diff options
| author | van Hauser <vh@thc.org> | 2021-06-08 10:10:42 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-06-08 10:10:42 +0200 |
| commit | 48c878a76ddec2c133fd5708b185b2ac27740084 (patch) | |
| tree | 5cc820ab3835ad9d9c59702224ff437419143d12 /frida_mode/src/persistent | |
| parent | 436f997d2658aee79d5eadafdb6af8a283941b9b (diff) | |
| download | afl++-48c878a76ddec2c133fd5708b185b2ac27740084.tar.gz | |
push to stable (#962)
* use atomic read-modify-write increment for LLVM CLASSIC
* Change other LLVM modes to atomic increments
* sync (#886)
* Create FUNDING.yml
* Update FUNDING.yml
* moved custom_mutator examples
* unicorn speedtest makefile cleanup
* fixed example location
* fix qdbi
* update util readme
* work in progress: not working correctly yet
* Frida persistent (#880)
* Added x64 support for persistent mode (function call only), in-memory teest cases and complog
* Review changes, fix NeverZero and code to parse the .text section of the main executable. Excluded ranges TBC
* Various minor fixes and finished support for AFL_INST_LIBS
* Review changes
Co-authored-by: Your Name <you@example.com>
* nits
* fix frida mode
* Integer overflow/underflow fixes in libdislocator (#889)
* libdislocator: fixing integer overflow in 'max_mem' variable and setting 'max_mem' type to 'size_t'
* libdislocator: fixing potential integer underflow in 'total_mem' variable due to its different values in different threads
* Bumped warnings up to the max and fixed remaining issues (#890)
Co-authored-by: Your Name <you@example.com>
* nits
* frida mode - support non-pie
* nits
* nit
* update grammar mutator
* Fixes for aarch64, OSX and other minor issues (#891)
Co-authored-by: Your Name <you@example.com>
* nits
* nits
* fix PCGUARD, build aflpp_driver with fPIC
* Added representative fuzzbench test and test for libxml (#893)
* Added representative fuzzbench test and test for libxml
* Added support for building FRIDA from source with FRIDA_SOURCE=1
Co-authored-by: Your Name <you@example.com>
* nits
* update changelog
* typos
* still not working
* fixed potential double free in custom trim (#881)
* error handling, freeing mem
* frida: complog -> cmplog
* fix statsd writing
* let aflpp_qemu_driver_hook.so build fail gracefully
* fix stdin trimming
* Support for AFL_ENTRYPOINT (#898)
Co-authored-by: Your Name <you@example.com>
* remove the input file .cur_input at the end of the fuzzing, if AFL_TMPDIR is used
* reverse push (#901)
* Create FUNDING.yml
* Update FUNDING.yml
* disable QEMU static pie
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
* clarify that no modifications are required.
* add new test for frida_mode (please review)
* typos
* fix persistent mode (64-bit)
* set ARCH for linux intel 32-bit for frida-gum-devkit
* prepare for 32-bit support (later)
* not on qemu 3 anymore
* unicorn mips fixes
* instrumentation further move to C++11 (#900)
* unicorn fixes
* first working NeverZero implementation
* more unicorn fixes
* Fix memory errors when trim causes testcase growth (#881) (#903)
* Revert "fixed potential double free in custom trim (#881)"
This reverts commit e9d2f72382cab75832721d859c3e731da071435d.
* Revert "fix custom trim for increasing data"
This reverts commit 86a8ef168dda766d2f25f15c15c4d3ecf21d0667.
* Fix memory errors when trim causes testcase growth
Modify trim_case_custom to avoid writing into in_buf because
some custom mutators can cause the testcase to grow rather than
shrink.
Instead of modifying in_buf directly, we write the update out
to the disk when trimming is complete, and then the caller is
responsible for refreshing the in-memory buffer from the file.
This is still a bit sketchy because it does need to modify q->len in
order to notify the upper layers that something changed, and it could
end up telling upper layer code that the q->len is *bigger* than
the buffer (q->testcase_buf) that contains it, which is asking
for trouble down the line somewhere...
* Fix an unlikely situation
Put back some `unlikely()` calls that were in
the e9d2f72382cab75832721d859c3e731da071435d commit that was
reverted.
* add some comments
* typo
* Exit on time (#904)
* Variable AFL_EXIT_ON_TIME description has been added.
Variables AFL_EXIT_ON_TIME and afl_exit_on_time has been added.
afl->exit_on_time variable initialization has been added.
The asignment of a value to the afl->afl_env.afl_exit_on_time variable from
environment variables has been added.
Code to exit on timeout if new path not found has been added.
* Type of afl_exit_on_time variable has been changed.
Variable exit_on_time has been added to the afl_state_t structure.
* Command `export AFL_EXIT_WHEN_DONE=1` has been added.
* Millisecond to second conversion has been added.
Call get_cur_time() has been added.
* Revert to using the saved current time value.
* Useless check has been removed.
* fix new path to custom-mutators
* ensure crashes/README.txt exists
* fix
* Changes to bump FRIDA version and to clone FRIDA repo in to build directory rather than use a submodule as the FRIDA build scripts don't like it (#906)
Co-authored-by: Your Name <you@example.com>
* Fix numeric overflow in cmplog implementation (#907)
Co-authored-by: Your Name <you@example.com>
* testcase fixes for unicorn
* remove merge conflict artifacts
* fix afl-plot
* Changes to remove binaries from frida_mode (#913)
Co-authored-by: Your Name <you@example.com>
* Frida cmplog fail fast (#914)
* Changes to remove binaries from frida_mode
* Changes to make cmplog fail fast
Co-authored-by: Your Name <you@example.com>
* afl-plot: relative time
* arch linux and mac os support for afl-system-config
* typo
* code-format
* update documentation
* github workflow for qemu
* OSX-specific improvements (#912)
* Fix afl-cc to work correctly by default on OSX using xcode
- CLANG_ENV_VAR must be set for afl-as to work
- Use clang mode by default if no specific compiler selected
* Add OSX-specific documentation for configuring shared memory
* Fixes to memory operands for complog (#916)
Co-authored-by: Your Name <you@example.com>
* fix a few cur_time uses
* added bounds check to pivot_inputs (fixes #921)
* additional safety checks for restarts
* restrict afl-showmap in_file size
* fix seed crash disable
* add warning for afl-showmap partial read
* no core dumps
* AFL_PRINT_FILENAMES added
* more documentation for AFL_EXIT_ON_TIME
* Flushing for AFL_PRINT_FILENAMES
* FASAN Support (#918)
* FASAN Support
* Fix handling of Address Sanitizer DSO
* Changes to identification of Address Sanitizer DSO
Co-authored-by: Your Name <you@example.com>
* Support for x86 (#920)
Co-authored-by: Your Name <you@example.com>
* Update frida_mode readme (#925)
* libqasan: use syscalls for read and write
* update readme
* Minor integration tweaks (#926)
Co-authored-by: Your Name <you@example.com>
* merge
* fix afl-fuzz.c frida preload
* cleaned up AFL_PRINT_FILENAMES env
* Changes to have persistent mode exit at the end of the loop (#928)
Co-authored-by: Your Name <you@example.com>
* fix llvm-dict2file
* push to stable (#931) (#932)
* sync (#886)
* Create FUNDING.yml
* Update FUNDING.yml
* moved custom_mutator examples
* unicorn speedtest makefile cleanup
* fixed example location
* fix qdbi
* update util readme
* Frida persistent (#880)
* Added x64 support for persistent mode (function call only), in-memory teest cases and complog
* Review changes, fix NeverZero and code to parse the .text section of the main executable. Excluded ranges TBC
* Various minor fixes and finished support for AFL_INST_LIBS
* Review changes
Co-authored-by: Your Name <you@example.com>
* nits
* fix frida mode
* Integer overflow/underflow fixes in libdislocator (#889)
* libdislocator: fixing integer overflow in 'max_mem' variable and setting 'max_mem' type to 'size_t'
* libdislocator: fixing potential integer underflow in 'total_mem' variable due to its different values in different threads
* Bumped warnings up to the max and fixed remaining issues (#890)
Co-authored-by: Your Name <you@example.com>
* nits
* frida mode - support non-pie
* nits
* nit
* update grammar mutator
* Fixes for aarch64, OSX and other minor issues (#891)
Co-authored-by: Your Name <you@example.com>
* nits
* nits
* fix PCGUARD, build aflpp_driver with fPIC
* Added representative fuzzbench test and test for libxml (#893)
* Added representative fuzzbench test and test for libxml
* Added support for building FRIDA from source with FRIDA_SOURCE=1
Co-authored-by: Your Name <you@example.com>
* nits
* update changelog
* typos
* fixed potential double free in custom trim (#881)
* error handling, freeing mem
* frida: complog -> cmplog
* fix statsd writing
* let aflpp_qemu_driver_hook.so build fail gracefully
* fix stdin trimming
* Support for AFL_ENTRYPOINT (#898)
Co-authored-by: Your Name <you@example.com>
* remove the input file .cur_input at the end of the fuzzing, if AFL_TMPDIR is used
* reverse push (#901)
* Create FUNDING.yml
* Update FUNDING.yml
* disable QEMU static pie
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
* clarify that no modifications are required.
