ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-15 11:28:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Improvements to debug output

Browse Source
This commit is contained in:
Your Name
2021-12-20 18:14:57 +00:00
parent db19116ce6
commit d59a76261d
32 changed files with 253 additions and 152 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
frida_mode/README.md
View File

@ -176,9 +176,6 @@ instances run CMPLOG mode and instrumentation of the binary is less frequent
* `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage
instrumentation (the default where available). Required to use
`AFL_FRIDA_INST_TRACE`.
* `AFL_FRIDA_INST_NO_BACKPATCH` - Disable backpatching. At the end of executing
each block, control will return to FRIDA to identify the next block to
execute.
* `AFL_FRIDA_INST_NO_PREFETCH` - Disable prefetching. By default, the child will
report instrumented blocks back to the parent so that it can also instrument
them and they be inherited by the next child on fork, implies
@ -227,6 +224,9 @@ instances run CMPLOG mode and instrumentation of the binary is less frequent
* `AFL_FRIDA_STALKER_IC_ENTRIES` - Configure the number of inline cache entries
stored along-side branch instructions which provide a cache to avoid having to
call back into FRIDA to find the next block. Default is 32.
* `AFL_FRIDA_STALKER_NO_BACKPATCH` - Disable backpatching. At the end of executing
each block, control will return to FRIDA to identify the next block to
execute.
* `AFL_FRIDA_STATS_FILE` - Write statistics information about the code being
instrumented to the given file name. The statistics are written only for the
child process when new block is instrumented (when the
@ -307,6 +307,7 @@ instances run CMPLOG mode and instrumentation of the binary is less frequent
core dump of the instrumented target. Note that in order to capture the core
dump you must set a sufficient timeout (using `-t`) to avoid `afl-fuzz`
killing the process whilst it is being dumped.
* `AFL_FRIDA_VERBOSE` - Enable verbose output from FRIDA mode.
## FASAN - FRIDA Address Sanitizer mode

2
frida_mode/Scripting.md
View File

@ -782,7 +782,7 @@ class Afl {
Afl.jsApiWrite(STDOUT_FILENO, buf, log.length);
}
/**
* See `AFL_FRIDA_INST_NO_BACKPATCH`.
* See `AFL_FRIDA_STALKER_NO_BACKPATCH`.
*/
static setBackpatchDisable() {
Afl.jsApiSetBackpatchDisable();

1
frida_mode/frida.map
View File

@ -37,6 +37,7 @@
js_api_set_stderr;
js_api_set_stdout;
js_api_set_traceable;
js_api_set_verbose;
local:
*;

16
frida_mode/include/util.h
View File

@ -8,9 +8,12 @@
#define UNUSED_PARAMETER(x) (void)(x)
#define IGNORED_RETURN(x) (void)!(x)
extern gboolean util_verbose;
guint64 util_read_address(char *key, guint64 default_value);
guint64 util_read_num(char *key, guint64 default_value);
gboolean util_output_enabled(void);
gboolean util_verbose_enabled(void);
gsize util_rotate(gsize val, gsize shift, gsize size);
gsize util_log2(gsize val);
@ -19,7 +22,8 @@ gsize util_log2(gsize val);
\
if (!util_output_enabled()) { break; } \
\
OKF(x); \
SAYF(cLGN "[F] " cRST x); \
SAYF(cRST "\n"); \
\
} while (0)
@ -37,5 +41,15 @@ gsize util_log2(gsize val);
\
} while (0)
#define FVERBOSE(x...) \
do { \
\
if (!util_verbose_enabled()) { break; } \
\
SAYF(cGRA "[F] " x); \
SAYF(cRST "\n"); \
\
} while (0)
#endif

14
frida_mode/src/asan/asan.c
View File

@ -9,21 +9,15 @@ gboolean asan_initialized = FALSE;
void asan_config(void) {
if (getenv("AFL_USE_FASAN") != NULL) {
FOKF("Frida ASAN mode enabled");
asan_enabled = TRUE;
} else {
FOKF("Frida ASAN mode disabled");
}
if (getenv("AFL_USE_FASAN") != NULL) { asan_enabled = TRUE; }
}
void asan_init(void) {
FOKF(cBLU "Instrumentation" cRST " - " cGRN "asan:" cYEL " [%c]",
asan_enabled ? 'X' : ' ');
if (asan_enabled) {
asan_arch_init();

11
frida_mode/src/cmplog/cmplog.c
View File

@ -54,7 +54,7 @@ static gint cmplog_sort(gconstpointer a, gconstpointer b) {
static void cmplog_get_ranges(void) {
FOKF("CMPLOG - Collecting ranges");
FVERBOSE("CMPLOG - Collecting ranges");
cmplog_ranges = g_array_sized_new(false, false, sizeof(GumMemoryRange), 100);
gum_process_enumerate_ranges(GUM_PAGE_READ, cmplog_range, cmplog_ranges);
@ -68,17 +68,20 @@ void cmplog_config(void) {
void cmplog_init(void) {
FOKF("CMPLOG - Enabled [%c]", __afl_cmp_map == NULL ? ' ' : 'X');
FOKF(cBLU "Instrumentation" cRST " - " cGRN "cmplog:" cYEL " [%c]",
__afl_cmp_map == NULL ? ' ' : 'X');
if (__afl_cmp_map == NULL) { return; }
cmplog_get_ranges();
FVERBOSE("Cmplog Ranges");
for (guint i = 0; i < cmplog_ranges->len; i++) {
GumMemoryRange *range = &g_array_index(cmplog_ranges, GumMemoryRange, i);
FOKF("CMPLOG Range - %3u: 0x%016" G_GINT64_MODIFIER
"X - 0x%016" G_GINT64_MODIFIER "X",
FVERBOSE("\t%3u: 0x%016" G_GINT64_MODIFIER "X - 0x%016" G_GINT64_MODIFIER
"X",
i, range->base_address, range->base_address + range->size);
}

