From c169cb3911b33fbc3974005788ade1c9218ade98 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 25 Mar 2021 20:10:09 +0100 Subject: integrate frida_mode, code-format --- frida_mode/include/instrument.h | 7 +++++++ frida_mode/include/interceptor.h | 4 ++++ frida_mode/include/prefetch.h | 5 +++++ frida_mode/include/ranges.h | 6 ++++++ 4 files changed, 22 insertions(+) create mode 100644 frida_mode/include/instrument.h create mode 100644 frida_mode/include/interceptor.h create mode 100644 frida_mode/include/prefetch.h create mode 100644 frida_mode/include/ranges.h (limited to 'frida_mode/include') diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h new file mode 100644 index 00000000..ff71bed4 --- /dev/null +++ b/frida_mode/include/instrument.h @@ -0,0 +1,7 @@ +#include "frida-gum.h" + +void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, + gpointer user_data); + +void instrument_init(); + diff --git a/frida_mode/include/interceptor.h b/frida_mode/include/interceptor.h new file mode 100644 index 00000000..5ed3cf49 --- /dev/null +++ b/frida_mode/include/interceptor.h @@ -0,0 +1,4 @@ +#include "frida-gum.h" + +void intercept(void *address, gpointer replacement, gpointer user_data); + diff --git a/frida_mode/include/prefetch.h b/frida_mode/include/prefetch.h new file mode 100644 index 00000000..b7f25a97 --- /dev/null +++ b/frida_mode/include/prefetch.h @@ -0,0 +1,5 @@ +void prefetch_init(); +void prefetch_start(GumStalker *stalker); +void prefetch_write(void *addr); +void prefetch_read(GumStalker *stalker); + diff --git a/frida_mode/include/ranges.h b/frida_mode/include/ranges.h new file mode 100644 index 00000000..b9394dbc --- /dev/null +++ b/frida_mode/include/ranges.h @@ -0,0 +1,6 @@ +#include "frida-gum.h" + +void ranges_init(GumStalker *stalker); + +gboolean range_is_excluded(gpointer address); + -- cgit 1.4.1 From 39ad3b89467d6de12cbb9d08ccd77d331c0d1f9e Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Wed, 28 Apr 2021 09:25:26 +0100 Subject: Frida persistent (#880) * Added x64 support for persistent mode (function call only), in-memory teest cases and complog * Review changes, fix NeverZero and code to parse the .text section of the main executable. Excluded ranges TBC * Various minor fixes and finished support for AFL_INST_LIBS * Review changes Co-authored-by: Your Name --- frida_mode/GNUmakefile | 88 ++++ frida_mode/Makefile | 349 +--------------- frida_mode/README.md | 103 +++-- frida_mode/include/complog.h | 9 + frida_mode/include/instrument.h | 17 +- frida_mode/include/interceptor.h | 2 + frida_mode/include/lib.h | 8 + frida_mode/include/persistent.h | 26 ++ frida_mode/include/prefetch.h | 7 +- frida_mode/include/ranges.h | 2 +- frida_mode/include/stalker.h | 8 + frida_mode/include/util.h | 6 + frida_mode/src/complog/complog.c | 72 ++++ frida_mode/src/complog/complog_arm.c | 15 + frida_mode/src/complog/complog_arm64.c | 15 + frida_mode/src/complog/complog_x64.c | 363 ++++++++++++++++ frida_mode/src/complog/complog_x86.c | 15 + frida_mode/src/instrument.c | 271 ------------ frida_mode/src/instrument/instrument.c | 150 +++++++ frida_mode/src/instrument/instrument_arm32.c | 23 ++ frida_mode/src/instrument/instrument_arm64.c | 97 +++++ frida_mode/src/instrument/instrument_x64.c | 93 +++++ frida_mode/src/instrument/instrument_x86.c | 23 ++ frida_mode/src/interceptor.c | 19 + frida_mode/src/lib.c | 167 ++++++++ frida_mode/src/main.c | 59 +-- frida_mode/src/persistent/persistent.c | 68 +++ frida_mode/src/persistent/persistent_arm32.c | 70 ++++ frida_mode/src/persistent/persistent_arm64.c | 113 +++++ frida_mode/src/persistent/persistent_x64.c | 337 +++++++++++++++ frida_mode/src/persistent/persistent_x86.c | 53 +++ frida_mode/src/prefetch.c | 23 +- frida_mode/src/ranges.c | 457 ++++++++++++++------- frida_mode/src/stalker.c | 49 +++ frida_mode/src/util.c | 66 +++ frida_mode/test/cmplog/GNUmakefile | 66 +++ frida_mode/test/cmplog/Makefile | 12 + frida_mode/test/cmplog/get_section_addrs.py | 49 +++ frida_mode/test/png/GNUmakefile | 106 +++++ frida_mode/test/png/Makefile | 12 + frida_mode/test/png/persistent/GNUmakefile | 54 +++ frida_mode/test/png/persistent/Makefile | 12 + frida_mode/test/png/persistent/get_symbol_addr.py | 36 ++ frida_mode/test/png/persistent/hook/GNUmakefile | 70 ++++ frida_mode/test/png/persistent/hook/Makefile | 12 + frida_mode/test/testinstr.c | 112 ----- frida_mode/test/testinstr.py | 49 --- frida_mode/test/testinstr/GNUmakefile | 50 +++ frida_mode/test/testinstr/Makefile | 12 + frida_mode/test/testinstr/testinstr.c | 112 +++++ include/envs.h | 3 + instrumentation/afl-compiler-rt.o.c | 15 +- instrumentation/afl-llvm-lto-instrumentation.so.cc | 8 +- qemu_mode/qemuafl | 2 +- src/afl-forkserver.c | 3 +- src/afl-fuzz-cmplog.c | 2 +- src/afl-fuzz-init.c | 8 + src/afl-fuzz.c | 3 +- 58 files changed, 3023 insertions(+), 1028 deletions(-) create mode 100644 frida_mode/GNUmakefile create mode 100644 frida_mode/include/complog.h create mode 100644 frida_mode/include/lib.h create mode 100644 frida_mode/include/persistent.h create mode 100644 frida_mode/include/stalker.h create mode 100644 frida_mode/include/util.h create mode 100644 frida_mode/src/complog/complog.c create mode 100644 frida_mode/src/complog/complog_arm.c create mode 100644 frida_mode/src/complog/complog_arm64.c create mode 100644 frida_mode/src/complog/complog_x64.c create mode 100644 frida_mode/src/complog/complog_x86.c delete mode 100644 frida_mode/src/instrument.c create mode 100644 frida_mode/src/instrument/instrument.c create mode 100644 frida_mode/src/instrument/instrument_arm32.c create mode 100644 frida_mode/src/instrument/instrument_arm64.c create mode 100644 frida_mode/src/instrument/instrument_x64.c create mode 100644 frida_mode/src/instrument/instrument_x86.c create mode 100644 frida_mode/src/lib.c create mode 100644 frida_mode/src/persistent/persistent.c create mode 100644 frida_mode/src/persistent/persistent_arm32.c create mode 100644 frida_mode/src/persistent/persistent_arm64.c create mode 100644 frida_mode/src/persistent/persistent_x64.c create mode 100644 frida_mode/src/persistent/persistent_x86.c create mode 100644 frida_mode/src/stalker.c create mode 100644 frida_mode/src/util.c create mode 100644 frida_mode/test/cmplog/GNUmakefile create mode 100644 frida_mode/test/cmplog/Makefile create mode 100755 frida_mode/test/cmplog/get_section_addrs.py create mode 100644 frida_mode/test/png/GNUmakefile create mode 100644 frida_mode/test/png/Makefile create mode 100644 frida_mode/test/png/persistent/GNUmakefile create mode 100644 frida_mode/test/png/persistent/Makefile create mode 100755 frida_mode/test/png/persistent/get_symbol_addr.py create mode 100644 frida_mode/test/png/persistent/hook/GNUmakefile create mode 100644 frida_mode/test/png/persistent/hook/Makefile delete mode 100644 frida_mode/test/testinstr.c delete mode 100755 frida_mode/test/testinstr.py create mode 100644 frida_mode/test/testinstr/GNUmakefile create mode 100644 frida_mode/test/testinstr/Makefile create mode 100644 frida_mode/test/testinstr/testinstr.c (limited to 'frida_mode/include') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile new file mode 100644 index 00000000..51107910 --- /dev/null +++ b/frida_mode/GNUmakefile @@ -0,0 +1,88 @@ +PWD:=$(shell pwd)/ +ROOT:=$(shell realpath $(PWD)..)/ +INC_DIR:=$(PWD)include/ +SRC_DIR:=$(PWD)src/ +INCLUDES:=$(wildcard $(INC_DIR)*.h) +SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c) +BUILD_DIR:=$(PWD)build/ +CFLAGS+=-fPIC -D_GNU_SOURCE -Wno-prio-ctor-dtor + +FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/ +FRIDA_TRACE:=$(BUILD_DIR)afl-frida-trace.so +FRIDA_TRACE_EMBEDDED:=$(BUILD_DIR)afl-frida-trace-embedded + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + ARCH:=arm64 +endif + +ifeq "$(shell uname)" "Darwin" + OS:=macos + CFLAGS:=$(CFLAGS) -Wno-deprecated-declarations +endif + +ifeq "$(shell uname)" "Linux" + OS:=linux +endif + +ifndef OS + $(error "Operating system unsupported") +endif + +GUM_DEVKIT_VERSION=14.2.17 +GUM_DEVKIT_FILENAME=frida-gum-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar.xz +GUM_DEVKIT_URL="https://github.com/frida/frida/releases/download/$(GUM_DEVKIT_VERSION)/$(GUM_DEVKIT_FILENAME)" +GUM_DEVKIT_TARBALL:=$(FRIDA_BUILD_DIR)$(GUM_DEVKIT_FILENAME) +GUM_DEVIT_LIBRARY=$(FRIDA_BUILD_DIR)libfrida-gum.a +GUM_DEVIT_HEADER=$(FRIDA_BUILD_DIR)frida-gum.h + +TEST_BUILD_DIR:=$(BUILD_DIR)test/ + + +.PHONY: all clean format + +############################# FRIDA ############################################ + +all: $(FRIDA_TRACE) + make -C $(ROOT) + +$(BUILD_DIR): + mkdir -p $(BUILD_DIR) + +$(FRIDA_BUILD_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(GUM_DEVKIT_TARBALL): | $(FRIDA_BUILD_DIR) + wget -O $@ $(GUM_DEVKIT_URL) + +$(GUM_DEVIT_LIBRARY): | $(GUM_DEVKIT_TARBALL) + tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR) + +$(GUM_DEVIT_HEADER): | $(GUM_DEVKIT_TARBALL) + tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR) + +$(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(SOURCES) $(QEMU_INC_API) Makefile | $(BUILD_DIR) + $(CC) -shared \ + $(CFLAGS) \ + -o $@ \ + $(SOURCES) \ + $(GUM_DEVIT_LIBRARY) \ + -I $(FRIDA_BUILD_DIR) \ + -I $(ROOT) \ + -I $(ROOT)include \ + -I $(INC_DIR) \ + $(ROOT)instrumentation/afl-compiler-rt.o.c \ + -lpthread -ldl -lresolv -lelf + + cp -v $(FRIDA_TRACE) $(ROOT) + +############################# CLEAN ############################################ +clean: + rm -rf $(BUILD_DIR) + +############################# FORMAT ########################################### +format: + cd $(ROOT) && echo $(SOURCES) | xargs -L1 ./.custom-format.py -i + cd $(ROOT) && echo $(INCLUDES) | xargs -L1 ./.custom-format.py -i + +############################# RUN ############################################# diff --git a/frida_mode/Makefile b/frida_mode/Makefile index 822f1c6a..b6d64bff 100644 --- a/frida_mode/Makefile +++ b/frida_mode/Makefile @@ -1,348 +1,9 @@ -PWD:=$(shell pwd)/ -INC_DIR:=$(PWD)include/ -SRC_DIR:=$(PWD)src/ -INCLUDES:=$(wildcard $(INC_DIR)*.h) -SOURCES:=$(wildcard $(SRC_DIR)*.c) -BUILD_DIR:=$(PWD)build/ -CFLAGS+=-fPIC -D_GNU_SOURCE +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake -FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/ -FRIDA_TRACE:=$(FRIDA_BUILD_DIR)afl-frida-trace.so - -ARCH=$(shell uname -m) -ifeq "$(ARCH)" "aarch64" - ARCH:=arm64 - TESTINSTR_BASE:=0x0000aaaaaaaaa000 -endif - -ifeq "$(ARCH)" "x86_64" - TESTINSTR_BASE:=0x0000555555554000 -endif - -ifeq "$(shell uname)" "Darwin" - OS:=macos - AFL_FRIDA_INST_RANGES=0x0000000000001000-0xFFFFFFFFFFFFFFFF - CFLAGS:=$(CFLAGS) -Wno-deprecated-declarations - TEST_LDFLAGS:=-undefined dynamic_lookup -endif -ifeq "$(shell uname)" "Linux" - OS:=linux - AFL_FRIDA_INST_RANGES=$(shell $(PWD)test/testinstr.py -f $(BUILD_DIR)testinstr -s .testinstr -b $(TESTINSTR_BASE)) - CFLAGS:=$(CFLAGS) -Wno-prio-ctor-dtor - TEST_LDFLAGS:= -endif - -ifndef OS - $(error "Operating system unsupported") -endif - -VERSION=14.2.13 -GUM_DEVKIT_FILENAME=frida-gum-devkit-$(VERSION)-$(OS)-$(ARCH).tar.xz -GUM_DEVKIT_URL="https://github.com/frida/frida/releases/download/$(VERSION)/$(GUM_DEVKIT_FILENAME)" -GUM_DEVKIT_TARBALL:=$(FRIDA_BUILD_DIR)$(GUM_DEVKIT_FILENAME) -GUM_DEVIT_LIBRARY=$(FRIDA_BUILD_DIR)libfrida-gum.a -GUM_DEVIT_HEADER=$(FRIDA_BUILD_DIR)frida-gum.h - -TEST_BUILD_DIR:=$(BUILD_DIR)test/ - -LIBPNG_FILE:=$(TEST_BUILD_DIR)libpng-1.2.56.tar.gz -LIBPNG_URL:=https://downloads.sourceforge.net/project/libpng/libpng12/older-releases/1.2.56/libpng-1.2.56.tar.gz -LIBPNG_DIR:=$(TEST_BUILD_DIR)libpng-1.2.56/ -LIBPNG_MAKEFILE:=$(LIBPNG_DIR)Makefile -LIBPNG_LIB:=$(LIBPNG_DIR).libs/libpng12.a - -HARNESS_FILE:=$(TEST_BUILD_DIR)StandaloneFuzzTargetMain.c -HARNESS_OBJ:=$(TEST_BUILD_DIR)StandaloneFuzzTargetMain.o -HARNESS_URL:="https://raw.githubusercontent.com/llvm/llvm-project/main/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c" - -PNGTEST_FILE:=$(TEST_BUILD_DIR)target.cc -PNGTEST_OBJ:=$(TEST_BUILD_DIR)target.o -PNGTEST_URL:="https://raw.githubusercontent.com/google/fuzzbench/master/benchmarks/libpng-1.2.56/target.cc" - -TEST_BIN:=$(TEST_BUILD_DIR)pngtest - -TESTINSTBIN:=$(BUILD_DIR)testinstr -TESTINSTSRC:=$(PWD)test/testinstr.c - -TEST_DATA_DIR:=$(PWD)build/test/libpng-1.2.56/contrib/pngsuite/ - -TESTINSTR_DATA_DIR:=$(BUILD_DIR)testinstr_in/ -TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)test.dat -FRIDA_OUT:=$(PWD)frida_out -QEMU_OUT:=$(PWD)qemu_out - -.PHONY: all frida test clean format test_frida test_qemu compare testinstr test_testinstr standalone - -all: $(FRIDA_TRACE) - -frida: $(FRIDA_TRACE) - -$(BUILD_DIR): - mkdir -p $(BUILD_DIR) - -############################# FRIDA ############################################ -$(FRIDA_BUILD_DIR): | $(BUILD_DIR) - mkdir -p $@ - -$(GUM_DEVKIT_TARBALL): | $(FRIDA_BUILD_DIR) - wget -O $@ $(GUM_DEVKIT_URL) - -$(GUM_DEVIT_LIBRARY): | $(GUM_DEVKIT_TARBALL) - tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR) - -$(GUM_DEVIT_HEADER): | $(GUM_DEVKIT_TARBALL) - tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR) - -$(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(SOURCES) Makefile | $(FRIDA_BUILD_DIR) - $(CC) -shared \ - $(CFLAGS) \ - -o $@ $(SOURCES) \ - $(GUM_DEVIT_LIBRARY) \ - -I $(FRIDA_BUILD_DIR) \ - -I .. \ - -I ../include \ - -I $(INC_DIR) \ - ../instrumentation/afl-compiler-rt.o.c \ - -lpthread -ldl -lresolv - - cp -v $(FRIDA_TRACE) ../ - -############################# TEST ############################################# - -test: $(TEST_BIN) - -$(TEST_BUILD_DIR): $(BUILD_DIR) - mkdir -p $@ - -$(HARNESS_FILE): | $(TEST_BUILD_DIR) - wget -O $@ $(HARNESS_URL) - -$(HARNESS_OBJ): $(HARNESS_FILE) - $(CC) -o $@ -c $< - -$(PNGTEST_FILE): | $(TEST_BUILD_DIR) - wget -O $@ $(PNGTEST_URL) - -$(PNGTEST_OBJ): $(PNGTEST_FILE) | $(LIBPNG_DIR) - $(CXX) -std=c++11 -I $(LIBPNG_DIR) -o $@ -c $< - -$(LIBPNG_FILE): | $(TEST_BUILD_DIR) - wget -O $@ $(LIBPNG_URL) - -$(LIBPNG_DIR): $(LIBPNG_FILE) - tar zxvf $(LIBPNG_FILE) -C $(TEST_BUILD_DIR) - -$(LIBPNG_MAKEFILE): | $(LIBPNG_DIR) - cd $(LIBPNG_DIR) && ./configure - -$(LIBPNG_LIB): $(LIBPNG_MAKEFILE) - make -C $(LIBPNG_DIR) - -$(TEST_BIN): $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) - $(CXX) \ - -o $@ \ - $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) \ - -lz \ - $(TEST_LDFLAGS) - -############################# TESTINSR ######################################### -$(TESTINSTR_DATA_DIR): | $(BUILD_DIR) - mkdir -p $@ - -$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR) - echo -n "000" > $@ - -$(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) - $(CC) -o $@ $< - -testinstr: $(TESTINSTBIN) - -############################# CLEAN ############################################ clean: - rm -rf $(BUILD_DIR) + @gmake clean -############################# FORMAT ########################################### format: - cd .. && echo $(SOURCES) | xargs -L1 ./.custom-format.py -i - cd .. && echo $(INCLUDES) | xargs -L1 ./.custom-format.py -i - cd .. && ./.custom-format.py -i $(TESTINSTSRC) - -############################# RUN ############################################# - -# Add the environment variable AFL_DEBUG_CHILD=1 to show printf's from the target - -png_frida: $(FRIDA_TRACE) $(TEST_BIN) - make -C .. - cd .. && \ - ./afl-fuzz \ - -O \ - -i $(TEST_DATA_DIR) \ - -o $(FRIDA_OUT) \ - -- \ - $(TEST_BIN) @@ - -png_qemu: $(TEST_BIN) - make -C .. - cd .. && \ - ./afl-fuzz \ - -Q \ - -i $(TEST_DATA_DIR) \ - -o $(QEMU_OUT) \ - -- \ - $(TEST_BIN) @@ - -compare: $(FRIDA_TRACE) $(TEST_BIN) - cd .. && \ - ./afl-fuzz \ - -V30 \ - -O \ - -i $(TEST_DATA_DIR) \ - -o $(FRIDA_OUT) \ - -- \ - $(TEST_BIN) @@ - cd .. && \ - ./afl-fuzz \ - -V30 \ - -Q \ - -i $(TEST_DATA_DIR) \ - -o $(QEMU_OUT) \ - -- \ - $(TEST_BIN) @@ - cat frida_out/default/fuzzer_stats - cat qemu_out/default/fuzzer_stats - -testinstr_qemu: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) - make -C .. - cd .. && \ - AFL_QEMU_INST_RANGES=$(AFL_FRIDA_INST_RANGES) \ - ./afl-fuzz \ - -Q \ - -i $(TESTINSTR_DATA_DIR) \ - -o $(QEMU_OUT) \ - -- \ - $(TESTINSTBIN) @@ - -testinstr_frida: $(FRIDA_TRACE) $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) - make -C .. - cd .. && \ - AFL_FRIDA_INST_RANGES=$(AFL_FRIDA_INST_RANGES) \ - AFL_FRIDA_INST_NO_OPTIMIZE=1 \ - AFL_FRIDA_INST_NO_PREFETCH=1 \ - AFL_FRIDA_INST_STRICT=1 \ - ./afl-fuzz \ - -O \ - -i $(TESTINSTR_DATA_DIR) \ - -o $(FRIDA_OUT) \ - -- \ - $(TESTINSTBIN) @@ - -standalone: $(FRIDA_TRACE) $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) - cd .. && \ - AFL_FRIDA_INST_RANGES=$(AFL_FRIDA_INST_RANGES) \ - AFL_DEBUG_CHILD=1 \ - AFL_FRIDA_DEBUG_MAPS=1 \ - AFL_FRIDA_INST_NO_OPTIMIZE=1 \ - AFL_FRIDA_INST_NO_PREFETCH=1 \ - AFL_FRIDA_INST_TRACE=1 \ - AFL_FRIDA_INST_STRICT=1 \ - LD_PRELOAD=$(FRIDA_TRACE) \ - DYLD_INSERT_LIBRARIES=$(FRIDA_TRACE) \ - $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) - -tmin_qemu: $(TEST_BIN) - make -C .. - cd .. && \ - ./afl-tmin \ - -Q \ - -i $(TEST_DATA_DIR)basn0g01.png \ - -o $(QEMU_OUT)/qemu-min-basn0g01.png \ - -- \ - $(TEST_BIN) @@ - -tmin_frida: $(TEST_BIN) - make -C .. - cd .. && \ - ./afl-tmin \ - -O \ - -i $(TEST_DATA_DIR)basn0g01.png \ - -o $(FRIDA_OUT)/qemu-min-basn0g01.png \ - -- \ - $(TEST_BIN) - -showmap_qemu: $(TEST_BIN) - make -C .. - cd .. && \ - ./afl-showmap \ - -Q \ - -i $(TEST_DATA_DIR) \ - -o $(QEMU_OUT) \ - -- \ - $(TEST_BIN) @@ - -showmap_frida: $(TEST_BIN) - make -C .. - cd .. && \ - ./afl-showmap \ - -O \ - -i $(TEST_DATA_DIR) \ - -o $(FRIDA_OUT) \ - -- \ - $(TEST_BIN) @@ - -analyze_qemu: $(TEST_BIN) - make -C .. - cd .. && \ - ./afl-analyze \ - -Q \ - -i $(TEST_DATA_DIR)basn0g01.png \ - -- \ - $(TEST_BIN) @@ - -analyze_frida: $(TEST_BIN) - make -C .. - cd .. && \ - ./afl-analyze \ - -O \ - -i $(TEST_DATA_DIR)basn0g01.png \ - -- \ - $(TEST_BIN) @@ - -cmin_qemu: $(TEST_BIN) - make -C .. - cd .. && \ - ./afl-cmin \ - -Q \ - -i $(TEST_DATA_DIR) \ - -o $(QEMU_OUT) \ - -- \ - $(TEST_BIN) @@ - -cmin_frida: $(TEST_BIN) - make -C .. - cd .. && \ - ./afl-cmin \ - -O \ - -i $(TEST_DATA_DIR) \ - -o $(FRIDA_OUT) \ - -- \ - $(TEST_BIN) @@ - -cmin_bash_qemu: $(TEST_BIN) - make -C .. - cd .. && \ - ./afl-cmin.bash \ - -Q \ - -i $(TEST_DATA_DIR) \ - -o $(QEMU_OUT) \ - -- \ - $(TEST_BIN) @@ - -cmin_bash_frida: $(TEST_BIN) - make -C .. - cd .. && \ - ./afl-cmin.bash \ - -O \ - -i $(TEST_DATA_DIR) \ - -o $(FRIDA_OUT) \ - -- \ - $(TEST_BIN) @@ + @gmake format diff --git a/frida_mode/README.md b/frida_mode/README.md index 8abee0dd..0d655d0f 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -10,23 +10,23 @@ a small harness around their target code of interest, FRIDA mode instead takes a different approach to avoid these limitations. # Current Progress -As FRIDA mode is new, it is missing a lot of features. Most importantly, -persistent mode. The design is such that it should be possible to add these -features in a similar manner to QEMU mode and perhaps leverage some of its -design and implementation. - - | Feature/Instrumentation | frida-mode | - | -------------------------|:----------:| - | NeverZero | | - | Persistent Mode | | - | LAF-Intel / CompCov | | - | CmpLog | | - | Selective Instrumentation| x | - | Non-Colliding Coverage | | - | Ngram prev_loc Coverage | | - | Context Coverage | | - | Auto Dictionary | | - | Snapshot LKM Support | | +As FRIDA mode is new, it is missing a lot of features. The design is such that it +should be possible to add these features in a similar manner to QEMU mode and +perhaps leverage some of its design and implementation. + + | Feature/Instrumentation | frida-mode | Notes | + | -------------------------|:----------:|:---------------------------------------:| + | NeverZero | x | | + | Persistent Mode | x | (x64 only)(Only on function boundaries) | + | LAF-Intel / CompCov | - | (Superseded by CmpLog) | + | CmpLog | x | (x64 only) | + | Selective Instrumentation| x | | + | Non-Colliding Coverage | - | | + | Ngram prev_loc Coverage | - | | + | Context Coverage | - | | + | Auto Dictionary | - | | + | Snapshot LKM Support | - | | + | In-Memory Test Cases | x |(x64 only) | # Compatibility Currently FRIDA mode supports Linux and macOS targets on both x86/x64 @@ -40,8 +40,9 @@ system does not support cross compilation. ## Getting Started To build everything run `make`. -To run the benchmark sample with qemu run `make png_qemu`. -To run the benchmark sample with frida run `make png_frida`. +Various tests can be found in subfolders within the `test/` directory. To use +these, first run `make` to build any dependencies. Then run `make qemu` or +`make frida` to run on either QEMU of FRIDA mode respectively. ## Usage FRIDA mode requires some small modifications to `afl-fuzz` and similar tools @@ -58,32 +59,32 @@ following options are currently supported. * `AFL_FRIDA_DEBUG_MAPS` - See `AFL_QEMU_DEBUG_MAPS` * `AFL_FRIDA_EXCLUDE_RANGES` - See `AFL_QEMU_EXCLUDE_RANGES` * `AFL_FRIDA_INST_RANGES` - See `AFL_QEMU_INST_RANGES` +* `AFL_FRIDA_PERSISTENT_ADDR` - See `AFL_QEMU_PERSISTENT_ADDR` +* `AFL_FRIDA_PERSISTENT_CNT` - See `AFL_QEMU_PERSISTENT_CNT` +* `AFL_FRIDA_PERSISTENT_HOOK` - See `AFL_QEMU_PERSISTENT_HOOK` + # Performance Additionally, the intention is to be able to make a direct performance -comparison between the two approaches. Accordingly, FRIDA mode includes a test -target based on the [libpng](https://libpng.sourceforge.io/) benchmark used by +comparison between the two approaches. Accordingly, FRIDA mode includes various +tests target based on the [libpng](https://libpng.sourceforge.io/) benchmark used by [fuzzbench](https://google.github.io/fuzzbench/) and integrated with the [StandaloneFuzzTargetMain](https://raw.githubusercontent.com/llvm/llvm-project/main/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c) -from the llvm project. This is built and linked without any special -modifications to suit FRIDA or QEMU. We use the test data provided with libpng -as our corpus. +from the llvm project. These tests include basic fork-server support, persistent mode +and persistent mode with in-memory test-cases. These are built and linked without +any special modifications to suit FRIDA or QEMU. The test data provided with libpng +is used as the corpus. -Whilst not much performance tuning has been completed to date, performance is -around 30-50% of that of QEMU mode, however, this gap may reduce with the -introduction of persistent mode. Performance can be tested by running -`make compare`, albeit a longer time measurement may be required for more -accurate results. +The intention is to add support for FRIDA mode to the FuzzBench project and +perform a like-for-like comparison with QEMU mode to get an accurate +appreciation of its performance. Whilst [afl_frida](https://github.com/AFLplusplus/AFLplusplus/tree/stable/utils/afl_frida) claims a 5-10x performance increase over QEMU, it has not been possible to -reproduce these claims. However, the number of executions per second can vary -dramatically as a result of the randomization of the fuzzer input. Some inputs -may traverse relatively few paths before being rejected as invalid whilst others -may be valid inputs or be subject to much more processing before rejection. -Accordingly, it is recommended that testing be carried out over prolongued -periods to gather timings which are more than indicative. +reproduce these claims. It is thought that `afl_frida` was running a test case +in persistent mode, whereas the qemu test it was compared against was not and +this may account for the differences since it isn't a like-for-like comparison. # Design FRIDA mode is supported by using `LD_PRELOAD` (`DYLD_INSERT_LIBRARIES` on macOS) @@ -102,12 +103,19 @@ this coverage information to AFL++ and also provide a fork server. It also makes use of the FRIDA [prefetch](https://github.com/frida/frida-gum/blob/56dd9ba3ee9a5511b4b0c629394bf122775f1ab7/gum/gumstalker.h#L115) support to feedback instrumented blocks from the child to the parent using a shared memory region to avoid the need to regenerate instrumented blocks on each -fork. +fork. Whilst FRIDA allows for a normal C function to be used to augment instrumented -code, to minimize the costs of storing and restoring all of the registers, FRIDA -mode instead makes use of optimized assembly instead on AARCH64 and x86/64 -targets. +code, FRIDA mode instead makes use of optimized assembly instead on AARCH64 and +x86/64 targets. By injecting these small snippets of assembly, we avoid having +to push and pop the full register context. Note that since this instrumentation +is used on every basic block to generate coverage, it has a large impact on +performance. + +CompLog support also adds code to the assembly, however, at present this code +makes use of a basic C function and is yet to be optimized. Since not all +instances run CompLog mode and instrumentation of the binary is less frequent +(only on CMP, SUB and CALL instructions) performance is not quite so critical. # Advanced configuration options * `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage @@ -116,20 +124,11 @@ instrumentation (the default where available). Required to use * `AFL_FRIDA_INST_NO_PREFETCH` - Disable prefetching. By default the child will report instrumented blocks back to the parent so that it can also instrument them and they be inherited by the next child on fork. -* `AFL_FRIDA_INST_STRICT` - Under certain conditions, Stalker may encroach into -excluded regions and generate both instrumented blocks and coverage data (e.g. -indirect calls on x86). The excluded block is generally honoured as soon as -another function is called within the excluded region and so such encroachment -is usually of little consequence. This detail may however, hinder you when -checking that the correct number of paths are found for testing purposes or -similar. There is a performance penatly for this option during block compilation -where we check the block isn't in a list of excluded ranges. * `AFL_FRIDA_INST_TRACE` - Generate some logging when running instrumented code. Requires `AFL_FRIDA_INST_NO_OPTIMIZE`. # TODO -As can be seen from the progress section above, there are a number of features -which are missing in its currently form. Chief amongst which is persistent mode. -The intention is to achieve feature parity with QEMU mode in due course. -Contributions are welcome, but please get in touch to ensure that efforts are -deconflicted. +The next features to be added are x86 support, integration with FuzzBench and +support for ASAN. The intention is to achieve feature parity with QEMU mode in +due course. Contributions are welcome, but please get in touch to ensure that +efforts are deconflicted. diff --git a/frida_mode/include/complog.h b/frida_mode/include/complog.h new file mode 100644 index 00000000..094b7b93 --- /dev/null +++ b/frida_mode/include/complog.h @@ -0,0 +1,9 @@ +extern struct cmp_map *__afl_cmp_map; + +void complog_init(void); + +/* Functions to be implemented by the different architectures */ +void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator); + +gboolean complog_is_readable(void *addr, size_t size); + diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index ff71bed4..1b6c6bba 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -1,7 +1,18 @@ #include "frida-gum.h" -void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, - gpointer user_data); +#include "config.h" -void instrument_init(); +extern uint64_t __thread previous_pc; +extern uint8_t *__afl_area_ptr; +extern uint32_t __afl_map_size; + +void instrument_init(void); + +GumStalkerTransformer *instrument_get_transformer(void); + +/* Functions to be implemented by the different architectures */ +gboolean instrument_is_coverage_optimize_supported(void); + +void instrument_coverage_optimize(const cs_insn * instr, + GumStalkerOutput *output); diff --git a/frida_mode/include/interceptor.h b/frida_mode/include/interceptor.h index 5ed3cf49..49c0630a 100644 --- a/frida_mode/include/interceptor.h +++ b/frida_mode/include/interceptor.h @@ -1,4 +1,6 @@ #include "frida-gum.h" void intercept(void *address, gpointer replacement, gpointer user_data); +void unintercept(void *address); +void unintercept_self(void); diff --git a/frida_mode/include/lib.h b/frida_mode/include/lib.h new file mode 100644 index 00000000..1dc426a2 --- /dev/null +++ b/frida_mode/include/lib.h @@ -0,0 +1,8 @@ +#include "frida-gum.h" + +void lib_init(void); + +guint64 lib_get_text_base(void); + +guint64 lib_get_text_limit(void); + diff --git a/frida_mode/include/persistent.h b/frida_mode/include/persistent.h new file mode 100644 index 00000000..14c8a268 --- /dev/null +++ b/frida_mode/include/persistent.h @@ -0,0 +1,26 @@ +#include "frida-gum.h" + +#include "config.h" + +typedef struct arch_api_regs api_regs; + +typedef void (*afl_persistent_hook_fn)(api_regs *regs, uint64_t guest_base, + uint8_t *input_buf, + uint32_t input_buf_len); + +extern int __afl_persistent_loop(unsigned int max_cnt); + +extern unsigned int * __afl_fuzz_len; +extern unsigned char *__afl_fuzz_ptr; + +guint64 persistent_start; +guint64 persistent_count; +afl_persistent_hook_fn hook; + +void persistent_init(void); + +/* Functions to be implemented by the different architectures */ +gboolean persistent_is_supported(void); + +void persistent_prologue(GumStalkerOutput *output); + diff --git a/frida_mode/include/prefetch.h b/frida_mode/include/prefetch.h index b7f25a97..110f717f 100644 --- a/frida_mode/include/prefetch.h +++ b/frida_mode/include/prefetch.h @@ -1,5 +1,6 @@ -void prefetch_init(); -void prefetch_start(GumStalker *stalker); +#include "frida-gum.h" + +void prefetch_init(void); void prefetch_write(void *addr); -void prefetch_read(GumStalker *stalker); +void prefetch_read(void); diff --git a/frida_mode/include/ranges.h b/frida_mode/include/ranges.h index b9394dbc..a021f35c 100644 --- a/frida_mode/include/ranges.h +++ b/frida_mode/include/ranges.h @@ -1,6 +1,6 @@ #include "frida-gum.h" -void ranges_init(GumStalker *stalker); +void ranges_init(void); gboolean range_is_excluded(gpointer address); diff --git a/frida_mode/include/stalker.h b/frida_mode/include/stalker.h new file mode 100644 index 00000000..1962eec9 --- /dev/null +++ b/frida_mode/include/stalker.h @@ -0,0 +1,8 @@ +#include "frida-gum.h" + +void stalker_init(void); +GumStalker *stalker_get(void); +void stalker_start(void); +void stalker_pause(void); +void stalker_resume(void); + diff --git a/frida_mode/include/util.h b/frida_mode/include/util.h new file mode 100644 index 00000000..5b4ea76b --- /dev/null +++ b/frida_mode/include/util.h @@ -0,0 +1,6 @@ +#include "frida-gum.h" + +guint64 util_read_address(char *key); + +guint64 util_read_num(char *key); + diff --git a/frida_mode/src/complog/complog.c b/frida_mode/src/complog/complog.c new file mode 100644 index 00000000..3b679a5c --- /dev/null +++ b/frida_mode/src/complog/complog.c @@ -0,0 +1,72 @@ +#include "frida-gum.h" + +#include "debug.h" +#include "cmplog.h" + +extern struct cmp_map *__afl_cmp_map; + +static GArray *complog_ranges = NULL; + +static gboolean complog_range(const GumRangeDetails *details, + gpointer user_data) { + + GumMemoryRange range = *details->range; + g_array_append_val(complog_ranges, range); + +} + +static gint complog_sort(gconstpointer a, gconstpointer b) { + + return ((GumMemoryRange *)b)->base_address - + ((GumMemoryRange *)a)->base_address; + +} + +void complog_init(void) { + + if (__afl_cmp_map != NULL) { OKF("CompLog mode enabled"); } + + complog_ranges = g_array_sized_new(false, false, sizeof(GumMemoryRange), 100); + gum_process_enumerate_ranges(GUM_PAGE_READ, complog_range, NULL); + g_array_sort(complog_ranges, complog_sort); + + for (guint i = 0; i < complog_ranges->len; i++) { + + GumMemoryRange *range = &g_array_index(complog_ranges, GumMemoryRange, i); + OKF("CompLog Range - 0x%016lX - 0x%016lX", range->base_address, + range->base_address + range->size); + + } + +} + +static gboolean complog_contains(GumAddress inner_base, GumAddress inner_limit, + GumAddress outer_base, + GumAddress outer_limit) { + + return (inner_base >= outer_base && inner_limit <= outer_limit); + +} + +gboolean complog_is_readable(void *addr, size_t size) { + + if (complog_ranges == NULL) FATAL("CompLog not initialized"); + + GumAddress inner_base = GUM_ADDRESS(addr); + GumAddress inner_limit = inner_base + size; + + for (guint i = 0; i < complog_ranges->len; i++) { + + GumMemoryRange *range = &g_array_index(complog_ranges, GumMemoryRange, i); + GumAddress outer_base = range->base_address; + GumAddress outer_limit = outer_base + range->size; + + if (complog_contains(inner_base, inner_limit, outer_base, outer_limit)) + return true; + + } + + return false; + +} + diff --git a/frida_mode/src/complog/complog_arm.c b/frida_mode/src/complog/complog_arm.c new file mode 100644 index 00000000..82cc2557 --- /dev/null +++ b/frida_mode/src/complog/complog_arm.c @@ -0,0 +1,15 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "complog.h" + +#if defined(__arm64__) +void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { + + FATAL("Complog mode not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/src/complog/complog_arm64.c b/frida_mode/src/complog/complog_arm64.c new file mode 100644 index 00000000..e4dbf322 --- /dev/null +++ b/frida_mode/src/complog/complog_arm64.c @@ -0,0 +1,15 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "complog.h" + +#if defined(__i386__) +void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { + + FATAL("Complog mode not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/src/complog/complog_x64.c b/frida_mode/src/complog/complog_x64.c new file mode 100644 index 00000000..253ec041 --- /dev/null +++ b/frida_mode/src/complog/complog_x64.c @@ -0,0 +1,363 @@ +#include "frida-gum.h" + +#include "debug.h" +#include "cmplog.h" + +#include "complog.h" + +#if defined(__x86_64__) + + #define X86_REG_8L(LABEL, REG) \ + case LABEL: { \ + \ + return REG & GUM_INT8_MASK; \ + \ + } + + #define X86_REG_8H(LABEL, REG) \ + case LABEL: { \ + \ + return (REG & GUM_INT16_MASK) >> 8; \ + \ + } + + #define X86_REG_16(LABEL, REG) \ + case LABEL: { \ + \ + return (REG & GUM_INT16_MASK); \ + \ + } + + #define X86_REG_32(LABEL, REG) \ + case LABEL: { \ + \ + return (REG & GUM_INT32_MASK); \ + \ + } + + #define X86_REG_64(LABEL, REG) \ + case LABEL: { \ + \ + return (REG); \ + \ + } + +typedef struct { + + x86_op_type type; + uint8_t size; + + union { + + x86_op_mem mem; + x86_reg reg; + int64_t imm; + + }; + +} complog_ctx_t; + +typedef struct { + + complog_ctx_t operand1; + complog_ctx_t operand2; + +} complog_pair_ctx_t; + +static guint64 complog_read_reg(GumX64CpuContext *ctx, x86_reg reg) { + + switch (reg) { + + X86_REG_8L(X86_REG_AL, ctx->rax) + X86_REG_8L(X86_REG_BL, ctx->rbx) + X86_REG_8L(X86_REG_CL, ctx->rcx) + X86_REG_8L(X86_REG_DL, ctx->rdx) + X86_REG_8L(X86_REG_BPL, ctx->rbp) + X86_REG_8L(X86_REG_SIL, ctx->rsi) + X86_REG_8L(X86_REG_DIL, ctx->rdi) + + X86_REG_8H(X86_REG_AH, ctx->rax) + X86_REG_8H(X86_REG_BH, ctx->rbx) + X86_REG_8H(X86_REG_CH, ctx->rcx) + X86_REG_8H(X86_REG_DH, ctx->rdx) + + X86_REG_16(X86_REG_AX, ctx->rax) + X86_REG_16(X86_REG_BX, ctx->rbx) + X86_REG_16(X86_REG_CX, ctx->rcx) + X86_REG_16(X86_REG_DX, ctx->rdx) + X86_REG_16(X86_REG_DI, ctx->rdi) + X86_REG_16(X86_REG_SI, ctx->rsi) + X86_REG_16(X86_REG_BP, ctx->rbp) + + X86_REG_32(X86_REG_EAX, ctx->rax) + X86_REG_32(X86_REG_ECX, ctx->rcx) + X86_REG_32(X86_REG_EDX, ctx->rdx) + X86_REG_32(X86_REG_EBX, ctx->rbx) + X86_REG_32(X86_REG_ESP, ctx->rsp) + X86_REG_32(X86_REG_EBP, ctx->rbp) + X86_REG_32(X86_REG_ESI, ctx->rsi) + X86_REG_32(X86_REG_EDI, ctx->rdi) + X86_REG_32(X86_REG_R8D, ctx->r8) + X86_REG_32(X86_REG_R9D, ctx->r9) + X86_REG_32(X86_REG_R10D, ctx->r10) + X86_REG_32(X86_REG_R11D, ctx->r11) + X86_REG_32(X86_REG_R12D, ctx->r12) + X86_REG_32(X86_REG_R13D, ctx->r13) + X86_REG_32(X86_REG_R14D, ctx->r14) + X86_REG_32(X86_REG_R15D, ctx->r15) + X86_REG_32(X86_REG_EIP, ctx->rip) + + X86_REG_64(X86_REG_RAX, ctx->rax) + X86_REG_64(X86_REG_RCX, ctx->rcx) + X86_REG_64(X86_REG_RDX, ctx->rdx) + X86_REG_64(X86_REG_RBX, ctx->rbx) + X86_REG_64(X86_REG_RSP, ctx->rsp) + X86_REG_64(X86_REG_RBP, ctx->rbp) + X86_REG_64(X86_REG_RSI, ctx->rsi) + X86_REG_64(X86_REG_RDI, ctx->rdi) + X86_REG_64(X86_REG_R8, ctx->r8) + X86_REG_64(X86_REG_R9, ctx->r9) + X86_REG_64(X86_REG_R10, ctx->r10) + X86_REG_64(X86_REG_R11, ctx->r11) + X86_REG_64(X86_REG_R12, ctx->r12) + X86_REG_64(X86_REG_R13, ctx->r13) + X86_REG_64(X86_REG_R14, ctx->r14) + X86_REG_64(X86_REG_R15, ctx->r15) + X86_REG_64(X86_REG_RIP, ctx->rip) + + default: + FATAL("Failed to read register: %d", reg); + return 0; + + } + +} + +static guint64 complog_read_mem(GumX64CpuContext *ctx, x86_op_mem *mem) { + + guint64 base = 0; + guint64 index = 0; + guint64 address; + + if (mem->base != X86_REG_INVALID) base = complog_read_reg(ctx, mem->base); + + if (mem->index != X86_REG_INVALID) index = complog_read_reg(ctx, mem->index); + + address = base + (index * mem->scale) + mem->disp; + return address; + +} + +static void complog_handle_call(GumCpuContext *context, guint64 target) { + + guint64 address = complog_read_reg(context, X86_REG_RIP); + guint64 rdi = complog_read_reg(context, X86_REG_RDI); + guint64 rsi = complog_read_reg(context, X86_REG_RSI); + + void *ptr1 = GSIZE_TO_POINTER(rdi); + void *ptr2 = GSIZE_TO_POINTER(rsi); + + if (!complog_is_readable(ptr1, 32) || !complog_is_readable(ptr2, 32)) return; + + uintptr_t k = address; + + k = (k >> 4) ^ (k << 8); + k &= CMP_MAP_W - 1; + + __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits + 1; + + __afl_cmp_map->headers[k].shape = 31; + + hits &= CMP_MAP_RTN_H - 1; + gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0, ptr1, + 32); + gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1, ptr2, + 32); + +} + +static guint64 cmplog_get_operand_value(GumCpuContext *context, + complog_ctx_t *ctx) { + + switch (ctx->type) { + + case X86_OP_REG: + return complog_read_reg(context, ctx->reg); + case X86_OP_IMM: + return ctx->imm; + case X86_OP_MEM: + return complog_read_mem(context, &ctx->mem); + default: + FATAL("Invalid operand type: %d\n", ctx->type); + + } + +} + +static void complog_call_callout(GumCpuContext *context, gpointer user_data) { + + complog_ctx_t *ctx = (complog_ctx_t *)user_data; + + guint64 target = cmplog_get_operand_value(context, ctx); + complog_handle_call(context, target); + +} + +static void complog_instrument_put_operand(complog_ctx_t *ctx, + cs_x86_op * operand) { + + ctx->type = operand->type; + ctx->size = operand->size; + switch (operand->type) { + + case X86_OP_REG: + gum_memcpy(&ctx->reg, &operand->reg, sizeof(x86_reg)); + break; + case X86_OP_IMM: + gum_memcpy(&ctx->imm, &operand->imm, sizeof(int64_t)); + break; + case X86_OP_MEM: + gum_memcpy(&ctx->mem, &operand->mem, sizeof(x86_op_mem)); + break; + default: + FATAL("Invalid operand type: %d\n", operand->type); + + } + +} + +static void complog_instrument_call_put_callout(GumStalkerIterator *iterator, + cs_x86_op * operand) { + + complog_ctx_t *ctx = g_malloc(sizeof(complog_ctx_t)); + if (ctx == NULL) return; + + complog_instrument_put_operand(ctx, operand); + + gum_stalker_iterator_put_callout(iterator, complog_call_callout, ctx, g_free); + +} + +static void complog_instrument_call(const cs_insn * instr, + GumStalkerIterator *iterator) { + + cs_x86 x86 = instr->detail->x86; + cs_x86_op *operand; + + if (instr->id != X86_INS_CALL) return; + + if (x86.op_count != 1) return; + + operand = &x86.operands[0]; + + if (operand->type == X86_OP_INVALID) return; + if (operand->type == X86_OP_MEM && operand->mem.segment != X86_REG_INVALID) + return; + + complog_instrument_call_put_callout(iterator, operand); + +} + +static void complog_handle_cmp_sub(GumCpuContext *context, guint64 operand1, + guint64 operand2, uint8_t size) { + + guint64 address = complog_read_reg(context, X86_REG_RIP); + + register uintptr_t k = (uintptr_t)address; + + k = (k >> 4) ^ (k << 8); + k &= CMP_MAP_W - 1; + + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits + 1; + + __afl_cmp_map->headers[k].shape = (size - 1); + + hits &= CMP_MAP_H - 1; + __afl_cmp_map->log[k][hits].v0 = operand1; + __afl_cmp_map->log[k][hits].v1 = operand2; + +} + +static void complog_cmp_sub_callout(GumCpuContext *context, + gpointer user_data) { + + complog_pair_ctx_t *ctx = (complog_pair_ctx_t *)user_data; + + if (ctx->operand1.size != ctx->operand2.size) FATAL("Operand size mismatch"); + + guint64 operand1 = cmplog_get_operand_value(context, &ctx->operand1); + guint64 operand2 = cmplog_get_operand_value(context, &ctx->operand2); + + complog_handle_cmp_sub(context, operand1, operand2, ctx->operand1.size); + +} + +static void complog_instrument_cmp_sub_put_callout(GumStalkerIterator *iterator, + cs_x86_op * operand1, + cs_x86_op *operand2) { + + complog_pair_ctx_t *ctx = g_malloc(sizeof(complog_pair_ctx_t)); + if (ctx == NULL) return; + + complog_instrument_put_operand(&ctx->operand1, operand1); + complog_instrument_put_operand(&ctx->operand2, operand2); + + gum_stalker_iterator_put_callout(iterator, complog_cmp_sub_callout, ctx, + g_free); + +} + +static void complog_instrument_cmp_sub(const cs_insn * instr, + GumStalkerIterator *iterator) { + + cs_x86 x86 = instr->detail->x86; + cs_x86_op *operand1; + cs_x86_op *operand2; + + switch (instr->id) { + + case X86_INS_CMP: + case X86_INS_SUB: + break; + default: + return; + + } + + if (x86.op_count != 2) return; + + operand1 = &x86.operands[0]; + operand2 = &x86.operands[1]; + + if (operand1->type == X86_OP_INVALID) return; + if (operand2->type == X86_OP_INVALID) return; + + if ((operand1->type == X86_OP_MEM) && + (operand1->mem.segment != X86_REG_INVALID)) + return; + + if ((operand2->type == X86_OP_MEM) && + (operand2->mem.segment != X86_REG_INVALID)) + return; + + complog_instrument_cmp_sub_put_callout(iterator, operand1, operand2); + +} + +void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { + + if (__afl_cmp_map == NULL) return; + + complog_instrument_call(instr, iterator); + complog_instrument_cmp_sub(instr, iterator); + +} + +#endif + diff --git a/frida_mode/src/complog/complog_x86.c b/frida_mode/src/complog/complog_x86.c new file mode 100644 index 00000000..df7b7cc1 --- /dev/null +++ b/frida_mode/src/complog/complog_x86.c @@ -0,0 +1,15 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "complog.h" + +#if defined(__arm__) +void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { + + FATAL("Complog mode not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/src/instrument.c b/frida_mode/src/instrument.c deleted file mode 100644 index 22910062..00000000 --- a/frida_mode/src/instrument.c +++ /dev/null @@ -1,271 +0,0 @@ -#include "frida-gum.h" -#include "config.h" -#include "debug.h" -#include "prefetch.h" -#include "ranges.h" -#include "unistd.h" - -extern uint8_t *__afl_area_ptr; -extern u32 __afl_map_size; - -uint64_t __thread previous_pc = 0; -GumAddress current_log_impl = GUM_ADDRESS(0); - -static gboolean tracing = false; -static gboolean optimize = false; -static gboolean strict = false; - -#if defined(__x86_64__) -static const guint8 afl_log_code[] = { - - 0x9c, /* pushfq */ - 0x50, /* push rax */ - 0x51, /* push rcx */ - 0x52, /* push rdx */ - - 0x48, 0x8d, 0x05, 0x27, - 0x00, 0x00, 0x00, /* lea rax, sym._afl_area_ptr_ptr */ - 0x48, 0x8b, 0x00, /* mov rax, qword [rax] */ - 0x48, 0x8b, 0x00, /* mov rax, qword [rax] */ - 0x48, 0x8d, 0x0d, 0x22, - 0x00, 0x00, 0x00, /* lea rcx, sym.previous_pc */ - 0x48, 0x8b, 0x11, /* mov rdx, qword [rcx] */ - 0x48, 0x8b, 0x12, /* mov rdx, qword [rdx] */ - 0x48, 0x31, 0xfa, /* xor rdx, rdi */ - 0xfe, 0x04, 0x10, /* inc byte [rax + rdx] */ - 0x48, 0xd1, 0xef, /* shr rdi, 1 */ - 0x48, 0x8b, 0x01, /* mov rax, qword [rcx] */ - 0x48, 0x89, 0x38, /* mov qword [rax], rdi */ - - 0x5a, /* pop rdx */ - 0x59, /* pop rcx */ - 0x58, /* pop rax */ - 0x9d, /* popfq */ - - 0xc3, /* ret */ - - /* Read-only data goes here: */ - /* uint8_t** afl_area_ptr_ptr */ - /* uint64_t* afl_prev_loc_ptr */ - -}; - -void instrument_coverage_optimize(const cs_insn * instr, - GumStalkerOutput *output) { - - guint64 current_pc = instr->address; - guint64 area_offset = (current_pc >> 4) ^ (current_pc << 8); - area_offset &= MAP_SIZE - 1; - GumX86Writer *cw = output->writer.x86; - - if (current_log_impl == 0 || - !gum_x86_writer_can_branch_directly_between(cw->pc, current_log_impl) || - !gum_x86_writer_can_branch_directly_between(cw->pc + 128, - current_log_impl)) { - - gconstpointer after_log_impl = cw->code + 1; - - gum_x86_writer_put_jmp_near_label(cw, after_log_impl); - - current_log_impl = cw->pc; - gum_x86_writer_put_bytes(cw, afl_log_code, sizeof(afl_log_code)); - - uint8_t **afl_area_ptr_ptr = &__afl_area_ptr; - uint64_t *afl_prev_loc_ptr = &previous_pc; - gum_x86_writer_put_bytes(cw, (const guint8 *)&afl_area_ptr_ptr, - sizeof(afl_area_ptr_ptr)); - gum_x86_writer_put_bytes(cw, (const guint8 *)&afl_prev_loc_ptr, - sizeof(afl_prev_loc_ptr)); - - gum_x86_writer_put_label(cw, after_log_impl); - - } - - gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, - -GUM_RED_ZONE_SIZE); - gum_x86_writer_put_push_reg(cw, GUM_REG_RDI); - gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RDI, area_offset); - gum_x86_writer_put_call_address(cw, current_log_impl); - gum_x86_writer_put_pop_reg(cw, GUM_REG_RDI); - gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, - GUM_RED_ZONE_SIZE); - -} - -#elif defined(__aarch64__) -static const guint8 afl_log_code[] = { - - // __afl_area_ptr[current_pc ^ previous_pc]++; - // previous_pc = current_pc >> 1; - 0xE1, 0x0B, 0xBF, 0xA9, // stp x1, x2, [sp, -0x10]! - 0xE3, 0x13, 0xBF, 0xA9, // stp x3, x4, [sp, -0x10]! - - // x0 = current_pc - 0xc1, 0x01, 0x00, 0x58, // ldr x1, #0x38, =&__afl_area_ptr - 0x21, 0x00, 0x40, 0xf9, // ldr x1, [x1] (=__afl_area_ptr) - - 0xc2, 0x01, 0x00, 0x58, // ldr x2, #0x38, =&previous_pc - 0x42, 0x00, 0x40, 0xf9, // ldr x2, [x2] (=previous_pc) - - // __afl_area_ptr[current_pc ^ previous_pc]++; - 0x42, 0x00, 0x00, 0xca, // eor x2, x2, x0 - 0x23, 0x68, 0x62, 0xf8, // ldr x3, [x1, x2] - 0x63, 0x04, 0x00, 0x91, // add x3, x3, #1 - 0x23, 0x68, 0x22, 0xf8, // str x3, [x1, x2] - - // previous_pc = current_pc >> 1; - 0xe0, 0x07, 0x40, 0x8b, // add x0, xzr, x0, LSR #1 - 0xe2, 0x00, 0x00, 0x58, // ldr x2, #0x1c, =&previous_pc - 0x40, 0x00, 0x00, 0xf9, // str x0, [x2] - - 0xE3, 0x13, 0xc1, 0xA8, // ldp x3, x4, [sp], #0x10 - 0xE1, 0x0B, 0xc1, 0xA8, // ldp x1, x2, [sp], #0x10 - 0xC0, 0x03, 0x5F, 0xD6, // ret - - // &afl_area_ptr_ptr - // &afl_prev_loc_ptr - -}; - -void instrument_coverage_optimize(const cs_insn * instr, - GumStalkerOutput *output) { - - guint64 current_pc = instr->address; - guint64 area_offset = (current_pc >> 4) ^ (current_pc << 8); - area_offset &= MAP_SIZE - 1; - GumArm64Writer *cw = output->writer.arm64; - - if (current_log_impl == 0 || - !gum_arm64_writer_can_branch_directly_between(cw, cw->pc, - current_log_impl) || - !gum_arm64_writer_can_branch_directly_between(cw, cw->pc + 128, - current_log_impl)) { - - gconstpointer after_log_impl = cw->code + 1; - - gum_arm64_writer_put_b_label(cw, after_log_impl); - - current_log_impl = cw->pc; - gum_arm64_writer_put_bytes(cw, afl_log_code, sizeof(afl_log_code)); - - uint8_t **afl_area_ptr_ptr = &__afl_area_ptr; - uint64_t *afl_prev_loc_ptr = &previous_pc; - gum_arm64_writer_put_bytes(cw, (const guint8 *)&afl_area_ptr_ptr, - sizeof(afl_area_ptr_ptr)); - gum_arm64_writer_put_bytes(cw, (const guint8 *)&afl_prev_loc_ptr, - sizeof(afl_prev_loc_ptr)); - - gum_arm64_writer_put_label(cw, after_log_impl); - - } - - gum_arm64_writer_put_stp_reg_reg_reg_offset( - cw, ARM64_REG_LR, ARM64_REG_X0, ARM64_REG_SP, -(16 + GUM_RED_ZONE_SIZE), - GUM_INDEX_PRE_ADJUST); - gum_arm64_writer_put_ldr_reg_u64(cw, ARM64_REG_X0, area_offset); - gum_arm64_writer_put_bl_imm(cw, current_log_impl); - gum_arm64_writer_put_ldp_reg_reg_reg_offset( - cw, ARM64_REG_LR, ARM64_REG_X0, ARM64_REG_SP, 16 + GUM_RED_ZONE_SIZE, - GUM_INDEX_POST_ADJUST); - -} - -#endif - -static void on_basic_block(GumCpuContext *context, gpointer user_data) { - - /* - * This function is performance critical as it is called to instrument every - * basic block. By moving our print buffer to a global, we avoid it affecting - * the critical path with additional stack adjustments if tracing is not - * enabled. If tracing is enabled, then we're printing a load of diagnostic - * information so this overhead is unlikely to be noticeable. - */ - static char buffer[200]; - int len; - guint64 current_pc = (guint64)user_data; - if (tracing) { - - /* Avoid any functions which may cause an allocation since the target app - * may already be running inside malloc and it isn't designed to be - * re-entrant on a single thread */ - len = snprintf(buffer, sizeof(buffer), - "current_pc: 0x%016" G_GINT64_MODIFIER - "x, previous_pc: 0x%016" G_GINT64_MODIFIER "x\n", - current_pc, previous_pc); - - write(STDOUT_FILENO, buffer, len + 1); - - } - - current_pc = (current_pc >> 4) ^ (current_pc << 8); - current_pc &= MAP_SIZE - 1; - - __afl_area_ptr[current_pc ^ previous_pc]++; - previous_pc = current_pc >> 1; - -} - -void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, - gpointer user_data) { - - const cs_insn *instr; - gboolean begin = TRUE; - while (gum_stalker_iterator_next(iterator, &instr)) { - - if (begin) { - - prefetch_write((void *)instr->address); - if (!strict || !range_is_excluded((void *)instr->address)) { - - if (optimize) { - - instrument_coverage_optimize(instr, output); - - } else { - - gum_stalker_iterator_put_callout(iterator, on_basic_block, - (gpointer)instr->address, NULL); - - } - - } - - begin = FALSE; - - } - - gum_stalker_iterator_keep(iterator); - - } - -} - -void instrument_init() { - - optimize = (getenv("AFL_FRIDA_INST_NO_OPTIMIZE") == NULL); - tracing = (getenv("AFL_FRIDA_INST_TRACE") != NULL); - strict = (getenv("AFL_FRIDA_INST_STRICT") != NULL); - -#if !defined(__x86_64__) && !defined(__aarch64__) - optimize = false; -#endif - - OKF("Instrumentation - optimize [%c]", optimize ? 