authorvan Hauser <vh@thc.org>2020-06-09 19:25:09 +0200
committerGitHub <noreply@github.com>2020-06-09 19:25:09 +0200
commit12bdefe00e38cdc3dd8cb028eeac325ab2e94e16 (patch)
tree0d321d362a19ff19a4a98dcd1b9b72601945695f /unicorn_mode/samples/persistent
parent748238d6ab4aeb7f34958d4c37c5ef200ad22463 (diff)
parent81829d132bebcb42c0e289bb5788b8f2b29c1599 (diff)
Merge pull request #392 from AFLplusplus/dev
Push to master
Diffstat (limited to 'unicorn_mode/samples/persistent')
-rw-r--r--unicorn_mode/samples/persistent/Makefile4
-rw-r--r--unicorn_mode/samples/persistent/harness.c42
2 files changed, 28 insertions, 18 deletions
diff --git a/unicorn_mode/samples/persistent/Makefile b/unicorn_mode/samples/persistent/Makefile
index 9596facc..80a47550 100644
--- a/unicorn_mode/samples/persistent/Makefile
+++ b/unicorn_mode/samples/persistent/Makefile
@@ -38,13 +38,13 @@ harness.o: harness.c ../../unicornafl/include/unicorn/*.h
${MYCC} ${CFLAGS} -O3 -c harness.c
harness-debug.o: harness.c ../../unicornafl/include/unicorn/*.h
- ${MYCC} ${CFLAGS} -g -c harness.c -o $@
+ ${MYCC} ${CFLAGS} -DAFL_DEBUG=1 -g -c harness.c -o $@
harness: harness.o
${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o $@
debug: harness-debug.o
- ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o harness-debug
+ ${MYCC} -L${LIBDIR} harness-debug.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o harness-debug
fuzz: harness
../../../afl-fuzz -m none -i sample_inputs -o out -- ./harness @@
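Review bot: The `debug` target writes `harness-debug` but is itself named `debug`, so unless a `.PHONY` declaration exists outside the hunk, make has no file to compare against and relinks on every run; either rename it to `harness-debug: harness-debug.o` or add `.PHONY: debug fuzz`. The object fix itself is right: before this change the `debug` target linked `harness.o`, i.e. the `-O3` object built without `-DAFL_DEBUG=1`, so the debug binary never contained the debug output it was meant to show. A one-line comment above the rule, `# harness-debug: same harness with -g and AFL_DEBUG printing enabled`, would make the two rules' relationship obvious.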
diff --git a/unicorn_mode/samples/persistent/harness.c b/unicorn_mode/samples/persistent/harness.c
index 3d379f46..30013b4c 100644
--- a/unicorn_mode/samples/persistent/harness.c
+++ b/unicorn_mode/samples/persistent/harness.c
@@ -68,7 +68,7 @@ static void hook_code(uc_engine *uc, uint64_t address, uint32_t size, void *user
/*
The sample uses strlen, since we don't have a loader or libc, we'll fake it.
-We know the strlen will return the lenght of argv[1] that we just planted.
+We know the strlen will return the length of argv[1] that we just planted.
It will be a lot faster than an actual strlen for this specific purpose.
*/
static void hook_strlen(uc_engine *uc, uint64_t address, uint32_t size, void *user_data) {
@@ -86,7 +86,7 @@ static void hook_strlen(uc_engine *uc, uint64_t address, uint32_t size, void *us
static uint64_t pad(uint64_t size) {
if (size % ALIGNMENT == 0) return size;
return ((size / ALIGNMENT) + 1) * ALIGNMENT;
-}
+}
/* returns the filesize in bytes, -1 or error. */
static off_t afl_mmap_file(char *filename, char **buf_ptr) {
@@ -100,9 +100,9 @@ static off_t afl_mmap_file(char *filename, char **buf_ptr) {
off_t in_len = st.st_size;
if (in_len == -1) {
- /* This can only ever happen on 32 bit if the file is exactly 4gb. */
- fprintf(stderr, "Filesize of %s too large\n", filename);
- goto exit;
+ /* This can only ever happen on 32 bit if the file is exactly 4gb. */
+ fprintf(stderr, "Filesize of %s too large\n", filename);
+ goto exit;
}
*buf_ptr = mmap(0, in_len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
@@ -117,10 +117,10 @@ exit:
/* Place the input at the right spot inside unicorn */
static bool place_input_callback(
- uc_engine *uc,
- char *input,
- size_t input_len,
- uint32_t persistent_round,
+ uc_engine *uc,
+ char *input,
+ size_t input_len,
+ uint32_t persistent_round,
void *data
){
// printf("Placing input with len %ld to %x\n", input_len, DATA_ADDRESS);
@@ -129,12 +129,22 @@ static bool place_input_callback(
return false;
}
+#if defined(AFL_DEBUG)
+ printf("[d] harness: input len=%ld, [ ", input_len);
+ int i = 0;
+ for (i = 0; i < input_len && i < 16; i++) {
+ printf("0x%02x ", (unsigned char) input[i]);
+ }
+ if (input_len > 16) printf("... ");
+ printf("]\n");
+#endif
+
// For persistent mode, we have to set up stack and memory each time.
uc_reg_write(uc, UC_X86_REG_RIP, &CODE_ADDRESS); // Set the instruction pointer back
// Set up the function parameters accordingly RSI, RDI (see calling convention/disassembly)
uc_reg_write(uc, UC_X86_REG_RSI, &INPUT_LOCATION); // argv
uc_reg_write(uc, UC_X86_REG_RDI, &EMULATED_ARGC); // argc == 2
-
+
// We need a valid c string, make sure it never goes out of bounds.
input[input_len-1] = '\0';
// Write the testcase to unicorn.
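Review bot: The new diagnostic `printf("[d] harness: input len=%ld, [ ", input_len);` passes a `size_t` to `%ld`, a type mismatch the standard leaves undefined and that `-Wformat` reports; use `%zu`, and declare the index as `size_t i` so `i < input_len` is not a signed/unsigned comparison. Separately, the pre-existing line `input[input_len-1] = '\0';` underflows to `input[SIZE_MAX]` when `input_len` is 0 — unless the check just above the hunk already rejects an empty input (its condition is outside the view), add `if (input_len == 0) return false;` before it. Note also that the terminator overwrites the last input byte rather than being appended, so the emulated target never sees the final byte of any test case; if that is intentional, a comment saying so would save the next reader a question. place_input_callback's body continues outside the hunk.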
@@ -188,13 +198,13 @@ int main(int argc, char **argv, char **envp) {
return -2;
}
if (len == 0) {
- fprintf(stderr, "File at '%s' is empty\n", BINARY_FILE);
- return -3;
+ fprintf(stderr, "File at '%s' is empty\n", BINARY_FILE);
+ return -3;
}
// Map memory.
mem_map_checked(uc, BASE_ADDRESS, len, UC_PROT_ALL);
- printf("Len: %lx", len);
+ printf("Len: %lx\n", len);
fflush(stdout);
// write machine code to be emulated to memory
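Review bot: `printf("Len: %lx\n", len);` prints `len`, which afl_mmap_file returns as `off_t`, with `%lx` (unsigned long); that only lines up on LP64 and is still a signedness mismatch there — use `printf("Len: %jx\n", (uintmax_t) len);`. The call `mem_map_checked(uc, BASE_ADDRESS, len, UC_PROT_ALL)` passes the raw file length; as far as I recall Unicorn's uc_mem_map requires 4 KiB-aligned sizes, so unless mem_map_checked rounds up (its body is outside the hunk, though `pad()` exists earlier in the file) an unaligned binary fails to map. The region is also RWX, which lets the emulated code modify itself; acceptable for a sample, but a comment such as `// UC_PROT_ALL: sample only, code region is RWX` would flag it as deliberate. main continues outside the hunk.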
@@ -209,7 +219,7 @@ int main(int argc, char **argv, char **envp) {
uint64_t start_address = CODE_ADDRESS; // address of entry point of main()
uint64_t end_address = END_ADDRESS; // Address of last instruction in main()
uc_reg_write(uc, UC_X86_REG_RIP, &start_address); // address of entry point of main()
-
+
// Setup the Stack
mem_map_checked(uc, STACK_ADDRESS - STACK_SIZE, STACK_SIZE, UC_PROT_READ | UC_PROT_WRITE);
uint64_t stack_val = STACK_ADDRESS;
@@ -219,7 +229,7 @@ int main(int argc, char **argv, char **envp) {
// reserve some space for our input data
mem_map_checked(uc, INPUT_LOCATION, INPUT_SIZE_MAX, UC_PROT_READ);
- // build a "dummy" argv with lenth 2 at 0x10000:
+ // build a "dummy" argv with length 2 at 0x10000:
// 0x10000 argv[0] NULL
// 0x10008 argv[1] (char *)0x10016 --. points to the next offset.
// 0x10016 argv[1][0], ... <-^ contains the acutal input data. (INPUT_LOCATION + INPUT_OFFSET)
@@ -264,6 +274,6 @@ int main(int argc, char **argv, char **envp) {
break;
default:
break;
- }
+ }
return 0;
}