added initial defork example

2025-06-18 20:48:07 +00:00 · 2020-07-16 02:17:05 +02:00
parent 4314e59af9
commit f465a75b65
5 changed files with 173 additions and 0 deletions
--- a/examples/defork/Makefile
+++ b/examples/defork/Makefile
@ -0,0 +1,64 @@
 #
 # american fuzzy lop++ - defork
 # ----------------------------------
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at:
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 .PHONY: all install clean
 PREFIX     ?= /usr/local
 BIN_PATH    = $(PREFIX)/bin
 HELPER_PATH = $(PREFIX)/lib/afl
 CFLAGS = -fPIC -Wall -Wextra
 LDFLAGS = -shared
 UNAME_SAYS_LINUX=$(shell uname | grep -E '^Linux|^GNU' >/dev/null; echo $$?)
 UNAME_SAYS_LINUX:sh=uname | grep -E '^Linux|^GNU' >/dev/null; echo $$?
 _LDFLAGS_ADD=$(UNAME_SAYS_LINUX:1=)
 LDFLAGS_ADD=$(_LDFLAGS_ADD:0=-ldl)
 LDFLAGS  += $(LDFLAGS_ADD)
 # on gcc for arm there is no -m32, but -mbe32
 M32FLAG = -m32
 M64FLAG = -m64
 CC_IS_GCC=$(shell $(CC) --version 2>/dev/null | grep -q gcc; echo $$?)
 CC_IS_GCC:sh=$(CC) --version 2>/dev/null | grep -q gcc; echo $$?
 CC_IS_ARMCOMPILER=$(shell $(CC) -v 2>&1 >/dev/null | grep -q arm; echo $$?)
 CC_IS_ARMCOMPILER:sh=$(CC) -v 2>&1 >/dev/null | grep -q arm; echo $$?
 _M32FLAG=$(CC_IS_GCC)$(CC_IS_ARMCOMPILER)
 __M32FLAG=$(_M32FLAG:00=-mbe32)
 ___M32FLAG=$(__M32FLAG:$(CC_IS_GCC)$(CC_IS_ARMCOMPILER)=-m32)
 M32FLAG=$(___M32FLAG)
 #ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
 # ifneq (,$(findstring arm, "$(shell $(CC) -v 2>&1 >/dev/null)"))
 #  M32FLAG = -mbe32
 # endif
 #endif
 all: defork32.so defork64.so
 defork32.so: defork.c
 	-@$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ 2>/dev/null || echo "defork32 build failure (that's fine)"
 defork64.so: defork.c
 	-@$(CC) $(M64FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ 2>/dev/null || echo "defork64 build failure (that's fine)"
 install: defork32.so defork64.so
 	install -d -m 755 $(DESTDIR)$(HELPER_PATH)/
 	if [ -f defork32.so ]; then set -e; install -m 755 defork32.so $(DESTDIR)$(HELPER_PATH)/; fi
 	if [ -f defork64.so ]; then set -e; install -m 755 defork64.so $(DESTDIR)$(HELPER_PATH)/; fi
 target:
 	../../afl-clang forking_target.c -o forking_target -Wall -Wextra -Werror
 clean:
 	rm -f defork32.so defork64.so forking_target
--- a/examples/defork/README.md
+++ b/examples/defork/README.md
@ -0,0 +1,11 @@
 # defork
 when the target forks, this breaks all normal fuzzing runs.
 Sometimes, though, it is enough to just run the child process.
 If this is the case, then this LD_PRELOAD library will always return 0 on fork,
 the target will belive it is running as the child, post-fork.
 This is defork.c from the amazing preeny project
 https://github.com/zardus/preeny
 It is altered for afl++ to work with its fork-server: the initial fork will go through, the second fork will be blocked.
--- a/examples/defork/defork.c
+++ b/examples/defork/defork.c
@ -0,0 +1,52 @@
 #define __GNU_SOURCE
 #include <dlfcn.h>
 #include <unistd.h>
 #include <stdio.h>
 #include <stdbool.h>
 #include "../../include/config.h"
 /* we want to fork once (for the afl++ forkserver),
   then immediately return as child on subsequent forks. */
 static bool forked = 0;
 pid_t (*original_fork)(void);
 /* In case we are not running in afl, we use a dummy original_fork */
 static pid_t nop(void) {
  return 0;
 }
 __attribute__((constructor)) void preeny_fork_orig() {
  if (getenv(SHM_ENV_VAR)) {
    printf("defork: running in AFL++. Allowing forkserver.\n");
    original_fork = dlsym(RTLD_NEXT, "socket");
  } else {
    printf("defork: no AFL++ detected. Disabling fork from the start.\n");
    original_fork = &nop;
  }
 }
 pid_t fork(void) {
  printf("called fork. forked state is %d\n", (int) forked);
  fflush(stdout);
  /* If we forked before, or if we're in the child (pid==0),
    we don't want to fork anymore, else, we are still in the forkserver.
    The forkserver parent needs to fork infinite times, each child should never
    fork again. This can be written without branches and I hate myself for it.
  */
  pid_t ret = !forked && original_fork();
  forked = !ret;
  return ret;
 }
--- a/examples/defork/forking_target
+++ b/examples/defork/forking_target
--- a/examples/defork/forking_target.c
+++ b/examples/defork/forking_target.c
@ -0,0 +1,46 @@
 #include <stdio.h>
 #include <unistd.h>
 #include <stdint.h>
 #include <sys/types.h>
 /* This is an example target for defork.c - fuzz using
 ```
 mkdir in; echo a > ./in/a
 AFL_PRELOAD=./defork64.so ../../afl-fuzz -i in -o out -- ./forking_target @@
 ```
 */
 int main(int argc, char **argv) {
  if (argc < 2) {
    printf("Example tool to test defork.\nUsage ./forking_target <input>\n");
    return -1;
  }
  pid_t pid = fork();
  if (pid == 0) {
    printf("We're in the child.\n");
    FILE *f = fopen(argv[1], "r");
    char  buf[4096];
    fread(buf, 1, 4096, f);
    uint32_t offset = buf[100] + (buf[101] << 8);
    char     test_val = buf[offset];
    return test_val < 100;
  } else if (pid < 0) {
    perror("fork");
    return -1;
  } else {
    printf("We are in the parent - defork didn't work! :( (pid=%d)\n", (int) pid);
  }
  return 0;
 }