8
frida_mode/src/entry.c
View File

@ -24,7 +24,7 @@ gboolean entry_run = FALSE;
static void entry_launch(void) {
FOKF("Entry point reached");
FVERBOSE("Entry point reached");
__afl_manual_init();
/* Child here */
@ -69,8 +69,8 @@ void entry_config(void) {
void entry_init(void) {
FOKF("entry_point: 0x%016" G_GINT64_MODIFIER "X", entry_point);
FOKF("dumpable: [%c]", traceable ? 'X' : ' ');
FVERBOSE("Entry Point: 0x%016" G_GINT64_MODIFIER "X", entry_point);
FVERBOSE("Dumpable: [%c]", traceable ? 'X' : ' ');
if (dlopen(NULL, RTLD_NOW) == NULL) { FFATAL("Failed to dlopen: %d", errno); }
@ -94,7 +94,7 @@ static void entry_callout(GumCpuContext *cpu_context, gpointer user_data) {
void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output) {
UNUSED_PARAMETER(output);
FOKF("AFL_ENTRYPOINT reached");
FVERBOSE("AFL_ENTRYPOINT reached");
if (persistent_start == 0) {

28
frida_mode/src/instrument/instrument.c
View File

@ -274,14 +274,19 @@ void instrument_init(void) {
if (!instrument_is_coverage_optimize_supported()) instrument_optimize = false;
FOKF("Instrumentation - optimize [%c]", instrument_optimize ? 'X' : ' ');
FOKF("Instrumentation - tracing [%c]", instrument_tracing ? 'X' : ' ');
FOKF("Instrumentation - unique [%c]", instrument_unique ? 'X' : ' ');
FOKF("Instrumentation - fixed seed [%c] [0x%016" G_GINT64_MODIFIER "x]",
FOKF(cBLU "Instrumentation" cRST " - " cGRN "optimize:" cYEL " [%c]",
instrument_optimize ? 'X' : ' ');
FOKF(cBLU "Instrumentation" cRST " - " cGRN "tracing:" cYEL " [%c]",
instrument_tracing ? 'X' : ' ');
FOKF(cBLU "Instrumentation" cRST " - " cGRN "unique:" cYEL " [%c]",
instrument_unique ? 'X' : ' ');
FOKF(cBLU "Instrumentation" cRST " - " cGRN "fixed seed:" cYEL
" [%c] [0x%016" G_GINT64_MODIFIER "x]",
instrument_use_fixed_seed ? 'X' : ' ', instrument_fixed_seed);
FOKF("Instrumentation - unstable coverage [%c] [%s]",
instrument_coverage_unstable_filename == NULL ? ' ' : 'X',
instrument_coverage_unstable_filename);
FOKF(cBLU "Instrumentation" cRST " - " cGRN "unstable coverage:" cYEL " [%s]",
instrument_coverage_unstable_filename == NULL
? " "
: instrument_coverage_unstable_filename);
if (instrument_tracing && instrument_optimize) {
@ -366,15 +371,16 @@ void instrument_init(void) {
}
FOKF("Instrumentation - seed [0x%016" G_GINT64_MODIFIER "x]",
FOKF(cBLU "Instrumentation" cRST " - " cGRN "seed:" cYEL
" [0x%016" G_GINT64_MODIFIER "x]",
instrument_hash_seed);
instrument_hash_zero = instrument_get_offset_hash(0);
instrument_coverage_optimize_init();
instrument_debug_init();
instrument_coverage_init();
asan_init();
cmplog_init();
instrument_coverage_init();
instrument_coverage_optimize_init();
instrument_debug_init();
}

