about summary refs log tree commit diff
path: root/frida_mode/test/png
diff options
context:
space:
mode:
Diffstat (limited to 'frida_mode/test/png')
-rw-r--r--frida_mode/test/png/GNUmakefile8
-rw-r--r--frida_mode/test/png/Makefile3
-rw-r--r--frida_mode/test/png/persistent/GNUmakefile24
-rw-r--r--frida_mode/test/png/persistent/Makefile3
-rwxr-xr-xfrida_mode/test/png/persistent/get_symbol_addr.py36
-rw-r--r--frida_mode/test/png/persistent/hook/GNUmakefile70
-rw-r--r--frida_mode/test/png/persistent/hook/Makefile3
-rw-r--r--frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c97
8 files changed, 83 insertions, 161 deletions
diff --git a/frida_mode/test/png/GNUmakefile b/frida_mode/test/png/GNUmakefile
index e05bade2..a1a7f1a5 100644
--- a/frida_mode/test/png/GNUmakefile
+++ b/frida_mode/test/png/GNUmakefile
@@ -22,7 +22,7 @@ PNGTEST_URL:="https://raw.githubusercontent.com/google/fuzzbench/master/benchmar
 
 TEST_BIN:=$(BUILD_DIR)test
 ifeq "$(shell uname)" "Darwin"
-TEST_BIN_LDFLAGS:=-undefined dynamic_lookup
+TEST_BIN_LDFLAGS:=-undefined dynamic_lookup -Wl,-no_pie
 endif
 
 TEST_DATA_DIR:=$(LIBPNG_DIR)contrib/pngsuite/
@@ -112,3 +112,9 @@ frida: $(TEST_BIN)
 		-o $(FRIDA_OUT) \
 		-- \
 			$(TEST_BIN) @@
+
+debug:
+	gdb \
+		--ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
+		--ex 'set disassembly-flavor intel' \
+		--args $(TEST_BIN) $(TEST_DATA_DIR)basn0g01.png
diff --git a/frida_mode/test/png/Makefile b/frida_mode/test/png/Makefile
index 4bef1ccb..f843af19 100644
--- a/frida_mode/test/png/Makefile
+++ b/frida_mode/test/png/Makefile
@@ -14,3 +14,6 @@ qemu:
 
 frida:
 	@gmake frida
+
+debug:
+	@gmake debug
diff --git a/frida_mode/test/png/persistent/GNUmakefile b/frida_mode/test/png/persistent/GNUmakefile
index ca6f0ff2..c1ad86e5 100644
--- a/frida_mode/test/png/persistent/GNUmakefile
+++ b/frida_mode/test/png/persistent/GNUmakefile
@@ -5,6 +5,7 @@ BUILD_DIR:=$(PWD)build/
 TEST_BIN:=$(PWD)../build/test
 TEST_DATA_DIR:=../build/libpng/libpng-1.2.56/contrib/pngsuite/
 
+AFLPP_DRIVER_DUMMY_INPUT:=$(BUILD_DIR)in
 QEMU_OUT:=$(BUILD_DIR)qemu-out
 FRIDA_OUT:=$(BUILD_DIR)frida-out
 
@@ -20,19 +21,20 @@ ifeq "$(ARCH)" "i686"
 endif
 endif
 
-AFL_QEMU_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s main -b 0x4000000000)
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
 
-ARCH=$(shell uname -m)
-ifeq "$(ARCH)" "aarch64"
- AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s main -b 0x0000aaaaaaaaa000)
+AFL_QEMU_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) main 0x4000000000)
+
+ifeq "$(ARCH)" "arm64"
+ AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) main 0x0000aaaaaaaaa000)
 endif
 
 ifeq "$(ARCH)" "x86_64"
- AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s main -b 0x0000555555554000)
+ AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) main 0x0000555555554000)
 endif
 
 ifeq "$(ARCH)" "x86"
- AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s main -b 0x56555000)
+ AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) main 0x56555000)
 endif
 
 .PHONY: all 32 clean qemu qemu_entry frida frida_entry
@@ -46,6 +48,9 @@ all:
 $(BUILD_DIR):
 	mkdir -p $@
 
+$(AFLPP_DRIVER_DUMMY_INPUT): | $(BUILD_DIR)
+	truncate -s 1M $@
+
 qemu: | $(BUILD_DIR)
 	AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \
 	AFL_QEMU_PERSISTENT_GPR=1 \
@@ -94,5 +99,12 @@ frida_entry: | $(BUILD_DIR)
 		-- \
 			$(TEST_BIN) @@
 
