about summary refs log tree commit diff
path: root/examples
diff options
context:
space:
mode:
Diffstat (limited to 'examples')
-rw-r--r--examples/afl_frida/Makefile2
-rw-r--r--examples/afl_frida/afl-frida.c260
2 files changed, 241 insertions, 21 deletions
diff --git a/examples/afl_frida/Makefile b/examples/afl_frida/Makefile
index 5d482e54..c154f3a4 100644
--- a/examples/afl_frida/Makefile
+++ b/examples/afl_frida/Makefile
@@ -11,7 +11,7 @@ libfrida-gum.a:
 	@exit 1
 	
 afl-frida:	afl-frida.c libfrida-gum.a
-	$(CC) -g $(OPT) -o afl-frida -I. -fpermissive -fPIC afl-frida.c ../../afl-llvm-rt.o libfrida-gum.a -ldl -lresolv -pthread
+	$(CC) -g $(OPT) -o afl-frida -Wno-format -Wno-pointer-sign -I. -fpermissive -fPIC afl-frida.c ../../afl-llvm-rt.o libfrida-gum.a -ldl -lresolv -pthread
 
 libtestinstr.so:        libtestinstr.c
 	$(CC) -g -O0 -fPIC -o libtestinstr.so -shared libtestinstr.c
diff --git a/examples/afl_frida/afl-frida.c b/examples/afl_frida/afl-frida.c
index ff10ffb7..76732aeb 100644
--- a/examples/afl_frida/afl-frida.c
+++ b/examples/afl_frida/afl-frida.c
@@ -42,6 +42,7 @@
   #include <sys/personality.h>
 #endif
 
+int debug = 0;
 
 // STEP 1:
 
@@ -58,7 +59,6 @@ static void *(*o_function)(uint8_t *, int);
 
 // END STEP 1
 
-
 #include "frida-gum.h"
 
 G_BEGIN_DECLS
@@ -100,7 +100,7 @@ static void gum_fake_event_sink_class_init(GumFakeEventSinkClass *klass) {
 static void gum_fake_event_sink_iface_init(gpointer g_iface,
                                            gpointer iface_data) {
 
-  GumEventSinkInterface *iface = (GumEventSinkInterface *) g_iface;
+  GumEventSinkInterface *iface = (GumEventSinkInterface *)g_iface;
   iface->query_mask = gum_fake_event_sink_query_mask;
   iface->process = gum_fake_event_sink_process;
 
@@ -113,20 +113,20 @@ G_DEFINE_TYPE_EXTENDED(GumFakeEventSink, gum_fake_event_sink, G_TYPE_OBJECT, 0,
 #include "../../config.h"
 
 // Shared memory fuzzing.
-int __afl_sharedmem_fuzzing = 1;
-extern unsigned int *__afl_fuzz_len;
+int                   __afl_sharedmem_fuzzing = 1;
+extern unsigned int * __afl_fuzz_len;
 extern unsigned char *__afl_fuzz_ptr;
 
 // Notify AFL about persistent mode.
 static volatile char AFL_PERSISTENT[] = "##SIG_AFL_PERSISTENT##";
-int __afl_persistent_loop(unsigned int);
+int                  __afl_persistent_loop(unsigned int);
 
 // Notify AFL about deferred forkserver.
 static volatile char AFL_DEFER_FORKSVR[] = "##SIG_AFL_DEFER_FORKSRV##";
-void __afl_manual_init();
+void                 __afl_manual_init();
 
 // Because we do our own logging.
-extern uint8_t * __afl_area_ptr;
+extern uint8_t *__afl_area_ptr;
 
 // Frida stuff below.
 typedef struct {
@@ -140,6 +140,8 @@ inline static void afl_maybe_log(guint64 current_pc) {
 
   static __thread guint64 previous_pc;
 
+  // fprintf(stderr, "PC: %p\n", current_pc);
+
   current_pc = (current_pc >> 4) ^ (current_pc << 8);
   current_pc &= MAP_SIZE - 1;
 
@@ -165,10 +167,14 @@ void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output,
 
     if (begin) {
 
-      guint64 current_pc = instr->address - range->base_address;
-      gum_stalker_iterator_put_callout(iterator, on_basic_block,
-                                       (gpointer)current_pc, NULL);
-      begin = FALSE;
+      if (instr->address >= range->code_start &&
+          instr->address <= range->code_end) {
+
+        gum_stalker_iterator_put_callout(iterator, on_basic_block,
+                                         (gpointer)instr->address, NULL);
+        begin = FALSE;
+
+      }
 
     }
 
@@ -178,7 +184,9 @@ void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output,
 
 }
 
-static void gum_fake_event_sink_init(GumFakeEventSink *self) { }
+static void gum_fake_event_sink_init(GumFakeEventSink *self) {
+
+}
 
 static void gum_fake_event_sink_finalize(GObject *obj) {
 
@@ -189,12 +197,14 @@ static void gum_fake_event_sink_finalize(GObject *obj) {
 GumEventSink *gum_fake_event_sink_new(void) {
 