'X' : ' '); - OKF("Instrumentation - tracing [%c]", tracing ? 'X' : ' '); - OKF("Instrumentation - strict [%c]", strict ? 'X' : ' '); - - if (tracing && optimize) { - - FATAL("AFL_FRIDA_INST_OPTIMIZE and AFL_FRIDA_INST_TRACE are incompatible"); - - } - - if (__afl_map_size != 0x10000) { - - FATAL("Bad map size: 0x%08x", __afl_map_size); - - } - -} - diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c new file mode 100644 index 00000000..81080bee --- /dev/null +++ b/frida_mode/src/instrument/instrument.c @@ -0,0 +1,150 @@ +#include + +#include "frida-gum.h" + +#include "config.h" +#include "debug.h" + +#include "complog.h" +#include "instrument.h" +#include "persistent.h" +#include "prefetch.h" +#include "ranges.h" +#include "stalker.h" + +static gboolean tracing = false; +static gboolean optimize = false; +static gboolean strict = false; +static GumStalkerTransformer *transformer = NULL; + +uint64_t __thread previous_pc = 0; + +__attribute__((hot)) static void on_basic_block(GumCpuContext *context, + gpointer user_data) { + + /* + * This function is performance critical as it is called to instrument every + * basic block. By moving our print buffer to a global, we avoid it affecting + * the critical path with additional stack adjustments if tracing is not + * enabled. If tracing is enabled, then we're printing a load of diagnostic + * information so this overhead is unlikely to be noticeable. + */ + static char buffer[200]; + int len; + guint64 current_pc = (guint64)user_data; + uint8_t * cursor; + uint64_t value; + if (unlikely(tracing)) { + + /* Avoid any functions which may cause an allocation since the target app + * may already be running inside malloc and it isn't designed to be + * re-entrant on a single thread */ + len = snprintf(buffer, sizeof(buffer), + "current_pc: 0x%016" G_GINT64_MODIFIER + "x, previous_pc: 0x%016" G_GINT64_MODIFIER "x\n", + current_pc, previous_pc); + + write(STDOUT_FILENO, buffer, len + 1); + + } + + current_pc = (current_pc >> 4) ^ (current_pc << 8); + current_pc &= MAP_SIZE - 1; + + cursor = &__afl_area_ptr[current_pc ^ previous_pc]; + value = *cursor; + + if (value == 0xff) { + + value = 1; + + } else { + + value++; + + } + + *cursor = value; + previous_pc = current_pc >> 1; + +} + +static void instr_basic_block(GumStalkerIterator *iterator, + GumStalkerOutput *output, gpointer user_data) { + + const cs_insn *instr; + gboolean begin = TRUE; + while (gum_stalker_iterator_next(iterator, &instr)) { + + if (instr->address == persistent_start) { persistent_prologue(output); } + + if (begin) { + + prefetch_write((void *)instr->address); + if (!range_is_excluded((void *)instr->address)) { + + if (optimize) { + + instrument_coverage_optimize(instr, output); + + } else { + + gum_stalker_iterator_put_callout(iterator, on_basic_block, + (gpointer)instr->address, NULL); + + } + + } + + begin = FALSE; + + } + + if (!range_is_excluded((void *)instr->address)) { + + complog_instrument(instr, iterator); + + } + + gum_stalker_iterator_keep(iterator); + + } + +} + +void instrument_init(void) { + + optimize = (getenv("AFL_FRIDA_INST_NO_OPTIMIZE") == NULL); + tracing = (getenv("AFL_FRIDA_INST_TRACE") != NULL); + + if (!instrument_is_coverage_optimize_supported()) optimize = false; + + OKF("Instrumentation - optimize [%c]", optimize ? 'X' : ' '); + OKF("Instrumentation - tracing [%c]", tracing ? 'X' : ' '); + + if (tracing && optimize) { + + FATAL("AFL_FRIDA_INST_OPTIMIZE and AFL_FRIDA_INST_TRACE are incompatible"); + + } + + if (__afl_map_size != 0x10000) { + + FATAL("Bad map size: 0x%08x", __afl_map_size); + + } + + transformer = + gum_stalker_transformer_make_from_callback(instr_basic_block, NULL, NULL); + + complog_init(); + +} + +GumStalkerTransformer *instrument_get_transformer(void) { + + if (transformer == NULL) { FATAL("Instrumentation not initialized"); } + return transformer; + +} + diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c new file mode 100644 index 00000000..c2d720a7 --- /dev/null +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -0,0 +1,23 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "instrument.h" + +#if defined(__arm__) + +gboolean instrument_is_coverage_optimize_supported(void) { + + return false; + +} + +void instrument_coverage_optimize(const cs_insn * instr, + GumStalkerOutput *output) { + + FATAL("Optimized coverage not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c new file mode 100644 index 00000000..fa3afb48 --- /dev/null +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -0,0 +1,97 @@ +#include "frida-gum.h" + +#include "config.h" +#include "debug.h" + +#include "instrument.h" + +#if defined(__aarch64__) + +static GumAddress current_log_impl = GUM_ADDRESS(0); + +static const guint8 afl_log_code[] = { + + // __afl_area_ptr[current_pc ^ previous_pc]++; + // previous_pc = current_pc >> 1; + 0xE1, 0x0B, 0xBF, 0xA9, // stp x1, x2, [sp, -0x10]! + 0xE3, 0x13, 0xBF, 0xA9, // stp x3, x4, [sp, -0x10]! + + // x0 = current_pc + 0xe1, 0x01, 0x00, 0x58, // ldr x1, #0x3c, =&__afl_area_ptr + 0x21, 0x00, 0x40, 0xf9, // ldr x1, [x1] (=__afl_area_ptr) + + 0xe2, 0x01, 0x00, 0x58, // ldr x2, #0x3c, =&previous_pc + 0x42, 0x00, 0x40, 0xf9, // ldr x2, [x2] (=previous_pc) + + // __afl_area_ptr[current_pc ^ previous_pc]++; + 0x42, 0x00, 0x00, 0xca, // eor x2, x2, x0 + 0x23, 0x68, 0x62, 0xf8, // ldr x3, [x1, x2] + 0x63, 0x04, 0x00, 0x91, // add x3, x3, #1 + 0x63, 0x00, 0x1f, 0x9a, // adc x3, x3, xzr + 0x23, 0x68, 0x22, 0xf8, // str x3, [x1, x2] + + // previous_pc = current_pc >> 1; + 0xe0, 0x07, 0x40, 0x8b, // add x0, xzr, x0, LSR #1 + 0xe2, 0x00, 0x00, 0x58, // ldr x2, #0x1c, =&previous_pc + 0x40, 0x00, 0x00, 0xf9, // str x0, [x2] + + 0xE3, 0x13, 0xc1, 0xA8, // ldp x3, x4, [sp], #0x10 + 0xE1, 0x0B, 0xc1, 0xA8, // ldp x1, x2, [sp], #0x10 + 0xC0, 0x03, 0x5F, 0xD6, // ret + + // &afl_area_ptr_ptr + // &afl_prev_loc_ptr + +}; + +gboolean instrument_is_coverage_optimize_supported(void) { + + return true; + +} + +void instrument_coverage_optimize(const cs_insn * instr, + GumStalkerOutput *output) { + + guint64 current_pc = instr->address; + guint64 area_offset = (current_pc >> 4) ^ (current_pc << 8); + area_offset &= MAP_SIZE - 1; + GumArm64Writer *cw = output->writer.arm64; + + if (current_log_impl == 0 || + !gum_arm64_writer_can_branch_directly_between(cw, cw->pc, + current_log_impl) || + !gum_arm64_writer_can_branch_directly_between(cw, cw->pc + 128, + current_log_impl)) { + + gconstpointer after_log_impl = cw->code + 1; + + gum_arm64_writer_put_b_label(cw, after_log_impl); + + current_log_impl = cw->pc; + gum_arm64_writer_put_bytes(cw, afl_log_code, sizeof(afl_log_code)); + + uint8_t **afl_area_ptr_ptr = &__afl_area_ptr; + uint64_t *afl_prev_loc_ptr = &previous_pc; + gum_arm64_writer_put_bytes(cw, (const guint8 *)&afl_area_ptr_ptr, + sizeof(afl_area_ptr_ptr)); + gum_arm64_writer_put_bytes(cw, (const guint8 *)&afl_prev_loc_ptr, + sizeof(afl_prev_loc_ptr)); + + gum_arm64_writer_put_label(cw, after_log_impl); + + } + + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_LR, ARM64_REG_X0, ARM64_REG_SP, -(16 + GUM_RED_ZONE_SIZE), + GUM_INDEX_PRE_ADJUST); + gum_arm64_writer_put_ldr_reg_u64(cw, ARM64_REG_X0, area_offset); + gum_arm64_writer_put_bl_imm(cw, current_log_impl); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_LR, ARM64_REG_X0, ARM64_REG_SP, 16 + GUM_RED_ZONE_SIZE, + GUM_INDEX_POST_ADJUST); + +} + +#endif + diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c new file mode 100644 index 00000000..901f3bd0 --- /dev/null +++ b/frida_mode/src/instrument/instrument_x64.c @@ -0,0 +1,93 @@ +#include "frida-gum.h" + +#include "config.h" + +#include "instrument.h" + +#if defined(__x86_64__) + +static GumAddress current_log_impl = GUM_ADDRESS(0); + +static const guint8 afl_log_code[] = { + + // 0xcc, + + 0x9c, /* pushfq */ + 0x51, /* push rcx */ + 0x52, /* push rdx */ + + 0x48, 0x8b, 0x0d, 0x28, + 0x00, 0x00, 0x00, /* mov rcx, sym.&previous_pc */ + 0x48, 0x8b, 0x11, /* mov rdx, qword [rcx] */ + 0x48, 0x31, 0xfa, /* xor rdx, rdi */ + + 0x48, 0x03, 0x15, 0x13, + 0x00, 0x00, 0x00, /* add rdx, sym._afl_area_ptr_ptr */ + + 0x80, 0x02, 0x01, /* add byte ptr [rdx], 1 */ + 0x80, 0x12, 0x00, /* adc byte ptr [rdx], 0 */ + 0x48, 0xd1, 0xef, /* shr rdi, 1 */ + 0x48, 0x89, 0x39, /* mov qword [rcx], rdi */ + + 0x5a, /* pop rdx */ + 0x59, /* pop rcx */ + 0x9d, /* popfq */ + + 0xc3, /* ret */ + 0x90, 0x90, 0x90 /* nop pad */ + + /* Read-only data goes here: */ + /* uint8_t* __afl_area_ptr */ + /* uint64_t* &previous_pc */ + +}; + +gboolean instrument_is_coverage_optimize_supported(void) { + + return true; + +} + +void instrument_coverage_optimize(const cs_insn * instr, + GumStalkerOutput *output) { + + guint64 current_pc = instr->address; + guint64 area_offset = (current_pc >> 4) ^ (current_pc << 8); + area_offset &= MAP_SIZE - 1; + GumX86Writer *cw = output->writer.x86; + + if (current_log_impl == 0 || + !gum_x86_writer_can_branch_directly_between(cw->pc, current_log_impl) || + !gum_x86_writer_can_branch_directly_between(cw->pc + 128, + current_log_impl)) { + + gconstpointer after_log_impl = cw->code + 1; + + gum_x86_writer_put_jmp_near_label(cw, after_log_impl); + + current_log_impl = cw->pc; + gum_x86_writer_put_bytes(cw, afl_log_code, sizeof(afl_log_code)); + + uint64_t *afl_prev_loc_ptr = &previous_pc; + gum_x86_writer_put_bytes(cw, (const guint8 *)&__afl_area_ptr, + sizeof(__afl_area_ptr)); + gum_x86_writer_put_bytes(cw, (const guint8 *)&afl_prev_loc_ptr, + sizeof(afl_prev_loc_ptr)); + + gum_x86_writer_put_label(cw, after_log_impl); + + } + + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + -GUM_RED_ZONE_SIZE); + gum_x86_writer_put_push_reg(cw, GUM_REG_RDI); + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RDI, area_offset); + gum_x86_writer_put_call_address(cw, current_log_impl); + gum_x86_writer_put_pop_reg(cw, GUM_REG_RDI); + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + GUM_RED_ZONE_SIZE); + +} + +#endif + diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c new file mode 100644 index 00000000..5b8cbbba --- /dev/null +++ b/frida_mode/src/instrument/instrument_x86.c @@ -0,0 +1,23 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "instrument.h" + +#if defined(__i386__) + +gboolean instrument_is_coverage_optimize_supported(void) { + + return false; + +} + +void instrument_coverage_optimize(const cs_insn * instr, + GumStalkerOutput *output) { + + FATAL("Optimized coverage not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/src/interceptor.c b/frida_mode/src/interceptor.c index ba05a80a..8d41b075 100644 --- a/frida_mode/src/interceptor.c +++ b/frida_mode/src/interceptor.c @@ -1,4 +1,5 @@ #include "frida-gum.h" + #include "debug.h" #include "interceptor.h" @@ -14,3 +15,21 @@ void intercept(void *address, gpointer replacement, gpointer user_data) { } +void unintercept(void *address) { + + GumInterceptor *interceptor = gum_interceptor_obtain(); + + gum_interceptor_begin_transaction(interceptor); + gum_interceptor_revert(interceptor, address); + gum_interceptor_end_transaction(interceptor); + gum_interceptor_flush(interceptor); + +} + +void unintercept_self(void) { + + GumInvocationContext *ctx = gum_interceptor_get_current_invocation(); + unintercept(ctx->function); + +} + diff --git a/frida_mode/src/lib.c b/frida_mode/src/lib.c new file mode 100644 index 00000000..326d4819 --- /dev/null +++ b/frida_mode/src/lib.c @@ -0,0 +1,167 @@ +#include +#include +#include +#include +#include +#include + +#include "frida-gum.h" + +#include "debug.h" + +#include "lib.h" + +#if defined(__arm__) || defined(__i386__) + #define ELFCLASS ELFCLASS32 +typedef Elf32_Ehdr Elf_Ehdr; +typedef Elf32_Phdr Elf_Phdr; +typedef Elf32_Shdr Elf_Shdr; +#elif defined(__aarch64__) || defined(__x86_64__) + #define ELFCLASS ELFCLASS64 +typedef Elf64_Ehdr Elf_Ehdr; +typedef Elf64_Phdr Elf_Phdr; +typedef Elf64_Shdr Elf_Shdr; +#else + #error "Unsupported platform" +#endif + +typedef struct { + + gchar name[PATH_MAX + 1]; + gchar path[PATH_MAX + 1]; + GumAddress base_address; + gsize size; + +} lib_details_t; + +static guint64 text_base = 0; +static guint64 text_limit = 0; + +static gboolean lib_find_exe(const GumModuleDetails *details, + gpointer user_data) { + + lib_details_t *lib_details = (lib_details_t *)user_data; + + memcpy(lib_details->name, details->name, PATH_MAX); + memcpy(lib_details->path, details->path, PATH_MAX); + lib_details->base_address = details->range->base_address; + lib_details->size = details->range->size; + return FALSE; + +} + +static gboolean lib_is_little_endian(void) { + + int probe = 1; + return *(char *)&probe; + +} + +static void lib_validate_hdr(Elf_Ehdr *hdr) { + + if (hdr->e_ident[0] != ELFMAG0) FATAL("Invalid e_ident[0]"); + if (hdr->e_ident[1] != ELFMAG1) FATAL("Invalid e_ident[1]"); + if (hdr->e_ident[2] != ELFMAG2) FATAL("Invalid e_ident[2]"); + if (hdr->e_ident[3] != ELFMAG3) FATAL("Invalid e_ident[3]"); + if (hdr->e_ident[4] != ELFCLASS) FATAL("Invalid class"); + if (hdr->e_ident[5] != (lib_is_little_endian() ? ELFDATA2LSB : ELFDATA2MSB)) + FATAL("Invalid endian"); + if (hdr->e_ident[6] != EV_CURRENT) FATAL("Invalid version"); + if (hdr->e_type != ET_DYN) FATAL("Invalid type"); + if (hdr->e_version != EV_CURRENT) FATAL("Invalid e_version"); + if (hdr->e_phoff != sizeof(Elf_Ehdr)) FATAL("Invalid e_phoff"); + if (hdr->e_ehsize != sizeof(Elf_Ehdr)) FATAL("Invalid e_ehsize"); + if (hdr->e_phentsize != sizeof(Elf_Phdr)) FATAL("Invalid e_phentsize"); + if (hdr->e_shentsize != sizeof(Elf_Shdr)) FATAL("Invalid e_shentsize"); + +} + +static void lib_read_text_section(lib_details_t *lib_details, Elf_Ehdr *hdr) { + + Elf_Shdr *shdr; + Elf_Shdr *shstrtab; + char * shstr; + char * section_name; + Elf_Shdr *curr; + char text_name[] = ".text"; + + shdr = (Elf_Shdr *)((char *)hdr + hdr->e_shoff); + shstrtab = &shdr[hdr->e_shstrndx]; + shstr = (char *)hdr + shstrtab->sh_offset; + + OKF("shdr: %p", shdr); + OKF("shstrtab: %p", shstrtab); + OKF("shstr: %p", shstr); + + for (size_t i = 0; i < hdr->e_shnum; i++) { + + curr = &shdr[i]; + + if (curr->sh_name == 0) continue; + + section_name = &shstr[curr->sh_name]; + OKF("Section: %2lu - base: 0x%016lX size: 0x%016lX %s", i, curr->sh_addr, + curr->sh_size, section_name); + if (memcmp(section_name, text_name, sizeof(text_name)) == 0 && + text_base == 0) { + + text_base = lib_details->base_address + curr->sh_addr; + text_limit = lib_details->base_address + curr->sh_addr + curr->sh_size; + OKF("> text_addr: 0x%016lX", text_base); + OKF("> text_limit: 0x%016lX", text_limit); + + } + + } + +} + +static void lib_get_text_section(lib_details_t *details) { + + int fd = -1; + off_t len; + Elf_Ehdr *hdr; + + fd = open(details->path, O_RDONLY); + if (fd < 0) { FATAL("Failed to open %s", details->path); } + + len = lseek(fd, 0, SEEK_END); + + if (len == (off_t)-1) { FATAL("Failed to lseek %s", details->path); } + + OKF("len: %ld\n", len); + + hdr = (Elf_Ehdr *)mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0); + if (hdr == MAP_FAILED) { FATAL("Failed to map %s", details->path); } + + lib_validate_hdr(hdr); + lib_read_text_section(details, hdr); + + munmap(hdr, len); + close(fd); + +} + +void lib_init(void) { + + lib_details_t lib_details; + gum_process_enumerate_modules(lib_find_exe, &lib_details); + OKF("Executable: 0x%016lx - %s", lib_details.base_address, lib_details.path); + lib_get_text_section(&lib_details); + +} + +guint64 lib_get_text_base(void) { + + if (text_base == 0) FATAL("Lib not initialized"); + return text_base; + +} + +guint64 lib_get_text_limit(void) { + + if (text_limit == 0) FATAL("Lib not initialized"); + return text_limit; + +} + diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index 7505c2f9..f712a8c0 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -10,13 +10,17 @@ #endif #include "frida-gum.h" + #include "config.h" #include "debug.h" -#include "interceptor.h" #include "instrument.h" +#include "interceptor.h" +#include "lib.h" +#include "persistent.h" #include "prefetch.h" #include "ranges.h" +#include "stalker.h" #ifdef __APPLE__ extern mach_port_t mach_task_self(); @@ -30,16 +34,15 @@ extern int __libc_start_main(int *(main)(int, char **, char **), int argc, typedef int *(*main_fn_t)(int argc, char **argv, char **envp); -static main_fn_t main_fn = NULL; -static GumStalker * stalker = NULL; +static main_fn_t main_fn = NULL; + static GumMemoryRange code_range = {0}; -extern void __afl_manual_init(); -extern __thread uint64_t previous_pc; +extern void __afl_manual_init(); -static int on_fork() { +static int on_fork(void) { - prefetch_read(stalker); + prefetch_read(); return fork(); } @@ -70,37 +73,46 @@ static void on_main_os(int argc, char **argv, char **envp) { static int *on_main(int argc, char **argv, char **envp) { + void *fork_addr; on_main_os(argc, argv, envp); - stalker = gum_stalker_new(); - if (stalker == NULL) { FATAL("Failed to initialize stalker"); } + unintercept_self(); - gum_stalker_set_trust_threshold(stalker, 0); - - GumStalkerTransformer *transformer = - gum_stalker_transformer_make_from_callback(instr_basic_block, NULL, NULL); + stalker_init(); + lib_init(); instrument_init(); + persistent_init(); prefetch_init(); - ranges_init(stalker); + ranges_init(); - intercept(fork, on_fork, stalker); + fork_addr = GSIZE_TO_POINTER(gum_module_find_export_by_name(NULL, "fork")); + intercept(fork_addr, on_fork, NULL); - gum_stalker_follow_me(stalker, transformer, NULL); - gum_stalker_deactivate(stalker); + stalker_start(); + stalker_pause(); __afl_manual_init(); /* Child here */ previous_pc = 0; - prefetch_start(stalker); + stalker_resume(); main_fn(argc, argv, envp); - _exit(0); } -#ifdef __APPLE__ -static void intercept_main() { +#if defined(EMBEDDED) +extern int *main(int argc, char **argv, char **envp); + +static void intercept_main(void) { + + main_fn = main; + intercept(main, on_main, NULL); + +} + +#elif defined(__APPLE__) +static void intercept_main(void) { mach_port_t task = mach_task_self(); OKF("Task Id: %u", task); @@ -119,13 +131,14 @@ static int on_libc_start_main(int *(main)(int, char **, char **), int argc, void(*stack_end)) { main_fn = main; + unintercept_self(); intercept(main, on_main, NULL); return __libc_start_main(main, argc, ubp_av, init, fini, rtld_fini, stack_end); } -static void intercept_main() { +static void intercept_main(void) { intercept(__libc_start_main, on_libc_start_main, NULL); @@ -133,7 +146,7 @@ static void intercept_main() { #endif -__attribute__((constructor)) static void init() { +__attribute__((constructor)) static void init(void) { gum_init_embedded(); if (!gum_stalker_is_supported()) { diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c new file mode 100644 index 00000000..fe3a1d20 --- /dev/null +++ b/frida_mode/src/persistent/persistent.c @@ -0,0 +1,68 @@ +#include + +#include "frida-gum.h" + +#include "config.h" +#include "debug.h" + +#include "persistent.h" +#include "util.h" + +int __afl_sharedmem_fuzzing = 0; +afl_persistent_hook_fn hook = NULL; +guint64 persistent_start = 0; +guint64 persistent_count = 0; + +void persistent_init(void) { + + char *hook_name = getenv("AFL_FRIDA_PERSISTENT_HOOK"); + + persistent_start = util_read_address("AFL_FRIDA_PERSISTENT_ADDR"); + persistent_count = util_read_num("AFL_FRIDA_PERSISTENT_CNT"); + + if (persistent_count != 0 && persistent_start == 0) + FATAL( + "AFL_FRIDA_PERSISTENT_ADDR must be specified if " + "AFL_FRIDA_PERSISTENT_CNT is"); + + if (persistent_start != 0 && persistent_count == 0) persistent_count = 1000; + + if (persistent_count != 0 && persistent_count < 100) + WARNF("Persistent count out of recommended range (<100)"); + + if (persistent_count > 10000) + WARNF("Persistent count out of recommended range (<10000)"); + + if (persistent_start != 0 && !persistent_is_supported()) + FATAL("Persistent mode not supported on this architecture"); + + OKF("Instrumentation - persistent mode [%c] (0x%016lX)", + persistent_start == 0 ? ' ' : 'X', persistent_start); + OKF("Instrumentation - persistent count [%c] (%ld)", + persistent_start == 0 ? ' ' : 'X', persistent_count); + OKF("Instrumentation - hook [%s]", hook_name); + + if (hook_name != NULL) { + + void *hook_obj = dlopen(hook_name, RTLD_NOW); + if (hook_obj == NULL) + FATAL("Failed to load AFL_FRIDA_PERSISTENT_HOOK (%s)", hook_name); + + int (*afl_persistent_hook_init_ptr)(void) = + dlsym(hook_obj, "afl_persistent_hook_init"); + if (afl_persistent_hook_init_ptr == NULL) + FATAL("Failed to find afl_persistent_hook_init in %s", hook_name); + + if (afl_persistent_hook_init_ptr() == 0) + FATAL("afl_persistent_hook_init returned a failure"); + + hook = (afl_persistent_hook_fn)dlsym(hook_obj, "afl_persistent_hook"); + if (hook == NULL) + FATAL("Failed to find afl_persistent_hook in %s", hook_name); + + __afl_sharedmem_fuzzing = 1; + + } + +} + diff --git a/frida_mode/src/persistent/persistent_arm32.c b/frida_mode/src/persistent/persistent_arm32.c new file mode 100644 index 00000000..10dab3b2 --- /dev/null +++ b/frida_mode/src/persistent/persistent_arm32.c @@ -0,0 +1,70 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "persistent.h" + +#if defined(__arm__) + +struct arm_regs { + + uint32_t r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10; + + union { + + uint32_t r11; + uint32_t fp; + + }; + + union { + + uint32_t r12; + uint32_t ip; + + }; + + union { + + uint32_t r13; + uint32_t sp; + + }; + + union { + + uint32_t r14; + uint32_t lr; + + }; + + union { + + uint32_t r15; + uint32_t pc; + + }; + + uint32_t cpsr; + + uint8_t vfp_zregs[32][16]; + uint32_t vfp_xregs[16]; + +}; + +typedef struct arm_regs arch_api_regs; + +gboolean persistent_is_supported(void) { + + return false; + +} + +void persistent_prologue(GumStalkerOutput *output) { + + FATAL("Persistent mode not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c new file mode 100644 index 00000000..5a18ac2c --- /dev/null +++ b/frida_mode/src/persistent/persistent_arm64.c @@ -0,0 +1,113 @@ +#include "frida-gum.h" + +#include "config.h" +#include "debug.h" + +#include "instrument.h" + +#if defined(__aarch64__) + +struct arm64_regs { + + uint64_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10; + + union { + + uint64_t x11; + uint32_t fp_32; + + }; + + union { + + uint64_t x12; + uint32_t ip_32; + + }; + + union { + + uint64_t x13; + uint32_t sp_32; + + }; + + union { + + uint64_t x14; + uint32_t lr_32; + + }; + + union { + + uint64_t x15; + uint32_t pc_32; + + }; + + union { + + uint64_t x16; + uint64_t ip0; + + }; + + union { + + uint64_t x17; + uint64_t ip1; + + }; + + uint64_t x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28; + + union { + + uint64_t x29; + uint64_t fp; + + }; + + union { + + uint64_t x30; + uint64_t lr; + + }; + + union { + + uint64_t x31; + uint64_t sp; + + }; + + // the zero register is not saved here ofc + + uint64_t pc; + + uint32_t cpsr; + + uint8_t vfp_zregs[32][16 * 16]; + uint8_t vfp_pregs[17][32]; + uint32_t vfp_xregs[16]; + +}; + +typedef struct arm64_regs arch_api_regs; + +gboolean persistent_is_supported(void) { + + return false; + +} + +void persistent_prologue(GumStalkerOutput *output) { + + FATAL("Persistent mode not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c new file mode 100644 index 00000000..0cabbf24 --- /dev/null +++ b/frida_mode/src/persistent/persistent_x64.c @@ -0,0 +1,337 @@ +#include "frida-gum.h" + +#include "config.h" + +#include "instrument.h" +#include "persistent.h" + +#if defined(__x86_64__) + +struct x86_64_regs { + + uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14, + r15; + + union { + + uint64_t rip; + uint64_t pc; + + }; + + union { + + uint64_t rsp; + uint64_t sp; + + }; + + union { + + uint64_t rflags; + uint64_t flags; + + }; + + uint8_t zmm_regs[32][64]; + +}; + +typedef struct x86_64_regs arch_api_regs; + +static arch_api_regs saved_regs = {0}; +static void * saved_return = NULL; + +gboolean persistent_is_supported(void) { + + return true; + +} + +static void instrument_persitent_save_regs(GumX86Writer * cw, + struct x86_64_regs *regs) { + + GumAddress regs_address = GUM_ADDRESS(regs); + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + -(GUM_RED_ZONE_SIZE)); + + /* Should be pushing FPU here, but meh */ + gum_x86_writer_put_pushfx(cw); + gum_x86_writer_put_push_reg(cw, GUM_REG_RAX); + + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, regs_address); + + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 1), + GUM_REG_RBX); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 2), + GUM_REG_RCX); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 3), + GUM_REG_RDX); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 4), + GUM_REG_RDI); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 5), + GUM_REG_RSI); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 6), + GUM_REG_RBP); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 7), + GUM_REG_R8); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 8), + GUM_REG_R9); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 9), + GUM_REG_R10); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 10), + GUM_REG_R11); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 11), + GUM_REG_R12); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 12), + GUM_REG_R13); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 13), + GUM_REG_R14); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 14), + GUM_REG_R15); + + /* Store RIP */ + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RBX, + GUM_ADDRESS(persistent_start)); + + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 15), + GUM_REG_RBX); + + /* Store adjusted RSP */ + gum_x86_writer_put_mov_reg_reg(cw, GUM_REG_RBX, GUM_REG_RSP); + + /* RED_ZONE + Saved flags, RAX, alignment */ + gum_x86_writer_put_add_reg_imm(cw, GUM_REG_RBX, + GUM_RED_ZONE_SIZE + (0x8 * 3)); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 16), + GUM_REG_RBX); + + /* Save the flags */ + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RSP, 0x8); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 17), + GUM_REG_RBX); + + /* Save the RAX */ + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RSP, 0x0); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 0), + GUM_REG_RBX); + + /* Pop the saved values */ + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, 0x10); + + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + (GUM_RED_ZONE_SIZE)); + +} + +static void instrument_persitent_restore_regs(GumX86Writer * cw, + struct x86_64_regs *regs) { + + GumAddress regs_address = GUM_ADDRESS(regs); + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, regs_address); + + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RCX, GUM_REG_RAX, + (0x8 * 2)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDX, GUM_REG_RAX, + (0x8 * 3)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDI, GUM_REG_RAX, + (0x8 * 4)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RSI, GUM_REG_RAX, + (0x8 * 5)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBP, GUM_REG_RAX, + (0x8 * 6)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R8, GUM_REG_RAX, + (0x8 * 7)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R9, GUM_REG_RAX, + (0x8 * 8)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R10, GUM_REG_RAX, + (0x8 * 9)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R11, GUM_REG_RAX, + (0x8 * 10)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R12, GUM_REG_RAX, + (0x8 * 11)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R13, GUM_REG_RAX, + (0x8 * 12)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R14, GUM_REG_RAX, + (0x8 * 13)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R15, GUM_REG_RAX, + (0x8 * 14)); + + /* Don't restore RIP or RSP */ + + /* Restore RBX, RAX & Flags */ + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + -(GUM_RED_ZONE_SIZE)); + + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RAX, + (0x8 * 1)); + gum_x86_writer_put_push_reg(cw, GUM_REG_RBX); + + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RAX, + (0x8 * 0)); + gum_x86_writer_put_push_reg(cw, GUM_REG_RBX); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RAX, + (0x8 * 17)); + gum_x86_writer_put_push_reg(cw, GUM_REG_RBX); + + gum_x86_writer_put_popfx(cw); + gum_x86_writer_put_pop_reg(cw, GUM_REG_RAX); + gum_x86_writer_put_pop_reg(cw, GUM_REG_RBX); + + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + (GUM_RED_ZONE_SIZE)); + +} + +static void instrument_save_ret(GumX86Writer *cw, void **saved_return_ptr) { + + GumAddress saved_return_address = GUM_ADDRESS(saved_return_ptr); + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + -(GUM_RED_ZONE_SIZE)); + gum_x86_writer_put_push_reg(cw, GUM_REG_RAX); + gum_x86_writer_put_push_reg(cw, GUM_REG_RBX); + + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, saved_return_address); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RSP, + GUM_RED_ZONE_SIZE + 0x10); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, 0, GUM_REG_RBX); + + gum_x86_writer_put_pop_reg(cw, GUM_REG_RBX); + gum_x86_writer_put_pop_reg(cw, GUM_REG_RAX); + + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + (GUM_RED_ZONE_SIZE)); + +} + +static void instrument_jump_ret(GumX86Writer *cw, void **saved_return_ptr) { + + GumAddress saved_return_address = GUM_ADDRESS(saved_return_ptr); + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + -(GUM_RED_ZONE_SIZE)); + + /* Place holder for ret */ + gum_x86_writer_put_push_reg(cw, GUM_REG_RAX); + gum_x86_writer_put_push_reg(cw, GUM_REG_RAX); + + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, saved_return_address); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RAX, GUM_REG_RAX, 0); + + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RSP, 0x8, GUM_REG_RAX); + gum_x86_writer_put_pop_reg(cw, GUM_REG_RAX); + gum_x86_writer_put_ret_imm(cw, GUM_RED_ZONE_SIZE); + +} + +static int instrument_afl_persistent_loop_func(void) { + + int ret = __afl_persistent_loop(persistent_count); + previous_pc = 0; + return ret; + +} + +static int instrument_afl_persistent_loop(GumX86Writer *cw) { + + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + -(GUM_RED_ZONE_SIZE)); + gum_x86_writer_put_call_address_with_arguments( + cw, GUM_CALL_CAPI, GUM_ADDRESS(instrument_afl_persistent_loop_func), 0); + gum_x86_writer_put_test_reg_reg(cw, GUM_REG_RAX, GUM_REG_RAX); + + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + (GUM_RED_ZONE_SIZE)); + +} + +static void persistent_prologue_hook(GumX86Writer * cw, + struct x86_64_regs *regs) { + + if (hook == NULL) return; + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + -(GUM_RED_ZONE_SIZE)); + + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RCX, + GUM_ADDRESS(__afl_fuzz_len)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RCX, GUM_REG_RCX, 0); + gum_x86_writer_put_mov_reg_u64(cw, GUM_REG_RDI, 0xffffffff); + gum_x86_writer_put_and_reg_reg(cw, GUM_REG_RCX, GUM_REG_RDI); + + gum_x86_writer_put_call_address_with_arguments( + cw, GUM_CALL_CAPI, GUM_ADDRESS(hook), 4, GUM_ARG_ADDRESS, + GUM_ADDRESS(regs), GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_ADDRESS, + GUM_ADDRESS(__afl_fuzz_ptr), GUM_ARG_REGISTER, GUM_REG_RCX); + + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + (GUM_RED_ZONE_SIZE)); + +} + +void persistent_prologue(GumStalkerOutput *output) { + + /* + * SAVE REGS + * SAVE RET + * POP RET + * loop: + * CALL instrument_afl_persistent_loop + * TEST EAX, EAX + * JZ end: + * call hook (optionally) + * RESTORE REGS + * call original + * jmp loop: + * + * end: + * JMP SAVED RET + * + * original: + * INSTRUMENTED PERSISTENT FUNC + */ + + GumX86Writer *cw = output->writer.x86; + + gconstpointer loop = cw->code + 1; + // gum_x86_writer_put_breakpoint(cw); + + /* Stack must be 16-byte aligned per ABI */ + instrument_persitent_save_regs(cw, &saved_regs); + + /* Stash and pop the return value */ + instrument_save_ret(cw, &saved_return); + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, (8)); + + /* loop: */ + gum_x86_writer_put_label(cw, loop); + + /* call instrument_prologue_func */ + instrument_afl_persistent_loop(cw); + + /* jz done */ + gconstpointer done = cw->code + 1; + gum_x86_writer_put_jcc_near_label(cw, X86_INS_JE, done, GUM_UNLIKELY); + + /* Optionally call the persistent hook */ + persistent_prologue_hook(cw, &saved_regs); + + instrument_persitent_restore_regs(cw, &saved_regs); + gconstpointer original = cw->code + 1; + /* call original */ + gum_x86_writer_put_call_near_label(cw, original); + /* jmp loop */ + gum_x86_writer_put_jmp_near_label(cw, loop); + + /* done: */ + gum_x86_writer_put_label(cw, done); + + instrument_jump_ret(cw, &saved_return); + + /* original: */ + gum_x86_writer_put_label(cw, original); + + gum_x86_writer_flush(cw); + +} + +#endif + diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c new file mode 100644 index 00000000..4daa61a9 --- /dev/null +++ b/frida_mode/src/persistent/persistent_x86.c @@ -0,0 +1,53 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "persistent.h" + +#if defined(__i386__) + +struct x86_regs { + + uint32_t eax, ebx, ecx, edx, edi, esi, ebp; + + union { + + uint32_t eip; + uint32_t pc; + + }; + + union { + + uint32_t esp; + uint32_t sp; + + }; + + union { + + uint32_t eflags; + uint32_t flags; + + }; + + uint8_t xmm_regs[8][16]; + +}; + +typedef struct x86_regs arch_api_regs; + +gboolean persistent_is_supported(void) { + + return false; + +} + +void persistent_prologue(GumStalkerOutput *output) { + + FATAL("Persistent mode not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c index 64633c1c..65c09fba 100644 --- a/frida_mode/src/prefetch.c +++ b/frida_mode/src/prefetch.c @@ -3,9 +3,12 @@ #include #include "frida-gum.h" -#include "prefetch.h" + #include "debug.h" +#include "prefetch.h" +#include "stalker.h" + #define TRUST 0 #define PREFETCH_SIZE 65536 #define PREFETCH_ENTRIES ((PREFETCH_SIZE - sizeof(size_t)) / sizeof(void *)) @@ -49,8 +52,9 @@ void prefetch_write(void *addr) { /* * Read the IPC region one block at the time and prefetch it */ -void prefetch_read(GumStalker *stalker) { +void prefetch_read(void) { + GumStalker *stalker = stalker_get(); if (prefetch_data == NULL) return; for (size_t i = 0; i < prefetch_data->count; i++) { @@ -68,7 +72,7 @@ void prefetch_read(GumStalker *stalker) { } -void prefetch_init() { +void prefetch_init(void) { g_assert_cmpint(sizeof(prefetch_data_t), ==, PREFETCH_SIZE); gboolean prefetch = (getenv("AFL_FRIDA_INST_NO_PREFETCH") == NULL); @@ -106,16 +110,3 @@ void prefetch_init() { } -__attribute__((noinline)) static void prefetch_activation() { - - asm volatile(""); - -} - -void prefetch_start(GumStalker *stalker) { - - gum_stalker_activate(stalker, prefetch_activation); - prefetch_activation(); - -} - diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c index 49ef5a62..6fcbd258 100644 --- a/frida_mode/src/ranges.c +++ b/frida_mode/src/ranges.c @@ -1,9 +1,11 @@ -// 0x123-0x321 -// module.so +#include "frida-gum.h" -#include "ranges.h" #include "debug.h" +#include "lib.h" +#include "ranges.h" +#include "stalker.h" + #define MAX_RANGES 20 typedef struct { @@ -14,15 +16,11 @@ typedef struct { } convert_name_ctx_t; -typedef struct { - - GumStalker *stalker; - GArray * array; - -} include_range_ctx_t; - -GArray * ranges = NULL; -gboolean exclude_ranges = false; +GArray *module_ranges = NULL; +GArray *libs_ranges = NULL; +GArray *include_ranges = NULL; +GArray *exclude_ranges = NULL; +GArray *ranges = NULL; static void convert_address_token(gchar *token, GumMemoryRange *range) { @@ -159,214 +157,395 @@ static void convert_token(gchar *token, GumMemoryRange *range) { } -static gboolean include_ranges(const GumRangeDetails *details, - gpointer user_data) { +gint range_sort(gconstpointer a, gconstpointer b) { - include_range_ctx_t *ctx = (include_range_ctx_t *)user_data; - GArray * array = (GArray *)ctx->array; - GumAddress base = details->range->base_address; - GumAddress limit = details->range->base_address + details->range->size; + return ((GumMemoryRange *)a)->base_address - + ((GumMemoryRange *)b)->base_address; - OKF("Range for inclusion 0x%016" G_GINT64_MODIFIER - "x-0x%016" G_GINT64_MODIFIER "x", - base, limit); +} - for (int i = 0; i < array->len; i++) { +static gboolean print_ranges_callback(const GumRangeDetails *details, + gpointer user_data) { - GumMemoryRange *range = &g_array_index(array, GumMemoryRange, i); - GumAddress range_base = range->base_address; - GumAddress range_limit = range->base_address + range->size; + if (details->file == NULL) { - /* Before the region */ - if (range_limit < base) { continue; } + OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER "X", + details->range->base_address, + details->range->base_address + details->range->size); - /* After the region */ - if (range_base > limit) { + } else { - GumMemoryRange exclude = {.base_address = base, .size = limit - base}; - OKF("\t Excluding 0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER - "x", - base, limit); - gum_stalker_exclude(ctx->stalker, &exclude); - return true; + OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER + "X %s(0x%016" G_GINT64_MODIFIER "x)", + details->range->base_address, + details->range->base_address + details->range->size, + details->file->path, details->file->offset); - } + } - /* Overlap the start of the region */ - if (range_base < base) { + return true; - /* Range contains the region */ - if (range_limit > limit) { +} - return true; +static void print_ranges(char *key, GArray *ranges) { - } else { + OKF("Range: %s Length: %d", key, ranges->len); + for (int i = 0; i < ranges->len; i++) { - base = range_limit; - continue; + GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i); + GumAddress curr_limit = curr->base_address + curr->size; + OKF("Range: %s Idx: %3d - 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x", + key, i, curr->base_address, curr_limit); - } + } - /* Overlap the end of the region */ +} - } else { +static gboolean collect_module_ranges_callback(const GumRangeDetails *details, + gpointer user_data) { - GumMemoryRange exclude = {.base_address = base, - .size = range_base - base}; - OKF("\t Excluding 0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER - "x", - base, range_base); - gum_stalker_exclude(ctx->stalker, &exclude); - /* Extend past the end of the region */ - if (range_limit >= limit) { + GArray * ranges = (GArray *)user_data; + GumMemoryRange range = *details->range; + g_array_append_val(ranges, range); + return TRUE; - return true; +} - /* Contained within the region */ +static GArray *collect_module_ranges(void) { - } else { + GArray *result; + result = g_array_new(false, false, sizeof(GumMemoryRange)); + gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, + collect_module_ranges_callback, result); + print_ranges("Modules", result); + return result; - base = range_limit; - continue; +} - } +static GArray *collect_ranges(char *env_key) { - } + char * env_val; + gchar ** tokens; + int token_count; + GumMemoryRange range; + int i; + GArray * result; + + result = g_array_new(false, false, sizeof(GumMemoryRange)); + + env_val = getenv(env_key); + if (env_val == NULL) return result; + + tokens = g_strsplit(env_val, ",", MAX_RANGES); + + for (token_count = 0; tokens[token_count] != NULL; token_count++) + ; + + for (i = 0; i < token_count; i++) { + + convert_token(tokens[i], &range); + g_array_append_val(result, range); } - GumMemoryRange exclude = {.base_address = base, .size = limit - base}; - OKF("\t Excluding 0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER "x", - base, limit); - gum_stalker_exclude(ctx->stalker, &exclude); - return true; + g_array_sort(result, range_sort); -} + /* Check for overlaps */ + for (i = 1; i < token_count; i++) { -gint range_sort(gconstpointer a, gconstpointer b) { + GumMemoryRange *prev = &g_array_index(result, GumMemoryRange, i - 1); + GumMemoryRange *curr = &g_array_index(result, GumMemoryRange, i); + GumAddress prev_limit = prev->base_address + prev->size; + GumAddress curr_limit = curr->base_address + curr->size; + if (prev_limit > curr->base_address) { - return ((GumMemoryRange *)a)->base_address - - ((GumMemoryRange *)b)->base_address; + FATAL("OVerlapping ranges 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x", + prev->base_address, prev_limit, curr->base_address, curr_limit); + + } + + } + + print_ranges(env_key, result); + + g_strfreev(tokens); + + return result; } -static gboolean print_ranges(const GumRangeDetails *details, - gpointer user_data) { +static GArray *collect_libs_ranges(void) { - if (details->file == NULL) { + GArray * result; + GumMemoryRange range; + result = g_array_new(false, false, sizeof(GumMemoryRange)); - OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER "X", - details->range->base_address, - details->range->base_address + details->range->size); + if (getenv("AFL_INST_LIBS") == NULL) { + + range.base_address = lib_get_text_base(); + range.size = lib_get_text_limit() - lib_get_text_base(); } else { - OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER - "X %s(0x%016" G_GINT64_MODIFIER "x)", - details->range->base_address, - details->range->base_address + details->range->size, - details->file->path, details->file->offset); + range.base_address = 0; + range.size = G_MAXULONG; } + g_array_append_val(result, range); + + print_ranges("AFL_INST_LIBS", result); + + return result; + +} + +static gboolean intersect_range(GumMemoryRange *rr, GumMemoryRange *ra, + GumMemoryRange *rb) { + + GumAddress rab = ra->base_address; + GumAddress ral = rab + ra->size; + + GumAddress rbb = rb->base_address; + GumAddress rbl = rbb + rb->size; + + GumAddress rrb = 0; + GumAddress rrl = 0; + + rr->base_address = 0; + rr->size = 0; + + /* ra is before rb */ + if (ral < rbb) { return false; } + + /* ra is after rb */ + if (rab > rbl) { return true; } + + /* The largest of the two base addresses */ + rrb = rab > rbb ? rab : rbb; + + /* The smallest of the two limits */ + rrl = ral < rbl ? ral : rbl; + + rr->base_address = rrb; + rr->size = rrl - rrb; return true; } -void ranges_init(GumStalker *stalker) { +static GArray *intersect_ranges(GArray *a, GArray *b) { - char * showmaps; - char * include; - char * exclude; - char * list; - gchar ** tokens; - int token_count; - GumMemoryRange range; + GArray * result; + GumMemoryRange *ra; + GumMemoryRange *rb; + GumMemoryRange ri; - int i; + result = g_array_new(false, false, sizeof(GumMemoryRange)); - showmaps = getenv("AFL_FRIDA_DEBUG_MAPS"); - include = getenv("AFL_FRIDA_INST_RANGES"); - exclude = getenv("AFL_FRIDA_EXCLUDE_RANGES"); + for (int i = 0; i < a->len; i++) { - if (showmaps) { + ra = &g_array_index(a, GumMemoryRange, i); + for (int j = 0; j < b->len; j++) { - gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, print_ranges, NULL); + rb = &g_array_index(b, GumMemoryRange, j); - } + if (!intersect_range(&ri, ra, rb)) { break; } + + if (ri.size == 0) { continue; } - if (include != NULL && exclude != NULL) { + g_array_append_val(result, ri); - FATAL( - "Cannot specifify both AFL_FRIDA_INST_RANGES and " - "AFL_FRIDA_EXCLUDE_RANGES"); + } } - if (include == NULL && exclude == NULL) { return; } + return result; - list = include == NULL ? exclude : include; - exclude_ranges = include == NULL ? true : false; +} - tokens = g_strsplit(list, ",", MAX_RANGES); +static GArray *subtract_ranges(GArray *a, GArray *b) { - for (token_count = 0; tokens[token_count] != NULL; token_count++) - ; + GArray * result; + GumMemoryRange *ra; + GumAddress ral; + GumMemoryRange *rb; + GumMemoryRange ri; + GumMemoryRange rs; - ranges = g_array_sized_new(false, false, sizeof(GumMemoryRange), token_count); + result = g_array_new(false, false, sizeof(GumMemoryRange)); - for (i = 0; i < token_count; i++) { + for (int i = 0; i < a->len; i++) { - convert_token(tokens[i], &range); - g_array_append_val(ranges, range); + ra = &g_array_index(a, GumMemoryRange, i); + ral = ra->base_address + ra->size; + for (int j = 0; j < b->len; j++) { + + rb = &g_array_index(b, GumMemoryRange, j); + + /* + * If rb is after ra, we have no more possible intersections and we can + * simply keep the remaining range + */ + if (!intersect_range(&ri, ra, rb)) { break; } + + /* + * If there is no intersection, then rb must be before ra, so we must + * continue + */ + if (ri.size == 0) { continue; } + + /* + * If the intersection is part way through the range, then we keep the + * start of the range + */ + if (ra->base_address < ri.base_address) { + + rs.base_address = ra->base_address; + rs.size = ri.base_address - ra->base_address; + g_array_append_val(result, rs); + + } + + /* + * If the intersection extends past the limit of the range, then we should + * continue with the next range + */ + if ((ri.base_address + ri.size) > ral) { + + ra->base_address = ral; + ra->size = 0; + break; + + } + + /* + * Otherwise we advance the base of the range to the end of the + * intersection and continue with the remainder of the range + */ + ra->base_address = ri.base_address + ri.size; + ra->size = ral - ra->base_address; + + } + + /* + * When we have processed all the possible intersections, we add what is + * left + */ + if (ra->size != 0) g_array_append_val(result, *ra); } - g_array_sort(ranges, range_sort); + return result; - /* Check for overlaps */ - for (i = 1; i < token_count; i++) { +} - GumMemoryRange *prev = &g_array_index(ranges, GumMemoryRange, i - 1); - GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i); - GumAddress prev_limit = prev->base_address + prev->size; - GumAddress curr_limit = curr->base_address + curr->size; - if (prev_limit > curr->base_address) { +static GArray *merge_ranges(GArray *a) { - FATAL("OVerlapping ranges 0x%016" G_GINT64_MODIFIER - "x-0x%016" G_GINT64_MODIFIER "x 0x%016" G_GINT64_MODIFIER - "x-0x%016" G_GINT64_MODIFIER "x", - prev->base_address, prev_limit, curr->base_address, curr_limit); + GArray * result; + GumMemoryRange rp; + GumMemoryRange *r; + + result = g_array_new(false, false, sizeof(GumMemoryRange)); + if (a->len == 0) return result; + + rp = g_array_index(a, GumMemoryRange, 0); + + for (int i = 1; i < a->len; i++) { + + r = &g_array_index(a, GumMemoryRange, i); + + if (rp.base_address + rp.size == r->base_address) { + + rp.size += r->size; + + } else { + + g_array_append_val(result, rp); + rp.base_address = r->base_address; + rp.size = r->size; + continue; } } - for (i = 0; i < token_count; i++) { + g_array_append_val(result, rp); - GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i); - GumAddress curr_limit = curr->base_address + curr->size; - OKF("Range %3d - 0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER "x", - i, curr->base_address, curr_limit); + return result; + +} + +void ranges_init(void) { + + GumMemoryRange ri; + GArray * step1; + GArray * step2; + GArray * step3; + GArray * step4; + GumMemoryRange *r; + GumStalker * stalker; + + if (getenv("AFL_FRIDA_DEBUG_MAPS") != NULL) { + + gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, print_ranges_callback, + NULL); } - if (include == NULL) { + module_ranges = collect_module_ranges(); + libs_ranges = collect_libs_ranges(); + include_ranges = collect_ranges("AFL_FRIDA_INST_RANGES"); - for (i = 0; i < token_count; i++) { + /* If include ranges is empty, then assume everything is included */ + if (include_ranges->len == 0) { - gum_stalker_exclude(stalker, &g_array_index(ranges, GumMemoryRange, i)); + ri.base_address = 0; + ri.size = G_MAXULONG; + g_array_append_val(include_ranges, ri); - } + } - } else { + exclude_ranges = collect_ranges("AFL_FRIDA_EXCLUDE_RANGES"); - include_range_ctx_t ctx = {.stalker = stalker, .array = ranges}; - gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, include_ranges, &ctx); + /* Intersect with .text section of main executable unless AFL_INST_LIBS */ + step1 = intersect_ranges(module_ranges, libs_ranges); + print_ranges("step1", step1); + + /* Intersect with AFL_FRIDA_INST_RANGES */ + step2 = intersect_ranges(step1, include_ranges); + print_ranges("step2", step2); + + /* Subtract AFL_FRIDA_EXCLUDE_RANGES */ + step3 = subtract_ranges(step2, exclude_ranges); + print_ranges("step3", step3); + + /* + * After step3, we have the total ranges to be instrumented, we now subtract + * that from the original ranges of the modules to configure stalker. + */ + + step4 = subtract_ranges(module_ranges, step3); + print_ranges("step4", step4); + + ranges = merge_ranges(step4); + print_ranges("final", ranges); + + stalker = stalker_get(); + + for (int i = 0; i < ranges->len; i++) { + + r = &g_array_index(ranges, GumMemoryRange, i); + gum_stalker_exclude(stalker, r); } - g_strfreev(tokens); + g_array_free(step4, TRUE); + g_array_free(step3, TRUE); + g_array_free(step2, TRUE); + g_array_free(step1, TRUE); } @@ -382,13 +561,13 @@ gboolean range_is_excluded(gpointer address) { GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i); GumAddress curr_limit = curr->base_address + curr->size; - if (test < curr->base_address) { return !exclude_ranges; } + if (test < curr->base_address) { return false; } - if (test < curr_limit) { return exclude_ranges; } + if (test < curr_limit) { return true; } } - return !exclude_ranges; + return false; } diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c new file mode 100644 index 00000000..5ee519ba --- /dev/null +++ b/frida_mode/src/stalker.c @@ -0,0 +1,49 @@ +#include "debug.h" + +#include "instrument.h" +#include "stalker.h" + +static GumStalker *stalker = NULL; + +void stalker_init(void) { + + stalker = gum_stalker_new(); + if (stalker == NULL) { FATAL("Failed to initialize stalker"); } + + gum_stalker_set_trust_threshold(stalker, 0); + +} + +GumStalker *stalker_get(void) { + + if (stalker == NULL) { FATAL("Stalker uninitialized"); } + return stalker; + +} + +__attribute__((noinline)) static void stalker_activation(void) { + + asm volatile(""); + +} + +void stalker_start(void) { + + GumStalkerTransformer *transformer = instrument_get_transformer(); + gum_stalker_follow_me(stalker, transformer, NULL); + +} + +void stalker_pause(void) { + + gum_stalker_deactivate(stalker); + +} + +void stalker_resume(void) { + + gum_stalker_activate(stalker, stalker_activation); + stalker_activation(); + +} + diff --git a/frida_mode/src/util.c b/frida_mode/src/util.c new file mode 100644 index 00000000..f42afd64 --- /dev/null +++ b/frida_mode/src/util.c @@ -0,0 +1,66 @@ +#include "util.h" + +#include "debug.h" + +guint64 util_read_address(char *key) { + + char *value_str = getenv(key); + + if (value_str == NULL) { return 0; } + + if (!g_str_has_prefix(value_str, "0x")) { + + FATAL("Invalid address should have 0x prefix: %s\n", value_str); + + } + + value_str = &value_str[2]; + + for (char *c = value_str; *c != '\0'; c++) { + + if (!g_ascii_isxdigit(*c)) { + + FATAL("Invalid address not formed of hex digits: %s\n", value_str); + + } + + } + + guint64 value = g_ascii_strtoull(value_str, NULL, 16); + if (value == 0) { + + FATAL("Invalid address failed hex conversion: %s\n", value_str); + + } + + return value; + +} + +guint64 util_read_num(char *key) { + + char *value_str = getenv(key); + + if (value_str == NULL) { return 0; } + + for (char *c = value_str; *c != '\0'; c++) { + + if (!g_ascii_isdigit(*c)) { + + FATAL("Invalid address not formed of decimal digits: %s\n", value_str); + + } + + } + + guint64 value = g_ascii_strtoull(value_str, NULL, 10); + if (value == 0) { + + FATAL("Invalid address failed numeric conversion: %s\n", value_str); + + } + + return value; + +} + diff --git a/frida_mode/test/cmplog/GNUmakefile b/frida_mode/test/cmplog/GNUmakefile new file mode 100644 index 00000000..c203fc5e --- /dev/null +++ b/frida_mode/test/cmplog/GNUmakefile @@ -0,0 +1,66 @@ +PWD:=$(shell pwd)/ +ROOT:=$(shell realpath $(PWD)../../../)/ +BUILD_DIR:=$(PWD)build/ + +TEST_CMPLOG_DIR:=$(ROOT)qemu_mode/libcompcov/ +TEST_CMPLOG_OBJ=$(TEST_CMPLOG_DIR)compcovtest + +TEST_BIN:=$(PWD)../../build/test + + +TEST_DATA_DIR:=$(BUILD_DIR)in/ +CMP_LOG_INPUT:=$(TEST_DATA_DIR)in +QEMU_OUT:=$(BUILD_DIR)qemu-out +FRIDA_OUT:=$(BUILD_DIR)frida-out + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + AFL_FRIDA_INST_RANGES=$(shell $(PWD)get_section_addrs.py -f $(TEST_CMPLOG_OBJ) -s .text -b 0x0000aaaaaaaaa000) +endif + +ifeq "$(ARCH)" "x86_64" + AFL_FRIDA_INST_RANGES=$(shell $(PWD)get_section_addrs.py -f $(TEST_CMPLOG_OBJ) -s .text -b 0x0000555555554000) +endif + +.PHONY: all clean qemu frida + +all: + make -C $(ROOT)frida_mode/ + +$(BUILD_DIR): + mkdir -p $@ + +$(TEST_DATA_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(CMP_LOG_INPUT): | $(TEST_DATA_DIR) + truncate -s 64 $@ + +$(TEST_CMPLOG_OBJ): $(TEST_CMPLOG_DIR)compcovtest.cc + make -C $(TEST_CMPLOG_DIR) compcovtest + +qemu: $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT) + $(ROOT)afl-fuzz \ + -D \ + -Q \ + -i $(TEST_DATA_DIR) \ + -o $(QEMU_OUT) \ + -c 0 \ + -l 3AT \ + -- \ + $(TEST_CMPLOG_OBJ) @@ + +frida: $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT) + XAFL_FRIDA_INST_RANGES=$(AFL_FRIDA_INST_RANGES) \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -c 0 \ + -l 3AT \ + -- \ + $(TEST_CMPLOG_OBJ) @@ + +clean: + rm -rf $(BUILD_DIR) \ No newline at end of file diff --git a/frida_mode/test/cmplog/Makefile b/frida_mode/test/cmplog/Makefile new file mode 100644 index 00000000..f322d1f5 --- /dev/null +++ b/frida_mode/test/cmplog/Makefile @@ -0,0 +1,12 @@ +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake + +clean: + @gmake clean + +qemu: + @gmake qemu + +frida: + @gmake frida \ No newline at end of file diff --git a/frida_mode/test/cmplog/get_section_addrs.py b/frida_mode/test/cmplog/get_section_addrs.py new file mode 100755 index 00000000..f648808b --- /dev/null +++ b/frida_mode/test/cmplog/get_section_addrs.py @@ -0,0 +1,49 @@ +#!/usr/bin/env python3 +import argparse +from elftools.elf.elffile import ELFFile + + +def process_file(file, section, base): + with open(file, "rb") as f: + for sect in ELFFile(f).iter_sections(): + if sect.name == section: + start = base + sect.header["sh_offset"] + end = start + sect.header["sh_size"] + print("0x%016x-0x%016x" % (start, end)) + return + + print("Section '%s' not found in '%s'" % (section, file)) + + +def hex_value(x): + return int(x, 16) + + +def main(): + parser = argparse.ArgumentParser(description="Process some integers.") + parser.add_argument( + "-f", "--file", dest="file", type=str, help="elf file name", required=True + ) + parser.add_argument( + "-s", + "--section", + dest="section", + type=str, + help="elf section name", + required=True, + ) + parser.add_argument( + "-b", + "--base", + dest="base", + type=hex_value, + help="elf base address", + required=True, + ) + + args = parser.parse_args() + process_file(args.file, args.section, args.base) + + +if __name__ == "__main__": + main() diff --git a/frida_mode/test/png/GNUmakefile b/frida_mode/test/png/GNUmakefile new file mode 100644 index 00000000..c381f5ab --- /dev/null +++ b/frida_mode/test/png/GNUmakefile @@ -0,0 +1,106 @@ +PWD:=$(shell pwd)/ +ROOT:=$(shell realpath $(PWD)../../..)/ +BUILD_DIR:=$(PWD)build/ + +LIBPNG_BUILD_DIR:=$(BUILD_DIR)libpng/ +HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ +PNGTEST_BUILD_DIR:=$(BUILD_DIR)pngtest/ + +LIBPNG_FILE:=$(LIBPNG_BUILD_DIR)libpng-1.2.56.tar.gz +LIBPNG_URL:=https://downloads.sourceforge.net/project/libpng/libpng12/older-releases/1.2.56/libpng-1.2.56.tar.gz +LIBPNG_DIR:=$(LIBPNG_BUILD_DIR)libpng-1.2.56/ +LIBPNG_MAKEFILE:=$(LIBPNG_DIR)Makefile +LIBPNG_LIB:=$(LIBPNG_DIR).libs/libpng12.a + +HARNESS_FILE:=$(HARNESS_BUILD_DIR)StandaloneFuzzTargetMain.c +HARNESS_OBJ:=$(HARNESS_BUILD_DIR)StandaloneFuzzTargetMain.o +HARNESS_URL:="https://raw.githubusercontent.com/llvm/llvm-project/main/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c" + +PNGTEST_FILE:=$(PNGTEST_BUILD_DIR)target.cc +PNGTEST_OBJ:=$(PNGTEST_BUILD_DIR)target.o +PNGTEST_URL:="https://raw.githubusercontent.com/google/fuzzbench/master/benchmarks/libpng-1.2.56/target.cc" + +TEST_BIN:=$(BUILD_DIR)test + +TEST_DATA_DIR:=$(LIBPNG_DIR)contrib/pngsuite/ + +QEMU_OUT:=$(BUILD_DIR)qemu-out +FRIDA_OUT:=$(BUILD_DIR)frida-out + +.PHONY: all clean qemu frida + +all: $(TEST_BIN) + make -C $(ROOT)frida_mode/ + +$(BUILD_DIR): + mkdir -p $@ + +######### HARNESS ######## +$(HARNESS_BUILD_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(HARNESS_FILE): | $(HARNESS_BUILD_DIR) + wget -O $@ $(HARNESS_URL) + +$(HARNESS_OBJ): $(HARNESS_FILE) + $(CC) -o $@ -c $< + +######### PNGTEST ######## + +$(PNGTEST_BUILD_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(PNGTEST_FILE): | $(PNGTEST_BUILD_DIR) + wget -O $@ $(PNGTEST_URL) + +$(PNGTEST_OBJ): $(PNGTEST_FILE) | $(LIBPNG_DIR) + $(CXX) -std=c++11 -I $(LIBPNG_DIR) -o $@ -c $< + +######### LIBPNG ######## + +$(LIBPNG_BUILD_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(LIBPNG_FILE): | $(LIBPNG_BUILD_DIR) + wget -O $@ $(LIBPNG_URL) + +$(LIBPNG_DIR): $(LIBPNG_FILE) + tar zxvf $(LIBPNG_FILE) -C $(LIBPNG_BUILD_DIR) + +$(LIBPNG_MAKEFILE): | $(LIBPNG_DIR) + cd $(LIBPNG_DIR) && ./configure + +$(LIBPNG_LIB): $(LIBPNG_MAKEFILE) + make -C $(LIBPNG_DIR) + +######### TEST ######## + +$(TEST_BIN): $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) + $(CXX) \ + -o $@ \ + $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) \ + -lz \ + $(TEST_LDFLAGS) + +clean: + rm -rf $(BUILD_DIR) + +qemu: $(TEST_BIN) + $(ROOT)afl-fuzz \ + -D \ + -V 30 \ + -Q \ + -i $(TEST_DATA_DIR) \ + -o $(QEMU_OUT) \ + -- \ + $(TEST_BIN) @@ + +frida: $(TEST_BIN) + $(ROOT)afl-fuzz \ + -D \ + -V 30 \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TEST_BIN) @@ diff --git a/frida_mode/test/png/Makefile b/frida_mode/test/png/Makefile new file mode 100644 index 00000000..f322d1f5 --- /dev/null +++ b/frida_mode/test/png/Makefile @@ -0,0 +1,12 @@ +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake + +clean: + @gmake clean + +qemu: + @gmake qemu + +frida: + @gmake frida \ No newline at end of file diff --git a/frida_mode/test/png/persistent/GNUmakefile b/frida_mode/test/png/persistent/GNUmakefile new file mode 100644 index 00000000..25ddc782 --- /dev/null +++ b/frida_mode/test/png/persistent/GNUmakefile @@ -0,0 +1,54 @@ +PWD:=$(shell pwd)/ +ROOT:=$(shell realpath $(PWD)../../../..)/ +BUILD_DIR:=$(PWD)build/ + +TEST_BIN:=$(PWD)../build/test +TEST_DATA_DIR:=../build/libpng/libpng-1.2.56/contrib/pngsuite/ + +QEMU_OUT:=$(BUILD_DIR)qemu-out +FRIDA_OUT:=$(BUILD_DIR)frida-out + +AFL_QEMU_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s main -b 0x4000000000) + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s main -b 0x0000aaaaaaaaa000) +endif + +ifeq "$(ARCH)" "x86_64" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s main -b 0x0000555555554000) +endif + +.PHONY: all clean qemu frida + +all: + make -C $(ROOT)frida_mode/test/png/ + +$(BUILD_DIR): + mkdir -p $@ + +qemu: | $(BUILD_DIR) + AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ + AFL_QEMU_PERSISTENT_GPR=1 \ + $(ROOT)afl-fuzz \ + -D \ + -V 30 \ + -Q \ + -i $(TEST_DATA_DIR) \ + -o $(QEMU_OUT) \ + -- \ + $(TEST_BIN) @@ + +frida: | $(BUILD_DIR) + AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ + $(ROOT)afl-fuzz \ + -D \ + -V 30 \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TEST_BIN) @@ + +clean: + rm -rf $(BUILD_DIR) \ No newline at end of file diff --git a/frida_mode/test/png/persistent/Makefile b/frida_mode/test/png/persistent/Makefile new file mode 100644 index 00000000..f322d1f5 --- /dev/null +++ b/frida_mode/test/png/persistent/Makefile @@ -0,0 +1,12 @@ +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake + +clean: + @gmake clean + +qemu: + @gmake qemu + +frida: + @gmake frida \ No newline at end of file diff --git a/frida_mode/test/png/persistent/get_symbol_addr.py b/frida_mode/test/png/persistent/get_symbol_addr.py new file mode 100755 index 00000000..6458c212 --- /dev/null +++ b/frida_mode/test/png/persistent/get_symbol_addr.py @@ -0,0 +1,36 @@ +#!/usr/bin/python3 +import argparse +from elftools.elf.elffile import ELFFile + +def process_file(file, symbol, base): + with open(file, 'rb') as f: + elf = ELFFile(f) + symtab = elf.get_section_by_name('.symtab') + mains = symtab.get_symbol_by_name(symbol) + if len(mains) != 1: + print ("Failed to find main") + return 1 + + main_addr = mains[0]['st_value'] + main = base + main_addr + print ("0x%016x" % main) + return 0 + +def hex_value(x): + return int(x, 16) + +def main(): + parser = argparse.ArgumentParser(description='Process some integers.') + parser.add_argument('-f', '--file', dest='file', type=str, + help='elf file name', required=True) + parser.add_argument('-s', '--symbol', dest='symbol', type=str, + help='symbol name', required=True) + parser.add_argument('-b', '--base', dest='base', type=hex_value, + help='elf base address', required=True) + + args = parser.parse_args() + return process_file (args.file, args.symbol, args.base) + +if __name__ == "__main__": + ret = main() + exit(ret) \ No newline at end of file diff --git a/frida_mode/test/png/persistent/hook/GNUmakefile b/frida_mode/test/png/persistent/hook/GNUmakefile new file mode 100644 index 00000000..2457287d --- /dev/null +++ b/frida_mode/test/png/persistent/hook/GNUmakefile @@ -0,0 +1,70 @@ +PWD:=$(shell pwd)/ +ROOT:=$(shell realpath $(PWD)../../../../..)/ +BUILD_DIR:=$(PWD)build/ + +AFLPP_DRIVER_HOOK_DIR=$(ROOT)utils/aflpp_driver/ +AFLPP_DRIVER_HOOK_OBJ=$(AFLPP_DRIVER_HOOK_DIR)aflpp_qemu_driver_hook.so + +TEST_BIN:=$(PWD)../../build/test +TEST_DATA_DIR:=../../build/libpng/libpng-1.2.56/contrib/pngsuite/ + +AFLPP_DRIVER_DUMMY_INPUT:=$(BUILD_DIR)in +QEMU_OUT:=$(BUILD_DIR)qemu-out +FRIDA_OUT:=$(BUILD_DIR)frida-out + +AFL_QEMU_PERSISTENT_ADDR=$(shell $(PWD)../get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x4000000000) + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)../get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000aaaaaaaaa000) +endif + +ifeq "$(ARCH)" "x86_64" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)../get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000555555554000) +endif + +.PHONY: all clean qemu frida + +all: + make -C $(ROOT)frida_mode/test/png/persistent/ + +$(BUILD_DIR): + mkdir -p $@ + +$(TEST_DATA_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(AFLPP_DRIVER_DUMMY_INPUT): | $(BUILD_DIR) + truncate -s 1M $@ + +$(AFLPP_DRIVER_HOOK_OBJ): | $(AFLPP_DRIVER_HOOK_DIR) + make -C $(AFLPP_DRIVER_HOOK_DIR) + +qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) + AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ + AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ + AFL_QEMU_PERSISTENT_GPR=1 \ + $(ROOT)/afl-fuzz \ + -D \ + -V 30 \ + -Q \ + -i $(TEST_DATA_DIR) \ + -o $(QEMU_OUT) \ + -- \ + $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) + +frida: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ + AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ + $(ROOT)afl-fuzz \ + -D \ + -V 30 \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) + +clean: + rm -rf $(BUILD_DIR) + diff --git a/frida_mode/test/png/persistent/hook/Makefile b/frida_mode/test/png/persistent/hook/Makefile new file mode 100644 index 00000000..f322d1f5 --- /dev/null +++ b/frida_mode/test/png/persistent/hook/Makefile @@ -0,0 +1,12 @@ +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake + +clean: + @gmake clean + +qemu: + @gmake qemu + +frida: + @gmake frida \ No newline at end of file diff --git a/frida_mode/test/testinstr.c b/frida_mode/test/testinstr.c deleted file mode 100644 index 37d47f91..00000000 --- a/frida_mode/test/testinstr.c +++ /dev/null @@ -1,112 +0,0 @@ -/* - american fuzzy lop++ - a trivial program to test the build - -------------------------------------------------------- - Originally written by Michal Zalewski - Copyright 2014 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 - */ - -#include -#include -#include -#include -#include - -#ifdef __APPLE__ - #define TESTINSTR_SECTION -#else - #define TESTINSTR_SECTION __attribute__((section(".testinstr"))) -#endif - -TESTINSTR_SECTION void testinstr(char *buf, int len) { - - if (len < 1) return; - buf[len] = 0; - - // we support three input cases - if (buf[0] == '0') - printf("Looks like a zero to me!\n"); - else if (buf[0] == '1') - printf("Pretty sure that is a one!\n"); - else - printf("Neither one or zero? How quaint!\n"); - -} - -int main(int argc, char **argv) { - - char * file; - int fd = -1; - off_t len; - char * buf = NULL; - size_t n_read; - int result = -1; - - if (argc != 2) { return 1; } - - do { - - file = argv[1]; - - dprintf(STDERR_FILENO, "Running: %s\n", file); - - fd = open(file, O_RDONLY); - if (fd < 0) { - - perror("open"); - break; - - } - - len = lseek(fd, 0, SEEK_END); - if (len < 0) { - - perror("lseek (SEEK_END)"); - break; - - } - - if (lseek(fd, 0, SEEK_SET) != 0) { - - perror("lseek (SEEK_SET)"); - break; - - } - - buf = malloc(len); - if (buf == NULL) { - - perror("malloc"); - break; - - } - - n_read = read(fd, buf, len); - if (n_read != len) { - - perror("read"); - break; - - } - - dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); - - testinstr(buf, len); - dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read); - - result = 0; - - } while (false); - - if (buf != NULL) { free(buf); } - - if (fd != -1) { close(fd); } - - return result; - -} - diff --git a/frida_mode/test/testinstr.py b/frida_mode/test/testinstr.py deleted file mode 100755 index f648808b..00000000 --- a/frida_mode/test/testinstr.py +++ /dev/null @@ -1,49 +0,0 @@ -#!/usr/bin/env python3 -import argparse -from elftools.elf.elffile import ELFFile - - -def process_file(file, section, base): - with open(file, "rb") as f: - for sect in ELFFile(f).iter_sections(): - if sect.name == section: - start = base + sect.header["sh_offset"] - end = start + sect.header["sh_size"] - print("0x%016x-0x%016x" % (start, end)) - return - - print("Section '%s' not found in '%s'" % (section, file)) - - -def hex_value(x): - return int(x, 16) - - -def main(): - parser = argparse.ArgumentParser(description="Process some integers.") - parser.add_argument( - "-f", "--file", dest="file", type=str, help="elf file name", required=True - ) - parser.add_argument( - "-s", - "--section", - dest="section", - type=str, - help="elf section name", - required=True, - ) - parser.add_argument( - "-b", - "--base", - dest="base", - type=hex_value, - help="elf base address", - required=True, - ) - - args = parser.parse_args() - process_file(args.file, args.section, args.base) - - -if __name__ == "__main__": - main() diff --git a/frida_mode/test/testinstr/GNUmakefile b/frida_mode/test/testinstr/GNUmakefile new file mode 100644 index 00000000..9aa24ee5 --- /dev/null +++ b/frida_mode/test/testinstr/GNUmakefile @@ -0,0 +1,50 @@ +PWD:=$(shell pwd)/ +ROOT:=$(shell realpath $(PWD)../../..)/ +BUILD_DIR:=$(PWD)build/ +TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/ +TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in + +TESTINSTBIN:=$(BUILD_DIR)testinstr +TESTINSTSRC:=$(PWD)testinstr.c + +QEMU_OUT:=$(BUILD_DIR)qemu-out +FRIDA_OUT:=$(BUILD_DIR)frida-out + +.PHONY: all clean qemu frida + +all: $(TESTINSTBIN) + make -C $(ROOT)frida_mode/ + +$(BUILD_DIR): + mkdir -p $@ + +$(TESTINSTR_DATA_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR) + echo -n "000" > $@ + +$(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) + $(CC) -o $@ $< + +clean: + rm -rf $(BUILD_DIR) + + +qemu: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + $(ROOT)afl-fuzz \ + -D \ + -Q \ + -i $(TESTINSTR_DATA_DIR) \ + -o $(QEMU_OUT) \ + -- \ + $(TESTINSTBIN) @@ + +frida: $(FRIDA_TRACE) $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TESTINSTR_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TESTINSTBIN) @@ \ No newline at end of file diff --git a/frida_mode/test/testinstr/Makefile b/frida_mode/test/testinstr/Makefile new file mode 100644 index 00000000..f322d1f5 --- /dev/null +++ b/frida_mode/test/testinstr/Makefile @@ -0,0 +1,12 @@ +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake + +clean: + @gmake clean + +qemu: + @gmake qemu + +frida: + @gmake frida \ No newline at end of file diff --git a/frida_mode/test/testinstr/testinstr.c b/frida_mode/test/testinstr/testinstr.c new file mode 100644 index 00000000..5e26fc46 --- /dev/null +++ b/frida_mode/test/testinstr/testinstr.c @@ -0,0 +1,112 @@ +/* + american fuzzy lop++ - a trivial program to test the build + -------------------------------------------------------- + Originally written by Michal Zalewski + Copyright 2014 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include + +#ifdef __APPLE__ + #define TESTINSTR_SECTION +#else + #define TESTINSTR_SECTION __attribute__((section(".testinstr"))) +#endif + +void testinstr(char *buf, int len) { + + if (len < 1) return; + buf[len] = 0; + + // we support three input cases + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else if (buf[0] == '1') + printf("Pretty sure that is a one!\n"); + else + printf("Neither one or zero? How quaint!\n"); + +} + +TESTINSTR_SECTION int main(int argc, char **argv) { + + char * file; + int fd = -1; + off_t len; + char * buf = NULL; + size_t n_read; + int result = -1; + + if (argc != 2) { return 1; } + + do { + + file = argv[1]; + + dprintf(STDERR_FILENO, "Running: %s\n", file); + + fd = open(file, O_RDONLY); + if (fd < 0) { + + perror("open"); + break; + + } + + len = lseek(fd, 0, SEEK_END); + if (len < 0) { + + perror("lseek (SEEK_END)"); + break; + + } + + if (lseek(fd, 0, SEEK_SET) != 0) { + + perror("lseek (SEEK_SET)"); + break; + + } + + buf = malloc(len); + if (buf == NULL) { + + perror("malloc"); + break; + + } + + n_read = read(fd, buf, len); + if (n_read != len) { + + perror("read"); + break; + + } + + dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); + + testinstr(buf, len); + dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read); + + result = 0; + + } while (false); + + if (buf != NULL) { free(buf); } + + if (fd != -1) { close(fd); } + + return result; + +} + diff --git a/include/envs.h b/include/envs.h index ebe98257..cd23ca3f 100644 --- a/include/envs.h +++ b/include/envs.h @@ -59,6 +59,9 @@ static char *afl_environment_variables[] = { "AFL_FRIDA_INST_RANGES", "AFL_FRIDA_INST_STRICT", "AFL_FRIDA_INST_TRACE", + "AFL_FRIDA_PERSISTENT_ADDR", + "AFL_FRIDA_PERSISTENT_CNT", + "AFL_FRIDA_PERSISTENT_HOOK", "AFL_FUZZER_ARGS", // oss-fuzz "AFL_GDB", "AFL_GCC_ALLOWLIST", diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 552bbea8..2089ce78 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -79,8 +79,9 @@ #endif #if defined(__HAIKU__) - extern ssize_t _kern_write(int fd, off_t pos, const void *buffer, size_t bufferSize); -#endif // HAIKU +extern ssize_t _kern_write(int fd, off_t pos, const void *buffer, + size_t bufferSize); +#endif // HAIKU u8 __afl_area_initial[MAP_INITIAL_SIZE]; u8 * __afl_area_ptr_dummy = __afl_area_initial; @@ -1754,11 +1755,11 @@ static int area_is_valid(void *ptr, size_t len) { if (unlikely(!ptr || __asan_region_is_poisoned(ptr, len))) { return 0; } - #ifndef __HAIKU__ - long r = syscall(SYS_write, __afl_dummy_fd[1], ptr, len); - #else - long r = _kern_write(__afl_dummy_fd[1], -1, ptr, len); - #endif // HAIKU +#ifndef __HAIKU__ + long r = syscall(SYS_write, __afl_dummy_fd[1], ptr, len); +#else + long r = _kern_write(__afl_dummy_fd[1], -1, ptr, len); +#endif // HAIKU if (r <= 0 || r > len) return 0; diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc index f6cdbe9e..68bd2fa5 100644 --- a/instrumentation/afl-llvm-lto-instrumentation.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc @@ -89,11 +89,11 @@ class AFLLTOPass : public ModulePass { bool runOnModule(Module &M) override; protected: - uint32_t afl_global_id = 1, autodictionary = 1; - uint32_t function_minimum_size = 1; - uint32_t inst_blocks = 0, inst_funcs = 0, total_instr = 0; + uint32_t afl_global_id = 1, autodictionary = 1; + uint32_t function_minimum_size = 1; + uint32_t inst_blocks = 0, inst_funcs = 0, total_instr = 0; unsigned long long int map_addr = 0x10000; - char * skip_nozero = NULL; + char * skip_nozero = NULL; }; diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index d73b0336..d1ca56b8 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit d73b0336b451fd034e5f469089fb7ee96c80adf2 +Subproject commit d1ca56b84e78f821406eef28d836918edfc8d610 diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 727e7f8d..d533fd4a 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -416,7 +416,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, struct rlimit r; - if (!fsrv->cmplog_binary && fsrv->qemu_mode == false) { + if (!fsrv->cmplog_binary && fsrv->qemu_mode == false && + fsrv->frida_mode == false) { unsetenv(CMPLOG_SHM_ENV_VAR); // we do not want that in non-cmplog fsrv diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 27c6c413..c2e9c80f 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -35,7 +35,7 @@ void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv) { if (fsrv->qemu_mode) { setenv("AFL_DISABLE_LLVM_INSTRUMENTATION", "1", 0); } - if (!fsrv->qemu_mode && argv[0] != fsrv->cmplog_binary) { + if (!fsrv->qemu_mode && !fsrv->frida_mode && argv[0] != fsrv->cmplog_binary) { argv[0] = fsrv->cmplog_binary; diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index b6bfbc29..547311c7 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2774,6 +2774,14 @@ void check_binary(afl_state_t *afl, u8 *fname) { WARNF("AFL_PERSISTENT is no longer supported and may misbehave!"); + } else if (getenv("AFL_FRIDA_PERSISTENT_ADDR")) { + + OKF("FRIDA Persistent mode configuration options detected."); + setenv(PERSIST_ENV_VAR, "1", 1); + afl->persistent_mode = 1; + + afl->shmem_testcase_mode = 1; + } if (afl->fsrv.frida_mode || diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 3606533d..58b0a5c2 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1697,13 +1697,14 @@ int main(int argc, char **argv_orig, char **envp) { // TODO: this is semi-nice afl->cmplog_fsrv.trace_bits = afl->fsrv.trace_bits; afl->cmplog_fsrv.qemu_mode = afl->fsrv.qemu_mode; + afl->cmplog_fsrv.frida_mode = afl->fsrv.frida_mode; afl->cmplog_fsrv.cmplog_binary = afl->cmplog_binary; afl->cmplog_fsrv.init_child_func = cmplog_exec_child; if ((map_size <= DEFAULT_SHMEM_SIZE || afl->cmplog_fsrv.map_size < map_size) && !afl->non_instrumented_mode && !afl->fsrv.qemu_mode && - !afl->unicorn_mode) { + !afl->fsrv.frida_mode && !afl->unicorn_mode) { afl->cmplog_fsrv.map_size = MAX(map_size, (u32)DEFAULT_SHMEM_SIZE); char vbuf[16]; -- cgit 1.4.1 From da65eef57279dae7b652c40bdb31bc6cd749f63d Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 28 Apr 2021 12:57:29 +0200 Subject: fix frida mode --- frida_mode/GNUmakefile | 6 +++--- frida_mode/include/persistent.h | 7 ++++++- frida_mode/src/lib.c | 2 +- frida_mode/src/persistent/persistent.c | 3 --- 4 files changed, 10 insertions(+), 8 deletions(-) (limited to 'frida_mode/include') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index 51107910..6b193806 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -5,7 +5,7 @@ SRC_DIR:=$(PWD)src/ INCLUDES:=$(wildcard $(INC_DIR)*.h) SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c) BUILD_DIR:=$(PWD)build/ -CFLAGS+=-fPIC -D_GNU_SOURCE -Wno-prio-ctor-dtor +CFLAGS+=-fPIC -D_GNU_SOURCE -Wno-prio-ctor-dtor -fcommon -Wl,--allow-multiple-definition FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/ FRIDA_TRACE:=$(BUILD_DIR)afl-frida-trace.so @@ -71,8 +71,8 @@ $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(SOURCES) $(QEMU_INC_A -I $(ROOT) \ -I $(ROOT)include \ -I $(INC_DIR) \ - $(ROOT)instrumentation/afl-compiler-rt.o.c \ - -lpthread -ldl -lresolv -lelf + $(ROOT)instrumentation/afl-compiler-rt.o.c +# -lpthread -ldl -lresolv -lelf cp -v $(FRIDA_TRACE) $(ROOT) diff --git a/frida_mode/include/persistent.h b/frida_mode/include/persistent.h index 14c8a268..017c26c7 100644 --- a/frida_mode/include/persistent.h +++ b/frida_mode/include/persistent.h @@ -1,5 +1,9 @@ -#include "frida-gum.h" +#ifndef _PERSISTENT_H + +#define _PERSISTENT_H + +#include "frida-gum.h" #include "config.h" typedef struct arch_api_regs api_regs; @@ -24,3 +28,4 @@ gboolean persistent_is_supported(void); void persistent_prologue(GumStalkerOutput *output); +#endif diff --git a/frida_mode/src/lib.c b/frida_mode/src/lib.c index 326d4819..6e27c170 100644 --- a/frida_mode/src/lib.c +++ b/frida_mode/src/lib.c @@ -1,6 +1,6 @@ #include #include -#include +#include #include #include #include diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c index fe3a1d20..34e4093e 100644 --- a/frida_mode/src/persistent/persistent.c +++ b/frida_mode/src/persistent/persistent.c @@ -9,9 +9,6 @@ #include "util.h" int __afl_sharedmem_fuzzing = 0; -afl_persistent_hook_fn hook = NULL; -guint64 persistent_start = 0; -guint64 persistent_count = 0; void persistent_init(void) { -- cgit 1.4.1 From 3a0d4fe0d0a585d152a59ca4601d1981cedbf113 Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Wed, 28 Apr 2021 18:26:19 +0100 Subject: Bumped warnings up to the max and fixed remaining issues (#890) Co-authored-by: Your Name --- frida_mode/GNUmakefile | 64 +++++++++++++++++++++++++----- frida_mode/include/complog.h | 5 +++ frida_mode/include/instrument.h | 11 +++-- frida_mode/include/interceptor.h | 5 +++ frida_mode/include/lib.h | 5 +++ frida_mode/include/persistent.h | 8 ++-- frida_mode/include/prefetch.h | 5 +++ frida_mode/include/ranges.h | 5 +++ frida_mode/include/stalker.h | 5 +++ frida_mode/include/util.h | 8 ++++ frida_mode/src/complog/complog.c | 3 ++ frida_mode/src/complog/complog_x64.c | 50 ++++++++++------------- frida_mode/src/instrument/instrument.c | 9 +++-- frida_mode/src/interceptor.c | 2 +- frida_mode/src/main.c | 7 ++-- frida_mode/src/persistent/persistent.c | 3 ++ frida_mode/src/persistent/persistent_x64.c | 2 +- frida_mode/src/ranges.c | 19 ++++----- frida_mode/test/png/GNUmakefile | 1 - 19 files changed, 153 insertions(+), 64 deletions(-) (limited to 'frida_mode/include') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index 6b193806..e317237a 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -3,9 +3,25 @@ ROOT:=$(shell realpath $(PWD)..)/ INC_DIR:=$(PWD)include/ SRC_DIR:=$(PWD)src/ INCLUDES:=$(wildcard $(INC_DIR)*.h) -SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c) BUILD_DIR:=$(PWD)build/ -CFLAGS+=-fPIC -D_GNU_SOURCE -Wno-prio-ctor-dtor -fcommon -Wl,--allow-multiple-definition +OBJ_DIR:=$(BUILD_DIR)obj/ +SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c) +OBJS:=$(foreach src,$(SOURCES),$(OBJ_DIR)$(notdir $(patsubst %.c, %.o, $(src)))) +CFLAGS+=-fPIC \ + -D_GNU_SOURCE \ + -D_FORTIFY_SOURCE=2 \ + -Werror \ + -Wall \ + -Wextra \ + -Wpointer-arith \ + -g \ + -O3 \ + -funroll-loops \ + +LDFLAGS+=-shared \ + -lpthread \ + -lresolv \ + -ldl \ FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/ FRIDA_TRACE:=$(BUILD_DIR)afl-frida-trace.so @@ -36,7 +52,8 @@ GUM_DEVKIT_TARBALL:=$(FRIDA_BUILD_DIR)$(GUM_DEVKIT_FILENAME) GUM_DEVIT_LIBRARY=$(FRIDA_BUILD_DIR)libfrida-gum.a GUM_DEVIT_HEADER=$(FRIDA_BUILD_DIR)frida-gum.h -TEST_BUILD_DIR:=$(BUILD_DIR)test/ +AFL_COMPILER_RT_SRC:=$(ROOT)instrumentation/afl-compiler-rt.o.c +AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o .PHONY: all clean format @@ -49,6 +66,9 @@ all: $(FRIDA_TRACE) $(BUILD_DIR): mkdir -p $(BUILD_DIR) +$(OBJ_DIR): | $(BUILD_DIR) + mkdir -p $@ + $(FRIDA_BUILD_DIR): | $(BUILD_DIR) mkdir -p $@ @@ -61,18 +81,40 @@ $(GUM_DEVIT_LIBRARY): | $(GUM_DEVKIT_TARBALL) $(GUM_DEVIT_HEADER): | $(GUM_DEVKIT_TARBALL) tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR) -$(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(SOURCES) $(QEMU_INC_API) Makefile | $(BUILD_DIR) - $(CC) -shared \ +$(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC) + $(CC) \ $(CFLAGS) \ - -o $@ \ - $(SOURCES) \ - $(GUM_DEVIT_LIBRARY) \ - -I $(FRIDA_BUILD_DIR) \ -I $(ROOT) \ -I $(ROOT)include \ + -Wno-unused-parameter \ + -Wno-sign-compare \ + -Wno-unused-function \ + -Wno-prio-ctor-dtor \ + -Wno-unused-result \ + -o $@ \ + -c $< + + +define BUILD_SOURCE = +$(2): $(1) GNUmakefile | $(OBJ_DIR) + $(CC) \ + $(CFLAGS) \ + -I $(ROOT)include \ + -I $(FRIDA_BUILD_DIR) \ -I $(INC_DIR) \ - $(ROOT)instrumentation/afl-compiler-rt.o.c -# -lpthread -ldl -lresolv -lelf + -c $1 \ + -o $2 +endef + +$(foreach src,$(SOURCES),$(eval $(call BUILD_SOURCE,$(src),$(OBJ_DIR)$(notdir $(patsubst %.c, %.o, $(src)))))) + +$(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(AFL_COMPILER_RT_OBJ) GNUmakefile | $(BUILD_DIR) + $(CC) \ + -o $@ \ + $(OBJS) \ + $(GUM_DEVIT_LIBRARY) \ + $(AFL_COMPILER_RT_OBJ) \ + $(LDFLAGS) \ cp -v $(FRIDA_TRACE) $(ROOT) diff --git a/frida_mode/include/complog.h b/frida_mode/include/complog.h index 094b7b93..1c1adb6d 100644 --- a/frida_mode/include/complog.h +++ b/frida_mode/include/complog.h @@ -1,3 +1,6 @@ +#ifndef _COMPLOG_H +#define _COMPLOG_H + extern struct cmp_map *__afl_cmp_map; void complog_init(void); @@ -7,3 +10,5 @@ void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator); gboolean complog_is_readable(void *addr, size_t size); +#endif + diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index 1b6c6bba..03fd33e5 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -1,10 +1,13 @@ +#ifndef _INSTRUMENT_H +#define _INSTRUMENT_H + #include "frida-gum.h" #include "config.h" -extern uint64_t __thread previous_pc; -extern uint8_t *__afl_area_ptr; -extern uint32_t __afl_map_size; +extern __thread uint64_t previous_pc; +extern uint8_t * __afl_area_ptr; +extern uint32_t __afl_map_size; void instrument_init(void); @@ -16,3 +19,5 @@ gboolean instrument_is_coverage_optimize_supported(void); void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output); +#endif + diff --git a/frida_mode/include/interceptor.h b/frida_mode/include/interceptor.h index 49c0630a..0ff754a4 100644 --- a/frida_mode/include/interceptor.h +++ b/frida_mode/include/interceptor.h @@ -1,6 +1,11 @@ +#ifndef _INTERCEPTOR_H +#define _INTERCEPTOR_H + #include "frida-gum.h" void intercept(void *address, gpointer replacement, gpointer user_data); void unintercept(void *address); void unintercept_self(void); +#endif + diff --git a/frida_mode/include/lib.h b/frida_mode/include/lib.h index 1dc426a2..237aecb0 100644 --- a/frida_mode/include/lib.h +++ b/frida_mode/include/lib.h @@ -1,3 +1,6 @@ +#ifndef _LIB_H +#define _LIB_H + #include "frida-gum.h" void lib_init(void); @@ -6,3 +9,5 @@ guint64 lib_get_text_base(void); guint64 lib_get_text_limit(void); +#endif + diff --git a/frida_mode/include/persistent.h b/frida_mode/include/persistent.h index 017c26c7..e58c5301 100644 --- a/frida_mode/include/persistent.h +++ b/frida_mode/include/persistent.h @@ -1,6 +1,5 @@ #ifndef _PERSISTENT_H - #define _PERSISTENT_H #include "frida-gum.h" @@ -17,9 +16,9 @@ extern int __afl_persistent_loop(unsigned int max_cnt); extern unsigned int * __afl_fuzz_len; extern unsigned char *__afl_fuzz_ptr; -guint64 persistent_start; -guint64 persistent_count; -afl_persistent_hook_fn hook; +extern guint64 persistent_start; +extern guint64 persistent_count; +extern afl_persistent_hook_fn hook; void persistent_init(void); @@ -29,3 +28,4 @@ gboolean persistent_is_supported(void); void persistent_prologue(GumStalkerOutput *output); #endif + diff --git a/frida_mode/include/prefetch.h b/frida_mode/include/prefetch.h index 110f717f..8f0cee68 100644 --- a/frida_mode/include/prefetch.h +++ b/frida_mode/include/prefetch.h @@ -1,6 +1,11 @@ +#ifndef _PREFETCH_H +#define _PREFETCH_H + #include "frida-gum.h" void prefetch_init(void); void prefetch_write(void *addr); void prefetch_read(void); +#endif + diff --git a/frida_mode/include/ranges.h b/frida_mode/include/ranges.h index a021f35c..f652eb8a 100644 --- a/frida_mode/include/ranges.h +++ b/frida_mode/include/ranges.h @@ -1,6 +1,11 @@ +#ifndef _RANGES_H +#define _RANGES_H + #include "frida-gum.h" void ranges_init(void); gboolean range_is_excluded(gpointer address); +#endif + diff --git a/frida_mode/include/stalker.h b/frida_mode/include/stalker.h index 1962eec9..1f1abb6b 100644 --- a/frida_mode/include/stalker.h +++ b/frida_mode/include/stalker.h @@ -1,3 +1,6 @@ +#ifndef _STALKER_H +#define _STALKER_H + #include "frida-gum.h" void stalker_init(void); @@ -6,3 +9,5 @@ void stalker_start(void); void stalker_pause(void); void stalker_resume(void); +#endif + diff --git a/frida_mode/include/util.h b/frida_mode/include/util.h index 5b4ea76b..afd0b9c1 100644 --- a/frida_mode/include/util.h +++ b/frida_mode/include/util.h @@ -1,6 +1,14 @@ +#ifndef _UTIL_H +#define _UTIL_H + #include "frida-gum.h" +#define UNUSED_PARAMETER(x) (void)(x) +#define IGNORED_RERURN(x) (void)!