diff options
22 files changed, 144 insertions, 50 deletions
diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index 6c17f369..4d8f8507 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -98,9 +98,12 @@ FRIDA_GUM_DEVKIT_COMPRESSED_TARBALL:=$(FRIDA_DIR)build/$(GUM_DEVKIT_FILENAME) AFL_COMPILER_RT_SRC:=$(ROOT)instrumentation/afl-compiler-rt.o.c AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o -HOOK_DIR:=$(PWD)hook/ -AFLPP_DRIVER_HOOK_SRC=$(HOOK_DIR)hook.c -AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)hook.so +FRIDA_HOOK_DIR:=$(PWD)hook/ +AFLPP_FRIDA_DRIVER_HOOK_SRC=$(FRIDA_HOOK_DIR)hook.c +AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(BUILD_DIR)frida_hook.so + +QEMU_HOOK_DIR:=$(ROOT)utils/aflpp_driver/ +AFLPP_QEMU_DRIVER_HOOK_OBJ:=$(BUILD_DIR)qemu_hook.so BIN2C:=$(BUILD_DIR)bin2c BIN2C_SRC:=$(PWD)util/bin2c.c @@ -109,7 +112,7 @@ BIN2C_SRC:=$(PWD)util/bin2c.c ############################## ALL ############################################# -all: $(FRIDA_TRACE) $(AFLPP_DRIVER_HOOK_OBJ) +all: $(FRIDA_TRACE) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) 32: CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all @@ -150,10 +153,10 @@ $(GUM_DEVKIT_TARBALL): | $(FRIDA_BUILD_DIR) wget -O $@ $(GUM_DEVKIT_URL) endif -$(GUM_DEVIT_LIBRARY): | $(GUM_DEVKIT_TARBALL) +$(GUM_DEVIT_LIBRARY): $(GUM_DEVKIT_TARBALL) tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR) -$(GUM_DEVIT_HEADER): | $(GUM_DEVKIT_TARBALL) +$(GUM_DEVIT_HEADER): $(GUM_DEVKIT_TARBALL) tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR) ############################## AFL ############################################# @@ -214,10 +217,14 @@ $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL ############################# HOOK ############################################# -$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR) +$(AFLPP_FRIDA_DRIVER_HOOK_OBJ): $(AFLPP_FRIDA_DRIVER_HOOK_SRC) | $(BUILD_DIR) $(CC) $(CFLAGS) $(LDFLAGS) -I $(FRIDA_BUILD_DIR) $< -o $@ -hook: $(AFLPP_DRIVER_HOOK_OBJ) +$(AFLPP_QEMU_DRIVER_HOOK_OBJ): | $(QEMU_HOOK_DIR) + make -C $(QEMU_HOOK_DIR) aflpp_qemu_driver_hook.so + cp $(QEMU_HOOK_DIR)aflpp_qemu_driver_hook.so $@ + +hook: $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) ############################# CLEAN ############################################ clean: @@ -225,7 +232,7 @@ clean: ############################# FORMAT ########################################### format: - cd $(ROOT) && echo $(SOURCES) $(AFLPP_DRIVER_HOOK_SRC) $(BIN2C_SRC) | xargs -L1 ./.custom-format.py -i + cd $(ROOT) && echo $(SOURCES) $(AFLPP_FRIDA_DRIVER_HOOK_SRC) $(BIN2C_SRC) | xargs -L1 ./.custom-format.py -i cd $(ROOT) && echo $(INCLUDES) | xargs -L1 ./.custom-format.py -i ############################# RUN ############################################# diff --git a/frida_mode/include/entry.h b/frida_mode/include/entry.h index 801c2bbe..cbc5c8c7 100644 --- a/frida_mode/include/entry.h +++ b/frida_mode/include/entry.h @@ -3,7 +3,8 @@ #include "frida-gumjs.h" -extern guint64 entry_point; +extern guint64 entry_point; +extern gboolean entry_reached; void entry_config(void); diff --git a/frida_mode/include/persistent.h b/frida_mode/include/persistent.h index 8f00196c..c79f0143 100644 --- a/frida_mode/include/persistent.h +++ b/frida_mode/include/persistent.h @@ -30,7 +30,10 @@ void persistent_init(void); gboolean persistent_is_supported(void); void persistent_prologue(GumStalkerOutput *output); +void persistent_prologue_arch(GumStalkerOutput *output); + void persistent_epilogue(GumStalkerOutput *output); +void persistent_epilogue_arch(GumStalkerOutput *output); #endif diff --git a/frida_mode/include/stalker.h b/frida_mode/include/stalker.h index 2136fe52..b5e05d5a 100644 --- a/frida_mode/include/stalker.h +++ b/frida_mode/include/stalker.h @@ -7,6 +7,7 @@ void stalker_config(void); void stalker_init(void); GumStalker *stalker_get(void); void stalker_start(void); +void