Changes to allow configuration of stalker adjacent blocks

2025-06-15 11:28:08 +00:00 · 2021-11-15 17:14:04 +00:00
parent de90fd652e
commit e1d3fe30de
8 changed files with 51 additions and 3 deletions
--- a/frida_mode/README.md
+++ b/frida_mode/README.md
@ -215,6 +215,11 @@ gdb \
 ```
 * `AFL_FRIDA_SECCOMP_FILE` - Write a log of any syscalls made by the target to
 the specified file.
+* `AFL_FRIDA_STALKER_ADJACENT_BLOCKS` - Configure the number of adjacent blocks
+ to fetch when generating instrumented code. By fetching blocks in the same
+ order they appear in the original program, rather than the order of execution
+ should help reduce locallity and adjacency. This includes allowing us to vector
+ between adjancent blocks using a NOP slide rather than an immediate branch.
 * `AFL_FRIDA_STALKER_IC_ENTRIES` - Configure the number of inline cache entries
 stored along-side branch instructions which provide a cache to avoid having to
 call back into FRIDA to find the next block. Default is 32.
--- a/frida_mode/frida.map
+++ b/frida_mode/frida.map
@ -29,6 +29,7 @@
    js_api_set_prefetch_disable;
    js_api_set_seccomp_file;
    js_api_set_stalker_callback;
+    js_api_set_stalker_adjacent_blocks;
    js_api_set_stalker_ic_entries;
    js_api_set_stats_file;
    js_api_set_stats_interval;
--- a/frida_mode/include/stalker.h
+++ b/frida_mode/include/stalker.h
@ -5,6 +5,7 @@

 extern guint    stalker_ic_entries;
 extern gboolean backpatch_enable;
+extern guint    stalker_adjacent_blocks;

 void        stalker_config(void);
 void        stalker_init(void);
--- a/frida_mode/src/js/api.js
+++ b/frida_mode/src/js/api.js
@ -205,6 +205,12 @@ class Afl {
        const buf = Memory.allocUtf8String(file);
        Afl.jsApiSetSeccompFile(buf);
    }
+    /**
+     * See `AFL_FRIDA_STALKER_ADJACENT_BLOCKS`.
+     */
+    static setStalkerAdjacentBlocks(val) {
+        Afl.jsApiSetStalkerAdjacentBlocks(val);
+    }
    /*
     * Set a function to be called for each instruction which is instrumented
     * by AFL FRIDA mode.
@ -294,6 +300,7 @@ Afl.jsApiSetPrefetchBackpatchDisable = Afl.jsApiGetFunction("js_api_set_prefetch
 Afl.jsApiSetPrefetchDisable = Afl.jsApiGetFunction("js_api_set_prefetch_disable", "void", []);
 Afl.jsApiSetSeccompFile = Afl.jsApiGetFunction("js_api_set_seccomp_file", "void", ["pointer"]);
 Afl.jsApiSetStalkerCallback = Afl.jsApiGetFunction("js_api_set_stalker_callback", "void", ["pointer"]);
+Afl.jsApiSetStalkerAdjacentBlocks = Afl.jsApiGetFunction("js_api_set_stalker_adjacent_blocks", "void", ["uint32"]);
 Afl.jsApiSetStalkerIcEntries = Afl.jsApiGetFunction("js_api_set_stalker_ic_entries", "void", ["uint32"]);
 Afl.jsApiSetStatsFile = Afl.jsApiGetFunction("js_api_set_stats_file", "void", ["pointer"]);
 Afl.jsApiSetStatsInterval = Afl.jsApiGetFunction("js_api_set_stats_interval", "void", ["uint64"]);
--- a/frida_mode/src/js/js_api.c
+++ b/frida_mode/src/js/js_api.c