22
frida_mode/src/instrument/instrument_coverage.c
View File

@ -659,17 +659,17 @@ void instrument_coverage_config(void) {
void instrument_coverage_normal_init(void) {
FOKF("Coverage - enabled [%c]",
instrument_coverage_filename == NULL ? ' ' : 'X');
FOKF(cBLU "Instrumentation" cRST " - " cGRN "coverage:" cYEL " [%s]",
instrument_coverage_filename == NULL ? " "
: instrument_coverage_filename);
if (instrument_coverage_filename == NULL) { return; }
FOKF("Coverage - file [%s]", instrument_coverage_filename);
char *path = g_canonicalize_filename(instrument_coverage_filename,
g_get_current_dir());
FOKF("Coverage - path [%s]", path);
FOKF(cBLU "Instrumentation" cRST " - " cGRN "coverage path:" cYEL " [%s]",
path);
normal_coverage_fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
@ -718,7 +718,7 @@ void instrument_coverage_unstable_find_output(void) {
GDir *dir = g_dir_open(fds_name, 0, NULL);
FOKF("Coverage Unstable - fds: %s", fds_name);
FVERBOSE("Coverage Unstable - fds: %s", fds_name);
for (const gchar *filename = g_dir_read_name(dir); filename != NULL;
filename = g_dir_read_name(dir)) {
@ -782,18 +782,24 @@ void instrument_coverage_unstable_find_output(void) {
}
FOKF("Fuzzer stats: %s", unstable_coverage_fuzzer_stats);
FVERBOSE("Fuzzer stats: %s", unstable_coverage_fuzzer_stats);
}
void instrument_coverage_unstable_init(void) {
FOKF(cBLU "Instrumentation" cRST " - " cGRN "unstable coverage:" cYEL " [%s]",
instrument_coverage_unstable_filename == NULL
? " "
: instrument_coverage_unstable_filename);
if (instrument_coverage_unstable_filename == NULL) { return; }
char *path = g_canonicalize_filename(instrument_coverage_unstable_filename,
g_get_current_dir());
FOKF("Coverage - unstable path [%s]", instrument_coverage_unstable_filename);
FOKF(cBLU "Instrumentation" cRST " - " cGRN "unstable coverage path:" cYEL
" [%s]",
path == NULL ? " " : path);
unstable_coverage_fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);

10
frida_mode/src/instrument/instrument_debug.c
View File

@ -94,19 +94,15 @@ void instrument_debug_config(void) {
void instrument_debug_init(void) {
FOKF("Instrumentation debugging - enabled [%c]",
instrument_debug_filename == NULL ? ' ' : 'X');
if (instrument_debug_filename == NULL) { return; }
FOKF("Instrumentation debugging - file [%s]", instrument_debug_filename);
FOKF(cBLU "Instrumentation" cRST " - " cGRN "debugging:" cYEL " [%s]",
instrument_debug_filename == NULL ? " " : instrument_debug_filename);
if (instrument_debug_filename == NULL) { return; }
char *path =
g_canonicalize_filename(instrument_debug_filename, g_get_current_dir());
FOKF("Instrumentation debugging - path [%s]", path);
FOKF(cBLU "Instrumentation" cRST " - " cGRN "path:" cYEL " [%s]", path);
debugging_fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);

8
frida_mode/src/instrument/instrument_x64.c
View File

@ -323,7 +323,7 @@ void instrument_coverage_optimize_init(void) {
gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, instrument_coverage_find_low,
&low_address);
FOKF("Low address: %p", low_address);
FVERBOSE("Low address: %p", low_address);
if (low_address == 0 ||
GPOINTER_TO_SIZE(low_address) > ((2UL << 20) - __afl_map_size)) {
@ -335,7 +335,7 @@ void instrument_coverage_optimize_init(void) {
ranges_print_debug_maps();
char *shm_env = getenv(SHM_ENV_VAR);
FOKF("SHM_ENV_VAR: %s", shm_env);
FVERBOSE("SHM_ENV_VAR: %s", shm_env);
if (shm_env == NULL) {
@ -359,8 +359,8 @@ void instrument_coverage_optimize_init(void) {
}
FOKF("__afl_area_ptr: %p", __afl_area_ptr);
FOKF("instrument_previous_pc: %p", &instrument_previous_pc);
FVERBOSE("__afl_area_ptr: %p", __afl_area_ptr);
FVERBOSE("instrument_previous_pc: %p", &instrument_previous_pc);
}

9
frida_mode/src/js/api.js
View File

@ -63,7 +63,7 @@ class Afl {
Afl.jsApiWrite(STDOUT_FILENO, buf, log.length);
}
/**
* See `AFL_FRIDA_INST_NO_BACKPATCH`.
* See `AFL_FRIDA_STALKER_NO_BACKPATCH`.
*/
static setBackpatchDisable() {
Afl.jsApiSetBackpatchDisable();
@ -268,6 +268,12 @@ class Afl {
static setTraceable() {
Afl.jsApiSetTraceable();
}
/**
* See `AFL_FRIDA_VERBOSE`
*/
static setVerbose() {
Afl.jsApiSetVerbose();
}
static jsApiGetFunction(name, retType, argTypes) {
const addr = Afl.module.getExportByName(name);
return new NativeFunction(addr, retType, argTypes);
@ -315,6 +321,7 @@ Afl.jsApiSetStatsInterval = Afl.jsApiGetFunction("js_api_set_stats_interval", "v
Afl.jsApiSetStdErr = Afl.jsApiGetFunction("js_api_set_stderr", "void", ["pointer"]);
Afl.jsApiSetStdOut = Afl.jsApiGetFunction("js_api_set_stdout", "void", ["pointer"]);
Afl.jsApiSetTraceable = Afl.jsApiGetFunction("js_api_set_traceable", "void", []);
Afl.jsApiSetVerbose = Afl.jsApiGetFunction("js_api_set_verbose", "void", []);
Afl.jsApiWrite = new NativeFunction(
/* tslint:disable-next-line:no-null-keyword */
Module.getExportByName(null, "write"), "int", ["int", "pointer", "int"]);