+debug: $(AFLPP_DRIVER_DUMMY_INPUT)
+	gdb \
+		--ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
+		--ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR)' \
+		--ex 'set disassembly-flavor intel' \
+		--args $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
+
 clean:
 	rm -rf $(BUILD_DIR)
diff --git a/frida_mode/test/png/persistent/Makefile b/frida_mode/test/png/persistent/Makefile
index cde0cf30..c2bd55f9 100644
--- a/frida_mode/test/png/persistent/Makefile
+++ b/frida_mode/test/png/persistent/Makefile
@@ -20,3 +20,6 @@ frida:
 
 frida_entry:
 	@gmake frida_entry
+
+debug:
+	@gmake debug
diff --git a/frida_mode/test/png/persistent/get_symbol_addr.py b/frida_mode/test/png/persistent/get_symbol_addr.py
deleted file mode 100755
index 1c46e010..00000000
--- a/frida_mode/test/png/persistent/get_symbol_addr.py
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/python3
-import argparse
-from elftools.elf.elffile import ELFFile
-
-def process_file(file, symbol, base):
-    with open(file, 'rb') as f:
-        elf = ELFFile(f)
-        symtab = elf.get_section_by_name('.symtab')
-        mains = symtab.get_symbol_by_name(symbol)
-        if len(mains) != 1:
-            print ("Failed to find main")
-            return 1
-
-        main_addr = mains[0]['st_value']
-        main = base + main_addr
-        print ("0x%016x" % main)
-        return 0
-
-def hex_value(x):
-    return int(x, 16)
-
-def main():
-    parser = argparse.ArgumentParser(description='Process some integers.')
-    parser.add_argument('-f', '--file', dest='file', type=str,
-                    help='elf file name', required=True)
-    parser.add_argument('-s', '--symbol', dest='symbol', type=str,
-                    help='symbol name', required=True)
-    parser.add_argument('-b', '--base', dest='base', type=hex_value,
-                    help='elf base address', required=True)
-
-    args = parser.parse_args()
-    return process_file (args.file, args.symbol, args.base)
-
-if __name__ == "__main__":
-    ret = main()
-    exit(ret)
diff --git a/frida_mode/test/png/persistent/hook/GNUmakefile b/frida_mode/test/png/persistent/hook/GNUmakefile
index 82f08fa4..ddf63a96 100644
--- a/frida_mode/test/png/persistent/hook/GNUmakefile
+++ b/frida_mode/test/png/persistent/hook/GNUmakefile
@@ -2,8 +2,8 @@ PWD:=$(shell pwd)/
 ROOT:=$(shell realpath $(PWD)../../../../..)/
 BUILD_DIR:=$(PWD)build/
 
-AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c
-AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so
+AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so
+AFLPP_QEMU_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/qemu_hook.so
 
 CFLAGS+=-O3 \
 		-funroll-loops \
@@ -32,23 +32,29 @@ ifeq "$(ARCH)" "i686"
 endif
 endif
 
-AFL_QEMU_PERSISTENT_ADDR=$(shell $(PWD)../get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x4000000000)
+GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh
 
-ifeq "$(ARCH)" "aarch64"
- AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)../get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000aaaaaaaaa000)
+AFL_QEMU_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x4000000000)
+
+ifeq "$(ARCH)" "arm64"
+ AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x0000aaaaaaaaa000)
 endif
 
 ifeq "$(ARCH)" "x86_64"
- AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)../get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000555555554000)
+ AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x0000555555554000)
 endif
 
 ifeq "$(ARCH)" "x86"
- AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)../get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x56555000)
+ AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x56555000)
+endif
+
+ifeq "$(shell uname)" "Darwin"
+AFL_PRELOAD=/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
 endif
 
 .PHONY: all 32 clean format qemu qemu_entry frida frida_entry debug
 
-all: $(AFLPP_DRIVER_HOOK_OBJ)
+all:
 	make -C $(ROOT)frida_mode/test/png/persistent/
 
 32:
@@ -68,11 +74,8 @@ $(TEST_DATA_DIR): | $(BUILD_DIR)
 $(AFLPP_DRIVER_DUMMY_INPUT): | $(BUILD_DIR)
 	truncate -s 1M $@
 
-$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR)
-	$(CC) $(CFLAGS) $(LDFLAGS) $< -o $@
-
-qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
-	AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
+qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
+	AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \
 	AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \
 	AFL_QEMU_PERSISTENT_GPR=1 \
 	$(ROOT)/afl-fuzz \
@@ -84,8 +87,8 @@ qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
 		-- \
 			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
 
