diff options
Diffstat (limited to 'frida_mode/src/cmplog')
| -rw-r--r-- | frida_mode/src/cmplog/cmplog.c | 40 | ||||
| -rw-r--r-- | frida_mode/src/cmplog/cmplog_arm32.c | 4 | ||||
| -rw-r--r-- | frida_mode/src/cmplog/cmplog_arm64.c | 61 | ||||
| -rw-r--r-- | frida_mode/src/cmplog/cmplog_x64.c | 60 | ||||
| -rw-r--r-- | frida_mode/src/cmplog/cmplog_x86.c | 63 |
5 files changed, 157 insertions, 71 deletions
diff --git a/frida_mode/src/cmplog/cmplog.c b/frida_mode/src/cmplog/cmplog.c index ae3116eb..443baa1d 100644 --- a/frida_mode/src/cmplog/cmplog.c +++ b/frida_mode/src/cmplog/cmplog.c @@ -7,8 +7,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "util.h" #define DEFAULT_MMAP_MIN_ADDR (32UL << 10) @@ -35,14 +33,28 @@ static gboolean cmplog_range(const GumRangeDetails *details, static gint cmplog_sort(gconstpointer a, gconstpointer b) { - return ((GumMemoryRange *)b)->base_address - - ((GumMemoryRange *)a)->base_address; + GumMemoryRange *ra = (GumMemoryRange *)a; + GumMemoryRange *rb = (GumMemoryRange *)b; + + if (ra->base_address < rb->base_address) { + + return -1; + + } else if (ra->base_address > rb->base_address) { + + return 1; + + } else { + + return 0; + + } } static void cmplog_get_ranges(void) { - OKF("CMPLOG - Collecting ranges"); + FOKF("CMPLOG - Collecting ranges"); cmplog_ranges = g_array_sized_new(false, false, sizeof(GumMemoryRange), 100); gum_process_enumerate_ranges(GUM_PAGE_READ, cmplog_range, cmplog_ranges); @@ -56,7 +68,7 @@ void cmplog_config(void) { void cmplog_init(void) { - OKF("CMPLOG - Enabled [%c]", __afl_cmp_map == NULL ? ' ' : 'X'); + FOKF("CMPLOG - Enabled [%c]", __afl_cmp_map == NULL ? ' ' : 'X'); if (__afl_cmp_map == NULL) { return; } @@ -65,9 +77,9 @@ void cmplog_init(void) { for (guint i = 0; i < cmplog_ranges->len; i++) { GumMemoryRange *range = &g_array_index(cmplog_ranges, GumMemoryRange, i); - OKF("CMPLOG Range - %3u: 0x%016" G_GINT64_MODIFIER - "X - 0x%016" G_GINT64_MODIFIER "X", - i, range->base_address, range->base_address + range->size); + FOKF("CMPLOG Range - %3u: 0x%016" G_GINT64_MODIFIER + "X - 0x%016" G_GINT64_MODIFIER "X", + i, range->base_address, range->base_address + range->size); } @@ -78,14 +90,14 @@ void cmplog_init(void) { hash_yes = g_hash_table_new(g_direct_hash, g_direct_equal); if (hash_yes == NULL) { - FATAL("Failed to g_hash_table_new, errno: %d", errno); + FFATAL("Failed to g_hash_table_new, errno: %d", errno); } hash_no = g_hash_table_new(g_direct_hash, g_direct_equal); if (hash_no == NULL) { - FATAL("Failed to g_hash_table_new, errno: %d", errno); + FFATAL("Failed to g_hash_table_new, errno: %d", errno); } @@ -117,7 +129,7 @@ gboolean cmplog_test_addr(guint64 addr, size_t size) { if (!g_hash_table_add(hash_no, GSIZE_TO_POINTER(addr))) { - FATAL("Failed - g_hash_table_add"); + FFATAL("Failed - g_hash_table_add"); } @@ -127,7 +139,7 @@ gboolean cmplog_test_addr(guint64 addr, size_t size) { if (!g_hash_table_add(hash_yes, GSIZE_TO_POINTER(addr))) { - FATAL("Failed - g_hash_table_add"); + FFATAL("Failed - g_hash_table_add"); } @@ -139,7 +151,7 @@ gboolean cmplog_test_addr(guint64 addr, size_t size) { gboolean cmplog_is_readable(guint64 addr, size_t size) { - if (cmplog_ranges == NULL) FATAL("CMPLOG not initialized"); + if (cmplog_ranges == NULL) FFATAL("CMPLOG not initialized"); /* * The Linux kernel prevents mmap from allocating from the very bottom of the diff --git a/frida_mode/src/cmplog/cmplog_arm32.c b/frida_mode/src/cmplog/cmplog_arm32.c index ac703408..106baa52 100644 --- a/frida_mode/src/cmplog/cmplog_arm32.c +++ b/frida_mode/src/cmplog/cmplog_arm32.