(x) + guint64 util_read_address(char *key); guint64 util_read_num(char *key); +#endif + diff --git a/frida_mode/src/complog/complog.c b/frida_mode/src/complog/complog.c index 3b679a5c..1857ea3b 100644 --- a/frida_mode/src/complog/complog.c +++ b/frida_mode/src/complog/complog.c @@ -2,6 +2,7 @@ #include "debug.h" #include "cmplog.h" +#include "util.h" extern struct cmp_map *__afl_cmp_map; @@ -10,8 +11,10 @@ static GArray *complog_ranges = NULL; static gboolean complog_range(const GumRangeDetails *details, gpointer user_data) { + UNUSED_PARAMETER(user_data); GumMemoryRange range = *details->range; g_array_append_val(complog_ranges, range); + return TRUE; } diff --git a/frida_mode/src/complog/complog_x64.c b/frida_mode/src/complog/complog_x64.c index 253ec041..28010e7f 100644 --- a/frida_mode/src/complog/complog_x64.c +++ b/frida_mode/src/complog/complog_x64.c @@ -4,6 +4,7 @@ #include "cmplog.h" #include "complog.h" +#include "util.h" #if defined(__x86_64__) @@ -148,7 +149,27 @@ static guint64 complog_read_mem(GumX64CpuContext *ctx, x86_op_mem *mem) { } -static void complog_handle_call(GumCpuContext *context, guint64 target) { +static guint64 cmplog_get_operand_value(GumCpuContext *context, + complog_ctx_t *ctx) { + + switch (ctx->type) { + + case X86_OP_REG: + return complog_read_reg(context, ctx->reg); + case X86_OP_IMM: + return ctx->imm; + case X86_OP_MEM: + return complog_read_mem(context, &ctx->mem); + default: + FATAL("Invalid operand type: %d\n", ctx->type); + + } + +} + +static void complog_call_callout(GumCpuContext *context, gpointer user_data) { + + UNUSED_PARAMETER(user_data); guint64 address = complog_read_reg(context, X86_REG_RIP); guint64 rdi = complog_read_reg(context, X86_REG_RDI); @@ -179,33 +200,6 @@ static void complog_handle_call(GumCpuContext *context, guint64 target) { } -static guint64 cmplog_get_operand_value(GumCpuContext *context, - complog_ctx_t *ctx) { - - switch (ctx->type) { - - case X86_OP_REG: - return complog_read_reg(context, ctx->reg); - case X86_OP_IMM: - return ctx->imm; - case X86_OP_MEM: - return complog_read_mem(context, &ctx->mem); - default: - FATAL("Invalid operand type: %d\n", ctx->type); - - } - -} - -static void complog_call_callout(GumCpuContext *context, gpointer user_data) { - - complog_ctx_t *ctx = (complog_ctx_t *)user_data; - - guint64 target = cmplog_get_operand_value(context, ctx); - complog_handle_call(context, target); - -} - static void complog_instrument_put_operand(complog_ctx_t *ctx, cs_x86_op * operand) { diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 81080bee..3806136a 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -11,17 +11,18 @@ #include "prefetch.h" #include "ranges.h" #include "stalker.h" +#include "util.h" static gboolean tracing = false; static gboolean optimize = false; -static gboolean strict = false; static GumStalkerTransformer *transformer = NULL; -uint64_t __thread previous_pc = 0; +__thread uint64_t previous_pc = 0; __attribute__((hot)) static void on_basic_block(GumCpuContext *context, gpointer user_data) { + UNUSED_PARAMETER(context); /* * This function is performance critical as it is called to instrument every * basic block. By moving our print buffer to a global, we avoid it affecting @@ -44,7 +45,7 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context, "x, previous_pc: 0x%016" G_GINT64_MODIFIER "x\n", current_pc, previous_pc); - write(STDOUT_FILENO, buffer, len + 1); + IGNORED_RERURN(write(STDOUT_FILENO, buffer, len + 1)); } @@ -72,6 +73,8 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context, static void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, gpointer user_data) { + UNUSED_PARAMETER(user_data); + const cs_insn *instr; gboolean begin = TRUE; while (gum_stalker_iterator_next(iterator, &instr)) { diff --git a/frida_mode/src/interceptor.c b/frida_mode/src/interceptor.c index 8d41b075..d2802752 100644 --- a/frida_mode/src/interceptor.c +++ b/frida_mode/src/interceptor.c @@ -10,7 +10,7 @@ void intercept(void *address, gpointer replacement, gpointer user_data) { gum_interceptor_begin_transaction(interceptor); GumReplaceReturn ret = gum_interceptor_replace(interceptor, address, replacement, user_data); - if (ret != GUM_ATTACH_OK) { FATAL("gum_interceptor_attach: %d", ret); } + if (ret != GUM_REPLACE_OK) { FATAL("gum_interceptor_attach: %d", ret); } gum_interceptor_end_transaction(interceptor); } diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index f712a8c0..11cf041c 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -21,6 +21,7 @@ #include "prefetch.h" #include "ranges.h" #include "stalker.h" +#include "util.h" #ifdef __APPLE__ extern mach_port_t mach_task_self(); @@ -36,8 +37,6 @@ typedef int *(*main_fn_t)(int argc, char **argv, char **envp); static main_fn_t main_fn = NULL; -static GumMemoryRange code_range = {0}; - extern void __afl_manual_init(); static int on_fork(void) { @@ -55,6 +54,8 @@ static void on_main_os(int argc, char **argv, char **envp) { #else static void on_main_os(int argc, char **argv, char **envp) { + UNUSED_PARAMETER(argc); + /* Personality doesn't affect the current process, it only takes effect on * evec */ int persona = personality(ADDR_NO_RANDOMIZE); @@ -97,7 +98,7 @@ static int *on_main(int argc, char **argv, char **envp) { /* Child here */ previous_pc = 0; stalker_resume(); - main_fn(argc, argv, envp); + return main_fn(argc, argv, envp); } diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c index 34e4093e..fe3a1d20 100644 --- a/frida_mode/src/persistent/persistent.c +++ b/frida_mode/src/persistent/persistent.c @@ -9,6 +9,9 @@ #include "util.h" int __afl_sharedmem_fuzzing = 0; +afl_persistent_hook_fn hook = NULL; +guint64 persistent_start = 0; +guint64 persistent_count = 0; void persistent_init(void) { diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c index 0cabbf24..5b8493b2 100644 --- a/frida_mode/src/persistent/persistent_x64.c +++ b/frida_mode/src/persistent/persistent_x64.c @@ -231,7 +231,7 @@ static int instrument_afl_persistent_loop_func(void) { } -static int instrument_afl_persistent_loop(GumX86Writer *cw) { +static void instrument_afl_persistent_loop(GumX86Writer *cw) { gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, -(GUM_RED_ZONE_SIZE)); diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c index 6fcbd258..e3f09f9e 100644 --- a/frida_mode/src/ranges.c +++ b/frida_mode/src/ranges.c @@ -5,6 +5,7 @@ #include "lib.h" #include "ranges.h" #include "stalker.h" +#include "util.h" #define MAX_RANGES 20 @@ -167,6 +168,7 @@ gint range_sort(gconstpointer a, gconstpointer b) { static gboolean print_ranges_callback(const GumRangeDetails *details, gpointer user_data) { + UNUSED_PARAMETER(user_data); if (details->file == NULL) { OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER "X", @@ -190,7 +192,7 @@ static gboolean print_ranges_callback(const GumRangeDetails *details, static void print_ranges(char *key, GArray *ranges) { OKF("Range: %s Length: %d", key, ranges->len); - for (int i = 0; i < ranges->len; i++) { + for (guint i = 0; i < ranges->len; i++) { GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i); GumAddress curr_limit = curr->base_address + curr->size; @@ -345,10 +347,10 @@ static GArray *intersect_ranges(GArray *a, GArray *b) { result = g_array_new(false, false, sizeof(GumMemoryRange)); - for (int i = 0; i < a->len; i++) { + for (guint i = 0; i < a->len; i++) { ra = &g_array_index(a, GumMemoryRange, i); - for (int j = 0; j < b->len; j++) { + for (guint j = 0; j < b->len; j++) { rb = &g_array_index(b, GumMemoryRange, j); @@ -377,11 +379,11 @@ static GArray *subtract_ranges(GArray *a, GArray *b) { result = g_array_new(false, false, sizeof(GumMemoryRange)); - for (int i = 0; i < a->len; i++) { + for (guint i = 0; i < a->len; i++) { ra = &g_array_index(a, GumMemoryRange, i); ral = ra->base_address + ra->size; - for (int j = 0; j < b->len; j++) { + for (guint j = 0; j < b->len; j++) { rb = &g_array_index(b, GumMemoryRange, j); @@ -453,7 +455,7 @@ static GArray *merge_ranges(GArray *a) { rp = g_array_index(a, GumMemoryRange, 0); - for (int i = 1; i < a->len; i++) { + for (guint i = 1; i < a->len; i++) { r = &g_array_index(a, GumMemoryRange, i); @@ -535,7 +537,7 @@ void ranges_init(void) { stalker = stalker_get(); - for (int i = 0; i < ranges->len; i++) { + for (guint i = 0; i < ranges->len; i++) { r = &g_array_index(ranges, GumMemoryRange, i); gum_stalker_exclude(stalker, r); @@ -551,12 +553,11 @@ void ranges_init(void) { gboolean range_is_excluded(gpointer address) { - int i; GumAddress test = GUM_ADDRESS(address); if (ranges == NULL) { return false; } - for (i = 0; i < ranges->len; i++) { + for (guint i = 0; i < ranges->len; i++) { GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i); GumAddress curr_limit = curr->base_address + curr->size; diff --git a/frida_mode/test/png/GNUmakefile b/frida_mode/test/png/GNUmakefile index c381f5ab..7de3e85a 100644 --- a/frida_mode/test/png/GNUmakefile +++ b/frida_mode/test/png/GNUmakefile @@ -80,7 +80,6 @@ $(TEST_BIN): $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) -o $@ \ $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) \ -lz \ - $(TEST_LDFLAGS) clean: rm -rf $(BUILD_DIR) -- cgit 1.4.1 From 094cd917b6bb1b179b737ca34ed08b386974ec4a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 30 Apr 2021 13:39:43 +0200 Subject: frida: complog -> cmplog --- frida_mode/README.md | 10 +- frida_mode/include/complog.h | 14 -- frida_mode/include/frida_cmplog.h | 14 ++ frida_mode/src/cmplog/cmplog.c | 75 +++++++ frida_mode/src/cmplog/cmplog_arm.c | 19 ++ frida_mode/src/cmplog/cmplog_arm64.c | 19 ++ frida_mode/src/cmplog/cmplog_x64.c | 356 ++++++++++++++++++++++++++++++++ frida_mode/src/cmplog/cmplog_x86.c | 19 ++ frida_mode/src/complog/complog.c | 76 ------- frida_mode/src/complog/complog_arm.c | 19 -- frida_mode/src/complog/complog_arm64.c | 19 -- frida_mode/src/complog/complog_x64.c | 357 --------------------------------- frida_mode/src/complog/complog_x86.c | 19 -- frida_mode/src/instrument/instrument.c | 6 +- frida_mode/src/lib/lib | Bin 4144 -> 0 bytes frida_mode/test/fuzzbench/fuzzer | Bin 1703936 -> 0 bytes frida_mode/test/libxml/xml | Bin 1849872 -> 0 bytes 17 files changed, 510 insertions(+), 512 deletions(-) delete mode 100644 frida_mode/include/complog.h create mode 100644 frida_mode/include/frida_cmplog.h create mode 100644 frida_mode/src/cmplog/cmplog.c create mode 100644 frida_mode/src/cmplog/cmplog_arm.c create mode 100644 frida_mode/src/cmplog/cmplog_arm64.c create mode 100644 frida_mode/src/cmplog/cmplog_x64.c create mode 100644 frida_mode/src/cmplog/cmplog_x86.c delete mode 100644 frida_mode/src/complog/complog.c delete mode 100644 frida_mode/src/complog/complog_arm.c delete mode 100644 frida_mode/src/complog/complog_arm64.c delete mode 100644 frida_mode/src/complog/complog_x64.c delete mode 100644 frida_mode/src/complog/complog_x86.c delete mode 100755 frida_mode/src/lib/lib delete mode 100755 frida_mode/test/fuzzbench/fuzzer delete mode 100755 frida_mode/test/libxml/xml (limited to 'frida_mode/include') diff --git a/frida_mode/README.md b/frida_mode/README.md index ddba6928..67dc6048 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -18,15 +18,15 @@ perhaps leverage some of its design and implementation. | -------------------------|:----------:|:---------------------------------------:| | NeverZero | x | | | Persistent Mode | x | (x64 only)(Only on function boundaries) | - | LAF-Intel / CompCov | - | (Superseded by CmpLog) | - | CmpLog | x | (x64 only) | + | LAF-Intel / CompCov | - | (CMPLOG is better 90% of the time) | + | CMPLOG | x | (x64 only) | | Selective Instrumentation| x | | | Non-Colliding Coverage | - | | | Ngram prev_loc Coverage | - | | | Context Coverage | - | | | Auto Dictionary | - | | | Snapshot LKM Support | - | | - | In-Memory Test Cases | x |(x64 only) | + | In-Memory Test Cases | x | (x64 only) | # Compatibility Currently FRIDA mode supports Linux and macOS targets on both x86/x64 @@ -112,9 +112,9 @@ to push and pop the full register context. Note that since this instrumentation is used on every basic block to generate coverage, it has a large impact on performance. -CmpLog support also adds code to the assembly, however, at present this code +CMPLOG support also adds code to the assembly, however, at present this code makes use of a basic C function and is yet to be optimized. Since not all -instances run CmpLog mode and instrumentation of the binary is less frequent +instances run CMPLOG mode and instrumentation of the binary is less frequent (only on CMP, SUB and CALL instructions) performance is not quite so critical. # Advanced configuration options diff --git a/frida_mode/include/complog.h b/frida_mode/include/complog.h deleted file mode 100644 index 1c1adb6d..00000000 --- a/frida_mode/include/complog.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef _COMPLOG_H -#define _COMPLOG_H - -extern struct cmp_map *__afl_cmp_map; - -void complog_init(void); - -/* Functions to be implemented by the different architectures */ -void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator); - -gboolean complog_is_readable(void *addr, size_t size); - -#endif - diff --git a/frida_mode/include/frida_cmplog.h b/frida_mode/include/frida_cmplog.h new file mode 100644 index 00000000..28864c0e --- /dev/null +++ b/frida_mode/include/frida_cmplog.h @@ -0,0 +1,14 @@ +#ifndef _CMPLOG_H +#define _CMPLOG_H + +extern struct cmp_map *__afl_cmp_map; + +void cmplog_init(void); + +/* Functions to be implemented by the different architectures */ +void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator); + +gboolean cmplog_is_readable(void *addr, size_t size); + +#endif + diff --git a/frida_mode/src/cmplog/cmplog.c b/frida_mode/src/cmplog/cmplog.c new file mode 100644 index 00000000..84412c0b --- /dev/null +++ b/frida_mode/src/cmplog/cmplog.c @@ -0,0 +1,75 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "util.h" + +extern struct cmp_map *__afl_cmp_map; + +static GArray *cmplog_ranges = NULL; + +static gboolean cmplog_range(const GumRangeDetails *details, + gpointer user_data) { + + UNUSED_PARAMETER(user_data); + GumMemoryRange range = *details->range; + g_array_append_val(cmplog_ranges, range); + return TRUE; + +} + +static gint cmplog_sort(gconstpointer a, gconstpointer b) { + + return ((GumMemoryRange *)b)->base_address - + ((GumMemoryRange *)a)->base_address; + +} + +void cmplog_init(void) { + + if (__afl_cmp_map != NULL) { OKF("CMPLOG mode enabled"); } + + cmplog_ranges = g_array_sized_new(false, false, sizeof(GumMemoryRange), 100); + gum_process_enumerate_ranges(GUM_PAGE_READ, cmplog_range, NULL); + g_array_sort(cmplog_ranges, cmplog_sort); + + for (guint i = 0; i < cmplog_ranges->len; i++) { + + GumMemoryRange *range = &g_array_index(cmplog_ranges, GumMemoryRange, i); + OKF("CMPLOG Range - 0x%016" G_GINT64_MODIFIER "X - 0x%016" G_GINT64_MODIFIER + "X", + range->base_address, range->base_address + range->size); + + } + +} + +static gboolean cmplog_contains(GumAddress inner_base, GumAddress inner_limit, + GumAddress outer_base, GumAddress outer_limit) { + + return (inner_base >= outer_base && inner_limit <= outer_limit); + +} + +gboolean cmplog_is_readable(void *addr, size_t size) { + + if (cmplog_ranges == NULL) FATAL("CMPLOG not initialized"); + + GumAddress inner_base = GUM_ADDRESS(addr); + GumAddress inner_limit = inner_base + size; + + for (guint i = 0; i < cmplog_ranges->len; i++) { + + GumMemoryRange *range = &g_array_index(cmplog_ranges, GumMemoryRange, i); + GumAddress outer_base = range->base_address; + GumAddress outer_limit = outer_base + range->size; + + if (cmplog_contains(inner_base, inner_limit, outer_base, outer_limit)) + return true; + + } + + return false; + +} + diff --git a/frida_mode/src/cmplog/cmplog_arm.c b/frida_mode/src/cmplog/cmplog_arm.c new file mode 100644 index 00000000..5af28f3f --- /dev/null +++ b/frida_mode/src/cmplog/cmplog_arm.c @@ -0,0 +1,19 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "frida_cmplog.h" +#include "util.h" + +#if defined(__arm__) +void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { + + UNUSED_PARAMETER(instr); + UNUSED_PARAMETER(iterator); + if (__afl_cmp_map == NULL) { return; } + FATAL("CMPLOG mode not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/src/cmplog/cmplog_arm64.c b/frida_mode/src/cmplog/cmplog_arm64.c new file mode 100644 index 00000000..187d0162 --- /dev/null +++ b/frida_mode/src/cmplog/cmplog_arm64.c @@ -0,0 +1,19 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "frida_cmplog.h" +#include "util.h" + +#if defined(__aarch64__) +void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { + + UNUSED_PARAMETER(instr); + UNUSED_PARAMETER(iterator); + if (__afl_cmp_map == NULL) { return; } + FATAL("CMPLOG mode not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/src/cmplog/cmplog_x64.c b/frida_mode/src/cmplog/cmplog_x64.c new file mode 100644 index 00000000..cdb698d5 --- /dev/null +++ b/frida_mode/src/cmplog/cmplog_x64.c @@ -0,0 +1,356 @@ +#include "frida-gum.h" + +#include "debug.h" +#include "cmplog.h" + +#include "frida_cmplog.h" +#include "util.h" + +#if defined(__x86_64__) + + #define X86_REG_8L(LABEL, REG) \ + case LABEL: { \ + \ + return REG & GUM_INT8_MASK; \ + \ + } + + #define X86_REG_8H(LABEL, REG) \ + case LABEL: { \ + \ + return (REG & GUM_INT16_MASK) >> 8; \ + \ + } + + #define X86_REG_16(LABEL, REG) \ + case LABEL: { \ + \ + return (REG & GUM_INT16_MASK); \ + \ + } + + #define X86_REG_32(LABEL, REG) \ + case LABEL: { \ + \ + return (REG & GUM_INT32_MASK); \ + \ + } + + #define X86_REG_64(LABEL, REG) \ + case LABEL: { \ + \ + return (REG); \ + \ + } + +typedef struct { + + x86_op_type type; + uint8_t size; + + union { + + x86_op_mem mem; + x86_reg reg; + int64_t imm; + + }; + +} cmplog_ctx_t; + +typedef struct { + + cmplog_ctx_t operand1; + cmplog_ctx_t operand2; + +} cmplog_pair_ctx_t; + +static guint64 cmplog_read_reg(GumX64CpuContext *ctx, x86_reg reg) { + + switch (reg) { + + X86_REG_8L(X86_REG_AL, ctx->rax) + X86_REG_8L(X86_REG_BL, ctx->rbx) + X86_REG_8L(X86_REG_CL, ctx->rcx) + X86_REG_8L(X86_REG_DL, ctx->rdx) + X86_REG_8L(X86_REG_BPL, ctx->rbp) + X86_REG_8L(X86_REG_SIL, ctx->rsi) + X86_REG_8L(X86_REG_DIL, ctx->rdi) + + X86_REG_8H(X86_REG_AH, ctx->rax) + X86_REG_8H(X86_REG_BH, ctx->rbx) + X86_REG_8H(X86_REG_CH, ctx->rcx) + X86_REG_8H(X86_REG_DH, ctx->rdx) + + X86_REG_16(X86_REG_AX, ctx->rax) + X86_REG_16(X86_REG_BX, ctx->rbx) + X86_REG_16(X86_REG_CX, ctx->rcx) + X86_REG_16(X86_REG_DX, ctx->rdx) + X86_REG_16(X86_REG_DI, ctx->rdi) + X86_REG_16(X86_REG_SI, ctx->rsi) + X86_REG_16(X86_REG_BP, ctx->rbp) + + X86_REG_32(X86_REG_EAX, ctx->rax) + X86_REG_32(X86_REG_ECX, ctx->rcx) + X86_REG_32(X86_REG_EDX, ctx->rdx) + X86_REG_32(X86_REG_EBX, ctx->rbx) + X86_REG_32(X86_REG_ESP, ctx->rsp) + X86_REG_32(X86_REG_EBP, ctx->rbp) + X86_REG_32(X86_REG_ESI, ctx->rsi) + X86_REG_32(X86_REG_EDI, ctx->rdi) + X86_REG_32(X86_REG_R8D, ctx->r8) + X86_REG_32(X86_REG_R9D, ctx->r9) + X86_REG_32(X86_REG_R10D, ctx->r10) + X86_REG_32(X86_REG_R11D, ctx->r11) + X86_REG_32(X86_REG_R12D, ctx->r12) + X86_REG_32(X86_REG_R13D, ctx->r13) + X86_REG_32(X86_REG_R14D, ctx->r14) + X86_REG_32(X86_REG_R15D, ctx->r15) + X86_REG_32(X86_REG_EIP, ctx->rip) + + X86_REG_64(X86_REG_RAX, ctx->rax) + X86_REG_64(X86_REG_RCX, ctx->rcx) + X86_REG_64(X86_REG_RDX, ctx->rdx) + X86_REG_64(X86_REG_RBX, ctx->rbx) + X86_REG_64(X86_REG_RSP, ctx->rsp) + X86_REG_64(X86_REG_RBP, ctx->rbp) + X86_REG_64(X86_REG_RSI, ctx->rsi) + X86_REG_64(X86_REG_RDI, ctx->rdi) + X86_REG_64(X86_REG_R8, ctx->r8) + X86_REG_64(X86_REG_R9, ctx->r9) + X86_REG_64(X86_REG_R10, ctx->r10) + X86_REG_64(X86_REG_R11, ctx->r11) + X86_REG_64(X86_REG_R12, ctx->r12) + X86_REG_64(X86_REG_R13, ctx->r13) + X86_REG_64(X86_REG_R14, ctx->r14) + X86_REG_64(X86_REG_R15, ctx->r15) + X86_REG_64(X86_REG_RIP, ctx->rip) + + default: + FATAL("Failed to read register: %d", reg); + return 0; + + } + +} + +static guint64 cmplog_read_mem(GumX64CpuContext *ctx, x86_op_mem *mem) { + + guint64 base = 0; + guint64 index = 0; + guint64 address; + + if (mem->base != X86_REG_INVALID) base = cmplog_read_reg(ctx, mem->base); + + if (mem->index != X86_REG_INVALID) index = cmplog_read_reg(ctx, mem->index); + + address = base + (index * mem->scale) + mem->disp; + return address; + +} + +static guint64 cmplog_get_operand_value(GumCpuContext *context, + cmplog_ctx_t * ctx) { + + switch (ctx->type) { + + case X86_OP_REG: + return cmplog_read_reg(context, ctx->reg); + case X86_OP_IMM: + return ctx->imm; + case X86_OP_MEM: + return cmplog_read_mem(context, &ctx->mem); + default: + FATAL("Invalid operand type: %d\n", ctx->type); + + } + +} + +static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { + + UNUSED_PARAMETER(user_data); + + guint64 address = cmplog_read_reg(context, X86_REG_RIP); + guint64 rdi = cmplog_read_reg(context, X86_REG_RDI); + guint64 rsi = cmplog_read_reg(context, X86_REG_RSI); + + void *ptr1 = GSIZE_TO_POINTER(rdi); + void *ptr2 = GSIZE_TO_POINTER(rsi); + + if (!cmplog_is_readable(ptr1, 32) || !cmplog_is_readable(ptr2, 32)) return; + + uintptr_t k = address; + + k = (k >> 4) ^ (k << 8); + k &= CMP_MAP_W - 1; + + __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits + 1; + + __afl_cmp_map->headers[k].shape = 31; + + hits &= CMP_MAP_RTN_H - 1; + gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0, ptr1, + 32); + gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1, ptr2, + 32); + +} + +static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx, + cs_x86_op * operand) { + + ctx->type = operand->type; + ctx->size = operand->size; + switch (operand->type) { + + case X86_OP_REG: + gum_memcpy(&ctx->reg, &operand->reg, sizeof(x86_reg)); + break; + case X86_OP_IMM: + gum_memcpy(&ctx->imm, &operand->imm, sizeof(int64_t)); + break; + case X86_OP_MEM: + gum_memcpy(&ctx->mem, &operand->mem, sizeof(x86_op_mem)); + break; + default: + FATAL("Invalid operand type: %d\n", operand->type); + + } + +} + +static void cmplog_instrument_call_put_callout(GumStalkerIterator *iterator, + cs_x86_op * operand) { + + cmplog_ctx_t *ctx = g_malloc(sizeof(cmplog_ctx_t)); + if (ctx == NULL) return; + + cmplog_instrument_put_operand(ctx, operand); + + gum_stalker_iterator_put_callout(iterator, cmplog_call_callout, ctx, g_free); + +} + +static void cmplog_instrument_call(const cs_insn * instr, + GumStalkerIterator *iterator) { + + cs_x86 x86 = instr->detail->x86; + cs_x86_op *operand; + + if (instr->id != X86_INS_CALL) return; + + if (x86.op_count != 1) return; + + operand = &x86.operands[0]; + + if (operand->type == X86_OP_INVALID) return; + if (operand->type == X86_OP_MEM && operand->mem.segment != X86_REG_INVALID) + return; + + cmplog_instrument_call_put_callout(iterator, operand); + +} + +static void cmplog_handle_cmp_sub(GumCpuContext *context, guint64 operand1, + guint64 operand2, uint8_t size) { + + guint64 address = cmplog_read_reg(context, X86_REG_RIP); + + register uintptr_t k = (uintptr_t)address; + + k = (k >> 4) ^ (k << 8); + k &= CMP_MAP_W - 1; + + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits + 1; + + __afl_cmp_map->headers[k].shape = (size - 1); + + hits &= CMP_MAP_H - 1; + __afl_cmp_map->log[k][hits].v0 = operand1; + __afl_cmp_map->log[k][hits].v1 = operand2; + +} + +static void cmplog_cmp_sub_callout(GumCpuContext *context, gpointer user_data) { + + cmplog_pair_ctx_t *ctx = (cmplog_pair_ctx_t *)user_data; + + if (ctx->operand1.size != ctx->operand2.size) FATAL("Operand size mismatch"); + + guint64 operand1 = cmplog_get_operand_value(context, &ctx->operand1); + guint64 operand2 = cmplog_get_operand_value(context, &ctx->operand2); + + cmplog_handle_cmp_sub(context, operand1, operand2, ctx->operand1.size); + +} + +static void cmplog_instrument_cmp_sub_put_callout(GumStalkerIterator *iterator, + cs_x86_op * operand1, + cs_x86_op *operand2) { + + cmplog_pair_ctx_t *ctx = g_malloc(sizeof(cmplog_pair_ctx_t)); + if (ctx == NULL) return; + + cmplog_instrument_put_operand(&ctx->operand1, operand1); + cmplog_instrument_put_operand(&ctx->operand2, operand2); + + gum_stalker_iterator_put_callout(iterator, cmplog_cmp_sub_callout, ctx, + g_free); + +} + +static void cmplog_instrument_cmp_sub(const cs_insn * instr, + GumStalkerIterator *iterator) { + + cs_x86 x86 = instr->detail->x86; + cs_x86_op *operand1; + cs_x86_op *operand2; + + switch (instr->id) { + + case X86_INS_CMP: + case X86_INS_SUB: + break; + default: + return; + + } + + if (x86.op_count != 2) return; + + operand1 = &x86.operands[0]; + operand2 = &x86.operands[1]; + + if (operand1->type == X86_OP_INVALID) return; + if (operand2->type == X86_OP_INVALID) return; + + if ((operand1->type == X86_OP_MEM) && + (operand1->mem.segment != X86_REG_INVALID)) + return; + + if ((operand2->type == X86_OP_MEM) && + (operand2->mem.segment != X86_REG_INVALID)) + return; + + cmplog_instrument_cmp_sub_put_callout(iterator, operand1, operand2); + +} + +void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { + + if (__afl_cmp_map == NULL) return; + + cmplog_instrument_call(instr, iterator); + cmplog_instrument_cmp_sub(instr, iterator); + +} + +#endif + diff --git a/frida_mode/src/cmplog/cmplog_x86.c b/frida_mode/src/cmplog/cmplog_x86.c new file mode 100644 index 00000000..2401180c --- /dev/null +++ b/frida_mode/src/cmplog/cmplog_x86.c @@ -0,0 +1,19 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "frida_cmplog.h" +#include "util.h" + +#if defined(__i386__) +void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { + + UNUSED_PARAMETER(instr); + UNUSED_PARAMETER(iterator); + if (__afl_cmp_map == NULL) { return; } + FATAL("CMPLOG mode not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/src/complog/complog.c b/frida_mode/src/complog/complog.c deleted file mode 100644 index ce8a3f62..00000000 --- a/frida_mode/src/complog/complog.c +++ /dev/null @@ -1,76 +0,0 @@ -#include "frida-gum.h" - -#include "debug.h" -#include "cmplog.h" -#include "util.h" - -extern struct cmp_map *__afl_cmp_map; - -static GArray *complog_ranges = NULL; - -static gboolean complog_range(const GumRangeDetails *details, - gpointer user_data) { - - UNUSED_PARAMETER(user_data); - GumMemoryRange range = *details->range; - g_array_append_val(complog_ranges, range); - return TRUE; - -} - -static gint complog_sort(gconstpointer a, gconstpointer b) { - - return ((GumMemoryRange *)b)->base_address - - ((GumMemoryRange *)a)->base_address; - -} - -void complog_init(void) { - - if (__afl_cmp_map != NULL) { OKF("CompLog mode enabled"); } - - complog_ranges = g_array_sized_new(false, false, sizeof(GumMemoryRange), 100); - gum_process_enumerate_ranges(GUM_PAGE_READ, complog_range, NULL); - g_array_sort(complog_ranges, complog_sort); - - for (guint i = 0; i < complog_ranges->len; i++) { - - GumMemoryRange *range = &g_array_index(complog_ranges, GumMemoryRange, i); - OKF("CompLog Range - 0x%016" G_GINT64_MODIFIER - "X - 0x%016" G_GINT64_MODIFIER "X", - range->base_address, range->base_address + range->size); - - } - -} - -static gboolean complog_contains(GumAddress inner_base, GumAddress inner_limit, - GumAddress outer_base, - GumAddress outer_limit) { - - return (inner_base >= outer_base && inner_limit <= outer_limit); - -} - -gboolean complog_is_readable(void *addr, size_t size) { - - if (complog_ranges == NULL) FATAL("CompLog not initialized"); - - GumAddress inner_base = GUM_ADDRESS(addr); - GumAddress inner_limit = inner_base + size; - - for (guint i = 0; i < complog_ranges->len; i++) { - - GumMemoryRange *range = &g_array_index(complog_ranges, GumMemoryRange, i); - GumAddress outer_base = range->base_address; - GumAddress outer_limit = outer_base + range->size; - - if (complog_contains(inner_base, inner_limit, outer_base, outer_limit)) - return true; - - } - - return false; - -} - diff --git a/frida_mode/src/complog/complog_arm.c b/frida_mode/src/complog/complog_arm.c deleted file mode 100644 index 1b8eb8f1..00000000 --- a/frida_mode/src/complog/complog_arm.c +++ /dev/null @@ -1,19 +0,0 @@ -#include "frida-gum.h" - -#include "debug.h" - -#include "complog.h" -#include "util.h" - -#if defined(__arm__) -void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { - - UNUSED_PARAMETER(instr); - UNUSED_PARAMETER(iterator); - if (__afl_cmp_map == NULL) { return; } - FATAL("Complog mode not supported on this architecture"); - -} - -#endif - diff --git a/frida_mode/src/complog/complog_arm64.c b/frida_mode/src/complog/complog_arm64.c deleted file mode 100644 index ce62f6fd..00000000 --- a/frida_mode/src/complog/complog_arm64.c +++ /dev/null @@ -1,19 +0,0 @@ -#include "frida-gum.h" - -#include "debug.h" - -#include "complog.h" -#include "util.h" - -#if defined(__aarch64__) -void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { - - UNUSED_PARAMETER(instr); - UNUSED_PARAMETER(iterator); - if (__afl_cmp_map == NULL) { return; } - FATAL("Complog mode not supported on this architecture"); - -} - -#endif - diff --git a/frida_mode/src/complog/complog_x64.c b/frida_mode/src/complog/complog_x64.c deleted file mode 100644 index 28010e7f..00000000 --- a/frida_mode/src/complog/complog_x64.c +++ /dev/null @@ -1,357 +0,0 @@ -#include "frida-gum.h" - -#include "debug.h" -#include "cmplog.h" - -#include "complog.h" -#include "util.h" - -#if defined(__x86_64__) - - #define X86_REG_8L(LABEL, REG) \ - case LABEL: { \ - \ - return REG & GUM_INT8_MASK; \ - \ - } - - #define X86_REG_8H(LABEL, REG) \ - case LABEL: { \ - \ - return (REG & GUM_INT16_MASK) >> 8; \ - \ - } - - #define X86_REG_16(LABEL, REG) \ - case LABEL: { \ - \ - return (REG & GUM_INT16_MASK); \ - \ - } - - #define X86_REG_32(LABEL, REG) \ - case LABEL: { \ - \ - return (REG & GUM_INT32_MASK); \ - \ - } - - #define X86_REG_64(LABEL, REG) \ - case LABEL: { \ - \ - return (REG); \ - \ - } - -typedef struct { - - x86_op_type type; - uint8_t size; - - union { - - x86_op_mem mem; - x86_reg reg; - int64_t imm; - - }; - -} complog_ctx_t; - -typedef struct { - - complog_ctx_t operand1; - complog_ctx_t operand2; - -} complog_pair_ctx_t; - -static guint64 complog_read_reg(GumX64CpuContext *ctx, x86_reg reg) { - - switch (reg) { - - X86_REG_8L(X86_REG_AL, ctx->rax) - X86_REG_8L(X86_REG_BL, ctx->rbx) - X86_REG_8L(X86_REG_CL, ctx->rcx) - X86_REG_8L(X86_REG_DL, ctx->rdx) - X86_REG_8L(X86_REG_BPL, ctx->rbp) - X86_REG_8L(X86_REG_SIL, ctx->rsi) - X86_REG_8L(X86_REG_DIL, ctx->rdi) - - X86_REG_8H(X86_REG_AH, ctx->rax) - X86_REG_8H(X86_REG_BH, ctx->rbx) - X86_REG_8H(X86_REG_CH, ctx->rcx) - X86_REG_8H(X86_REG_DH, ctx->rdx) - - X86_REG_16(X86_REG_AX, ctx->rax) - X86_REG_16(X86_REG_BX, ctx->rbx) - X86_REG_16(X86_REG_CX, ctx->rcx) - X86_REG_16(X86_REG_DX, ctx->rdx) - X86_REG_16(X86_REG_DI, ctx->rdi) - X86_REG_16(X86_REG_SI, ctx->rsi) - X86_REG_16(X86_REG_BP, ctx->rbp) - - X86_REG_32(X86_REG_EAX, ctx->rax) - X86_REG_32(X86_REG_ECX, ctx->rcx) - X86_REG_32(X86_REG_EDX, ctx->rdx) - X86_REG_32(X86_REG_EBX, ctx->rbx) - X86_REG_32(X86_REG_ESP, ctx->rsp) - X86_REG_32(X86_REG_EBP, ctx->rbp) - X86_REG_32(X86_REG_ESI, ctx->rsi) - X86_REG_32(X86_REG_EDI, ctx->rdi) - X86_REG_32(X86_REG_R8D, ctx->r8) - X86_REG_32(X86_REG_R9D, ctx->r9) - X86_REG_32(X86_REG_R10D, ctx->r10) - X86_REG_32(X86_REG_R11D, ctx->r11) - X86_REG_32(X86_REG_R12D, ctx->r12) - X86_REG_32(X86_REG_R13D, ctx->r13) - X86_REG_32(X86_REG_R14D, ctx->r14) - X86_REG_32(X86_REG_R15D, ctx->r15) - X86_REG_32(X86_REG_EIP, ctx->rip) - - X86_REG_64(X86_REG_RAX, ctx->rax) - X86_REG_64(X86_REG_RCX, ctx->rcx) - X86_REG_64(X86_REG_RDX, ctx->rdx) - X86_REG_64(X86_REG_RBX, ctx->rbx) - X86_REG_64(X86_REG_RSP, ctx->rsp) - X86_REG_64(X86_REG_RBP, ctx->rbp) - X86_REG_64(X86_REG_RSI, ctx->rsi) - X86_REG_64(X86_REG_RDI, ctx->rdi) - X86_REG_64(X86_REG_R8, ctx->r8) - X86_REG_64(X86_REG_R9, ctx->r9) - X86_REG_64(X86_REG_R10, ctx->r10) - X86_REG_64(X86_REG_R11, ctx->r11) - X86_REG_64(X86_REG_R12, ctx->r12) - X86_REG_64(X86_REG_R13, ctx->r13) - X86_REG_64(X86_REG_R14, ctx->r14) - X86_REG_64(X86_REG_R15, ctx->r15) - X86_REG_64(X86_REG_RIP, ctx->rip) - - default: - FATAL("Failed to read register: %d", reg); - return 0; - - } - -} - -static guint64 complog_read_mem(GumX64CpuContext *ctx, x86_op_mem *mem) { - - guint64 base = 0; - guint64 index = 0; - guint64 address; - - if (mem->base != X86_REG_INVALID) base = complog_read_reg(ctx, mem->base); - - if (mem->index != X86_REG_INVALID) index = complog_read_reg(ctx, mem->index); - - address = base + (index * mem->scale) + mem->disp; - return address; - -} - -static guint64 cmplog_get_operand_value(GumCpuContext *context, - complog_ctx_t *ctx) { - - switch (ctx->type) { - - case X86_OP_REG: - return complog_read_reg(context, ctx->reg); - case X86_OP_IMM: - return ctx->imm; - case X86_OP_MEM: - return complog_read_mem(context, &ctx->mem); - default: - FATAL("Invalid operand type: %d\n", ctx->type); - - } - -} - -static void complog_call_callout(GumCpuContext *context, gpointer user_data) { - - UNUSED_PARAMETER(user_data); - - guint64 address = complog_read_reg(context, X86_REG_RIP); - guint64 rdi = complog_read_reg(context, X86_REG_RDI); - guint64 rsi = complog_read_reg(context, X86_REG_RSI); - - void *ptr1 = GSIZE_TO_POINTER(rdi); - void *ptr2 = GSIZE_TO_POINTER(rsi); - - if (!complog_is_readable(ptr1, 32) || !complog_is_readable(ptr2, 32)) return; - - uintptr_t k = address; - - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; - - __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; - - u32 hits = __afl_cmp_map->headers[k].hits; - __afl_cmp_map->headers[k].hits = hits + 1; - - __afl_cmp_map->headers[k].shape = 31; - - hits &= CMP_MAP_RTN_H - 1; - gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0, ptr1, - 32); - gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1, ptr2, - 32); - -} - -static void complog_instrument_put_operand(complog_ctx_t *ctx, - cs_x86_op * operand) { - - ctx->type = operand->type; - ctx->size = operand->size; - switch (operand->type) { - - case X86_OP_REG: - gum_memcpy(&ctx->reg, &operand->reg, sizeof(x86_reg)); - break; - case X86_OP_IMM: - gum_memcpy(&ctx->imm, &operand->imm, sizeof(int64_t)); - break; - case X86_OP_MEM: - gum_memcpy(&ctx->mem, &operand->mem, sizeof(x86_op_mem)); - break; - default: - FATAL("Invalid operand type: %d\n", operand->type); - - } - -} - -static void complog_instrument_call_put_callout(GumStalkerIterator *iterator, - cs_x86_op * operand) { - - complog_ctx_t *ctx = g_malloc(sizeof(complog_ctx_t)); - if (ctx == NULL) return; - - complog_instrument_put_operand(ctx, operand); - - gum_stalker_iterator_put_callout(iterator, complog_call_callout, ctx, g_free); - -} - -static void complog_instrument_call(const cs_insn * instr, - GumStalkerIterator *iterator) { - - cs_x86 x86 = instr->detail->x86; - cs_x86_op *operand; - - if (instr->id != X86_INS_CALL) return; - - if (x86.op_count != 1) return; - - operand = &x86.operands[0]; - - if (operand->type == X86_OP_INVALID) return; - if (operand->type == X86_OP_MEM && operand->mem.segment != X86_REG_INVALID) - return; - - complog_instrument_call_put_callout(iterator, operand); - -} - -static void complog_handle_cmp_sub(GumCpuContext *context, guint64 operand1, - guint64 operand2, uint8_t size) { - - guint64 address = complog_read_reg(context, X86_REG_RIP); - - register uintptr_t k = (uintptr_t)address; - - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; - - __afl_cmp_map->headers[k].type = CMP_TYPE_INS; - - u32 hits = __afl_cmp_map->headers[k].hits; - __afl_cmp_map->headers[k].hits = hits + 1; - - __afl_cmp_map->headers[k].shape = (size - 1); - - hits &= CMP_MAP_H - 1; - __afl_cmp_map->log[k][hits].v0 = operand1; - __afl_cmp_map->log[k][hits].v1 = operand2; - -} - -static void complog_cmp_sub_callout(GumCpuContext *context, - gpointer user_data) { - - complog_pair_ctx_t *ctx = (complog_pair_ctx_t *)user_data; - - if (ctx->operand1.size != ctx->operand2.size) FATAL("Operand size mismatch"); - - guint64 operand1 = cmplog_get_operand_value(context, &ctx->operand1); - guint64 operand2 = cmplog_get_operand_value(context, &ctx->operand2); - - complog_handle_cmp_sub(context, operand1, operand2, ctx->operand1.size); - -} - -static void complog_instrument_cmp_sub_put_callout(GumStalkerIterator *iterator, - cs_x86_op * operand1, - cs_x86_op *operand2) { - - complog_pair_ctx_t *ctx = g_malloc(sizeof(complog_pair_ctx_t)); - if (ctx == NULL) return; - - complog_instrument_put_operand(&ctx->operand1, operand1); - complog_instrument_put_operand(&ctx->operand2, operand2); - - gum_stalker_iterator_put_callout(iterator, complog_cmp_sub_callout, ctx, - g_free); - -} - -static void complog_instrument_cmp_sub(const cs_insn * instr, - GumStalkerIterator *iterator) { - - cs_x86 x86 = instr->detail->x86; - cs_x86_op *operand1; - cs_x86_op *operand2; - - switch (instr->id) { - - case X86_INS_CMP: - case X86_INS_SUB: - break; - default: - return; - - } - - if (x86.op_count != 2) return; - - operand1 = &x86.operands[0]; - operand2 = &x86.operands[1]; - - if (operand1->type == X86_OP_INVALID) return; - if (operand2->type == X86_OP_INVALID) return; - - if ((operand1->type == X86_OP_MEM) && - (operand1->mem.segment != X86_REG_INVALID)) - return; - - if ((operand2->type == X86_OP_MEM) && - (operand2->mem.segment != X86_REG_INVALID)) - return; - - complog_instrument_cmp_sub_put_callout(iterator, operand1, operand2); - -} - -void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { - - if (__afl_cmp_map == NULL) return; - - complog_instrument_call(instr, iterator); - complog_instrument_cmp_sub(instr, iterator); - -} - -#endif - diff --git a/frida_mode/src/complog/complog_x86.c b/frida_mode/src/complog/complog_x86.c deleted file mode 100644 index b2e5ddcf..00000000 --- a/frida_mode/src/complog/complog_x86.c +++ /dev/null @@ -1,19 +0,0 @@ -#include "frida-gum.h" - -#include "debug.h" - -#include "complog.h" -#include "util.h" - -#if defined(__i386__) -void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { - - UNUSED_PARAMETER(instr); - UNUSED_PARAMETER(iterator); - if (__afl_cmp_map == NULL) { return; } - FATAL("Complog mode not supported on this architecture"); - -} - -#endif - diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 3806136a..d93f37c7 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -5,7 +5,7 @@ #include "config.h" #include "debug.h" -#include "complog.h" +#include "frida_cmplog.h" #include "instrument.h" #include "persistent.h" #include "prefetch.h" @@ -105,7 +105,7 @@ static void instr_basic_block(GumStalkerIterator *iterator, if (!range_is_excluded((void *)instr->address)) { - complog_instrument(instr, iterator); + cmplog_instrument(instr, iterator); } @@ -140,7 +140,7 @@ void instrument_init(void) { transformer = gum_stalker_transformer_make_from_callback(instr_basic_block, NULL, NULL); - complog_init(); + cmplog_init(); } diff --git a/frida_mode/src/lib/lib b/frida_mode/src/lib/lib deleted file mode 100755 index 8f09a3b1..00000000 Binary files a/frida_mode/src/lib/lib and /dev/null differ diff --git a/frida_mode/test/fuzzbench/fuzzer b/frida_mode/test/fuzzbench/fuzzer deleted file mode 100755 index 5e8b7f70..00000000 Binary files a/frida_mode/test/fuzzbench/fuzzer and /dev/null differ diff --git a/frida_mode/test/libxml/xml b/frida_mode/test/libxml/xml deleted file mode 100755 index fb5c7c76..00000000 Binary files a/frida_mode/test/libxml/xml and /dev/null differ -- cgit 1.4.1 From c6e8314446344d3a65b828feb31f627ce11ba352 Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Fri, 30 Apr 2021 22:42:50 +0100 Subject: Support for AFL_ENTRYPOINT (#898) Co-authored-by: Your Name --- frida_mode/GNUmakefile | 2 +- frida_mode/include/entry.h | 15 +++ frida_mode/include/stalker.h | 2 - frida_mode/src/entry.c | 50 ++++++++++ frida_mode/src/instrument/instrument.c | 2 + frida_mode/src/main.c | 12 +-- frida_mode/src/persistent/persistent_x64.c | 11 ++- frida_mode/src/stalker.c | 19 ---- frida_mode/test/entry_point/GNUmakefile | 61 ++++++++++++ frida_mode/test/entry_point/Makefile | 12 +++ frida_mode/test/entry_point/testinstr.c | 119 ++++++++++++++++++++++++ frida_mode/test/fuzzbench/fuzzer | Bin 0 -> 1703936 bytes frida_mode/test/libxml/xml | Bin 0 -> 1849872 bytes frida_mode/test/png/persistent/GNUmakefile | 27 +++++- frida_mode/test/png/persistent/Makefile | 8 +- frida_mode/test/png/persistent/hook/GNUmakefile | 30 +++++- frida_mode/test/png/persistent/hook/Makefile | 8 +- 17 files changed, 341 insertions(+), 37 deletions(-) create mode 100644 frida_mode/include/entry.h create mode 100644 frida_mode/src/entry.c create mode 100644 frida_mode/test/entry_point/GNUmakefile create mode 100644 frida_mode/test/entry_point/Makefile create mode 100644 frida_mode/test/entry_point/testinstr.c create mode 100755 frida_mode/test/fuzzbench/fuzzer create mode 100755 frida_mode/test/libxml/xml (limited to 'frida_mode/include') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index 8199b337..7284cf86 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -137,7 +137,7 @@ $(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC) ############################# SOURCE ########################################### define BUILD_SOURCE -$(2): $(1) GNUmakefile | $(OBJ_DIR) +$(2): $(1) $(INCLUDES) GNUmakefile | $(OBJ_DIR) $(CC) \ $(CFLAGS) \ -I $(ROOT)include \ diff --git a/frida_mode/include/entry.h b/frida_mode/include/entry.h new file mode 100644 index 00000000..967831af --- /dev/null +++ b/frida_mode/include/entry.h @@ -0,0 +1,15 @@ +#ifndef _ENTRY_H +#define _ENTRY_H + +#include "frida-gum.h" + +extern guint64 entry_start; + +void entry_init(void); + +void entry_run(void); + +void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output); + +#endif + diff --git a/frida_mode/include/stalker.h b/frida_mode/include/stalker.h index 1f1abb6b..186ead11 100644 --- a/frida_mode/include/stalker.h +++ b/frida_mode/include/stalker.h @@ -6,8 +6,6 @@ void stalker_init(void); GumStalker *stalker_get(void); void stalker_start(void); -void stalker_pause(void); -void stalker_resume(void); #endif diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c new file mode 100644 index 00000000..e71386a0 --- /dev/null +++ b/frida_mode/src/entry.c @@ -0,0 +1,50 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "entry.h" +#include "instrument.h" +#include "stalker.h" +#include "util.h" + +extern void __afl_manual_init(); + +guint64 entry_start = 0; + +static void entry_launch(void) { + + __afl_manual_init(); + + /* Child here */ + previous_pc = 0; + +} + +void entry_init(void) { + + entry_start = util_read_address("AFL_ENTRYPOINT"); + OKF("entry_point: 0x%016" G_GINT64_MODIFIER "X", entry_start); + +} + +void entry_run(void) { + + if (entry_start == 0) { entry_launch(); } + +} + +static void entry_callout(GumCpuContext *cpu_context, gpointer user_data) { + + UNUSED_PARAMETER(cpu_context); + UNUSED_PARAMETER(user_data); + entry_launch(); + +} + +void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output) { + + UNUSED_PARAMETER(output); + gum_stalker_iterator_put_callout(iterator, entry_callout, NULL, NULL); + +} + diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index d93f37c7..971f80c0 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -5,6 +5,7 @@ #include "config.h" #include "debug.h" +#include "entry.h" #include "frida_cmplog.h" #include "instrument.h" #include "persistent.h" @@ -79,6 +80,7 @@ static void instr_basic_block(GumStalkerIterator *iterator, gboolean begin = TRUE; while (gum_stalker_iterator_next(iterator, &instr)) { + if (instr->address == entry_start) { entry_prologue(iterator, output); } if (instr->address == persistent_start) { persistent_prologue(output); } if (begin) { diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index 5c64d192..e031dbed 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -14,6 +14,7 @@ #include "config.h" #include "debug.h" +#include "entry.h" #include "instrument.h" #include "interceptor.h" #include "lib.h" @@ -37,8 +38,6 @@ typedef int *(*main_fn_t)(int argc, char **argv, char **envp); static main_fn_t main_fn = NULL; -extern void __afl_manual_init(); - static int on_fork(void) { prefetch_read(); @@ -79,6 +78,7 @@ static void on_main_os(int argc, char **argv, char **envp) { static int *on_main(int argc, char **argv, char **envp) { void *fork_addr; + on_main_os(argc, argv, envp); unintercept_self(); @@ -86,6 +86,7 @@ static int *on_main(int argc, char **argv, char **envp) { stalker_init(); lib_init(); + entry_init(); instrument_init(); persistent_init(); prefetch_init(); @@ -95,13 +96,8 @@ static int *on_main(int argc, char **argv, char **envp) { intercept(fork_addr, on_fork, NULL); stalker_start(); - stalker_pause(); - - __afl_manual_init(); + entry_run(); - /* Child here */ - previous_pc = 0; - stalker_resume(); return main_fn(argc, argv, envp); } diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c index 5b8493b2..49f1988c 100644 --- a/frida_mode/src/persistent/persistent_x64.c +++ b/frida_mode/src/persistent/persistent_x64.c @@ -252,15 +252,20 @@ static void persistent_prologue_hook(GumX86Writer * cw, -(GUM_RED_ZONE_SIZE)); gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RCX, - GUM_ADDRESS(__afl_fuzz_len)); + GUM_ADDRESS(&__afl_fuzz_len)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RCX, GUM_REG_RCX, 0); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RCX, GUM_REG_RCX, 0); gum_x86_writer_put_mov_reg_u64(cw, GUM_REG_RDI, 0xffffffff); gum_x86_writer_put_and_reg_reg(cw, GUM_REG_RCX, GUM_REG_RDI); + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RDX, + GUM_ADDRESS(&__afl_fuzz_ptr)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDX, GUM_REG_RDX, 0); + gum_x86_writer_put_call_address_with_arguments( cw, GUM_CALL_CAPI, GUM_ADDRESS(hook), 4, GUM_ARG_ADDRESS, - GUM_ADDRESS(regs), GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_ADDRESS, - GUM_ADDRESS(__afl_fuzz_ptr), GUM_ARG_REGISTER, GUM_REG_RCX); + GUM_ADDRESS(regs), GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_REGISTER, + GUM_REG_RDX, GUM_ARG_REGISTER, GUM_REG_RCX); gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, (GUM_RED_ZONE_SIZE)); diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c index 5ee519ba..81973e9c 100644 --- a/frida_mode/src/stalker.c +++ b/frida_mode/src/stalker.c @@ -21,12 +21,6 @@ GumStalker *stalker_get(void) { } -__attribute__((noinline)) static void stalker_activation(void) { - - asm volatile(""); - -} - void stalker_start(void) { GumStalkerTransformer *transformer = instrument_get_transformer(); @@ -34,16 +28,3 @@ void stalker_start(void) { } -void stalker_pause(void) { - - gum_stalker_deactivate(stalker); - -} - -void stalker_resume(void) { - - gum_stalker_activate(stalker, stalker_activation); - stalker_activation(); - -} - diff --git a/frida_mode/test/entry_point/GNUmakefile b/frida_mode/test/entry_point/GNUmakefile new file mode 100644 index 00000000..891827eb --- /dev/null +++ b/frida_mode/test/entry_point/GNUmakefile @@ -0,0 +1,61 @@ +PWD:=$(shell pwd)/ +ROOT:=$(shell realpath $(PWD)../../..)