diff options
| author | WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> | 2021-06-25 22:14:27 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-06-25 23:14:27 +0200 |
| commit | 6a3877dcd35d31eb79bebbc30ffe70ac0342743e (patch) | |
| tree | f3ddccc0e1315a728fe5b12fdf10990f48f05298 /frida_mode/test/persistent_ret/test.js | |
| parent | c88b98d1c91b37c1941483980161bd46cb03c4d5 (diff) | |
| download | afl++-6a3877dcd35d31eb79bebbc30ffe70ac0342743e.tar.gz | |
Improved FRIDA mode scripting support (#994)
Co-authored-by: Your Name <you@example.com>
Diffstat (limited to 'frida_mode/test/persistent_ret/test.js')
| -rw-r--r-- | frida_mode/test/persistent_ret/test.js | 62 |
1 files changed, 36 insertions, 26 deletions
diff --git a/frida_mode/test/persistent_ret/test.js b/frida_mode/test/persistent_ret/test.js index 43c6ad7c..8adb45b2 100644 --- a/frida_mode/test/persistent_ret/test.js +++ b/frida_mode/test/persistent_ret/test.js @@ -5,34 +5,44 @@ Afl.print(''); Afl.print(`PID: ${Process.id}`); +const name = Process.enumerateModules()[0].name; +Afl.print(`Name: ${name}`); + new ModuleMap().values().forEach(m => { Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); }); -const persistent_addr = DebugSymbol.fromName('main'); -Afl.print(`persistent_addr: ${persistent_addr.address}`); - -const persistent_ret = DebugSymbol.fromName('slow'); -Afl.print(`persistent_ret: ${persistent_ret.address}`); - -Afl.setPersistentAddress(persistent_addr.address); -Afl.setPersistentReturn(persistent_ret.address); -Afl.setPersistentCount(1000000); - -Afl.setDebugMaps(); - -const mod = Process.findModuleByName("libc-2.31.so") -Afl.addExcludedRange(mod.base, mod.size); -Afl.setInstrumentLibraries(); -Afl.setInstrumentDebugFile("/tmp/instr.log"); -Afl.setPrefetchDisable(); -Afl.setInstrumentNoOptimize(); -Afl.setInstrumentEnableTracing(); -Afl.setInstrumentTracingUnique(); -Afl.setStdOut("/tmp/stdout.txt"); -Afl.setStdErr("/tmp/stderr.txt"); -Afl.setStatsFile("/tmp/stats.txt"); -Afl.setStatsInterval(1); -Afl.setStatsTransitions(); -Afl.done(); +if (name === 'testinstr') { + const persistent_addr = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; + Afl.print(`persistent_addr: ${persistent_addr}`); + Afl.setEntryPoint(persistent_addr); + Afl.setPersistentAddress(persistent_addr); + Afl.setInstrumentDebugFile("/dev/stdout"); + Afl.setPersistentDebug(); + Afl.setInstrumentNoOptimize(); + Afl.setInstrumentEnableTracing(); + + const LLVMFuzzerTestOneInput = new NativeFunction( + persistent_addr, + 'void', + ['pointer', 'uint64'], + {traps: "all"}); + + const persistentHook = new NativeCallback( + (data, size) => { + const input = Afl.aflFuzzPtr.readPointer(); + const len = Afl.aflFuzzLen.readPointer().readU32(); + const hd = hexdump(input, {length: len, header: false, ansi: true}); + Afl.print(`input: ${hd}`); + LLVMFuzzerTestOneInput(input, len); + }, + 'void', + ['pointer', 'uint64']); + + Afl.aflSharedMemFuzzing.writeInt(1); + Interceptor.replace(persistent_addr, persistentHook); + Interceptor.flush(); +} + Afl.print("done"); +Afl.done(); |