   GumFakeEventSink *sink;
-  sink = (GumFakeEventSink *) g_object_new(GUM_TYPE_FAKE_EVENT_SINK, NULL);
+  sink = (GumFakeEventSink *)g_object_new(GUM_TYPE_FAKE_EVENT_SINK, NULL);
   return GUM_EVENT_SINK(sink);
 
 }
 
-void gum_fake_event_sink_reset(GumFakeEventSink *self) { }
+void gum_fake_event_sink_reset(GumFakeEventSink *self) {
+
+}
 
 static GumEventType gum_fake_event_sink_query_mask(GumEventSink *sink) {
 
@@ -202,8 +212,201 @@ static GumEventType gum_fake_event_sink_query_mask(GumEventSink *sink) {
 
 }
 
+typedef struct library_list {
+
+  uint8_t *name;
+  uint64_t addr_start, addr_end;
+
+} library_list_t;
+
+#define MAX_LIB_COUNT 256
+static library_list_t liblist[MAX_LIB_COUNT];
+static u32            liblist_cnt;
+
+void read_library_information() {
+
+#if defined(__linux__)
+  FILE *f;
+  u8    buf[1024], *b, *m, *e, *n;
+
+  if ((f = fopen("/proc/self/maps", "r")) == NULL) {
+
+    fprintf(stderr, "Error: cannot open /proc/self/maps\n");
+    exit(-1);
+
+  }
+
+  if (debug) fprintf(stderr, "Library list:\n");
+  while (fgets(buf, sizeof(buf), f)) {
+
+    if (strstr(buf, " r-x")) {
+
+      if (liblist_cnt >= MAX_LIB_COUNT) {
+
+        fprintf(
+            stderr,
+            "Warning: too many libraries to old, maximum count of %d reached\n",
+            liblist_cnt);
+        return;
+
+      }
+
+      b = buf;
+      m = index(buf, '-');
+      e = index(buf, ' ');
+      if ((n = rindex(buf, '/')) == NULL) n = rindex(buf, ' ');
+      if (n &&
+          ((*n >= '0' && *n <= '9') || *n == '[' || *n == '{' || *n == '('))
+        n = NULL;
+      else
+        n++;
+      if (b && m && e && n && *n) {
+
+        *m++ = 0;
+        *e = 0;
+        if (n[strlen(n) - 1] == '\n') n[strlen(n) - 1] = 0;
+
+        if (rindex(n, '/') != NULL) {
+
+          n = rindex(n, '/');
+          n++;
+
+        }
+
+        liblist[liblist_cnt].name = strdup(n);
+        liblist[liblist_cnt].addr_start = strtoull(b, NULL, 16);
+        liblist[liblist_cnt].addr_end = strtoull(m, NULL, 16);
+        if (debug)
+          fprintf(
+              stderr, "%s:%llx (%llx-%llx)\n", liblist[liblist_cnt].name,
+              liblist[liblist_cnt].addr_end - liblist[liblist_cnt].addr_start,
+              liblist[liblist_cnt].addr_start,
+              liblist[liblist_cnt].addr_end - 1);
+        liblist_cnt++;
+
+      }
+
+    }
+
+  }
+
+  if (debug) fprintf(stderr, "\n");
+
+#elif defined(__FreeBSD__)
+  int    mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, getpid()};
+  char * buf, *start, *end;
+  size_t miblen = sizeof(mib) / sizeof(mib[0]);
+  size_t len;
+
+  if (debug) fprintf(stderr, "Library list:\n");
+  if (sysctl(mib, miblen, NULL, &len, NULL, 0) == -1) { return; }
+
+  len = len * 4 / 3;
+
+  buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0);
+  if (buf == MAP_FAILED) { return; }
+  if (sysctl(mib, miblen, buf, &len, NULL, 0) == -1) {
+
+    munmap(buf, len);
+    return;
+
+  }
+
+  start = buf;
+  end = buf + len;
+
+  while (start < end) {
+
+    struct kinfo_vmentry *region = (struct kinfo_vmentry *)start;
+    size_t                size = region->kve_structsize;
+
+    if (size == 0) { break; }
+
+    if ((region->kve_protection & KVME_PROT_READ) &&
+        !(region->kve_protection & KVME_PROT_EXEC)) {
+
+      liblist[liblist_cnt].name =
+          region->kve_path[0] != '\0' ? strdup(region->kve_path) : 0;
+      liblist[liblist_cnt].addr_start = region->kve_start;
+      liblist[liblist_cnt].addr_end = region->kve_end;
+
+      if (debug) {
+
+        fprintf(stderr, "%s:%x (%lx-%lx)\n", liblist[liblist_cnt].name,
+                liblist[liblist_cnt].addr_end - liblist[liblist_cnt].addr_start,
+                liblist[liblist_cnt].addr_start,
+                liblist[liblist_cnt].addr_end - 1);
+
+      }
+
+      liblist_cnt++;
+
+    }
+
+    start += size;
+
+  }
+
+#endif
+
+}
+
+library_list_t *find_library(char *name) {
+
+  char *filename = rindex(name, '/');
+
+  if (filename)
+    filename++;
+  else
+    filename = name;
+
+#if defined(__linux__)
+  u32 i;
+  for (i = 0; i < liblist_cnt; i++)
+    if (strcmp(liblist[i].name, filename) == 0) return &liblist[i];
+#elif defined(__APPLE__) && defined(__LP64__)
+  kern_return_t         err;
+  static library_list_t lib;
+
+  // get the list of all loaded modules from dyld
+  // the task_info mach API will get the address of the dyld all_image_info
+  // struct for the given task from which we can get the names and load
+  // addresses of all modules
+  task_dyld_info_data_t  task_dyld_info;
+  mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
+  err = task_info(mach_task_self(), TASK_DYLD_INFO,
+                  (task_info_t)&task_dyld_info, &count);
+
+  const struct dyld_all_image_infos *all_image_infos =
+      (const struct dyld_all_image_infos *)task_dyld_info.all_image_info_addr;
+  const struct dyld_image_info *image_infos = all_image_infos->infoArray;
+
+  for (size_t i = 0; i < all_image_infos->infoArrayCount; i++) {
+
+    const char *      image_name = image_infos[i].imageFilePath;
+    mach_vm_address_t image_load_address =
+        (mach_vm_address_t)image_infos[i].imageLoadAddress;
+    if (strstr(image_name, name)) {
+
+      lib.name = name;
+      lib.addr_start = (u64)image_load_address;
+      lib.addr_end = 0;
+      return &lib;
+
+    }
+
+  }
+
+#endif
+
+  return NULL;
+
+}
+
 static void gum_fake_event_sink_process(GumEventSink *  sink,
-                                        const GumEvent *ev) { }
+                                        const GumEvent *ev) {
+
+}
 