/ +BUILD_DIR:=$(PWD)build/ +TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/ +TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in + +TESTINSTBIN:=$(BUILD_DIR)testinstr +TESTINSTSRC:=$(PWD)testinstr.c + +QEMU_OUT:=$(BUILD_DIR)qemu-out +FRIDA_OUT:=$(BUILD_DIR)frida-out + +GET_SYMBOL_ADDR:=$(ROOT)frida_mode/test/png/persistent/get_symbol_addr.py + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + AFL_ENTRYPOINT=$(shell $(GET_SYMBOL_ADDR) -f $(TESTINSTBIN) -s run -b 0x0000aaaaaaaaa000) +endif + +ifeq "$(ARCH)" "x86_64" + AFL_ENTRYPOINT=$(shell $(GET_SYMBOL_ADDR) -f $(TESTINSTBIN) -s run -b 0x0000555555554000) +endif + +.PHONY: all clean qemu frida + +all: $(TESTINSTBIN) + make -C $(ROOT)frida_mode/ + +$(BUILD_DIR): + mkdir -p $@ + +$(TESTINSTR_DATA_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR) + echo -n "000" > $@ + +$(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) + $(CC) -o $@ $< + +clean: + rm -rf $(BUILD_DIR) + +frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TESTINSTR_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TESTINSTBIN) @@ + +frida_entry: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + AFL_ENTRYPOINT=$(AFL_ENTRYPOINT) \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TESTINSTR_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TESTINSTBIN) @@ \ No newline at end of file diff --git a/frida_mode/test/entry_point/Makefile b/frida_mode/test/entry_point/Makefile new file mode 100644 index 00000000..3b41b94e --- /dev/null +++ b/frida_mode/test/entry_point/Makefile @@ -0,0 +1,12 @@ +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake + +clean: + @gmake clean + +frida: + @gmake frida + +frida_entry: + @gmake frida \ No newline at end of file diff --git a/frida_mode/test/entry_point/testinstr.c b/frida_mode/test/entry_point/testinstr.c new file mode 100644 index 00000000..a6c655f9 --- /dev/null +++ b/frida_mode/test/entry_point/testinstr.c @@ -0,0 +1,119 @@ +/* + american fuzzy lop++ - a trivial program to test the build + -------------------------------------------------------- + Originally written by Michal Zalewski + Copyright 2014 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include + +#ifdef __APPLE__ + #define TESTINSTR_SECTION +#else + #define TESTINSTR_SECTION __attribute__((section(".testinstr"))) +#endif + +void testinstr(char *buf, int len) { + + if (len < 1) return; + buf[len] = 0; + + // we support three input cases + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else if (buf[0] == '1') + printf("Pretty sure that is a one!\n"); + else + printf("Neither one or zero? How quaint!\n"); + +} + +int run(char *file) { + + int fd = -1; + off_t len; + char * buf = NULL; + size_t n_read; + int result = -1; + + do { + + dprintf(STDERR_FILENO, "Running: %s\n", file); + + fd = open(file, O_RDONLY); + if (fd < 0) { + + perror("open"); + break; + + } + + len = lseek(fd, 0, SEEK_END); + if (len < 0) { + + perror("lseek (SEEK_END)"); + break; + + } + + if (lseek(fd, 0, SEEK_SET) != 0) { + + perror("lseek (SEEK_SET)"); + break; + + } + + buf = malloc(len); + if (buf == NULL) { + + perror("malloc"); + break; + + } + + n_read = read(fd, buf, len); + if (n_read != len) { + + perror("read"); + break; + + } + + dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); + + testinstr(buf, len); + dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read); + + result = 0; + + } while (false); + + if (buf != NULL) { free(buf); } + + if (fd != -1) { close(fd); } + + return result; + +} + +void slow() { + usleep(100000); +} + +int main(int argc, char **argv) { + + if (argc != 2) { return 1; } + slow(); + return run(argv[1]); + +} + diff --git a/frida_mode/test/fuzzbench/fuzzer b/frida_mode/test/fuzzbench/fuzzer new file mode 100755 index 00000000..5e8b7f70 Binary files /dev/null and b/frida_mode/test/fuzzbench/fuzzer differ diff --git a/frida_mode/test/libxml/xml b/frida_mode/test/libxml/xml new file mode 100755 index 00000000..fb5c7c76 Binary files /dev/null and b/frida_mode/test/libxml/xml differ diff --git a/frida_mode/test/png/persistent/GNUmakefile b/frida_mode/test/png/persistent/GNUmakefile index 25ddc782..531f9bce 100644 --- a/frida_mode/test/png/persistent/GNUmakefile +++ b/frida_mode/test/png/persistent/GNUmakefile @@ -19,7 +19,7 @@ ifeq "$(ARCH)" "x86_64" AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s main -b 0x0000555555554000) endif -.PHONY: all clean qemu frida +.PHONY: all clean qemu qemu_entry frida frida_entry all: make -C $(ROOT)frida_mode/test/png/ @@ -39,6 +39,19 @@ qemu: | $(BUILD_DIR) -- \ $(TEST_BIN) @@ +qemu_entry: | $(BUILD_DIR) + AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ + AFL_QEMU_PERSISTENT_GPR=1 \ + AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \ + $(ROOT)afl-fuzz \ + -D \ + -V 30 \ + -Q \ + -i $(TEST_DATA_DIR) \ + -o $(QEMU_OUT) \ + -- \ + $(TEST_BIN) @@ + frida: | $(BUILD_DIR) AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ $(ROOT)afl-fuzz \ @@ -50,5 +63,17 @@ frida: | $(BUILD_DIR) -- \ $(TEST_BIN) @@ +frida_entry: | $(BUILD_DIR) + AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ + AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ + $(ROOT)afl-fuzz \ + -D \ + -V 30 \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TEST_BIN) @@ + clean: rm -rf $(BUILD_DIR) \ No newline at end of file diff --git a/frida_mode/test/png/persistent/Makefile b/frida_mode/test/png/persistent/Makefile index f322d1f5..5fde63c2 100644 --- a/frida_mode/test/png/persistent/Makefile +++ b/frida_mode/test/png/persistent/Makefile @@ -8,5 +8,11 @@ clean: qemu: @gmake qemu +qemu_entry: + @gmake qemu_entry + frida: - @gmake frida \ No newline at end of file + @gmake frida + +frida_entry: + @gmake frida_entry \ No newline at end of file diff --git a/frida_mode/test/png/persistent/hook/GNUmakefile b/frida_mode/test/png/persistent/hook/GNUmakefile index 2457287d..4f55fe98 100644 --- a/frida_mode/test/png/persistent/hook/GNUmakefile +++ b/frida_mode/test/png/persistent/hook/GNUmakefile @@ -23,7 +23,7 @@ ifeq "$(ARCH)" "x86_64" AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)../get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000555555554000) endif -.PHONY: all clean qemu frida +.PHONY: all clean qemu qemu_entry frida frida_entry all: make -C $(ROOT)frida_mode/test/png/persistent/ @@ -53,6 +53,20 @@ qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) +qemu_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) + AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ + AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ + AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \ + AFL_QEMU_PERSISTENT_GPR=1 \ + $(ROOT)/afl-fuzz \ + -D \ + -V 30 \ + -Q \ + -i $(TEST_DATA_DIR) \ + -o $(QEMU_OUT) \ + -- \ + $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) + frida: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ @@ -65,6 +79,20 @@ frida: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) + +frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ + AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ + AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ + $(ROOT)afl-fuzz \ + -D \ + -V 30 \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) + clean: rm -rf $(BUILD_DIR) diff --git a/frida_mode/test/png/persistent/hook/Makefile b/frida_mode/test/png/persistent/hook/Makefile index f322d1f5..5fde63c2 100644 --- a/frida_mode/test/png/persistent/hook/Makefile +++ b/frida_mode/test/png/persistent/hook/Makefile @@ -8,5 +8,11 @@ clean: qemu: @gmake qemu +qemu_entry: + @gmake qemu_entry + frida: - @gmake frida \ No newline at end of file + @gmake frida + +frida_entry: + @gmake frida_entry \ No newline at end of file -- cgit 1.4.1 From 8929da339191152cdc69e4c99ddeaeff6d0bc777 Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Tue, 11 May 2021 19:29:28 +0100 Subject: Fixes to memory operands for complog (#916) Co-authored-by: Your Name --- frida_mode/include/frida_cmplog.h | 2 +- frida_mode/src/cmplog/cmplog.c | 6 ++--- frida_mode/src/cmplog/cmplog_x64.c | 51 ++++++++++++++++++++++++++++++-------- frida_mode/test/cmplog/GNUmakefile | 6 ++--- 4 files changed, 47 insertions(+), 18 deletions(-) (limited to 'frida_mode/include') diff --git a/frida_mode/include/frida_cmplog.h b/frida_mode/include/frida_cmplog.h index 28864c0e..b620a472 100644 --- a/frida_mode/include/frida_cmplog.h +++ b/frida_mode/include/frida_cmplog.h @@ -8,7 +8,7 @@ void cmplog_init(void); /* Functions to be implemented by the different architectures */ void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator); -gboolean cmplog_is_readable(void *addr, size_t size); +gboolean cmplog_is_readable(guint64 addr, size_t size); #endif diff --git a/frida_mode/src/cmplog/cmplog.c b/frida_mode/src/cmplog/cmplog.c index 3fab1951..7b11c350 100644 --- a/frida_mode/src/cmplog/cmplog.c +++ b/frida_mode/src/cmplog/cmplog.c @@ -53,7 +53,7 @@ static gboolean cmplog_contains(GumAddress inner_base, GumAddress inner_limit, } -gboolean cmplog_is_readable(void *addr, size_t size) { +gboolean cmplog_is_readable(guint64 addr, size_t size) { if (cmplog_ranges == NULL) FATAL("CMPLOG not initialized"); @@ -65,9 +65,9 @@ gboolean cmplog_is_readable(void *addr, size_t size) { * is lower than this. This should avoid some overhead when functions are * called where one of the parameters is a size, or a some other small value. */ - if (GPOINTER_TO_SIZE(addr) < DEFAULT_MMAP_MIN_ADDR) { return false; } + if (addr < DEFAULT_MMAP_MIN_ADDR) { return false; } - GumAddress inner_base = GUM_ADDRESS(addr); + GumAddress inner_base = addr; GumAddress inner_limit = inner_base + size; for (guint i = 0; i < cmplog_ranges->len; i++) { diff --git a/frida_mode/src/cmplog/cmplog_x64.c b/frida_mode/src/cmplog/cmplog_x64.c index 9bf09ad5..4d8f243a 100644 --- a/frida_mode/src/cmplog/cmplog_x64.c +++ b/frida_mode/src/cmplog/cmplog_x64.c @@ -134,7 +134,8 @@ static guint64 cmplog_read_reg(GumX64CpuContext *ctx, x86_reg reg) { } -static guint64 cmplog_read_mem(GumX64CpuContext *ctx, x86_op_mem *mem) { +static gboolean cmplog_read_mem(GumX64CpuContext *ctx, uint8_t size, + x86_op_mem *mem, guint64 *val) { guint64 base = 0; guint64 index = 0; @@ -145,26 +146,52 @@ static guint64 cmplog_read_mem(GumX64CpuContext *ctx, x86_op_mem *mem) { if (mem->index != X86_REG_INVALID) index = cmplog_read_reg(ctx, mem->index); address = base + (index * mem->scale) + mem->disp; - return address; + + if (!cmplog_is_readable(address, size)) { return FALSE; } + + switch (size) { + + case 1: + *val = *((guint8 *)address); + return TRUE; + case 2: + *val = *((guint16 *)address); + return TRUE; + case 4: + *val = *((guint32 *)address); + return TRUE; + case 8: + *val = *((guint64 *)address); + return TRUE; + default: + FATAL("Invalid operand size: %d\n", size); + + } + + return FALSE; } -static guint64 cmplog_get_operand_value(GumCpuContext *context, - cmplog_ctx_t * ctx) { +static gboolean cmplog_get_operand_value(GumCpuContext *context, + cmplog_ctx_t *ctx, guint64 *val) { switch (ctx->type) { case X86_OP_REG: - return cmplog_read_reg(context, ctx->reg); + *val = cmplog_read_reg(context, ctx->reg); + return TRUE; case X86_OP_IMM: - return ctx->imm; + *val = ctx->imm; + return TRUE; case X86_OP_MEM: - return cmplog_read_mem(context, &ctx->mem); + return cmplog_read_mem(context, ctx->size, &ctx->mem, val); default: FATAL("Invalid operand type: %d\n", ctx->type); } + return FALSE; + } static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { @@ -177,11 +204,11 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { if (((G_MAXULONG - rdi) < 32) || ((G_MAXULONG - rsi) < 32)) return; + if (!cmplog_is_readable(rdi, 32) || !cmplog_is_readable(rsi, 32)) return; + void *ptr1 = GSIZE_TO_POINTER(rdi); void *ptr2 = GSIZE_TO_POINTER(rsi); - if (!cmplog_is_readable(ptr1, 32) || !cmplog_is_readable(ptr2, 32)) return; - uintptr_t k = address; k = (k >> 4) ^ (k << 8); @@ -271,11 +298,13 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, guint64 operand1, static void cmplog_cmp_sub_callout(GumCpuContext *context, gpointer user_data) { cmplog_pair_ctx_t *ctx = (cmplog_pair_ctx_t *)user_data; + guint64 operand1; + guint64 operand2; if (ctx->operand1.size != ctx->operand2.size) FATAL("Operand size mismatch"); - guint64 operand1 = cmplog_get_operand_value(context, &ctx->operand1); - guint64 operand2 = cmplog_get_operand_value(context, &ctx->operand2); + if (!cmplog_get_operand_value(context, &ctx->operand1, &operand1)) { return; } + if (!cmplog_get_operand_value(context, &ctx->operand2, &operand2)) { return; } cmplog_handle_cmp_sub(context, operand1, operand2, ctx->operand1.size); diff --git a/frida_mode/test/cmplog/GNUmakefile b/frida_mode/test/cmplog/GNUmakefile index c203fc5e..37c7450c 100644 --- a/frida_mode/test/cmplog/GNUmakefile +++ b/frida_mode/test/cmplog/GNUmakefile @@ -41,26 +41,26 @@ $(TEST_CMPLOG_OBJ): $(TEST_CMPLOG_DIR)compcovtest.cc qemu: $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT) $(ROOT)afl-fuzz \ - -D \ -Q \ -i $(TEST_DATA_DIR) \ -o $(QEMU_OUT) \ -c 0 \ -l 3AT \ + -Z \ -- \ $(TEST_CMPLOG_OBJ) @@ frida: $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT) XAFL_FRIDA_INST_RANGES=$(AFL_FRIDA_INST_RANGES) \ $(ROOT)afl-fuzz \ - -D \ -O \ -i $(TEST_DATA_DIR) \ -o $(FRIDA_OUT) \ -c 0 \ -l 3AT \ + -Z \ -- \ $(TEST_CMPLOG_OBJ) @@ clean: - rm -rf $(BUILD_DIR) \ No newline at end of file + rm -rf $(BUILD_DIR) -- cgit 1.4.1 From e40c0c2da16f14dfddb5641f6f825903879534a9 Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Mon, 17 May 2021 19:02:45 +0100 Subject: FASAN Support (#918) * FASAN Support * Fix handling of Address Sanitizer DSO * Changes to identification of Address Sanitizer DSO Co-authored-by: Your Name --- frida_mode/include/asan.h | 13 +++ frida_mode/include/ctx.h | 11 +++ frida_mode/src/asan/asan.c | 24 +++++ frida_mode/src/asan/asan_arm.c | 22 +++++ frida_mode/src/asan/asan_arm64.c | 22 +++++ frida_mode/src/asan/asan_x64.c | 93 ++++++++++++++++++++ frida_mode/src/asan/asan_x86.c | 22 +++++ frida_mode/src/cmplog/cmplog_x64.c | 119 ++----------------------- frida_mode/src/ctx/ctx_x64.c | 114 ++++++++++++++++++++++++ frida_mode/src/instrument/instrument.c | 3 + frida_mode/test/fasan/GNUmakefile | 156 +++++++++++++++++++++++++++++++++ frida_mode/test/fasan/Makefile | 18 ++++ frida_mode/test/fasan/test.c | 85 ++++++++++++++++++ include/envs.h | 1 + include/forkserver.h | 2 + src/afl-fuzz.c | 81 ++++++++++++++--- 16 files changed, 664 insertions(+), 122 deletions(-) create mode 100644 frida_mode/include/asan.h create mode 100644 frida_mode/include/ctx.h create mode 100644 frida_mode/src/asan/asan.c create mode 100644 frida_mode/src/asan/asan_arm.c create mode 100644 frida_mode/src/asan/asan_arm64.c create mode 100644 frida_mode/src/asan/asan_x64.c create mode 100644 frida_mode/src/asan/asan_x86.c create mode 100644 frida_mode/src/ctx/ctx_x64.c create mode 100644 frida_mode/test/fasan/GNUmakefile create mode 100644 frida_mode/test/fasan/Makefile create mode 100644 frida_mode/test/fasan/test.c (limited to 'frida_mode/include') diff --git a/frida_mode/include/asan.h b/frida_mode/include/asan.h new file mode 100644 index 00000000..7a8726e0 --- /dev/null +++ b/frida_mode/include/asan.h @@ -0,0 +1,13 @@ +#ifndef _ASAN_H +#define _ASAN_H + +#include "frida-gum.h" + +extern gboolean asan_initialized; + +void asan_init(void); +void asan_arch_init(void); +void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator); + +#endif + diff --git a/frida_mode/include/ctx.h b/frida_mode/include/ctx.h new file mode 100644 index 00000000..030d124a --- /dev/null +++ b/frida_mode/include/ctx.h @@ -0,0 +1,11 @@ +#ifndef _CTX_H +#define _CTX_H + +#include "frida-gum.h" + +#if defined(__x86_64__) +guint64 ctx_read_reg(GumX64CpuContext *ctx, x86_reg reg); +#endif + +#endif + diff --git a/frida_mode/src/asan/asan.c b/frida_mode/src/asan/asan.c new file mode 100644 index 00000000..f78f690c --- /dev/null +++ b/frida_mode/src/asan/asan.c @@ -0,0 +1,24 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "asan.h" + +gboolean asan_initialized = FALSE; + +void asan_init(void) { + + if (getenv("AFL_USE_FASAN") != NULL) { + + OKF("Frida ASAN mode enabled"); + asan_arch_init(); + asan_initialized = TRUE; + + } else { + + OKF("Frida ASAN mode disabled"); + + } + +} + diff --git a/frida_mode/src/asan/asan_arm.c b/frida_mode/src/asan/asan_arm.c new file mode 100644 index 00000000..526017be --- /dev/null +++ b/frida_mode/src/asan/asan_arm.c @@ -0,0 +1,22 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "asan.h" +#include "util.h" + +#if defined(__arm__) +void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { + + UNUSED_PARAMETER(instr); + UNUSED_PARAMETER(iterator); + if (asan_initialized) { + + FATAL("ASAN mode not supported on this architecture"); + + } + +} + +#endif + diff --git a/frida_mode/src/asan/asan_arm64.c b/frida_mode/src/asan/asan_arm64.c new file mode 100644 index 00000000..4e3fbafd --- /dev/null +++ b/frida_mode/src/asan/asan_arm64.c @@ -0,0 +1,22 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "asan.h" +#include "util.h" + +#if defined(__aarch64__) +void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { + + UNUSED_PARAMETER(instr); + UNUSED_PARAMETER(iterator); + if (asan_initialized) { + + FATAL("ASAN mode not supported on this architecture"); + + } + +} + +#endif + diff --git a/frida_mode/src/asan/asan_x64.c b/frida_mode/src/asan/asan_x64.c new file mode 100644 index 00000000..bdf4ac30 --- /dev/null +++ b/frida_mode/src/asan/asan_x64.c @@ -0,0 +1,93 @@ +#include +#include "frida-gum.h" + +#include "debug.h" + +#include "asan.h" +#include "ctx.h" +#include "util.h" + +typedef void (*asan_loadN_t)(uint64_t address, uint8_t size); +typedef void (*asan_storeN_t)(uint64_t address, uint8_t size); + +asan_loadN_t asan_loadN = NULL; +asan_storeN_t asan_storeN = NULL; + +#if defined(__x86_64__) + +static void asan_callout(GumCpuContext *ctx, gpointer user_data) { + + UNUSED_PARAMETER(user_data); + + cs_x86_op * operand = (cs_x86_op *)user_data; + x86_op_mem *mem = &operand->mem; + uint64_t base = 0; + uint64_t index = 0; + uint64_t address; + uint8_t size; + + if (mem->base != X86_REG_INVALID) { base = ctx_read_reg(ctx, mem->base); } + + if (mem->index != X86_REG_INVALID) { index = ctx_read_reg(ctx, mem->index); } + + address = base + (mem->scale * index) + mem->disp; + size = operand->size; + + if (operand->access == CS_AC_READ) { + + asan_loadN(address, size); + + } else if (operand->access == CS_AC_WRITE) { + + asan_storeN(address, size); + + } + +} + +void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { + + UNUSED_PARAMETER(iterator); + + cs_x86 x86 = instr->detail->x86; + cs_x86_op * operand; + x86_op_mem *mem; + cs_x86_op * ctx; + + if (!asan_initialized) return; + + if (instr->id == X86_INS_LEA) return; + + if (instr->id == X86_INS_NOP) return; + + for (uint8_t i = 0; i < x86.op_count; i++) { + + operand = &x86.operands[i]; + + if (operand->type != X86_OP_MEM) { continue; } + + mem = &operand->mem; + if (mem->segment != X86_REG_INVALID) { continue; } + + ctx = g_malloc0(sizeof(cs_x86_op)); + memcpy(ctx, operand, sizeof(cs_x86_op)); + gum_stalker_iterator_put_callout(iterator, asan_callout, ctx, g_free); + + } + +} + +void asan_arch_init(void) { + + asan_loadN = (asan_loadN_t)dlsym(RTLD_DEFAULT, "__asan_loadN"); + asan_storeN = (asan_loadN_t)dlsym(RTLD_DEFAULT, "__asan_storeN"); + if (asan_loadN == NULL || asan_storeN == NULL) { + + FATAL("Frida ASAN failed to find '__asan_loadN' or '__asan_storeN'"); + + } + +} + +#endif + diff --git a/frida_mode/src/asan/asan_x86.c b/frida_mode/src/asan/asan_x86.c new file mode 100644 index 00000000..b946b3bf --- /dev/null +++ b/frida_mode/src/asan/asan_x86.c @@ -0,0 +1,22 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "asan.h" +#include "util.h" + +#if defined(__i386__) +void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { + + UNUSED_PARAMETER(instr); + UNUSED_PARAMETER(iterator); + if (asan_initialized) { + + FATAL("ASAN mode not supported on this architecture"); + + } + +} + +#endif + diff --git a/frida_mode/src/cmplog/cmplog_x64.c b/frida_mode/src/cmplog/cmplog_x64.c index 4d8f243a..c3621a29 100644 --- a/frida_mode/src/cmplog/cmplog_x64.c +++ b/frida_mode/src/cmplog/cmplog_x64.c @@ -3,46 +3,12 @@ #include "debug.h" #include "cmplog.h" +#include "ctx.h" #include "frida_cmplog.h" #include "util.h" #if defined(__x86_64__) - #define X86_REG_8L(LABEL, REG) \ - case LABEL: { \ - \ - return REG & GUM_INT8_MASK; \ - \ - } - - #define X86_REG_8H(LABEL, REG) \ - case LABEL: { \ - \ - return (REG & GUM_INT16_MASK) >> 8; \ - \ - } - - #define X86_REG_16(LABEL, REG) \ - case LABEL: { \ - \ - return (REG & GUM_INT16_MASK); \ - \ - } - - #define X86_REG_32(LABEL, REG) \ - case LABEL: { \ - \ - return (REG & GUM_INT32_MASK); \ - \ - } - - #define X86_REG_64(LABEL, REG) \ - case LABEL: { \ - \ - return (REG); \ - \ - } - typedef struct { x86_op_type type; @@ -65,75 +31,6 @@ typedef struct { } cmplog_pair_ctx_t; -static guint64 cmplog_read_reg(GumX64CpuContext *ctx, x86_reg reg) { - - switch (reg) { - - X86_REG_8L(X86_REG_AL, ctx->rax) - X86_REG_8L(X86_REG_BL, ctx->rbx) - X86_REG_8L(X86_REG_CL, ctx->rcx) - X86_REG_8L(X86_REG_DL, ctx->rdx) - X86_REG_8L(X86_REG_BPL, ctx->rbp) - X86_REG_8L(X86_REG_SIL, ctx->rsi) - X86_REG_8L(X86_REG_DIL, ctx->rdi) - - X86_REG_8H(X86_REG_AH, ctx->rax) - X86_REG_8H(X86_REG_BH, ctx->rbx) - X86_REG_8H(X86_REG_CH, ctx->rcx) - X86_REG_8H(X86_REG_DH, ctx->rdx) - - X86_REG_16(X86_REG_AX, ctx->rax) - X86_REG_16(X86_REG_BX, ctx->rbx) - X86_REG_16(X86_REG_CX, ctx->rcx) - X86_REG_16(X86_REG_DX, ctx->rdx) - X86_REG_16(X86_REG_DI, ctx->rdi) - X86_REG_16(X86_REG_SI, ctx->rsi) - X86_REG_16(X86_REG_BP, ctx->rbp) - - X86_REG_32(X86_REG_EAX, ctx->rax) - X86_REG_32(X86_REG_ECX, ctx->rcx) - X86_REG_32(X86_REG_EDX, ctx->rdx) - X86_REG_32(X86_REG_EBX, ctx->rbx) - X86_REG_32(X86_REG_ESP, ctx->rsp) - X86_REG_32(X86_REG_EBP, ctx->rbp) - X86_REG_32(X86_REG_ESI, ctx->rsi) - X86_REG_32(X86_REG_EDI, ctx->rdi) - X86_REG_32(X86_REG_R8D, ctx->r8) - X86_REG_32(X86_REG_R9D, ctx->r9) - X86_REG_32(X86_REG_R10D, ctx->r10) - X86_REG_32(X86_REG_R11D, ctx->r11) - X86_REG_32(X86_REG_R12D, ctx->r12) - X86_REG_32(X86_REG_R13D, ctx->r13) - X86_REG_32(X86_REG_R14D, ctx->r14) - X86_REG_32(X86_REG_R15D, ctx->r15) - X86_REG_32(X86_REG_EIP, ctx->rip) - - X86_REG_64(X86_REG_RAX, ctx->rax) - X86_REG_64(X86_REG_RCX, ctx->rcx) - X86_REG_64(X86_REG_RDX, ctx->rdx) - X86_REG_64(X86_REG_RBX, ctx->rbx) - X86_REG_64(X86_REG_RSP, ctx->rsp) - X86_REG_64(X86_REG_RBP, ctx->rbp) - X86_REG_64(X86_REG_RSI, ctx->rsi) - X86_REG_64(X86_REG_RDI, ctx->rdi) - X86_REG_64(X86_REG_R8, ctx->r8) - X86_REG_64(X86_REG_R9, ctx->r9) - X86_REG_64(X86_REG_R10, ctx->r10) - X86_REG_64(X86_REG_R11, ctx->r11) - X86_REG_64(X86_REG_R12, ctx->r12) - X86_REG_64(X86_REG_R13, ctx->r13) - X86_REG_64(X86_REG_R14, ctx->r14) - X86_REG_64(X86_REG_R15, ctx->r15) - X86_REG_64(X86_REG_RIP, ctx->rip) - - default: - FATAL("Failed to read register: %d", reg); - return 0; - - } - -} - static gboolean cmplog_read_mem(GumX64CpuContext *ctx, uint8_t size, x86_op_mem *mem, guint64 *val) { @@ -141,9 +38,9 @@ static gboolean cmplog_read_mem(GumX64CpuContext *ctx, uint8_t size, guint64 index = 0; guint64 address; - if (mem->base != X86_REG_INVALID) base = cmplog_read_reg(ctx, mem->base); + if (mem->base != X86_REG_INVALID) base = ctx_read_reg(ctx, mem->base); - if (mem->index != X86_REG_INVALID) index = cmplog_read_reg(ctx, mem->index); + if (mem->index != X86_REG_INVALID) index = ctx_read_reg(ctx, mem->index); address = base + (index * mem->scale) + mem->disp; @@ -178,7 +75,7 @@ static gboolean cmplog_get_operand_value(GumCpuContext *context, switch (ctx->type) { case X86_OP_REG: - *val = cmplog_read_reg(context, ctx->reg); + *val = ctx_read_reg(context, ctx->reg); return TRUE; case X86_OP_IMM: *val = ctx->imm; @@ -198,9 +95,9 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { UNUSED_PARAMETER(user_data); - guint64 address = cmplog_read_reg(context, X86_REG_RIP); - guint64 rdi = cmplog_read_reg(context, X86_REG_RDI); - guint64 rsi = cmplog_read_reg(context, X86_REG_RSI); + guint64 address = ctx_read_reg(context, X86_REG_RIP); + guint64 rdi = ctx_read_reg(context, X86_REG_RDI); + guint64 rsi = ctx_read_reg(context, X86_REG_RSI); if (((G_MAXULONG - rdi) < 32) || ((G_MAXULONG - rsi) < 32)) return; @@ -275,7 +172,7 @@ static void cmplog_instrument_call(const cs_insn * instr, static void cmplog_handle_cmp_sub(GumCpuContext *context, guint64 operand1, guint64 operand2, uint8_t size) { - guint64 address = cmplog_read_reg(context, X86_REG_RIP); + guint64 address = ctx_read_reg(context, X86_REG_RIP); register uintptr_t k = (uintptr_t)address; diff --git a/frida_mode/src/ctx/ctx_x64.c b/frida_mode/src/ctx/ctx_x64.c new file mode 100644 index 00000000..dec759f4 --- /dev/null +++ b/frida_mode/src/ctx/ctx_x64.c @@ -0,0 +1,114 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "ctx.h" + +#if defined(__x86_64__) + + #define X86_REG_8L(LABEL, REG) \ + case LABEL: { \ + \ + return REG & GUM_INT8_MASK; \ + \ + } + + #define X86_REG_8H(LABEL, REG) \ + case LABEL: { \ + \ + return (REG & GUM_INT16_MASK) >> 8; \ + \ + } + + #define X86_REG_16(LABEL, REG) \ + case LABEL: { \ + \ + return (REG & GUM_INT16_MASK); \ + \ + } + + #define X86_REG_32(LABEL, REG) \ + case LABEL: { \ + \ + return (REG & GUM_INT32_MASK); \ + \ + } + + #define X86_REG_64(LABEL, REG) \ + case LABEL: { \ + \ + return (REG); \ + \ + } + +guint64 ctx_read_reg(GumX64CpuContext *ctx, x86_reg reg) { + + switch (reg) { + + X86_REG_8L(X86_REG_AL, ctx->rax) + X86_REG_8L(X86_REG_BL, ctx->rbx) + X86_REG_8L(X86_REG_CL, ctx->rcx) + X86_REG_8L(X86_REG_DL, ctx->rdx) + X86_REG_8L(X86_REG_BPL, ctx->rbp) + X86_REG_8L(X86_REG_SIL, ctx->rsi) + X86_REG_8L(X86_REG_DIL, ctx->rdi) + + X86_REG_8H(X86_REG_AH, ctx->rax) + X86_REG_8H(X86_REG_BH, ctx->rbx) + X86_REG_8H(X86_REG_CH, ctx->rcx) + X86_REG_8H(X86_REG_DH, ctx->rdx) + + X86_REG_16(X86_REG_AX, ctx->rax) + X86_REG_16(X86_REG_BX, ctx->rbx) + X86_REG_16(X86_REG_CX, ctx->rcx) + X86_REG_16(X86_REG_DX, ctx->rdx) + X86_REG_16(X86_REG_DI, ctx->rdi) + X86_REG_16(X86_REG_SI, ctx->rsi) + X86_REG_16(X86_REG_BP, ctx->rbp) + + X86_REG_32(X86_REG_EAX, ctx->rax) + X86_REG_32(X86_REG_ECX, ctx->rcx) + X86_REG_32(X86_REG_EDX, ctx->rdx) + X86_REG_32(X86_REG_EBX, ctx->rbx) + X86_REG_32(X86_REG_ESP, ctx->rsp) + X86_REG_32(X86_REG_EBP, ctx->rbp) + X86_REG_32(X86_REG_ESI, ctx->rsi) + X86_REG_32(X86_REG_EDI, ctx->rdi) + X86_REG_32(X86_REG_R8D, ctx->r8) + X86_REG_32(X86_REG_R9D, ctx->r9) + X86_REG_32(X86_REG_R10D, ctx->r10) + X86_REG_32(X86_REG_R11D, ctx->r11) + X86_REG_32(X86_REG_R12D, ctx->r12) + X86_REG_32(X86_REG_R13D, ctx->r13) + X86_REG_32(X86_REG_R14D, ctx->r14) + X86_REG_32(X86_REG_R15D, ctx->r15) + X86_REG_32(X86_REG_EIP, ctx->rip) + + X86_REG_64(X86_REG_RAX, ctx->rax) + X86_REG_64(X86_REG_RCX, ctx->rcx) + X86_REG_64(X86_REG_RDX, ctx->rdx) + X86_REG_64(X86_REG_RBX, ctx->rbx) + X86_REG_64(X86_REG_RSP, ctx->rsp) + X86_REG_64(X86_REG_RBP, ctx->rbp) + X86_REG_64(X86_REG_RSI, ctx->rsi) + X86_REG_64(X86_REG_RDI, ctx->rdi) + X86_REG_64(X86_REG_R8, ctx->r8) + X86_REG_64(X86_REG_R9, ctx->r9) + X86_REG_64(X86_REG_R10, ctx->r10) + X86_REG_64(X86_REG_R11, ctx->r11) + X86_REG_64(X86_REG_R12, ctx->r12) + X86_REG_64(X86_REG_R13, ctx->r13) + X86_REG_64(X86_REG_R14, ctx->r14) + X86_REG_64(X86_REG_R15, ctx->r15) + X86_REG_64(X86_REG_RIP, ctx->rip) + + default: + FATAL("Failed to read register: %d", reg); + return 0; + + } + +} + +#endif + diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 971f80c0..5c77ade6 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -5,6 +5,7 @@ #include "config.h" #include "debug.h" +#include "asan.h" #include "entry.h" #include "frida_cmplog.h" #include "instrument.h" @@ -107,6 +108,7 @@ static void instr_basic_block(GumStalkerIterator *iterator, if (!range_is_excluded((void *)instr->address)) { + asan_instrument(instr, iterator); cmplog_instrument(instr, iterator); } @@ -142,6 +144,7 @@ void instrument_init(void) { transformer = gum_stalker_transformer_make_from_callback(instr_basic_block, NULL, NULL); + asan_init(); cmplog_init(); } diff --git a/frida_mode/test/fasan/GNUmakefile b/frida_mode/test/fasan/GNUmakefile new file mode 100644 index 00000000..22689395 --- /dev/null +++ b/frida_mode/test/fasan/GNUmakefile @@ -0,0 +1,156 @@ +PWD:=$(shell pwd)/ +ROOT:=$(shell realpath $(PWD)../../..)/ +BUILD_DIR:=$(PWD)build/ + +TEST_DATA_DIR:=$(BUILD_DIR)in/ +TEST_DATA_FILE:=$(TEST_DATA_DIR)in +FRIDA_OUT:=$(BUILD_DIR)frida-out + +TEST_SRC:=$(PWD)/test.c +TEST_BIN:=$(BUILD_DIR)test + +CFLAGS+=-fPIC \ + -D_GNU_SOURCE \ + -g \ + -fno-omit-frame-pointer \ + -Wno-stringop-overflow \ + +LDFLAGS+=-ldl \ + +ifdef DEBUG +CFLAGS+=-Werror \ + -Wall \ + -Wextra \ + -Wpointer-arith +else +CFLAGS+=-Wno-pointer-arith +endif + +ifndef ARCH + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + ARCH:=arm64 +endif + +ifeq "$(ARCH)" "i686" + ARCH:=x86 +endif +endif + +ifeq "$(ARCH)" "x86" +LIBASAN_FILE:=libclang_rt.asan-i386.so +endif + +ifeq "$(ARCH)" "x64" +LIBASAN_FILE:=libclang_rt.asan-x86_64.so +endif + +ifeq "$(ARCH)" "aarch64" +LIBASAN_FILE:=libclang_rt.asan-aarch64.so +endif + +# LIBASAN:=/usr/lib/llvm-10/lib/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.so +# LIBASAN:=/usr/lib/x86_64-linux-gnu/libasan.so.6.0.0 + +LLVM_CONFIG ?= llvm-config +ifeq "$(shell test -e '$(shell which $(LLVM_CONFIG))' && echo 1)" "1" + $(info Found llvm-config: '$(shell which $(LLVM_CONFIG))') +else + $(warning Cannot find llvm-config) +endif + +LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)/ +$(info LLVM_BINDIR: $(LLVM_BINDIR)) + +CLANG ?= $(LLVM_BINDIR)clang +ifeq "$(shell test -e '$(CLANG)' && echo 1)" "1" + $(info Found clang: '$(CLANG)') +else + $(warning Cannot find clang) +endif + +CLANGVER = $(shell $(CLANG) --version | sed -E -ne '/^.*version\ (1?[0-9]\.[0-9]\.[0-9]).*/s//\1/p') +$(info Clang version $(CLANGVER)) + +LLVM_LIBDIR = $(shell $(LLVM_CONFIG) --libdir 2>/dev/null) +$(info LLVM_LIBDIR: $(LLVM_LIBDIR)) + +LIBASAN:=$(LLVM_LIBDIR)/clang/$(CLANGVER)/lib/linux/$(LIBASAN_FILE) + +ifeq "$(shell test -e '$(LIBASAN)' && echo 1)" "1" + $(info Found Address Sanitizer DSO: '$(LIBASAN)') +else + $(error Error cannot find Address Sanitizer DSO) +endif + + +.PHONY: all clean format frida-noasan frida debug run + +############################## ALL ############################################# + +all: $(TEST_BIN) + +$(TEST_BIN): $(TEST_SRC) GNUmakefile | $(BUILD_DIR) + $(CC) \ + $(CFLAGS) \ + $(LDFLAGS) \ + -o $@ \ + $< + +$(BUILD_DIR): + mkdir -p $(BUILD_DIR) + +############################# TESTS ############################################ + +$(TEST_DATA_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(TEST_DATA_FILE): | $(TEST_DATA_DIR) + echo -n "TUODATM" > $@ + +frida-noasan: $(TEST_BIN) $(TEST_DATA_FILE) + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TEST_BIN) + + +frida: $(TEST_BIN) $(TEST_DATA_FILE) + AFL_PRELOAD=/usr/lib/llvm-10/lib/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.so \ + AFL_USE_FASAN=1 \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TEST_BIN) + +debug: $(TEST_BIN) $(TEST_DATA_FILE) + gdb \ + --ex 'set environment LD_PRELOAD=$(LIBASAN):$(ROOT)afl-frida-trace.so' \ + --ex 'set environment ASAN_OPTIONS=detect_leaks=false,halt_on_error=0' \ + --ex 'set environment AFL_USE_FASAN=1' \ + --ex 'set disassembly-flavor intel' \ + --ex 'r < $(TEST_DATA_FILE)' \ + --args $(TEST_BIN) \ + +run: $(TEST_BIN) $(TEST_DATA_FILE) + LD_PRELOAD=$(LIBASAN):$(ROOT)afl-frida-trace.so \ + ASAN_OPTIONS=detect_leaks=false \ + AFL_USE_FASAN=1 \ + $(TEST_BIN) < $(TEST_DATA_FILE) + +############################# CLEAN ############################################ +clean: + rm -rf $(BUILD_DIR) + +############################# FORMAT ########################################### +format: + cd $(ROOT) && echo $(TEST_SRC) | xargs -L1 ./.custom-format.py -i + +############################# RUN ############################################# diff --git a/frida_mode/test/fasan/Makefile b/frida_mode/test/fasan/Makefile new file mode 100644 index 00000000..a7bf44c7 --- /dev/null +++ b/frida_mode/test/fasan/Makefile @@ -0,0 +1,18 @@ +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake + +clean: + @gmake clean + +frida-noasan: + @gmake frida-noasan + +frida: + @gmake frida + +debug: + @gmake debug + +run: + @gmake run \ No newline at end of file diff --git a/frida_mode/test/fasan/test.c b/frida_mode/test/fasan/test.c new file mode 100644 index 00000000..a7d03017 --- /dev/null +++ b/frida_mode/test/fasan/test.c @@ -0,0 +1,85 @@ +#include +#include +#include +#include +#include +#include + +#define LOG(x) \ + do { \ + \ + char buf[] = x; \ + write(STDOUT_FILENO, buf, sizeof(buf)); \ + \ + } while (false); + +void test(char data) { + + char *buf = malloc(10); + + if (buf == NULL) return; + + switch (data) { + + /* Underflow */ + case 'U': + LOG("Underflow\n"); + buf[-1] = '\0'; + free(buf); + break; + /* Overflow */ + case 'O': + LOG("Overflow\n"); + buf[10] = '\0'; + free(buf); + break; + /* Double free */ + case 'D': + LOG("Double free\n"); + free(buf); + free(buf); + break; + /* Use after free */ + case 'A': + LOG("Use after free\n"); + free(buf); + buf[0] = '\0'; + break; + /* Test Limits (OK) */ + case 'T': + LOG("Test-Limits - No Error\n"); + buf[0] = 'A'; + buf[9] = 'I'; + free(buf); + break; + case 'M': + LOG("Memset too many\n"); + memset(buf, '\0', 11); + free(buf); + break; + default: + LOG("Nop - No Error\n"); + break; + + } + +} + +int main(int argc, char **argv) { + + char input = '\0'; + + if (read(STDIN_FILENO, &input, 1) < 0) { + + LOG("Failed to read stdin\n"); + return 1; + + } + + test(input); + + LOG("DONE\n"); + return 0; + +} + diff --git a/include/envs.h b/include/envs.h index 9175005e..4fff1e3a 100644 --- a/include/envs.h +++ b/include/envs.h @@ -191,6 +191,7 @@ static char *afl_environment_variables[] = { "AFL_WINE_PATH", "AFL_NO_SNAPSHOT", "AFL_EXPAND_HAVOC_NOW", + "AFL_USE_FASAN", "AFL_USE_QASAN", NULL diff --git a/include/forkserver.h b/include/forkserver.h index 48db94c7..2baa6f0a 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -79,6 +79,8 @@ typedef struct afl_forkserver { bool frida_mode; /* if running in frida mode or not */ + bool frida_asan; /* if running with asan in frida mode */ + bool use_stdin; /* use stdin for sending data */ bool no_unlink; /* do not unlink cur_input */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index a4599b4a..903068b2 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -328,6 +328,50 @@ static int stricmp(char const *a, char const *b) { } +static void fasan_check_afl_preload(char *afl_preload) { + + char first_preload[PATH_MAX + 1] = {0}; + char * separator = strchr(afl_preload, ':'); + size_t first_preload_len = PATH_MAX; + char * basename; + char clang_runtime_prefix[] = "libclang_rt.asan-"; + + if (separator != NULL && (separator - afl_preload) < PATH_MAX) { + + first_preload_len = separator - afl_preload; + + } + + strncpy(first_preload, afl_preload, first_preload_len); + + basename = strrchr(first_preload, '/'); + if (basename == NULL) { + + basename = first_preload; + + } else { + + basename = basename + 1; + + } + + if (strncmp(basename, clang_runtime_prefix, + sizeof(clang_runtime_prefix) - 1) != 0) { + + FATAL("Address Sanitizer DSO must be the first DSO in AFL_PRELOAD"); + + } + + if (access(first_preload, R_OK) != 0) { + + FATAL("Address Sanitizer DSO not found"); + + } + + OKF("Found ASAN DSO: %s", first_preload); + +} + /* Main entry point */ int main(int argc, char **argv_orig, char **envp) { @@ -785,6 +829,7 @@ int main(int argc, char **argv_orig, char **envp) { } afl->fsrv.frida_mode = 1; + if (get_afl_env("AFL_USE_FASAN")) { afl->fsrv.frida_asan = 1; } break; @@ -1365,18 +1410,21 @@ int main(int argc, char **argv_orig, char **envp) { } else if (afl->fsrv.frida_mode) { afl_preload = getenv("AFL_PRELOAD"); - u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); - OKF("Injecting %s ...", frida_binary); - if (afl_preload) { - frida_afl_preload = alloc_printf("%s:%s", afl_preload, frida_binary); + if (afl->fsrv.frida_asan) { - } else { + OKF("Using Frida Address Sanitizer Mode"); + + fasan_check_afl_preload(afl_preload); - frida_afl_preload = alloc_printf("%s", frida_binary); + setenv("ASAN_OPTIONS", "detect_leaks=false", 1); } + u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); + OKF("Injecting %s ...", frida_binary); + frida_afl_preload = alloc_printf("%s:%s", afl_preload, frida_binary); + ck_free(frida_binary); setenv("LD_PRELOAD", frida_afl_preload, 1); @@ -1391,11 +1439,22 @@ int main(int argc, char **argv_orig, char **envp) { } else if (afl->fsrv.frida_mode) { - u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); - OKF("Injecting %s ...", frida_binary); - setenv("LD_PRELOAD", frida_binary, 1); - setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1); - ck_free(frida_binary); + if (afl->fsrv.frida_asan) { + + OKF("Using Frida Address Sanitizer Mode"); + FATAL( + "Address Sanitizer DSO must be loaded using AFL_PRELOAD in Frida " + "Address Sanitizer Mode"); + + } else { + + u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); + OKF("Injecting %s ...", frida_binary); + setenv("LD_PRELOAD", frida_binary, 1); + setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1); + ck_free(frida_binary); + + } } -- cgit 1.4.1 From d0af55e78f85427983ddafd0af07dff654b3ea65 Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Mon, 17 May 2021 20:14:40 +0100 Subject: Support for x86 (#920) Co-authored-by: Your Name --- frida_mode/GNUmakefile | 11 +- frida_mode/Makefile | 4 + frida_mode/include/ctx.h | 4 +- frida_mode/src/asan/asan_arm.c | 6 + frida_mode/src/asan/asan_arm64.c | 6 + frida_mode/src/asan/asan_x64.c | 10 +- frida_mode/src/asan/asan_x86.c | 77 +++++- frida_mode/src/cmplog/cmplog_x64.c | 36 +-- frida_mode/src/cmplog/cmplog_x86.c | 266 ++++++++++++++++++++- frida_mode/src/ctx/ctx_x64.c | 2 +- frida_mode/src/ctx/ctx_x86.c | 81 +++++++ frida_mode/src/instrument/instrument.c | 12 +- frida_mode/src/instrument/instrument_arm32.c | 3 + frida_mode/src/instrument/instrument_x86.c | 66 ++++- frida_mode/src/lib/lib.c | 15 +- frida_mode/src/persistent/persistent_x86.c | 233 +++++++++++++++++- frida_mode/test/cmplog/GNUmakefile | 37 +-- frida_mode/test/cmplog/Makefile | 12 +- frida_mode/test/cmplog/cmplog.c | 100 ++++++++ frida_mode/test/entry_point/GNUmakefile | 23 +- frida_mode/test/entry_point/Makefile | 6 +- frida_mode/test/entry_point/testinstr.c | 2 + frida_mode/test/exe/GNUmakefile | 9 +- frida_mode/test/exe/Makefile | 6 +- frida_mode/test/fasan/GNUmakefile | 9 +- frida_mode/test/fasan/Makefile | 6 +- frida_mode/test/fasan/test.c | 5 + frida_mode/test/png/GNUmakefile | 9 +- frida_mode/test/png/Makefile | 6 +- frida_mode/test/png/persistent/GNUmakefile | 23 +- frida_mode/test/png/persistent/Makefile | 6 +- frida_mode/test/png/persistent/get_symbol_addr.py | 2 +- frida_mode/test/png/persistent/hook/GNUmakefile | 52 +++- frida_mode/test/png/persistent/hook/Makefile | 12 +- .../png/persistent/hook/aflpp_qemu_driver_hook.c | 97 ++++++++ frida_mode/test/testinstr/GNUmakefile | 15 +- frida_mode/test/testinstr/Makefile | 9 +- 37 files changed, 1176 insertions(+), 102 deletions(-) create mode 100644 frida_mode/src/ctx/ctx_x86.c create mode 100644 frida_mode/test/cmplog/cmplog.c create mode 100644 frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c (limited to 'frida_mode/include') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index a15f5c32..e915f157 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -19,6 +19,7 @@ RT_CFLAGS:=-Wno-unused-parameter \ -Wno-sign-compare \ -Wno-unused-function \ -Wno-unused-result \ + -Wno-int-to-pointer-cast \ LDFLAGS+=-shared \ -lpthread \ @@ -38,6 +39,8 @@ FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/ FRIDA_TRACE:=$(BUILD_DIR)afl-frida-trace.so FRIDA_TRACE_EMBEDDED:=$(BUILD_DIR)afl-frida-trace-embedded +ifndef ARCH + ARCH=$(shell uname -m) ifeq "$(ARCH)" "aarch64" ARCH:=arm64 @@ -46,6 +49,7 @@ endif ifeq "$(ARCH)" "i686" ARCH:=x86 endif +endif ifeq "$(shell uname)" "Darwin" OS:=macos @@ -83,13 +87,16 @@ FRIDA_GUM_DEVKIT_COMPRESSED_TARBALL:=$(FRIDA_DIR)build/$(GUM_DEVKIT_FILENAME) AFL_COMPILER_RT_SRC:=$(ROOT)instrumentation/afl-compiler-rt.o.c AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o -.PHONY: all clean format $(FRIDA_GUM) +.PHONY: all 32 clean format $(FRIDA_GUM) ############################## ALL ############################################# all: $(FRIDA_TRACE) make -C $(ROOT) +32: + CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + $(BUILD_DIR): mkdir -p $(BUILD_DIR) @@ -161,11 +168,11 @@ $(foreach src,$(SOURCES),$(eval $(call BUILD_SOURCE,$(src),$(OBJ_DIR)$(notdir $( $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(AFL_COMPILER_RT_OBJ) GNUmakefile | $(BUILD_DIR) $(CC) \ - -o $@ \ $(OBJS) \ $(GUM_DEVIT_LIBRARY) \ $(AFL_COMPILER_RT_OBJ) \ $(LDFLAGS) \ + -o $@ \ cp -v $(FRIDA_TRACE) $(ROOT) diff --git a/frida_mode/Makefile b/frida_mode/Makefile index b6d64bff..6cd1a64e 100644 --- a/frida_mode/Makefile +++ b/frida_mode/Makefile @@ -2,6 +2,10 @@ all: @echo trying to use GNU make... @gmake all || echo please install GNUmake +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + clean: @gmake clean diff --git a/frida_mode/include/ctx.h b/frida_mode/include/ctx.h index 030d124a..cbcc892a 100644 --- a/frida_mode/include/ctx.h +++ b/frida_mode/include/ctx.h @@ -3,8 +3,8 @@ #include "frida-gum.h" -#if defined(__x86_64__) -guint64 ctx_read_reg(GumX64CpuContext *ctx, x86_reg reg); +#if defined(__x86_64__) || defined(__i386__) +gsize ctx_read_reg(GumCpuContext *ctx, x86_reg reg); #endif #endif diff --git a/frida_mode/src/asan/asan_arm.c b/frida_mode/src/asan/asan_arm.c index 526017be..79475ced 100644 --- a/frida_mode/src/asan/asan_arm.c +++ b/frida_mode/src/asan/asan_arm.c @@ -18,5 +18,11 @@ void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { } +void asan_arch_init(void) { + + FATAL("ASAN mode not supported on this architecture"); + +} + #endif diff --git a/frida_mode/src/asan/asan_arm64.c b/frida_mode/src/asan/asan_arm64.c index 4e3fbafd..6262ee18 100644 --- a/frida_mode/src/asan/asan_arm64.c +++ b/frida_mode/src/asan/asan_arm64.c @@ -18,5 +18,11 @@ void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { } +void asan_arch_init(void) { + + FATAL("ASAN mode not supported on this architecture"); + +} + #endif diff --git a/frida_mode/src/asan/asan_x64.c b/frida_mode/src/asan/asan_x64.c index bdf4ac30..a2eabe3c 100644 --- a/frida_mode/src/asan/asan_x64.c +++ b/frida_mode/src/asan/asan_x64.c @@ -7,23 +7,23 @@ #include "ctx.h" #include "util.h" +#if defined(__x86_64__) + typedef void (*asan_loadN_t)(uint64_t address, uint8_t size); typedef void (*asan_storeN_t)(uint64_t address, uint8_t size); asan_loadN_t asan_loadN = NULL; asan_storeN_t asan_storeN = NULL; -#if defined(__x86_64__) - static void asan_callout(GumCpuContext *ctx, gpointer user_data) { UNUSED_PARAMETER(user_data); cs_x86_op * operand = (cs_x86_op *)user_data; x86_op_mem *mem = &operand->mem; - uint64_t base = 0; - uint64_t index = 0; - uint64_t address; + gsize base = 0; + gsize index = 0; + gsize address; uint8_t size; if (mem->base != X86_REG_INVALID) { base = ctx_read_reg(ctx, mem->base); } diff --git a/frida_mode/src/asan/asan_x86.c b/frida_mode/src/asan/asan_x86.c index b946b3bf..8490b490 100644 --- a/frida_mode/src/asan/asan_x86.c +++ b/frida_mode/src/asan/asan_x86.c @@ -1,18 +1,89 @@ +#include #include "frida-gum.h" #include "debug.h" #include "asan.h" +#include "ctx.h" #include "util.h" #if defined(__i386__) + +typedef void (*asan_loadN_t)(gsize address, uint8_t size); +typedef void (*asan_storeN_t)(gsize address, uint8_t size); + +asan_loadN_t asan_loadN = NULL; +asan_storeN_t asan_storeN = NULL; + +static void asan_callout(GumCpuContext *ctx, gpointer user_data) { + + UNUSED_PARAMETER(user_data); + + cs_x86_op * operand = (cs_x86_op *)user_data; + x86_op_mem *mem = &operand->mem; + gsize base = 0; + gsize index = 0; + gsize address; + uint8_t size; + + if (mem->base != X86_REG_INVALID) { base = ctx_read_reg(ctx, mem->base); } + + if (mem->index != X86_REG_INVALID) { index = ctx_read_reg(ctx, mem->index); } + + address = base + (mem->scale * index) + mem->disp; + size = operand->size; + + if (operand->access == CS_AC_READ) { + + asan_loadN(address, size); + + } else if (operand->access == CS_AC_WRITE) { + + asan_storeN(address, size); + + } + +} + void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { - UNUSED_PARAMETER(instr); UNUSED_PARAMETER(iterator); - if (asan_initialized) { - FATAL("ASAN mode not supported on this architecture"); + cs_x86 x86 = instr->detail->x86; + cs_x86_op * operand; + x86_op_mem *mem; + cs_x86_op * ctx; + + if (!asan_initialized) return; + + if (instr->id == X86_INS_LEA) return; + + if (instr->id == X86_INS_NOP) return; + + for (uint8_t i = 0; i < x86.op_count; i++) { + + operand = &x86.operands[i]; + + if (operand->type != X86_OP_MEM) { continue; } + + mem = &operand->mem; + if (mem->segment != X86_REG_INVALID) { continue; } + + ctx = g_malloc0(sizeof(cs_x86_op)); + memcpy(ctx, operand, sizeof(cs_x86_op)); + gum_stalker_iterator_put_callout(iterator, asan_callout, ctx, g_free); + + } + +} + +void asan_arch_init(void) { + + asan_loadN = (asan_loadN_t)dlsym(RTLD_DEFAULT, "__asan_loadN"); + asan_storeN = (asan_loadN_t)dlsym(RTLD_DEFAULT, "__asan_storeN"); + if (asan_loadN == NULL || asan_storeN == NULL) { + + FATAL("Frida ASAN failed to find '__asan_loadN' or '__asan_storeN'"); } diff --git a/frida_mode/src/cmplog/cmplog_x64.c b/frida_mode/src/cmplog/cmplog_x64.c index c3621a29..9f56c32a 100644 --- a/frida_mode/src/cmplog/cmplog_x64.c +++ b/frida_mode/src/cmplog/cmplog_x64.c @@ -31,12 +31,12 @@ typedef struct { } cmplog_pair_ctx_t; -static gboolean cmplog_read_mem(GumX64CpuContext *ctx, uint8_t size, - x86_op_mem *mem, guint64 *val) { +static gboolean cmplog_read_mem(GumCpuContext *ctx, uint8_t size, + x86_op_mem *mem, gsize *val) { - guint64 base = 0; - guint64 index = 0; - guint64 address; + gsize base = 0; + gsize index = 0; + gsize address; if (mem->base != X86_REG_INVALID) base = ctx_read_reg(ctx, mem->base); @@ -49,16 +49,16 @@ static gboolean cmplog_read_mem(GumX64CpuContext *ctx, uint8_t size, switch (size) { case 1: - *val = *((guint8 *)address); + *val = *((guint8 *)GSIZE_TO_POINTER(address)); return TRUE; case 2: - *val = *((guint16 *)address); + *val = *((guint16 *)GSIZE_TO_POINTER(address)); return TRUE; case 4: - *val = *((guint32 *)address); + *val = *((guint32 *)GSIZE_TO_POINTER(address)); return TRUE; case 8: - *val = *((guint64 *)address); + *val = *((guint64 *)GSIZE_TO_POINTER(address)); return TRUE; default: FATAL("Invalid operand size: %d\n", size); @@ -70,7 +70,7 @@ static gboolean cmplog_read_mem(GumX64CpuContext *ctx, uint8_t size, } static gboolean cmplog_get_operand_value(GumCpuContext *context, - cmplog_ctx_t *ctx, guint64 *val) { + cmplog_ctx_t *ctx, gsize *val) { switch (ctx->type) { @@ -95,9 +95,9 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { UNUSED_PARAMETER(user_data); - guint64 address = ctx_read_reg(context, X86_REG_RIP); - guint64 rdi = ctx_read_reg(context, X86_REG_RDI); - guint64 rsi = ctx_read_reg(context, X86_REG_RSI); + gsize address = ctx_read_reg(context, X86_REG_RIP); + gsize rdi = ctx_read_reg(context, X86_REG_RDI); + gsize rsi = ctx_read_reg(context, X86_REG_RSI); if (((G_MAXULONG - rdi) < 32) || ((G_MAXULONG - rsi) < 32)) return; @@ -169,10 +169,10 @@ static void cmplog_instrument_call(const cs_insn * instr, } -static void cmplog_handle_cmp_sub(GumCpuContext *context, guint64 operand1, - guint64 operand2, uint8_t size) { +static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1, + gsize operand2, uint8_t size) { - guint64 address = ctx_read_reg(context, X86_REG_RIP); + gsize address = ctx_read_reg(context, X86_REG_RIP); register uintptr_t k = (uintptr_t)address; @@ -195,8 +195,8 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, guint64 operand1, static void cmplog_cmp_sub_callout(GumCpuContext *context, gpointer user_data) { cmplog_pair_ctx_t *ctx = (cmplog_pair_ctx_t *)user_data; - guint64 operand1; - guint64 operand2; + gsize operand1; + gsize operand2; if (ctx->operand1.size != ctx->operand2.size) FATAL("Operand size mismatch"); diff --git a/frida_mode/src/cmplog/cmplog_x86.c b/frida_mode/src/cmplog/cmplog_x86.c index 2401180c..a27df0af 100644 --- a/frida_mode/src/cmplog/cmplog_x86.c +++ b/frida_mode/src/cmplog/cmplog_x86.c @@ -1,17 +1,275 @@ #include "frida-gum.h" #include "debug.h" +#include "cmplog.h" +#include "ctx.h" #include "frida_cmplog.h" #include "util.h" #if defined(__i386__) + +typedef struct { + + x86_op_type type; + uint8_t size; + + union { + + x86_op_mem mem; + x86_reg reg; + int64_t imm; + + }; + +} cmplog_ctx_t; + +typedef struct { + + cmplog_ctx_t operand1; + cmplog_ctx_t operand2; + +} cmplog_pair_ctx_t; + +static gboolean cmplog_read_mem(GumCpuContext *ctx, uint8_t size, + x86_op_mem *mem, gsize *val) { + + gsize base = 0; + gsize index = 0; + gsize address; + + if (mem->base != X86_REG_INVALID) base = ctx_read_reg(ctx, mem->base); + + if (mem->index != X86_REG_INVALID) index = ctx_read_reg(ctx, mem->index); + + address = base + (index * mem->scale) + mem->disp; + + if (!cmplog_is_readable(address, size)) { return FALSE; } + + switch (size) { + + case 1: + *val = *((guint8 *)GSIZE_TO_POINTER(address)); + return TRUE; + case 2: + *val = *((guint16 *)GSIZE_TO_POINTER(address)); + return TRUE; + case 4: + *val = *((guint32 *)GSIZE_TO_POINTER(address)); + return TRUE; + default: + FATAL("Invalid operand size: %d\n", size); + + } + + return FALSE; + +} + +static gboolean cmplog_get_operand_value(GumCpuContext *context, + cmplog_ctx_t *ctx, gsize *val) { + + switch (ctx->type) { + + case X86_OP_REG: + *val = ctx_read_reg(context, ctx->reg); + return TRUE; + case X86_OP_IMM: + *val = ctx->imm; + return TRUE; + case X86_OP_MEM: + return cmplog_read_mem(context, ctx->size, &ctx->mem, val); + default: + FATAL("Invalid operand type: %d\n", ctx->type); + + } + + return FALSE; + +} + +static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { + + UNUSED_PARAMETER(user_data); + + gsize address = ctx_read_reg(context, X86_REG_EIP); + gsize *esp = (gsize *)ctx_read_reg(context, X86_REG_ESP); + + if (!cmplog_is_readable(GPOINTER_TO_SIZE(esp), 12)) return; + + /* + * This callout is place immediately before the call instruction, and hence + * the return address is not yet pushed on the top of the stack. + */ + gsize arg1 = esp[0]; + gsize arg2 = esp[1]; + + if (((G_MAXULONG - arg1) < 32) || ((G_MAXULONG - arg2) < 32)) return; + + if (!cmplog_is_readable(arg1, 32) || !cmplog_is_readable(arg2, 32)) return; + + void *ptr1 = GSIZE_TO_POINTER(arg1); + void *ptr2 = GSIZE_TO_POINTER(arg2); + + uintptr_t k = address; + + k = (k >> 4) ^ (k << 8); + k &= CMP_MAP_W - 1; + + __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits + 1; + + __afl_cmp_map->headers[k].shape = 31; + + hits &= CMP_MAP_RTN_H - 1; + gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0, ptr1, + 32); + gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1, ptr2, + 32); + +} + +static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx, + cs_x86_op * operand) { + + ctx->type = operand->type; + ctx->size = operand->size; + switch (operand->type) { + + case X86_OP_REG: + gum_memcpy(&ctx->reg, &operand->reg, sizeof(x86_reg)); + break; + case X86_OP_IMM: + gum_memcpy(&ctx->imm, &operand->imm, sizeof(int64_t)); + break; + case X86_OP_MEM: + gum_memcpy(&ctx->mem, &operand->mem, sizeof(x86_op_mem)); + break; + default: + FATAL("Invalid operand type: %d\n", operand->type); + + } + +} + +static void cmplog_instrument_call(const cs_insn * instr, + GumStalkerIterator *iterator) { + + cs_x86 x86 = instr->detail->x86; + cs_x86_op *operand; + + if (instr->id != X86_INS_CALL) return; + + if (x86.op_count != 1) return; + + operand = &x86.operands[0]; + + if (operand->type == X86_OP_INVALID) return; + if (operand->type == X86_OP_MEM && operand->mem.segment != X86_REG_INVALID) + return; + + gum_stalker_iterator_put_callout(iterator, cmplog_call_callout, NULL, NULL); + +} + +static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1, + gsize operand2, uint8_t size) { + + gsize address = ctx_read_reg(context, X86_REG_EIP); + + register uintptr_t k = (uintptr_t)address; + + k = (k >> 4) ^ (k << 8); + k &= CMP_MAP_W - 1; + + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits + 1; + + __afl_cmp_map->headers[k].shape = (size - 1); + + hits &= CMP_MAP_H - 1; + __afl_cmp_map->log[k][hits].v0 = operand1; + __afl_cmp_map->log[k][hits].v1 = operand2; + +} + +static void cmplog_cmp_sub_callout(GumCpuContext *context, gpointer user_data) { + + cmplog_pair_ctx_t *ctx = (cmplog_pair_ctx_t *)user_data; + gsize operand1; + gsize operand2; + + if (ctx->operand1.size != ctx->operand2.size) FATAL("Operand size mismatch"); + + if (!cmplog_get_operand_value(context, &ctx->operand1, &operand1)) { return; } + if (!cmplog_get_operand_value(context, &ctx->operand2, &operand2)) { return; } + + cmplog_handle_cmp_sub(context, operand1, operand2, ctx->operand1.size); + +} + +static void cmplog_instrument_cmp_sub_put_callout(GumStalkerIterator *iterator, + cs_x86_op * operand1, + cs_x86_op *operand2) { + + cmplog_pair_ctx_t *ctx = g_malloc(sizeof(cmplog_pair_ctx_t)); + if (ctx == NULL) return; + + cmplog_instrument_put_operand(&ctx->operand1, operand1); + cmplog_instrument_put_operand(&ctx->operand2, operand2); + + gum_stalker_iterator_put_callout(iterator, cmplog_cmp_sub_callout, ctx, + g_free); + +} + +static void cmplog_instrument_cmp_sub(const cs_insn * instr, + GumStalkerIterator *iterator) { + + cs_x86 x86 = instr->detail->x86; + cs_x86_op *operand1; + cs_x86_op *operand2; + + switch (instr->id) { + + case X86_INS_CMP: + case X86_INS_SUB: + break; + default: + return; + + } + + if (x86.op_count != 2) return; + + operand1 = &x86.operands[0]; + operand2 = &x86.operands[1]; + + if (operand1->type == X86_OP_INVALID) return; + if (operand2->type == X86_OP_INVALID) return; + + if ((operand1->type == X86_OP_MEM) && + (operand1->mem.segment != X86_REG_INVALID)) + return; + + if ((operand2->type == X86_OP_MEM) && + (operand2->mem.segment != X86_REG_INVALID)) + return; + + cmplog_instrument_cmp_sub_put_callout(iterator, operand1, operand2); + +} + void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { - UNUSED_PARAMETER(instr); - UNUSED_PARAMETER(iterator); - if (__afl_cmp_map == NULL) { return; } - FATAL("CMPLOG mode not supported on this architecture"); + if (__afl_cmp_map == NULL) return; + + cmplog_instrument_call(instr, iterator); + cmplog_instrument_cmp_sub(instr, iterator); } diff --git a/frida_mode/src/ctx/ctx_x64.c b/frida_mode/src/ctx/ctx_x64.c index dec759f4..c5900533 100644 --- a/frida_mode/src/ctx/ctx_x64.c +++ b/frida_mode/src/ctx/ctx_x64.c @@ -41,7 +41,7 @@ \ } -guint64 ctx_read_reg(GumX64CpuContext *ctx, x86_reg reg) { +gsize ctx_read_reg(GumX64CpuContext *ctx, x86_reg reg) { switch (reg) { diff --git a/frida_mode/src/ctx/ctx_x86.c b/frida_mode/src/ctx/ctx_x86.c new file mode 100644 index 00000000..45308272 --- /dev/null +++ b/frida_mode/src/ctx/ctx_x86.c @@ -0,0 +1,81 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "ctx.h" + +#if defined(__i386__) + + #define X86_REG_8L(LABEL, REG) \ + case LABEL: { \ + \ + return REG & GUM_INT8_MASK; \ + \ + } + + #define X86_REG_8H(LABEL, REG) \ + case LABEL: { \ + \ + return (REG & GUM_INT16_MASK) >> 8; \ + \ + } + + #define X86_REG_16(LABEL, REG) \ + case LABEL: { \ + \ + return (REG & GUM_INT16_MASK); \ + \ + } + + #define X86_REG_32(LABEL, REG) \ + case LABEL: { \ + \ + return (REG & GUM_INT32_MASK); \ + \ + } + +gsize ctx_read_reg(GumIA32CpuContext *ctx, x86_reg reg) { + + switch (reg) { + + X86_REG_8L(X86_REG_AL, ctx->eax) + X86_REG_8L(X86_REG_BL, ctx->ebx) + X86_REG_8L(X86_REG_CL, ctx->ecx) + X86_REG_8L(X86_REG_DL, ctx->edx) + X86_REG_8L(X86_REG_BPL, ctx->ebp) + X86_REG_8L(X86_REG_SIL, ctx->esi) + X86_REG_8L(X86_REG_DIL, ctx->edi) + + X86_REG_8H(X86_REG_AH, ctx->eax) + X86_REG_8H(X86_REG_BH, ctx->ebx) + X86_REG_8H(X86_REG_CH, ctx->ecx) + X86_REG_8H(X86_REG_DH, ctx->edx) + + X86_REG_16(X86_REG_AX, ctx->eax) + X86_REG_16(X86_REG_BX, ctx->ebx) + X86_REG_16(X86_REG_CX, ctx->ecx) + X86_REG_16(X86_REG_DX, ctx->edx) + X86_REG_16(X86_REG_DI, ctx->edi) + X86_REG_16(X86_REG_SI, ctx->esi) + X86_REG_16(X86_REG_BP, ctx->ebp) + + X86_REG_32(X86_REG_EAX, ctx->eax) + X86_REG_32(X86_REG_ECX, ctx->ecx) + X86_REG_32(X86_REG_EDX, ctx->edx) + X86_REG_32(X86_REG_EBX, ctx->ebx) + X86_REG_32(X86_REG_ESP, ctx->esp) + X86_REG_32(X86_REG_EBP, ctx->ebp) + X86_REG_32(X86_REG_ESI, ctx->esi) + X86_REG_32(X86_REG_EDI, ctx->edi) + X86_REG_32(X86_REG_EIP, ctx->eip) + + default: + FATAL("Failed to read register: %d", reg); + return 0; + + } + +} + +#endif + diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 5c77ade6..67eadc3f 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -34,7 +34,7 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context, */ static char buffer[200]; int len; - guint64 current_pc = (guint64)user_data; + GumAddress current_pc = GUM_ADDRESS(user_data); uint8_t * cursor; uint64_t value; if (unlikely(tracing)) { @@ -86,8 +86,8 @@ static void instr_basic_block(GumStalkerIterator *iterator, if (begin) { - prefetch_write((void *)instr->address); - if (!range_is_excluded((void *)instr->address)) { + prefetch_write(GSIZE_TO_POINTER(instr->address)); + if (!range_is_excluded(GSIZE_TO_POINTER(instr->address))) { if (optimize) { @@ -95,8 +95,8 @@ static void instr_basic_block(GumStalkerIterator *iterator, } else { - gum_stalker_iterator_put_callout(iterator, on_basic_block, - (gpointer)instr->address, NULL); + gum_stalker_iterator_put_callout( + iterator, on_basic_block, GSIZE_TO_POINTER(instr->address), NULL); } @@ -106,7 +106,7 @@ static void instr_basic_block(GumStalkerIterator *iterator, } - if (!range_is_excluded((void *)instr->address)) { + if (!range_is_excluded(GSIZE_TO_POINTER(instr->address))) { asan_instrument(instr, iterator); cmplog_instrument(instr, iterator); diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index c2d720a7..1a3c40bb 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -3,6 +3,7 @@ #include "debug.h" #include "instrument.h" +#include "util.h" #if defined(__arm__) @@ -15,6 +16,8 @@ gboolean instrument_is_coverage_optimize_supported(void) { void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output) { + UNUSED_PARAMETER(instr); + UNUSED_PARAMETER(output); FATAL("Optimized coverage not supported on this architecture"); } diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index 5b8cbbba..585bb5b8 100644 --- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c @@ -3,19 +3,81 @@ #include "debug.h" #include "instrument.h" +#include "util.h" #if defined(__i386__) +static GumAddress current_log_impl = GUM_ADDRESS(0); + +static void instrument_coverage_function(GumX86Writer *cw) { + + gum_x86_writer_put_pushfx(cw); + gum_x86_writer_put_push_reg(cw, GUM_REG_ECX); + gum_x86_writer_put_push_reg(cw, GUM_REG_EDX); + + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_ECX, + GUM_ADDRESS(&previous_pc)); + gum_x86_writer_put_mov_reg_reg_ptr(cw, GUM_REG_EDX, GUM_REG_ECX); + gum_x86_writer_put_xor_reg_reg(cw, GUM_REG_EDX, GUM_REG_EDI); + + gum_x86_writer_put_add_reg_imm(cw, GUM_REG_EDX, GUM_ADDRESS(__afl_area_ptr)); + + /* add byte ptr [edx], 1 */ + uint8_t add_byte_ptr_edx_1[] = {0x80, 0x02, 0x01}; + gum_x86_writer_put_bytes(cw, add_byte_ptr_edx_1, sizeof(add_byte_ptr_edx_1)); + + /* adc byte ptr [edx], 0 */ + uint8_t adc_byte_ptr_edx_0[] = {0x80, 0x12, 0x00}; + gum_x86_writer_put_bytes(cw, adc_byte_ptr_edx_0, sizeof(adc_byte_ptr_edx_0)); + + gum_x86_writer_put_shr_reg_u8(cw, GUM_REG_EDI, 1); + gum_x86_writer_put_mov_reg_ptr_reg(cw, GUM_REG_ECX, GUM_REG_EDI); + + gum_x86_writer_put_pop_reg(cw, GUM_REG_EDX); + gum_x86_writer_put_pop_reg(cw, GUM_REG_ECX); + gum_x86_writer_put_popfx(cw); + gum_x86_writer_put_ret(cw); + +} + gboolean instrument_is_coverage_optimize_supported(void) { - return false; + return true; } void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output) { - FATAL("Optimized coverage not supported on this architecture"); + UNUSED_PARAMETER(instr); + UNUSED_PARAMETER(output); + + guint64 current_pc = instr->address; + guint64 area_offset = (current_pc >> 4) ^ (current_pc << 8); + area_offset &= MAP_SIZE - 1; + GumX86Writer *cw = output->writer.x86; + + if (current_log_impl == 0 || + !gum_x86_writer_can_branch_directly_between(cw->pc, current_log_impl) || + !gum_x86_writer_can_branch_directly_between(cw->pc + 128, + current_log_impl)) { + + gconstpointer after_log_impl = cw->code + 1; + + gum_x86_writer_put_jmp_near_label(cw, after_log_impl); + + current_log_impl = cw->pc; + instrument_coverage_function(cw); + + gum_x86_writer_put_label(cw, after_log_impl); + + } + + // gum_x86_writer_put_breakpoint(cw); + gum_x86_writer_put_push_reg(cw, GUM_REG_EDI); + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EDI, area_offset); + gum_x86_writer_put_call_address(cw, current_log_impl); + gum_x86_writer_put_pop_reg(cw, GUM_REG_EDI); } diff --git a/frida_mode/src/lib/lib.c b/frida_mode/src/lib/lib.c index c5045533..13a7d1e7 100644 --- a/frida_mode/src/lib/lib.c +++ b/frida_mode/src/lib/lib.c @@ -90,7 +90,8 @@ static void lib_read_text_section(lib_details_t *lib_details, Elf_Ehdr *hdr) { if (!found_preferred_base) { FATAL("Failed to find preferred load address"); } - OKF("Image preferred load address 0x%016lx", preferred_base); + OKF("Image preferred load address 0x%016" G_GSIZE_MODIFIER "x", + preferred_base); shdr = (Elf_Shdr *)((char *)hdr + hdr->e_shoff); shstrtab = &shdr[hdr->e_shstrndx]; @@ -107,15 +108,16 @@ static void lib_read_text_section(lib_details_t *lib_details, Elf_Ehdr *hdr) { if (curr->sh_name == 0) continue; section_name = &shstr[curr->sh_name]; - OKF("Section: %2lu - base: 0x%016lX size: 0x%016lX %s", i, curr->sh_addr, - curr->sh_size, section_name); + OKF("Section: %2" G_GSIZE_MODIFIER "u - base: 0x%016" G_GSIZE_MODIFIER + "X size: 0x%016" G_GSIZE_MODIFIER "X %s", + i, curr->sh_addr, curr->sh_size, section_name); if (memcmp(section_name, text_name, sizeof(text_name)) == 0 && text_base == 0) { text_base = lib_details->base_address + curr->sh_addr - preferred_base; text_limit = text_base + curr->sh_size; - OKF("> text_addr: 0x%016lX", text_base); - OKF("> text_limit: 0x%016lX", text_limit); + OKF("> text_addr: 0x%016" G_GINT64_MODIFIER "X", text_base); + OKF("> text_limit: 0x%016" G_GINT64_MODIFIER "X", text_limit); } @@ -153,7 +155,8 @@ void lib_init(void) { lib_details_t lib_details; gum_process_enumerate_modules(lib_find_exe, &lib_details); - OKF("Executable: 0x%016lx - %s", lib_details.base_address, lib_details.path); + OKF("Executable: 0x%016" G_GINT64_MODIFIER "x - %s", lib_details.base_address, + lib_details.path); lib_get_text_section(&lib_details); } diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c index 9d39c4e9..bd7171b9 100644 --- a/frida_mode/src/persistent/persistent_x86.c +++ b/frida_mode/src/persistent/persistent_x86.c @@ -1,9 +1,9 @@ #include "frida-gum.h" -#include "debug.h" +#include "config.h" +#include "instrument.h" #include "persistent.h" -#include "util.h" #if defined(__i386__) @@ -38,16 +38,239 @@ struct x86_regs { typedef struct x86_regs arch_api_regs; +static arch_api_regs saved_regs = {0}; +static void * saved_return = NULL; + gboolean persistent_is_supported(void) { - return false; + return true; + +} + +static void instrument_persitent_save_regs(GumX86Writer * cw, + struct x86_regs *regs) { + + GumAddress regs_address = GUM_ADDRESS(regs); + + /* Should be pushing FPU here, but meh */ + gum_x86_writer_put_pushfx(cw); + gum_x86_writer_put_push_reg(cw, GUM_REG_EAX); + + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, regs_address); + + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 1), + GUM_REG_EBX); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 2), + GUM_REG_ECX); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 3), + GUM_REG_EDX); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 4), + GUM_REG_EDI); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 5), + GUM_REG_ESI); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 6), + GUM_REG_EBP); + + /* Store RIP */ + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EBX, + GUM_ADDRESS(persistent_start)); + + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 7), + GUM_REG_EBX); + + /* Store adjusted RSP */ + gum_x86_writer_put_mov_reg_reg(cw, GUM_REG_EBX, GUM_REG_ESP); + + /* RED_ZONE + Saved flags, RAX */ + gum_x86_writer_put_add_reg_imm(cw, GUM_REG_EBX, (0x4 * 2)); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 8), + GUM_REG_EBX); + + /* Save the flags */ + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_ESP, 0x4); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 9), + GUM_REG_EBX); + + /* Save the RAX */ + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_ESP, 0x0); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 0), + GUM_REG_EBX); + + /* Pop the saved values */ + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, 0x8); + +} + +static void instrument_persitent_restore_regs(GumX86Writer * cw, + struct x86_regs *regs) { + + GumAddress regs_address = GUM_ADDRESS(regs); + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, regs_address); + + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ECX, GUM_REG_EAX, + (0x4 * 2)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EDX, GUM_REG_EAX, + (0x4 * 3)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EDI, GUM_REG_EAX, + (0x4 * 4)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ESI, GUM_REG_EAX, + (0x4 * 5)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBP, GUM_REG_EAX, + (0x4 * 6)); + + /* Don't restore RIP or RSP */ + + /* Restore RBX, RAX & Flags */ + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_EAX, + (0x4 * 1)); + gum_x86_writer_put_push_reg(cw, GUM_REG_EBX); + + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_EAX, + (0x4 * 0)); + gum_x86_writer_put_push_reg(cw, GUM_REG_EBX); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_EAX, + (0x4 * 9)); + gum_x86_writer_put_push_reg(cw, GUM_REG_EBX); + + gum_x86_writer_put_popfx(cw); + gum_x86_writer_put_pop_reg(cw, GUM_REG_EAX); + gum_x86_writer_put_pop_reg(cw, GUM_REG_EBX); + +} + +static void instrument_save_ret(GumX86Writer *cw, void **saved_return_ptr) { + + GumAddress saved_return_address = GUM_ADDRESS(saved_return_ptr); + + gum_x86_writer_put_push_reg(cw, GUM_REG_EAX); + gum_x86_writer_put_push_reg(cw, GUM_REG_EBX); + + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, saved_return_address); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_ESP, 0x8); + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, 0, GUM_REG_EBX); + + gum_x86_writer_put_pop_reg(cw, GUM_REG_EBX); + gum_x86_writer_put_pop_reg(cw, GUM_REG_EAX); + +} + +static void instrument_jump_ret(GumX86Writer *cw, void **saved_return_ptr) { + + GumAddress saved_return_address = GUM_ADDRESS(saved_return_ptr); + + /* Place holder for ret */ + gum_x86_writer_put_push_reg(cw, GUM_REG_EAX); + gum_x86_writer_put_push_reg(cw, GUM_REG_EAX); + + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, saved_return_address); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EAX, GUM_REG_EAX, 0); + + gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_ESP, 0x4, GUM_REG_EAX); + gum_x86_writer_put_pop_reg(cw, GUM_REG_EAX); + gum_x86_writer_put_ret(cw); + +} + +static int instrument_afl_persistent_loop_func(void) { + + int ret = __afl_persistent_loop(persistent_count); + previous_pc = 0; + return ret; + +} + +static void instrument_afl_persistent_loop(GumX86Writer *cw) { + + gum_x86_writer_put_call_address_with_arguments( + cw, GUM_CALL_CAPI, GUM_ADDRESS(instrument_afl_persistent_loop_func), 0); + gum_x86_writer_put_test_reg_reg(cw, GUM_REG_EAX, GUM_REG_EAX); + +} + +static void persistent_prologue_hook(GumX86Writer *cw, struct x86_regs *regs) { + + if (hook == NULL) return; + + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_ECX, + GUM_ADDRESS(&__afl_fuzz_len)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ECX, GUM_REG_ECX, 0); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ECX, GUM_REG_ECX, 0); + + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EDX, + GUM_ADDRESS(&__afl_fuzz_ptr)); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EDX, GUM_REG_EDX, 0); + + /* Base address is 64-bits (hence two zero arguments) */ + gum_x86_writer_put_call_address_with_arguments( + cw, GUM_CALL_CAPI, GUM_ADDRESS(hook), 5, GUM_ARG_ADDRESS, + GUM_ADDRESS(regs), GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_ADDRESS, + GUM_ADDRESS(0), GUM_ARG_REGISTER, GUM_REG_EDX, GUM_ARG_REGISTER, + GUM_REG_ECX); } void persistent_prologue(GumStalkerOutput *output) { - UNUSED_PARAMETER(output); - FATAL("Persistent mode not supported on this architecture"); + /* + * SAVE REGS + * SAVE RET + * POP RET + * loop: + * CALL instrument_afl_persistent_loop + * TEST EAX, EAX + * JZ end: + * call hook (optionally) + * RESTORE REGS + * call original + * jmp loop: + * + * end: + * JMP SAVED RET + * + * original: + * INSTRUMENTED PERSISTENT FUNC + */ + + GumX86Writer *cw = output->writer.x86; + + gconstpointer loop = cw->code + 1; + + /* Stack must be 16-byte aligned per ABI */ + instrument_persitent_save_regs(cw, &saved_regs); + + /* Stash and pop the return value */ + instrument_save_ret(cw, &saved_return); + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, (4)); + + /* loop: */ + gum_x86_writer_put_label(cw, loop); + + /* call instrument_prologue_func */ + instrument_afl_persistent_loop(cw); + + /* jz done */ + gconstpointer done = cw->code + 1; + gum_x86_writer_put_jcc_near_label(cw, X86_INS_JE, done, GUM_UNLIKELY); + + /* Optionally call the persistent hook */ + persistent_prologue_hook(cw, &saved_regs); + + instrument_persitent_restore_regs(cw, &saved_regs); + gconstpointer original = cw->code + 1; + /* call original */ + gum_x86_writer_put_call_near_label(cw, original); + /* jmp loop */ + gum_x86_writer_put_jmp_near_label(cw, loop); + + /* done: */ + gum_x86_writer_put_label(cw, done); + + instrument_jump_ret(cw, &saved_return); + + /* original: */ + gum_x86_writer_put_label(cw, original); + + gum_x86_writer_flush(cw); } diff --git a/frida_mode/test/cmplog/GNUmakefile b/frida_mode/test/cmplog/GNUmakefile index 37c7450c..40de6a09 100644 --- a/frida_mode/test/cmplog/GNUmakefile +++ b/frida_mode/test/cmplog/GNUmakefile @@ -2,8 +2,8 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../../)/ BUILD_DIR:=$(PWD)build/ -TEST_CMPLOG_DIR:=$(ROOT)qemu_mode/libcompcov/ -TEST_CMPLOG_OBJ=$(TEST_CMPLOG_DIR)compcovtest +TEST_CMPLOG_SRC=$(PWD)cmplog.c +TEST_CMPLOG_OBJ=$(BUILD_DIR)compcovtest TEST_BIN:=$(PWD)../../build/test @@ -13,20 +13,14 @@ CMP_LOG_INPUT:=$(TEST_DATA_DIR)in QEMU_OUT:=$(BUILD_DIR)qemu-out FRIDA_OUT:=$(BUILD_DIR)frida-out -ARCH=$(shell uname -m) -ifeq "$(ARCH)" "aarch64" - AFL_FRIDA_INST_RANGES=$(shell $(PWD)get_section_addrs.py -f $(TEST_CMPLOG_OBJ) -s .text -b 0x0000aaaaaaaaa000) -endif +.PHONY: all 32 clean qemu frida format -ifeq "$(ARCH)" "x86_64" - AFL_FRIDA_INST_RANGES=$(shell $(PWD)get_section_addrs.py -f $(TEST_CMPLOG_OBJ) -s .text -b 0x0000555555554000) -endif - -.PHONY: all clean qemu frida - -all: +all: $(TEST_CMPLOG_OBJ) make -C $(ROOT)frida_mode/ +32: + CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + $(BUILD_DIR): mkdir -p $@ @@ -34,10 +28,10 @@ $(TEST_DATA_DIR): | $(BUILD_DIR) mkdir -p $@ $(CMP_LOG_INPUT): | $(TEST_DATA_DIR) - truncate -s 64 $@ + echo -n "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz" > $@ -$(TEST_CMPLOG_OBJ): $(TEST_CMPLOG_DIR)compcovtest.cc - make -C $(TEST_CMPLOG_DIR) compcovtest +$(TEST_CMPLOG_OBJ): $(TEST_CMPLOG_SRC) | $(BUILD_DIR) + $(CXX) -std=c++11 -g $(CFLAGS) $(LDFLAGS) $< -o $@ qemu: $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT) $(ROOT)afl-fuzz \ @@ -51,7 +45,6 @@ qemu: $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT) $(TEST_CMPLOG_OBJ) @@ frida: $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT) - XAFL_FRIDA_INST_RANGES=$(AFL_FRIDA_INST_RANGES) \ $(ROOT)afl-fuzz \ -O \ -i $(TEST_DATA_DIR) \ @@ -62,5 +55,15 @@ frida: $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT) -- \ $(TEST_CMPLOG_OBJ) @@ +debug: $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT) + gdb \ + --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ + --ex 'set disassembly-flavor intel' \ + --ex 'r $(CMP_LOG_INPUT)' \ + --args $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT) + clean: rm -rf $(BUILD_DIR) + +format: + cd $(ROOT) && echo $(TEST_CMPLOG_SRC) | xargs -L1 ./.custom-format.py -i diff --git a/frida_mode/test/cmplog/Makefile b/frida_mode/test/cmplog/Makefile index f322d1f5..606b43a5 100644 --- a/frida_mode/test/cmplog/Makefile +++ b/frida_mode/test/cmplog/Makefile @@ -2,6 +2,10 @@ all: @echo trying to use GNU make... @gmake all || echo please install GNUmake +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + clean: @gmake clean @@ -9,4 +13,10 @@ qemu: @gmake qemu frida: - @gmake frida \ No newline at end of file + @gmake frida + +format: + @gmake format + +debug: + @gmake debug diff --git a/frida_mode/test/cmplog/cmplog.c b/frida_mode/test/cmplog/cmplog.c new file mode 100644 index 00000000..99010645 --- /dev/null +++ b/frida_mode/test/cmplog/cmplog.c @@ -0,0 +1,100 @@ +///////////////////////////////////////////////////////////////////////// +// +// Author: Mateusz Jurczyk (mjurczyk@google.com) +// +// Copyright 2019-2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +// solution: echo -ne 'The quick brown fox jumps over the lazy +// dog\xbe\xba\xfe\xca\xbe\xba\xfe\xca\xde\xc0\xad\xde\xef\xbe' | ./compcovtest + +#include +#include +#include +#include + +int main(int argc, char **argv) { + + char buffer[44] = {/* zero padding */}; + + FILE *file = stdin; + + if (argc > 1) { + + if ((file = fopen(argv[1], "r")) == NULL) { + + perror(argv[1]); + exit(-1); + + } + + } + + fread(buffer, 1, sizeof(buffer) - 1, file); + + if (memcmp(&buffer[0], "The quick brown fox ", 20) != 0 || + strncmp(&buffer[20], "jumps over ", 11) != 0 || + strcmp(&buffer[31], "the lazy dog") != 0) { + + if (argc > 1) { fclose(file); } + return 1; + + } + +#if defined(__x86_64__) + uint64_t x = 0; + fread(&x, sizeof(x), 1, file); + if (x != 0xCAFEBABECAFEBABE) { + + if (argc > 1) { fclose(file); } + return 2; + + } + +#endif + + uint32_t y = 0; + fread(&y, sizeof(y), 1, file); + + if (y != 0xDEADC0DE) { + + if (argc > 1) { fclose(file); } + return 3; + + } + + uint16_t z = 0; + fread(&z, sizeof(z), 1, file); + + switch (z) { + + case 0xBEEF: + break; + + default: + if (argc > 1) { fclose(file); } + return 4; + + } + + printf("Puzzle solved, congrats!\n"); + abort(); + + if (argc > 1) { fclose(file); } + + return 0; + +} + diff --git a/frida_mode/test/entry_point/GNUmakefile b/frida_mode/test/entry_point/GNUmakefile index 891827eb..c99bcecb 100644 --- a/frida_mode/test/entry_point/GNUmakefile +++ b/frida_mode/test/entry_point/GNUmakefile @@ -12,6 +12,18 @@ FRIDA_OUT:=$(BUILD_DIR)frida-out GET_SYMBOL_ADDR:=$(ROOT)frida_mode/test/png/persistent/get_symbol_addr.py +ifndef ARCH + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + ARCH:=arm64 +endif + +ifeq "$(ARCH)" "i686" + ARCH:=x86 +endif +endif + ARCH=$(shell uname -m) ifeq "$(ARCH)" "aarch64" AFL_ENTRYPOINT=$(shell $(GET_SYMBOL_ADDR) -f $(TESTINSTBIN) -s run -b 0x0000aaaaaaaaa000) @@ -21,11 +33,18 @@ ifeq "$(ARCH)" "x86_64" AFL_ENTRYPOINT=$(shell $(GET_SYMBOL_ADDR) -f $(TESTINSTBIN) -s run -b 0x0000555555554000) endif +ifeq "$(ARCH)" "x86" + AFL_ENTRYPOINT=$(shell $(GET_SYMBOL_ADDR) -f $(TESTINSTBIN) -s run -b 0x56555000) +endif + .PHONY: all clean qemu frida all: $(TESTINSTBIN) make -C $(ROOT)frida_mode/ +32: + CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + $(BUILD_DIR): mkdir -p $@ @@ -36,7 +55,7 @@ $(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR) echo -n "000" > $@ $(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) - $(CC) -o $@ $< + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< clean: rm -rf $(BUILD_DIR) @@ -58,4 +77,4 @@ frida_entry: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) -i $(TESTINSTR_DATA_DIR) \ -o $(FRIDA_OUT) \ -- \ - $(TESTINSTBIN) @@ \ No newline at end of file + $(TESTINSTBIN) @@ diff --git a/frida_mode/test/entry_point/Makefile b/frida_mode/test/entry_point/Makefile index 3b41b94e..75c57e66 100644 --- a/frida_mode/test/entry_point/Makefile +++ b/frida_mode/test/entry_point/Makefile @@ -2,6 +2,10 @@ all: @echo trying to use GNU make... @gmake all || echo please install GNUmake +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + clean: @gmake clean @@ -9,4 +13,4 @@ frida: @gmake frida frida_entry: - @gmake frida \ No newline at end of file + @gmake frida diff --git a/frida_mode/test/entry_point/testinstr.c b/frida_mode/test/entry_point/testinstr.c index a6c655f9..bd605c52 100644 --- a/frida_mode/test/entry_point/testinstr.c +++ b/frida_mode/test/entry_point/testinstr.c @@ -106,7 +106,9 @@ int run(char *file) { } void slow() { + usleep(100000); + } int main(int argc, char **argv) { diff --git a/frida_mode/test/exe/GNUmakefile b/frida_mode/test/exe/GNUmakefile index c543cca8..86e5a461 100644 --- a/frida_mode/test/exe/GNUmakefile +++ b/frida_mode/test/exe/GNUmakefile @@ -10,11 +10,14 @@ TESTINSTSRC:=$(PWD)testinstr.c QEMU_OUT:=$(BUILD_DIR)qemu-out FRIDA_OUT:=$(BUILD_DIR)frida-out -.PHONY: all clean qemu frida +.PHONY: all 32 clean qemu frida all: $(TESTINSTBIN) make -C $(ROOT)frida_mode/ +32: + CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + $(BUILD_DIR): mkdir -p $@ @@ -25,7 +28,7 @@ $(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR) echo -n "000" > $@ $(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) - $(CC) -o $@ $< -no-pie + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -no-pie clean: rm -rf $(BUILD_DIR) @@ -47,4 +50,4 @@ frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) -i $(TESTINSTR_DATA_DIR) \ -o $(FRIDA_OUT) \ -- \ - $(TESTINSTBIN) @@ \ No newline at end of file + $(TESTINSTBIN) @@ diff --git a/frida_mode/test/exe/Makefile b/frida_mode/test/exe/Makefile index f322d1f5..4bef1ccb 100644 --- a/frida_mode/test/exe/Makefile +++ b/frida_mode/test/exe/Makefile @@ -2,6 +2,10 @@ all: @echo trying to use GNU make... @gmake all || echo please install GNUmake +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + clean: @gmake clean @@ -9,4 +13,4 @@ qemu: @gmake qemu frida: - @gmake frida \ No newline at end of file + @gmake frida diff --git a/frida_mode/test/fasan/GNUmakefile b/frida_mode/test/fasan/GNUmakefile index 22689395..08b271de 100644 --- a/frida_mode/test/fasan/GNUmakefile +++ b/frida_mode/test/fasan/GNUmakefile @@ -42,7 +42,7 @@ ifeq "$(ARCH)" "x86" LIBASAN_FILE:=libclang_rt.asan-i386.so endif -ifeq "$(ARCH)" "x64" +ifeq "$(ARCH)" "x86_64" LIBASAN_FILE:=libclang_rt.asan-x86_64.so endif @@ -85,12 +85,15 @@ else endif -.PHONY: all clean format frida-noasan frida debug run +.PHONY: all 32 clean format frida-noasan frida debug run ############################## ALL ############################################# all: $(TEST_BIN) +32: + CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + $(TEST_BIN): $(TEST_SRC) GNUmakefile | $(BUILD_DIR) $(CC) \ $(CFLAGS) \ @@ -120,7 +123,7 @@ frida-noasan: $(TEST_BIN) $(TEST_DATA_FILE) frida: $(TEST_BIN) $(TEST_DATA_FILE) - AFL_PRELOAD=/usr/lib/llvm-10/lib/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.so \ + AFL_PRELOAD=$(LIBASAN) \ AFL_USE_FASAN=1 \ $(ROOT)afl-fuzz \ -D \ diff --git a/frida_mode/test/fasan/Makefile b/frida_mode/test/fasan/Makefile index a7bf44c7..3b4c71db 100644 --- a/frida_mode/test/fasan/Makefile +++ b/frida_mode/test/fasan/Makefile @@ -2,6 +2,10 @@ all: @echo trying to use GNU make... @gmake all || echo please install GNUmake +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + clean: @gmake clean @@ -15,4 +19,4 @@ debug: @gmake debug run: - @gmake run \ No newline at end of file + @gmake run diff --git a/frida_mode/test/fasan/test.c b/frida_mode/test/fasan/test.c index a7d03017..b9a119e6 100644 --- a/frida_mode/test/fasan/test.c +++ b/frida_mode/test/fasan/test.c @@ -5,6 +5,8 @@ #include #include +#define UNUSED_PARAMETER(x) (void)(x) + #define LOG(x) \ do { \ \ @@ -67,6 +69,9 @@ void test(char data) { int main(int argc, char **argv) { + UNUSED_PARAMETER(argc); + UNUSED_PARAMETER(argv); + char input = '\0'; if (read(STDIN_FILENO, &input, 1) < 0) { diff --git a/frida_mode/test/png/GNUmakefile b/frida_mode/test/png/GNUmakefile index 515728c4..e05bade2 100644 --- a/frida_mode/test/png/GNUmakefile +++ b/frida_mode/test/png/GNUmakefile @@ -35,6 +35,9 @@ FRIDA_OUT:=$(BUILD_DIR)frida-out all: $(TEST_BIN) make -C $(ROOT)frida_mode/ +32: + CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + $(BUILD_DIR): mkdir -p $@ @@ -46,7 +49,7 @@ $(HARNESS_FILE): | $(HARNESS_BUILD_DIR) wget -O $@ $(HARNESS_URL) $(HARNESS_OBJ): $(HARNESS_FILE) - $(CC) -o $@ -c $< + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ -c $< ######### PNGTEST ######## @@ -57,7 +60,7 @@ $(PNGTEST_FILE): | $(PNGTEST_BUILD_DIR) wget -O $@ $(PNGTEST_URL) $(PNGTEST_OBJ): $(PNGTEST_FILE) | $(LIBPNG_DIR) - $(CXX) -std=c++11 -I $(LIBPNG_DIR) -o $@ -c $< + $(CXX) $(CFLAGS) $(LDFLAGS) -std=c++11 -I $(LIBPNG_DIR) -o $@ -c $< ######### LIBPNG ######## @@ -80,6 +83,8 @@ $(LIBPNG_LIB): $(LIBPNG_MAKEFILE) $(TEST_BIN): $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) $(CXX) \ + $(CFLAGS) \ + $(LDFLAGS) \ -o $@ \ $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) \ -lz \ diff --git a/frida_mode/test/png/Makefile b/frida_mode/test/png/Makefile index f322d1f5..4bef1ccb 100644 --- a/frida_mode/test/png/Makefile +++ b/frida_mode/test/png/Makefile @@ -2,6 +2,10 @@ all: @echo trying to use GNU make... @gmake all || echo please install GNUmake +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + clean: @gmake clean @@ -9,4 +13,4 @@ qemu: @gmake qemu frida: - @gmake frida \ No newline at end of file + @gmake frida diff --git a/frida_mode/test/png/persistent/GNUmakefile b/frida_mode/test/png/persistent/GNUmakefile index 531f9bce..ca6f0ff2 100644 --- a/frida_mode/test/png/persistent/GNUmakefile +++ b/frida_mode/test/png/persistent/GNUmakefile @@ -8,6 +8,18 @@ TEST_DATA_DIR:=../build/libpng/libpng-1.2.56/contrib/pngsuite/ QEMU_OUT:=$(BUILD_DIR)qemu-out FRIDA_OUT:=$(BUILD_DIR)frida-out +ifndef ARCH + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + ARCH:=arm64 +endif + +ifeq "$(ARCH)" "i686" + ARCH:=x86 +endif +endif + AFL_QEMU_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s