* add new test for frida_mode (please review)
* typos
* fix persistent mode (64-bit)
* set ARCH for linux intel 32-bit for frida-gum-devkit
* prepare for 32-bit support (later)
* not on qemu 3 anymore
* unicorn mips fixes
* instrumentation further move to C++11 (#900)
* unicorn fixes
* more unicorn fixes
* Fix memory errors when trim causes testcase growth (#881) (#903)
* Revert "fixed potential double free in custom trim (#881)"
This reverts commit e9d2f72382cab75832721d859c3e731da071435d.
* Revert "fix custom trim for increasing data"
This reverts commit 86a8ef168dda766d2f25f15c15c4d3ecf21d0667.
* Fix memory errors when trim causes testcase growth
Modify trim_case_custom to avoid writing into in_buf because
some custom mutators can cause the testcase to grow rather than
shrink.
Instead of modifying in_buf directly, we write the update out
to the disk when trimming is complete, and then the caller is
responsible for refreshing the in-memory buffer from the file.
This is still a bit sketchy because it does need to modify q->len in
order to notify the upper layers that something changed, and it could
end up telling upper layer code that the q->len is *bigger* than
the buffer (q->testcase_buf) that contains it, which is asking
for trouble down the line somewhere...
* Fix an unlikely situation
Put back some `unlikely()` calls that were in
the e9d2f72382cab75832721d859c3e731da071435d commit that was
reverted.
* typo
* Exit on time (#904)
* Variable AFL_EXIT_ON_TIME description has been added.
Variables AFL_EXIT_ON_TIME and afl_exit_on_time has been added.
afl->exit_on_time variable initialization has been added.
The asignment of a value to the afl->afl_env.afl_exit_on_time variable from
environment variables has been added.
Code to exit on timeout if new path not found has been added.
* Type of afl_exit_on_time variable has been changed.
Variable exit_on_time has been added to the afl_state_t structure.
* Command `export AFL_EXIT_WHEN_DONE=1` has been added.
* Millisecond to second conversion has been added.
Call get_cur_time() has been added.
* Revert to using the saved current time value.
* Useless check has been removed.
* fix new path to custom-mutators
* ensure crashes/README.txt exists
* fix
* Changes to bump FRIDA version and to clone FRIDA repo in to build directory rather than use a submodule as the FRIDA build scripts don't like it (#906)
Co-authored-by: Your Name <you@example.com>
* Fix numeric overflow in cmplog implementation (#907)
Co-authored-by: Your Name <you@example.com>
* testcase fixes for unicorn
* remove merge conflict artifacts
* fix afl-plot
* Changes to remove binaries from frida_mode (#913)
Co-authored-by: Your Name <you@example.com>
* Frida cmplog fail fast (#914)
* Changes to remove binaries from frida_mode
* Changes to make cmplog fail fast
Co-authored-by: Your Name <you@example.com>
* afl-plot: relative time
* arch linux and mac os support for afl-system-config
* typo
* code-format
* update documentation
* github workflow for qemu
* OSX-specific improvements (#912)
* Fix afl-cc to work correctly by default on OSX using xcode
- CLANG_ENV_VAR must be set for afl-as to work
- Use clang mode by default if no specific compiler selected
* Add OSX-specific documentation for configuring shared memory
* Fixes to memory operands for complog (#916)
Co-authored-by: Your Name <you@example.com>
* fix a few cur_time uses
* added bounds check to pivot_inputs (fixes #921)
* additional safety checks for restarts
* restrict afl-showmap in_file size
* fix seed crash disable
* add warning for afl-showmap partial read
* no core dumps
* AFL_PRINT_FILENAMES added
* more documentation for AFL_EXIT_ON_TIME
* Flushing for AFL_PRINT_FILENAMES
* FASAN Support (#918)
* FASAN Support
* Fix handling of Address Sanitizer DSO
* Changes to identification of Address Sanitizer DSO
Co-authored-by: Your Name <you@example.com>
* Support for x86 (#920)
Co-authored-by: Your Name <you@example.com>
* Update frida_mode readme (#925)
* libqasan: use syscalls for read and write
* update readme
* Minor integration tweaks (#926)
Co-authored-by: Your Name <you@example.com>
* merge
* fix afl-fuzz.c frida preload
* cleaned up AFL_PRINT_FILENAMES env
* Changes to have persistent mode exit at the end of the loop (#928)
Co-authored-by: Your Name <you@example.com>
* fix llvm-dict2file
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
Co-authored-by: Dmitry Zheregelya <zheregelya.d@gmail.com>
Co-authored-by: hexcoder <hexcoder-@users.noreply.github.com>
Co-authored-by: hexcoder- <heiko@hexco.de>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
Co-authored-by: David CARLIER <devnexen@gmail.com>
Co-authored-by: realmadsci <71108352+realmadsci@users.noreply.github.com>
Co-authored-by: Roman M. Iudichev <SecNotice@ya.ru>
Co-authored-by: Dustin Spicuzza <dustin@virtualroadside.com>
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
Co-authored-by: Dmitry Zheregelya <zheregelya.d@gmail.com>
Co-authored-by: hexcoder <hexcoder-@users.noreply.github.com>
Co-authored-by: hexcoder- <heiko@hexco.de>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
Co-authored-by: David CARLIER <devnexen@gmail.com>
Co-authored-by: realmadsci <71108352+realmadsci@users.noreply.github.com>
Co-authored-by: Roman M. Iudichev <SecNotice@ya.ru>
Co-authored-by: Dustin Spicuzza <dustin@virtualroadside.com>
* improve error msg
* Added documentation for wine LoadLibrary workaround (#933)
* Fix cmake target compilation command example (#934)
- Fix typo DCMAKE_C_COMPILERC -> DCMAKE_C_COMPILER.
- Add `cd build` after `mkdir build`.
* showmap passes queue items in alphabetical order
* added tmp files to gitignore
* lenient dict parsing, no map size enum for binary fuzzing
* added info about showmap queue directions
* update binary-only doc
* turn off map size detection if skip_bin_check is set
* Typo
* update docs
* update afl-system-config
* Set kill signal before using it in afl-showmap (#935)
* fix afl-cc help output
* add libafl to binary-only doc
* update docs
* less executions on variable paths
* AFL_SKIP_CRASHES is obsolete since 3.0
* add AFL_TRY_AFFINITY
* Typo
* Typo
* Typo/wording
* tweaks
* typos
* fix afl-whatsup help output
* fix afl-plot output
* fix for MacOS
* fix cmpcov doc for qemu
* fix tmpfile removal
* update dockerfile
* Frida (#940)
* Added re2 test
* Added libpcap test
* Fix validation of setting of ADDR_NO_RANDOMIZE
* Added support for printing original and instrumented code
Co-authored-by: Your Name <you@example.com>
* Support for AFL_FRIDA_PERSISTENT_RET (#941)
Co-authored-by: Your Name <you@example.com>
* Changes to add missing exclusion of ranges (#943)
Co-authored-by: Your Name <you@example.com>
* add --afl-noopt to afl-cc
* docs: fix link to README in QuickStartGuide (#946)
* Support writing Stalker stats (#945)
* Support writing Stalker stats
* Fixed string handling in print functions
Co-authored-by: Your Name <you@example.com>
* afl-cmin help fix, aflpp_driver - + @@ support
* fix for afl-showmap
* support new env var AFL_LLVM_THREADSAFE_INST to enable atomic counters.
add new test case for that.
