about summary refs log tree commit diff
path: root/frida_mode/src/instrument
diff options
context:
space:
mode:
Diffstat (limited to 'frida_mode/src/instrument')
-rw-r--r--frida_mode/src/instrument/instrument.c53
-rw-r--r--frida_mode/src/instrument/instrument_debug.c129
2 files changed, 176 insertions, 6 deletions
diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c
index 67eadc3f..cd1ac0be 100644
--- a/frida_mode/src/instrument/instrument.c
+++ b/frida_mode/src/instrument/instrument.c
@@ -13,6 +13,7 @@
 #include "prefetch.h"
 #include "ranges.h"
 #include "stalker.h"
+#include "stats.h"
 #include "util.h"
 
 static gboolean               tracing = false;
@@ -47,7 +48,7 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context,
                    "x, previous_pc: 0x%016" G_GINT64_MODIFIER "x\n",
                    current_pc, previous_pc);
 
-    IGNORED_RERURN(write(STDOUT_FILENO, buffer, len + 1));
+    IGNORED_RETURN(write(STDOUT_FILENO, buffer, len + 1));
 
   }
 
@@ -79,17 +80,52 @@ static void instr_basic_block(GumStalkerIterator *iterator,
 
   const cs_insn *instr;
   gboolean       begin = TRUE;
+  gboolean       excluded;
+
   while (gum_stalker_iterator_next(iterator, &instr)) {
 
     if (instr->address == entry_start) { entry_prologue(iterator, output); }
     if (instr->address == persistent_start) { persistent_prologue(output); }
-
-    if (begin) {
+    if (instr->address == persistent_ret) { persistent_epilogue(output); }
+
+    /*
+     * Until we reach AFL_ENTRYPOINT (assumed to be main if not specified) or
+     * AFL_FRIDA_PERSISTENT_ADDR (if specified), we don't mark our ranges
+     * excluded as we wish to remain inside stalker at all times so that we can
+     * instrument our entry point and persistent loop (if present). This allows
+     * the user to exclude ranges which would be traversed between main and the
+     * AFL_ENTRYPOINT, but which they don't want included in their coverage
+     * information when fuzzing.
+     *
+     * Since we have no means to discard the instrumented copies of blocks
+     * (setting the trust threshold simply causes a new copy to be made on each
+     * execution), we instead ensure that we honour the additional
+     * instrumentation requested (e.g. coverage, asan and complog) when a block
+     * is compiled no matter where we are during initialization. We will end up
+     * re-using these blocks if the code under test calls a block which is also
+     * used during initialization.
+     *
+     * Coverage data generated during initialization isn't a problem since the
+     * map is zeroed each time the target is forked or each time the persistent
+     * loop is run.
+     *
+     * Lastly, we don't enable pre-fetching back to the parent until we reach
+     * our AFL_ENTRYPOINT, since it is not until then that we start the
+     * fork-server and thus start executing in the child.
+     */
+    excluded = range_is_excluded(GSIZE_TO_POINTER(instr->address));
+
+    stats_collect(instr, begin);
+
+    if (unlikely(begin)) {
+
+      instrument_debug_start(instr->address, output);
 
       prefetch_write(GSIZE_TO_POINTER(instr->address));
-      if (!range_is_excluded(GSIZE_TO_POINTER(instr->address))) {
 
-        if (optimize) {
+      if (likely(!excluded)) {
+
+        if (likely(optimize)) {
 
           instrument_coverage_optimize(instr, output);
 
@@ -106,7 +142,9 @@ static void instr_basic_block(GumStalkerIterator *iterator,
 
     }
 
-    if (!range_is_excluded(GSIZE_TO_POINTER(instr->address))) {
+    instrument_debug_instruction(instr->address, instr->size);
+
+    if (likely(!excluded)) {
 
       asan_instrument(instr, iterator);
       cmplog_instrument(instr, iterator);
@@ -117,6 +155,8 @@ static void instr_basic_block(GumStalkerIterator *iterator,
 
   }
 
+  instrument_debug_end(output);
+
 }
 
 void instrument_init(void) {
@@ -144,6 +184,7 @@ void instrument_init(void) {
   transformer =
       gum_stalker_transformer_make_from_callback(instr_basic_block, NULL, NULL);
 