7
frida_mode/src/js/js.c
View File

@ -55,7 +55,10 @@ static gchar *js_get_script() {
} else {
FOKF("Loaded AFL script: %s, %" G_GSIZE_MODIFIER "d bytes", filename,
FOKF(cBLU "Javascript" cRST " - " cGRN "script:" cYEL " [%s]",
filename == NULL ? " " : filename);
FOKF(cBLU "Javascript" cRST " - " cGRN "size: " cYEL "%" G_GSIZE_MODIFIER
"d bytes",
length);
gchar *source = g_malloc0(api_js_len + length + 1);
@ -74,7 +77,7 @@ static void js_print_script(gchar *source) {
for (size_t i = 0; split[i] != NULL; i++) {
FOKF("%3" G_GSIZE_MODIFIER "d. %s", i + 1, split[i]);
FVERBOSE("%3" G_GSIZE_MODIFIER "d. %s", i + 1, split[i]);
}

6
frida_mode/src/js/js_api.c
View File

@ -262,3 +262,9 @@ __attribute__((visibility("default"))) void js_api_set_js_main_hook(
}
__attribute__((visibility("default"))) void js_api_set_verbose(void) {
util_verbose = TRUE;
}

25
frida_mode/src/lib/lib.c
View File

@ -93,17 +93,18 @@ static void lib_read_text_section(lib_details_t *lib_details, Elf_Ehdr *hdr) {
}
FOKF("Image preferred load address 0x%016" G_GSIZE_MODIFIER "x",
FVERBOSE("\tpreferred load address: 0x%016" G_GSIZE_MODIFIER "x",
preferred_base);
shdr = (Elf_Shdr *)((char *)hdr + hdr->e_shoff);
shstrtab = &shdr[hdr->e_shstrndx];
shstr = (char *)hdr + shstrtab->sh_offset;
FOKF("shdr: %p", shdr);
FOKF("shstrtab: %p", shstrtab);
FOKF("shstr: %p", shstr);
FVERBOSE("\tshdr: %p", shdr);
FVERBOSE("\tshstrtab: %p", shstrtab);
FVERBOSE("\tshstr: %p", shstr);
FVERBOSE("Sections:");
for (size_t i = 0; i < hdr->e_shnum; i++) {
curr = &shdr[i];
@ -111,7 +112,7 @@ static void lib_read_text_section(lib_details_t *lib_details, Elf_Ehdr *hdr) {
if (curr->sh_name == 0) continue;
section_name = &shstr[curr->sh_name];
FOKF("Section: %2" G_GSIZE_MODIFIER "u - base: 0x%016" G_GSIZE_MODIFIER
FVERBOSE("\t%2" G_GSIZE_MODIFIER "u - base: 0x%016" G_GSIZE_MODIFIER
"X size: 0x%016" G_GSIZE_MODIFIER "X %s",
i, curr->sh_addr, curr->sh_size, section_name);
if (memcmp(section_name, text_name, sizeof(text_name)) == 0 &&
@ -119,13 +120,15 @@ static void lib_read_text_section(lib_details_t *lib_details, Elf_Ehdr *hdr) {
text_base = lib_details->base_address + curr->sh_addr - preferred_base;
text_limit = text_base + curr->sh_size;
FOKF("> text_addr: 0x%016" G_GINT64_MODIFIER "X", text_base);
FOKF("> text_limit: 0x%016" G_GINT64_MODIFIER "X", text_limit);
}
}
FVERBOSE(".text\n");
FVERBOSE("\taddr: 0x%016" G_GINT64_MODIFIER "X", text_base);
FVERBOSE("\tlimit: 0x%016" G_GINT64_MODIFIER "X", text_limit);
}
static void lib_get_text_section(lib_details_t *details) {
@ -141,7 +144,7 @@ static void lib_get_text_section(lib_details_t *details) {
if (len == (off_t)-1) { FFATAL("Failed to lseek %s", details->path); }
FOKF("len: %ld", len);
FVERBOSE("\tlength: %ld", len);
hdr = (Elf_Ehdr *)mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
if (hdr == MAP_FAILED) { FFATAL("Failed to map %s", details->path); }
@ -162,8 +165,10 @@ void lib_init(void) {
lib_details_t lib_details;
gum_process_enumerate_modules(lib_find_exe, &lib_details);
FOKF("Executable: 0x%016" G_GINT64_MODIFIER "x - %s",
lib_details.base_address, lib_details.path);
FVERBOSE("Image");
FVERBOSE("\tbase: 0x%016" G_GINT64_MODIFIER "x",
lib_details.base_address);
FVERBOSE("\tpath: %s", lib_details.path);
lib_get_text_section(&lib_details);
}