* add documentation for AFL_LLVM_THREADSAFE_INST
* add support for AFL_LLVM_THREADSAFE_INST to other LLVM passes
* add missing include for _exit()
* threadsafe doc fixes, code format
* Wording: "never zero" -> NeverZero
* fix afl_custom_post_process with multiple custom mutators
* fix docs
* debug ck_write
* fixed potential diff by 0
* fixes
* fix classic threadsafe counters
* v3.13c release
* back push (#952)
* Dev (#949)
* use atomic read-modify-write increment for LLVM CLASSIC
* Change other LLVM modes to atomic increments
* sync (#886)
* Create FUNDING.yml
* Update FUNDING.yml
* moved custom_mutator examples
* unicorn speedtest makefile cleanup
* fixed example location
* fix qdbi
* update util readme
* work in progress: not working correctly yet
* Frida persistent (#880)
* Added x64 support for persistent mode (function call only), in-memory teest cases and complog
* Review changes, fix NeverZero and code to parse the .text section of the main executable. Excluded ranges TBC
* Various minor fixes and finished support for AFL_INST_LIBS
* Review changes
Co-authored-by: Your Name <you@example.com>
* nits
* fix frida mode
* Integer overflow/underflow fixes in libdislocator (#889)
* libdislocator: fixing integer overflow in 'max_mem' variable and setting 'max_mem' type to 'size_t'
* libdislocator: fixing potential integer underflow in 'total_mem' variable due to its different values in different threads
* Bumped warnings up to the max and fixed remaining issues (#890)
Co-authored-by: Your Name <you@example.com>
* nits
* frida mode - support non-pie
* nits
* nit
* update grammar mutator
* Fixes for aarch64, OSX and other minor issues (#891)
Co-authored-by: Your Name <you@example.com>
* nits
* nits
* fix PCGUARD, build aflpp_driver with fPIC
* Added representative fuzzbench test and test for libxml (#893)
* Added representative fuzzbench test and test for libxml
* Added support for building FRIDA from source with FRIDA_SOURCE=1
Co-authored-by: Your Name <you@example.com>
* nits
* update changelog
* typos
* still not working
* fixed potential double free in custom trim (#881)
* error handling, freeing mem
* frida: complog -> cmplog
* fix statsd writing
* let aflpp_qemu_driver_hook.so build fail gracefully
* fix stdin trimming
* Support for AFL_ENTRYPOINT (#898)
Co-authored-by: Your Name <you@example.com>
* remove the input file .cur_input at the end of the fuzzing, if AFL_TMPDIR is used
* reverse push (#901)
* Create FUNDING.yml
* Update FUNDING.yml
* disable QEMU static pie
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
* clarify that no modifications are required.
* add new test for frida_mode (please review)
* typos
* fix persistent mode (64-bit)
* set ARCH for linux intel 32-bit for frida-gum-devkit
* prepare for 32-bit support (later)
* not on qemu 3 anymore
* unicorn mips fixes
* instrumentation further move to C++11 (#900)
* unicorn fixes
* first working NeverZero implementation
* more unicorn fixes
* Fix memory errors when trim causes testcase growth (#881) (#903)
* Revert "fixed potential double free in custom trim (#881)"
This reverts commit e9d2f72382cab75832721d859c3e731da071435d.
* Revert "fix custom trim for increasing data"
This reverts commit 86a8ef168dda766d2f25f15c15c4d3ecf21d0667.
* Fix memory errors when trim causes testcase growth
Modify trim_case_custom to avoid writing into in_buf because
some custom mutators can cause the testcase to grow rather than
shrink.
Instead of modifying in_buf directly, we write the update out
to the disk when trimming is complete, and then the caller is
responsible for refreshing the in-memory buffer from the file.
This is still a bit sketchy because it does need to modify q->len in
order to notify the upper layers that something changed, and it could
end up telling upper layer code that the q->len is *bigger* than
the buffer (q->testcase_buf) that contains it, which is asking
for trouble down the line somewhere...
* Fix an unlikely situation
Put back some `unlikely()` calls that were in
the e9d2f72382cab75832721d859c3e731da071435d commit that was
reverted.
* add some comments
* typo
* Exit on time (#904)
* Variable AFL_EXIT_ON_TIME description has been added.
Variables AFL_EXIT_ON_TIME and afl_exit_on_time has been added.
afl->exit_on_time variable initialization has been added.
The asignment of a value to the afl->afl_env.afl_exit_on_time variable from
environment variables has been added.
Code to exit on timeout if new path not found has been added.
* Type of afl_exit_on_time variable has been changed.
Variable exit_on_time has been added to the afl_state_t structure.
* Command `export AFL_EXIT_WHEN_DONE=1` has been added.
* Millisecond to second conversion has been added.
Call get_cur_time() has been added.
* Revert to using the saved current time value.
* Useless check has been removed.
* fix new path to custom-mutators
* ensure crashes/README.txt exists
* fix
* Changes to bump FRIDA version and to clone FRIDA repo in to build directory rather than use a submodule as the FRIDA build scripts don't like it (#906)
Co-authored-by: Your Name <you@example.com>
* Fix numeric overflow in cmplog implementation (#907)
Co-authored-by: Your Name <you@example.com>
* testcase fixes for unicorn
* remove merge conflict artifacts
* fix afl-plot
* Changes to remove binaries from frida_mode (#913)
Co-authored-by: Your Name <you@example.com>
* Frida cmplog fail fast (#914)
* Changes to remove binaries from frida_mode
* Changes to make cmplog fail fast
Co-authored-by: Your Name <you@example.com>
* afl-plot: relative time
* arch linux and mac os support for afl-system-config
* typo
* code-format
* update documentation
* github workflow for qemu
* OSX-specific improvements (#912)
* Fix afl-cc to work correctly by default on OSX using xcode
- CLANG_ENV_VAR must be set for afl-as to work
- Use clang mode by default if no specific compiler selected
* Add OSX-specific documentation for configuring shared memory
* Fixes to memory operands for complog (#916)
Co-authored-by: Your Name <you@example.com>
* fix a few cur_time uses
* added bounds check to pivot_inputs (fixes #921)
* additional safety checks for restarts
* restrict afl-showmap in_file size
* fix seed crash disable
* add warning for afl-showmap partial read
* no core dumps
* AFL_PRINT_FILENAMES added
* more documentation for AFL_EXIT_ON_TIME
* Flushing for AFL_PRINT_FILENAMES
* FASAN Support (#918)
* FASAN Support
* Fix handling of Address Sanitizer DSO
* Changes to identification of Address Sanitizer DSO
Co-authored-by: Your Name <you@example.com>
* Support for x86 (#920)
Co-authored-by: Your Name <you@example.com>
* Update frida_mode readme (#925)
* libqasan: use syscalls for read and write
* update readme
* Minor integration tweaks (#926)
Co-authored-by: Your Name <you@example.com>
* merge
* fix afl-fuzz.c frida preload
* cleaned up AFL_PRINT_FILENAMES env
* Changes to have persistent mode exit at the end of the loop (#928)
Co-authored-by: Your Name <you@example.com>
* fix llvm-dict2file
* push to stable (#931) (#932)
* sync (#886)
* Create FUNDING.yml
* Update FUNDING.yml
* moved custom_mutator examples
* unicorn speedtest makefile cleanup
* fixed example location
* fix qdbi
* update util readme
* Frida persistent (#880)
* Added x64 support for persistent mode (function call only), in-memory teest cases and complog
* Review changes, fix NeverZero and code to parse the .text section of the main executable. Excluded ranges TBC
* Various minor fixes and finished support for AFL_INST_LIBS
* Review changes
Co-authored-by: Your Name <you@example.com>
* nits
* fix frida mode
* Integer overflow/underflow fixes in libdislocator (#889)
* libdislocator: fixing integer overflow in 'max_mem' variable and setting 'max_mem' type to 'size_t'
* libdislocator: fixing potential integer underflow in 'total_mem' variable due to its different values in different threads
* Bumped warnings up to the max and fixed remaining issues (#890)
Co-authored-by: Your Name <you@example.com>
* nits
* frida mode - support non-pie
* nits
* nit
* update grammar mutator
* Fixes for aarch64, OSX and other minor issues (#891)
Co-authored-by: Your Name <you@example.com>
* nits
* nits
* fix PCGUARD, build aflpp_driver with fPIC
* Added representative fuzzbench test and test for libxml (#893)
* Added representative fuzzbench test and test for libxml
* Added support for building FRIDA from source with FRIDA_SOURCE=1
Co-authored-by: Your Name <you@example.com>
* nits
* update changelog
* typos
* fixed potential double free in custom trim (#881)
* error handling, freeing mem
* frida: complog -> cmplog
* fix statsd writing
* let aflpp_qemu_driver_hook.so build fail gracefully
* fix stdin trimming
* Support for AFL_ENTRYPOINT (#898)
Co-authored-by: Your Name <you@example.com>
* remove the input file .cur_input at the end of the fuzzing, if AFL_TMPDIR is used
* reverse push (#901)
* Create FUNDING.yml
* Update FUNDING.yml
* disable QEMU static pie
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
* clarify that no modifications are required.
