diff options
| -rw-r--r-- | frida_mode/frida.map | 1 | ||||
| -rw-r--r-- | frida_mode/include/instrument.h | 3 | ||||
| -rw-r--r-- | frida_mode/src/instrument/instrument.c | 6 | ||||
| -rw-r--r-- | frida_mode/src/js/api.js | 7 | ||||
| -rw-r--r-- | frida_mode/src/js/js_api.c | 6 | ||||
| -rw-r--r-- | instrumentation/afl-compiler-rt.o.c | 2 | ||||
| -rw-r--r-- | qemu_mode/hooking_bridge/README.md | 7 | ||||
| -rw-r--r-- | src/afl-fuzz-extras.c | 4 | ||||
| -rwxr-xr-x | test/test-custom-mutators.sh | 6 | ||||
| -rw-r--r-- | unicorn_mode/helper_scripts/unicorn_loader.py | 2 | ||||
| -rw-r--r-- | unicorn_mode/samples/c/sample_all.sh | 4 |
11 files changed, 33 insertions, 15 deletions
diff --git a/frida_mode/frida.map b/frida_mode/frida.map index a98c2096..90ea1421 100644 --- a/frida_mode/frida.map +++ b/frida_mode/frida.map @@ -45,6 +45,7 @@ js_api_set_stdout; js_api_set_traceable; js_api_set_verbose; + js_api_ijon_set; local: *; diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index 1825e331..a1969e37 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -22,6 +22,7 @@ extern guint64 instrument_fixed_seed; extern uint8_t *__afl_area_ptr; extern uint32_t __afl_map_size; +extern void __afl_coverage_interesting(uint8_t, uint32_t); extern __thread guint64 *instrument_previous_pc_addr; @@ -72,5 +73,7 @@ void instrument_cache(const cs_insn *instr, GumStalkerOutput *output); void instrument_write_regs(GumCpuContext *cpu_context, gpointer user_data); void instrument_regs_format(int fd, char *format, ...); +void ijon_set(uint32_t edge); + #endif diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index db73d845..d30e21ec 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -449,3 +449,9 @@ void instrument_regs_format(int fd, char *format, ...) { } +void ijon_set(uint32_t edge) { + + __afl_coverage_interesting(1, edge); + +} + diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js index a65d32df..9e2b15c5 100644 --- a/frida_mode/src/js/api.js +++ b/frida_mode/src/js/api.js @@ -326,6 +326,12 @@ class Afl { static jsApiGetSymbol(name) { return Afl.module.getExportByName(name); } + + static IJON = class { + static set(addr, val) { + Afl.jsApiIjonSet((addr ^ val) & 0xffffffff); + } + } } /** * Field containing the `Module` object for `afl-frida-trace.so` (the FRIDA mode @@ -377,3 +383,4 @@ Afl.jsApiSetVerbose = Afl.jsApiGetFunction("js_api_set_verbose", "void", []); Afl.jsApiWrite = new NativeFunction( /* tslint:disable-next-line:no-null-keyword */ Module.getExportByName(null, "write"), "int", ["int", "pointer", "int"]); +Afl.jsApiIjonSet = Afl.jsApiGetFunction("js_api_ijon_set", "void", ["uint32"]); diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index 288aec95..274cd1bc 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -316,3 +316,9 @@ __attribute__((visibility("default"))) void js_api_set_verbose(void) { } +__attribute__((visibility("default"))) void js_api_ijon_set(uint32_t edge) { + + ijon_set(edge); + +} + diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 83aa9486..372b9f5a 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -2725,7 +2725,7 @@ void __afl_coverage_skip() { // mark this area as especially interesting void __afl_coverage_interesting(u8 val, u32 id) { - __afl_area_ptr[id] = val; + __afl_area_ptr[id % __afl_map_size] = val; } diff --git a/qemu_mode/hooking_bridge/README.md b/qemu_mode/hooking_bridge/README.md index ae8e62e4..c6276305 100644 --- a/qemu_mode/hooking_bridge/README.md +++ b/qemu_mode/hooking_bridge/README.md @@ -22,7 +22,7 @@ Run build_qemu_support.sh as you do to compile qemuafl, additionally with three return &to_ret; } ``` - i. Hook functions must be named as `hook_<left padded hook location>`. Here, `<left padded hook location>` means `<hook location>` left padded with 0's to until the `(system word length)/4` number of hex characters, e.g. 16 on a 64 bit machine. The unpaded part of `<hook location>` is the absolute address where you want to place the hook. It is basically the file base address (which does not change in QEMU as of now) plus the instruction offset where the hooks is to be placed. The hook function must return a `struct ret *`, which is touched upon later. + i. Hook functions must be named as `hook_<left padded hook location>`. Here, `<left padded hook location>` means `<hook location>` left padded with 0's to until 16 hex characters. The unpaded part of `<hook location>` is the absolute address where you want to place the hook. It is basically the file base