-qemu_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
-	AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
+qemu_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
+	AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \
 	AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \
 	AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \
 	AFL_QEMU_PERSISTENT_GPR=1 \
@@ -98,8 +101,8 @@ qemu_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
 		-- \
 			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
 
-frida: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
-	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
+frida: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
+	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \
 	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	$(ROOT)afl-fuzz \
 		-D \
@@ -111,8 +114,8 @@ frida: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
 			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
 
 
-frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
-	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
+frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
+	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \
 	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	$(ROOT)afl-fuzz \
@@ -124,11 +127,36 @@ frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
 		-- \
 			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
 
-debug:
+frida_js_load: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
+	AFL_PRELOAD=$(AFL_PRELOAD) \
+	AFL_FRIDA_JS_SCRIPT=load.js \
+	$(ROOT)afl-fuzz \
+		-D \
+		-V 30 \
+		-O \
+		-i $(TEST_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-t 10000+ \
+		-- \
+			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
+
+frida_js_cmodule: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
+	AFL_PRELOAD=$(AFL_PRELOAD) \
+	AFL_FRIDA_JS_SCRIPT=cmodule.js \
+	$(ROOT)afl-fuzz \
+		-D \
+		-V 30 \
+		-O \
+		-i $(TEST_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-- \
+			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
+
+debug: $(AFLPP_DRIVER_DUMMY_INPUT)
 	echo $(AFL_FRIDA_PERSISTENT_ADDR)
 	gdb \
 		--ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
-		--ex 'set environment AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ)' \
+		--ex 'set environment AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ)' \
 		--ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR)' \
 		--ex 'set disassembly-flavor intel' \
 		--args $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
diff --git a/frida_mode/test/png/persistent/hook/Makefile b/frida_mode/test/png/persistent/hook/Makefile
index 983d009e..dca51d85 100644
--- a/frida_mode/test/png/persistent/hook/Makefile
+++ b/frida_mode/test/png/persistent/hook/Makefile
@@ -24,5 +24,8 @@ frida:
 frida_entry:
 	@gmake frida_entry
 
+frida_js:
+	@gmake frida_js
+
 debug:
 	@gmake debug
diff --git a/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c b/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c
deleted file mode 100644
index 059d438d..00000000
--- a/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c
+++ /dev/null
@@ -1,97 +0,0 @@
-#include <stdint.h>
-#include <string.h>
-
-#if defined(__x86_64__)
-
-struct x86_64_regs {
-
-  uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14,
-      r15;
-
-  union {
-
-    uint64_t rip;
-    uint64_t pc;
-
-  };
-
-  union {
-
-    uint64_t rsp;
-    uint64_t sp;
-
-  };
-
-  union {
-
-    uint64_t rflags;
-    uint64_t flags;
-
-  };
-
-  uint8_t zmm_regs[32][64];
-
-};
-
-void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
-                         uint8_t *input_buf, uint32_t input_buf_len) {
-
-  memcpy((void *)regs->rdi, input_buf, input_buf_len);
-  regs->rsi = input_buf_len;
-
-}
-
-#elif defined(__i386__)
-
-struct x86_regs {
-
-  uint32_t eax, ebx, ecx, edx, edi, esi, ebp;
-
-  union {
-
-    uint32_t eip;
-    uint32_t pc;
-
-  };
-
-  union {
-
-    uint32_t esp;
-    uint32_t sp;
-
-  };
-
-  union {
-
-    uint32_t eflags;
-    uint32_t flags;
-
-  };
-
-  uint8_t xmm_regs[8][16];
-
-};
-
-void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base,
-                         uint8_t *input_buf, uint32_t input_buf_len) {
-
-  void **esp = (void **)regs->esp;
-  void * arg1 = esp[1];
-  void **arg2 = &esp[2];
-  memcpy(arg1, input_buf, input_buf_len);
-  *arg2 = (void *)input_buf_len;
-
-}
-
-#else
-  #pragma error "Unsupported architecture"
-#endif
-
-int afl_persistent_hook_init(void) {
-
-  // 1 for shared memory input (faster), 0 for normal input (you have to use
-  // read(), input_buf will be NULL)
-  return 1;
-
-}
-
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-08-06 02:44:12 +0000