+  instrument_debug_init();
   asan_init();
   cmplog_init();
 
diff --git a/frida_mode/src/instrument/instrument_debug.c b/frida_mode/src/instrument/instrument_debug.c
new file mode 100644
index 00000000..be72ef89
--- /dev/null
+++ b/frida_mode/src/instrument/instrument_debug.c
@@ -0,0 +1,129 @@
+#include <fcntl.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#include "frida-gum.h"
+
+#include "debug.h"
+
+#include "util.h"
+
+static int      debugging_fd = -1;
+static gpointer instrument_gen_start = NULL;
+
+static void instrument_debug(char *format, ...) {
+
+  va_list ap;
+  char    buffer[4096] = {0};
+  int     ret;
+  int len;
+
+  va_start(ap, format);
+  ret = vsnprintf(buffer, sizeof(buffer) - 1, format, ap);
+  va_end(ap);
+
+  if (ret < 0) { return; }
+
+  len = strnlen(buffer, sizeof(buffer));
+
+  IGNORED_RETURN(write(debugging_fd, buffer, len));
+
+}
+
+static void instrument_disasm(guint8 *code, guint size) {
+
+  csh      capstone;
+  cs_err   err;
+  cs_insn *insn;
+  size_t   count, i;
+
+  err = cs_open(GUM_DEFAULT_CS_ARCH,
+                GUM_DEFAULT_CS_MODE | GUM_DEFAULT_CS_ENDIAN, &capstone);
+  g_assert(err == CS_ERR_OK);
+
+  count = cs_disasm(capstone, code, size, GPOINTER_TO_SIZE(code), 0, &insn);
+  g_assert(insn != NULL);
+
+  for (i = 0; i != count; i++) {
+
+    instrument_debug("\t0x%" G_GINT64_MODIFIER "x\t%s %s\n", insn[i].address,
+                     insn[i].mnemonic, insn[i].op_str);
+
+  }
+
+  cs_free(insn, count);
+
+  cs_close(&capstone);
+
+}
+
+static gpointer instrument_cur(GumStalkerOutput *output) {
+
+#if defined(__i386__) || defined(__x86_64__)
+  return gum_x86_writer_cur(output->writer.x86);
+#elif defined(__aarch64__)
+  return gum_arm64_writer_cur(output->writer.arm64);
+#elif defined(__arm__)
+  return gum_arm_writer_cur(output->writer.arm);
+#else
+  #error "Unsupported architecture"
+#endif
+
+}
+
+void instrument_debug_init(void) {
+
+  char *filename = getenv("AFL_FRIDA_INST_DEBUG_FILE");
+  OKF("Instrumentation debugging - enabled [%c]", filename == NULL ? ' ' : 'X');
+
+  if (filename == NULL) { return; }
+
+  OKF("Instrumentation debugging - file [%s]", filename);
+
+  if (filename == NULL) { return; }
+
+  char *path = g_canonicalize_filename(filename, g_get_current_dir());
+
+  OKF("Instrumentation debugging - path [%s]", path);
+
+  debugging_fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
+                      S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
+
+  if (debugging_fd < 0) { FATAL("Failed to open stats file '%s'", path); }
+
+  g_free(path);
+
+}
+
+void instrument_debug_start(uint64_t address, GumStalkerOutput *output) {
+
+  if (likely(debugging_fd < 0)) { return; }
+
+  instrument_gen_start = instrument_cur(output);
+
+  instrument_debug("\n\n***\n\nCreating block for 0x%" G_GINT64_MODIFIER "x:\n",
+                   address);
+
+}
+
+void instrument_debug_instruction(uint64_t address, uint16_t size) {
+
+  if (likely(debugging_fd < 0)) { return; }
+  uint8_t *start = (uint8_t *)GSIZE_TO_POINTER(address);
+  instrument_disasm(start, size);
+
+}
+
+void instrument_debug_end(GumStalkerOutput *output) {
+
+  if (likely(debugging_fd < 0)) { return; }
+  gpointer instrument_gen_end = instrument_cur(output);
+  uint16_t size = GPOINTER_TO_SIZE(instrument_gen_end) -
+                  GPOINTER_TO_SIZE(instrument_gen_start);
+
+  instrument_debug("\nGenerated block %p\n", instrument_gen_start);
+  instrument_disasm(instrument_gen_start, size);
+
+}
+
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-08-10 17:39:12 +0000