12
frida_mode/src/lib/lib_apple.c
View File

@ -20,7 +20,7 @@ static gboolean lib_get_main_module(const GumModuleDetails *details,
details->path, mach_task_self(), details->range->base_address,
GUM_DARWIN_MODULE_FLAGS_NONE, NULL);
FOKF("Found main module: %s", module->name);
FVERBOSE("Found main module: %s", module->name);
*ret = module;
@ -35,7 +35,7 @@ gboolean lib_get_text_section(const GumDarwinSectionDetails *details,
static size_t idx = 0;
char text_name[] = "__text";
FOKF("Section: %2lu - base: 0x%016" G_GINT64_MODIFIER
FVERBOSE("\t%2lu - base: 0x%016" G_GINT64_MODIFIER
"X size: 0x%016" G_GINT64_MODIFIER "X %s",
idx++, details->vm_address, details->vm_address + details->size,
details->section_name);
@ -45,11 +45,13 @@ gboolean lib_get_text_section(const GumDarwinSectionDetails *details,
text_base = details->vm_address;
text_limit = details->vm_address + details->size;
FOKF("> text_addr: 0x%016" G_GINT64_MODIFIER "X", text_base);
FOKF("> text_limit: 0x%016" G_GINT64_MODIFIER "X", text_limit);
}
FVERBOSE(".text\n");
FVERBOSE("\taddr: 0x%016" G_GINT64_MODIFIER "X", text_base);
FVERBOSE("\tlimit: 0x%016" G_GINT64_MODIFIER "X", text_limit);
return TRUE;
}
@ -62,6 +64,8 @@ void lib_init(void) {
GumDarwinModule *module = NULL;
gum_darwin_enumerate_modules(mach_task_self(), lib_get_main_module, &module);
FVERBOSE("Sections:");
gum_darwin_module_enumerate_sections(module, lib_get_text_section, NULL);
}

20
frida_mode/src/main.c
View File

@ -111,11 +111,13 @@ static void afl_print_cmdline(void) {
int idx = 0;
FVERBOSE("Command Line");
for (ssize_t i = 0; i < bytes_read; i++) {
if (i == 0 || buffer[i - 1] == '\0') {
FOKF("AFL - COMMANDLINE: argv[%d] = %s", idx++, &buffer[i]);
FVERBOSE("\targv[%d] = %s", idx++, &buffer[i]);
}
@ -131,7 +133,7 @@ static void afl_print_cmdline(void) {
for (idx = 0; idx < nargv; idx++) {
FOKF("AFL - COMMANDLINE: argv[%d] = %s", idx, argv[idx]);
FVERBOSE("\targv[%d] = %s", idx, argv[idx]);
}
@ -161,11 +163,12 @@ static void afl_print_env(void) {
int idx = 0;
FVERBOSE("ENVIRONMENT");
for (ssize_t i = 0; i < bytes_read; i++) {
if (i == 0 || buffer[i - 1] == '\0') {
FOKF("AFL - ENVIRONMENT %3d: %s", idx++, &buffer[i]);
FVERBOSE("\t%3d: %s", idx++, &buffer[i]);
}
@ -179,6 +182,13 @@ static void afl_print_env(void) {
__attribute__((visibility("default"))) void afl_frida_start(void) {
FOKF(cRED "**********************");
FOKF(cRED "* " cYEL "******************" cRED " *");
FOKF(cRED "* " cYEL "* " cGRN "**************" cYEL " *" cRED " *");
FOKF(cRED "* " cYEL "* " cGRN "* FRIDA MODE *" cYEL " *" cRED " *");
FOKF(cRED "* " cYEL "* " cGRN "**************" cYEL " *" cRED " *");
FOKF(cRED "* " cYEL "******************" cRED " *");
FOKF(cRED "**********************");
afl_print_cmdline();
afl_print_env();
@ -255,9 +265,9 @@ static void intercept_main(void) {
static void intercept_main(void) {
mach_port_t task = mach_task_self();
FOKF("Task Id: %u", task);
FVERBOSE("Task Id: %u", task);
GumAddress entry = gum_darwin_find_entrypoint(task);
FOKF("Entry Point: 0x%016" G_GINT64_MODIFIER "x", entry);
FVERBOSE("Entry Point: 0x%016" G_GINT64_MODIFIER "x", entry);
void *main = GSIZE_TO_POINTER(entry);
main_fn = main;
intercept_hook(main, on_main, NULL);

8
frida_mode/src/output.c
View File

@ -18,7 +18,7 @@ static void output_redirect(int fd, char *filename) {
path = g_canonicalize_filename(filename, g_get_current_dir());
FOKF("Redirect %d -> '%s'", fd, path);
FVERBOSE("Redirect %d -> '%s'", fd, path);
int output_fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
@ -46,8 +46,10 @@ void output_config(void) {
void output_init(void) {
FOKF("Output - StdOut: %s", output_stdout);
FOKF("Output - StdErr: %s", output_stderr);
FOKF(cBLU "Output" cRST " - " cGRN "stdout:" cYEL " [%s]",
output_stdout == NULL ? " " : output_stdout);
FOKF(cBLU "Output" cRST " - " cGRN "stderr:" cYEL " [%s]",
output_stderr == NULL ? " " : output_stderr);
output_redirect(STDOUT_FILENO, output_stdout);
output_redirect(STDERR_FILENO, output_stderr);

