-rw-r--r--frida_mode/GNUmakefile64
-rw-r--r--frida_mode/include/complog.h5
-rw-r--r--frida_mode/include/instrument.h11
-rw-r--r--frida_mode/include/interceptor.h5
-rw-r--r--frida_mode/include/lib.h5
-rw-r--r--frida_mode/include/persistent.h8
-rw-r--r--frida_mode/include/prefetch.h5
-rw-r--r--frida_mode/include/ranges.h5
-rw-r--r--frida_mode/include/stalker.h5
-rw-r--r--frida_mode/include/util.h8
-rw-r--r--frida_mode/src/complog/complog.c3
-rw-r--r--frida_mode/src/complog/complog_x64.c50
-rw-r--r--frida_mode/src/instrument/instrument.c9
-rw-r--r--frida_mode/src/interceptor.c2
-rw-r--r--frida_mode/src/main.c7
-rw-r--r--frida_mode/src/persistent/persistent.c3
-rw-r--r--frida_mode/src/persistent/persistent_x64.c2
-rw-r--r--frida_mode/src/ranges.c19
-rw-r--r--frida_mode/test/png/GNUmakefile1
19 files changed, 153 insertions, 64 deletions
diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index 6b193806..e317237a 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -3,9 +3,25 @@ ROOT:=$(shell realpath $(PWD)..)/
INC_DIR:=$(PWD)include/
SRC_DIR:=$(PWD)src/
INCLUDES:=$(wildcard $(INC_DIR)*.h)
-SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c)
BUILD_DIR:=$(PWD)build/
-CFLAGS+=-fPIC -D_GNU_SOURCE -Wno-prio-ctor-dtor -fcommon -Wl,--allow-multiple-definition
+OBJ_DIR:=$(BUILD_DIR)obj/
+SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c)
+OBJS:=$(foreach src,$(SOURCES),$(OBJ_DIR)$(notdir $(patsubst %.c, %.o, $(src))))
+CFLAGS+=-fPIC \
+ -D_GNU_SOURCE \
+ -D_FORTIFY_SOURCE=2 \
+ -Werror \
+ -Wall \
+ -Wextra \
+ -Wpointer-arith \
+ -g \
+ -O3 \
+ -funroll-loops \
+
+LDFLAGS+=-shared \
+ -lpthread \
+ -lresolv \
+ -ldl \
FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/
FRIDA_TRACE:=$(BUILD_DIR)afl-frida-trace.so
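Review bot: The final entry of each new multi-line assignment still ends in a backslash (`-funroll-loops \` at L49, `-ldl \` at L54); in a variable definition a backslash-newline joins the following line into the value, so CFLAGS absorbs the empty line that follows it and LDFLAGS would swallow `FRIDA_BUILD_DIR:=…` if no blank line separates them (blank context lines may have been dropped in this rendering). Drop the trailing backslash on the last item of each list. Separately, `-fPIC` and `-D_FORTIFY_SOURCE=2` are mandatory for this shared object, but because they are added with `CFLAGS+=` a command-line `make CFLAGS=…` overrides the whole list and silently drops them; keeping the required flags in their own variable that is combined with the user's CFLAGS at the compile line avoids that.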
@@ -36,7 +52,8 @@ GUM_DEVKIT_TARBALL:=$(FRIDA_BUILD_DIR)$(GUM_DEVKIT_FILENAME)
GUM_DEVIT_LIBRARY=$(FRIDA_BUILD_DIR)libfrida-gum.a
GUM_DEVIT_HEADER=$(FRIDA_BUILD_DIR)frida-gum.h
-TEST_BUILD_DIR:=$(BUILD_DIR)test/
+AFL_COMPILER_RT_SRC:=$(ROOT)instrumentation/afl-compiler-rt.o.c
+AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o
.PHONY: all clean format
@@ -49,6 +66,9 @@ all: $(FRIDA_TRACE)
$(BUILD_DIR):
mkdir -p $(BUILD_DIR)
+$(OBJ_DIR): | $(BUILD_DIR)
+ mkdir -p $@
+
$(FRIDA_BUILD_DIR): | $(BUILD_DIR)
mkdir -p $@
@@ -61,18 +81,40 @@ $(GUM_DEVIT_LIBRARY): | $(GUM_DEVKIT_TARBALL)
$(GUM_DEVIT_HEADER): | $(GUM_DEVKIT_TARBALL)
tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR)
-$(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(SOURCES) $(QEMU_INC_API) Makefile | $(BUILD_DIR)
- $(CC) -shared \
+$(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC)
+ $(CC) \
$(CFLAGS) \
- -o $@ \
- $(SOURCES) \
- $(GUM_DEVIT_LIBRARY) \
- -I $(FRIDA_BUILD_DIR) \
-I $(ROOT) \
-I $(ROOT)include \
+ -Wno-unused-parameter \
+ -Wno-sign-compare \
+ -Wno-unused-function \
+ -Wno-prio-ctor-dtor \
+ -Wno-unused-result \
+ -o $@ \
+ -c $<
+
+
+define BUILD_SOURCE =
+$(2): $(1) GNUmakefile | $(OBJ_DIR)
+ $(CC) \
+ $(CFLAGS) \
+ -I $(ROOT)include \
+ -I $(FRIDA_BUILD_DIR) \
-I $(INC_DIR) \
- $(ROOT)instrumentation/afl-compiler-rt.o.c
-# -lpthread -ldl -lresolv -lelf
+ -c $1 \
+ -o $2
+endef
+
+$(foreach src,$(SOURCES),$(eval $(call BUILD_SOURCE,$(src),$(OBJ_DIR)$(notdir $(patsubst %.c, %.o, $(src))))))
+
+$(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(AFL_COMPILER_RT_OBJ) GNUmakefile | $(BUILD_DIR)
+ $(CC) \
+ -o $@ \
+ $(OBJS) \
+ $(GUM_DEVIT_LIBRARY) \
+ $(AFL_COMPILER_RT_OBJ) \
+ $(LDFLAGS) \
cp -v $(FRIDA_TRACE) $(ROOT)
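Review bot: `$(AFL_COMPILER_RT_OBJ)` at L77 writes into `$(OBJ_DIR)` but lists no `| $(OBJ_DIR)` order-only prerequisite, unlike the per-source rule generated by `BUILD_SOURCE` at L96, so whenever it is scheduled before any `$(OBJS)` rule has run (under `make -j`, or when named directly) the compile fails because the directory does not exist yet. Change the header to `$(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC) GNUmakefile | $(OBJ_DIR)` — adding GNUmakefile also rebuilds it when the flags change, as the other objects already do. The link recipe also ends with `$(LDFLAGS) \` at L116 right before the `cp -v` line; unless a blank line separates them, that backslash makes `cp -v …` part of the `$(CC)` command line, so the trailing backslash should go.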
diff --git a/frida_mode/include/complog.h b/frida_mode/include/complog.h
index 094b7b93..1c1adb6d 100644
--- a/frida_mode/include/complog.h
+++ b/frida_mode/include/complog.h
@@ -1,3 +1,6 @@
+#ifndef _COMPLOG_H
+#define _COMPLOG_H
+
extern struct cmp_map *__afl_cmp_map;
void complog_init(void);
@@ -7,3 +10,5 @@ void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator);
gboolean complog_is_readable(void *addr, size_t size);
+#endif
+
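Review bot: `_COMPLOG_H` starts with an underscore followed by an uppercase letter, a spelling the C standard reserves for the implementation (C11 7.1.3), and the same pattern is used by every guard this commit introduces (`_INSTRUMENT_H`, `_UTIL_H`, …) as well as the pre-existing `_PERSISTENT_H`. It works in practice but can collide with libc-internal macros, so a project prefix is safer, e.g. `#ifndef AFL_FRIDA_COMPLOG_H` / `#define AFL_FRIDA_COMPLOG_H`. Style point only; no behaviour change.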
diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h
index 1b6c6bba..03fd33e5 100644
--- a/frida_mode/include/instrument.h
+++ b/frida_mode/include/instrument.h
@@ -1,10 +1,13 @@
+#ifndef _INSTRUMENT_H
+#define _INSTRUMENT_H
+
#include "frida-gum.h"
#include "config.h"
-extern uint64_t __thread previous_pc;
-extern uint8_t *__afl_area_ptr;
-extern uint32_t __afl_map_size;
+extern __thread uint64_t previous_pc;
+extern uint8_t * __afl_area_ptr;
+extern uint32_t __afl_map_size;
void instrument_init(void);
@@ -16,3 +19,5 @@ gboolean instrument_is_coverage_optimize_supported(void);
void instrument_coverage_optimize(const cs_insn * instr,
GumStalkerOutput *output);
+#endif
+
diff --git a/frida_mode/include/interceptor.h b/frida_mode/include/interceptor.h
index 49c0630a..0ff754a4 100644
--- a/frida_mode/include/interceptor.h
+++ b/frida_mode/include/interceptor.h
@@ -1,6 +1,11 @@
+#ifndef _INTERCEPTOR_H
+#define _INTERCEPTOR_H
+
#include "frida-gum.h"
void intercept(void *address, gpointer replacement, gpointer user_data);
void unintercept(void *address);
void unintercept_self(void);
+#endif
+
diff --git a/frida_mode/include/lib.h b/frida_mode/include/lib.h
index 1dc426a2..237aecb0 100644
--- a/frida_mode/include/lib.h
+++ b/frida_mode/include/lib.h
@@ -1,3 +1,6 @@
+#ifndef _LIB_H
+#define _LIB_H
+
#include "frida-gum.h"
void lib_init(void);
@@ -6,3 +9,5 @@ guint64 lib_get_text_base(void);
guint64 lib_get_text_limit(void);
+#endif
+
diff --git a/frida_mode/include/persistent.h b/frida_mode/include/persistent.h
index 017c26c7..e58c5301 100644
--- a/frida_mode/include/persistent.h
+++ b/frida_mode/include/persistent.h
@@ -1,6 +1,5 @@
#ifndef _PERSISTENT_H
-
#define _PERSISTENT_H
#include "frida-gum.h"
@@ -17,9 +16,9 @@ extern int __afl_persistent_loop(unsigned int max_cnt);
extern unsigned int * __afl_fuzz_len;
extern unsigned char *__afl_fuzz_ptr;
-guint64 persistent_start;
-guint64 persistent_count;
-afl_persistent_hook_fn hook;
+extern guint64 persistent_start;
+extern guint64 persistent_count;
+extern afl_persistent_hook_fn hook;
void persistent_init(void);
@@ -29,3 +28,4 @@ gboolean persistent_is_supported(void);
void persistent_prologue(GumStalkerOutput *output);
#endif
+
diff --git a/frida_mode/include/prefetch.h b/frida_mode/include/prefetch.h
index 110f717f..8f0cee68 100644
--- a/frida_mode/include/prefetch.h
+++ b/frida_mode/include/prefetch.h
@@ -1,6 +1,11 @@
+#ifndef _PREFETCH_H
+#define _PREFETCH_H
+
#include "frida-gum.h"
void prefetch_init(void);
void prefetch_write(void *addr);
void prefetch_read(void);
+#endif
+
diff --git a/frida_mode/include/ranges.h b/frida_mode/include/ranges.h
index a021f35c..f652eb8a 100644
--- a/frida_mode/include/ranges.h
+++ b/frida_mode/include/ranges.h
@@ -1,6 +1,11 @@
+#ifndef _RANGES_H
+#define _RANGES_H
+
#include "frida-gum.h"
void ranges_init(void);
gboolean range_is_excluded(gpointer address);
+#endif
+
diff --git a/frida_mode/include/stalker.h b/frida_mode/include/stalker.h
index 1962eec9..1f1abb6b 100644
--- a/frida_mode/include/stalker.h
+++ b/frida_mode/include/stalker.h
@@ -1,3 +1,6 @@
+#ifndef _STALKER_H
+#define _STALKER_H
+
#include "frida-gum.h"
void stalker_init(void);
@@ -6,3 +9,5 @@ void stalker_start(void);
void stalker_pause(void);
void stalker_resume(void);
+#endif
+
diff --git a/frida_mode/include/util.h b/frida_mode/include/util.h
index 5b4ea76b..afd0b9c1 100644
--- a/frida_mode/include/util.h
+++ b/frida_mode/include/util.h
@@ -1,6 +1,14 @@
+#ifndef _UTIL_H
+#define _UTIL_H
+
#include "frida-gum.h"
+#define UNUSED_PARAMETER(x) (void)(x)
+#define IGNORED_RERURN(x) (void)!(x)
+
guint64 util_read_address(char *key);
guint64 util_read_num(char *key);
+#endif
+
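Review bot: `IGNORED_RERURN` at L257 is a typo for `IGNORED_RETURN`, and since instrument.c already adopts it at L371 the misspelling will spread to every future call site; rename it now while there is one user: `#define IGNORED_RETURN(x) (void)!(x)`. A one-line comment on each macro would also help, since the `(void)!` form is non-obvious — it is presumably there because a plain `(void)` cast does not silence GCC's `warn_unused_result` on the fortified `write()` that `-D_FORTIFY_SOURCE=2` (L42) enables, while `(void)!(x)` does.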
diff --git a/frida_mode/src/complog/complog.c b/frida_mode/src/complog/complog.c
index 3b679a5c..1857ea3b 100644
--- a/frida_mode/src/complog/complog.c
+++ b/frida_mode/src/complog/complog.c
@@ -2,6 +2,7 @@
#include "debug.h"
#include "cmplog.h"
+#include "util.h"
extern struct cmp_map *__afl_cmp_map;
@@ -10,8 +11,10 @@ static GArray *complog_ranges = NULL;
static gboolean complog_range(const GumRangeDetails *details,
gpointer user_data) {
+ UNUSED_PARAMETER(user_data);
GumMemoryRange range = *details->range;
g_array_append_val(complog_ranges, range);
+ return TRUE;
}
diff --git a/frida_mode/src/complog/complog_x64.c b/frida_mode/src/complog/complog_x64.c
index 253ec041..28010e7f 100644
--- a/frida_mode/src/complog/complog_x64.c
+++ b/frida_mode/src/complog/complog_x64.c
@@ -4,6 +4,7 @@
#include "cmplog.h"
#include "complog.h"
+#include "util.h"
#if defined(__x86_64__)
@@ -148,7 +149,27 @@ static guint64 complog_read_mem(GumX64CpuContext *ctx, x86_op_mem *mem) {
}
-static void complog_handle_call(GumCpuContext *context, guint64 target) {
+static guint64 cmplog_get_operand_value(GumCpuContext *context,
+ complog_ctx_t *ctx) {
+
+ switch (ctx->type) {
+
+ case X86_OP_REG:
+ return complog_read_reg(context, ctx->reg);
+ case X86_OP_IMM:
+ return ctx->imm;
+ case X86_OP_MEM:
+ return complog_read_mem(context, &ctx->mem);
+ default:
+ FATAL("Invalid operand type: %d\n", ctx->type);
+
+ }
+
+}
+
+static void complog_call_callout(GumCpuContext *context, gpointer user_data) {
+
+ UNUSED_PARAMETER(user_data);
guint64 address = complog_read_reg(context, X86_REG_RIP);
guint64 rdi = complog_read_reg(context, X86_REG_RDI);
@@ -179,33 +200,6 @@ static void complog_handle_call(GumCpuContext *context, guint64 target) {
}
-static guint64 cmplog_get_operand_value(GumCpuContext *context,
- complog_ctx_t *ctx) {
-
- switch (ctx->type) {
-
- case X86_OP_REG:
- return complog_read_reg(context, ctx->reg);
- case X86_OP_IMM:
- return ctx->imm;
- case X86_OP_MEM:
- return complog_read_mem(context, &ctx->mem);
- default:
- FATAL("Invalid operand type: %d\n", ctx->type);
-
- }
-
-}
-
-static void complog_call_callout(GumCpuContext *context, gpointer user_data) {
-
- complog_ctx_t *ctx = (complog_ctx_t *)user_data;
-
- guint64 target = cmplog_get_operand_value(context, ctx);
- complog_handle_call(context, target);
-
-}
-
static void complog_instrument_put_operand(complog_ctx_t *ctx,
cs_x86_op * operand) {
diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c
index 81080bee..3806136a 100644
--- a/frida_mode/src/instrument/instrument.c
+++ b/frida_mode/src/instrument/instrument.c
@@ -11,17 +11,18 @@
#include "prefetch.h"
#include "ranges.h"
#include "stalker.h"
+#include "util.h"
static gboolean tracing = false;
static gboolean optimize = false;
-static gboolean strict = false;
static GumStalkerTransformer *transformer = NULL;
-uint64_t __thread previous_pc = 0;
+__thread uint64_t previous_pc = 0;
__attribute__((hot)) static void on_basic_block(GumCpuContext *context,
gpointer user_data) {
+ UNUSED_PARAMETER(context);
/*
* This function is performance critical as it is called to instrument every
* basic block. By moving our print buffer to a global, we avoid it affecting
@@ -44,7 +45,7 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context,
"x, previous_pc: 0x%016" G_GINT64_MODIFIER "x\n",
current_pc, previous_pc);
- write(STDOUT_FILENO, buffer, len + 1);
+ IGNORED_RERURN(write(STDOUT_FILENO, buffer, len + 1));
}
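Review bot: `write(STDOUT_FILENO, buffer, len + 1)` emits one byte past the formatted text — the NUL terminator, if `len` is the return value of the format call whose tail is visible at L368–L369 (the call itself starts above the hunk). It also over-reads `buffer` whenever that call truncated, because `snprintf`-style functions return the length they wanted rather than what they wrote, so `len + 1` can exceed the buffer. Wrapping the call in `IGNORED_RERURN` silences the unused-result warning but not this; clamp the count, e.g. `IGNORED_RERURN(write(STDOUT_FILENO, buffer, MIN(len, sizeof(buffer) - 1)));` assuming `buffer` is the global array the comment at L366 describes. on_basic_block continues outside the hunk.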
@@ -72,6 +73,8 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context,
static void instr_basic_block(GumStalkerIterator *iterator,
GumStalkerOutput *output, gpointer user_data) {
+ UNUSED_PARAMETER(user_data);
+
const cs_insn *instr;
gboolean begin = TRUE;
while (gum_stalker_iterator_next(iterator, &instr)) {
diff --git a/frida_mode/src/interceptor.c b/frida_mode/src/interceptor.c
index 8d41b075..d2802752 100644
--- a/frida_mode/src/interceptor.c
+++ b/frida_mode/src/interceptor.c
@@ -10,7 +10,7 @@ void intercept(void *address, gpointer replacement, gpointer user_data) {
gum_interceptor_begin_transaction(interceptor);
GumReplaceReturn ret =
gum_interceptor_replace(interceptor, address, replacement, user_data);
- if (ret != GUM_ATTACH_OK) { FATAL("gum_interceptor_attach: %d", ret); }
+ if (ret != GUM_REPLACE_OK) { FATAL("gum_interceptor_attach: %d", ret); }
gum_interceptor_end_transaction(interceptor);
}
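Review bot: The fatal message at L390 still names `gum_interceptor_attach`, but the result it reports comes from `gum_interceptor_replace` at L388, so a failure here would point the reader at the wrong API; change it to `if (ret != GUM_REPLACE_OK) { FATAL("gum_interceptor_replace: %d", ret); }`. The transaction opened at L386 is left open on that path, which is fine only because FATAL presumably does not return — a short comment saying so would save the next reader the question.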
diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c
index f712a8c0..11cf041c 100644
--- a/frida_mode/src/main.c
+++ b/frida_mode/src/main.c
@@ -21,6 +21,7 @@
#include "prefetch.h"
#include "ranges.h"
#include "stalker.h"
+#include "util.h"
#ifdef __APPLE__
extern mach_port_t mach_task_self();
@@ -36,8 +37,6 @@ typedef int *(*main_fn_t)(int argc, char **argv, char **envp);
static main_fn_t main_fn = NULL;
-static GumMemoryRange code_range = {0};
-
extern void __afl_manual_init();
static int on_fork(void) {
@@ -55,6 +54,8 @@ static void on_main_os(int argc, char **argv, char **envp) {
#else
static void on_main_os(int argc, char **argv, char **envp) {
+ UNUSED_PARAMETER(argc);
+
/* Personality doesn't affect the current process, it only takes effect on
* evec */
int persona = personality(ADDR_NO_RANDOMIZE);
@@ -97,7 +98,7 @@ static int *on_main(int argc, char **argv, char **envp) {
/* Child here */
previous_pc = 0;
stalker_resume();
- main_fn(argc, argv, envp);
+ return main_fn(argc, argv, envp);
}
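Review bot: `return main_fn(argc, argv, envp)` now propagates the target's exit status, but `main_fn_t` is declared at L404 as returning `int *` (and `on_main` at L418 likewise), whereas a C `main` returns `int`; on x86-64 this happens to work because both come back in `rax`, yet the declared type is wrong and the exit status is being laundered through a pointer. Change the typedef to `typedef int (*main_fn_t)(int argc, char **argv, char **envp);` and the function to `static int on_main(int argc, char **argv, char **envp)`, keeping the `return`. Both declarations lie outside this hunk.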
diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c
index 34e4093e..fe3a1d20 100644
--- a/frida_mode/src/persistent/persistent.c
+++ b/frida_mode/src/persistent/persistent.c
@@ -9,6 +9,9 @@
#include "util.h"
int __afl_sharedmem_fuzzing = 0;
+afl_persistent_hook_fn hook = NULL;
+guint64 persistent_start = 0;
+guint64 persistent_count = 0;
void persistent_init(void) {
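Review bot: `hook`, `persistent_start` and `persistent_count` are now real global definitions in a shared object that is loaded into the fuzz target's address space, and with default ELF visibility they are exported, so a target (or any library it loads) that defines its own `hook` may interpose on or be interposed by this one and silently redirect the persistent-mode hook. `hook` in particular is generic enough for that to be plausible, and the CFLAGS at L40–L49 do not pass `-fvisibility=hidden`. Rename these to `persistent_hook`, `persistent_start`/`persistent_count` are already prefixed, and consider building with `-fvisibility=hidden` while exporting only the `__afl_*` symbols the runtime needs.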
diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c
index 0cabbf24..5b8493b2 100644
--- a/frida_mode/src/persistent/persistent_x64.c
+++ b/frida_mode/src/persistent/persistent_x64.c
@@ -231,7 +231,7 @@ static int instrument_afl_persistent_loop_func(void) {
}
-static int instrument_afl_persistent_loop(GumX86Writer *cw) {
+static void instrument_afl_persistent_loop(GumX86Writer *cw) {
gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
-(GUM_RED_ZONE_SIZE));
diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c
index 6fcbd258..e3f09f9e 100644
--- a/frida_mode/src/ranges.c
+++ b/frida_mode/src/ranges.c
@@ -5,6 +5,7 @@
#include "lib.h"
#include "ranges.h"
#include "stalker.h"
+#include "util.h"
#define MAX_RANGES 20
@@ -167,6 +168,7 @@ gint range_sort(gconstpointer a, gconstpointer b) {
static gboolean print_ranges_callback(const GumRangeDetails *details,
gpointer user_data) {
+ UNUSED_PARAMETER(user_data);
if (details->file == NULL) {
OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER "X",
@@ -190,7 +192,7 @@ static gboolean print_ranges_callback(const GumRangeDetails *details,
static void print_ranges(char *key, GArray *ranges) {
OKF("Range: %s Length: %d", key, ranges->len);
- for (int i = 0; i < ranges->len; i++) {
+ for (guint i = 0; i < ranges->len; i++) {
GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i);
GumAddress curr_limit = curr->base_address + curr->size;
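Review bot: `OKF("Range: %s Length: %d", key, ranges->len)` at L464 prints a `guint` with `%d`; the hunk fixes the loop index to `guint` for the same field but leaves the mismatched conversion, which `-Wformat-signedness` would flag and which prints nonsense for lengths above `INT_MAX`. Change it to `OKF("Range: %s Length: %u", key, ranges->len);`.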
@@ -345,10 +347,10 @@ static GArray *intersect_ranges(GArray *a, GArray *b) {
result = g_array_new(false, false, sizeof(GumMemoryRange));
- for (int i = 0; i < a->len; i++) {
+ for (guint i = 0; i < a->len; i++) {
ra = &g_array_index(a, GumMemoryRange, i);
- for (int j = 0; j < b->len; j++) {
+ for (guint j = 0; j < b->len; j++) {
rb = &g_array_index(b, GumMemoryRange, j);
@@ -377,11 +379,11 @@ static GArray *subtract_ranges(GArray *a, GArray *b) {
result = g_array_new(false, false, sizeof(GumMemoryRange));
- for (int i = 0; i < a->len; i++) {
+ for (guint i = 0; i < a->len; i++) {
ra = &g_array_index(a, GumMemoryRange, i);
ral = ra->base_address + ra->size;
- for (int j = 0; j < b->len; j++) {
+ for (guint j = 0; j < b->len; j++) {
rb = &g_array_index(b, GumMemoryRange, j);
@@ -453,7 +455,7 @@ static GArray *merge_ranges(GArray *a) {
rp = g_array_index(a, GumMemoryRange, 0);
- for (int i = 1; i < a->len; i++) {
+ for (guint i = 1; i < a->len; i++) {
r = &g_array_index(a, GumMemoryRange, i);
@@ -535,7 +537,7 @@ void ranges_init(void) {
stalker = stalker_get();
- for (int i = 0; i < ranges->len; i++) {
+ for (guint i = 0; i < ranges->len; i++) {
r = &g_array_index(ranges, GumMemoryRange, i);
gum_stalker_exclude(stalker, r);
@@ -551,12 +553,11 @@ void ranges_init(void) {
gboolean range_is_excluded(gpointer address) {
- int i;
GumAddress test = GUM_ADDRESS(address);
if (ranges == NULL) { return false; }
- for (i = 0; i < ranges->len; i++) {
+ for (guint i = 0; i < ranges->len; i++) {
GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i);
GumAddress curr_limit = curr->base_address + curr->size;
diff --git a/frida_mode/test/png/GNUmakefile b/frida_mode/test/png/GNUmakefile
index c381f5ab..7de3e85a 100644
--- a/frida_mode/test/png/GNUmakefile
+++ b/frida_mode/test/png/GNUmakefile
@@ -80,7 +80,6 @@ $(TEST_BIN): $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB)
-o $@ \
$(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) \
-lz \
- $(TEST_LDFLAGS)
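Review bot: With `$(TEST_LDFLAGS)` removed, `-lz \` at L513 is now the last line of the `$(TEST_BIN)` recipe and still ends in a backslash; unless a blank line follows it (possibly dropped in this rendering), the continuation joins the next line — `clean:` at L515 — into the link command, which then fails. Drop the trailing backslash so the line reads `-lz`.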
clean:
rm -rf $(BUILD_DIR)