authorYour Name <you@example.com>2022-02-18 07:55:45 +0000
committerYour Name <you@example.com>2022-02-18 08:01:34 +0000
commitcb1256499f7e07fd0edf0958d08b958fec63c34c (patch)
tree6e11894987f8d234d651e780b0b58cb2265f725c /frida_mode/test
parentdd8ad4dfa35c8b11ebcc6005f44855db02fefb74 (diff)
downloadafl++-cb1256499f7e07fd0edf0958d08b958fec63c34c.tar.gz
Added instrumentation for CMOV instructions
Diffstat (limited to 'frida_mode/test')
-rw-r--r--frida_mode/test/cmov/GNUmakefile87
-rw-r--r--frida_mode/test/cmov/Makefile19
-rw-r--r--frida_mode/test/cmov/cmov.c122
3 files changed, 228 insertions, 0 deletions
diff --git a/frida_mode/test/cmov/GNUmakefile b/frida_mode/test/cmov/GNUmakefile
new file mode 100644
index 00000000..318b2ad0
--- /dev/null
+++ b/frida_mode/test/cmov/GNUmakefile
@@ -0,0 +1,87 @@
+PWD:=$(shell pwd)/
+ROOT:=$(PWD)../../../
+BUILD_DIR:=$(PWD)build/
+
+TEST_CMOV_SRC:=$(PWD)cmov.c
+TEST_CMOV_OBJ:=$(BUILD_DIR)cmov
+
+TEST_DATA_DIR:=$(BUILD_DIR)in/
+CMP_LOG_INPUT:=$(TEST_DATA_DIR)in
+QEMU_OUT:=$(BUILD_DIR)qemu-out
+FRIDA_OUT:=$(BUILD_DIR)frida-out
+
+ADDR_BIN:=$(ROOT)frida_mode/build/addr
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
+
+AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so
+
+AFL_FRIDA_BASE_ADDR:=$(shell $(ADDR_BIN))
+AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_CMOV_OBJ) LLVMFuzzerTestOneInput $(AFL_FRIDA_BASE_ADDR))
+
+DUMMY_DATA_FILE:=$(BUILD_DIR)dummy.dat
+
+.PHONY: all 32 clean frida frida_noinst debug format
+
+all: $(TEST_CMOV_OBJ)
+ make -C $(ROOT)frida_mode/
+
+32:
+ CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
+
+$(BUILD_DIR):
+ mkdir -p $@
+
+$(TEST_DATA_DIR): | $(BUILD_DIR)
+ mkdir -p $@
+
+$(CMP_LOG_INPUT): | $(TEST_DATA_DIR)
+ echo -n "ABC" > $@
+
+$(TEST_CMOV_OBJ): $(TEST_CMOV_SRC) | $(BUILD_DIR)
+ $(CC) -g $(CFLAGS) $(LDFLAGS) $< -o $@
+
+########## DUMMY #######
+
+$(DUMMY_DATA_FILE): | $(BUILD_DIR)
+ dd if=/dev/zero bs=1048576 count=1 of=$@
+
+frida: $(TEST_CMOV_OBJ) $(CMP_LOG_INPUT) $(DUMMY_DATA_FILE)
+ AFL_FRIDA_PERSISTENT_CNT=1000000 \
+ AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \
+ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
+ AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \
+ $(ROOT)afl-fuzz \
+ -O \
+ -i $(TEST_DATA_DIR) \
+ -o $(FRIDA_OUT) \
+ -Z \
+ -t 10000+ \
+ -- \
+ $(TEST_CMOV_OBJ) $(DUMMY_DATA_FILE)
+
+frida_noinst: $(TEST_CMOV_OBJ) $(CMP_LOG_INPUT) $(DUMMY_DATA_FILE)
+ AFL_FRIDA_INST_NO_INSN=1 \
+ AFL_FRIDA_PERSISTENT_CNT=1000000 \
+ AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \
+ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
+ AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \
+ $(ROOT)afl-fuzz \
+ -O \
+ -i $(TEST_DATA_DIR) \
+ -o $(FRIDA_OUT) \
+ -Z \
+ -- \
+ $(TEST_CMOV_OBJ) $(DUMMY_DATA_FILE)
+
+debug: $(TEST_CMOV_OBJ) $(CMP_LOG_INPUT)
+ gdb \
+ --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
+ --ex 'set disassembly-flavor intel' \
+ --ex 'r $(CMP_LOG_INPUT)' \
+ --args $(TEST_CMOV_OBJ) $(CMP_LOG_INPUT)
+
+clean:
+ rm -rf $(BUILD_DIR)
+
+format:
+ cd $(ROOT) && echo $(TEST_CMOV_SRC) | xargs -L1 ./.custom-format.py -i
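Review bot: The `32` target (`CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all`) cannot build this test: cmov.c's inline asm names the 64-bit registers rdi, rsi, rcx and r8, which do not exist on 32-bit x86, so `make 32` fails at compile time. Either drop the target and its `.PHONY` entry, or document it with a comment such as `# 32: not supported, cmov.c uses x86-64 registers in its inline asm`. The `frida_noinst` recipe also omits the `-t 10000+` that the otherwise identical `frida` recipe passes, which looks unintentional.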
diff --git a/frida_mode/test/cmov/Makefile b/frida_mode/test/cmov/Makefile
new file mode 100644
index 00000000..9ef6fc8f
--- /dev/null
+++ b/frida_mode/test/cmov/Makefile
@@ -0,0 +1,19 @@
+all:
+ @echo trying to use GNU make...
+ @gmake all || echo please install GNUmake
+
+32:
+ @echo trying to use GNU make...
+ @gmake 32 || echo please install GNUmake
+
+clean:
+ @gmake clean
+
+frida:
+ @gmake frida
+
+format:
+ @gmake format
+
+debug:
+ @gmake debug
diff --git a/frida_mode/test/cmov/cmov.c b/frida_mode/test/cmov/cmov.c
new file mode 100644
index 00000000..08c7c132
--- /dev/null
+++ b/frida_mode/test/cmov/cmov.c
@@ -0,0 +1,122 @@
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+static bool cmov_test(char *x, char *y, size_t len) {
+
+ register char * __rdi __asm__("rdi") = x;
+ register char * __rsi __asm__("rsi") = y;
+ register size_t __rcx __asm__("rcx") = len;
+
+ register long __rax __asm__("rax");
+
+ __asm__ __volatile__(
+ "mov $0x1, %%rax\n"
+ "mov $0x0, %%r8\n"
+ "1:\n"
+ "mov (%%rsi), %%bl\n"
+ "mov (%%rdi), %%dl\n"
+ "cmp %%bl, %%dl\n"
+ "cmovne %%r8, %%rax\n"
+ "inc %%rsi\n"
+ "inc %%rdi\n"
+ "dec %%rcx\n"
+ "jnz 1b\n"
+ : "=r"(__rax)
+ : "r"(__rdi), "r"(__rsi)
+ : "r8", "bl", "dl", "memory");
+
+ return __rax;
+
+}
+
+void LLVMFuzzerTestOneInput(char *buf, int len) {
+
+ char match[] = "CBAABC";
+
+ if (len > sizeof(match)) { return; }
+
+ if (cmov_test(buf, match, sizeof(buf)) != 0) {
+
+ printf("Puzzle solved, congrats!\n");
+ abort();
+
+ }
+
+}
+
+int main(int argc, char **argv) {
+
+ char * file;
+ int fd = -1;
+ off_t len;
+ char * buf = NULL;
+ size_t n_read;
+ int result = -1;
+
+ if (argc != 2) { return 1; }
+
+ do {
+
+ file = argv[1];
+
+ dprintf(STDERR_FILENO, "Running: %s\n", file);
+
+ fd = open(file, O_RDONLY);
+ if (fd < 0) {
+
+ perror("open");
+ break;
+
+ }
+
+ len = lseek(fd, 0, SEEK_END);
+ if (len < 0) {
+
+ perror("lseek (SEEK_END)");
+ break;
+
+ }
+
+ if (lseek(fd, 0, SEEK_SET) != 0) {
+
+ perror("lseek (SEEK_SET)");
+ break;
+
+ }
+
+ buf = (char *)malloc(len);
+ if (buf == NULL) {
+
+ perror("malloc");
+ break;
+
+ }
+
+ n_read = read(fd, buf, len);
+ if (n_read != len) {
+
+ perror("read");
+ break;
+
+ }
+
+ dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read);
+
+ LLVMFuzzerTestOneInput(buf, len);
+ dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read);
+
+ result = 0;
+
+ } while (false);
+
+ if (buf != NULL) { free(buf); }
+
+ if (fd != -1) { close(fd); }
+
+ return result;
+
+}
+
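Review bot: `cmov_test(buf, match, sizeof(buf))` in LLVMFuzzerTestOneInput passes the size of the pointer (8 on x86-64) rather than `len`, so the loop always compares 8 bytes while `match` holds 7 and any input that passes the `len > sizeof(match)` guard holds at most 7, reading past the end of both; the call should be `cmov_test(buf, match, len)`. The asm statement in cmov_test also under-declares its operands: `__rcx` is never listed, so the compiler is not obliged to have `len` in rcx when `dec %%rcx` runs, and rdi/rsi are advanced by `inc` although they are declared input-only, which is undefined for an input operand; listing all three as `"+r"` in-out operands fixes both. Once `len` is passed, a zero-length input would decrement rcx past zero and loop until it wraps, so `len == 0` needs an early return. With a prefix compare a 1-byte input `C` would then also print "Puzzle solved"; if an exact match is intended, the guard should be `if (len != sizeof(match) - 1) { return; }`.
```c
static bool cmov_test(char *x, char *y, size_t len) {
  /* … unchanged: register variable declarations … */

  /* dec/jnz would wrap rcx and loop 2^64 times for len == 0 */
  if (len == 0) { return true; } /* empty prefix counts as equal -- confirm intended */

  __asm__ __volatile__(
      /* … unchanged: compare loop … */
      : "=r"(__rax), "+r"(__rdi), "+r"(__rsi), "+r"(__rcx)
      :
      : "r8", "bl", "dl", "memory");
  /* … unchanged: return __rax … */
}

/* … unchanged: LLVMFuzzerTestOneInput up to the compare call … */
  if (cmov_test(buf, match, len) != 0) {
```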