-rw-r--r-- | frida_mode/addr/addr.c | 43 | ||||
-rw-r--r-- | frida_mode/hook/qemu_hook.c | 11 | ||||
-rw-r--r-- | frida_mode/include/instrument.h | 2 | ||||
-rw-r--r-- | frida_mode/test/cache/cache.c | 69 | ||||
-rw-r--r-- | frida_mode/test/cmov/cmov.c | 8 | ||||
-rw-r--r-- | frida_mode/test/deferred/testinstr.c | 7 | ||||
-rw-r--r-- | frida_mode/test/dynamic/testinstr.c | 24 | ||||
-rw-r--r-- | frida_mode/test/dynamic/testinstrlib.c | 3 | ||||
-rw-r--r-- | frida_mode/test/entry_point/testinstr.c | 2 | ||||
-rw-r--r-- | frida_mode/test/exe/testinstr.c | 4 | ||||
-rw-r--r-- | frida_mode/test/js/test.c | 2 | ||||
-rw-r--r-- | frida_mode/test/js/test2.c | 161 | ||||
-rw-r--r-- | frida_mode/test/osx-lib/harness.c | 92 | ||||
-rw-r--r-- | frida_mode/test/osx-lib/harness2.c | 92 | ||||
-rw-r--r-- | frida_mode/test/osx-lib/harness3.c | 55 | ||||
-rw-r--r-- | frida_mode/test/osx-lib/lib.c | 3 | ||||
-rw-r--r-- | frida_mode/test/osx-lib/lib2.c | 2 | ||||
-rw-r--r-- | frida_mode/test/output/testinstr.c | 4 | ||||
-rw-r--r-- | frida_mode/test/perf/perf.c | 22 | ||||
-rw-r--r-- | frida_mode/test/persistent_ret/testinstr.c | 6 | ||||
-rw-r--r-- | frida_mode/test/testinstr/testinstr.c | 4 | ||||
-rw-r--r-- | frida_mode/test/unstable/unstable.c | 23 |
22 files changed, 355 insertions, 284 deletions
diff --git a/frida_mode/addr/addr.c b/frida_mode/addr/addr.c index 371f69d4..69a04b17 100644 --- a/frida_mode/addr/addr.c +++ b/frida_mode/addr/addr.c @@ -6,34 +6,39 @@ #define UNUSED_PARAMETER(x) (void)(x) -int phdr_callback(struct dl_phdr_info *info, size_t size, void *data) -{ - UNUSED_PARAMETER (size); +int phdr_callback(struct dl_phdr_info *info, size_t size, void *data) { - ElfW(Addr) * base = data; + UNUSED_PARAMETER(size); + + ElfW(Addr) *base = data; + + if (info->dlpi_name[0] == 0) { *base = info->dlpi_addr; } + return 0; - if (info->dlpi_name[0] == 0) { *base = info->dlpi_addr; } - return 0; } -int main (int argc, char** argv, char** envp) { - UNUSED_PARAMETER (argc); +int main(int argc, char **argv, char **envp) { + + UNUSED_PARAMETER(argc); - ElfW(Addr) base = 0; + ElfW(Addr) base = 0; - int persona = personality(ADDR_NO_RANDOMIZE); - if (persona == -1) { + int persona = personality(ADDR_NO_RANDOMIZE); + if (persona == -1) { - printf("Failed to set ADDR_NO_RANDOMIZE: %d", errno); - return 1; - } + printf("Failed to set ADDR_NO_RANDOMIZE: %d", errno); + return 1; - if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); } + } - dl_iterate_phdr(phdr_callback, &base); + if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); } - printf("%p\n", (void *)base); - if (base == 0) { return 1; } + dl_iterate_phdr(phdr_callback, &base); + + printf("%p\n", (void *)base); + if (base == 0) { return 1; } + + return 0; - return 0; } + diff --git a/frida_mode/hook/qemu_hook.c b/frida_mode/hook/qemu_hook.c index 56e787e3..d7d45974 100644 --- a/frida_mode/hook/qemu_hook.c +++ b/frida_mode/hook/qemu_hook.c @@ -36,7 +36,7 @@ struct x86_64_regs { void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base, uint8_t *input_buf, uint32_t input_buf_len) { - (void)guest_base; /* unused */ + (void)guest_base; /* unused */ memcpy((void *)regs->rdi, input_buf, input_buf_len); regs->rsi = input_buf_len; 
@@ -76,14 +76,15 @@ struct x86_regs { void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base, uint8_t *input_buf, uint32_t input_buf_len) { - (void)guest_base; /* unused */ + (void)guest_base; /* unused */ void **esp = (void **)regs->esp; - void * arg1 = esp[1]; + void *arg1 = esp[1]; void **arg2 = &esp[2]; memcpy(arg1, input_buf, input_buf_len); *arg2 = (void *)input_buf_len; } + #elif defined(__aarch64__) struct arm64_regs { @@ -177,9 +178,10 @@ struct arm64_regs { void afl_persistent_hook(struct arm64_regs *regs, uint64_t guest_base, uint8_t *input_buf, uint32_t input_buf_len) { - (void)guest_base; /* unused */ + (void)guest_base; /* unused */ memcpy((void *)regs->x0, input_buf, input_buf_len); regs->x1 = input_buf_len; + } #else @@ -193,3 +195,4 @@ int afl_persistent_hook_init(void) { return 1; } + diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index a1969e37..9287019a 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -22,7 +22,7 @@ extern guint64 instrument_fixed_seed; extern uint8_t *__afl_area_ptr; extern uint32_t __afl_map_size; -extern void __afl_coverage_interesting(uint8_t, uint32_t); +extern void __afl_coverage_interesting(uint8_t, uint32_t); extern __thread guint64 *instrument_previous_pc_addr; diff --git a/frida_mode/test/cache/cache.c b/frida_mode/test/cache/cache.c index b4102205..6ee8bf01 100644 --- a/frida_mode/test/cache/cache.c +++ b/frida_mode/test/cache/cache.c 
@@ -6,46 +6,45 @@ void LLVMFuzzerTestOneInput(char *buf, int len); -__asm__ ( - "LLVMFuzzerTestOneInput:\n" - ".func LLVMFuzzerTestOneInput\n" - ".global LLVMFuzzerTestOneInput\n" - " jmpq *jmp_offset(%rip)\n" - " nop\n" - " nop\n" - "call_target:\n" - " ret\n" - " nop\n" - " nop\n" - "jmp_target:\n" - " callq *call_offset(%rip)\n" - " nop\n" - " nop\n" - " leaq rax_offset(%rip), %rax\n" - " jmp (%rax)\n" - " nop\n" - " ud2\n" - " nop\n" - "rax_target:\n" - " ret\n" - "\n" - "\n" - ".global jmp_offset\n" - ".p2align 3\n" - "jmp_offset:\n" - " .quad jmp_target\n" - "call_offset:\n" - " .quad call_target\n" - "rax_offset:\n" - " .quad rax_target\n" -); +__asm__( + "LLVMFuzzerTestOneInput:\n" + ".func LLVMFuzzerTestOneInput\n" + ".global LLVMFuzzerTestOneInput\n" + " jmpq *jmp_offset(%rip)\n" + " nop\n" + " nop\n" + "call_target:\n" + " ret\n" + " nop\n" + " nop\n" + "jmp_target:\n" + " callq *call_offset(%rip)\n" + " nop\n" + " nop\n" + " leaq rax_offset(%rip), %rax\n" + " jmp (%rax)\n" + " nop\n" + " ud2\n" + " nop\n" + "rax_target:\n" + " ret\n" + "\n" + "\n" + ".global jmp_offset\n" + ".p2align 3\n" + "jmp_offset:\n" + " .quad jmp_target\n" + "call_offset:\n" + " .quad call_target\n" + "rax_offset:\n" + " .quad rax_target\n"); int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/cmov/cmov.c b/frida_mode/test/cmov/cmov.c index 08c7c132..97f2fb7f 100644 --- a/frida_mode/test/cmov/cmov.c +++ b/frida_mode/test/cmov/cmov.c @@ -6,8 +6,8 @@ static bool cmov_test(char *x, char *y, size_t len) { - register char * __rdi __asm__("rdi") = x; - register char * __rsi __asm__("rsi") = y; + register char *__rdi __asm__("rdi") = x; + register char *__rsi __asm__("rsi") = y; register size_t __rcx __asm__("rcx") = len; register long __rax __asm__("rax"); 
@@ -49,10 +49,10 @@ void LLVMFuzzerTestOneInput(char *buf, int len) { int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/deferred/testinstr.c b/frida_mode/test/deferred/testinstr.c index 4e5124ed..2bd1d718 100644 --- a/frida_mode/test/deferred/testinstr.c +++ b/frida_mode/test/deferred/testinstr.c @@ -41,7 +41,7 @@ int run(char *file) { int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; @@ -51,6 +51,7 @@ int run(char *file) { fd = open(file, O_RDONLY); if (fd < 0) { + perror("open"); break; @@ -110,8 +111,10 @@ void slow() { } -TESTINSTR_SECTION int do_run(char * file) { +TESTINSTR_SECTION int do_run(char *file) { + return run(file); + } int main(int argc, char **argv) { diff --git a/frida_mode/test/dynamic/testinstr.c b/frida_mode/test/dynamic/testinstr.c index 0abc61fd..55bf579e 100644 --- a/frida_mode/test/dynamic/testinstr.c +++ b/frida_mode/test/dynamic/testinstr.c @@ -19,32 +19,40 @@ typedef void (*fntestinstrlib)(char *buf, int len); void testinstr(char *buf, int len) { + void *lib = dlopen("testinstrlib.so", RTLD_NOW); if (lib == NULL) { + puts("Library not found"); abort(); + } fntestinstrlib fn = (fntestinstrlib)(dlsym(lib, "testinstrlib")); if (fn == NULL) { + puts("Function not found"); abort(); + } fn(buf, len); + } int main(int argc, char **argv) { - char * file; + + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; if (argc != 2) { return 1; } do { + file = argv[1]; printf("file: %s\n", file); 
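Review bot: The `perror("open")` added in run() (hunk `@@ -51,6 +51,7 @@` of deferred/testinstr.c) reports the errno text but not which path failed, so when several inputs are run the message cannot be tied to a file; since `file` is in scope on that line, `fprintf(stderr, "open(%s): %s\n", file, strerror(errno));` gives the same information plus the path (add `#include <string.h>` if the file does not already have it). run() begins before this hunk and its later failure branches (lseek/malloc/read) are outside it; if they still `break` silently, mirroring the reporting that dynamic/testinstr.c gains in this same commit would keep the two harnesses consistent.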
@@ -52,33 +60,43 @@ int main(int argc, char **argv) { fd = open(file, O_RDONLY); if (fd < 0) { + perror("open"); break; + } len = lseek(fd, 0, SEEK_END); if (len < 0) { + perror("lseek (SEEK_END)"); break; + } if (lseek(fd, 0, SEEK_SET) != 0) { + perror("lseek (SEEK_SET)"); break; + } printf("len: %ld\n", len); buf = malloc(len); if (buf == NULL) { + perror("malloc"); break; + } n_read = read(fd, buf, len); if (n_read != len) { + perror("read"); break; + } dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); @@ -95,4 +113,6 @@ int main(int argc, char **argv) { if (fd != -1) { close(fd); } return result; + } + diff --git a/frida_mode/test/dynamic/testinstrlib.c b/frida_mode/test/dynamic/testinstrlib.c index 987cbf91..85e2c837 100644 --- a/frida_mode/test/dynamic/testinstrlib.c +++ b/frida_mode/test/dynamic/testinstrlib.c @@ -1,6 +1,7 @@ #include <stdio.h> void testinstrlib(char *buf, int len) { + if (len < 1) return; buf[len] = 0; @@ -11,4 +12,6 @@ void testinstrlib(char *buf, int len) { printf("Pretty sure that is a one!\n"); else printf("Neither one or zero? How quaint!\n"); + } + diff --git a/frida_mode/test/entry_point/testinstr.c b/frida_mode/test/entry_point/testinstr.c index 75e71bda..5fe17165 100644 --- a/frida_mode/test/entry_point/testinstr.c +++ b/frida_mode/test/entry_point/testinstr.c @@ -41,7 +41,7 @@ int run(char *file) { int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/exe/testinstr.c b/frida_mode/test/exe/testinstr.c index 7b603659..8b99352e 100644 --- a/frida_mode/test/exe/testinstr.c +++ b/frida_mode/test/exe/testinstr.c @@ -39,10 +39,10 @@ void testinstr(char *buf, int len) { TESTINSTR_SECTION int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/js/test.c b/frida_mode/test/js/test.c index 9799bf3b..e233f13a 100644 
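Review bot: The new `perror("read")` in main() of dynamic/testinstr.c fires on any `n_read != len`, but a short read is not a failure and leaves errno stale, so the message can be misleading or even print "Success"; only the -1 case should be routed through perror, e.g. `if (n_read != (size_t)len) { if ((ssize_t)n_read < 0) perror("read"); else fprintf(stderr, "short read: %zu of %ld\n", n_read, (long)len); break; }`. The cast also makes the signed/unsigned comparison between the size_t `n_read` and the off_t `len` explicit rather than implicit. The other added perror() calls likewise omit `file`, which is in scope and would make the diagnostics attributable when several inputs are run. Separately, `buf = malloc(len)` hands the library exactly `len` bytes while testinstrlib's `buf[len] = 0` (visible elsewhere in this diff) writes one past that allocation; if that is not an intentional crash target, `malloc(len + 1)` would avoid it — main() starts before this hunk and ends after it.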
--- a/frida_mode/test/js/test.c +++ b/frida_mode/test/js/test.c @@ -35,7 +35,7 @@ int run(char *file) { int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/js/test2.c b/frida_mode/test/js/test2.c index 60b30eb5..c3557bbf 100644 --- a/frida_mode/test/js/test2.c +++ b/frida_mode/test/js/test2.c 
@@ -22,60 +22,60 @@ #define IGNORED_RETURN(x) (void)!(x) const uint32_t crc32_tab[] = { - 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, - 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, - 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, - 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, - 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, - 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, - 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, - 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, - 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, - 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, - 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, - 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, - 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, - 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, - 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, - 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, - 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, - 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, - 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, - 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, - 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, - 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, - 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, - 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, - 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, - 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 
0x67dd4acc, - 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, - 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, - 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, - 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, - 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, - 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, - 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, - 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, - 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, - 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, - 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, - 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, - 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, - 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, - 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, - 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, - 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d -}; - -uint32_t -crc32(const void *buf, size_t size) -{ - const uint8_t *p = buf; - uint32_t crc; - crc = ~0U; - while (size--) - crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8); - return crc ^ ~0U; + + 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, + 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, + 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, + 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, + 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, + 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, + 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, + 0xdbbbc9d6, 0xacbcf940, 
0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, + 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, + 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, + 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, + 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, + 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, + 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, + 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, + 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, + 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, + 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, + 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, + 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, + 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, + 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, + 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, + 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, + 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, + 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, + 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, + 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, + 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, + 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, + 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, + 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, + 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, + 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, + 0x92d28e9b, 0xe5d5be0d, 
0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, + 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, + 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, + 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, + 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, + 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, + 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, + 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, + 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d}; + +uint32_t crc32(const void *buf, size_t size) { + + const uint8_t *p = buf; + uint32_t crc; + crc = ~0U; + while (size--) + crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8); + return crc ^ ~0U; + } /* @@ -83,11 +83,13 @@ crc32(const void *buf, size_t size) * FRIDA to patch this function out and always return success. Otherwise, we * could change it to actually correct the checksum. */ -int crc32_check (char * buf, int len) { +int crc32_check(char *buf, int len) { + if (len < sizeof(uint32_t)) { return 0; } uint32_t expected = *(uint32_t *)&buf[len - sizeof(uint32_t)]; uint32_t calculated = crc32(buf, len - sizeof(uint32_t)); return expected == calculated; + } /* 
@@ -97,27 +99,31 @@ int crc32_check (char * buf, int len) { * cloud your output unnecessarily. Again, we can use FRIDA to patch it out. */ void some_boring_bug(char c) { + switch (c) { - case 'A'...'Z': - case 'a'...'z': + + case 'A' ... 'Z': + case 'a' ... 'z': __builtin_trap(); break; + } + } extern void some_boring_bug2(char c); -__asm__ ( - ".text \n" - "some_boring_bug2: \n" - ".global some_boring_bug2 \n" - ".type some_boring_bug2, @function \n" - "mov %edi, %eax \n" - "cmp $0xb4, %al \n" - "jne ok \n" - "ud2 \n" - "ok: \n" - "ret \n"); +__asm__( + ".text \n" + "some_boring_bug2: \n" + ".global some_boring_bug2 \n" + ".type some_boring_bug2, @function \n" + "mov %edi, %eax \n" + "cmp $0xb4, %al \n" + "jne ok \n" + "ud2 \n" + "ok: \n" + "ret \n"); void LLVMFuzzerTestOneInput(char *buf, int len) { @@ -127,16 +133,20 @@ void LLVMFuzzerTestOneInput(char *buf, int len) { some_boring_bug2(buf[0]); if (buf[0] == '0') { + printf("Looks like a zero to me!\n"); - } - else if (buf[0] == '1') { + + } else if (buf[0] == '1') { + printf("Pretty sure that is a one!\n"); - } - else if (buf[0] == '2') { + + } else if (buf[0] == '2') { + printf("Oh we, weren't expecting that!"); __builtin_trap(); - } - else + + } else + printf("Neither one or zero? How quaint!\n"); } @@ -145,7 +155,7 @@ int main(int argc, char **argv) { int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; @@ -173,5 +183,6 @@ int main(int argc, char **argv) { printf("Done: %s: (%zd bytes)\n", argv[1], n_read); return 0; + } diff --git a/frida_mode/test/osx-lib/harness.c b/frida_mode/test/osx-lib/harness.c index 3d427b4a..186cfcee 100644 --- a/frida_mode/test/osx-lib/harness.c +++ b/frida_mode/test/osx-lib/harness.c 
@@ -4,66 +4,68 @@ #include <stdlib.h> #include <dlfcn.h> - -//typedef for our exported target function. +// typedef for our exported target function. typedef void (*CRASHME)(const uint8_t *Data, size_t Size); -//globals +// globals CRASHME fpn_crashme = NULL; +int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) { + + fpn_crashme(data, size); + return 0; -int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){ - fpn_crashme(data, size); - return 0; } -int main(int argc, const char * argv[]) -{ - - for (int i = 1; i < argc; i++) { - fprintf(stderr, "Running: %s\n", argv[i]); - FILE *f = fopen(argv[i], "r"); - assert(f); - fseek(f, 0, SEEK_END); - size_t len = ftell(f); - fseek(f, 0, SEEK_SET); - unsigned char *buf = (unsigned char*)malloc(len); - size_t n_read = fread(buf, 1, len, f); - fclose(f); - assert(n_read == len); - LLVMFuzzerTestOneInput(buf, len); - free(buf); - fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); - } - - return 0; +int main(int argc, const char *argv[]) { + + for (int i = 1; i < argc; i++) { + + fprintf(stderr, "Running: %s\n", argv[i]); + FILE *f = fopen(argv[i], "r"); + assert(f); + fseek(f, 0, SEEK_END); + size_t len = ftell(f); + fseek(f, 0, SEEK_SET); + unsigned char *buf = (unsigned char *)malloc(len); + size_t n_read = fread(buf, 1, len, f); + fclose(f); + assert(n_read == len); + LLVMFuzzerTestOneInput(buf, len); + free(buf); + fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); + + } + + return 0; + } -__attribute__((constructor())) -void constructor(void) { - // handles to required libs - void *dylib = NULL; +__attribute__((constructor())) void constructor(void) { + + // handles to required libs + void *dylib = NULL; - dylib = dlopen("./libcrashme.dylib", RTLD_NOW); - if (dylib == NULL) - { + dylib = dlopen("./libcrashme.dylib", RTLD_NOW); + if (dylib == NULL) { - printf("[-] Failed to load lib\n"); - printf("[-] Dlerror: %s\n", dlerror()); - exit(1); + printf("[-] Failed to load 
lib\n"); + printf("[-] Dlerror: %s\n", dlerror()); + exit(1); - } + } - printf("[+] Resolve function\n"); + printf("[+] Resolve function\n"); - fpn_crashme = (CRASHME)dlsym(dylib, "crashme"); - if (!fpn_crashme) - { + fpn_crashme = (CRASHME)dlsym(dylib, "crashme"); + if (!fpn_crashme) { - printf("[-] Failed to find function\n"); - exit(1); + printf("[-] Failed to find function\n"); + exit(1); - } + } + + printf("[+] Found function.\n"); - printf("[+] Found function.\n"); } + diff --git a/frida_mode/test/osx-lib/harness2.c b/frida_mode/test/osx-lib/harness2.c index 464614ee..ed0b85d8 100644 --- a/frida_mode/test/osx-lib/harness2.c +++ b/frida_mode/test/osx-lib/harness2.c 
@@ -4,66 +4,68 @@ #include <stdlib.h> #include <dlfcn.h> - -//typedef for our exported target function. +// typedef for our exported target function. typedef void (*CRASHME)(const uint8_t *Data, size_t Size); -//globals +// globals CRASHME fpn_crashme = NULL; +int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) { + + fpn_crashme(data, size); + return 0; -int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){ - fpn_crashme(data, size); - return 0; } -int main(int argc, const char * argv[]) -{ - - for (int i = 1; i < argc; i++) { - fprintf(stderr, "Running: %s\n", argv[i]); - FILE *f = fopen(argv[i], "r"); - assert(f); - fseek(f, 0, SEEK_END); - size_t len = ftell(f); - fseek(f, 0, SEEK_SET); - unsigned char *buf = (unsigned char*)malloc(len); - size_t n_read = fread(buf, 1, len, f); - fclose(f); - assert(n_read == len); - LLVMFuzzerTestOneInput(buf, len); - free(buf); - fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); - } - - return 0; +int main(int argc, const char *argv[]) { + + for (int i = 1; i < argc; i++) { + + fprintf(stderr, "Running: %s\n", argv[i]); + FILE *f = fopen(argv[i], "r"); + assert(f); + fseek(f, 0, SEEK_END); + size_t len = ftell(f); + fseek(f, 0, SEEK_SET); + unsigned char *buf = (unsigned char *)malloc(len); + size_t n_read = fread(buf, 1, len, f); + fclose(f); + assert(n_read == len); + LLVMFuzzerTestOneInput(buf, len); + free(buf); + fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); + + } + + return 0; + } -__attribute__((constructor())) -void constructor(void) { - // handles to required libs - void *dylib = NULL; +__attribute__((constructor())) void constructor(void) { + + // handles to required libs + void *dylib = NULL; - dylib = dlopen("./libcrashme2.dylib", RTLD_NOW); - if (dylib == NULL) - { + dylib = dlopen("./libcrashme2.dylib", RTLD_NOW); + if (dylib == NULL) { - printf("[-] Failed to load lib\n"); - printf("[-] Dlerror: %s\n", dlerror()); - exit(1); + printf("[-] Failed to load 
lib\n"); + printf("[-] Dlerror: %s\n", dlerror()); + exit(1); - } + } - printf("[+] Resolve function\n"); + printf("[+] Resolve function\n"); - fpn_crashme = (CRASHME)dlsym(dylib, "crashme"); - if (!fpn_crashme) - { + fpn_crashme = (CRASHME)dlsym(dylib, "crashme"); + if (!fpn_crashme) { - printf("[-] Failed to find function\n"); - exit(1); + printf("[-] Failed to find function\n"); + exit(1); - } + } + + printf("[+] Found function.\n"); - printf("[+] Found function.\n"); } + diff --git a/frida_mode/test/osx-lib/harness3.c b/frida_mode/test/osx-lib/harness3.c index 83983c99..ae24db33 100644 --- a/frida_mode/test/osx-lib/harness3.c +++ b/frida_mode/test/osx-lib/harness3.c 
@@ -4,37 +4,42 @@ #include <stdlib.h> #include <dlfcn.h> - extern void crashme(const uint8_t *Data, size_t Size); -int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){ - crashme(data, size); - return 0; +int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) { + + crashme(data, size); + return 0; + } -void run (int argc, const char * argv[]) -{ - for (int i = 1; i < argc; i++) { - fprintf(stderr, "Running: %s\n", argv[i]); - FILE *f = fopen(argv[i], "r"); - assert(f); - fseek(f, 0, SEEK_END); - size_t len = ftell(f); - fseek(f, 0, SEEK_SET); - unsigned char *buf = (unsigned char*)malloc(len); - size_t n_read = fread(buf, 1, len, f); - fclose(f); - assert(n_read == len); - LLVMFuzzerTestOneInput(buf, len); - free(buf); - fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); - } +void run(int argc, const char *argv[]) { + + for (int i = 1; i < argc; i++) { + + fprintf(stderr, "Running: %s\n", argv[i]); + FILE *f = fopen(argv[i], "r"); + assert(f); + fseek(f, 0, SEEK_END); + size_t len = ftell(f); + fseek(f, 0, SEEK_SET); + unsigned char *buf = (unsigned char *)malloc(len); + size_t n_read = fread(buf, 1, len, f); + fclose(f); + assert(n_read == len); + LLVMFuzzerTestOneInput(buf, len); + free(buf); + fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); + + } + } -int main(int argc, const char * argv[]) -{ +int main(int argc, const char *argv[]) { - run(argc, argv); + run(argc, argv); + + return 0; - return 0; } + diff --git a/frida_mode/test/osx-lib/lib.c b/frida_mode/test/osx-lib/lib.c index b2dad098..84ceb9da 100644 --- a/frida_mode/test/osx-lib/lib.c +++ b/frida_mode/test/osx-lib/lib.c @@ -2,7 +2,6 @@ #include <stdlib.h> #include <stdint.h> - void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { if (Size < 5) return; @@ -13,5 +12,5 @@ void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { if (Data[3] == '$') if (Data[4] == '$') abort(); - } + 
diff --git a/frida_mode/test/osx-lib/lib2.c b/frida_mode/test/osx-lib/lib2.c index ba207210..a84ee6f2 100644 --- a/frida_mode/test/osx-lib/lib2.c +++ b/frida_mode/test/osx-lib/lib2.c @@ -3,7 +3,6 @@ #include <stdint.h> #include <string.h> - void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { if (Size < 1) return; @@ -56,6 +55,5 @@ void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { } - } diff --git a/frida_mode/test/output/testinstr.c b/frida_mode/test/output/testinstr.c index 7b603659..8b99352e 100644 --- a/frida_mode/test/output/testinstr.c +++ b/frida_mode/test/output/testinstr.c @@ -39,10 +39,10 @@ void testinstr(char *buf, int len) { TESTINSTR_SECTION int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/perf/perf.c b/frida_mode/test/perf/perf.c index 55efba26..596d1bd3 100644 --- a/frida_mode/test/perf/perf.c +++ b/frida_mode/test/perf/perf.c @@ -20,22 +20,32 @@ void LLVMFuzzerTestOneInput(char *buf, int len) { int ret = 0; for (int i = 0; i < 1000; i++) { - switch(buf[i]) { - case 'A': ret += 2; break; - case '1': ret += 3; break; - default: ret++; + + switch (buf[i]) { + + case 'A': + ret += 2; + break; + case '1': + ret += 3; + break; + default: + ret++; + } + } + printf("ret: %d\n", ret); } int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/persistent_ret/testinstr.c b/frida_mode/test/persistent_ret/testinstr.c index 85aa2b80..aa28d953 100644 --- a/frida_mode/test/persistent_ret/testinstr.c +++ b/frida_mode/test/persistent_ret/testinstr.c @@ -18,7 +18,7 @@ void LLVMFuzzerTestOneInput(char *buf, int len) { - printf (">>> LLVMFuzzerTestOneInput >>>\n"); + printf(">>> LLVMFuzzerTestOneInput >>>\n"); if (len < 1) return; buf[len] = 0; 
@@ -40,10 +40,10 @@ void slow() { int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/testinstr/testinstr.c b/frida_mode/test/testinstr/testinstr.c index 7b603659..8b99352e 100644 --- a/frida_mode/test/testinstr/testinstr.c +++ b/frida_mode/test/testinstr/testinstr.c @@ -39,10 +39,10 @@ void testinstr(char *buf, int len) { TESTINSTR_SECTION int main(int argc, char **argv) { - char * file; + char *file; int fd = -1; off_t len; - char * buf = NULL; + char *buf = NULL; size_t n_read; int result = -1; diff --git a/frida_mode/test/unstable/unstable.c b/frida_mode/test/unstable/unstable.c index 16978e7e..98198578 100644 --- a/frida_mode/test/unstable/unstable.c +++ b/frida_mode/test/unstable/unstable.c @@ -22,7 +22,7 @@ #define TESTINSTR_SECTION __attribute__((section(".testinstr"))) #endif -void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { +void LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (size < 1) return; @@ -30,9 +30,13 @@ void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { if (gettimeofday(&tv, NULL) < 0) return; if ((tv.tv_usec % 2) == 0) { - printf ("Hooray all even\n"); + + printf("Hooray all even\n"); + } else { - printf ("Hmm that's odd\n"); + + printf("Hmm that's odd\n"); + } // we support three input cases 
@@ -45,26 +49,33 @@ void LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { } -void run_test(char * file) { +void run_test(char *file) { + fprintf(stderr, "Running: %s\n", file); FILE *f = fopen(file, "r"); assert(f); fseek(f, 0, SEEK_END); size_t len = ftell(f); fseek(f, 0, SEEK_SET); - unsigned char *buf = (unsigned char*)malloc(len); - size_t n_read = fread(buf, 1, len, f); + unsigned char *buf = (unsigned char *)malloc(len); + size_t n_read = fread(buf, 1, len, f); fclose(f); assert(n_read == len); LLVMFuzzerTestOneInput(buf, len); free(buf); fprintf(stderr, "Done: %s: (%zd bytes)\n", file, n_read); + } int main(int argc, char **argv) { + srand(1); fprintf(stderr, "StandaloneFuzzTargetMain: running %d inputs\n", argc - 1); for (int i = 1; i < argc; i++) { + run_test(argv[i]); + } + } + |