-rw-r--r-- | frida_mode/README.md | 10 | ||||
-rw-r--r-- | frida_mode/include/complog.h | 14 | ||||
-rw-r--r-- | frida_mode/include/frida_cmplog.h | 14 | ||||
-rw-r--r-- | frida_mode/src/cmplog/cmplog.c | 75 | ||||
-rw-r--r-- | frida_mode/src/cmplog/cmplog_arm.c (renamed from frida_mode/src/complog/complog_arm.c) | 6 | ||||
-rw-r--r-- | frida_mode/src/cmplog/cmplog_arm64.c (renamed from frida_mode/src/complog/complog_arm64.c) | 6 | ||||
-rw-r--r-- | frida_mode/src/cmplog/cmplog_x64.c (renamed from frida_mode/src/complog/complog_x64.c) | 93 | ||||
-rw-r--r-- | frida_mode/src/cmplog/cmplog_x86.c (renamed from frida_mode/src/complog/complog_x86.c) | 6 | ||||
-rw-r--r-- | frida_mode/src/complog/complog.c | 76 | ||||
-rw-r--r-- | frida_mode/src/instrument/instrument.c | 6 | ||||
-rwxr-xr-x | frida_mode/src/lib/lib | bin | 4144 -> 0 bytes | |||
-rwxr-xr-x | frida_mode/test/fuzzbench/fuzzer | bin | 1703936 -> 0 bytes | |||
-rwxr-xr-x | frida_mode/test/libxml/xml | bin | 1849872 -> 0 bytes |
13 files changed, 152 insertions, 154 deletions
diff --git a/frida_mode/README.md b/frida_mode/README.md index ddba6928..67dc6048 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -18,15 +18,15 @@ perhaps leverage some of its design and implementation. | -------------------------|:----------:|:---------------------------------------:| | NeverZero | x | | | Persistent Mode | x | (x64 only)(Only on function boundaries) | - | LAF-Intel / CompCov | - | (Superseded by CmpLog) | - | CmpLog | x | (x64 only) | + | LAF-Intel / CompCov | - | (CMPLOG is better 90% of the time) | + | CMPLOG | x | (x64 only) | | Selective Instrumentation| x | | | Non-Colliding Coverage | - | | | Ngram prev_loc Coverage | - | | | Context Coverage | - | | | Auto Dictionary | - | | | Snapshot LKM Support | - | | - | In-Memory Test Cases | x |(x64 only) | + | In-Memory Test Cases | x | (x64 only) | # Compatibility Currently FRIDA mode supports Linux and macOS targets on both x86/x64 @@ -112,9 +112,9 @@ to push and pop the full register context. Note that since this instrumentation is used on every basic block to generate coverage, it has a large impact on performance. -CmpLog support also adds code to the assembly, however, at present this code +CMPLOG support also adds code to the assembly, however, at present this code makes use of a basic C function and is yet to be optimized. Since not all -instances run CmpLog mode and instrumentation of the binary is less frequent +instances run CMPLOG mode and instrumentation of the binary is less frequent (only on CMP, SUB and CALL instructions) performance is not quite so critical. # Advanced configuration options diff --git a/frida_mode/include/complog.h b/frida_mode/include/complog.h deleted file mode 100644 index 1c1adb6d..00000000 --- a/frida_mode/include/complog.h +++ /dev/null 
@@ -1,14 +0,0 @@
-#ifndef _COMPLOG_H
-#define _COMPLOG_H
-
-extern struct cmp_map *__afl_cmp_map;
-
-void complog_init(void);
-
-/* Functions to be implemented by the different architectures */
-void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator);
-
-gboolean complog_is_readable(void *addr, size_t size);
-
-#endif
-
diff --git a/frida_mode/include/frida_cmplog.h b/frida_mode/include/frida_cmplog.h
new file mode 100644
index 00000000..28864c0e
--- /dev/null
+++ b/frida_mode/include/frida_cmplog.h
@@ -0,0 +1,14 @@
+#ifndef _CMPLOG_H
+#define _CMPLOG_H
+
+extern struct cmp_map *__afl_cmp_map;
+
+void cmplog_init(void);
+
+/* Functions to be implemented by the different architectures */
+void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator);
+
+gboolean cmplog_is_readable(void *addr, size_t size);
+
+#endif
+
diff --git a/frida_mode/src/cmplog/cmplog.c b/frida_mode/src/cmplog/cmplog.c
new file mode 100644
index 00000000..84412c0b
--- /dev/null
+++ b/frida_mode/src/cmplog/cmplog.c
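Review bot: The include guard `_CMPLOG_H` in the new frida_cmplog.h is a reserved identifier (a leading underscore followed by an uppercase letter belongs to the implementation), and cmplog_x64.c includes both this header and the AFL++ `cmplog.h` in the same translation unit, so if that header happens to use the same guard name one of the two would be silently skipped. A project-specific guard avoids both problems: `#ifndef FRIDA_CMPLOG_H` / `#define FRIDA_CMPLOG_H`. The header also uses `cs_insn`, `GumStalkerIterator` and `gboolean` without including anything, so it only compiles when every includer has pulled in frida-gum.h first; either an `#include "frida-gum.h"` at the top or a one-line comment stating that prerequisite would make the dependency explicit.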
@@ -0,0 +1,75 @@
+#include "frida-gum.h"
+
+#include "debug.h"
+
+#include "util.h"
+
+extern struct cmp_map *__afl_cmp_map;
+
+static GArray *cmplog_ranges = NULL;
+
+static gboolean cmplog_range(const GumRangeDetails *details,
+ gpointer user_data) {
+
+ UNUSED_PARAMETER(user_data);
+ GumMemoryRange range = *details->range;
+ g_array_append_val(cmplog_ranges, range);
+ return TRUE;
+
+}
+
+static gint cmplog_sort(gconstpointer a, gconstpointer b) {
+
+ return ((GumMemoryRange *)b)->base_address -
+ ((GumMemoryRange *)a)->base_address;
+
+}
+
+void cmplog_init(void) {
+
+ if (__afl_cmp_map != NULL) { OKF("CMPLOG mode enabled"); }
+
+ cmplog_ranges = g_array_sized_new(false, false, sizeof(GumMemoryRange), 100);
+ gum_process_enumerate_ranges(GUM_PAGE_READ, cmplog_range, NULL);
+ g_array_sort(cmplog_ranges, cmplog_sort);
+
+ for (guint i = 0; i < cmplog_ranges->len; i++) {
+
+ GumMemoryRange *range = &g_array_index(cmplog_ranges, GumMemoryRange, i);
+ OKF("CMPLOG Range - 0x%016" G_GINT64_MODIFIER "X - 0x%016" G_GINT64_MODIFIER
+ "X",
+ range->base_address, range->base_address + range->size);
+
+ }
+
+}
+
+static gboolean cmplog_contains(GumAddress inner_base, GumAddress inner_limit,
+ GumAddress outer_base, GumAddress outer_limit) {
+
+ return (inner_base >= outer_base && inner_limit <= outer_limit);
+
+}
+
+gboolean cmplog_is_readable(void *addr, size_t size) {
+
+ if (cmplog_ranges == NULL) FATAL("CMPLOG not initialized");
+
+ GumAddress inner_base = GUM_ADDRESS(addr);
+ GumAddress inner_limit = inner_base + size;
+
+ for (guint i = 0; i < cmplog_ranges->len; i++) {
+
+ GumMemoryRange *range = &g_array_index(cmplog_ranges, GumMemoryRange, i);
+ GumAddress outer_base = range->base_address;
+ GumAddress outer_limit = outer_base + range->size;
+
+ if (cmplog_contains(inner_base, inner_limit, outer_base, outer_limit))
+ return true;
+
+ }
+
+ return false;
+
+}
+
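Review bot: `cmplog_sort` returns the difference of two 64-bit `base_address` values truncated to `gint`, so for ranges whose bases differ by more than 2^31 the sign of the result is unrelated to their order and the `g_array_sort` call in `cmplog_init` can leave the array mis-ordered; today only the logged range listing depends on that order, since `cmplog_is_readable` scans linearly, but a comparator should compare rather than subtract: `GumAddress ba = ((const GumMemoryRange *)b)->base_address, aa = ((const GumMemoryRange *)a)->base_address;` followed by `return (ba > aa) - (ba < aa);`. The file also never includes its own header `frida_cmplog.h`, so the definitions of `cmplog_init` and `cmplog_is_readable` are not checked against their declarations; adding `#include "frida_cmplog.h"` after `frida-gum.h` (the header relies on Gum and Capstone types) closes that gap. Note too that `cmplog_ranges` is a snapshot taken once in `cmplog_init`, so memory the target maps or unmaps after initialisation is presumably not reflected in `cmplog_is_readable`; a comment on the `cmplog_ranges` declaration stating this would let callers judge what the check guarantees.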
diff --git a/frida_mode/src/complog/complog_arm.c b/frida_mode/src/cmplog/cmplog_arm.c index 1b8eb8f1..5af28f3f 100644 --- a/frida_mode/src/complog/complog_arm.c +++ b/frida_mode/src/cmplog/cmplog_arm.c @@ -2,16 +2,16 @@ #include "debug.h" -#include "complog.h" +#include "frida_cmplog.h" #include "util.h" #if defined(__arm__) -void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { +void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { UNUSED_PARAMETER(instr); UNUSED_PARAMETER(iterator); if (__afl_cmp_map == NULL) { return; } - FATAL("Complog mode not supported on this architecture"); + FATAL("CMPLOG mode not supported on this architecture"); } diff --git a/frida_mode/src/complog/complog_arm64.c b/frida_mode/src/cmplog/cmplog_arm64.c index ce62f6fd..187d0162 100644 --- a/frida_mode/src/complog/complog_arm64.c +++ b/frida_mode/src/cmplog/cmplog_arm64.c @@ -2,16 +2,16 @@ #include "debug.h" -#include "complog.h" +#include "frida_cmplog.h" #include "util.h" #if defined(__aarch64__) -void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { +void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { UNUSED_PARAMETER(instr); UNUSED_PARAMETER(iterator); if (__afl_cmp_map == NULL) { return; } - FATAL("Complog mode not supported on this architecture"); + FATAL("CMPLOG mode not supported on this architecture"); } diff --git a/frida_mode/src/complog/complog_x64.c b/frida_mode/src/cmplog/cmplog_x64.c index 28010e7f..cdb698d5 100644 --- a/frida_mode/src/complog/complog_x64.c +++ b/frida_mode/src/cmplog/cmplog_x64.c @@ -3,7 +3,7 @@ #include "debug.h" #include "cmplog.h" -#include "complog.h" +#include "frida_cmplog.h" #include "util.h" #if defined(__x86_64__) 
@@ -56,16 +56,16 @@ typedef struct { }; -} complog_ctx_t; +} cmplog_ctx_t; typedef struct { - complog_ctx_t operand1; - complog_ctx_t operand2; + cmplog_ctx_t operand1; + cmplog_ctx_t operand2; -} complog_pair_ctx_t; +} cmplog_pair_ctx_t; -static guint64 complog_read_reg(GumX64CpuContext *ctx, x86_reg reg) { +static guint64 cmplog_read_reg(GumX64CpuContext *ctx, x86_reg reg) { switch (reg) { @@ -134,15 +134,15 @@ static guint64 complog_read_reg(GumX64CpuContext *ctx, x86_reg reg) { } -static guint64 complog_read_mem(GumX64CpuContext *ctx, x86_op_mem *mem) { +static guint64 cmplog_read_mem(GumX64CpuContext *ctx, x86_op_mem *mem) { guint64 base = 0; guint64 index = 0; guint64 address; - if (mem->base != X86_REG_INVALID) base = complog_read_reg(ctx, mem->base); + if (mem->base != X86_REG_INVALID) base = cmplog_read_reg(ctx, mem->base); - if (mem->index != X86_REG_INVALID) index = complog_read_reg(ctx, mem->index); + if (mem->index != X86_REG_INVALID) index = cmplog_read_reg(ctx, mem->index); address = base + (index * mem->scale) + mem->disp; return address; @@ -150,16 +150,16 @@ static guint64 complog_read_mem(GumX64CpuContext *ctx, x86_op_mem *mem) { } static guint64 cmplog_get_operand_value(GumCpuContext *context, - complog_ctx_t *ctx) { + cmplog_ctx_t * ctx) { switch (ctx->type) { case X86_OP_REG: - return complog_read_reg(context, ctx->reg); + return cmplog_read_reg(context, ctx->reg); case X86_OP_IMM: return ctx->imm; case X86_OP_MEM: - return complog_read_mem(context, &ctx->mem); + return cmplog_read_mem(context, &ctx->mem); default: FATAL("Invalid operand type: %d\n", ctx->type); 
@@ -167,18 +167,18 @@ static guint64 cmplog_get_operand_value(GumCpuContext *context, } -static void complog_call_callout(GumCpuContext *context, gpointer user_data) { +static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { UNUSED_PARAMETER(user_data); - guint64 address = complog_read_reg(context, X86_REG_RIP); - guint64 rdi = complog_read_reg(context, X86_REG_RDI); - guint64 rsi = complog_read_reg(context, X86_REG_RSI); + guint64 address = cmplog_read_reg(context, X86_REG_RIP); + guint64 rdi = cmplog_read_reg(context, X86_REG_RDI); + guint64 rsi = cmplog_read_reg(context, X86_REG_RSI); void *ptr1 = GSIZE_TO_POINTER(rdi); void *ptr2 = GSIZE_TO_POINTER(rsi); - if (!complog_is_readable(ptr1, 32) || !complog_is_readable(ptr2, 32)) return; + if (!cmplog_is_readable(ptr1, 32) || !cmplog_is_readable(ptr2, 32)) return; uintptr_t k = address; @@ -200,8 +200,8 @@ static void complog_call_callout(GumCpuContext *context, gpointer user_data) { } -static void complog_instrument_put_operand(complog_ctx_t *ctx, - cs_x86_op * operand) { +static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx, + cs_x86_op * operand) { ctx->type = operand->type; ctx->size = operand->size; 
@@ -223,20 +223,20 @@ static void complog_instrument_put_operand(complog_ctx_t *ctx, } -static void complog_instrument_call_put_callout(GumStalkerIterator *iterator, - cs_x86_op * operand) { +static void cmplog_instrument_call_put_callout(GumStalkerIterator *iterator, + cs_x86_op * operand) { - complog_ctx_t *ctx = g_malloc(sizeof(complog_ctx_t)); + cmplog_ctx_t *ctx = g_malloc(sizeof(cmplog_ctx_t)); if (ctx == NULL) return; - complog_instrument_put_operand(ctx, operand); + cmplog_instrument_put_operand(ctx, operand); - gum_stalker_iterator_put_callout(iterator, complog_call_callout, ctx, g_free); + gum_stalker_iterator_put_callout(iterator, cmplog_call_callout, ctx, g_free); } -static void complog_instrument_call(const cs_insn * instr, - GumStalkerIterator *iterator) { +static void cmplog_instrument_call(const cs_insn * instr, + GumStalkerIterator *iterator) { cs_x86 x86 = instr->detail->x86; cs_x86_op *operand; @@ -251,14 +251,14 @@ static void complog_instrument_call(const cs_insn * instr, if (operand->type == X86_OP_MEM && operand->mem.segment != X86_REG_INVALID) return; - complog_instrument_call_put_callout(iterator, operand); + cmplog_instrument_call_put_callout(iterator, operand); } -static void complog_handle_cmp_sub(GumCpuContext *context, guint64 operand1, - guint64 operand2, uint8_t size) { +static void cmplog_handle_cmp_sub(GumCpuContext *context, guint64 operand1, + guint64 operand2, uint8_t size) { - guint64 address = complog_read_reg(context, X86_REG_RIP); + guint64 address = cmplog_read_reg(context, X86_REG_RIP); register uintptr_t k = (uintptr_t)address; 
@@ -278,37 +278,36 @@ static void complog_handle_cmp_sub(GumCpuContext *context, guint64 operand1, } -static void complog_cmp_sub_callout(GumCpuContext *context, - gpointer user_data) { +static void cmplog_cmp_sub_callout(GumCpuContext *context, gpointer user_data) { - complog_pair_ctx_t *ctx = (complog_pair_ctx_t *)user_data; + cmplog_pair_ctx_t *ctx = (cmplog_pair_ctx_t *)user_data; if (ctx->operand1.size != ctx->operand2.size) FATAL("Operand size mismatch"); guint64 operand1 = cmplog_get_operand_value(context, &ctx->operand1); guint64 operand2 = cmplog_get_operand_value(context, &ctx->operand2); - complog_handle_cmp_sub(context, operand1, operand2, ctx->operand1.size); + cmplog_handle_cmp_sub(context, operand1, operand2, ctx->operand1.size); } -static void complog_instrument_cmp_sub_put_callout(GumStalkerIterator *iterator, - cs_x86_op * operand1, - cs_x86_op *operand2) { +static void cmplog_instrument_cmp_sub_put_callout(GumStalkerIterator *iterator, + cs_x86_op * operand1, + cs_x86_op *operand2) { - complog_pair_ctx_t *ctx = g_malloc(sizeof(complog_pair_ctx_t)); + cmplog_pair_ctx_t *ctx = g_malloc(sizeof(cmplog_pair_ctx_t)); if (ctx == NULL) return; - complog_instrument_put_operand(&ctx->operand1, operand1); - complog_instrument_put_operand(&ctx->operand2, operand2); + cmplog_instrument_put_operand(&ctx->operand1, operand1); + cmplog_instrument_put_operand(&ctx->operand2, operand2); - gum_stalker_iterator_put_callout(iterator, complog_cmp_sub_callout, ctx, + gum_stalker_iterator_put_callout(iterator, cmplog_cmp_sub_callout, ctx, g_free); } -static void complog_instrument_cmp_sub(const cs_insn * instr, - GumStalkerIterator *iterator) { +static void cmplog_instrument_cmp_sub(const cs_insn * instr, + GumStalkerIterator *iterator) { cs_x86 x86 = instr->detail->x86; cs_x86_op *operand1; 
@@ -340,16 +339,16 @@ static void complog_instrument_cmp_sub(const cs_insn * instr, (operand2->mem.segment != X86_REG_INVALID)) return; - complog_instrument_cmp_sub_put_callout(iterator, operand1, operand2); + cmplog_instrument_cmp_sub_put_callout(iterator, operand1, operand2); } -void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { +void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { if (__afl_cmp_map == NULL) return; - complog_instrument_call(instr, iterator); - complog_instrument_cmp_sub(instr, iterator); + cmplog_instrument_call(instr, iterator); + cmplog_instrument_cmp_sub(instr, iterator); } diff --git a/frida_mode/src/complog/complog_x86.c b/frida_mode/src/cmplog/cmplog_x86.c index b2e5ddcf..2401180c 100644 --- a/frida_mode/src/complog/complog_x86.c +++ b/frida_mode/src/cmplog/cmplog_x86.c @@ -2,16 +2,16 @@ #include "debug.h" -#include "complog.h" +#include "frida_cmplog.h" #include "util.h" #if defined(__i386__) -void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { +void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { UNUSED_PARAMETER(instr); UNUSED_PARAMETER(iterator); if (__afl_cmp_map == NULL) { return; } - FATAL("Complog mode not supported on this architecture"); + FATAL("CMPLOG mode not supported on this architecture"); } diff --git a/frida_mode/src/complog/complog.c b/frida_mode/src/complog/complog.c deleted file mode 100644 index ce8a3f62..00000000 --- a/frida_mode/src/complog/complog.c +++ /dev/null 
@@ -1,76 +0,0 @@
-#include "frida-gum.h"
-
-#include "debug.h"
-#include "cmplog.h"
-#include "util.h"
-
-extern struct cmp_map *__afl_cmp_map;
-
-static GArray *complog_ranges = NULL;
-
-static gboolean complog_range(const GumRangeDetails *details,
- gpointer user_data) {
-
- UNUSED_PARAMETER(user_data);
- GumMemoryRange range = *details->range;
- g_array_append_val(complog_ranges, range);
- return TRUE;
-
-}
-
-static gint complog_sort(gconstpointer a, gconstpointer b) {
-
- return ((GumMemoryRange *)b)->base_address -
- ((GumMemoryRange *)a)->base_address;
-
-}
-
-void complog_init(void) {
-
- if (__afl_cmp_map != NULL) { OKF("CompLog mode enabled"); }
-
- complog_ranges = g_array_sized_new(false, false, sizeof(GumMemoryRange), 100);
- gum_process_enumerate_ranges(GUM_PAGE_READ, complog_range, NULL);
- g_array_sort(complog_ranges, complog_sort);
-
- for (guint i = 0; i < complog_ranges->len; i++) {
-
- GumMemoryRange *range = &g_array_index(complog_ranges, GumMemoryRange, i);
- OKF("CompLog Range - 0x%016" G_GINT64_MODIFIER
- "X - 0x%016" G_GINT64_MODIFIER "X",
- range->base_address, range->base_address + range->size);
-
- }
-
-}
-
-static gboolean complog_contains(GumAddress inner_base, GumAddress inner_limit,
- GumAddress outer_base,
- GumAddress outer_limit) {
-
- return (inner_base >= outer_base && inner_limit <= outer_limit);
-
-}
-
-gboolean complog_is_readable(void *addr, size_t size) {
-
- if (complog_ranges == NULL) FATAL("CompLog not initialized");
-
- GumAddress inner_base = GUM_ADDRESS(addr);
- GumAddress inner_limit = inner_base + size;
-
- for (guint i = 0; i < complog_ranges->len; i++) {
-
- GumMemoryRange *range = &g_array_index(complog_ranges, GumMemoryRange, i);
- GumAddress outer_base = range->base_address;
- GumAddress outer_limit = outer_base + range->size;
-
- if (complog_contains(inner_base, inner_limit, outer_base, outer_limit))
- return true;
-
- }
-
- return false;
-
-}
-
diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 3806136a..d93f37c7 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -5,7 +5,7 @@ #include "config.h" #include "debug.h" -#include "complog.h" +#include "frida_cmplog.h" #include "instrument.h" #include "persistent.h" #include "prefetch.h" @@ -105,7 +105,7 @@ static void instr_basic_block(GumStalkerIterator *iterator, if (!range_is_excluded((void *)instr->address)) { - complog_instrument(instr, iterator); + cmplog_instrument(instr, iterator); } @@ -140,7 +140,7 @@ void instrument_init(void) { transformer = gum_stalker_transformer_make_from_callback(instr_basic_block, NULL, NULL); - complog_init(); + cmplog_init(); } diff --git a/frida_mode/src/lib/lib b/frida_mode/src/lib/lib deleted file mode 100755 index 8f09a3b1..00000000 --- a/frida_mode/src/lib/lib +++ /dev/null Binary files differdiff --git a/frida_mode/test/fuzzbench/fuzzer b/frida_mode/test/fuzzbench/fuzzer deleted file mode 100755 index 5e8b7f70..00000000 --- a/frida_mode/test/fuzzbench/fuzzer +++ /dev/null Binary files differdiff --git a/frida_mode/test/libxml/xml b/frida_mode/test/libxml/xml deleted file mode 100755 index fb5c7c76..00000000 --- a/frida_mode/test/libxml/xml +++ /dev/null Binary files differ |