about summary refs log tree commit diff
path: root/frida_mode/test/persistent_ret/test.js
diff options
context:
space:
mode:
Diffstat (limited to 'frida_mode/test/persistent_ret/test.js')
-rw-r--r--frida_mode/test/persistent_ret/test.js62
1 files changed, 36 insertions, 26 deletions
diff --git a/frida_mode/test/persistent_ret/test.js b/frida_mode/test/persistent_ret/test.js
index 43c6ad7c..8adb45b2 100644
--- a/frida_mode/test/persistent_ret/test.js
+++ b/frida_mode/test/persistent_ret/test.js
@@ -5,34 +5,44 @@ Afl.print('');
 
 Afl.print(`PID: ${Process.id}`);
 
+const name = Process.enumerateModules()[0].name;
+Afl.print(`Name: ${name}`);
+
 new ModuleMap().values().forEach(m => {
     Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
 });
 
-const persistent_addr = DebugSymbol.fromName('main');
-Afl.print(`persistent_addr: ${persistent_addr.address}`);
-
-const persistent_ret = DebugSymbol.fromName('slow');
-Afl.print(`persistent_ret: ${persistent_ret.address}`);
-
-Afl.setPersistentAddress(persistent_addr.address);
-Afl.setPersistentReturn(persistent_ret.address);
-Afl.setPersistentCount(1000000);
-
-Afl.setDebugMaps();
-
-const mod = Process.findModuleByName("libc-2.31.so")
-Afl.addExcludedRange(mod.base, mod.size);
-Afl.setInstrumentLibraries();
-Afl.setInstrumentDebugFile("/tmp/instr.log");
-Afl.setPrefetchDisable();
-Afl.setInstrumentNoOptimize();
-Afl.setInstrumentEnableTracing();
-Afl.setInstrumentTracingUnique();
-Afl.setStdOut("/tmp/stdout.txt");
-Afl.setStdErr("/tmp/stderr.txt");
-Afl.setStatsFile("/tmp/stats.txt");
-Afl.setStatsInterval(1);
-Afl.setStatsTransitions();
-Afl.done();
+if (name === 'testinstr') {
+    const persistent_addr = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
+    Afl.print(`persistent_addr: ${persistent_addr}`);
+    Afl.setEntryPoint(persistent_addr);
+    Afl.setPersistentAddress(persistent_addr);
+    Afl.setInstrumentDebugFile("/dev/stdout");
+    Afl.setPersistentDebug();
+    Afl.setInstrumentNoOptimize();
+    Afl.setInstrumentEnableTracing();
+
+    const LLVMFuzzerTestOneInput = new NativeFunction(
+        persistent_addr,
+        'void',
+        ['pointer', 'uint64'],
+        {traps: "all"});
+
+    const persistentHook = new NativeCallback(
+        (data, size) => {
+            const input = Afl.aflFuzzPtr.readPointer();
+            const len = Afl.aflFuzzLen.readPointer().readU32();
+            const hd = hexdump(input, {length: len, header: false, ansi: true});
+            Afl.print(`input: ${hd}`);
+            LLVMFuzzerTestOneInput(input, len);
+        },
+        'void',
+        ['pointer', 'uint64']);
+
+    Afl.aflSharedMemFuzzing.writeInt(1);
+    Interceptor.replace(persistent_addr, persistentHook);
+    Interceptor.flush();
+}
+
 Afl.print("done");
+Afl.done();
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-05-15 13:48:27 +0000