15
frida_mode/src/persistent/persistent.c
View File

@ -72,13 +72,16 @@ void persistent_config(void) {
void persistent_init(void) {
FOKF("Instrumentation - persistent mode [%c] (0x%016" G_GINT64_MODIFIER "X)",
FOKF(cBLU "Instrumentation" cRST " - " cGRN "persistent mode:" cYEL
" [%c] (0x%016" G_GINT64_MODIFIER "X)",
persistent_start == 0 ? ' ' : 'X', persistent_start);
FOKF("Instrumentation - persistent count [%c] (%" G_GINT64_MODIFIER "d)",
FOKF(cBLU "Instrumentation" cRST " - " cGRN "persistent count:" cYEL
" [%c] (%" G_GINT64_MODIFIER "d)",
persistent_start == 0 ? ' ' : 'X', persistent_count);
FOKF("Instrumentation - hook [%s]", hook_name);
FOKF(cBLU "Instrumentation" cRST " - " cGRN "hook:" cYEL " [%s]", hook_name);
FOKF("Instrumentation - persistent ret [%c] (0x%016" G_GINT64_MODIFIER "X)",
FOKF(cBLU "Instrumentation" cRST " - " cGRN "persistent ret:" cYEL
" [%c] (0x%016" G_GINT64_MODIFIER "X)",
persistent_ret == 0 ? ' ' : 'X', persistent_ret);
if (persistent_hook != NULL) { __afl_sharedmem_fuzzing = 1; }
@ -87,7 +90,7 @@ void persistent_init(void) {
void persistent_prologue(GumStalkerOutput *output) {
FOKF("AFL_FRIDA_PERSISTENT_ADDR reached");
FVERBOSE("AFL_FRIDA_PERSISTENT_ADDR reached");
entry_compiled = TRUE;
ranges_exclude();
stalker_trust();
@ -97,7 +100,7 @@ void persistent_prologue(GumStalkerOutput *output) {
void persistent_epilogue(GumStalkerOutput *output) {
FOKF("AFL_FRIDA_PERSISTENT_RET reached");
FVERBOSE("AFL_FRIDA_PERSISTENT_RET reached");
persistent_epilogue_arch(output);
}

2
frida_mode/src/persistent/persistent_arm64.c
View File

@ -324,7 +324,7 @@ void persistent_prologue_arch(GumStalkerOutput *output) {
gconstpointer loop = cw->code + 1;
FOKF("Persistent loop reached");
FVERBOSE("Persistent loop reached");
instrument_persitent_save_regs(cw, &saved_regs);

2
frida_mode/src/persistent/persistent_x64.c
View File

@ -269,7 +269,7 @@ void persistent_prologue_arch(GumStalkerOutput *output) {
gconstpointer loop = cw->code + 1;
FOKF("Persistent loop reached");
FVERBOSE("Persistent loop reached");
/* Pop the return value */
gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, 8);

2
frida_mode/src/persistent/persistent_x86.c
View File

@ -210,7 +210,7 @@ void persistent_prologue_arch(GumStalkerOutput *output) {
gconstpointer loop = cw->code + 1;
FOKF("Persistent loop reached");
FVERBOSE("Persistent loop reached");
/* Pop the return value */
gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, 4);

6
frida_mode/src/prefetch.c
View File

@ -178,8 +178,10 @@ static void prefetch_hook_fork(void) {
void prefetch_init(void) {
FOKF("Instrumentation - prefetch [%c]", prefetch_enable ? 'X' : ' ');
FOKF("Instrumentation - prefetch_backpatch [%c]",
FOKF(cBLU "Instrumentation" cRST " - " cGRN "prefetch:" cYEL " [%c]",
prefetch_enable ? 'X' : ' ');
FOKF(cBLU "Instrumentation" cRST " - " cGRN "prefetch_backpatch:" cYEL
" [%c]",
prefetch_backpatch ? 'X' : ' ');
if (!prefetch_enable) { return; }