main -b 0x4000000000) ARCH=$(shell uname -m) @@ -19,11 +31,18 @@ ifeq "$(ARCH)" "x86_64" AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s main -b 0x0000555555554000) endif -.PHONY: all clean qemu qemu_entry frida frida_entry +ifeq "$(ARCH)" "x86" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s main -b 0x56555000) +endif + +.PHONY: all 32 clean qemu qemu_entry frida frida_entry all: make -C $(ROOT)frida_mode/test/png/ +32: + CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + $(BUILD_DIR): mkdir -p $@ @@ -76,4 +95,4 @@ frida_entry: | $(BUILD_DIR) $(TEST_BIN) @@ clean: - rm -rf $(BUILD_DIR) \ No newline at end of file + rm -rf $(BUILD_DIR) diff --git a/frida_mode/test/png/persistent/Makefile b/frida_mode/test/png/persistent/Makefile index 5fde63c2..cde0cf30 100644 --- a/frida_mode/test/png/persistent/Makefile +++ b/frida_mode/test/png/persistent/Makefile @@ -2,6 +2,10 @@ all: @echo trying to use GNU make... @gmake all || echo please install GNUmake +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + clean: @gmake clean @@ -15,4 +19,4 @@ frida: @gmake frida frida_entry: - @gmake frida_entry \ No newline at end of file + @gmake frida_entry diff --git a/frida_mode/test/png/persistent/get_symbol_addr.py b/frida_mode/test/png/persistent/get_symbol_addr.py index 6458c212..1c46e010 100755 --- a/frida_mode/test/png/persistent/get_symbol_addr.py +++ b/frida_mode/test/png/persistent/get_symbol_addr.py @@ -33,4 +33,4 @@ def main(): if __name__ == "__main__": ret = main() - exit(ret) \ No newline at end of file + exit(ret) diff --git a/frida_mode/test/png/persistent/hook/GNUmakefile b/frida_mode/test/png/persistent/hook/GNUmakefile index 4f55fe98..3eee4c2b 100644 --- a/frida_mode/test/png/persistent/hook/GNUmakefile +++ b/frida_mode/test/png/persistent/hook/GNUmakefile @@ -2,8 +2,16 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_DIR=$(ROOT)utils/aflpp_driver/ -AFLPP_DRIVER_HOOK_OBJ=$(AFLPP_DRIVER_HOOK_DIR)aflpp_qemu_driver_hook.so +AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c +AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so + +CFLAGS+=-O3 \ + -funroll-loops \ + -g \ + -fPIC \ + -funroll-loops \ + +LDFLAGS+=-shared \ TEST_BIN:=$(PWD)../../build/test TEST_DATA_DIR:=../../build/libpng/libpng-1.2.56/contrib/pngsuite/ @@ -12,9 +20,20 @@ AFLPP_DRIVER_DUMMY_INPUT:=$(BUILD_DIR)in QEMU_OUT:=$(BUILD_DIR)qemu-out FRIDA_OUT:=$(BUILD_DIR)frida-out -AFL_QEMU_PERSISTENT_ADDR=$(shell $(PWD)../get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x4000000000) +ifndef ARCH ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + ARCH:=arm64 +endif + +ifeq "$(ARCH)" "i686" + ARCH:=x86 +endif +endif + +AFL_QEMU_PERSISTENT_ADDR=$(shell $(PWD)../get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x4000000000) + ifeq "$(ARCH)" "aarch64" AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)../get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000aaaaaaaaa000) endif @@ -23,11 +42,18 @@ ifeq "$(ARCH)" "x86_64" AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)../get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000555555554000) endif -.PHONY: all clean qemu qemu_entry frida frida_entry +ifeq "$(ARCH)" "x86" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)../get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x56555000) +endif + +.PHONY: all 32 clean format qemu qemu_entry frida frida_entry debug -all: +all: $(AFLPP_DRIVER_HOOK_OBJ) make -C $(ROOT)frida_mode/test/png/persistent/ +32: + CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + $(BUILD_DIR): mkdir -p $@ @@ -37,8 +63,8 @@ $(TEST_DATA_DIR): | $(BUILD_DIR) $(AFLPP_DRIVER_DUMMY_INPUT): | $(BUILD_DIR) truncate -s 1M $@ -$(AFLPP_DRIVER_HOOK_OBJ): | $(AFLPP_DRIVER_HOOK_DIR) - make -C $(AFLPP_DRIVER_HOOK_DIR) +$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR) + $(CC) $(CFLAGS) $(LDFLAGS) $< -o $@ qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ @@ -93,6 +119,18 @@ frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) +debug: + echo $(AFL_FRIDA_PERSISTENT_ADDR) + gdb \ + --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ + --ex 'set environment AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ)' \ + --ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR)' \ + --ex 'set disassembly-flavor intel' \ + --args $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) + clean: rm -rf $(BUILD_DIR) +format: + cd $(ROOT) && echo $(AFLPP_DRIVER_HOOK_SRC) | xargs -L1 ./.custom-format.py -i + diff --git a/frida_mode/test/png/persistent/hook/Makefile b/frida_mode/test/png/persistent/hook/Makefile index 5fde63c2..983d009e 100644 --- a/frida_mode/test/png/persistent/hook/Makefile +++ b/frida_mode/test/png/persistent/hook/Makefile @@ -2,9 +2,16 @@ all: @echo trying to use GNU make... @gmake all || echo please install GNUmake +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + clean: @gmake clean +format: + @gmake format + qemu: @gmake qemu @@ -15,4 +22,7 @@ frida: @gmake frida frida_entry: - @gmake frida_entry \ No newline at end of file + @gmake frida_entry + +debug: + @gmake debug diff --git a/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c b/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c new file mode 100644 index 00000000..059d438d --- /dev/null +++ b/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c @@ -0,0 +1,97 @@ +#include +#include + +#if defined(__x86_64__) + +struct x86_64_regs { + + uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14, + r15; + + union { + + uint64_t rip; + uint64_t pc; + + }; + + union { + + uint64_t rsp; + uint64_t sp; + + }; + + union { + + uint64_t rflags; + uint64_t flags; + + }; + + uint8_t zmm_regs[32][64]; + +}; + +void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base, + uint8_t *input_buf, uint32_t input_buf_len) { + + memcpy((void *)regs->rdi, input_buf, input_buf_len); + regs->rsi = input_buf_len; + +} + +#elif defined(__i386__) + +struct x86_regs { + + uint32_t eax, ebx, ecx, edx, edi, esi, ebp; + + union { + + uint32_t eip; + uint32_t pc; + + }; + + union { + + uint32_t esp; + uint32_t sp; + + }; + + union { + + uint32_t eflags; + uint32_t flags; + + }; + + uint8_t xmm_regs[8][16]; + +}; + +void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base, + uint8_t *input_buf, uint32_t input_buf_len) { + + void **esp = (void **)regs->esp; + void * arg1 = esp[1]; + void **arg2 = &esp[2]; + memcpy(arg1, input_buf, input_buf_len); + *arg2 = (void *)input_buf_len; + +} + +#else + #pragma error "Unsupported architecture" +#endif + +int afl_persistent_hook_init(void) { + + // 1 for shared memory input (faster), 0 for normal input (you have to use + // read(), input_buf will be NULL) + return 1; + +} + diff --git a/frida_mode/test/testinstr/GNUmakefile b/frida_mode/test/testinstr/GNUmakefile index 4addbad8..a35073ab 100644 --- a/frida_mode/test/testinstr/GNUmakefile +++ b/frida_mode/test/testinstr/GNUmakefile @@ -10,11 +10,14 @@ TESTINSTSRC:=$(PWD)testinstr.c QEMU_OUT:=$(BUILD_DIR)qemu-out FRIDA_OUT:=$(BUILD_DIR)frida-out -.PHONY: all clean qemu frida +.PHONY: all 32 clean qemu frida all: $(TESTINSTBIN) make -C $(ROOT)frida_mode/ +32: + CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + $(BUILD_DIR): mkdir -p $@ @@ -25,7 +28,7 @@ $(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR) echo -n "000" > $@ $(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) - $(CC) -o $@ $< + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< clean: rm -rf $(BUILD_DIR) @@ -47,4 +50,10 @@ frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) -i $(TESTINSTR_DATA_DIR) \ -o $(FRIDA_OUT) \ -- \ - $(TESTINSTBIN) @@ \ No newline at end of file + $(TESTINSTBIN) @@ + +debug: + gdb \ + --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ + --ex 'set disassembly-flavor intel' \ + --args $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) diff --git a/frida_mode/test/testinstr/Makefile b/frida_mode/test/testinstr/Makefile index f322d1f5..f843af19 100644 --- a/frida_mode/test/testinstr/Makefile +++ b/frida_mode/test/testinstr/Makefile @@ -2,6 +2,10 @@ all: @echo trying to use GNU make... @gmake all || echo please install GNUmake +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + clean: @gmake clean @@ -9,4 +13,7 @@ qemu: @gmake qemu frida: - @gmake frida \ No newline at end of file + @gmake frida + +debug: + @gmake debug -- cgit 1.4.1 From 14178141dcdc1a81ea4f4461790ec87f60606985 Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Thu, 27 May 2021 09:49:34 +0100 Subject: Frida (#940) * Added re2 test * Added libpcap test * Fix validation of setting of ADDR_NO_RANDOMIZE * Added support for printing original and instrumented code Co-authored-by: Your Name --- frida_mode/include/instrument.h | 3 + frida_mode/include/util.h | 2 +- frida_mode/src/instrument/instrument.c | 45 +- frida_mode/src/instrument/instrument_debug.c | 128 +++ frida_mode/src/main.c | 3 +- frida_mode/src/ranges.c | 67 +- frida_mode/test/libpcap/GNUmakefile | 188 ++++ frida_mode/test/libpcap/Makefile | 1143 ++++++++++++++++++++++ frida_mode/test/libpcap/aflpp_qemu_driver_hook.c | 97 ++ frida_mode/test/libpcap/get_symbol_addr.py | 36 + frida_mode/test/re2/GNUmakefile | 170 ++++ frida_mode/test/re2/Makefile | 22 + frida_mode/test/re2/aflpp_qemu_driver_hook.c | 97 ++ frida_mode/test/re2/get_symbol_addr.py | 36 + 14 files changed, 2014 insertions(+), 23 deletions(-) create mode 100644 frida_mode/src/instrument/instrument_debug.c create mode 100644 frida_mode/test/libpcap/GNUmakefile create mode 100644 frida_mode/test/libpcap/Makefile create mode 100644 frida_mode/test/libpcap/aflpp_qemu_driver_hook.c create mode 100755 frida_mode/test/libpcap/get_symbol_addr.py create mode 100644 frida_mode/test/re2/GNUmakefile create mode 100644 frida_mode/test/re2/Makefile create mode 100644 frida_mode/test/re2/aflpp_qemu_driver_hook.c create mode 100755 frida_mode/test/re2/get_symbol_addr.py (limited to 'frida_mode/include') diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index 03fd33e5..75ee6396 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -19,5 +19,8 @@ gboolean instrument_is_coverage_optimize_supported(void); void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output); +void instrument_debug_start(uint64_t address, GumStalkerOutput *output); +void instrument_debug_instruction(uint64_t address, uint16_t size); +void instrument_debug_end(GumStalkerOutput *output); #endif diff --git a/frida_mode/include/util.h b/frida_mode/include/util.h index afd0b9c1..7b443b5e 100644 --- a/frida_mode/include/util.h +++ b/frida_mode/include/util.h @@ -4,7 +4,7 @@ #include "frida-gum.h" #define UNUSED_PARAMETER(x) (void)(x) -#define IGNORED_RERURN(x) (void)!(x) +#define IGNORED_RETURN(x) (void)!(x) guint64 util_read_address(char *key); diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 67eadc3f..f21849a6 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -47,7 +47,7 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context, "x, previous_pc: 0x%016" G_GINT64_MODIFIER "x\n", current_pc, previous_pc); - IGNORED_RERURN(write(STDOUT_FILENO, buffer, len + 1)); + IGNORED_RETURN(write(STDOUT_FILENO, buffer, len + 1)); } @@ -79,17 +79,48 @@ static void instr_basic_block(GumStalkerIterator *iterator, const cs_insn *instr; gboolean begin = TRUE; + gboolean excluded; + while (gum_stalker_iterator_next(iterator, &instr)) { if (instr->address == entry_start) { entry_prologue(iterator, output); } if (instr->address == persistent_start) { persistent_prologue(output); } - if (begin) { + /* + * Until we reach AFL_ENTRYPOINT (assumed to be main if not specified) or + * AFL_FRIDA_PERSISTENT_ADDR (if specified), we don't mark our ranges + * excluded as we wish to remain inside stalker at all times so that we can + * instrument our entry point and persistent loop (if present). This allows + * the user to exclude ranges which would be traversed between main and the + * AFL_ENTRYPOINT, but which they don't want included in their coverage + * information when fuzzing. + * + * Since we have no means to discard the instrumented copies of blocks + * (setting the trust threshold simply causes a new copy to be made on each + * execution), we instead ensure that we honour the additional + * instrumentation requested (e.g. coverage, asan and complog) when a block + * is compiled no matter where we are during initialization. We will end up + * re-using these blocks if the code under test calls a block which is also + * used during initialization. + * + * Coverage data generated during initialization isn't a problem since the + * map is zeroed each time the target is forked or each time the persistent + * loop is run. + * + * Lastly, we don't enable pre-fetching back to the parent until we reach + * our AFL_ENTRYPOINT, since it is not until then that we start the + * fork-server and thus start executing in the child. + */ + excluded = range_is_excluded(GSIZE_TO_POINTER(instr->address)); + if (unlikely(begin)) { + + instrument_debug_start(instr->address, output); prefetch_write(GSIZE_TO_POINTER(instr->address)); - if (!range_is_excluded(GSIZE_TO_POINTER(instr->address))) { - if (optimize) { + if (likely(!excluded)) { + + if (likely(optimize)) { instrument_coverage_optimize(instr, output); @@ -106,7 +137,9 @@ static void instr_basic_block(GumStalkerIterator *iterator, } - if (!range_is_excluded(GSIZE_TO_POINTER(instr->address))) { + instrument_debug_instruction(instr->address, instr->size); + + if (likely(!excluded)) { asan_instrument(instr, iterator); cmplog_instrument(instr, iterator); @@ -117,6 +150,8 @@ static void instr_basic_block(GumStalkerIterator *iterator, } + instrument_debug_end(output); + } void instrument_init(void) { diff --git a/frida_mode/src/instrument/instrument_debug.c b/frida_mode/src/instrument/instrument_debug.c new file mode 100644 index 00000000..3a554ad0 --- /dev/null +++ b/frida_mode/src/instrument/instrument_debug.c @@ -0,0 +1,128 @@ +#include +#include +#include + +#include "frida-gum.h" + +#include "util.h" + +#ifdef FRIDA_DEBUG + +static gpointer instrument_gen_start = NULL; + +static void instrument_debug(char *format, ...) { + + va_list ap; + char buffer[4096] = {0}; + + va_start(ap, format); + + vsnprintf(buffer, sizeof(buffer) - 1, format, ap); + va_end(ap); + + IGNORED_RETURN(write(STDOUT_FILENO, buffer, sizeof(buffer))); + +} + +static void instrument_disasm(guint8 *code, guint size) { + + csh capstone; + cs_err err; + cs_insn *insn; + size_t count, i; + + err = cs_open(GUM_DEFAULT_CS_ARCH, + GUM_DEFAULT_CS_MODE | GUM_DEFAULT_CS_ENDIAN, &capstone); + g_assert(err == CS_ERR_OK); + + count = cs_disasm(capstone, code, size, GPOINTER_TO_SIZE(code), 0, &insn); + g_assert(insn != NULL); + + for (i = 0; i != count; i++) { + + instrument_debug("\t0x%" G_GINT64_MODIFIER "x\t%s %s\n", insn[i].address, + insn[i].mnemonic, insn[i].op_str); + + } + + cs_free(insn, count); + + cs_close(&capstone); + +} + +static gpointer instrument_cur(GumStalkerOutput *output) { + + #if defined(__i386__) || defined(__x86_64__) + return gum_x86_writer_cur(output->writer.x86); + #elif defined(__aarch64__) + return gum_arm64_writer_cur(output->writer.arm64); + #elif defined(__arm__) + return gum_arm_writer_cur(output->writer.arm); + #else + #error "Unsupported architecture" + #endif + +} + +void instrument_debug_start(uint64_t address, GumStalkerOutput *output) { + + GumDebugSymbolDetails details; + + instrument_gen_start = instrument_cur(output); + + if (gum_symbol_details_from_address(GSIZE_TO_POINTER(address), &details)) { + + instrument_debug("\n\n***\n\nCreating block for 0x%" G_GINT64_MODIFIER + "x (%s!%s):\n", + address, details.module_name, details.symbol_name); + + } else { + + instrument_debug( + "\n\n***\n\nCreating block for 0x%" G_GINT64_MODIFIER "x:\n", address); + + } + +} + +void instrument_debug_instruction(uint64_t address, uint16_t size) { + + uint8_t *start = (uint8_t *)GSIZE_TO_POINTER(address); + instrument_disasm(start, size); + +} + +void instrument_debug_end(GumStalkerOutput *output) { + + gpointer instrument_gen_end = instrument_cur(output); + uint16_t size = GPOINTER_TO_SIZE(instrument_gen_end) - + GPOINTER_TO_SIZE(instrument_gen_start); + + instrument_debug("\nGenerated block %p\n", instrument_gen_start); + instrument_disasm(instrument_gen_start, size); + +} + +#else +void instrument_debug_start(void *address) { + + UNUSED_PARAMETER(address); + +} + +void instrument_debug_instruction(uint64_t address, uint16_t size) { + + UNUSED_PARAMETER(address); + UNUSED_PARAMETER(size); + +} + +void instrument_debug_end(GumStalkerOutput *output) { + + UNUSED_PARAMETER(output); + +} + +#endif + diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index 21073cbe..e8015905 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -1,3 +1,4 @@ +#include #include #include @@ -58,10 +59,10 @@ static void on_main_os(int argc, char **argv, char **envp) { static void on_main_os(int argc, char **argv, char **envp) { UNUSED_PARAMETER(argc); - /* Personality doesn't affect the current process, it only takes effect on * evec */ int persona = personality(ADDR_NO_RANDOMIZE); + if (persona == -1) { WARNF("Failed to set ADDR_NO_RANDOMIZE: %d", errno); } if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); } GumInterceptor *interceptor = gum_interceptor_obtain(); diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c index e3f09f9e..aa140708 100644 --- a/frida_mode/src/ranges.c +++ b/frida_mode/src/ranges.c @@ -480,15 +480,40 @@ static GArray *merge_ranges(GArray *a) { } +static gboolean exclude_ranges_callback(const GumRangeDetails *details, + gpointer user_data) { + + UNUSED_PARAMETER(user_data); + gchar * name; + gboolean found; + GumStalker *stalker; + if (details->file == NULL) { return TRUE; } + name = g_path_get_basename(details->file->path); + + found = (g_strcmp0(name, "afl-frida-trace.so") == 0); + g_free(name); + if (!found) { return TRUE; } + + stalker = stalker_get(); + gum_stalker_exclude(stalker, details->range); + + return FALSE; + +} + +static void ranges_exclude_self(void) { + + gum_process_enumerate_ranges(GUM_PAGE_EXECUTE, exclude_ranges_callback, NULL); + +} + void ranges_init(void) { - GumMemoryRange ri; - GArray * step1; - GArray * step2; - GArray * step3; - GArray * step4; - GumMemoryRange *r; - GumStalker * stalker; + GumMemoryRange ri; + GArray * step1; + GArray * step2; + GArray * step3; + GArray * step4; if (getenv("AFL_FRIDA_DEBUG_MAPS") != NULL) { @@ -535,20 +560,14 @@ void ranges_init(void) { ranges = merge_ranges(step4); print_ranges("final", ranges); - stalker = stalker_get(); - - for (guint i = 0; i < ranges->len; i++) { - - r = &g_array_index(ranges, GumMemoryRange, i); - gum_stalker_exclude(stalker, r); - - } - g_array_free(step4, TRUE); g_array_free(step3, TRUE); g_array_free(step2, TRUE); g_array_free(step1, TRUE); + /* *NEVER* stalk the stalker, only bad things will ever come of this! */ + ranges_exclude_self(); + } gboolean range_is_excluded(gpointer address) { @@ -572,3 +591,19 @@ gboolean range_is_excluded(gpointer address) { } +void ranges_exclude() { + + GumMemoryRange *r; + GumStalker * stalker = stalker_get(); + + OKF("Excluding ranges"); + + for (guint i = 0; i < ranges->len; i++) { + + r = &g_array_index(ranges, GumMemoryRange, i); + gum_stalker_exclude(stalker, r); + + } + +} + diff --git a/frida_mode/test/libpcap/GNUmakefile b/frida_mode/test/libpcap/GNUmakefile new file mode 100644 index 00000000..e30f2049 --- /dev/null +++ b/frida_mode/test/libpcap/GNUmakefile @@ -0,0 +1,188 @@ +PWD:=$(shell pwd)/ +ROOT:=$(shell realpath $(PWD)../../..)/ +BUILD_DIR:=$(PWD)build/ + +AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c +AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so + +LIBPCAP_BUILD_DIR:=$(BUILD_DIR)libpcap/ +HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ +PCAPTEST_BUILD_DIR:=$(BUILD_DIR)libpcaptest/ +TCPDUMP_BUILD_DIR:=$(BUILD_DIR)tcpdump/ + +LIBPCAP_PATCH_URL:=https://raw.githubusercontent.com/google/fuzzbench/master/benchmarks/libpcap_fuzz_both/patch.diff +LIBPCAP_PATCH_FILE:=$(LIBPCAP_BUILD_DIR)patch.diff +LIBPCAP_URL:=https://github.com/the-tcpdump-group/libpcap.git +LIBPCAP_DIR:=$(LIBPCAP_BUILD_DIR)libpcap/ +LIBPCAP_CMAKEFILE:=$(LIBPCAP_DIR)CMakeLists.txt +LIBPCAP_MAKEFILE:=$(LIBPCAP_DIR)Makefile +LIBPCAP_LIB:=$(LIBPCAP_DIR)libpcap.a + +HARNESS_FILE:=$(HARNESS_BUILD_DIR)StandaloneFuzzTargetMain.c +HARNESS_OBJ:=$(HARNESS_BUILD_DIR)StandaloneFuzzTargetMain.o +HARNESS_URL:="https://raw.githubusercontent.com/llvm/llvm-project/main/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c" + +PCAPTEST_SRC_DIR:=$(LIBPCAP_DIR)testprogs/fuzz/ +PCAPTEST_FILE:=$(PCAPTEST_SRC_DIR)fuzz_both.c +PCAPTEST_OBJ:=$(PCAPTEST_BUILD_DIR)fuzz_both.o + +TCPDUMP_URL:=https://github.com/the-tcpdump-group/tcpdump.git +TCPDUMP_TESTS_DIR:=$(TCPDUMP_BUILD_DIR)tests/ + +CFLAGS += -fpermissive + +LDFLAGS += -lpthread + +TEST_BIN:=$(BUILD_DIR)test +ifeq "$(shell uname)" "Darwin" +TEST_BIN_LDFLAGS:=-undefined dynamic_lookup +endif + +AFLPP_DRIVER_DUMMY_INPUT:=$(TCPDUMP_TESTS_DIR)in + +QEMU_OUT:=$(BUILD_DIR)qemu-out +FRIDA_OUT:=$(BUILD_DIR)frida-out + +ifndef ARCH + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + ARCH:=arm64 +endif + +ifeq "$(ARCH)" "i686" + ARCH:=x86 +endif +endif + +AFL_QEMU_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x4000000000) + +ifeq "$(ARCH)" "aarch64" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000aaaaaaaaa000) +endif + +ifeq "$(ARCH)" "x86_64" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000555555554000) +endif + +ifeq "$(ARCH)" "x86" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x56555000) +endif + +.PHONY: all clean qemu frida hook + +all: $(TEST_BIN) + make -C $(ROOT)frida_mode/ + +32: + CXXFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + +$(BUILD_DIR): + mkdir -p $@ + +######### HARNESS ######## +$(HARNESS_BUILD_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(HARNESS_FILE): | $(HARNESS_BUILD_DIR) + wget -O $@ $(HARNESS_URL) + +$(HARNESS_OBJ): $(HARNESS_FILE) + $(CC) $(CXXFLAGS) $(LDFLAGS) -o $@ -c $< + +######### PCAPTEST ######## + +$(PCAPTEST_BUILD_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(PCAPTEST_FILE): | $(LIBPCAP_CMAKEFILE) + +$(PCAPTEST_OBJ): $(PCAPTEST_FILE) | $(PCAPTEST_BUILD_DIR) + $(CC) $(CFLAGS) $(LDFLAGS) -I $(LIBPCAP_DIR) -o $@ -c $< + +######### LIBPCAP ######## + +$(LIBPCAP_BUILD_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(LIBPCAP_PATCH_FILE): | $(LIBPCAP_BUILD_DIR) + wget -O $@ $(LIBPCAP_PATCH_URL) + +$(LIBPCAP_CMAKEFILE): $(LIBPCAP_PATCH_FILE) | $(LIBPCAP_BUILD_DIR) + git clone --depth 1 $(LIBPCAP_URL) $(LIBPCAP_DIR) + git apply $(LIBPCAP_PATCH_FILE) + +$(LIBPCAP_MAKEFILE): $(LIBPCAP_CMAKEFILE) + cd $(LIBPCAP_DIR) && cmake . + +$(LIBPCAP_LIB): $(LIBPCAP_MAKEFILE) $(LIBPCAP_PATCH_FILE) + make -C $(LIBPCAP_DIR) + +######## TCPDUMP ###### + +$(TCPDUMP_BUILD_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(TCPDUMP_TESTS_DIR): | $(TCPDUMP_BUILD_DIR) + git clone --depth=1 $(TCPDUMP_URL) $(TCPDUMP_BUILD_DIR) + +######### TEST ######## + +$(TEST_BIN): $(HARNESS_OBJ) $(PCAPTEST_OBJ) $(LIBPCAP_LIB) + $(CXX) \ + $(CFLAGS) \ + -o $@ \ + $(HARNESS_OBJ) $(PCAPTEST_OBJ) $(LIBPCAP_LIB) \ + -lz \ + $(LDFLAGS) \ + $(TEST_BIN_LDFLAGS) \ + +########## HOOK ######## + +$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR) + $(CC) -shared $(CFLAGS) $(LDFLAGS) $< -o $@ + +########## DUMMY ####### + +$(AFLPP_DRIVER_DUMMY_INPUT): | $(TCPDUMP_TESTS_DIR) + truncate -s 1M $@ + +###### TEST DATA ####### + +hook: $(AFLPP_DRIVER_HOOK_OBJ) + +clean: + rm -rf $(BUILD_DIR) + +qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR) + AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ + AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \ + AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ + AFL_QEMU_PERSISTENT_GPR=1 \ + $(ROOT)afl-fuzz \ + -D \ + -V 30 \ + -Q \ + -i $(TCPDUMP_TESTS_DIR) \ + -o $(QEMU_OUT) \ + -- \ + $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) + +frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR) + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ + AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ + AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ + $(ROOT)afl-fuzz \ + -D \ + -V 30 \ + -O \ + -i $(TCPDUMP_TESTS_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) + +debug: + gdb \ + --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ + --ex 'set disassembly-flavor intel' \ + --args $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) diff --git a/frida_mode/test/libpcap/Makefile b/frida_mode/test/libpcap/Makefile new file mode 100644 index 00000000..31cacb67 --- /dev/null +++ b/frida_mode/test/libpcap/Makefile @@ -0,0 +1,1143 @@ +# CMAKE generated file: DO NOT EDIT! +# Generated by "Unix Makefiles" Generator, CMake Version 3.16 + +# Default target executed when no arguments are given to make. +default_target: all + +.PHONY : default_target + +# Allow only one "make -f Makefile2" at a time, but pass parallelism. +.NOTPARALLEL: + + +#============================================================================= +# Special targets provided by cmake. + +# Disable implicit rules so canonical targets will work. +.SUFFIXES: + + +# Remove some rules from gmake that .SUFFIXES does not remove. +SUFFIXES = + +.SUFFIXES: .hpux_make_needs_suffix_list + + +# Suppress display of executed commands. +$(VERBOSE).SILENT: + + +# A target that is always out of date. +cmake_force: + +.PHONY : cmake_force + +#============================================================================= +# Set environment variables for the build. + +# The shell in which to execute make rules. +SHELL = /bin/sh + +# The CMake executable. +CMAKE_COMMAND = /usr/bin/cmake + +# The command to remove a file. +RM = /usr/bin/cmake -E remove -f + +# Escaping for special characters. +EQUALS = = + +# The top-level source directory on which CMake was run. +CMAKE_SOURCE_DIR = /home/jon/git/AFLplusplus/frida_mode/test/libpcap/build/libpcap/libpcap + +# The top-level build directory on which CMake was run. +CMAKE_BINARY_DIR = /home/jon/git/AFLplusplus/frida_mode/test/libpcap + +#============================================================================= +# Targets provided globally by CMake. + +# Special rule for the target install/strip +install/strip: preinstall + @$(CMAKE_COMMAND) -E cmake_echo_color --switch=$(COLOR) --cyan "Installing the project stripped..." + /usr/bin/cmake -DCMAKE_INSTALL_DO_STRIP=1 -P cmake_install.cmake +.PHONY : install/strip + +# Special rule for the target install/strip +install/strip/fast: preinstall/fast + @$(CMAKE_COMMAND) -E cmake_echo_color --switch=$(COLOR) --cyan "Installing the project stripped..." + /usr/bin/cmake -DCMAKE_INSTALL_DO_STRIP=1 -P cmake_install.cmake +.PHONY : install/strip/fast + +# Special rule for the target install/local +install/local: preinstall + @$(CMAKE_COMMAND) -E cmake_echo_color --switch=$(COLOR) --cyan "Installing only the local directory..." + /usr/bin/cmake -DCMAKE_INSTALL_LOCAL_ONLY=1 -P cmake_install.cmake +.PHONY : install/local + +# Special rule for the target install/local +install/local/fast: preinstall/fast + @$(CMAKE_COMMAND) -E cmake_echo_color --switch=$(COLOR) --cyan "Installing only the local directory..." + /usr/bin/cmake -DCMAKE_INSTALL_LOCAL_ONLY=1 -P cmake_install.cmake +.PHONY : install/local/fast + +# Special rule for the target install +install: preinstall + @$(CMAKE_COMMAND) -E cmake_echo_color --switch=$(COLOR) --cyan "Install the project..." + /usr/bin/cmake -P cmake_install.cmake +.PHONY : install + +# Special rule for the target install +install/fast: preinstall/fast + @$(CMAKE_COMMAND) -E cmake_echo_color --switch=$(COLOR) --cyan "Install the project..." + /usr/bin/cmake -P cmake_install.cmake +.PHONY : install/fast + +# Special rule for the target list_install_components +list_install_components: + @$(CMAKE_COMMAND) -E cmake_echo_color --switch=$(COLOR) --cyan "Available install components are: \"Unspecified\"" +.PHONY : list_install_components + +# Special rule for the target list_install_components +list_install_components/fast: list_install_components + +.PHONY : list_install_components/fast + +# Special rule for the target rebuild_cache +rebuild_cache: + @$(CMAKE_COMMAND) -E cmake_echo_color --switch=$(COLOR) --cyan "Running CMake to regenerate build system..." + /usr/bin/cmake -S$(CMAKE_SOURCE_DIR) -B$(CMAKE_BINARY_DIR) +.PHONY : rebuild_cache + +# Special rule for the target rebuild_cache +rebuild_cache/fast: rebuild_cache + +.PHONY : rebuild_cache/fast + +# Special rule for the target edit_cache +edit_cache: + @$(CMAKE_COMMAND) -E cmake_echo_color --switch=$(COLOR) --cyan "No interactive CMake dialog available..." + /usr/bin/cmake -E echo No\ interactive\ CMake\ dialog\ available. +.PHONY : edit_cache + +# Special rule for the target edit_cache +edit_cache/fast: edit_cache + +.PHONY : edit_cache/fast + +# The main all target +all: cmake_check_build_system + $(CMAKE_COMMAND) -E cmake_progress_start /home/jon/git/AFLplusplus/frida_mode/test/libpcap/CMakeFiles /home/jon/git/AFLplusplus/frida_mode/test/libpcap/CMakeFiles/progress.marks + $(MAKE) -f CMakeFiles/Makefile2 all + $(CMAKE_COMMAND) -E cmake_progress_start /home/jon/git/AFLplusplus/frida_mode/test/libpcap/CMakeFiles 0 +.PHONY : all + +# The main clean target +clean: + $(MAKE) -f CMakeFiles/Makefile2 clean +.PHONY : clean + +# The main clean target +clean/fast: clean + +.PHONY : clean/fast + +# Prepare targets for installation. +preinstall: all + $(MAKE) -f CMakeFiles/Makefile2 preinstall +.PHONY : preinstall + +# Prepare targets for installation. +preinstall/fast: + $(MAKE) -f CMakeFiles/Makefile2 preinstall +.PHONY : preinstall/fast + +# clear depends +depend: + $(CMAKE_COMMAND) -S$(CMAKE_SOURCE_DIR) -B$(CMAKE_BINARY_DIR) --check-build-system CMakeFiles/Makefile.cmake 1 +.PHONY : depend + +#============================================================================= +# Target rules for targets named pcap + +# Build rule for target. +pcap: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 pcap +.PHONY : pcap + +# fast build rule for target. +pcap/fast: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/build +.PHONY : pcap/fast + +#============================================================================= +# Target rules for targets named uninstall + +# Build rule for target. +uninstall: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 uninstall +.PHONY : uninstall + +# fast build rule for target. +uninstall/fast: + $(MAKE) -f CMakeFiles/uninstall.dir/build.make CMakeFiles/uninstall.dir/build +.PHONY : uninstall/fast + +#============================================================================= +# Target rules for targets named pcap_static + +# Build rule for target. +pcap_static: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 pcap_static +.PHONY : pcap_static + +# fast build rule for target. +pcap_static/fast: + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/build +.PHONY : pcap_static/fast + +#============================================================================= +# Target rules for targets named SerializeTarget + +# Build rule for target. +SerializeTarget: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 SerializeTarget +.PHONY : SerializeTarget + +# fast build rule for target. +SerializeTarget/fast: + $(MAKE) -f CMakeFiles/SerializeTarget.dir/build.make CMakeFiles/SerializeTarget.dir/build +.PHONY : SerializeTarget/fast + +#============================================================================= +# Target rules for targets named testprogs + +# Build rule for target. +testprogs: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 testprogs +.PHONY : testprogs + +# fast build rule for target. +testprogs/fast: + $(MAKE) -f testprogs/CMakeFiles/testprogs.dir/build.make testprogs/CMakeFiles/testprogs.dir/build +.PHONY : testprogs/fast + +#============================================================================= +# Target rules for targets named capturetest + +# Build rule for target. +capturetest: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 capturetest +.PHONY : capturetest + +# fast build rule for target. +capturetest/fast: + $(MAKE) -f testprogs/CMakeFiles/capturetest.dir/build.make testprogs/CMakeFiles/capturetest.dir/build +.PHONY : capturetest/fast + +#============================================================================= +# Target rules for targets named findalldevstest + +# Build rule for target. +findalldevstest: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 findalldevstest +.PHONY : findalldevstest + +# fast build rule for target. +findalldevstest/fast: + $(MAKE) -f testprogs/CMakeFiles/findalldevstest.dir/build.make testprogs/CMakeFiles/findalldevstest.dir/build +.PHONY : findalldevstest/fast + +#============================================================================= +# Target rules for targets named filtertest + +# Build rule for target. +filtertest: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 filtertest +.PHONY : filtertest + +# fast build rule for target. +filtertest/fast: + $(MAKE) -f testprogs/CMakeFiles/filtertest.dir/build.make testprogs/CMakeFiles/filtertest.dir/build +.PHONY : filtertest/fast + +#============================================================================= +# Target rules for targets named findalldevstest-perf + +# Build rule for target. +findalldevstest-perf: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 findalldevstest-perf +.PHONY : findalldevstest-perf + +# fast build rule for target. +findalldevstest-perf/fast: + $(MAKE) -f testprogs/CMakeFiles/findalldevstest-perf.dir/build.make testprogs/CMakeFiles/findalldevstest-perf.dir/build +.PHONY : findalldevstest-perf/fast + +#============================================================================= +# Target rules for targets named can_set_rfmon_test + +# Build rule for target. +can_set_rfmon_test: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 can_set_rfmon_test +.PHONY : can_set_rfmon_test + +# fast build rule for target. +can_set_rfmon_test/fast: + $(MAKE) -f testprogs/CMakeFiles/can_set_rfmon_test.dir/build.make testprogs/CMakeFiles/can_set_rfmon_test.dir/build +.PHONY : can_set_rfmon_test/fast + +#============================================================================= +# Target rules for targets named opentest + +# Build rule for target. +opentest: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 opentest +.PHONY : opentest + +# fast build rule for target. +opentest/fast: + $(MAKE) -f testprogs/CMakeFiles/opentest.dir/build.make testprogs/CMakeFiles/opentest.dir/build +.PHONY : opentest/fast + +#============================================================================= +# Target rules for targets named reactivatetest + +# Build rule for target. +reactivatetest: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 reactivatetest +.PHONY : reactivatetest + +# fast build rule for target. +reactivatetest/fast: + $(MAKE) -f testprogs/CMakeFiles/reactivatetest.dir/build.make testprogs/CMakeFiles/reactivatetest.dir/build +.PHONY : reactivatetest/fast + +#============================================================================= +# Target rules for targets named writecaptest + +# Build rule for target. +writecaptest: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 writecaptest +.PHONY : writecaptest + +# fast build rule for target. +writecaptest/fast: + $(MAKE) -f testprogs/CMakeFiles/writecaptest.dir/build.make testprogs/CMakeFiles/writecaptest.dir/build +.PHONY : writecaptest/fast + +#============================================================================= +# Target rules for targets named selpolltest + +# Build rule for target. +selpolltest: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 selpolltest +.PHONY : selpolltest + +# fast build rule for target. +selpolltest/fast: + $(MAKE) -f testprogs/CMakeFiles/selpolltest.dir/build.make testprogs/CMakeFiles/selpolltest.dir/build +.PHONY : selpolltest/fast + +#============================================================================= +# Target rules for targets named threadsignaltest + +# Build rule for target. +threadsignaltest: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 threadsignaltest +.PHONY : threadsignaltest + +# fast build rule for target. +threadsignaltest/fast: + $(MAKE) -f testprogs/CMakeFiles/threadsignaltest.dir/build.make testprogs/CMakeFiles/threadsignaltest.dir/build +.PHONY : threadsignaltest/fast + +#============================================================================= +# Target rules for targets named valgrindtest + +# Build rule for target. +valgrindtest: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 valgrindtest +.PHONY : valgrindtest + +# fast build rule for target. +valgrindtest/fast: + $(MAKE) -f testprogs/CMakeFiles/valgrindtest.dir/build.make testprogs/CMakeFiles/valgrindtest.dir/build +.PHONY : valgrindtest/fast + +#============================================================================= +# Target rules for targets named fuzz_both + +# Build rule for target. +fuzz_both: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 fuzz_both +.PHONY : fuzz_both + +# fast build rule for target. +fuzz_both/fast: + $(MAKE) -f testprogs/fuzz/CMakeFiles/fuzz_both.dir/build.make testprogs/fuzz/CMakeFiles/fuzz_both.dir/build +.PHONY : fuzz_both/fast + +#============================================================================= +# Target rules for targets named fuzz_filter + +# Build rule for target. +fuzz_filter: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 fuzz_filter +.PHONY : fuzz_filter + +# fast build rule for target. +fuzz_filter/fast: + $(MAKE) -f testprogs/fuzz/CMakeFiles/fuzz_filter.dir/build.make testprogs/fuzz/CMakeFiles/fuzz_filter.dir/build +.PHONY : fuzz_filter/fast + +#============================================================================= +# Target rules for targets named fuzz_pcap + +# Build rule for target. +fuzz_pcap: cmake_check_build_system + $(MAKE) -f CMakeFiles/Makefile2 fuzz_pcap +.PHONY : fuzz_pcap + +# fast build rule for target. +fuzz_pcap/fast: + $(MAKE) -f testprogs/fuzz/CMakeFiles/fuzz_pcap.dir/build.make testprogs/fuzz/CMakeFiles/fuzz_pcap.dir/build +.PHONY : fuzz_pcap/fast + +bpf_dump.o: bpf_dump.c.o + +.PHONY : bpf_dump.o + +# target to build an object file +bpf_dump.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/bpf_dump.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/bpf_dump.c.o +.PHONY : bpf_dump.c.o + +bpf_dump.i: bpf_dump.c.i + +.PHONY : bpf_dump.i + +# target to preprocess a source file +bpf_dump.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/bpf_dump.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/bpf_dump.c.i +.PHONY : bpf_dump.c.i + +bpf_dump.s: bpf_dump.c.s + +.PHONY : bpf_dump.s + +# target to generate assembly for a file +bpf_dump.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/bpf_dump.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/bpf_dump.c.s +.PHONY : bpf_dump.c.s + +bpf_filter.o: bpf_filter.c.o + +.PHONY : bpf_filter.o + +# target to build an object file +bpf_filter.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/bpf_filter.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/bpf_filter.c.o +.PHONY : bpf_filter.c.o + +bpf_filter.i: bpf_filter.c.i + +.PHONY : bpf_filter.i + +# target to preprocess a source file +bpf_filter.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/bpf_filter.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/bpf_filter.c.i +.PHONY : bpf_filter.c.i + +bpf_filter.s: bpf_filter.c.s + +.PHONY : bpf_filter.s + +# target to generate assembly for a file +bpf_filter.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/bpf_filter.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/bpf_filter.c.s +.PHONY : bpf_filter.c.s + +bpf_image.o: bpf_image.c.o + +.PHONY : bpf_image.o + +# target to build an object file +bpf_image.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/bpf_image.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/bpf_image.c.o +.PHONY : bpf_image.c.o + +bpf_image.i: bpf_image.c.i + +.PHONY : bpf_image.i + +# target to preprocess a source file +bpf_image.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/bpf_image.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/bpf_image.c.i +.PHONY : bpf_image.c.i + +bpf_image.s: bpf_image.c.s + +.PHONY : bpf_image.s + +# target to generate assembly for a file +bpf_image.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/bpf_image.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/bpf_image.c.s +.PHONY : bpf_image.c.s + +etherent.o: etherent.c.o + +.PHONY : etherent.o + +# target to build an object file +etherent.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/etherent.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/etherent.c.o +.PHONY : etherent.c.o + +etherent.i: etherent.c.i + +.PHONY : etherent.i + +# target to preprocess a source file +etherent.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/etherent.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/etherent.c.i +.PHONY : etherent.c.i + +etherent.s: etherent.c.s + +.PHONY : etherent.s + +# target to generate assembly for a file +etherent.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/etherent.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/etherent.c.s +.PHONY : etherent.c.s + +fad-getad.o: fad-getad.c.o + +.PHONY : fad-getad.o + +# target to build an object file +fad-getad.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/fad-getad.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/fad-getad.c.o +.PHONY : fad-getad.c.o + +fad-getad.i: fad-getad.c.i + +.PHONY : fad-getad.i + +# target to preprocess a source file +fad-getad.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/fad-getad.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/fad-getad.c.i +.PHONY : fad-getad.c.i + +fad-getad.s: fad-getad.c.s + +.PHONY : fad-getad.s + +# target to generate assembly for a file +fad-getad.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/fad-getad.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/fad-getad.c.s +.PHONY : fad-getad.c.s + +fmtutils.o: fmtutils.c.o + +.PHONY : fmtutils.o + +# target to build an object file +fmtutils.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/fmtutils.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/fmtutils.c.o +.PHONY : fmtutils.c.o + +fmtutils.i: fmtutils.c.i + +.PHONY : fmtutils.i + +# target to preprocess a source file +fmtutils.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/fmtutils.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/fmtutils.c.i +.PHONY : fmtutils.c.i + +fmtutils.s: fmtutils.c.s + +.PHONY : fmtutils.s + +# target to generate assembly for a file +fmtutils.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/fmtutils.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/fmtutils.c.s +.PHONY : fmtutils.c.s + +gencode.o: gencode.c.o + +.PHONY : gencode.o + +# target to build an object file +gencode.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/gencode.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/gencode.c.o +.PHONY : gencode.c.o + +gencode.i: gencode.c.i + +.PHONY : gencode.i + +# target to preprocess a source file +gencode.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/gencode.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/gencode.c.i +.PHONY : gencode.c.i + +gencode.s: gencode.c.s + +.PHONY : gencode.s + +# target to generate assembly for a file +gencode.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/gencode.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/gencode.c.s +.PHONY : gencode.c.s + +grammar.o: grammar.c.o + +.PHONY : grammar.o + +# target to build an object file +grammar.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/grammar.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/grammar.c.o +.PHONY : grammar.c.o + +grammar.i: grammar.c.i + +.PHONY : grammar.i + +# target to preprocess a source file +grammar.