* add new test for frida_mode (please review)
* typos
* fix persistent mode (64-bit)
* set ARCH for linux intel 32-bit for frida-gum-devkit
* prepare for 32-bit support (later)
* not on qemu 3 anymore
* unicorn mips fixes
* instrumentation further move to C++11 (#900)
* unicorn fixes
* more unicorn fixes
* Fix memory errors when trim causes testcase growth (#881) (#903)
* Revert "fixed potential double free in custom trim (#881)"
This reverts commit e9d2f72382cab75832721d859c3e731da071435d.
* Revert "fix custom trim for increasing data"
This reverts commit 86a8ef168dda766d2f25f15c15c4d3ecf21d0667.
* Fix memory errors when trim causes testcase growth
Modify trim_case_custom to avoid writing into in_buf because
some custom mutators can cause the testcase to grow rather than
shrink.
Instead of modifying in_buf directly, we write the update out
to the disk when trimming is complete, and then the caller is
responsible for refreshing the in-memory buffer from the file.
This is still a bit sketchy because it does need to modify q->len in
order to notify the upper layers that something changed, and it could
end up telling upper layer code that the q->len is *bigger* than
the buffer (q->testcase_buf) that contains it, which is asking
for trouble down the line somewhere...
* Fix an unlikely situation
Put back some `unlikely()` calls that were in
the e9d2f72382cab75832721d859c3e731da071435d commit that was
reverted.
* typo
* Exit on time (#904)
* Variable AFL_EXIT_ON_TIME description has been added.
Variables AFL_EXIT_ON_TIME and afl_exit_on_time has been added.
afl->exit_on_time variable initialization has been added.
The asignment of a value to the afl->afl_env.afl_exit_on_time variable from
environment variables has been added.
Code to exit on timeout if new path not found has been added.
* Type of afl_exit_on_time variable has been changed.
Variable exit_on_time has been added to the afl_state_t structure.
* Command `export AFL_EXIT_WHEN_DONE=1` has been added.
* Millisecond to second conversion has been added.
Call get_cur_time() has been added.
* Revert to using the saved current time value.
* Useless check has been removed.
* fix new path to custom-mutators
* ensure crashes/README.txt exists
* fix
* Changes to bump FRIDA version and to clone FRIDA repo in to build directory rather than use a submodule as the FRIDA build scripts don't like it (#906)
Co-authored-by: Your Name <you@example.com>
* Fix numeric overflow in cmplog implementation (#907)
Co-authored-by: Your Name <you@example.com>
* testcase fixes for unicorn
* remove merge conflict artifacts
* fix afl-plot
* Changes to remove binaries from frida_mode (#913)
Co-authored-by: Your Name <you@example.com>
* Frida cmplog fail fast (#914)
* Changes to remove binaries from frida_mode
* Changes to make cmplog fail fast
Co-authored-by: Your Name <you@example.com>
* afl-plot: relative time
* arch linux and mac os support for afl-system-config
* typo
* code-format
* update documentation
* github workflow for qemu
* OSX-specific improvements (#912)
* Fix afl-cc to work correctly by default on OSX using xcode
- CLANG_ENV_VAR must be set for afl-as to work
- Use clang mode by default if no specific compiler selected
* Add OSX-specific documentation for configuring shared memory
* Fixes to memory operands for complog (#916)
Co-authored-by: Your Name <you@example.com>
* fix a few cur_time uses
* added bounds check to pivot_inputs (fixes #921)
* additional safety checks for restarts
* restrict afl-showmap in_file size
* fix seed crash disable
* add warning for afl-showmap partial read
* no core dumps
* AFL_PRINT_FILENAMES added
* more documentation for AFL_EXIT_ON_TIME
* Flushing for AFL_PRINT_FILENAMES
* FASAN Support (#918)
* FASAN Support
* Fix handling of Address Sanitizer DSO
* Changes to identification of Address Sanitizer DSO
Co-authored-by: Your Name <you@example.com>
* Support for x86 (#920)
Co-authored-by: Your Name <you@example.com>
* Update frida_mode readme (#925)
* libqasan: use syscalls for read and write
* update readme
* Minor integration tweaks (#926)
Co-authored-by: Your Name <you@example.com>
* merge
* fix afl-fuzz.c frida preload
* cleaned up AFL_PRINT_FILENAMES env
* Changes to have persistent mode exit at the end of the loop (#928)
Co-authored-by: Your Name <you@example.com>
* fix llvm-dict2file
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
Co-authored-by: Dmitry Zheregelya <zheregelya.d@gmail.com>
Co-authored-by: hexcoder <hexcoder-@users.noreply.github.com>
Co-authored-by: hexcoder- <heiko@hexco.de>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
Co-authored-by: David CARLIER <devnexen@gmail.com>
Co-authored-by: realmadsci <71108352+realmadsci@users.noreply.github.com>
Co-authored-by: Roman M. Iudichev <SecNotice@ya.ru>
Co-authored-by: Dustin Spicuzza <dustin@virtualroadside.com>
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
Co-authored-by: Dmitry Zheregelya <zheregelya.d@gmail.com>
Co-authored-by: hexcoder <hexcoder-@users.noreply.github.com>
Co-authored-by: hexcoder- <heiko@hexco.de>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
Co-authored-by: David CARLIER <devnexen@gmail.com>
Co-authored-by: realmadsci <71108352+realmadsci@users.noreply.github.com>
Co-authored-by: Roman M. Iudichev <SecNotice@ya.ru>
Co-authored-by: Dustin Spicuzza <dustin@virtualroadside.com>
* improve error msg
* Added documentation for wine LoadLibrary workaround (#933)
* Fix cmake target compilation command example (#934)
- Fix typo DCMAKE_C_COMPILERC -> DCMAKE_C_COMPILER.
- Add `cd build` after `mkdir build`.
* showmap passes queue items in alphabetical order
* added tmp files to gitignore
* lenient dict parsing, no map size enum for binary fuzzing
* added info about showmap queue directions
* update binary-only doc
* turn off map size detection if skip_bin_check is set
* Typo
* update docs
* update afl-system-config
* Set kill signal before using it in afl-showmap (#935)
* fix afl-cc help output
* add libafl to binary-only doc
* update docs
* less executions on variable paths
* AFL_SKIP_CRASHES is obsolete since 3.0
* add AFL_TRY_AFFINITY
* Typo
* Typo
* Typo/wording
* tweaks
* typos
* fix afl-whatsup help output
* fix afl-plot output
* fix for MacOS
* fix cmpcov doc for qemu
* fix tmpfile removal
* update dockerfile
* Frida (#940)
* Added re2 test
* Added libpcap test
* Fix validation of setting of ADDR_NO_RANDOMIZE
* Added support for printing original and instrumented code
Co-authored-by: Your Name <you@example.com>
* Support for AFL_FRIDA_PERSISTENT_RET (#941)
Co-authored-by: Your Name <you@example.com>
* Changes to add missing exclusion of ranges (#943)
Co-authored-by: Your Name <you@example.com>
* add --afl-noopt to afl-cc
* docs: fix link to README in QuickStartGuide (#946)
* Support writing Stalker stats (#945)
* Support writing Stalker stats
* Fixed string handling in print functions
Co-authored-by: Your Name <you@example.com>
* afl-cmin help fix, aflpp_driver - + @@ support
* fix for afl-showmap
* support new env var AFL_LLVM_THREADSAFE_INST to enable atomic counters.
add new test case for that.
