proxy
$(MAKE) -C utils/socket_fuzzing $(MAKE) -C utils/socket_fuzzing
$(MAKE) -C utils/argv_fuzzing $(MAKE) -C utils/argv_fuzzing
-$(MAKE) -C frida_mode
-cd qemu_mode && sh ./build_qemu_support.sh -cd qemu_mode && sh ./build_qemu_support.sh
-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
@ -648,6 +650,7 @@ install: all $(MANPAGES)
@if [ -f afl-fuzz-document ]; then set -e; install -m 755 afl-fuzz-document $${DESTDIR}$(BIN_PATH); fi @if [ -f afl-fuzz-document ]; then set -e; install -m 755 afl-fuzz-document $${DESTDIR}$(BIN_PATH); fi
@if [ -f socketfuzz32.so -o -f socketfuzz64.so ]; then $(MAKE) -C utils/socket_fuzzing install; fi @if [ -f socketfuzz32.so -o -f socketfuzz64.so ]; then $(MAKE) -C utils/socket_fuzzing install; fi
@if [ -f argvfuzz32.so -o -f argvfuzz64.so ]; then $(MAKE) -C utils/argv_fuzzing install; fi @if [ -f argvfuzz32.so -o -f argvfuzz64.so ]; then $(MAKE) -C utils/argv_fuzzing install; fi
@if [ -f afl-frida-trace.so ]; then install -m 755 afl-frida-trace.so $${DESTDIR}$(HELPER_PATH); fi
@if [ -f utils/afl_network_proxy/afl-network-server ]; then $(MAKE) -C utils/afl_network_proxy install; fi @if [ -f utils/afl_network_proxy/afl-network-server ]; then $(MAKE) -C utils/afl_network_proxy install; fi
@if [ -f utils/aflpp_driver/libAFLDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLDriver.a $${DESTDIR}$(HELPER_PATH); fi @if [ -f utils/aflpp_driver/libAFLDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLDriver.a $${DESTDIR}$(HELPER_PATH); fi
@if [ -f utils/aflpp_driver/libAFLQemuDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLQemuDriver.a $${DESTDIR}$(HELPER_PATH); fi @if [ -f utils/aflpp_driver/libAFLQemuDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLQemuDriver.a $${DESTDIR}$(HELPER_PATH); fi
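Review bot: The new install line `@if [ -f afl-frida-trace.so ]; then install -m 755 afl-frida-trace.so $${DESTDIR}$(HELPER_PATH); fi` tests for the helper in the top-level directory, while the frida_mode GNUmakefile in this same commit builds it as `$(FRIDA_BUILD_DIR)afl-frida-trace.so`, i.e. under `frida_mode/build/frida/`. Unless the frida_mode build copies the file up to the repository root (not visible here), this install step is silently a no-op and the AFL_PATH lookup of the helper that the accompanying afl-common.c change relies on will not find it after `make install`. Either test and install the path the frida_mode build actually produces, or add a comment next to the recipe naming the step that copies it to the root. The line also drops the `set -e;` its sibling install lines use; `@if [ -f afl-frida-trace.so ]; then set -e; install -m 755 afl-frida-trace.so $${DESTDIR}$(HELPER_PATH); fi` keeps the recipe uniform.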


@ -9,6 +9,8 @@ Want to stay in the loop on major new features? Join our mailing list by
sending a mail to <afl-users+subscribe@googlegroups.com>. sending a mail to <afl-users+subscribe@googlegroups.com>.
### Version ++3.13a (development) ### Version ++3.13a (development)
- frida_mode - new mode that uses frida to fuzz binary-only targets,
thanks to @WorksButNotTested!
- afl-fuzz: - afl-fuzz:
- added patch by @realmadsci to support @@ as part of command line - added patch by @realmadsci to support @@ as part of command line
options, e.g. `afl-fuzz ... -- ./target --infile=@@` options, e.g. `afl-fuzz ... -- ./target --infile=@@`


@ -372,7 +372,8 @@ checks or alter some of the more exotic semantics of the tool:
may complain of high load prematurely, especially on systems with low core may complain of high load prematurely, especially on systems with low core
counts. To avoid the alarming red color, you can set `AFL_NO_CPU_RED`. counts. To avoid the alarming red color, you can set `AFL_NO_CPU_RED`.
- In QEMU mode (-Q), `AFL_PATH` will be searched for afl-qemu-trace. - In QEMU mode (-Q), Unicorn mode (-U) and Frida mode (-O), `AFL_PATH` will
be searched for afl-qemu-trace.
- In QEMU mode (-Q), setting `AFL_QEMU_CUSTOM_BIN` cause afl-fuzz to skip - In QEMU mode (-Q), setting `AFL_QEMU_CUSTOM_BIN` cause afl-fuzz to skip
prepending `afl-qemu-trace` to your command line. Use this if you wish to use a prepending `afl-qemu-trace` to your command line. Use this if you wish to use a
@ -605,7 +606,7 @@ optimal values if not already present in the environment:
override this by setting `LD_BIND_LAZY` beforehand, but it is almost override this by setting `LD_BIND_LAZY` beforehand, but it is almost
certainly pointless. certainly pointless.
- By default, `ASAN_OPTIONS` are set to: - By default, `ASAN_OPTIONS` are set to (among others):
``` ```
abort_on_error=1 abort_on_error=1
detect_leaks=0 detect_leaks=0


@ -1,12 +1,10 @@
PWD:=$(shell pwd)/ PWD:=$(shell pwd)/
INC_DIR:=$(PWD)inc/ INC_DIR:=$(PWD)include/
SRC_DIR:=$(PWD)src/ SRC_DIR:=$(PWD)src/
INCLUDES:=$(wildcard $(INC_DIR)*.h) INCLUDES:=$(wildcard $(INC_DIR)*.h)
SOURCES:=$(wildcard $(SRC_DIR)*.c) SOURCES:=$(wildcard $(SRC_DIR)*.c)
BUILD_DIR:=$(PWD)build/ BUILD_DIR:=$(PWD)build/
CFLAGS:= $(CFLAGS) \ CFLAGS+=-fPIC -D_GNU_SOURCE
-fPIC \
-D_GNU_SOURCE
FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/ FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/
FRIDA_TRACE:=$(FRIDA_BUILD_DIR)afl-frida-trace.so FRIDA_TRACE:=$(FRIDA_BUILD_DIR)afl-frida-trace.so


@ -638,8 +638,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-load";
cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path);
alloc_printf("%s/afl-llvm-pass.so", obj_path);
} }
@ -1247,7 +1246,9 @@ int main(int argc, char **argv, char **envp) {
strcasecmp(ptr, "CFG") == 0) { strcasecmp(ptr, "CFG") == 0) {
FATAL("InsTrim instrumentation was removed. Use a modern LLVM and PCGUARD (default in afl-cc).\n"); FATAL(
"InsTrim instrumentation was removed. Use a modern LLVM and "
"PCGUARD (default in afl-cc).\n");
} else if (strcasecmp(ptr, "AFL") == 0 || } else if (strcasecmp(ptr, "AFL") == 0 ||
@ -1313,7 +1314,9 @@ int main(int argc, char **argv, char **envp) {
if (getenv("AFL_LLVM_INSTRIM") || getenv("INSTRIM") || if (getenv("AFL_LLVM_INSTRIM") || getenv("INSTRIM") ||
getenv("INSTRIM_LIB")) { getenv("INSTRIM_LIB")) {
FATAL("InsTrim instrumentation was removed. Use a modern LLVM and PCGUARD (default in afl-cc).\n"); FATAL(
"InsTrim instrumentation was removed. Use a modern LLVM and PCGUARD "
"(default in afl-cc).\n");
} }
@ -1400,7 +1403,9 @@ int main(int argc, char **argv, char **envp) {
if (strncasecmp(ptr2, "cfg", strlen("cfg")) == 0 || if (strncasecmp(ptr2, "cfg", strlen("cfg")) == 0 ||
strncasecmp(ptr2, "instrim", strlen("instrim")) == 0) { strncasecmp(ptr2, "instrim", strlen("instrim")) == 0) {
FATAL("InsTrim instrumentation was removed. Use a modern LLVM and PCGUARD (default in afl-cc).\n"); FATAL(
"InsTrim instrumentation was removed. Use a modern LLVM and "
"PCGUARD (default in afl-cc).\n");
} }
@ -1765,7 +1770,8 @@ int main(int argc, char **argv, char **envp) {
" AFL_LLVM_CMPLOG: log operands of comparisons (RedQueen " " AFL_LLVM_CMPLOG: log operands of comparisons (RedQueen "
"mutator)\n" "mutator)\n"
" AFL_LLVM_INSTRUMENT: set instrumentation mode:\n" " AFL_LLVM_INSTRUMENT: set instrumentation mode:\n"
" CLASSIC, PCGUARD, LTO, GCC, CLANG, CALLER, CTX, NGRAM-2 ..-16\n" " CLASSIC, PCGUARD, LTO, GCC, CLANG, CALLER, CTX, NGRAM-2 "
"..-16\n"
" You can also use the old environment variables instead:\n" " You can also use the old environment variables instead:\n"
" AFL_LLVM_USE_TRACE_PC: use LLVM trace-pc-guard instrumentation\n" " AFL_LLVM_USE_TRACE_PC: use LLVM trace-pc-guard instrumentation\n"
" AFL_LLVM_CALLER: use single context sensitive coverage (for " " AFL_LLVM_CALLER: use single context sensitive coverage (for "


@ -336,7 +336,16 @@ u8 *find_afl_binary(u8 *own_loc, u8 *fname) {
} }
if (perm == X_OK) {
target_path = alloc_printf("%s/%s", BIN_PATH, fname); target_path = alloc_printf("%s/%s", BIN_PATH, fname);
} else {
target_path = alloc_printf("%s/%s", AFL_PATH, fname);
}
if (!access(target_path, perm)) { if (!access(target_path, perm)) {
return target_path; return target_path;
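Review bot: The new `if (perm == X_OK)` branch selects the search directory from `perm` without saying why, and `perm` is assigned outside this hunk, so a reader of find_afl_binary cannot tell from these lines which files are expected under BIN_PATH and which under AFL_PATH; a comment on the `if` line such as `/* executables are looked up in BIN_PATH, loadable helpers (any non-X_OK perm) in AFL_PATH */` would make the split explicit. Note that `AFL_PATH` here is the compile-time macro, not the `AFL_PATH` environment variable that the env_variables.md change in this commit describes for -O mode; if the environment variable is consulted earlier in the function (not visible here), the same comment should say so, since the two can point to different directories when the install prefix is changed. The remainder of find_afl_binary, including how a file that fails `access()` is reported, lies outside the hunk.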


@ -73,7 +73,8 @@ static u32 ld_param_cnt = 1; /* Number of params to 'ld' */
so we exploit this property to keep the code "simple". */ so we exploit this property to keep the code "simple". */
static void edit_params(int argc, char **argv) { static void edit_params(int argc, char **argv) {
u32 i, gold_pos = 0, gold_present = 0, rt_present = 0, rt_lto_present = 0, inst_present = 0; u32 i, gold_pos = 0, gold_present = 0, rt_present = 0, rt_lto_present = 0,
inst_present = 0;
char *ptr; char *ptr;
ld_params = ck_alloc(4096 * sizeof(u8 *)); ld_params = ck_alloc(4096 * sizeof(u8 *));
@ -188,7 +189,9 @@ static void edit_params(int argc, char **argv) {
if (getenv("AFL_LLVM_INSTRIM") || if (getenv("AFL_LLVM_INSTRIM") ||
((ptr = getenv("AFL_LLVM_INSTRUMENT")) && ((ptr = getenv("AFL_LLVM_INSTRUMENT")) &&
(strcasestr(ptr, "CFG") == 0 || strcasestr(ptr, "INSTRIM") == 0))) (strcasestr(ptr, "CFG") == 0 || strcasestr(ptr, "INSTRIM") == 0)))
FATAL("InsTrim was removed because it is not effective. Use a modern LLVM and PCGUARD (which is the default in afl-cc).\n"); FATAL(
"InsTrim was removed because it is not effective. Use a modern LLVM "
"and PCGUARD (which is the default in afl-cc).\n");
if (debug) if (debug)
DEBUGF( DEBUGF(
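Review bot: The condition guarding the re-wrapped FATAL is inverted: `strcasestr()` returns NULL when the substring is absent, so `(strcasestr(ptr, "CFG") == 0 || strcasestr(ptr, "INSTRIM") == 0)` is true whenever AFL_LLVM_INSTRUMENT is set to a value lacking either word (for example a plain `LTO`) and false only when both words appear, which is the opposite of what the InsTrim-removal error intends. The check should read `(strcasestr(ptr, "CFG") != NULL || strcasestr(ptr, "INSTRIM") != NULL)`. This is pre-existing code that the reformat kept in place, and whether afl-ld-lto is ever reached with the variable still set depends on callers outside this file. edit_params continues past the end of the hunk.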