Changes to allow configuration of stalker adjacent blocks

2025-06-15 11:28:08 +00:00 · 2021-11-15 17:14:04 +00:00
parent de90fd652e
commit e1d3fe30de
8 changed files with 51 additions and 3 deletions
--- a/frida_mode/README.md
+++ b/frida_mode/README.md
@ -215,6 +215,11 @@ gdb \
 ```
 * `AFL_FRIDA_SECCOMP_FILE` - Write a log of any syscalls made by the target to
 the specified file.
 * `AFL_FRIDA_STALKER_ADJACENT_BLOCKS` - Configure the number of adjacent blocks
 to fetch when generating instrumented code. By fetching blocks in the same
 order they appear in the original program, rather than the order of execution
 should help reduce locallity and adjacency. This includes allowing us to vector
 between adjancent blocks using a NOP slide rather than an immediate branch.
 * `AFL_FRIDA_STALKER_IC_ENTRIES` - Configure the number of inline cache entries
 stored along-side branch instructions which provide a cache to avoid having to
 call back into FRIDA to find the next block. Default is 32.
--- a/frida_mode/frida.map
+++ b/frida_mode/frida.map
@ -29,6 +29,7 @@
    js_api_set_prefetch_disable;
    js_api_set_seccomp_file;
    js_api_set_stalker_callback;
    js_api_set_stalker_adjacent_blocks;
    js_api_set_stalker_ic_entries;
    js_api_set_stats_file;
    js_api_set_stats_interval;
--- a/frida_mode/include/stalker.h
+++ b/frida_mode/include/stalker.h
@ -5,6 +5,7 @@
 extern guint    stalker_ic_entries;
 extern gboolean backpatch_enable;
 extern guint    stalker_adjacent_blocks;
 void        stalker_config(void);
 void        stalker_init(void);
--- a/frida_mode/src/js/api.js
+++ b/frida_mode/src/js/api.js
@ -205,6 +205,12 @@ class Afl {
        const buf = Memory.allocUtf8String(file);
        Afl.jsApiSetSeccompFile(buf);
    }
    /**
     * See `AFL_FRIDA_STALKER_ADJACENT_BLOCKS`.
     */
    static setStalkerAdjacentBlocks(val) {
        Afl.jsApiSetStalkerAdjacentBlocks(val);
    }
    /*
     * Set a function to be called for each instruction which is instrumented
     * by AFL FRIDA mode.
@ -294,6 +300,7 @@ Afl.jsApiSetPrefetchBackpatchDisable = Afl.jsApiGetFunction("js_api_set_prefetch
 Afl.jsApiSetPrefetchDisable = Afl.jsApiGetFunction("js_api_set_prefetch_disable", "void", []);
 Afl.jsApiSetSeccompFile = Afl.jsApiGetFunction("js_api_set_seccomp_file", "void", ["pointer"]);
 Afl.jsApiSetStalkerCallback = Afl.jsApiGetFunction("js_api_set_stalker_callback", "void", ["pointer"]);
 Afl.jsApiSetStalkerAdjacentBlocks = Afl.jsApiGetFunction("js_api_set_stalker_adjacent_blocks", "void", ["uint32"]);
 Afl.jsApiSetStalkerIcEntries = Afl.jsApiGetFunction("js_api_set_stalker_ic_entries", "void", ["uint32"]);
 Afl.jsApiSetStatsFile = Afl.jsApiGetFunction("js_api_set_stats_file", "void", ["pointer"]);
 Afl.jsApiSetStatsInterval = Afl.jsApiGetFunction("js_api_set_stats_interval", "void", ["uint64"]);
--- a/frida_mode/src/js/js_api.c
+++ b/frida_mode/src/js/js_api.c