@ -250,3 +250,11 @@ __attribute__((visibility("default"))) void js_api_set_backpatch_disable(void) {

 }

+
+__attribute__((visibility("default"))) void js_api_set_stalker_adjacent_blocks(
+    guint val) {
+
+  stalker_adjacent_blocks = val;
+
+}
+
--- a/frida_mode/src/stalker.c
+++ b/frida_mode/src/stalker.c
@ -7,6 +7,7 @@

 guint    stalker_ic_entries = 0;
 gboolean backpatch_enable = TRUE;
+guint    stalker_adjacent_blocks = 0;

 static GumStalker *stalker = NULL;

@ -60,7 +61,9 @@ void stalker_config(void) {

  backpatch_enable = (getenv("AFL_FRIDA_INST_NO_BACKPATCH") == NULL);

-  stalker_ic_entries = util_read_num("AFL_FRIDA_STALKER_IC_ENTRIES");
+  stalker_ic_entries = util_read_num("AFL_FRIDA_STALKER_ADJACENT_BLOCKS");
+
+  stalker_adjacent_blocks = util_read_num("AFL_FRIDA_STALKER_IC_ENTRIES");

  observer = g_object_new(GUM_TYPE_AFL_STALKER_OBSERVER, NULL);

@ -92,6 +95,7 @@ void stalker_init(void) {
  FOKF("Instrumentation - backpatch [%c]", backpatch_enable ? 'X' : ' ');

  FOKF("Stalker - ic_entries [%u]", stalker_ic_entries);
+  FOKF("Stalker - adjacent_blocks [%u]", stalker_adjacent_blocks);

 #if !(defined(__x86_64__) || defined(__i386__))
  if (stalker_ic_entries != 0) {
@ -100,13 +104,21 @@ void stalker_init(void) {

  }

+  if (stalker_adjacent_blocks != 0) {
+
+    FFATAL("AFL_FRIDA_STALKER_ADJACENT_BLOCKS not supported");
+
+  }
+
 #endif

  if (stalker_ic_entries == 0) { stalker_ic_entries = 32; }

+  if (stalker_adjacent_blocks == 0) { stalker_adjacent_blocks = 32; }
+
 #if defined(__x86_64__) || defined(__i386__)
-  stalker =
-      g_object_new(GUM_TYPE_STALKER, "ic-entries", stalker_ic_entries, NULL);
+  stalker = g_object_new(GUM_TYPE_STALKER, "ic-entries", stalker_ic_entries,
+                         "adjacent-blocks", stalker_adjacent_blocks, NULL);
 #else
  stalker = gum_stalker_new();
 #endif
--- a/frida_mode/ts/lib/afl.ts
+++ b/frida_mode/ts/lib/afl.ts
@ -241,6 +241,13 @@ class Afl {
    Afl.jsApiSetSeccompFile(buf);
  }

+  /**
+   * See `AFL_FRIDA_STALKER_ADJACENT_BLOCKS`.
+   */
+  public static setStalkerAdjacentBlocks(val: number): void {
+    Afl.jsApiSetStalkerAdjacentBlocks(val);
+  }
+
  /*
   * Set a function to be called for each instruction which is instrumented
   * by AFL FRIDA mode.
@ -425,6 +432,11 @@ class Afl {
    "void",
    ["pointer"]);

+  private static readonly jsApiSetStalkerAdjacentBlocks = Afl.jsApiGetFunction(
+    "js_api_set_stalker_adjacent_blocks",
+    "void",
+    ["uint32"]);
+
  private static readonly jsApiSetStalkerIcEntries = Afl.jsApiGetFunction(
    "js_api_set_stalker_ic_entries",
    "void",
--- a/include/envs.h
+++ b/include/envs.h
@ -76,6 +76,8 @@ static char *afl_environment_variables[] = {
    "AFL_FRIDA_PERSISTENT_DEBUG",
    "AFL_FRIDA_PERSISTENT_HOOK",
    "AFL_FRIDA_PERSISTENT_RET",
+    "AFL_FRIDA_STALKER_IC_ENTRIES",
+    "AFL_FRIDA_STALKER_ADJACENT_BLOCKS",
    "AFL_FRIDA_STATS_FILE",
    "AFL_FRIDA_STATS_INTERVAL",
    "AFL_FRIDA_TRACEABLE",