stalker_trust(void); #endif diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index e95b923b..1d3b3e43 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -4,12 +4,15 @@ #include "entry.h" #include "instrument.h" +#include "persistent.h" +#include "ranges.h" #include "stalker.h" #include "util.h" extern void __afl_manual_init(); -guint64 entry_point = 0; +guint64 entry_point = 0; +gboolean entry_reached = FALSE; static void entry_launch(void) { @@ -50,6 +53,16 @@ static void entry_callout(GumCpuContext *cpu_context, gpointer user_data) { void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output) { UNUSED_PARAMETER(output); + OKF("AFL_ENTRYPOINT reached"); + + if (persistent_start == 0) { + + entry_reached = TRUE; + ranges_exclude(); + stalker_trust(); + + } + gum_stalker_iterator_put_callout(iterator, entry_callout, NULL, NULL); } diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index c646843c..2d857716 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -149,7 +149,13 @@ static void instrument_basic_block(GumStalkerIterator *iterator, if (unlikely(begin)) { - prefetch_write(GSIZE_TO_POINTER(instr->address)); + instrument_debug_start(instr->address, output); + + if (likely(entry_reached)) { + + prefetch_write(GSIZE_TO_POINTER(instr->address)); + + } if (likely(!excluded)) { diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c index bcc59ea7..639a694e 100644 --- a/frida_mode/src/persistent/persistent.c +++ b/frida_mode/src/persistent/persistent.c @@ -5,7 +5,10 @@ #include "config.h" #include "debug.h" +#include "entry.h" #include "persistent.h" +#include "ranges.h" +#include "stalker.h" #include "util.h" int __afl_sharedmem_fuzzing = 0; @@ -83,3 +86,20 @@ void persistent_init(void) { } +void persistent_prologue(GumStalkerOutput *output) { + + OKF("AFL_FRIDA_PERSISTENT_ADDR reached"); + entry_reached = TRUE; + ranges_exclude(); + stalker_trust(); + persistent_prologue_arch(output); + +} + +void persistent_epilogue(GumStalkerOutput *output) { + + OKF("AFL_FRIDA_PERSISTENT_RET reached"); + persistent_epilogue_arch(output); + +} + diff --git a/frida_mode/src/persistent/persistent_arm32.c b/frida_mode/src/persistent/persistent_arm32.c index f12f1af8..769f1505 100644 --- a/frida_mode/src/persistent/persistent_arm32.c +++ b/frida_mode/src/persistent/persistent_arm32.c @@ -61,14 +61,14 @@ gboolean persistent_is_supported(void) { } -void persistent_prologue(GumStalkerOutput *output) { +void persistent_prologue_arch(GumStalkerOutput *output) { UNUSED_PARAMETER(output); FATAL("Persistent mode not supported on this architecture"); } -void persistent_epilogue(GumStalkerOutput *output) { +void persistent_epilogue_arch(GumStalkerOutput *output) { UNUSED_PARAMETER(output); FATAL("Persistent mode not supported on this architecture"); diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c index 003f058a..4ab7b283 100644 --- a/frida_mode/src/persistent/persistent_arm64.c +++ b/frida_mode/src/persistent/persistent_arm64.c @@ -299,7 +299,7 @@ static void instrument_persitent_save_lr(GumArm64Writer *cw) { } -void persistent_prologue(GumStalkerOutput *output) { +void persistent_prologue_arch(GumStalkerOutput *output) { /* * SAVE REGS @@ -366,7 +366,7 @@ void persistent_prologue(GumStalkerOutput *output) { } -void persistent_epilogue(GumStalkerOutput *output) { +void persistent_epilogue_arch(GumStalkerOutput *output) { GumArm64Writer *cw = output->writer.arm64; diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c index b2186db1..ce3017e4 100644 --- a/frida_mode/src/persistent/persistent_x64.c +++ b/frida_mode/src/persistent/persistent_x64.c @@ -244,7 +244,7 @@ static void instrument_persitent_save_ret(GumX86Writer *cw) { } -void persistent_prologue(GumStalkerOutput *output) { +void persistent_prologue_arch(GumStalkerOutput *output) { /* * SAVE REGS @@ -313,7 +313,7 @@ void persistent_prologue(GumStalkerOutput *output) { } -void persistent_epilogue(GumStalkerOutput *output) { +void