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "frida_cmplog.h" #include "util.h" @@ -11,7 +9,7 @@ void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { UNUSED_PARAMETER(instr); UNUSED_PARAMETER(iterator); if (__afl_cmp_map == NULL) { return; } - FATAL("CMPLOG mode not supported on this architecture"); + FFATAL("CMPLOG mode not supported on this architecture"); } diff --git a/frida_mode/src/cmplog/cmplog_arm64.c b/frida_mode/src/cmplog/cmplog_arm64.c index dd97f38d..515a6256 100644 --- a/frida_mode/src/cmplog/cmplog_arm64.c +++ b/frida_mode/src/cmplog/cmplog_arm64.c @@ -5,6 +5,7 @@ #include "ctx.h" #include "frida_cmplog.h" +#include "instrument.h" #include "util.h" #if defined(__aarch64__) @@ -66,7 +67,7 @@ static gboolean cmplog_read_mem(GumCpuContext *ctx, uint8_t size, *val = *((guint64 *)GSIZE_TO_POINTER(address)); return TRUE; default: - FATAL("Invalid operand size: %d\n", size); + FFATAL("Invalid operand size: %d\n", size); } @@ -88,7 +89,7 @@ static gboolean cmplog_get_operand_value(GumCpuContext *context, case ARM64_OP_MEM: return cmplog_read_mem(context, ctx->size, &ctx->mem, val); default: - FATAL("Invalid operand type: %d\n", ctx->type); + FFATAL("Invalid operand type: %d\n", ctx->type); } @@ -104,30 +105,45 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { gsize x0 = ctx_read_reg(context, ARM64_REG_X0); gsize x1 = ctx_read_reg(context, ARM64_REG_X1); - if (((G_MAXULONG - x0) < 32) || ((G_MAXULONG - x1) < 32)) return; + if (((G_MAXULONG - x0) < 31) || ((G_MAXULONG - x1) < 31)) return; - if (!cmplog_is_readable(x0, 32) || !cmplog_is_readable(x1, 32)) return; + if (!cmplog_is_readable(x0, 31) || !cmplog_is_readable(x1, 31)) return; void *ptr1 = GSIZE_TO_POINTER(x0); void *ptr2 = GSIZE_TO_POINTER(x1); - uintptr_t k = address; + guint64 k = instrument_get_offset_hash(GUM_ADDRESS(address)); - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) { + + __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + __afl_cmp_map->headers[k].hits = 0; + + } - __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + u32 hits = 0; + + if (__afl_cmp_map->headers[k].hits == 0) { + + __afl_cmp_map->headers[k].shape = 30; + + } else { + + hits = __afl_cmp_map->headers[k].hits; + + } - u32 hits = __afl_cmp_map->headers[k].hits; __afl_cmp_map->headers[k].hits = hits + 1; - __afl_cmp_map->headers[k].shape = 31; + __afl_cmp_map->headers[k].shape = 30; hits &= CMP_MAP_RTN_H - 1; + ((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0_len = 31; + ((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1_len = 31; gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0, ptr1, - 32); + 31); gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1, ptr2, - 32); + 31); } @@ -147,7 +163,7 @@ static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx, gum_memcpy(&ctx->mem, &operand->mem, sizeof(arm64_op_mem)); break; default: - FATAL("Invalid operand type: %d\n", operand->type); + FFATAL("Invalid operand type: %d\n", operand->type); } @@ -193,12 +209,23 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1, k = (k >> 4) ^ (k << 8); k &= CMP_MAP_W - 1; - __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) + __afl_cmp_map->headers[k].hits = 0; - u32 hits = __afl_cmp_map->headers[k].hits; - __afl_cmp_map->headers[k].hits = hits + 1; + u32 hits = 0; + + if (__afl_cmp_map->headers[k].hits == 0) { + + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + __afl_cmp_map->headers[k].shape = (size - 1); + + } else { - __afl_cmp_map->headers[k].shape = (size - 