From d59a76261db02141dae06bf804fd0f84679f0d34 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 20 Dec 2021 18:14:57 +0000 Subject: Improvements to debug output --- frida_mode/include/util.h | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'frida_mode/include') diff --git a/frida_mode/include/util.h b/frida_mode/include/util.h index 4dc05f20..bd37687c 100644 --- a/frida_mode/include/util.h +++ b/frida_mode/include/util.h @@ -8,9 +8,12 @@ #define UNUSED_PARAMETER(x) (void)(x) #define IGNORED_RETURN(x) (void)!(x) +extern gboolean util_verbose; + guint64 util_read_address(char *key, guint64 default_value); guint64 util_read_num(char *key, guint64 default_value); gboolean util_output_enabled(void); +gboolean util_verbose_enabled(void); gsize util_rotate(gsize val, gsize shift, gsize size); gsize util_log2(gsize val); @@ -19,7 +22,8 @@ gsize util_log2(gsize val); \ if (!util_output_enabled()) { break; } \ \ - OKF(x); \ + SAYF(cLGN "[F] " cRST x); \ + SAYF(cRST "\n"); \ \ } while (0) @@ -37,5 +41,15 @@ gsize util_log2(gsize val); \ } while (0) +#define FVERBOSE(x...) \ + do { \ + \ + if (!util_verbose_enabled()) { break; } \ + \ + SAYF(cGRA "[F] " x); \ + SAYF(cRST "\n"); \ + \ + } while (0) + #endif -- cgit 1.4.1 From edeaf72ea8c83843c68b93ab6b319c202d4ab1ce Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 23 Dec 2021 22:39:43 +0000 Subject: Fix compiler warnings --- frida_mode/include/instrument.h | 2 +- frida_mode/src/instrument/instrument_debug.c | 4 ++++ frida_mode/src/persistent/persistent_arm64.c | 7 +++---- frida_mode/src/util.c | 2 +- 4 files changed, 9 insertions(+), 6 deletions(-) (limited to 'frida_mode/include') diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index a5d52616..63f12181 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h 
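Review bot: `FVERBOSE` calls `util_verbose_enabled()` on every use while the same hunk also exports `util_verbose` directly, so one of the two is redundant; either drop `extern gboolean util_verbose;` or test the variable in the macro, `if (!util_verbose) { break; }`, which is the cheaper check for a macro that will sit in instrumentation paths. The `x...` parameter is concatenated onto the `"[F] "` literal, which means the first argument has to be a string literal and, usefully, a non-literal format string can never reach `SAYF`; that constraint deserves a comment, e.g. `/* x must begin with a string-literal format: it is pasted onto the prefix, which also rules out non-literal format strings */`. Note that in both `FOKF` and `FVERBOSE` the message and its trailing newline go out as two separate `SAYF` calls, so if `SAYF` is not locked, lines from concurrently logging threads can interleave; a single `SAYF(cGRA "[F] " x cRST "\n")` is not possible with a trailing-args macro, so a comment acknowledging this is the least that should be there.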
@@ -51,7 +51,7 @@ void instrument_coverage_unstable(guint64 edge, guint64 previous_rip, guint64 previous_end, guint64 current_rip, guint64 current_end); -void instrument_on_fork(); +void instrument_on_fork(void); guint64 instrument_get_offset_hash(GumAddress current_rip); diff --git a/frida_mode/src/instrument/instrument_debug.c b/frida_mode/src/instrument/instrument_debug.c index a1f80467..592ab673 100644 --- a/frida_mode/src/instrument/instrument_debug.c +++ b/frida_mode/src/instrument/instrument_debug.c @@ -35,6 +35,10 @@ static void instrument_debug(char *format, ...) { static void instrument_disasm(guint8 *start, guint8 *end, GumStalkerOutput *output) { +#if !defined(__arm__) + UNUSED_PARAMETER(output); +#endif + csh capstone; cs_err err; cs_mode mode; diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c index adad41be..48f29bb0 100644 --- a/frida_mode/src/persistent/persistent_arm64.c +++ b/frida_mode/src/persistent/persistent_arm64.c @@ -89,7 +89,7 @@ static void instrument_persitent_save_regs(GumArm64Writer * cw, /* LR (x30) */ gum_arm64_writer_put_str_reg_reg_offset(cw, ARM64_REG_X30, ARM64_REG_X0, - offsetof(GumCpuContext, x[30])); + offsetof(GumCpuContext, lr)); /* PC & Adjusted SP (31) */ gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X2, @@ -189,7 +189,7 @@ static void instrument_persitent_restore_regs(GumArm64Writer * cw, /* LR (x30) */ gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X30, ARM64_REG_X0, - offsetof(GumCpuContext, x[30])); + offsetof(GumCpuContext, lr)); /* Adjusted SP (31) (use x1 as clobber)*/ gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X1, ARM64_REG_X0, 
@@ -264,8 +264,7 @@ static void persistent_prologue_hook(GumArm64Writer * cw, gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X2, 0); gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X2, 0); - gum_arm64_writer_put_and_reg_reg_imm(cw, ARM64_REG_X2, ARM64_REG_X2, - G_MAXULONG); + gum_arm64_writer_put_mov_reg_reg(cw, ARM64_REG_W2, ARM64_REG_W2); gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X1, GUM_ADDRESS(&__afl_fuzz_ptr)); diff --git a/frida_mode/src/util.c b/frida_mode/src/util.c index e4d2aaf2..90c10917 100644 --- a/frida_mode/src/util.c +++ b/frida_mode/src/util.c @@ -68,7 +68,7 @@ guint64 util_read_num(char *key, guint64 default_value) { errno = 0; - guint64 value = g_ascii_strtoull(value_str, NULL, 10); + guint64 value = g_ascii_strtoull(value_str, &end_ptr, 10); if (errno != 0) { -- cgit 1.4.1 From 81aae9b54c06fd6de2d0caa8a99dfad8f40ae944 Mon Sep 17 00:00:00 2001 From: jon Date: Mon, 27 Dec 2021 01:45:12 +0000 Subject: Changes to explicitly place the previous_pc --- frida_mode/addr/addr.c | 2 +- frida_mode/include/instrument.h | 17 +++++++++-------- frida_mode/src/instrument/instrument.c | 21 ++++++++++++++++----- frida_mode/src/instrument/instrument_arm64.c | 24 ++++++++++++++++++------ frida_mode/src/instrument/instrument_x64.c | 17 ++++++++++++++--- frida_mode/src/instrument/instrument_x86.c | 17 +++++++++++++++-- frida_mode/src/persistent/persistent_arm64.c | 8 +++++++- frida_mode/src/persistent/persistent_x64.c | 8 +++++++- frida_mode/src/persistent/persistent_x86.c | 8 +++++++- 9 files changed, 94 insertions(+), 28 deletions(-) (limited to 'frida_mode/include') diff --git a/frida_mode/addr/addr.c b/frida_mode/addr/addr.c index 40ddc5ba..371f69d4 100644 --- a/frida_mode/addr/addr.c +++ b/frida_mode/addr/addr.c @@ -32,7 +32,7 @@ int main (int argc, char** argv, char** envp) { dl_iterate_phdr(phdr_callback, &base); - printf("0x%016lx\n", base); + printf("%p\n", (void *)base); if (base == 0) { return 1; } return 0; 
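Review bot: The new `mov w2, w2` only masks the upper half after `ldr x2, [x2]` has already read eight bytes through the pointer; if the object it points at is 32-bit (the AFL++ fuzz length is a `u32`, though its declaration is outside this hunk), the 64-bit load over-reads four bytes past it and the mask is just hiding that. Loading the value as a word does both jobs in one instruction, `gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_W2, ARM64_REG_X2, 0);` for the second load if the writer accepts a W register there, after which the `mov` can go. Either way a one-line comment on why the value is truncated to 32 bits would help the next reader. `persistent_prologue_hook` starts and ends outside this hunk.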
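Review bot: Passing `&end_ptr` to `g_ascii_strtoull` only helps if `end_ptr` is then inspected; the hunk shows only the `errno` check, and `errno` stays 0 for inputs like `"12abc"` or `""` (no digits, value 0), so unless the rest of `util_read_num` (outside this hunk) tests it, the parse silently accepts malformed values from the environment and the change merely silences the unused-variable warning. Add `if (end_ptr == value_str || *end_ptr != '\0') { FATAL("Invalid value for %s: %s", key, value_str); }` next to the `errno` test, reporting it the same way the function already reports range errors.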
diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index 63f12181..abb89c9f 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -5,14 +5,13 @@ #include "config.h" -extern char * instrument_debug_filename; -extern char * instrument_coverage_filename; -extern gboolean instrument_tracing; -extern gboolean instrument_optimize; -extern gboolean instrument_unique; -extern __thread guint64 instrument_previous_pc; -extern guint64 instrument_hash_zero; -extern char * instrument_coverage_unstable_filename; +extern char * instrument_debug_filename; +extern char * instrument_coverage_filename; +extern gboolean instrument_tracing; +extern gboolean instrument_optimize; +extern gboolean instrument_unique; +extern guint64 instrument_hash_zero; +extern char * instrument_coverage_unstable_filename; extern gboolean instrument_use_fixed_seed; extern guint64 instrument_fixed_seed; @@ -20,6 +19,8 @@ extern guint64 instrument_fixed_seed; extern uint8_t *__afl_area_ptr; extern uint32_t __afl_map_size; +extern __thread guint64 *instrument_previous_pc_addr; + void instrument_config(void); void instrument_init(void); diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index bf102a82..46ed1a34 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -32,12 +32,13 @@ char * instrument_coverage_unstable_filename = NULL; static GumStalkerTransformer *transformer = NULL; -__attribute__((aligned(0x1000))) __thread guint64 instrument_previous_pc = 0; - static GumAddress previous_rip = 0; static GumAddress previous_end = 0; static u8 * edges_notified = NULL; +__thread guint64 instrument_previous_pc; +__thread guint64 *instrument_previous_pc_addr = NULL; + typedef struct { GumAddress address; 
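Review bot: The two new thread-locals are declared without any explanation of why the previous-pc slot became a pointer, which the rest of the commit shows is the whole point of the change: `instrument_previous_pc_addr` is either aimed at the TLS fallback `instrument_previous_pc` (by `on_basic_block`, in the next hunk) or at a page that `instrument_coverage_optimize` allocates near the generated code. Suggested comment above the pair: `/* Per-thread slot holding the previous block hash. The optimized instrumentation allocates it near its generated code (instrument_coverage_optimize); the plain callback path falls back to the TLS variable below. */`. Dropping `aligned(0x1000)` is fine for the fallback, but it means that slot no longer satisfies the `PAGE_ALIGNED` assertion the arm64 optimized path keeps, so the comment should also state that the two paths are not expected to meet in one thread.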
@@ -105,8 +106,14 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context, guint16 current_end = ctx->end; guint64 current_pc = instrument_get_offset_hash(current_rip); guint64 edge; + if (instrument_previous_pc_addr == NULL) { + + instrument_previous_pc_addr = &instrument_previous_pc; + *instrument_previous_pc_addr = instrument_hash_zero; + + } - edge = current_pc ^ instrument_previous_pc; + edge = current_pc ^ *instrument_previous_pc_addr; instrument_increment_map(edge); @@ -136,7 +143,7 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context, previous_end = current_end; gsize map_size_pow2 = util_log2(__afl_map_size); - instrument_previous_pc = util_rotate(current_pc, 1, map_size_pow2); + *instrument_previous_pc_addr = util_rotate(current_pc, 1, map_size_pow2); } @@ -393,7 +400,11 @@ GumStalkerTransformer *instrument_get_transformer(void) { void instrument_on_fork() { - instrument_previous_pc = instrument_hash_zero; + if (instrument_previous_pc_addr != NULL) { + + *instrument_previous_pc_addr = instrument_hash_zero; + + } } diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 27142f1f..f5557bb8 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c 
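Review bot: The definition `void instrument_on_fork() {` still has an empty parameter list even though the header was changed to `instrument_on_fork(void)` in the previous commit, so the prototype cleanup is only half done; change the definition to `void instrument_on_fork(void) {`. The silent no-op when `instrument_previous_pc_addr` is NULL also differs from the persistent-loop hooks in this same commit, which `FATAL` in that case; if a fork can legitimately happen before any block has run in this thread, say so with `/* NULL until the first block is instrumented in this thread; nothing to reset yet */`, otherwise make it FATAL like the others.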
@@ -155,10 +155,23 @@ void instrument_coverage_optimize(const cs_insn * instr, afl_log_code code = {0}; GumArm64Writer *cw = output->writer.arm64; guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); - gsize map_size_pow2; - gsize area_offset_ror; + gsize map_size_pow2; + gsize area_offset_ror; GumAddress code_addr = 0; + if (instrument_previous_pc_addr == NULL) { + + GumAddressSpec spec = {.near_address = cw->code, + .max_distance = 1ULL << 30}; + + instrument_previous_pc_addr = gum_memory_allocate_near( + &spec, sizeof(guint64), 0x1000, GUM_PAGE_READ | GUM_PAGE_WRITE); + *instrument_previous_pc_addr = instrument_hash_zero; + FVERBOSE("instrument_previous_pc_addr: %p", instrument_previous_pc_addr); + FVERBOSE("code_addr: %p", cw->code); + + } + // gum_arm64_writer_put_brk_imm(cw, 0x0); code_addr = cw->pc; @@ -170,13 +183,13 @@ void instrument_coverage_optimize(const cs_insn * instr, * 64KB in size, then it should also end on a 64 KB boundary. It is followed * by our previous_pc, so this too should be 64KB aligned. */ - g_assert(PAGE_ALIGNED(&instrument_previous_pc)); + g_assert(PAGE_ALIGNED(instrument_previous_pc_addr)); g_assert(PAGE_ALIGNED(__afl_area_ptr)); instrument_patch_ardp( &code.code.adrp_x0_prev_loc1, code_addr + offsetof(afl_log_code, code.adrp_x0_prev_loc1), - GUM_ADDRESS(&instrument_previous_pc)); + GUM_ADDRESS(instrument_previous_pc_addr)); code.code.mov_x0_curr_loc |= area_offset << 5; @@ -191,7 +204,7 @@ void instrument_coverage_optimize(const cs_insn * instr, instrument_patch_ardp( &code.code.adrp_x0_prev_loc2, code_addr + offsetof(afl_log_code, code.adrp_x0_prev_loc2), - GUM_ADDRESS(&instrument_previous_pc)); + GUM_ADDRESS(instrument_previous_pc_addr)); code.code.mov_x1_curr_loc_shr_1 |= (area_offset_ror << 5); @@ -214,7 +227,6 @@ void instrument_coverage_optimize_init(void) { } FVERBOSE("__afl_area_ptr: %p", __afl_area_ptr); - FVERBOSE("instrument_previous_pc: %p", &instrument_previous_pc); } 
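Review bot: `gum_memory_allocate_near` is dereferenced without a NULL check: a near allocation can fail when no free page exists within `max_distance` of the code, and `*instrument_previous_pc_addr = instrument_hash_zero;` would then fault inside the compile path instead of reporting anything. The same dozen lines are pasted into the x64 and x86 files in this commit, so a shared helper in instrument.c carrying the check, declared in instrument.h, fixes all three at once and each arch file reduces to `instrument_previous_pc_init(cw->code);`. `instrument_coverage_optimize` continues outside the hunk.
```c
/* Allocate this thread's previous-pc slot near the generated code (once). */
void instrument_previous_pc_init(gpointer near_address) {

  if (instrument_previous_pc_addr != NULL) { return; }

  GumAddressSpec spec = {.near_address = near_address,
                         .max_distance = 1ULL << 30};

  instrument_previous_pc_addr = gum_memory_allocate_near(
      &spec, sizeof(guint64), 0x1000, GUM_PAGE_READ | GUM_PAGE_WRITE);

  if (instrument_previous_pc_addr == NULL) {

    FATAL("Failed to allocate previous_pc slot near generated code");

  }

  *instrument_previous_pc_addr = instrument_hash_zero;
  FVERBOSE("instrument_previous_pc_addr: %p", instrument_previous_pc_addr);

}
```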
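Review bot: The comment kept above the assertions still says previous_pc "is followed by" the coverage map and must therefore be 64 KB aligned, but after this change the slot is a separate allocation with 0x1000 alignment (see the hunk above), so the text no longer describes the layout that `PAGE_ALIGNED(instrument_previous_pc_addr)` is checking; reword it along the lines of `/* previous_pc lives in its own page allocated near the code, so both it and __afl_area_ptr must be page aligned for the adrp sequence below */`. The assertion will also fire if `on_basic_block` (earlier in this commit) has already pointed `instrument_previous_pc_addr` at the unaligned TLS fallback in the same thread, because the lazy allocation is skipped whenever the pointer is non-NULL; whether the two paths can meet in one thread is not visible here, but the comment should name the invariant that rules it out.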
diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index b7b6ca6f..0ea4f7f0 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -360,7 +360,6 @@ void instrument_coverage_optimize_init(void) { } FVERBOSE("__afl_area_ptr: %p", __afl_area_ptr); - FVERBOSE("instrument_previous_pc: %p", &instrument_previous_pc); } @@ -439,6 +438,18 @@ void instrument_coverage_optimize(const cs_insn * instr, gsize map_size_pow2; gsize area_offset_ror; GumAddress code_addr = 0; + if (instrument_previous_pc_addr == NULL) { + + GumAddressSpec spec = {.near_address = cw->code, + .max_distance = 1ULL << 30}; + + instrument_previous_pc_addr = gum_memory_allocate_near( + &spec, sizeof(guint64), 0x1000, GUM_PAGE_READ | GUM_PAGE_WRITE); + *instrument_previous_pc_addr = instrument_hash_zero; + FVERBOSE("instrument_previous_pc_addr: %p", instrument_previous_pc_addr); + FVERBOSE("code_addr: %p", cw->code); + + } instrument_coverage_suppress_init(); @@ -462,7 +473,7 @@ void instrument_coverage_optimize(const cs_insn * instr, *((guint32 *)&code.bytes[curr_loc_shr_1_offset]) = (guint32)(area_offset_ror); gssize prev_loc_value = - GPOINTER_TO_SIZE(&instrument_previous_pc) - + GPOINTER_TO_SIZE(instrument_previous_pc_addr) - (code_addr + offsetof(afl_log_code, code.mov_prev_loc_curr_loc_shr1) + sizeof(code.code.mov_prev_loc_curr_loc_shr1)); gssize prev_loc_value_offset = @@ -478,7 +489,7 @@ void instrument_coverage_optimize(const cs_insn * instr, *((gint *)&code.bytes[prev_loc_value_offset]) = (gint)prev_loc_value; gssize prev_loc_value2 = - GPOINTER_TO_SIZE(&instrument_previous_pc) - + GPOINTER_TO_SIZE(instrument_previous_pc_addr) - (code_addr + offsetof(afl_log_code, code.mov_eax_prev_loc) + sizeof(code.code.mov_eax_prev_loc)); gssize prev_loc_value_offset2 = diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index ad837e2d..c4e93324 100644 
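Review bot: As in the arm64 file, the result of `gum_memory_allocate_near` is written through without a NULL check, so on failure the first instrumented block in the thread crashes on `*instrument_previous_pc_addr = instrument_hash_zero;` instead of reporting; add `if (instrument_previous_pc_addr == NULL) { FATAL("Failed to allocate previous_pc"); }` before the store. The page is also never released: it is allocated once per thread on first compile and the commit adds no matching free, so each short-lived thread leaves a page behind — probably acceptable for a fuzzing harness, but worth a comment on the allocation. `instrument_coverage_optimize` starts and ends outside this hunk.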
--- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c @@ -153,6 +153,19 @@ void instrument_coverage_optimize(const cs_insn * instr, gsize map_size_pow2; gsize area_offset_ror; + if (instrument_previous_pc_addr == NULL) { + + GumAddressSpec spec = {.near_address = cw->code, + .max_distance = 1ULL << 30}; + + instrument_previous_pc_addr = gum_memory_allocate_near( + &spec, sizeof(guint64), 0x1000, GUM_PAGE_READ | GUM_PAGE_WRITE); + *instrument_previous_pc_addr = instrument_hash_zero; + FVERBOSE("instrument_previous_pc_addr: %p", instrument_previous_pc_addr); + FVERBOSE("code_addr: %p", cw->code); + + } + code.code = template; instrument_coverage_suppress_init(); @@ -170,7 +183,7 @@ void instrument_coverage_optimize(const cs_insn * instr, sizeof(code.code.mov_eax_prev_loc) - sizeof(gint); *((gint *)&code.bytes[prev_loc_value_offset2]) = - (gint)GPOINTER_TO_SIZE(&instrument_previous_pc); + (gint)GPOINTER_TO_SIZE(instrument_previous_pc_addr); gssize curr_loc_shr_1_offset = offsetof(afl_log_code, code.mov_prev_loc_curr_loc_shr1) + @@ -187,7 +200,7 @@ void instrument_coverage_optimize(const cs_insn * instr, sizeof(guint32); *((gint *)&code.bytes[prev_loc_value_offset]) = - (gint)GPOINTER_TO_SIZE(&instrument_previous_pc); + (gint)GPOINTER_TO_SIZE(instrument_previous_pc_addr); gssize xor_curr_loc_offset = offsetof(afl_log_code, code.xor_eax_curr_loc) + sizeof(code.code.xor_eax_curr_loc) - diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c index 48f29bb0..16ecf39c 100644 --- a/frida_mode/src/persistent/persistent_arm64.c +++ b/frida_mode/src/persistent/persistent_arm64.c 
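Review bot: On x86 the `near_address`/`max_distance` constraint buys nothing, because the later hunks in this file embed `instrument_previous_pc_addr` as an absolute 32-bit immediate (`(gint)GPOINTER_TO_SIZE(...)`) rather than a PC-relative displacement; it is harmless, but a one-line comment such as `/* near spec kept only to match the x64/arm64 code; x86 embeds the absolute address */` would stop a reader from hunting for a rel32 that is not there. The NULL-dereference concern from the other arches applies here as well: add `if (instrument_previous_pc_addr == NULL) { FATAL("Failed to allocate previous_pc"); }` before the store. `instrument_coverage_optimize` starts and ends outside this hunk.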
@@ -236,7 +236,13 @@ static void instrument_exit(GumArm64Writer *cw) { static int instrument_afl_persistent_loop_func(void) { int ret = __afl_persistent_loop(persistent_count); - instrument_previous_pc = instrument_hash_zero; + if (instrument_previous_pc_addr == NULL) { + + FATAL("instrument_previous_pc_addr uninitialized"); + + } + + *instrument_previous_pc_addr = instrument_hash_zero; return ret; } diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c index 13d6a090..56141787 100644 --- a/frida_mode/src/persistent/persistent_x64.c +++ b/frida_mode/src/persistent/persistent_x64.c @@ -173,7 +173,13 @@ static void instrument_exit(GumX86Writer *cw) { static int instrument_afl_persistent_loop_func(void) { int ret = __afl_persistent_loop(persistent_count); - instrument_previous_pc = instrument_hash_zero; + if (instrument_previous_pc_addr == NULL) { + + FATAL("instrument_previous_pc_addr uninitialized"); + + } + + *instrument_previous_pc_addr = instrument_hash_zero; return ret; } diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c index 3fe5891c..76c25334 100644 --- a/frida_mode/src/persistent/persistent_x86.c +++ b/frida_mode/src/persistent/persistent_x86.c @@ -130,7 +130,13 @@ static void instrument_exit(GumX86Writer *cw) { static int instrument_afl_persistent_loop_func(void) { int ret = __afl_persistent_loop(persistent_count); - instrument_previous_pc = instrument_hash_zero; + if (instrument_previous_pc_addr == NULL) { + + FATAL("instrument_previous_pc_addr uninitialized"); + + } + + *instrument_previous_pc_addr = instrument_hash_zero; return ret; } -- cgit 1.4.1