* add documentation for AFL_LLVM_THREADSAFE_INST
* add support for AFL_LLVM_THREADSAFE_INST to other LLVM passes
* add missing include for _exit()
* threadsafe doc fixes, code format
* Wording: "never zero" -> NeverZero
* fix afl_custom_post_process with multiple custom mutators
* fix docs
* debug ck_write
* fixed potential diff by 0
* fixes
* fix classic threadsafe counters
Co-authored-by: van Hauser <vh@thc.org>
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
Co-authored-by: Dmitry Zheregelya <zheregelya.d@gmail.com>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
Co-authored-by: David CARLIER <devnexen@gmail.com>
Co-authored-by: realmadsci <71108352+realmadsci@users.noreply.github.com>
Co-authored-by: Roman M. Iudichev <SecNotice@ya.ru>
Co-authored-by: Dustin Spicuzza <dustin@virtualroadside.com>
Co-authored-by: 0x4d5a-ctf <51098072+0x4d5a-ctf@users.noreply.github.com>
Co-authored-by: Tommy Chiang <oToToT@users.noreply.github.com>
Co-authored-by: buherator <buherator@silentsignal.hu>
Co-authored-by: Dag Heyman Kajevic <dag.heyman@gmail.com>
* v3.13c release (#950)
* use atomic read-modify-write increment for LLVM CLASSIC
* Change other LLVM modes to atomic increments
* sync (#886)
* Create FUNDING.yml
* Update FUNDING.yml
* moved custom_mutator examples
* unicorn speedtest makefile cleanup
* fixed example location
* fix qdbi
* update util readme
* work in progress: not working correctly yet
* Frida persistent (#880)
* Added x64 support for persistent mode (function call only), in-memory teest cases and complog
* Review changes, fix NeverZero and code to parse the .text section of the main executable. Excluded ranges TBC
* Various minor fixes and finished support for AFL_INST_LIBS
* Review changes
Co-authored-by: Your Name <you@example.com>
* nits
* fix frida mode
* Integer overflow/underflow fixes in libdislocator (#889)
* libdislocator: fixing integer overflow in 'max_mem' variable and setting 'max_mem' type to 'size_t'
* libdislocator: fixing potential integer underflow in 'total_mem' variable due to its different values in different threads
* Bumped warnings up to the max and fixed remaining issues (#890)
Co-authored-by: Your Name <you@example.com>
* nits
* frida mode - support non-pie
* nits
* nit
* update grammar mutator
* Fixes for aarch64, OSX and other minor issues (#891)
Co-authored-by: Your Name <you@example.com>
* nits
* nits
* fix PCGUARD, build aflpp_driver with fPIC
* Added representative fuzzbench test and test for libxml (#893)
* Added representative fuzzbench test and test for libxml
* Added support for building FRIDA from source with FRIDA_SOURCE=1
Co-authored-by: Your Name <you@example.com>
* nits
* update changelog
* typos
* still not working
* fixed potential double free in custom trim (#881)
* error handling, freeing mem
* frida: complog -> cmplog
* fix statsd writing
* let aflpp_qemu_driver_hook.so build fail gracefully
* fix stdin trimming
* Support for AFL_ENTRYPOINT (#898)
Co-authored-by: Your Name <you@example.com>
* remove the input file .cur_input at the end of the fuzzing, if AFL_TMPDIR is used
* reverse push (#901)
* Create FUNDING.yml
* Update FUNDING.yml
* disable QEMU static pie
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
* clarify that no modifications are required.
* add new test for frida_mode (please review)
* typos
* fix persistent mode (64-bit)
* set ARCH for linux intel 32-bit for frida-gum-devkit
* prepare for 32-bit support (later)
* not on qemu 3 anymore
* unicorn mips fixes
* instrumentation further move to C++11 (#900)
* unicorn fixes
* first working NeverZero implementation
* more unicorn fixes
* Fix memory errors when trim causes testcase growth (#881) (#903)
* Revert "fixed potential double free in custom trim (#881)"
This reverts commit e9d2f72382cab75832721d859c3e731da071435d.
* Revert "fix custom trim for increasing data"
This reverts commit 86a8ef168dda766d2f25f15c15c4d3ecf21d0667.
* Fix memory errors when trim causes testcase growth
Modify trim_case_custom to avoid writing into in_buf because
some custom mutators can cause the testcase to grow rather than
shrink.
Instead of modifying in_buf directly, we write the update out
to the disk when trimming is complete, and then the caller is
responsible for refreshing the in-memory buffer from the file.
This is still a bit sketchy because it does need to modify q->len in
order to notify the upper layers that something changed, and it could
end up telling upper layer code that the q->len is *bigger* than
the buffer (q->testcase_buf) that contains it, which is asking
for trouble down the line somewhere...
* Fix an unlikely situation
Put back some `unlikely()` calls that were in
the e9d2f72382cab75832721d859c3e731da071435d commit that was
reverted.
* add some comments
* typo
* Exit on time (#904)
* Variable AFL_EXIT_ON_TIME description has been added.
Variables AFL_EXIT_ON_TIME and afl_exit_on_time has been added.
afl->exit_on_time variable initialization has been added.
The asignment of a value to the afl->afl_env.afl_exit_on_time variable from
environment variables has been added.
Code to exit on timeout if new path not found has been added.
* Type of afl_exit_on_time variable has been changed.
Variable exit_on_time has been added to the afl_state_t structure.
* Command `export AFL_EXIT_WHEN_DONE=1` has been added.
* Millisecond to second conversion has been added.
Call get_cur_time() has been added.
* Revert to using the saved current time value.
* Useless check has been removed.
* fix new path to custom-mutators
* ensure crashes/README.txt exists
* fix
* Changes to bump FRIDA version and to clone FRIDA repo in to build directory rather than use a submodule as the FRIDA build scripts don't like it (#906)
Co-authored-by: Your Name <you@example.com>
* Fix numeric overflow in cmplog implementation (#907)
Co-authored-by: Your Name <you@example.com>
* testcase fixes for unicorn
* remove merge conflict artifacts
* fix afl-plot
* Changes to remove binaries from frida_mode (#913)
Co-authored-by: Your Name <you@example.com>
* Frida cmplog fail fast (#914)
* Changes to remove binaries from frida_mode
* Changes to make cmplog fail fast
Co-authored-by: Your Name <you@example.com>
* afl-plot: relative time
* arch linux and mac os support for afl-system-config
* typo
* code-format
* update documentation
* github workflow for qemu
* OSX-specific improvements (#912)
* Fix afl-cc to work correctly by default on OSX using xcode
- CLANG_ENV_VAR must be set for afl-as to work
- Use clang mode by default if no specific compiler selected
* Add OSX-specific documentation for configuring shared memory
* Fixes to memory operands for complog (#916)
Co-authored-by: Your Name <you@example.com>
* fix a few cur_time uses
* added bounds check to pivot_inputs (fixes #921)
* additional safety checks for restarts
* restrict afl-showmap in_file size
* fix seed crash disable
* add warning for afl-showmap partial read
* no core dumps
* AFL_PRINT_FILENAMES added
* more documentation for AFL_EXIT_ON_TIME
* Flushing for AFL_PRINT_FILENAMES
* FASAN Support (#918)
* FASAN Support
* Fix handling of Address Sanitizer DSO
* Changes to identification of Address Sanitizer DSO
Co-authored-by: Your Name <you@example.com>
* Support for x86 (#920)
Co-authored-by: Your Name <you@example.com>
* Update frida_mode readme (#925)
* libqasan: use syscalls for read and write
* update readme
* Minor integration tweaks (#926)
Co-authored-by: Your Name <you@example.com>
* merge
* fix afl-fuzz.c frida preload
* cleaned up AFL_PRINT_FILENAMES env
* Changes to have persistent mode exit at the end of the loop (#928)
Co-authored-by: Your Name <you@example.com>
* fix llvm-dict2file
* push to stable (#931) (#932)
* sync (#886)
* Create FUNDING.yml
* Update FUNDING.yml
* moved custom_mutator examples
* unicorn speedtest makefile cleanup
* fixed example location
* fix qdbi
* update util readme
* Frida persistent (#880)
* Added x64 support for persistent mode (function call only), in-memory teest cases and complog
* Review changes, fix NeverZero and code to parse the .text section of the main executable. Excluded ranges TBC
* Various minor fixes and finished support for AFL_INST_LIBS
* Review changes
Co-authored-by: Your Name <you@example.com>
* nits
* fix frida mode
* Integer overflow/underflow fixes in libdislocator (#889)
* libdislocator: fixing integer overflow in 'max_mem' variable and setting 'max_mem' type to 'size_t'
* libdislocator: fixing potential integer underflow in 'total_mem' variable due to its different values in different threads
* Bumped warnings up to the max and fixed remaining issues (#890)
Co-authored-by: Your Name <you@example.com>
* nits
* frida mode - support non-pie
* nits
* nit
* update grammar mutator
* Fixes for aarch64, OSX and other minor issues (#891)
Co-authored-by: Your Name <you@example.com>
* nits
* nits
* fix PCGUARD, build aflpp_driver with fPIC
* Added representative fuzzbench test and test for libxml (#893)
* Added representative fuzzbench test and test for libxml
* Added support for building FRIDA from source with FRIDA_SOURCE=1
Co-authored-by: Your Name <you@example.com>
* nits
* update changelog
* typos
* fixed potential double free in custom trim (#881)
* error handling, freeing mem
* frida: complog -> cmplog
* fix statsd writing
* let aflpp_qemu_driver_hook.so build fail gracefully
* fix stdin trimming
* Support for AFL_ENTRYPOINT (#898)
Co-authored-by: Your Name <you@example.com>
* remove the input file .cur_input at the end of the fuzzing, if AFL_TMPDIR is used
* reverse push (#901)
* Create FUNDING.yml
* Update FUNDING.yml
* disable QEMU static pie
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
* clarify that no modifications are required.