1); + hits = __afl_cmp_map->headers[k].hits; + + } + + __afl_cmp_map->headers[k].hits = hits + 1; hits &= CMP_MAP_H - 1; __afl_cmp_map->log[k][hits].v0 = operand1; diff --git a/frida_mode/src/cmplog/cmplog_x64.c b/frida_mode/src/cmplog/cmplog_x64.c index 0d18767a..7d515336 100644 --- a/frida_mode/src/cmplog/cmplog_x64.c +++ b/frida_mode/src/cmplog/cmplog_x64.c @@ -5,6 +5,7 @@ #include "ctx.h" #include "frida_cmplog.h" +#include "instrument.h" #include "util.h" #if defined(__x86_64__) @@ -61,7 +62,7 @@ static gboolean cmplog_read_mem(GumCpuContext *ctx, uint8_t size, *val = *((guint64 *)GSIZE_TO_POINTER(address)); return TRUE; default: - FATAL("Invalid operand size: %d\n", size); + FFATAL("Invalid operand size: %d\n", size); } @@ -83,7 +84,7 @@ static gboolean cmplog_get_operand_value(GumCpuContext *context, case X86_OP_MEM: return cmplog_read_mem(context, ctx->size, &ctx->mem, val); default: - FATAL("Invalid operand type: %d\n", ctx->type); + FFATAL("Invalid operand type: %d\n", ctx->type); } @@ -99,30 +100,43 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { gsize rdi = ctx_read_reg(context, X86_REG_RDI); gsize rsi = ctx_read_reg(context, X86_REG_RSI); - if (((G_MAXULONG - rdi) < 32) || ((G_MAXULONG - rsi) < 32)) return; + if (((G_MAXULONG - rdi) < 31) || ((G_MAXULONG - rsi) < 31)) return; - if (!cmplog_is_readable(rdi, 32) || !cmplog_is_readable(rsi, 32)) return; + if (!cmplog_is_readable(rdi, 31) || !cmplog_is_readable(rsi, 31)) return; void *ptr1 = GSIZE_TO_POINTER(rdi); void *ptr2 = GSIZE_TO_POINTER(rsi); - uintptr_t k = address; + guint64 k = instrument_get_offset_hash(GUM_ADDRESS(address)); - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) { - __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + __afl_cmp_map->headers[k].hits = 0; - u32 hits = __afl_cmp_map->headers[k].hits; - __afl_cmp_map->headers[k].hits = hits + 1; + } + + u32 hits = 0; + + if (__afl_cmp_map->headers[k].hits == 0) { + + __afl_cmp_map->headers[k].shape = 30; + + } else { + + hits = __afl_cmp_map->headers[k].hits; + + } - __afl_cmp_map->headers[k].shape = 31; + __afl_cmp_map->headers[k].hits = hits + 1; hits &= CMP_MAP_RTN_H - 1; + ((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0_len = 31; + ((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1_len = 31; gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0, ptr1, - 32); + 31); gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1, ptr2, - 32); + 31); } @@ -143,7 +157,7 @@ static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx, gum_memcpy(&ctx->mem, &operand->mem, sizeof(x86_op_mem)); break; default: - FATAL("Invalid operand type: %d\n", operand->type); + FFATAL("Invalid operand type: %d\n", operand->type); } @@ -179,13 +193,23 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1, k = (k >> 4) ^ (k << 8); k &= CMP_MAP_W - 7; - __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) + __afl_cmp_map->headers[k].hits = 0; - u32 hits = __afl_cmp_map->headers[k].hits; - __afl_cmp_map->headers[k].hits = hits + 1; + u32 hits = 0; + + if (__afl_cmp_map->headers[k].hits == 0) { + + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + __afl_cmp_map->headers[k].shape = (size - 1); - __afl_cmp_map->headers[k].shape = (size - 1); + } else { + hits = __afl_cmp_map->headers[k].hits; + + } + + __afl_cmp_map->headers[k].hits = hits + 1; hits &= CMP_MAP_H - 1; __afl_cmp_map->log[k][hits].v0 = operand1; __afl_cmp_map->log[k][hits].v1 = operand2; diff --git a/frida_mode/src/cmplog/cmplog_x86.c b/frida_mode/src/cmplog/cmplog_x86.c index dd666c34..4a747417 