42
frida_mode/src/ranges.c
View File

@ -122,7 +122,7 @@ static gboolean convert_name_token_for_module(const GumModuleDetails *details,
if (!g_str_has_suffix(details->path, ctx->suffix)) { return true; };
FOKF("Found module - prefix: %s, 0x%016" G_GINT64_MODIFIER
FVERBOSE("Found module - prefix: %s, 0x%016" G_GINT64_MODIFIER
"x-0x%016" G_GINT64_MODIFIER "x %s",
ctx->suffix, details->range->base_address,
details->range->base_address + details->range->size, details->path);
@ -158,7 +158,7 @@ static void convert_token(gchar *token, GumMemoryRange *range) {
}
FOKF("Converted token: %s -> 0x%016" G_GINT64_MODIFIER
FVERBOSE("Converted token: %s -> 0x%016" G_GINT64_MODIFIER
"x-0x%016" G_GINT64_MODIFIER "x\n",
token, range->base_address, range->base_address + range->size);
@ -192,7 +192,7 @@ static gboolean print_ranges_callback(const GumRangeDetails *details,
if (details->file == NULL) {
FOKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER
FVERBOSE("\t0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER
"X %c%c%c",
details->range->base_address,
details->range->base_address + details->range->size,
@ -202,7 +202,7 @@ static gboolean print_ranges_callback(const GumRangeDetails *details,
} else {
FOKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER
FVERBOSE("\t0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER
"X %c%c%c %s(0x%016" G_GINT64_MODIFIER "x)",
details->range->base_address,
details->range->base_address + details->range->size,
@ -219,14 +219,14 @@ static gboolean print_ranges_callback(const GumRangeDetails *details,
static void print_ranges(char *key, GArray *ranges) {
FOKF("Range: %s Length: %d", key, ranges->len);
FVERBOSE("Range: [%s], Length: %d", key, ranges->len);
for (guint i = 0; i < ranges->len; i++) {
GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i);
GumAddress curr_limit = curr->base_address + curr->size;
FOKF("Range: %s Idx: %3d - 0x%016" G_GINT64_MODIFIER
"x-0x%016" G_GINT64_MODIFIER "x",
key, i, curr->base_address, curr_limit);
FVERBOSE("\t%3d - 0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER
"x",
i, curr->base_address, curr_limit);
}
@ -248,7 +248,7 @@ static GArray *collect_module_ranges(void) {
result = g_array_new(false, false, sizeof(GumMemoryRange));
gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS,
collect_module_ranges_callback, result);
print_ranges("Modules", result);
print_ranges("modules", result);
return result;
}
@ -348,7 +348,7 @@ static GArray *collect_libs_ranges(void) {
g_array_append_val(result, range);
print_ranges("AFL_INST_LIBS", result);
print_ranges("libs", result);
return result;
@ -382,7 +382,7 @@ static GArray *collect_jit_ranges(void) {
}
print_ranges("JIT", result);
print_ranges("jit", result);
return result;
}
@ -564,6 +564,7 @@ static GArray *merge_ranges(GArray *a) {
void ranges_print_debug_maps(void) {
FVERBOSE("Maps");
gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, print_ranges_callback, NULL);
}
@ -590,16 +591,15 @@ void ranges_init(void) {
GArray * step4;
GArray * step5;
FOKF("Ranges - Instrument jit [%c]", ranges_inst_jit ? 'X' : ' ');
FOKF("Ranges - Instrument libraries [%c]", ranges_inst_libs ? 'X' : ' ');
FOKF(cBLU "Ranges" cRST " - " cGRN "instrument jit:" cYEL " [%c]",
ranges_inst_jit ? 'X' : ' ');
FOKF(cBLU "Ranges" cRST " - " cGRN "instrument libraries:" cYEL " [%c]",
ranges_inst_libs ? 'X' : ' ');
FOKF(cBLU "Ranges" cRST " - " cGRN "instrument libraries:" cYEL " [%c]",
ranges_inst_libs ? 'X' : ' ');
print_ranges("AFL_FRIDA_INST_RANGES", include_ranges);
print_ranges("AFL_FRIDA_EXCLUDE_RANGES", exclude_ranges);
FOKF("Ranges - Instrument libraries [%c]", ranges_inst_libs ? 'X' : ' ');
print_ranges("AFL_FRIDA_INST_RANGES", include_ranges);
print_ranges("AFL_FRIDA_EXCLUDE_RANGES", exclude_ranges);
print_ranges("include", include_ranges);
print_ranges("exclude", exclude_ranges);
module_ranges = collect_module_ranges();
libs_ranges = collect_libs_ranges();
@ -673,7 +673,7 @@ void ranges_exclude() {
GumMemoryRange *r;
GumStalker * stalker = stalker_get();
FOKF("Excluding ranges");
FVERBOSE("Excluding ranges");
for (guint i = 0; i < ranges->len; i++) {

3
frida_mode/src/seccomp/seccomp.c
View File

@ -25,7 +25,8 @@ void seccomp_config(void) {
void seccomp_init(void) {
FOKF("Seccomp - file [%s]", seccomp_filename);
FOKF(cBLU "Seccomp" cRST " - " cGRN "file:" cYEL " [%s]",
seccomp_filename == NULL ? " " : seccomp_filename);
if (seccomp_filename == NULL) { return; }

2
frida_mode/src/seccomp/seccomp_callback.c
View File

@ -124,7 +124,7 @@ void seccomp_callback_initialize(void) {
path = g_canonicalize_filename(seccomp_filename, g_get_current_dir());
FOKF("Seccomp - path [%s]", path);
FVERBOSE("Seccomp - path [%s]", path);
fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);

2
frida_mode/src/seccomp/seccomp_filter.c
View File

@ -258,7 +258,7 @@ void seccomp_filter_run(int fd, seccomp_filter_callback_t callback) {
if (ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0) {
if (errno == ENOENT) { continue; }
FOKF("SECCOMP_IOCTL_NOTIF_SEND");
FVERBOSE("SECCOMP_IOCTL_NOTIF_SEND");
continue;
}

10
frida_mode/src/stalker.c
View File

@ -93,10 +93,12 @@ static gboolean stalker_exclude_self(const GumRangeDetails *details,
void stalker_init(void) {
FOKF("Instrumentation - backpatch [%c]", backpatch_enable ? 'X' : ' ');
FOKF("Stalker - ic_entries [%u]", stalker_ic_entries);
FOKF("Stalker - adjacent_blocks [%u]", stalker_adjacent_blocks);
FOKF(cBLU "Stalker" cRST " - " cGRN "backpatch:" cYEL " [%c]",
backpatch_enable ? 'X' : ' ');
FOKF(cBLU "Stalker" cRST " - " cGRN "ic_entries:" cYEL " [%u]",
stalker_ic_entries);
FOKF(cBLU "Stalker" cRST " - " cGRN "adjacent_blocks:" cYEL " [%u]",
stalker_adjacent_blocks);
#if !(defined(__x86_64__) || defined(__i386__))
if (getenv("AFL_FRIDA_STALKER_IC_ENTRIES") != NULL) {