@ -250,3 +250,11 @@ __attribute__((visibility("default"))) void js_api_set_backpatch_disable(void) {
 }
 __attribute__((visibility("default"))) void js_api_set_stalker_adjacent_blocks(
    guint val) {
  stalker_adjacent_blocks = val;
 }
--- a/frida_mode/src/stalker.c
+++ b/frida_mode/src/stalker.c
@ -7,6 +7,7 @@
 guint    stalker_ic_entries = 0;
 gboolean backpatch_enable = TRUE;
 guint    stalker_adjacent_blocks = 0;
 static GumStalker *stalker = NULL;
@ -60,7 +61,9 @@ void stalker_config(void) {
  backpatch_enable = (getenv("AFL_FRIDA_INST_NO_BACKPATCH") == NULL);
-  stalker_ic_entries = util_read_num("AFL_FRIDA_STALKER_IC_ENTRIES");
+  stalker_ic_entries = util_read_num("AFL_FRIDA_STALKER_ADJACENT_BLOCKS");
  stalker_adjacent_blocks = util_read_num("AFL_FRIDA_STALKER_IC_ENTRIES");
  observer = g_object_new(GUM_TYPE_AFL_STALKER_OBSERVER, NULL);
@ -92,6 +95,7 @@ void stalker_init(void) {
  FOKF("Instrumentation - backpatch [%c]", backpatch_enable ? 'X' : ' ');
  FOKF("Stalker - ic_entries [%u]", stalker_ic_entries);
  FOKF("Stalker - adjacent_blocks [%u]", stalker_adjacent_blocks);
 #if !(defined(__x86_64__) || defined(__i386__))
  if (stalker_ic_entries != 0) {
@ -100,13 +104,21 @@ void stalker_init(void) {
  }
  if (stalker_adjacent_blocks != 0) {
    FFATAL("AFL_FRIDA_STALKER_ADJACENT_BLOCKS not supported");
  }
 #endif
  if (stalker_ic_entries == 0) { stalker_ic_entries = 32; }
  if (stalker_adjacent_blocks == 0) { stalker_adjacent_blocks = 32; }
 #if defined(__x86_64__) || defined(__i386__)
-  stalker =
+  stalker = g_object_new(GUM_TYPE_STALKER, "ic-entries", stalker_ic_entries,
-      g_object_new(GUM_TYPE_STALKER, "ic-entries", stalker_ic_entries, NULL);
+                         "adjacent-blocks", stalker_adjacent_blocks, NULL);
 #else
  stalker = gum_stalker_new();
 #endif
--- a/frida_mode/ts/lib/afl.ts
+++ b/frida_mode/ts/lib/afl.ts
@ -241,6 +241,13 @@ class Afl {
    Afl.jsApiSetSeccompFile(buf);
  }
  /**
   * See `AFL_FRIDA_STALKER_ADJACENT_BLOCKS`.
   */
  public static setStalkerAdjacentBlocks(val: number): void {
    Afl.jsApiSetStalkerAdjacentBlocks(val);
  }
  /*
   * Set a function to be called for each instruction which is instrumented
   * by AFL FRIDA mode.
@ -425,6 +432,11 @@ class Afl {
    "void",
    ["pointer"]);
  private static readonly jsApiSetStalkerAdjacentBlocks = Afl.jsApiGetFunction(
    "js_api_set_stalker_adjacent_blocks",
    "void",
    ["uint32"]);
  private static readonly jsApiSetStalkerIcEntries = Afl.jsApiGetFunction(
    "js_api_set_stalker_ic_entries",
    "void",
--- a/include/envs.h
+++ b/include/envs.h
@ -76,6 +76,8 @@ static char *afl_environment_variables[] = {
    "AFL_FRIDA_PERSISTENT_DEBUG",
    "AFL_FRIDA_PERSISTENT_HOOK",
    "AFL_FRIDA_PERSISTENT_RET",
    "AFL_FRIDA_STALKER_IC_ENTRIES",
    "AFL_FRIDA_STALKER_ADJACENT_BLOCKS",
    "AFL_FRIDA_STATS_FILE",
    "AFL_FRIDA_STATS_INTERVAL",
    "AFL_FRIDA_TRACEABLE",