100644 --- a/frida_mode/src/cmplog/cmplog_x86.c +++ b/frida_mode/src/cmplog/cmplog_x86.c @@ -5,6 +5,7 @@ #include "ctx.h" #include "frida_cmplog.h" +#include "instrument.h" #include "util.h" #if defined(__i386__) @@ -58,7 +59,7 @@ static gboolean cmplog_read_mem(GumCpuContext *ctx, uint8_t size, *val = *((guint32 *)GSIZE_TO_POINTER(address)); return TRUE; default: - FATAL("Invalid operand size: %d\n", size); + FFATAL("Invalid operand size: %d\n", size); } @@ -80,7 +81,7 @@ static gboolean cmplog_get_operand_value(GumCpuContext *context, case X86_OP_MEM: return cmplog_read_mem(context, ctx->size, &ctx->mem, val); default: - FATAL("Invalid operand type: %d\n", ctx->type); + FFATAL("Invalid operand type: %d\n", ctx->type); } @@ -104,30 +105,43 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { gsize arg1 = esp[0]; gsize arg2 = esp[1]; - if (((G_MAXULONG - arg1) < 32) || ((G_MAXULONG - arg2) < 32)) return; + if (((G_MAXULONG - arg1) < 31) || ((G_MAXULONG - arg2) < 31)) return; - if (!cmplog_is_readable(arg1, 32) || !cmplog_is_readable(arg2, 32)) return; + if (!cmplog_is_readable(arg1, 31) || !cmplog_is_readable(arg2, 31)) return; void *ptr1 = GSIZE_TO_POINTER(arg1); void *ptr2 = GSIZE_TO_POINTER(arg2); - uintptr_t k = address; + guint64 k = instrument_get_offset_hash(GUM_ADDRESS(address)); - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) { - __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + __afl_cmp_map->headers[k].hits = 0; - u32 hits = __afl_cmp_map->headers[k].hits; - __afl_cmp_map->headers[k].hits = hits + 1; + } + + u32 hits = 0; + + if (__afl_cmp_map->headers[k].hits == 0) { + + __afl_cmp_map->headers[k].shape = 30; + + } else { + + hits = __afl_cmp_map->headers[k].hits; + + } - __afl_cmp_map->headers[k].shape = 31; + __afl_cmp_map->headers[k].hits = hits + 1; hits &= CMP_MAP_RTN_H - 1; + ((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0_len = 31; + ((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1_len = 31; gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0, ptr1, - 32); + 31); gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1, ptr2, - 32); + 31); } @@ -148,7 +162,7 @@ static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx, gum_memcpy(&ctx->mem, &operand->mem, sizeof(x86_op_mem)); break; default: - FATAL("Invalid operand type: %d\n", operand->type); + FFATAL("Invalid operand type: %d\n", operand->type); } @@ -184,12 +198,23 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1, k = (k >> 4) ^ (k << 8); k &= CMP_MAP_W - 1; - __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) + __afl_cmp_map->headers[k].hits = 0; - u32 hits = __afl_cmp_map->headers[k].hits; - __afl_cmp_map->headers[k].hits = hits + 1; + u32 hits = 0; + + if (__afl_cmp_map->headers[k].hits == 0) { + + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + __afl_cmp_map->headers[k].shape = (size - 1); - __afl_cmp_map->headers[k].shape = (size - 1); + } else { + + hits = __afl_cmp_map->headers[k].hits; + + } + + __afl_cmp_map->headers[k].hits = hits + 1; hits &= CMP_MAP_H - 1; __afl_cmp_map->log[k][hits].v0 = operand1; @@ -203,7 +228,7 @@ static void cmplog_cmp_sub_callout(GumCpuContext *context, gpointer user_data) { gsize operand1; gsize operand2; - if (ctx->operand1.size != ctx->operand2.size) FATAL("Operand size mismatch"); + if (ctx->operand1.size != ctx->operand2.size) FFATAL("Operand size mismatch"); if (!cmplog_get_operand_value(context, &ctx->operand1, &operand1)) { return; } if (!cmplog_get_operand_value(context, &ctx->operand2, &operand2)) { return; } |