| -rw-r--r-- | frida_mode/README.md | 2 | ||||
| -rw-r--r-- | frida_mode/frida.map | 1 | ||||
| -rw-r--r-- | frida_mode/include/stalker.h | 3 | ||||
| -rw-r--r-- | frida_mode/src/js/api.js | 7 | ||||
| -rw-r--r-- | frida_mode/src/js/js_api.c | 6 | ||||
| -rw-r--r-- | frida_mode/src/stalker.c | 9 | ||||
| -rw-r--r-- | frida_mode/ts/lib/afl.ts | 12 | ||||
| -rw-r--r-- | include/envs.h | 1 | 
8 files changed, 38 insertions, 3 deletions
|
diff --git a/frida_mode/README.md b/frida_mode/README.md
index bb194080..8211224d 100644
--- a/frida_mode/README.md
+++ b/frida_mode/README.md
@@ -174,6 +174,8 @@ file.
 * `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage instrumentation (the default where available). Required to use `AFL_FRIDA_INST_TRACE`.
+* `AFL_FRIDA_INST_NO_BACKPATCH` - Disable backpatching. At the end of executing
+each block, control will return to FRIDA to identify the next block to execute.
 * `AFL_FRIDA_INST_NO_PREFETCH` - Disable prefetching. By default the child will report instrumented blocks back to the parent so that it can also instrument them and they be inherited by the next child on fork, implies
diff --git a/frida_mode/frida.map b/frida_mode/frida.map
index e2ae87a7..7be41aa0 100644
--- a/frida_mode/frida.map
+++ b/frida_mode/frida.map
@@ -8,6 +8,7 @@
 js_api_add_include_range;
 js_api_done;
 js_api_error;
+ js_api_set_backpatch_disable;
 js_api_set_debug_maps;
 js_api_set_entrypoint;
 js_api_set_instrument_coverage_file;
diff --git a/frida_mode/include/stalker.h b/frida_mode/include/stalker.h
index 955f3913..8a111b90 100644
--- a/frida_mode/include/stalker.h
+++ b/frida_mode/include/stalker.h
@@ -3,7 +3,8 @@
 #include "frida-gumjs.h"
-extern guint stalker_ic_entries;
+extern guint stalker_ic_entries;
+extern gboolean backpatch_enable;
 void stalker_config(void);
 void stalker_init(void);
diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js
index 6f9f05d8..5db62389 100644
--- a/frida_mode/src/js/api.js
+++ b/frida_mode/src/js/api.js
@@ -63,6 +63,12 @@ class Afl {
 Afl.jsApiWrite(STDOUT_FILENO, buf, log.length);
 }
 /**
+ * See `AFL_FRIDA_INST_NO_BACKPATCH`.
+ */
+ static setBackpatchDisable() {
+ Afl.jsApiSetBackpatchDisable();
+ }
+ /**
 * See `AFL_FRIDA_DEBUG_MAPS`.
 */
 static setDebugMaps() {
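Review bot: The new `extern gboolean backpatch_enable;` in stalker.h is the only symbol in that header without the `stalker_` prefix its neighbour `stalker_ic_entries` carries, and it is then written directly from js_api.c rather than through a stalker function. Since this is a freshly introduced global, renaming it now is cheap: `extern gboolean stalker_backpatch_enable;` in the header, with the definition in stalker.c and the two uses in stalker.c and js_api.c following. If the rest of the module already exposes unprefixed flags that js_api.c pokes directly (not visible in this diff), then keeping the shorter name for consistency is the better call.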
@@ -267,6 +273,7 @@ Afl.jsApiAddIncludeRange = Afl.jsApiGetFunction("js_api_add_include_range", "voi
 Afl.jsApiAflSharedMemFuzzing = Afl.jsApiGetSymbol("__afl_sharedmem_fuzzing");
 Afl.jsApiDone = Afl.jsApiGetFunction("js_api_done", "void", []);
 Afl.jsApiError = Afl.jsApiGetFunction("js_api_error", "void", ["pointer"]);
+Afl.jsApiSetBackpatchDisable = Afl.jsApiGetFunction("js_api_set_backpatch_disable", "void", []);
 Afl.jsApiSetDebugMaps = Afl.jsApiGetFunction("js_api_set_debug_maps", "void", []);
 Afl.jsApiSetEntryPoint = Afl.jsApiGetFunction("js_api_set_entrypoint", "void", ["pointer"]);
 Afl.jsApiSetInstrumentCoverageFile = Afl.jsApiGetFunction("js_api_set_instrument_coverage_file", "void", ["pointer"]);
diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c
index f3d81a32..abc0ac30 100644
--- a/frida_mode/src/js/js_api.c
+++ b/frida_mode/src/js/js_api.c
@@ -237,3 +237,9 @@ __attribute__((visibility("default"))) void js_api_set_traceable(void) {
 }
+__attribute__((visibility("default"))) void js_api_set_backpatch_disable(void) {
+
+ backpatch_enable = FALSE;
+
+}
+
diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c
index 814aaeb3..6ba41bc6 100644
--- a/frida_mode/src/stalker.c
+++ b/frida_mode/src/stalker.c
@@ -6,7 +6,8 @@
 #include "stats.h"
 #include "util.h"
-guint stalker_ic_entries = 0;
+guint stalker_ic_entries = 0;
+gboolean backpatch_enable = TRUE;
 static GumStalker *stalker = NULL;
@@ -58,6 +59,8 @@ void stalker_config(void) {
 if (!gum_stalker_is_supported()) { FATAL("Failed to initialize embedded"); }
+ backpatch_enable = (getenv("AFL_FRIDA_INST_NO_BACKPATCH") == NULL);
+
 stalker_ic_entries = util_read_num("AFL_FRIDA_STALKER_IC_ENTRIES");
 observer = g_object_new(GUM_TYPE_AFL_STALKER_OBSERVER, NULL);
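Review bot: The assignment `backpatch_enable = (getenv("AFL_FRIDA_INST_NO_BACKPATCH") == NULL);` in stalker_config() unconditionally overwrites the flag, so if the JS `setBackpatchDisable()` path (js_api_set_backpatch_disable, earlier in this diff) happens to run before stalker_config(), a script's request is silently reset to TRUE whenever the environment variable is unset. The ordering between script loading and the `*_config()` calls is not visible in this diff, so this may be a non-issue today, but making the config step only ever clear the flag removes the dependency on that ordering: `if (getenv("AFL_FRIDA_INST_NO_BACKPATCH") != NULL) { backpatch_enable = FALSE; }`. That keeps the compiled-in default of TRUE from the definition in the previous hunk as the single place the flag is set to TRUE. stalker_config()'s body continues outside the hunk.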
@@ -87,6 +90,8 @@ static gboolean stalker_exclude_self(const GumRangeDetails *details,
 void stalker_init(void) {
+ OKF("Instrumentation - backpatch [%c]", backpatch_enable ? 'X' : ' ');
+
 OKF("Stalker - ic_entries [%u]", stalker_ic_entries);
 #if !(defined(__x86_64__) || defined(__i386__))
@@ -134,7 +139,7 @@ void stalker_start(void) {
 void stalker_trust(void) {
- gum_stalker_set_trust_threshold(stalker, 0);
+ if (backpatch_enable) { gum_stalker_set_trust_threshold(stalker, 0); }
 }
diff --git a/frida_mode/ts/lib/afl.ts b/frida_mode/ts/lib/afl.ts
index 538d9b70..3639d670 100644
--- a/frida_mode/ts/lib/afl.ts
+++ b/frida_mode/ts/lib/afl.ts
@@ -78,6 +78,13 @@ class Afl {
 }
 /**
+ * See `AFL_FRIDA_INST_NO_BACKPATCH`.
+ */
+ public static setBackpatchDisable(): void {
+ Afl.jsApiSetBackpatchDisable();
+ }
+
+ /**
 * See `AFL_FRIDA_DEBUG_MAPS`.
 */
 public static setDebugMaps(): void {
@@ -313,6 +320,11 @@ class Afl {
 "void",
 ["pointer"]);
+ private static readonly jsApiSetBackpatchDisable = Afl.jsApiGetFunction(
+ "js_api_set_backpatch_disable",
+ "void",
+ []);
+
 private static readonly jsApiSetDebugMaps = Afl.jsApiGetFunction(
 "js_api_set_debug_maps",
 "void",
diff --git a/include/envs.h b/include/envs.h
index fd459f14..0ba79092 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -59,6 +59,7 @@ static char *afl_environment_variables[] = {
 "AFL_FRIDA_INST_COVERAGE_FILE",
 "AFL_FRIDA_INST_DEBUG_FILE",
 "AFL_FRIDA_INST_JIT",
+ "AFL_FRIDA_INST_NO_BACKPATCH",
 "AFL_FRIDA_INST_NO_OPTIMIZE",
 "AFL_FRIDA_INST_NO_PREFETCH",
 "AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH",
|
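Review bot: In stalker_trust(), disabling the option now merely skips `gum_stalker_set_trust_threshold(stalker, 0)`, which leaves the Stalker at Gum's default trust threshold; as far as I recall that default is a non-negative count, under which blocks are still backpatched once they have executed enough times, so the README's promise that control "will return to FRIDA" after every block would not hold. Gum's documented way to switch backpatching off is a negative threshold, so the disabled branch should set it explicitly rather than rely on the default: `if (backpatch_enable) { gum_stalker_set_trust_threshold(stalker, 0); }` followed by `else { gum_stalker_set_trust_threshold(stalker, -1); }`. If a caller of stalker_trust() outside this diff already sets -1 on the disabled path, a one-line comment on the `if` saying so would spare the next reader the same question. Please confirm the default against the Gum version vendored in frida_mode before relying on either behaviour.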