persistent_epilogue_arch(GumStalkerOutput *output) { GumX86Writer *cw = output->writer.x86; diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c index f50bccb0..cc1f1a4f 100644 --- a/frida_mode/src/persistent/persistent_x86.c +++ b/frida_mode/src/persistent/persistent_x86.c @@ -184,7 +184,7 @@ static void instrument_persitent_save_ret(GumX86Writer *cw) { } -void persistent_prologue(GumStalkerOutput *output) { +void persistent_prologue_arch(GumStalkerOutput *output) { /* * SAVE REGS @@ -251,7 +251,7 @@ void persistent_prologue(GumStalkerOutput *output) { } -void persistent_epilogue(GumStalkerOutput *output) { +void persistent_epilogue_arch(GumStalkerOutput *output) { GumX86Writer *cw = output->writer.x86; diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c index 98483cde..5df0386f 100644 --- a/frida_mode/src/stalker.c +++ b/frida_mode/src/stalker.c @@ -38,7 +38,7 @@ void stalker_init(void) { stalker = gum_stalker_new(); if (stalker == NULL) { FATAL("Failed to initialize stalker"); } - gum_stalker_set_trust_threshold(stalker, 0); + gum_stalker_set_trust_threshold(stalker, -1); /* *NEVER* stalk the stalker, only bad things will ever come of this! */ gum_process_enumerate_ranges(GUM_PAGE_EXECUTE, stalker_exclude_self, NULL); @@ -59,3 +59,9 @@ void stalker_start(void) { } +void stalker_trust(void) { + + gum_stalker_set_trust_threshold(stalker, 0); + +} + diff --git a/frida_mode/src/stats/stats_x64.c b/frida_mode/src/stats/stats_x64.c index 7c3a90d7..11464a2a 100644 --- a/frida_mode/src/stats/stats_x64.c +++ b/frida_mode/src/stats/stats_x64.c @@ -31,6 +31,9 @@ typedef struct { guint64 num_rip_relative; + guint64 num_rip_relative_type[X86_INS_ENDING]; + char name_rip_relative_type[X86_INS_ENDING][CS_MNEMONIC_SIZE]; + } stats_data_arch_t; gboolean stats_is_supported_arch(void) { @@ -136,6 +139,18 @@ void stats_write_arch(void) { stats_data_arch->num_rip_relative, (stats_data_arch->num_rip_relative * 100 / num_instructions)); + for (size_t i = 0; i < X86_INS_ENDING; i++) { + + if (stats_data_arch->num_rip_relative_type[i] != 0) { + + stats_print(" %10d %s\n", + stats_data_arch->num_rip_relative_type[i], + stats_data_arch->name_rip_relative_type[i]); + + } + + } + stats_print("\n"); stats_print("\n"); @@ -256,6 +271,9 @@ static void stats_collect_rip_relative_arch(const cs_insn *instr) { if (rm != 5) { return; } stats_data_arch->num_rip_relative++; + stats_data_arch->num_rip_relative_type[instr->id]++; + memcpy(stats_data_arch->name_rip_relative_type[instr->id], instr->mnemonic, + CS_MNEMONIC_SIZE); } diff --git a/frida_mode/test/jpeg/GNUmakefile b/frida_mode/test/jpeg/GNUmakefile index 68469782..1c124743 100644 --- a/frida_mode/test/jpeg/GNUmakefile +++ b/frida_mode/test/jpeg/GNUmakefile @@ -2,7 +2,7 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so +AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so LIBJPEG_BUILD_DIR:=$(BUILD_DIR)libjpeg/ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ @@ -132,7 +132,7 @@ $(TEST_DATA_FILE): | $(TEST_DATA_DIR) clean: rm -rf $(BUILD_DIR) -frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) +frida: $(TEST_BIN) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) AFL_DEBUG_CHILD=1 \ AFL_DISABLE_TRIM=1 \ AFL_FRIDA_PERSISTENT_CNT=1000000 \ @@ -144,7 +144,7 @@ frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) AFL_SKIP_CPUFREQ=1 \ AFL_SKIP_CRASHES=1 \ AFL_TESTCACHE_SIZE=2 \ - AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ $(ROOT)afl-fuzz \ diff --git a/frida_mode/test/libpcap/GNUmakefile b/frida_mode/test/libpcap/GNUmakefile index 4d0bc4f1..f1ad06e4 100644 --- a/frida_mode/test/libpcap/GNUmakefile +++ b/frida_mode/test/libpcap/GNUmakefile @@ -2,7 +2,8 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so +AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so +AFLPP_QEMU_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/qemu_hook.so LIBPCAP_BUILD_DIR:=$(BUILD_DIR)libpcap/ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ @@ -148,8 +149,8 @@ $(AFLPP_DRIVER_DUMMY_INPUT): | $(TCPDUMP_TESTS_DIR) clean: rm -rf $(BUILD_DIR) -qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR) - AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +qemu: $(TEST_BIN) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR) + AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \ AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_QEMU_PERSISTENT_GPR=1 \ @@ -162,8 +163,8 @@ qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDU -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) -frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR) - AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +frida: $(TEST_BIN) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR) + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ $(ROOT)afl-fuzz \ diff --git a/frida_mode/test/png/GNUmakefile b/frida_mode/test/png/GNUmakefile index fdb2c318..a1a7f1a5 100644 --- a/frida_mode/test/png/GNUmakefile +++ b/frida_mode/test/png/GNUmakefile @@ -112,3 +112,9 @@ frida: $(TEST_BIN) -o $(FRIDA_OUT) \ -- \ $(TEST_BIN) @@ + +debug: + gdb \ + --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ + --ex 'set disassembly-flavor intel' \ + --args $(TEST_BIN) $(TEST_DATA_DIR)basn0g01.png diff --git a/frida_mode/test/png/Makefile b/frida_mode/test/png/Makefile index 4bef1ccb..f843af19 100644 --- a/frida_mode/test/png/Makefile +++ b/frida_mode/test/png/Makefile @@ -14,3 +14,6 @@ qemu: frida: @gmake frida + +debug: + @gmake debug diff --git a/frida_mode/test/png/persistent/hook/GNUmakefile b/frida_mode/test/png/persistent/hook/GNUmakefile index 8a1a9a60..ddf63a96 100644 --- a/frida_mode/test/png/persistent/hook/GNUmakefile +++ b/frida_mode/test/png/persistent/hook/GNUmakefile @@ -2,7 +2,8 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so +AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so +AFLPP_QEMU_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/qemu_hook.so CFLAGS+=-O3 \ -funroll-loops \ @@ -73,8 +74,8 @@ $(TEST_DATA_DIR): | $(BUILD_DIR) $(AFLPP_DRIVER_DUMMY_INPUT): | $(BUILD_DIR) truncate -s 1M $@ -qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) - AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) | $(BUILD_DIR) + AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \ AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_QEMU_PERSISTENT_GPR=1 \ $(ROOT)/afl-fuzz \ @@ -86,8 +87,8 @@ qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) -qemu_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) - AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +qemu_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) | $(BUILD_DIR) + AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \ AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_QEMU_PERSISTENT_GPR=1 \ @@ -100,8 +101,8 @@ qemu_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) -frida: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) - AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +frida: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR) + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ $(ROOT)afl-fuzz \ -D \ @@ -113,8 +114,8 @@ frida: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) -frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) - AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR) + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ $(ROOT)afl-fuzz \ @@ -126,7 +127,7 @@ frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) -frida_js_load: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) +frida_js_load: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR) AFL_PRELOAD=$(AFL_PRELOAD) \ AFL_FRIDA_JS_SCRIPT=load.js \ $(ROOT)afl-fuzz \ @@ -139,7 +140,7 @@ frida_js_load: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DI -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) -frida_js_cmodule: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) +frida_js_cmodule: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR) AFL_PRELOAD=$(AFL_PRELOAD) \ AFL_FRIDA_JS_SCRIPT=cmodule.js \ $(ROOT)afl-fuzz \ @@ -155,7 +156,7 @@ debug: $(AFLPP_DRIVER_DUMMY_INPUT) echo $(AFL_FRIDA_PERSISTENT_ADDR) gdb \ --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ - --ex 'set environment AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ)' \ + --ex 'set environment AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ)' \ --ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR)' \ --ex 'set disassembly-flavor intel' \ --args $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) diff --git a/frida_mode/test/png/persistent/hook/load.js b/frida_mode/test/png/persistent/hook/load.js index ce4374ae..ea4d28c3 100644 --- a/frida_mode/test/png/persistent/hook/load.js +++ b/frida_mode/test/png/persistent/hook/load.js @@ -19,7 +19,7 @@ Afl.setPersistentAddress(persistent_addr); const path = Afl.module.path; const dir = path.substring(0, path.lastIndexOf("/")); -const mod = Module.load(`${dir}/frida_mode/build/hook.so`); +const mod = Module.load(`${dir}/frida_mode/build/frida_hook.so`); const hook = mod.getExportByName('afl_persistent_hook'); Afl.setPersistentHook(hook); diff --git a/frida_mode/test/proj4/GNUmakefile b/frida_mode/test/proj4/GNUmakefile index 6ce03fd3..8555ebad 100644 --- a/frida_mode/test/proj4/GNUmakefile +++ b/frida_mode/test/proj4/GNUmakefile @@ -2,7 +2,7 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so +AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so LIBPROJ4_BUILD_DIR:=$(BUILD_DIR)libproj4/ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ @@ -132,7 +132,7 @@ $(TEST_DATA_FILE): | $(TEST_DATA_DIR) clean: rm -rf $(BUILD_DIR) -frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) +frida: $(TEST_BIN) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) AFL_DEBUG_CHILD=1 \ AFL_DISABLE_TRIM=1 \ AFL_FRIDA_PERSISTENT_CNT=1000000 \ @@ -144,7 +144,7 @@ frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) AFL_SKIP_CPUFREQ=1 \ AFL_SKIP_CRASHES=1 \ AFL_TESTCACHE_SIZE=2 \ - AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ $(ROOT)afl-fuzz \ diff --git a/frida_mode/test/re2/GNUmakefile b/frida_mode/test/re2/GNUmakefile index ab986190..ce95df3b 100644 --- a/frida_mode/test/re2/GNUmakefile +++ b/frida_mode/test/re2/GNUmakefile @@ -2,7 +2,8 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so +AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so +AFLPP_QEMU_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/qemu_hook.so LIBRE2_BUILD_DIR:=$(BUILD_DIR)libre2/ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ @@ -130,8 +131,8 @@ $(AFLPP_DRIVER_DUMMY_INPUT): | $(TEST_DATA_DIR) clean: rm -rf $(BUILD_DIR) -qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) - AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +qemu: $(TEST_BIN) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) + AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \ AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_QEMU_PERSISTENT_GPR=1 \ @@ -144,8 +145,8 @@ qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) -frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) - AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +frida: $(TEST_BIN) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ $(ROOT)afl-fuzz \ diff --git a/frida_mode/test/testinstr/GNUmakefile b/frida_mode/test/testinstr/GNUmakefile index a35073ab..3701ddc8 100644 --- a/frida_mode/test/testinstr/GNUmakefile +++ b/frida_mode/test/testinstr/GNUmakefile @@ -53,6 +53,13 @@ frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) $(TESTINSTBIN) @@ debug: + echo $(AFL_FRIDA_PERSISTENT_ADDR) + gdb \ + --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ + --ex 'set disassembly-flavor intel' \ + --args $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + +debug: gdb \ --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ --ex 'set disassembly-flavor intel' \ |