* add new test for frida_mode (please review)
* typos
* fix persistent mode (64-bit)
* set ARCH for linux intel 32-bit for frida-gum-devkit
* prepare for 32-bit support (later)
* not on qemu 3 anymore
* unicorn mips fixes
* instrumentation further move to C++11 (#900)
* unicorn fixes
* more unicorn fixes
* Fix memory errors when trim causes testcase growth (#881) (#903)
* Revert "fixed potential double free in custom trim (#881)"
This reverts commit e9d2f72382cab75832721d859c3e731da071435d.
* Revert "fix custom trim for increasing data"
This reverts commit 86a8ef168dda766d2f25f15c15c4d3ecf21d0667.
* Fix memory errors when trim causes testcase growth
Modify trim_case_custom to avoid writing into in_buf because
some custom mutators can cause the testcase to grow rather than
shrink.
Instead of modifying in_buf directly, we write the update out
to the disk when trimming is complete, and then the caller is
responsible for refreshing the in-memory buffer from the file.
This is still a bit sketchy because it does need to modify q->len in
order to notify the upper layers that something changed, and it could
end up telling upper layer code that the q->len is *bigger* than
the buffer (q->testcase_buf) that contains it, which is asking
for trouble down the line somewhere...
* Fix an unlikely situation
Put back some `unlikely()` calls that were in
the e9d2f72382cab75832721d859c3e731da071435d commit that was
reverted.
* typo
* Exit on time (#904)
* Variable AFL_EXIT_ON_TIME description has been added.
Variables AFL_EXIT_ON_TIME and afl_exit_on_time has been added.
afl->exit_on_time variable initialization has been added.
The asignment of a value to the afl->afl_env.afl_exit_on_time variable from
environment variables has been added.
Code to exit on timeout if new path not found has been added.
* Type of afl_exit_on_time variable has been changed.
Variable exit_on_time has been added to the afl_state_t structure.
* Command `export AFL_EXIT_WHEN_DONE=1` has been added.
* Millisecond to second conversion has been added.
Call get_cur_time() has been added.
* Revert to using the saved current time value.
* Useless check has been removed.
* fix new path to custom-mutators
* ensure crashes/README.txt exists
* fix
* Changes to bump FRIDA version and to clone FRIDA repo in to build directory rather than use a submodule as the FRIDA build scripts don't like it (#906)
Co-authored-by: Your Name <you@example.com>
* Fix numeric overflow in cmplog implementation (#907)
Co-authored-by: Your Name <you@example.com>
* testcase fixes for unicorn
* remove merge conflict artifacts
* fix afl-plot
* Changes to remove binaries from frida_mode (#913)
Co-authored-by: Your Name <you@example.com>
* Frida cmplog fail fast (#914)
* Changes to remove binaries from frida_mode
* Changes to make cmplog fail fast
Co-authored-by: Your Name <you@example.com>
* afl-plot: relative time
* arch linux and mac os support for afl-system-config
* typo
* code-format
* update documentation
* github workflow for qemu
* OSX-specific improvements (#912)
* Fix afl-cc to work correctly by default on OSX using xcode
- CLANG_ENV_VAR must be set for afl-as to work
- Use clang mode by default if no specific compiler selected
* Add OSX-specific documentation for configuring shared memory
* Fixes to memory operands for complog (#916)
Co-authored-by: Your Name <you@example.com>
* fix a few cur_time uses
* added bounds check to pivot_inputs (fixes #921)
* additional safety checks for restarts
* restrict afl-showmap in_file size
* fix seed crash disable
* add warning for afl-showmap partial read
* no core dumps
* AFL_PRINT_FILENAMES added
* more documentation for AFL_EXIT_ON_TIME
* Flushing for AFL_PRINT_FILENAMES
* FASAN Support (#918)
* FASAN Support
* Fix handling of Address Sanitizer DSO
* Changes to identification of Address Sanitizer DSO
Co-authored-by: Your Name <you@example.com>
* Support for x86 (#920)
Co-authored-by: Your Name <you@example.com>
* Update frida_mode readme (#925)
* libqasan: use syscalls for read and write
* update readme
* Minor integration tweaks (#926)
Co-authored-by: Your Name <you@example.com>
* merge
* fix afl-fuzz.c frida preload
* cleaned up AFL_PRINT_FILENAMES env
* Changes to have persistent mode exit at the end of the loop (#928)
Co-authored-by: Your Name <you@example.com>
* fix llvm-dict2file
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
Co-authored-by: Dmitry Zheregelya <zheregelya.d@gmail.com>
Co-authored-by: hexcoder <hexcoder-@users.noreply.github.com>
Co-authored-by: hexcoder- <heiko@hexco.de>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
Co-authored-by: David CARLIER <devnexen@gmail.com>
Co-authored-by: realmadsci <71108352+realmadsci@users.noreply.github.com>
Co-authored-by: Roman M. Iudichev <SecNotice@ya.ru>
Co-authored-by: Dustin Spicuzza <dustin@virtualroadside.com>
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
Co-authored-by: Dmitry Zheregelya <zheregelya.d@gmail.com>
Co-authored-by: hexcoder <hexcoder-@users.noreply.github.com>
Co-authored-by: hexcoder- <heiko@hexco.de>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
Co-authored-by: David CARLIER <devnexen@gmail.com>
Co-authored-by: realmadsci <71108352+realmadsci@users.noreply.github.com>
Co-authored-by: Roman M. Iudichev <SecNotice@ya.ru>
Co-authored-by: Dustin Spicuzza <dustin@virtualroadside.com>
* improve error msg
* Added documentation for wine LoadLibrary workaround (#933)
* Fix cmake target compilation command example (#934)
- Fix typo DCMAKE_C_COMPILERC -> DCMAKE_C_COMPILER.
- Add `cd build` after `mkdir build`.
* showmap passes queue items in alphabetical order
* added tmp files to gitignore
* lenient dict parsing, no map size enum for binary fuzzing
* added info about showmap queue directions
* update binary-only doc
* turn off map size detection if skip_bin_check is set
* Typo
* update docs
* update afl-system-config
* Set kill signal before using it in afl-showmap (#935)
* fix afl-cc help output
* add libafl to binary-only doc
* update docs
* less executions on variable paths
* AFL_SKIP_CRASHES is obsolete since 3.0
* add AFL_TRY_AFFINITY
* Typo
* Typo
* Typo/wording
* tweaks
* typos
* fix afl-whatsup help output
* fix afl-plot output
* fix for MacOS
* fix cmpcov doc for qemu
* fix tmpfile removal
* update dockerfile
* Frida (#940)
* Added re2 test
* Added libpcap test
* Fix validation of setting of ADDR_NO_RANDOMIZE
* Added support for printing original and instrumented code
Co-authored-by: Your Name <you@example.com>
* Support for AFL_FRIDA_PERSISTENT_RET (#941)
Co-authored-by: Your Name <you@example.com>
* Changes to add missing exclusion of ranges (#943)
Co-authored-by: Your Name <you@example.com>
* add --afl-noopt to afl-cc
* docs: fix link to README in QuickStartGuide (#946)
* Support writing Stalker stats (#945)
* Support writing Stalker stats
* Fixed string handling in print functions
Co-authored-by: Your Name <you@example.com>
* afl-cmin help fix, aflpp_driver - + @@ support
* fix for afl-showmap
* support new env var AFL_LLVM_THREADSAFE_INST to enable atomic counters.
add new test case for that.