address (which does not change in QEMU as of now) plus the instruction offset where the hooks is to be placed. The hook function must return a `struct ret *`, which is touched upon later. ii. Most likely you will need to access memory or registers in the hook. So we provide four functions ```C @@ -77,11 +77,6 @@ Run build_qemu_support.sh as you do to compile qemuafl, additionally with three ## Running with hooks Set `QEMU_PLUGIN="file=<AFL download path>qemu_mode/hooking_bridge/build/plugin.so,arg=<your hook .so>"` before running AFL++ in QEMU mode. Note `<your hook .so>` is the absolute path to your hooks library. -## Contributing -* If you want to enable debugging - * Compile with an additional `DEBUG=1` switch. - * Akin to QEMU's own documentation, set `QEMU_LOG=plugin QEMU_LOG_FILENAME=<your plugin log path>` before you run. - ## Current limitations 1. Cannot be used to debug (-g option) when using the bridge as it uses the gdbstub internally. This is not a problem if used with AFL++, so not such a big issue. 2. Cannot put a hook on the first block after `<entry point>`. Not typically a hookable location. diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c index 55b6be04..da996602 100644 --- a/src/afl-fuzz-extras.c +++ b/src/afl-fuzz-extras.c @@ -455,13 +455,13 @@ void deunicode_extras(afl_state_t *afl) { case 2: if (!afl->extras[i].data[j]) { ++z3; } - // fall through + __attribute__((fallthrough)); case 0: if (!afl->extras[i].data[j]) { ++z1; } break; case 3: if (!afl->extras[i].data[j]) { ++z4; } - // fall through + __attribute__((fallthrough)); case 1: if (!afl->extras[i].data[j]) { ++z2; } break; diff --git a/test/test-custom-mutators.sh b/test/test-custom-mutators.sh index 8c8b0ad3..3f0a96ba 100755 --- a/test/test-custom-mutators.sh +++ b/test/test-custom-mutators.sh @@ -38,7 +38,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS # Run afl-fuzz w/ the C mutator $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds" { - AFL_CUSTOM_MUTATOR_LIBRARY=./libexamplemutator.so AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V07 -m ${MEM_LIMIT} -i in -o out -d -- ./test-custom-mutator >>errors 2>&1 + AFL_CUSTOM_MUTATOR_LIBRARY=./libexamplemutator.so AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V20 -m ${MEM_LIMIT} -i in -o out -d -- ./test-custom-mutator >>errors 2>&1 } >>errors 2>&1 # Check results @@ -58,7 +58,7 @@ test -e test-custom-mutator.c -a -e ${CUSTOM_MUTATOR_PATH}/example.c -a -e ${CUS # Run afl-fuzz w/ multiple C mutators $ECHO "$GREY[*] running afl-fuzz with multiple custom C mutators, this will take approx 10 seconds" { - AFL_CUSTOM_MUTATOR_LIBRARY="./libexamplemutator.so;./libexamplemutator2.so" AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V07 -m ${MEM_LIMIT} -i in -o out -d -- ./test-multiple-mutators >>errors 2>&1 + AFL_CUSTOM_MUTATOR_LIBRARY="./libexamplemutator.so;./libexamplemutator2.so" AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V20 -m ${MEM_LIMIT} -i in -o out -d -- ./test-multiple-mutators >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/crashes/id:000000* 2>/dev/null )" && { # TODO: update here @@ -88,7 +88,7 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { { export PYTHONPATH=${CUSTOM_MUTATOR_PATH} export AFL_PYTHON_MODULE=example - AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V07 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 + AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V20 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 unset PYTHONPATH unset AFL_PYTHON_MODULE } >>errors 2>&1 diff --git a/unicorn_mode/helper_scripts/unicorn_loader.py b/unicorn_mode/helper_scripts/unicorn_loader.py index a83e7000..4219c6ab 100644 --- a/unicorn_mode/helper_scripts/unicorn_loader.py +++ b/unicorn_mode/helper_scripts/unicorn_loader.py @@ -90,7 +90,7 @@ class UnicornSimpleHeap(object): _chunks_freed = [] # List of all freed chunks _debug_print = False # True to print debug information - def __init__(self, uc, debug_print=Falseļ¼ uaf_check=False): + def __init__(self, uc, debug_print=False, uaf_check=False): self._uc = uc self._debug_print = debug_print diff --git a/unicorn_mode/samples/c/sample_all.sh b/unicorn_mode/samples/c/sample_all.sh index 01daf365..3bb396e7 100644 --- a/unicorn_mode/samples/c/sample_all.sh +++ b/unicorn_mode/samples/c/sample_all.sh @@ -12,7 +12,7 @@ fi -if [ ! test -e $DIR/harness]; then +if [ ! -e $DIR/harness ]; then echo "[!] harness not found in $DIR" exit 1 -fi \ No newline at end of file +fi |