 /* Because this CAN be called more than once, it will return the LAST range */
 static int enumerate_ranges(const GumRangeDetails *details,
@@ -243,6 +446,16 @@ int main() {
 
   // END STEP 2
 
+  read_library_information();
+  library_list_t *lib = find_library(TARGET_LIBRARY);
+
+  if (lib == NULL) {
+
+    fprintf(stderr, "Could not find target library\n");
+    exit(-1);
+
+  }
+
   gum_init_embedded();
   if (!gum_stalker_is_supported()) {
 
@@ -253,15 +466,20 @@ int main() {
 
   GumStalker *stalker = gum_stalker_new();
 
-  GumAddress base_address = gum_module_find_base_address(TARGET_LIBRARY);
+  /*
+  This does not work here as we load a shared library. pretty sure this
+  would also be easily solvable with frida gum, but I already have all the
+  code I need from afl-untracer
 
+  GumAddress base_address = gum_module_find_base_address(TARGET_LIBRARY);
   GumMemoryRange code_range;
   gum_module_enumerate_ranges(TARGET_LIBRARY, GUM_PAGE_RX, enumerate_ranges,
                               &code_range);
   guint64 code_start = code_range.base_address - base_address;
   guint64 code_end = (code_range.base_address + code_range.size) - base_address;
-
   range_t instr_range = {base_address, code_start, code_end};
+  */
+  range_t instr_range = {0, lib->addr_start, lib->addr_end};
 
   GumStalkerTransformer *transformer =
       gum_stalker_transformer_make_from_callback(instr_basic_block,
@@ -270,8 +488,9 @@ int main() {
   GumEventSink *event_sink = gum_fake_event_sink_new();
 
   // to ensure that the signatures are not optimized out
-  memcpy(__afl_area_ptr, (void*)AFL_PERSISTENT, sizeof(AFL_PERSISTENT) + 1);
-  memcpy(__afl_area_ptr + 32, (void*)AFL_DEFER_FORKSVR, sizeof(AFL_DEFER_FORKSVR) + 1);
+  memcpy(__afl_area_ptr, (void *)AFL_PERSISTENT, sizeof(AFL_PERSISTENT) + 1);
+  memcpy(__afl_area_ptr + 32, (void *)AFL_DEFER_FORKSVR,
+         sizeof(AFL_DEFER_FORKSVR) + 1);
   __afl_manual_init();
 
   //
@@ -296,7 +515,7 @@ int main() {
 
     if (*__afl_fuzz_len > 0) {
 
-      __afl_fuzz_ptr[*__afl_fuzz_len] = 0; // if you need to null terminate
+      __afl_fuzz_ptr[*__afl_fuzz_len] = 0;  // if you need to null terminate
       (*o_function)(__afl_fuzz_ptr, *__afl_fuzz_len);
 
     }
@@ -318,3 +537,4 @@ int main() {
   return 0;
 
 }
+
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-05-28 18:29:36 +0000