* add documentation for AFL_LLVM_THREADSAFE_INST
* add support for AFL_LLVM_THREADSAFE_INST to other LLVM passes
* add missing include for _exit()
* threadsafe doc fixes, code format
* Wording: "never zero" -> NeverZero
* fix afl_custom_post_process with multiple custom mutators
* fix docs
* debug ck_write
* fixed potential diff by 0
* fixes
* fix classic threadsafe counters
* v3.13c release
Co-authored-by: hexcoder- <heiko@hexco.de>
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
Co-authored-by: Dmitry Zheregelya <zheregelya.d@gmail.com>
Co-authored-by: hexcoder <hexcoder-@users.noreply.github.com>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
Co-authored-by: David CARLIER <devnexen@gmail.com>
Co-authored-by: realmadsci <71108352+realmadsci@users.noreply.github.com>
Co-authored-by: Roman M. Iudichev <SecNotice@ya.ru>
Co-authored-by: Dustin Spicuzza <dustin@virtualroadside.com>
Co-authored-by: 0x4d5a-ctf <51098072+0x4d5a-ctf@users.noreply.github.com>
Co-authored-by: Tommy Chiang <oToToT@users.noreply.github.com>
Co-authored-by: buherator <buherator@silentsignal.hu>
Co-authored-by: Dag Heyman Kajevic <dag.heyman@gmail.com>
Co-authored-by: hexcoder <hexcoder-@users.noreply.github.com>
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
Co-authored-by: Dmitry Zheregelya <zheregelya.d@gmail.com>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
Co-authored-by: David CARLIER <devnexen@gmail.com>
Co-authored-by: realmadsci <71108352+realmadsci@users.noreply.github.com>
Co-authored-by: Roman M. Iudichev <SecNotice@ya.ru>
Co-authored-by: Dustin Spicuzza <dustin@virtualroadside.com>
Co-authored-by: 0x4d5a-ctf <51098072+0x4d5a-ctf@users.noreply.github.com>
Co-authored-by: Tommy Chiang <oToToT@users.noreply.github.com>
Co-authored-by: buherator <buherator@silentsignal.hu>
Co-authored-by: Dag Heyman Kajevic <dag.heyman@gmail.com>
Co-authored-by: hexcoder- <heiko@hexco.de>
* v3.14a init
* remove redundant unsetenv (#947)
* update MacOS Install information
* add missing clean action for frida_mode
* ensure memory is there before free
* adapt to incompatible LLVM 13 API
* fix stupid typos
* add fix info
* build afl-compiler-rt even with broken llvm
* fix -F with slash option
* dynamic_list and afl-compiler-rt rework
* detect partial linking in afl-cc
* partial linking with -Wl
* Add proper name and URL for Zafl (#959)
* move link
* add known frontends for supported compiler infrastructures
* add Rust
* fix ui fuzzing stage index (#960)
* fix overflowing UI fields 'now processing'
* restored timeout handling (with SIGALRM for now)
* On non-Linux systems make clean may fail for frida_mode
* give hint how to set env var for path to llvm-config tool
* setting AFL_CC for test-llvm.sh on FreeBSD is not necessary anymore
* remove -D from -M
* write target errors to out_dir/error.txt
* add changelog entry
* add changelog
* format
* more info for error logging
* Forkserver for afl-analyze (#963)
* afl-analyze forkserver
* added missing vars to forkserver
* synchronized a bit more with afl-tmin
* more debugging, runs now, but need to suppress target output
* fix dev/null setting
* afl-analyze info:
Co-authored-by: hexcoder- <heiko@hexco.de>
* proper newlines
* reenable LLVM 3.8 ( Ubuntu 16.04 )
* FRIDA AARCH64 support (#965)
Co-authored-by: Your Name <you@example.com>
* adapt docs to minimum LLVM version
* adapt to minimum llvm version
Co-authored-by: hexcoder- <heiko@hexco.de>
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
Co-authored-by: Dmitry Zheregelya <zheregelya.d@gmail.com>
Co-authored-by: hexcoder <hexcoder-@users.noreply.github.com>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
Co-authored-by: David CARLIER <devnexen@gmail.com>
Co-authored-by: realmadsci <71108352+realmadsci@users.noreply.github.com>
Co-authored-by: Roman M. Iudichev <SecNotice@ya.ru>
Co-authored-by: Dustin Spicuzza <dustin@virtualroadside.com>
Co-authored-by: 0x4d5a-ctf <51098072+0x4d5a-ctf@users.noreply.github.com>
Co-authored-by: Tommy Chiang <oToToT@users.noreply.github.com>
Co-authored-by: buherator <buherator@silentsignal.hu>
Co-authored-by: Dag Heyman Kajevic <dag.heyman@gmail.com>
Co-authored-by: terrynini <terrynini38514@gmail.com>
Co-authored-by: jdhiser <hiser@virginia.edu>
Co-authored-by: yuan <ssspeed00@gmail.com>
Diffstat (limited to 'frida_mode/src/persistent')
| -rw-r--r-- | frida_mode/src/persistent/persistent_arm64.c | 354 | ||||
| -rw-r--r-- | frida_mode/src/persistent/persistent_x64.c | 2 | ||||
| -rw-r--r-- | frida_mode/src/persistent/persistent_x86.c | 2 |
3 files changed, 349 insertions, 9 deletions
diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c index 1215d8da..b23693fe 100644 --- a/frida_mode/src/persistent/persistent_arm64.c +++ b/frida_mode/src/persistent/persistent_arm64.c @@ -1,9 +1,11 @@ +#include <unistd.h> #include "frida-gum.h" #include "config.h" #include "debug.h" #include "instrument.h" +#include "persistent.h" #include "util.h" #if defined(__aarch64__) @@ -98,23 +100,365 @@ struct arm64_regs { typedef struct arm64_regs arch_api_regs; +static arch_api_regs saved_regs = {0}; +static gpointer saved_lr = NULL; + gboolean persistent_is_supported(void) { - return false; + return true; + +} + +static void instrument_persitent_save_regs(GumArm64Writer * cw, + struct arm64_regs *regs) { + + GumAddress regs_address = GUM_ADDRESS(regs); + const guint32 mrs_x1_nzcv = 0xd53b4201; + + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X0, ARM64_REG_X1, ARM64_REG_SP, -(16 + GUM_RED_ZONE_SIZE), + GUM_INDEX_PRE_ADJUST); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3, + ARM64_REG_SP, -(16), + GUM_INDEX_PRE_ADJUST); + + gum_arm64_writer_put_instruction(cw, mrs_x1_nzcv); + + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X0, + GUM_ADDRESS(regs_address)); + + /* Skip x0 & x1 we'll do that later */ + + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3, + ARM64_REG_X0, (16 * 1), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X4, ARM64_REG_X5, + ARM64_REG_X0, (16 * 2), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X6, ARM64_REG_X7, + ARM64_REG_X0, (16 * 3), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X8, ARM64_REG_X9, + ARM64_REG_X0, (16 * 4), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X10, ARM64_REG_X11, + ARM64_REG_X0, (16 * 5), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X12, ARM64_REG_X13, + ARM64_REG_X0, (16 * 6), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X14, ARM64_REG_X15, + ARM64_REG_X0, (16 * 7), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X16, ARM64_REG_X17, + ARM64_REG_X0, (16 * 8), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X18, ARM64_REG_X19, + ARM64_REG_X0, (16 * 9), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X20, ARM64_REG_X21, + ARM64_REG_X0, (16 * 10), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X22, ARM64_REG_X23, + ARM64_REG_X0, (16 * 11), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X24, ARM64_REG_X25, + ARM64_REG_X0, (16 * 12), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X26, ARM64_REG_X27, + ARM64_REG_X0, (16 * 13), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X28, ARM64_REG_X29, + ARM64_REG_X0, (16 * 14), + GUM_INDEX_SIGNED_OFFSET); + + /* LR & Adjusted SP */ + gum_arm64_writer_put_add_reg_reg_imm(cw, ARM64_REG_X2, ARM64_REG_SP, + (GUM_RED_ZONE_SIZE + 32)); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X30, ARM64_REG_X2, + ARM64_REG_X0, (16 * 15), + GUM_INDEX_SIGNED_OFFSET); + + /* PC & CPSR */ + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X2, + GUM_ADDRESS(persistent_start)); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X1, + ARM64_REG_X0, (16 * 16), + GUM_INDEX_SIGNED_OFFSET); + + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q0, ARM64_REG_Q1, + ARM64_REG_X0, (16 * 17), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q2, ARM64_REG_Q3, + ARM64_REG_X0, (16 * 18), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q4, ARM64_REG_Q5, + ARM64_REG_X0, (16 * 19), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q6, ARM64_REG_Q7, + ARM64_REG_X0, (16 * 20), + GUM_INDEX_SIGNED_OFFSET); + + /* x0 & x1 */ + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3, + ARM64_REG_SP, 16, + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3, + ARM64_REG_X0, (16 * 0), + GUM_INDEX_SIGNED_OFFSET); + + /* Pop