10
frida_mode/src/stats/stats.c
View File

@ -329,8 +329,11 @@ void stats_config(void) {
void stats_init(void) {
FOKF("Stats - file [%s]", stats_filename);
FOKF("Stats - interval [%" G_GINT64_MODIFIER "u]", stats_interval);
FOKF(cBLU "Stats" cRST " - " cGRN "file:" cYEL " [%s]",
stats_filename == NULL ? " " : stats_filename);
FOKF(cBLU "Stats" cRST " - " cGRN "interval:" cYEL " [%" G_GINT64_MODIFIER
"u]",
stats_interval);
if (getenv("AFL_FRIDA_STATS_INTERVAL") != NULL &&
getenv("AFL_FRIDA_STATS_FILE") == NULL) {
@ -347,7 +350,8 @@ void stats_init(void) {
char *path = g_canonicalize_filename(stats_filename, g_get_current_dir());
FOKF("Stats - path [%s]", path);
FOKF(cBLU "Stats" cRST " - " cGRN "path:" cYEL " [%s]",
path == NULL ? " " : path);
stats_fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);

22
frida_mode/src/util.c
View File

@ -1,5 +1,7 @@
#include "util.h"
gboolean util_verbose = FALSE;
guint64 util_read_address(char *key, guint64 default_value) {
char *value_str = getenv(key);
@ -87,12 +89,13 @@ guint64 util_read_num(char *key, guint64 default_value) {
gboolean util_output_enabled(void) {
static gboolean initialized = FALSE;
static gboolean enabled = TRUE;
static gboolean enabled = FALSE;
if (!initialized) {
initialized = TRUE;
if (getenv("AFL_DEBUG_CHILD") == NULL) { enabled = FALSE; }
if (getenv("AFL_DEBUG_CHILD") != NULL) { enabled = TRUE; }
if (util_verbose_enabled()) { enabled = TRUE; }
}
@ -100,6 +103,21 @@ gboolean util_output_enabled(void) {
}
gboolean util_verbose_enabled(void) {
static gboolean initialized = FALSE;
if (!initialized) {
initialized = TRUE;
if (getenv("AFL_FRIDA_VERBOSE") != NULL) { util_verbose = TRUE; }
}
return util_verbose;
}
gsize util_rotate(gsize val, gsize shift, gsize size) {
if (shift == 0) { return val; }

14
frida_mode/ts/lib/afl.ts
View File

@ -78,7 +78,7 @@ class Afl {
}
/**
* See `AFL_FRIDA_INST_NO_BACKPATCH`.
* See `AFL_FRIDA_STALKER_NO_BACKPATCH`.
*/
public static setBackpatchDisable(): void {
Afl.jsApiSetBackpatchDisable();
@ -313,6 +313,13 @@ class Afl {
Afl.jsApiSetTraceable();
}
/**
* See `AFL_FRIDA_VERBOSE`
*/
public static setVerbose(): void {
Afl.jsApiSetVerbose();
}
private static readonly jsApiAddExcludeRange = Afl.jsApiGetFunction(
"js_api_add_exclude_range",
"void",
@ -480,6 +487,11 @@ class Afl {
"void",
[]);
private static readonly jsApiSetVerbose = Afl.jsApiGetFunction(
"js_api_set_verbose",
"void",
[]);
private static readonly jsApiWrite = new NativeFunction(
/* tslint:disable-next-line:no-null-keyword */
Module.getExportByName(null, "write"),

5
include/envs.h
View File

@ -59,7 +59,6 @@ static char *afl_environment_variables[] = {
"AFL_FRIDA_INST_COVERAGE_FILE",
"AFL_FRIDA_INST_DEBUG_FILE",
"AFL_FRIDA_INST_JIT",
"AFL_FRIDA_INST_NO_BACKPATCH",
"AFL_FRIDA_INST_NO_OPTIMIZE",
"AFL_FRIDA_INST_NO_PREFETCH",
"AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH",
@ -76,11 +75,13 @@ static char *afl_environment_variables[] = {
"AFL_FRIDA_PERSISTENT_DEBUG",
"AFL_FRIDA_PERSISTENT_HOOK",
"AFL_FRIDA_PERSISTENT_RET",
"AFL_FRIDA_STALKER_IC_ENTRIES",
"AFL_FRIDA_STALKER_ADJACENT_BLOCKS",
"AFL_FRIDA_STALKER_IC_ENTRIES",
"AFL_FRIDA_STALKER_NO_BACKPATCH",
"AFL_FRIDA_STATS_FILE",
"AFL_FRIDA_STATS_INTERVAL",
"AFL_FRIDA_TRACEABLE",
"AFL_FRIDA_VERBOSE",
"AFL_FUZZER_ARGS", // oss-fuzz
"AFL_GDB",
"AFL_GCC_ALLOWLIST",