the saved values */ + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X2, ARM64_REG_X3, ARM64_REG_SP, 16, GUM_INDEX_POST_ADJUST); + + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X0, ARM64_REG_X1, ARM64_REG_SP, 16 + GUM_RED_ZONE_SIZE, + GUM_INDEX_POST_ADJUST); + +} + +static void instrument_persitent_restore_regs(GumArm64Writer * cw, + struct arm64_regs *regs) { + + GumAddress regs_address = GUM_ADDRESS(regs); + const guint32 msr_nzcv_x1 = 0xd51b4201; + + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X0, + GUM_ADDRESS(regs_address)); + + /* Skip x0 - x3 we'll do that last */ + + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X4, ARM64_REG_X5, + ARM64_REG_X0, (16 * 2), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X6, ARM64_REG_X7, + ARM64_REG_X0, (16 * 3), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X8, ARM64_REG_X9, + ARM64_REG_X0, (16 * 4), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X10, ARM64_REG_X11, + ARM64_REG_X0, (16 * 5), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X12, ARM64_REG_X13, + ARM64_REG_X0, (16 * 6), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X14, ARM64_REG_X15, + ARM64_REG_X0, (16 * 7), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X16, ARM64_REG_X17, + ARM64_REG_X0, (16 * 8), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X18, ARM64_REG_X19, + ARM64_REG_X0, (16 * 9), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X20, ARM64_REG_X21, + ARM64_REG_X0, (16 * 10), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X22, ARM64_REG_X23, + ARM64_REG_X0, (16 * 11), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X24, ARM64_REG_X25, + ARM64_REG_X0, (16 * 12), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X26, ARM64_REG_X27, + ARM64_REG_X0, (16 * 13), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X28, ARM64_REG_X29, + ARM64_REG_X0, (16 * 14), + GUM_INDEX_SIGNED_OFFSET); + + /* Don't restore RIP or RSP, use x1-x3 as clobber */ + + /* LR & Adjusted SP (clobber x1) */ + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X30, ARM64_REG_X1, + ARM64_REG_X0, (16 * 15), + GUM_INDEX_SIGNED_OFFSET); + + /* PC (x2) & CPSR (x1) */ + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X1, + ARM64_REG_X0, (16 * 16), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_instruction(cw, msr_nzcv_x1); + + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q0, ARM64_REG_Q1, + ARM64_REG_X0, (16 * 17), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q2, ARM64_REG_Q3, + ARM64_REG_X0, (16 * 18), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q4, ARM64_REG_Q5, + ARM64_REG_X0, (16 * 19), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q6, ARM64_REG_Q7, + ARM64_REG_X0, (16 * 20), + GUM_INDEX_SIGNED_OFFSET); + + /* x2 & x3 */ + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3, + ARM64_REG_X0, (16 * 1), + GUM_INDEX_SIGNED_OFFSET); + /* x0 & x1 */ + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X0, ARM64_REG_X1, + ARM64_REG_X0, (16 * 0), + GUM_INDEX_SIGNED_OFFSET); + +} + +static void instrument_exit(GumArm64Writer *cw) { + + gum_arm64_writer_put_mov_reg_reg(cw, ARM64_REG_X0, ARM64_REG_XZR); + gum_arm64_writer_put_call_address_with_arguments( + cw, GUM_ADDRESS(_exit), 1, GUM_ARG_REGISTER, ARM64_REG_X0); + +} + +static int instrument_afl_persistent_loop_func(void) { + + int ret = __afl_persistent_loop(persistent_count); + previous_pc = 0; + return ret; + +} + +static void instrument_afl_persistent_loop(GumArm64Writer *cw) { + + gum_arm64_writer_put_sub_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP, + GUM_RED_ZONE_SIZE); + gum_arm64_writer_put_call_address_with_arguments( + cw, GUM_ADDRESS(instrument_afl_persistent_loop_func), 0); + gum_arm64_writer_put_add_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP, + GUM_RED_ZONE_SIZE); + +} + +static void persistent_prologue_hook(GumArm64Writer * cw, + struct arm64_regs *regs) { + + if (hook == NULL) return; + + gum_arm64_writer_put_sub_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP, + GUM_RED_ZONE_SIZE); + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X3, + GUM_ADDRESS(&__afl_fuzz_len)); + gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X3, ARM64_REG_X3, 0); + gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X3, ARM64_REG_X3, 0); + + gum_arm64_writer_put_and_reg_reg_imm(cw, ARM64_REG_X3, ARM64_REG_X3, + G_MAXULONG); + + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X2, + GUM_ADDRESS(&__afl_fuzz_ptr)); + gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X2, 0); + + gum_arm64_writer_put_call_address_with_arguments( + cw, GUM_ADDRESS(hook), 4, GUM_ARG_ADDRESS, GUM_ADDRESS(regs), + GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_REGISTER, ARM64_REG_X2, + GUM_ARG_REGISTER, ARM64_REG_X3); + + gum_arm64_writer_put_add_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP, + GUM_RED_ZONE_SIZE); + +} + +static void instrument_persitent_save_lr(GumArm64Writer *cw) { + + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X0, ARM64_REG_X1, ARM64_REG_SP, -(16 + GUM_RED_ZONE_SIZE), + GUM_INDEX_PRE_ADJUST); + + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X0, + GUM_ADDRESS(&saved_lr)); + + gum_arm64_writer_put_str_reg_reg_offset(cw, ARM64_REG_LR, ARM64_REG_X0, 0); + + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X0, ARM64_REG_X1, ARM64_REG_SP, 16 + GUM_RED_ZONE_SIZE, + GUM_INDEX_POST_ADJUST); } void persistent_prologue(GumStalkerOutput *output) { - UNUSED_PARAMETER(output); - FATAL("Persistent mode not supported on this architecture"); + /* + * SAVE REGS + * SAVE RET + * POP RET + * loop: + * CALL instrument_afl_persistent_loop + * TEST EAX, EAX + * JZ end: + * call hook (optionally) + * RESTORE REGS + * call original + * jmp loop: + * + * end: + * JMP SAVED RET + * + * original: + * INSTRUMENTED PERSISTENT FUNC + */ + + GumArm64Writer *cw = output->writer.arm64; + + gconstpointer loop = cw->code + 1; + + /* Stack must be 16-byte aligned per ABI */ + instrument_persitent_save_regs(cw, &saved_regs); + + /* loop: */ + gum_arm64_writer_put_label(cw, loop); + + /* call instrument_prologue_func */ + instrument_afl_persistent_loop(cw); + + /* jz done */ + gconstpointer done = cw->code + 1; + gum_arm64_writer_put_cmp_reg_reg(cw, ARM64_REG_X0, ARM64_REG_XZR); + gum_arm64_writer_put_b_cond_label(cw, ARM64_CC_EQ, done); + + /* Optionally call the persistent hook */ + persistent_prologue_hook(cw, &saved_regs); + + instrument_persitent_restore_regs(cw, &saved_regs); + gconstpointer original = cw->code + 1; + /* call original */ + + gum_arm64_writer_put_bl_label(cw, original); + + /* jmp loop */ + gum_arm64_writer_put_b_label(cw, loop); + + /* done: */ + gum_arm64_writer_put_label(cw, done); + + instrument_exit(cw); + + /* original: */ + gum_arm64_writer_put_label(cw, original); + + instrument_persitent_save_lr(cw); + + if (persistent_debug) { gum_arm64_writer_put_brk_imm(cw, 0); } } void persistent_epilogue(GumStalkerOutput *output) { - UNUSED_PARAMETER(output); - FATAL("Persistent mode not supported on this architecture"); + GumArm64Writer *cw = output->writer.arm64; + + if (persistent_debug) { gum_arm64_writer_put_brk_imm(cw, 0); } + + gum_arm64_writer_put_add_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP, + persistent_ret_offset); + + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X0, + GUM_ADDRESS(&saved_lr)); + + gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X0, ARM64_REG_X0, 0); + + gum_arm64_writer_put_br_reg(cw, ARM64_REG_X0); } diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c index 4cb960fc..858ad38e 100644 --- a/frida_mode/src/persistent/persistent_x64.c +++ b/frida_mode/src/persistent/persistent_x64.c @@ -306,8 +306,6 @@ void persistent_prologue(GumStalkerOutput *output) { if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); } - gum_x86_writer_flush(cw); - } void persistent_epilogue(GumStalkerOutput *output) { diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c index b30dfadf..0675edf4 100644 --- a/frida_mode/src/persistent/persistent_x86.c +++ b/frida_mode/src/persistent/persistent_x86.c @@ -246,8 +246,6 @@ void persistent_prologue(GumStalkerOutput *output) { if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); } - gum_x86_writer_flush(cw); - } void persistent_epilogue(GumStalkerOutput *output) { |