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/grammar.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/grammar.c.i +.PHONY : grammar.c.i + +grammar.s: grammar.c.s + +.PHONY : grammar.s + +# target to generate assembly for a file +grammar.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/grammar.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/grammar.c.s +.PHONY : grammar.c.s + +missing/strlcat.o: missing/strlcat.c.o + +.PHONY : missing/strlcat.o + +# target to build an object file +missing/strlcat.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/missing/strlcat.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/missing/strlcat.c.o +.PHONY : missing/strlcat.c.o + +missing/strlcat.i: missing/strlcat.c.i + +.PHONY : missing/strlcat.i + +# target to preprocess a source file +missing/strlcat.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/missing/strlcat.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/missing/strlcat.c.i +.PHONY : missing/strlcat.c.i + +missing/strlcat.s: missing/strlcat.c.s + +.PHONY : missing/strlcat.s + +# target to generate assembly for a file +missing/strlcat.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/missing/strlcat.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/missing/strlcat.c.s +.PHONY : missing/strlcat.c.s + +missing/strlcpy.o: missing/strlcpy.c.o + +.PHONY : missing/strlcpy.o + +# target to build an object file +missing/strlcpy.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/missing/strlcpy.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/missing/strlcpy.c.o +.PHONY : missing/strlcpy.c.o + +missing/strlcpy.i: missing/strlcpy.c.i + +.PHONY : missing/strlcpy.i + +# target to preprocess a source file +missing/strlcpy.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/missing/strlcpy.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/missing/strlcpy.c.i +.PHONY : missing/strlcpy.c.i + +missing/strlcpy.s: missing/strlcpy.c.s + +.PHONY : missing/strlcpy.s + +# target to generate assembly for a file +missing/strlcpy.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/missing/strlcpy.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/missing/strlcpy.c.s +.PHONY : missing/strlcpy.c.s + +nametoaddr.o: nametoaddr.c.o + +.PHONY : nametoaddr.o + +# target to build an object file +nametoaddr.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/nametoaddr.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/nametoaddr.c.o +.PHONY : nametoaddr.c.o + +nametoaddr.i: nametoaddr.c.i + +.PHONY : nametoaddr.i + +# target to preprocess a source file +nametoaddr.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/nametoaddr.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/nametoaddr.c.i +.PHONY : nametoaddr.c.i + +nametoaddr.s: nametoaddr.c.s + +.PHONY : nametoaddr.s + +# target to generate assembly for a file +nametoaddr.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/nametoaddr.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/nametoaddr.c.s +.PHONY : nametoaddr.c.s + +optimize.o: optimize.c.o + +.PHONY : optimize.o + +# target to build an object file +optimize.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/optimize.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/optimize.c.o +.PHONY : optimize.c.o + +optimize.i: optimize.c.i + +.PHONY : optimize.i + +# target to preprocess a source file +optimize.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/optimize.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/optimize.c.i +.PHONY : optimize.c.i + +optimize.s: optimize.c.s + +.PHONY : optimize.s + +# target to generate assembly for a file +optimize.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/optimize.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/optimize.c.s +.PHONY : optimize.c.s + +pcap-common.o: pcap-common.c.o + +.PHONY : pcap-common.o + +# target to build an object file +pcap-common.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/pcap-common.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/pcap-common.c.o +.PHONY : pcap-common.c.o + +pcap-common.i: pcap-common.c.i + +.PHONY : pcap-common.i + +# target to preprocess a source file +pcap-common.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/pcap-common.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/pcap-common.c.i +.PHONY : pcap-common.c.i + +pcap-common.s: pcap-common.c.s + +.PHONY : pcap-common.s + +# target to generate assembly for a file +pcap-common.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/pcap-common.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/pcap-common.c.s +.PHONY : pcap-common.c.s + +pcap-linux.o: pcap-linux.c.o + +.PHONY : pcap-linux.o + +# target to build an object file +pcap-linux.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/pcap-linux.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/pcap-linux.c.o +.PHONY : pcap-linux.c.o + +pcap-linux.i: pcap-linux.c.i + +.PHONY : pcap-linux.i + +# target to preprocess a source file +pcap-linux.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/pcap-linux.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/pcap-linux.c.i +.PHONY : pcap-linux.c.i + +pcap-linux.s: pcap-linux.c.s + +.PHONY : pcap-linux.s + +# target to generate assembly for a file +pcap-linux.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/pcap-linux.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/pcap-linux.c.s +.PHONY : pcap-linux.c.s + +pcap-netfilter-linux.o: pcap-netfilter-linux.c.o + +.PHONY : pcap-netfilter-linux.o + +# target to build an object file +pcap-netfilter-linux.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/pcap-netfilter-linux.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/pcap-netfilter-linux.c.o +.PHONY : pcap-netfilter-linux.c.o + +pcap-netfilter-linux.i: pcap-netfilter-linux.c.i + +.PHONY : pcap-netfilter-linux.i + +# target to preprocess a source file +pcap-netfilter-linux.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/pcap-netfilter-linux.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/pcap-netfilter-linux.c.i +.PHONY : pcap-netfilter-linux.c.i + +pcap-netfilter-linux.s: pcap-netfilter-linux.c.s + +.PHONY : pcap-netfilter-linux.s + +# target to generate assembly for a file +pcap-netfilter-linux.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/pcap-netfilter-linux.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/pcap-netfilter-linux.c.s +.PHONY : pcap-netfilter-linux.c.s + +pcap-usb-linux.o: pcap-usb-linux.c.o + +.PHONY : pcap-usb-linux.o + +# target to build an object file +pcap-usb-linux.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/pcap-usb-linux.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/pcap-usb-linux.c.o +.PHONY : pcap-usb-linux.c.o + +pcap-usb-linux.i: pcap-usb-linux.c.i + +.PHONY : pcap-usb-linux.i + +# target to preprocess a source file +pcap-usb-linux.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/pcap-usb-linux.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/pcap-usb-linux.c.i +.PHONY : pcap-usb-linux.c.i + +pcap-usb-linux.s: pcap-usb-linux.c.s + +.PHONY : pcap-usb-linux.s + +# target to generate assembly for a file +pcap-usb-linux.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/pcap-usb-linux.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/pcap-usb-linux.c.s +.PHONY : pcap-usb-linux.c.s + +pcap.o: pcap.c.o + +.PHONY : pcap.o + +# target to build an object file +pcap.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/pcap.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/pcap.c.o +.PHONY : pcap.c.o + +pcap.i: pcap.c.i + +.PHONY : pcap.i + +# target to preprocess a source file +pcap.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/pcap.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/pcap.c.i +.PHONY : pcap.c.i + +pcap.s: pcap.c.s + +.PHONY : pcap.s + +# target to generate assembly for a file +pcap.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/pcap.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/pcap.c.s +.PHONY : pcap.c.s + +savefile.o: savefile.c.o + +.PHONY : savefile.o + +# target to build an object file +savefile.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/savefile.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/savefile.c.o +.PHONY : savefile.c.o + +savefile.i: savefile.c.i + +.PHONY : savefile.i + +# target to preprocess a source file +savefile.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/savefile.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/savefile.c.i +.PHONY : savefile.c.i + +savefile.s: savefile.c.s + +.PHONY : savefile.s + +# target to generate assembly for a file +savefile.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/savefile.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/savefile.c.s +.PHONY : savefile.c.s + +scanner.o: scanner.c.o + +.PHONY : scanner.o + +# target to build an object file +scanner.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/scanner.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/scanner.c.o +.PHONY : scanner.c.o + +scanner.i: scanner.c.i + +.PHONY : scanner.i + +# target to preprocess a source file +scanner.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/scanner.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/scanner.c.i +.PHONY : scanner.c.i + +scanner.s: scanner.c.s + +.PHONY : scanner.s + +# target to generate assembly for a file +scanner.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/scanner.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/scanner.c.s +.PHONY : scanner.c.s + +sf-pcap.o: sf-pcap.c.o + +.PHONY : sf-pcap.o + +# target to build an object file +sf-pcap.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/sf-pcap.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/sf-pcap.c.o +.PHONY : sf-pcap.c.o + +sf-pcap.i: sf-pcap.c.i + +.PHONY : sf-pcap.i + +# target to preprocess a source file +sf-pcap.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/sf-pcap.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/sf-pcap.c.i +.PHONY : sf-pcap.c.i + +sf-pcap.s: sf-pcap.c.s + +.PHONY : sf-pcap.s + +# target to generate assembly for a file +sf-pcap.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/sf-pcap.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/sf-pcap.c.s +.PHONY : sf-pcap.c.s + +sf-pcapng.o: sf-pcapng.c.o + +.PHONY : sf-pcapng.o + +# target to build an object file +sf-pcapng.c.o: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/sf-pcapng.c.o + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/sf-pcapng.c.o +.PHONY : sf-pcapng.c.o + +sf-pcapng.i: sf-pcapng.c.i + +.PHONY : sf-pcapng.i + +# target to preprocess a source file +sf-pcapng.c.i: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/sf-pcapng.c.i + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/sf-pcapng.c.i +.PHONY : sf-pcapng.c.i + +sf-pcapng.s: sf-pcapng.c.s + +.PHONY : sf-pcapng.s + +# target to generate assembly for a file +sf-pcapng.c.s: + $(MAKE) -f CMakeFiles/pcap.dir/build.make CMakeFiles/pcap.dir/sf-pcapng.c.s + $(MAKE) -f CMakeFiles/pcap_static.dir/build.make CMakeFiles/pcap_static.dir/sf-pcapng.c.s +.PHONY : sf-pcapng.c.s + +# Help Target +help: + @echo "The following are some of the valid targets for this Makefile:" + @echo "... all (the default if no target is provided)" + @echo "... clean" + @echo "... depend" + @echo "... install/strip" + @echo "... install/local" + @echo "... install" + @echo "... list_install_components" + @echo "... rebuild_cache" + @echo "... edit_cache" + @echo "... pcap" + @echo "... uninstall" + @echo "... pcap_static" + @echo "... SerializeTarget" + @echo "... testprogs" + @echo "... capturetest" + @echo "... findalldevstest" + @echo "... filtertest" + @echo "... findalldevstest-perf" + @echo "... can_set_rfmon_test" + @echo "... opentest" + @echo "... reactivatetest" + @echo "... writecaptest" + @echo "... selpolltest" + @echo "... threadsignaltest" + @echo "... valgrindtest" + @echo "... fuzz_both" + @echo "... fuzz_filter" + @echo "... fuzz_pcap" + @echo "... bpf_dump.o" + @echo "... bpf_dump.i" + @echo "... bpf_dump.s" + @echo "... bpf_filter.o" + @echo "... bpf_filter.i" + @echo "... bpf_filter.s" + @echo "... bpf_image.o" + @echo "... bpf_image.i" + @echo "... bpf_image.s" + @echo "... etherent.o" + @echo "... etherent.i" + @echo "... etherent.s" + @echo "... fad-getad.o" + @echo "... fad-getad.i" + @echo "... fad-getad.s" + @echo "... fmtutils.o" + @echo "... fmtutils.i" + @echo "... fmtutils.s" + @echo "... gencode.o" + @echo "... gencode.i" + @echo "... gencode.s" + @echo "... grammar.o" + @echo "... grammar.i" + @echo "... grammar.s" + @echo "... missing/strlcat.o" + @echo "... missing/strlcat.i" + @echo "... missing/strlcat.s" + @echo "... missing/strlcpy.o" + @echo "... missing/strlcpy.i" + @echo "... missing/strlcpy.s" + @echo "... nametoaddr.o" + @echo "... nametoaddr.i" + @echo "... nametoaddr.s" + @echo "... optimize.o" + @echo "... optimize.i" + @echo "... optimize.s" + @echo "... pcap-common.o" + @echo "... pcap-common.i" + @echo "... pcap-common.s" + @echo "... pcap-linux.o" + @echo "... pcap-linux.i" + @echo "... pcap-linux.s" + @echo "... pcap-netfilter-linux.o" + @echo "... pcap-netfilter-linux.i" + @echo "... pcap-netfilter-linux.s" + @echo "... pcap-usb-linux.o" + @echo "... pcap-usb-linux.i" + @echo "... pcap-usb-linux.s" + @echo "... pcap.o" + @echo "... pcap.i" + @echo "... pcap.s" + @echo "... savefile.o" + @echo "... savefile.i" + @echo "... savefile.s" + @echo "... scanner.o" + @echo "... scanner.i" + @echo "... scanner.s" + @echo "... sf-pcap.o" + @echo "... sf-pcap.i" + @echo "... sf-pcap.s" + @echo "... sf-pcapng.o" + @echo "... sf-pcapng.i" + @echo "... sf-pcapng.s" +.PHONY : help + + + +#============================================================================= +# Special targets to cleanup operation of make. + +# Special rule to run CMake to check the build system integrity. +# No rule that depends on this can have commands that come from listfiles +# because they might be regenerated. +cmake_check_build_system: + $(CMAKE_COMMAND) -S$(CMAKE_SOURCE_DIR) -B$(CMAKE_BINARY_DIR) --check-build-system CMakeFiles/Makefile.cmake 0 +.PHONY : cmake_check_build_system + diff --git a/frida_mode/test/libpcap/aflpp_qemu_driver_hook.c b/frida_mode/test/libpcap/aflpp_qemu_driver_hook.c new file mode 100644 index 00000000..059d438d --- /dev/null +++ b/frida_mode/test/libpcap/aflpp_qemu_driver_hook.c @@ -0,0 +1,97 @@ +#include +#include + +#if defined(__x86_64__) + +struct x86_64_regs { + + uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14, + r15; + + union { + + uint64_t rip; + uint64_t pc; + + }; + + union { + + uint64_t rsp; + uint64_t sp; + + }; + + union { + + uint64_t rflags; + uint64_t flags; + + }; + + uint8_t zmm_regs[32][64]; + +}; + +void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base, + uint8_t *input_buf, uint32_t input_buf_len) { + + memcpy((void *)regs->rdi, input_buf, input_buf_len); + regs->rsi = input_buf_len; + +} + +#elif defined(__i386__) + +struct x86_regs { + + uint32_t eax, ebx, ecx, edx, edi, esi, ebp; + + union { + + uint32_t eip; + uint32_t pc; + + }; + + union { + + uint32_t esp; + uint32_t sp; + + }; + + union { + + uint32_t eflags; + uint32_t flags; + + }; + + uint8_t xmm_regs[8][16]; + +}; + +void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base, + uint8_t *input_buf, uint32_t input_buf_len) { + + void **esp = (void **)regs->esp; + void * arg1 = esp[1]; + void **arg2 = &esp[2]; + memcpy(arg1, input_buf, input_buf_len); + *arg2 = (void *)input_buf_len; + +} + +#else + #pragma error "Unsupported architecture" +#endif + +int afl_persistent_hook_init(void) { + + // 1 for shared memory input (faster), 0 for normal input (you have to use + // read(), input_buf will be NULL) + return 1; + +} + diff --git a/frida_mode/test/libpcap/get_symbol_addr.py b/frida_mode/test/libpcap/get_symbol_addr.py new file mode 100755 index 00000000..1c46e010 --- /dev/null +++ b/frida_mode/test/libpcap/get_symbol_addr.py @@ -0,0 +1,36 @@ +#!/usr/bin/python3 +import argparse +from elftools.elf.elffile import ELFFile + +def process_file(file, symbol, base): + with open(file, 'rb') as f: + elf = ELFFile(f) + symtab = elf.get_section_by_name('.symtab') + mains = symtab.get_symbol_by_name(symbol) + if len(mains) != 1: + print ("Failed to find main") + return 1 + + main_addr = mains[0]['st_value'] + main = base + main_addr + print ("0x%016x" % main) + return 0 + +def hex_value(x): + return int(x, 16) + +def main(): + parser = argparse.ArgumentParser(description='Process some integers.') + parser.add_argument('-f', '--file', dest='file', type=str, + help='elf file name', required=True) + parser.add_argument('-s', '--symbol', dest='symbol', type=str, + help='symbol name', required=True) + parser.add_argument('-b', '--base', dest='base', type=hex_value, + help='elf base address', required=True) + + args = parser.parse_args() + return process_file (args.file, args.symbol, args.base) + +if __name__ == "__main__": + ret = main() + exit(ret) diff --git a/frida_mode/test/re2/GNUmakefile b/frida_mode/test/re2/GNUmakefile new file mode 100644 index 00000000..9f0b31d3 --- /dev/null +++ b/frida_mode/test/re2/GNUmakefile @@ -0,0 +1,170 @@ +PWD:=$(shell pwd)/ +ROOT:=$(shell realpath $(PWD)../../..)/ +BUILD_DIR:=$(PWD)build/ + +AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c +AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so + +LIBRE2_BUILD_DIR:=$(BUILD_DIR)libre2/ +HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ +RE2TEST_BUILD_DIR:=$(BUILD_DIR)re2test/ + +LIBRE2_URL:=https://github.com/google/re2.git +LIBRE2_DIR:=$(LIBRE2_BUILD_DIR)libre2/ +LIBRE2_MAKEFILE:=$(LIBRE2_DIR)Makefile +LIBRE2_LIB:=$(LIBRE2_DIR)obj/libre2.a + +HARNESS_FILE:=$(HARNESS_BUILD_DIR)StandaloneFuzzTargetMain.c +HARNESS_OBJ:=$(HARNESS_BUILD_DIR)StandaloneFuzzTargetMain.o +HARNESS_URL:="https://raw.githubusercontent.com/llvm/llvm-project/main/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c" + +RE2TEST_FILE:=$(RE2TEST_BUILD_DIR)target.cc +RE2TEST_OBJ:=$(RE2TEST_BUILD_DIR)target.o +RE2TEST_URL:="https://raw.githubusercontent.com/google/fuzzbench/master/benchmarks/re2-2014-12-09/target.cc" + +LDFLAGS += -lpthread + +TEST_BIN:=$(BUILD_DIR)test +ifeq "$(shell uname)" "Darwin" +TEST_BIN_LDFLAGS:=-undefined dynamic_lookup +endif + +TEST_DATA_DIR:=$(BUILD_DIR)in/ +AFLPP_DRIVER_DUMMY_INPUT:=$(TEST_DATA_DIR)in + +QEMU_OUT:=$(BUILD_DIR)qemu-out +FRIDA_OUT:=$(BUILD_DIR)frida-out + +ifndef ARCH + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + ARCH:=arm64 +endif + +ifeq "$(ARCH)" "i686" + ARCH:=x86 +endif +endif + +AFL_QEMU_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x4000000000) + +ifeq "$(ARCH)" "aarch64" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000aaaaaaaaa000) +endif + +ifeq "$(ARCH)" "x86_64" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000555555554000) +endif + +ifeq "$(ARCH)" "x86" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x56555000) +endif + +.PHONY: all clean qemu frida hook + +all: $(TEST_BIN) + make -C $(ROOT)frida_mode/ + +32: + CXXFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + +$(BUILD_DIR): + mkdir -p $@ + +######### HARNESS ######## +$(HARNESS_BUILD_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(HARNESS_FILE): | $(HARNESS_BUILD_DIR) + wget -O $@ $(HARNESS_URL) + +$(HARNESS_OBJ): $(HARNESS_FILE) + $(CC) $(CXXFLAGS) $(LDFLAGS) -o $@ -c $< + +######### RE2TEST ######## + +$(RE2TEST_BUILD_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(RE2TEST_FILE): | $(RE2TEST_BUILD_DIR) + wget -O $@ $(RE2TEST_URL) + +$(RE2TEST_OBJ): $(RE2TEST_FILE) | $(LIBRE2_MAKEFILE) + $(CXX) $(CXXFLAGS) $(LDFLAGS) -std=c++11 -I $(LIBRE2_DIR) -o $@ -c $< + +######### LIBRE2 ######## + +$(LIBRE2_BUILD_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(LIBRE2_MAKEFILE): $(LIBRE2_BUILD_DIR) + git clone https://github.com/google/re2.git $(LIBRE2_DIR) + cd $(LIBRE2_DIR) && git checkout 499ef7eff7455ce9c9fae86111d4a77b6ac335de + +$(LIBRE2_LIB): $(LIBRE2_MAKEFILE) + make -C $(LIBRE2_DIR) -j $(shell nproc) + +######### TEST ######## + +$(TEST_BIN): $(HARNESS_OBJ) $(RE2TEST_OBJ) $(LIBRE2_LIB) + $(CXX) \ + $(CFLAGS) \ + -o $@ \ + $(HARNESS_OBJ) $(RE2TEST_OBJ) $(LIBRE2_LIB) \ + -lz \ + $(LDFLAGS) \ + $(TEST_BIN_LDFLAGS) \ + +########## HOOK ######## + +$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR) + $(CC) -shared $(CFLAGS) $(LDFLAGS) $< -o $@ + +########## DUMMY ####### + +$(TEST_DATA_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(AFLPP_DRIVER_DUMMY_INPUT): | $(TEST_DATA_DIR) + truncate -s 1M $@ + +###### TEST DATA ####### + +hook: $(AFLPP_DRIVER_HOOK_OBJ) + +clean: + rm -rf $(BUILD_DIR) + +qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) + AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ + AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \ + AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ + AFL_QEMU_PERSISTENT_GPR=1 \ + $(ROOT)afl-fuzz \ + -D \ + -V 30 \ + -Q \ + -i $(TEST_DATA_DIR) \ + -o $(QEMU_OUT) \ + -- \ + $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) + +frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ + AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ + AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ + $(ROOT)afl-fuzz \ + -D \ + -V 30 \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) + +debug: + gdb \ + --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ + --ex 'set disassembly-flavor intel' \ + --args $(TEST_BIN) $(TEST_DATA_DIR)basn0g01.re2 diff --git a/frida_mode/test/re2/Makefile b/frida_mode/test/re2/Makefile new file mode 100644 index 00000000..00b2b287 --- /dev/null +++ b/frida_mode/test/re2/Makefile @@ -0,0 +1,22 @@ +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake + +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + +clean: + @gmake clean + +qemu: + @gmake qemu + +frida: + @gmake frida + +debug: + @gmake debug + +hook: + @gmake hook diff --git a/frida_mode/test/re2/aflpp_qemu_driver_hook.c b/frida_mode/test/re2/aflpp_qemu_driver_hook.c new file mode 100644 index 00000000..059d438d --- /dev/null +++ b/frida_mode/test/re2/aflpp_qemu_driver_hook.c @@ -0,0 +1,97 @@ +#include +#include + +#if defined(__x86_64__) + +struct x86_64_regs { + + uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14, + r15; + + union { + + uint64_t rip; + uint64_t pc; + + }; + + union { + + uint64_t rsp; + uint64_t sp; + + }; + + union { + + uint64_t rflags; + uint64_t flags; + + }; + + uint8_t zmm_regs[32][64]; + +}; + +void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base, + uint8_t *input_buf, uint32_t input_buf_len) { + + memcpy((void *)regs->rdi, input_buf, input_buf_len); + regs->rsi = input_buf_len; + +} + +#elif defined(__i386__) + +struct x86_regs { + + uint32_t eax, ebx, ecx, edx, edi, esi, ebp; + + union { + + uint32_t eip; + uint32_t pc; + + }; + + union { + + uint32_t esp; + uint32_t sp; + + }; + + union { + + uint32_t eflags; + uint32_t flags; + + }; + + uint8_t xmm_regs[8][16]; + +}; + +void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base, + uint8_t *input_buf, uint32_t input_buf_len) { + + void **esp = (void **)regs->esp; + void * arg1 = esp[1]; + void **arg2 = &esp[2]; + memcpy(arg1, input_buf, input_buf_len); + *arg2 = (void *)input_buf_len; + +} + +#else + #pragma error "Unsupported architecture" +#endif + +int afl_persistent_hook_init(void) { + + // 1 for shared memory input (faster), 0 for normal input (you have to use + // read(), input_buf will be NULL) + return 1; + +} + diff --git a/frida_mode/test/re2/get_symbol_addr.py b/frida_mode/test/re2/get_symbol_addr.py new file mode 100755 index 00000000..1c46e010 --- /dev/null +++ b/frida_mode/test/re2/get_symbol_addr.py @@ -0,0 +1,36 @@ +#!/usr/bin/python3 +import argparse +from elftools.elf.elffile import ELFFile + +def process_file(file, symbol, base): + with open(file, 'rb') as f: + elf = ELFFile(f) + symtab = elf.get_section_by_name('.symtab') + mains = symtab.get_symbol_by_name(symbol) + if len(mains) != 1: + print ("Failed to find main") + return 1 + + main_addr = mains[0]['st_value'] + main = base + main_addr + print ("0x%016x" % main) + return 0 + +def hex_value(x): + return int(x, 16) + +def main(): + parser = argparse.ArgumentParser(description='Process some integers.') + parser.add_argument('-f', '--file', dest='file', type=str, + help='elf file name', required=True) + parser.add_argument('-s', '--symbol', dest='symbol', type=str, + help='symbol name', required=True) + parser.add_argument('-b', '--base', dest='base', type=hex_value, + help='elf base address', required=True) + + args = parser.parse_args() + return process_file (args.file, args.symbol, args.base) + +if __name__ == "__main__": + ret = main() + exit(ret) -- cgit 1.4.1 From f677be5e86a096edbba74cb8c739e8b10850a379 Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Thu, 27 May 2021 21:33:44 +0100 Subject: Support for AFL_FRIDA_PERSISTENT_RET (#941) Co-authored-by: Your Name --- frida_mode/GNUmakefile | 7 +- frida_mode/include/persistent.h | 4 + frida_mode/src/instrument/instrument.c | 1 + frida_mode/src/persistent/persistent.c | 34 +++++- frida_mode/src/persistent/persistent_arm32.c | 7 ++ frida_mode/src/persistent/persistent_arm64.c | 7 ++ frida_mode/src/persistent/persistent_x64.c | 19 +++- frida_mode/src/persistent/persistent_x86.c | 15 +++ frida_mode/src/util.c | 13 +-- frida_mode/test/persistent_ret/GNUmakefile | 105 +++++++++++++++++++ frida_mode/test/persistent_ret/Makefile | 22 ++++ frida_mode/test/persistent_ret/get_symbol_addr.py | 36 +++++++ frida_mode/test/persistent_ret/testinstr.c | 120 ++++++++++++++++++++++ include/envs.h | 3 + 14 files changed, 382 insertions(+), 11 deletions(-) create mode 100644 frida_mode/test/persistent_ret/GNUmakefile create mode 100644 frida_mode/test/persistent_ret/Makefile create mode 100755 frida_mode/test/persistent_ret/get_symbol_addr.py create mode 100644 frida_mode/test/persistent_ret/testinstr.c (limited to 'frida_mode/include') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index 20fbb544..f9c0f1f7 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -36,6 +36,10 @@ else CFLAGS+=-Wno-pointer-arith endif +ifdef FRIDA_DEBUG +CFLAGS += -DFRIDA_DEBUG +endif + FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/ FRIDA_TRACE:=$(BUILD_DIR)afl-frida-trace.so FRIDA_TRACE_EMBEDDED:=$(BUILD_DIR)afl-frida-trace-embedded @@ -94,9 +98,6 @@ AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o all: $(FRIDA_TRACE) -32: - CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all - 32: CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all diff --git a/frida_mode/include/persistent.h b/frida_mode/include/persistent.h index e58c5301..25b44ab0 100644 --- a/frida_mode/include/persistent.h +++ b/frida_mode/include/persistent.h @@ -18,6 +18,9 @@ extern unsigned char *__afl_fuzz_ptr; extern guint64 persistent_start; extern guint64 persistent_count; +extern guint64 persistent_ret; +extern guint64 persistent_ret_offset; +extern gboolean persistent_debug; extern afl_persistent_hook_fn hook; void persistent_init(void); @@ -26,6 +29,7 @@ void persistent_init(void); gboolean persistent_is_supported(void); void persistent_prologue(GumStalkerOutput *output); +void persistent_epilogue(GumStalkerOutput *output); #endif diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index f21849a6..c4f18797 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -85,6 +85,7 @@ static void instr_basic_block(GumStalkerIterator *iterator, if (instr->address == entry_start) { entry_prologue(iterator, output); } if (instr->address == persistent_start) { persistent_prologue(output); } + if (instr->address == persistent_ret) { persistent_epilogue(output); } /* * Until we reach AFL_ENTRYPOINT (assumed to be main if not specified) or diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c index 918ff153..2ec5b9cc 100644 --- a/frida_mode/src/persistent/persistent.c +++ b/frida_mode/src/persistent/persistent.c @@ -12,6 +12,9 @@ int __afl_sharedmem_fuzzing = 0; afl_persistent_hook_fn hook = NULL; guint64 persistent_start = 0; guint64 persistent_count = 0; +guint64 persistent_ret = 0; +guint64 persistent_ret_offset = 0; +gboolean persistent_debug = FALSE; void persistent_init(void) { @@ -19,12 +22,36 @@ void persistent_init(void) { persistent_start = util_read_address("AFL_FRIDA_PERSISTENT_ADDR"); persistent_count = util_read_num("AFL_FRIDA_PERSISTENT_CNT"); + persistent_ret = util_read_address("AFL_FRIDA_PERSISTENT_RET"); + persistent_ret_offset = + util_read_address("AFL_FRIDA_PERSISTENT_RETADDR_OFFSET"); + + if (getenv("AFL_FRIDA_PERSISTENT_DEBUG") != NULL) { persistent_debug = TRUE; } + + if (persistent_count != 0 && persistent_start == 0) { - if (persistent_count != 0 && persistent_start == 0) FATAL( "AFL_FRIDA_PERSISTENT_ADDR must be specified if " "AFL_FRIDA_PERSISTENT_CNT is"); + } + + if (persistent_ret != 0 && persistent_start == 0) { + + FATAL( + "AFL_FRIDA_PERSISTENT_ADDR must be specified if " + "AFL_FRIDA_PERSISTENT_RET is"); + + } + + if (persistent_ret_offset != 0 && persistent_ret == 0) { + + FATAL( + "AFL_FRIDA_PERSISTENT_RET must be specified if " + "AFL_FRIDA_PERSISTENT_RETADDR_OFFSET is"); + + } + if (persistent_start != 0 && persistent_count == 0) persistent_count = 1000; if (persistent_count != 0 && persistent_count < 100) @@ -39,6 +66,11 @@ void persistent_init(void) { persistent_start == 0 ? ' ' : 'X', persistent_count); OKF("Instrumentation - hook [%s]", hook_name); + OKF("Instrumentation - persistent ret [%c] (0x%016" G_GINT64_MODIFIER "X)", + persistent_ret == 0 ? ' ' : 'X', persistent_ret); + OKF("Instrumentation - persistent ret offset [%c] (%" G_GINT64_MODIFIER "d)", + persistent_ret_offset == 0 ? ' ' : 'X', persistent_ret_offset); + if (hook_name != NULL) { void *hook_obj = dlopen(hook_name, RTLD_NOW); diff --git a/frida_mode/src/persistent/persistent_arm32.c b/frida_mode/src/persistent/persistent_arm32.c index bc021ff3..6a3c06fa 100644 --- a/frida_mode/src/persistent/persistent_arm32.c +++ b/frida_mode/src/persistent/persistent_arm32.c @@ -68,5 +68,12 @@ void persistent_prologue(GumStalkerOutput *output) { } +void persistent_epilogue(GumStalkerOutput *output) { + + UNUSED_PARAMETER(output); + FATAL("Persistent mode not supported on this architecture"); + +} + #endif diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c index c198da69..1215d8da 100644 --- a/frida_mode/src/persistent/persistent_arm64.c +++ b/frida_mode/src/persistent/persistent_arm64.c @@ -111,5 +111,12 @@ void persistent_prologue(GumStalkerOutput *output) { } +void persistent_epilogue(GumStalkerOutput *output) { + + UNUSED_PARAMETER(output); + FATAL("Persistent mode not supported on this architecture"); + +} + #endif diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c index aa772b7f..4c495d47 100644 --- a/frida_mode/src/persistent/persistent_x64.c +++ b/frida_mode/src/persistent/persistent_x64.c @@ -1,9 +1,11 @@ #include "frida-gum.h" #include "config.h" +#include "debug.h" #include "instrument.h" #include "persistent.h" +#include "util.h" #if defined(__x86_64__) @@ -264,7 +266,6 @@ void persistent_prologue(GumStalkerOutput *output) { GumX86Writer *cw = output->writer.x86; gconstpointer loop = cw->code + 1; - // gum_x86_writer_put_breakpoint(cw); /* Stack must be 16-byte aligned per ABI */ instrument_persitent_save_regs(cw, &saved_regs); @@ -288,7 +289,9 @@ void persistent_prologue(GumStalkerOutput *output) { instrument_persitent_restore_regs(cw, &saved_regs); gconstpointer original = cw->code + 1; /* call original */ + gum_x86_writer_put_call_near_label(cw, original); + /* jmp loop */ gum_x86_writer_put_jmp_near_label(cw, loop); @@ -300,9 +303,23 @@ void persistent_prologue(GumStalkerOutput *output) { /* original: */ gum_x86_writer_put_label(cw, original); + if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); } + gum_x86_writer_flush(cw); } +void persistent_epilogue(GumStalkerOutput *output) { + + GumX86Writer *cw = output->writer.x86; + + if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); } + + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, + persistent_ret_offset); + gum_x86_writer_put_ret(cw); + +} + #endif diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c index 20a3dc42..b30dfadf 100644 --- a/frida_mode/src/persistent/persistent_x86.c +++ b/frida_mode/src/persistent/persistent_x86.c @@ -244,9 +244,24 @@ void persistent_prologue(GumStalkerOutput *output) { /* original: */ gum_x86_writer_put_label(cw, original); + if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); } + gum_x86_writer_flush(cw); } +void persistent_epilogue(GumStalkerOutput *output) { + + GumX86Writer *cw = output->writer.x86; + + if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); } + + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, + persistent_ret_offset); + + gum_x86_writer_put_ret(cw); + +} + #endif diff --git a/frida_mode/src/util.c b/frida_mode/src/util.c index 86b94970..09e8a58b 100644 --- a/frida_mode/src/util.c +++ b/frida_mode/src/util.c @@ -10,7 +10,7 @@ guint64 util_read_address(char *key) { if (!g_str_has_prefix(value_str, "0x")) { - FATAL("Invalid address should have 0x prefix: %s\n", value_str); + FATAL("Invalid address should have 0x prefix: %s=%s\n", key, value_str); } @@ -20,8 +20,8 @@ guint64 util_read_address(char *key) { if (!g_ascii_isxdigit(*c)) { - FATAL("Invalid address not formed of hex digits: %s ('%c')\n", value_str, - *c); + FATAL("Invalid address not formed of hex digits: %s=%s ('%c')\n", key, + value_str, *c); } @@ -30,7 +30,7 @@ guint64 util_read_address(char *key) { guint64 value = g_ascii_strtoull(value_str2, NULL, 16); if (value == 0) { - FATAL("Invalid address failed hex conversion: %s\n", value_str2); + FATAL("Invalid address failed hex conversion: %s=%s\n", key, value_str2); } @@ -48,7 +48,8 @@ guint64 util_read_num(char *key) { if (!g_ascii_isdigit(*c)) { - FATAL("Invalid address not formed of decimal digits: %s\n", value_str); + FATAL("Invalid address not formed of decimal digits: %s=%s\n", key, + value_str); } @@ -57,7 +58,7 @@ guint64 util_read_num(char *key) { guint64 value = g_ascii_strtoull(value_str, NULL, 10); if (value == 0) { - FATAL("Invalid address failed numeric conversion: %s\n", value_str); + FATAL("Invalid address failed numeric conversion: %s=%s\n", key, value_str); } diff --git a/frida_mode/test/persistent_ret/GNUmakefile b/frida_mode/test/persistent_ret/GNUmakefile new file mode 100644 index 00000000..df48d065 --- /dev/null +++ b/frida_mode/test/persistent_ret/GNUmakefile @@ -0,0 +1,105 @@ +PWD:=$(shell pwd)/ +ROOT:=$(shell realpath $(PWD)../../..)/ +BUILD_DIR:=$(PWD)build/ +TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/ +TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in + +TESTINSTBIN:=$(BUILD_DIR)testinstr +TESTINSTSRC:=$(PWD)testinstr.c + +QEMU_OUT:=$(BUILD_DIR)qemu-out +FRIDA_OUT:=$(BUILD_DIR)frida-out + +ifndef ARCH + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + ARCH:=arm64 +endif + +ifeq "$(ARCH)" "i686" + ARCH:=x86 +endif +endif + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s main -b 0x0000aaaaaaaaa000) + AFL_FRIDA_PERSISTENT_RET=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s slow -b 0x0000aaaaaaaaa000) +endif + +ifeq "$(ARCH)" "x86_64" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s main -b 0x0000555555554000) + AFL_FRIDA_PERSISTENT_RET=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s slow -b 0x0000555555554000) +endif + +ifeq "$(ARCH)" "x86" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s main -b 0x56555000) + AFL_FRIDA_PERSISTENT_RET=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s slow -b 0x56555000) +endif + +AFL_FRIDA_PERSISTENT_RETADDR_OFFSET:=0x50 + +.PHONY: all 32 clean qemu frida + +all: $(TESTINSTBIN) + make -C $(ROOT)frida_mode/ + +32: + CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + +$(BUILD_DIR): + mkdir -p $@ + +$(TESTINSTR_DATA_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR) + echo -n "000" > $@ + +$(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< + +clean: + rm -rf $(BUILD_DIR) + +frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TESTINSTR_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TESTINSTBIN) @@ + +frida_ret: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ + AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET) \ + AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET) \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TESTINSTR_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TESTINSTBIN) @@ + +debug: $(TESTINSTR_DATA_FILE) + gdb \ + --ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR)' \ + --ex 'set environment AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET)' \ + --ex 'set environment AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET)' \ + --ex 'set environment AFL_FRIDA_PERSISTENT_DEBUG=1' \ + --ex 'set environment AFL_DEBUG_CHILD=1' \ + --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ + --ex 'set disassembly-flavor intel' \ + --args $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + +run: $(TESTINSTR_DATA_FILE) + AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ + AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET) \ + AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET) \ + AFL_DEBUG_CHILD=1 \ + LD_PRELOAD=$(ROOT)afl-frida-trace.so \ + $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) diff --git a/frida_mode/test/persistent_ret/Makefile b/frida_mode/test/persistent_ret/Makefile new file mode 100644 index 00000000..e3deddbd --- /dev/null +++ b/frida_mode/test/persistent_ret/Makefile @@ -0,0 +1,22 @@ +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake + +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + +clean: + @gmake clean + +frida: + @gmake frida + +frida_ret: + @gmake frida_ret + +debug: + @gmake debug + +run: + @gmake run diff --git a/frida_mode/test/persistent_ret/get_symbol_addr.py b/frida_mode/test/persistent_ret/get_symbol_addr.py new file mode 100755 index 00000000..1c46e010 --- /dev/null +++ b/frida_mode/test/persistent_ret/get_symbol_addr.py @@ -0,0 +1,36 @@ +#!/usr/bin/python3 +import argparse +from elftools.elf.elffile import ELFFile + +def process_file(file, symbol, base): + with open(file, 'rb') as f: + elf = ELFFile(f) + symtab = elf.get_section_by_name('.symtab') + mains = symtab.get_symbol_by_name(symbol) + if len(mains) != 1: + print ("Failed to find main") + return 1 + + main_addr = mains[0]['st_value'] + main = base + main_addr + print ("0x%016x" % main) + return 0 + +def hex_value(x): + return int(x, 16) + +def main(): + parser = argparse.ArgumentParser(description='Process some integers.') + parser.add_argument('-f', '--file', dest='file', type=str, + help='elf file name', required=True) + parser.add_argument('-s', '--symbol', dest='symbol', type=str, + help='symbol name', required=True) + parser.add_argument('-b', '--base', dest='base', type=hex_value, + help='elf base address', required=True) + + args = parser.parse_args() + return process_file (args.file, args.symbol, args.base) + +if __name__ == "__main__": + ret = main() + exit(ret) diff --git a/frida_mode/test/persistent_ret/testinstr.c b/frida_mode/test/persistent_ret/testinstr.c new file mode 100644 index 00000000..6cb88a50 --- /dev/null +++ b/frida_mode/test/persistent_ret/testinstr.c @@ -0,0 +1,120 @@ +/* + american fuzzy lop++ - a trivial program to test the build + -------------------------------------------------------- + Originally written by Michal Zalewski + Copyright 2014 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include + +#ifdef __APPLE__ + #define TESTINSTR_SECTION +#else + #define TESTINSTR_SECTION __attribute__((section(".testinstr"))) +#endif + +void testinstr(char *buf, int len) { + + if (len < 1) return; + buf[len] = 0; + + // we support three input cases + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else if (buf[0] == '1') + printf("Pretty sure that is a one!\n"); + else + printf("Neither one or zero? How quaint!\n"); + +} + +void slow() { + + usleep(100000); + +} + +TESTINSTR_SECTION int main(int argc, char **argv) { + + char * file; + int fd = -1; + off_t len; + char * buf = NULL; + size_t n_read; + int result = -1; + + if (argc != 2) { return 1; } + + do { + + file = argv[1]; + + dprintf(STDERR_FILENO, "Running: %s\n", file); + + fd = open(file, O_RDONLY); + if (fd < 0) { + + perror("open"); + break; + + } + + len = lseek(fd, 0, SEEK_END); + if (len < 0) { + + perror("lseek (SEEK_END)"); + break; + + } + + if (lseek(fd, 0, SEEK_SET) != 0) { + + perror("lseek (SEEK_SET)"); + break; + + } + + buf = malloc(len); + if (buf == NULL) { + + perror("malloc"); + break; + + } + + n_read = read(fd, buf, len); + if (n_read != len) { + + perror("read"); + break; + + } + + dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); + + testinstr(buf, len); + dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read); + + slow(); + + result = 0; + + } while (false); + + if (buf != NULL) { free(buf); } + + if (fd != -1) { close(fd); } + + return result; + +} + diff --git a/include/envs.h b/include/envs.h index e7162c0f..73cd82a8 100644 --- a/include/envs.h +++ b/include/envs.h @@ -62,7 +62,10 @@ static char *afl_environment_variables[] = { "AFL_FRIDA_INST_TRACE", "AFL_FRIDA_PERSISTENT_ADDR", "AFL_FRIDA_PERSISTENT_CNT", + "AFL_FRIDA_PERSISTENT_DEBUG", "AFL_FRIDA_PERSISTENT_HOOK", + "AFL_FRIDA_PERSISTENT_RET", + "AFL_FRIDA_PERSISTENT_RETADDR_OFFSET", "AFL_FUZZER_ARGS", // oss-fuzz "AFL_GDB", "AFL_GCC_ALLOWLIST", -- cgit 1.4.1 From e5083fbf254cb7f0bffffaeda5c70beff965627c Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Fri, 28 May 2021 12:25:18 +0100 Subject: Changes to add missing exclusion of ranges (#943) Co-authored-by: Your Name --- frida_mode/include/ranges.h | 2 + frida_mode/src/ranges.c | 2 + frida_mode/test/deferred/GNUmakefile | 71 ++++++++++++++++++++ frida_mode/test/deferred/Makefile | 13 ++++ frida_mode/test/deferred/testinstr.c | 125 +++++++++++++++++++++++++++++++++++ 5 files changed, 213 insertions(+) create mode 100644 frida_mode/test/deferred/GNUmakefile create mode 100644 frida_mode/test/deferred/Makefile create mode 100644 frida_mode/test/deferred/testinstr.c (limited to 'frida_mode/include') diff --git a/frida_mode/include/ranges.h b/frida_mode/include/ranges.h index f652eb8a..c623f473 100644 --- a/frida_mode/include/ranges.h +++ b/frida_mode/include/ranges.h @@ -7,5 +7,7 @@ void ranges_init(void); gboolean range_is_excluded(gpointer address); +void ranges_exclude(); + #endif diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c index aa140708..ef25b371 100644 --- a/frida_mode/src/ranges.c +++ b/frida_mode/src/ranges.c @@ -568,6 +568,8 @@ void ranges_init(void) { /* *NEVER* stalk the stalker, only bad things will ever come of this! */ ranges_exclude_self(); + ranges_exclude(); + } gboolean range_is_excluded(gpointer address) { diff --git a/frida_mode/test/deferred/GNUmakefile b/frida_mode/test/deferred/GNUmakefile new file mode 100644 index 00000000..c268ef66 --- /dev/null +++ b/frida_mode/test/deferred/GNUmakefile @@ -0,0 +1,71 @@ +PWD:=$(shell pwd)/ +ROOT:=$(shell realpath $(PWD)../../..)/ +BUILD_DIR:=$(PWD)build/ +TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/ +TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in + +TESTINSTBIN:=$(BUILD_DIR)testinstr +TESTINSTSRC:=$(PWD)testinstr.c + +QEMU_OUT:=$(BUILD_DIR)qemu-out +FRIDA_OUT:=$(BUILD_DIR)frida-out + +GET_SYMBOL_ADDR:=$(ROOT)frida_mode/test/png/persistent/get_symbol_addr.py + +ifndef ARCH + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + ARCH:=arm64 +endif + +ifeq "$(ARCH)" "i686" + ARCH:=x86 +endif +endif + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + AFL_ENTRYPOINT=$(shell $(GET_SYMBOL_ADDR) -f $(TESTINSTBIN) -s run -b 0x0000aaaaaaaaa000) +endif + +ifeq "$(ARCH)" "x86_64" + AFL_ENTRYPOINT=$(shell $(GET_SYMBOL_ADDR) -f $(TESTINSTBIN) -s run -b 0x0000555555554000) +endif + +ifeq "$(ARCH)" "x86" + AFL_ENTRYPOINT=$(shell $(GET_SYMBOL_ADDR) -f $(TESTINSTBIN) -s run -b 0x56555000) +endif + +.PHONY: all clean qemu frida + +all: $(TESTINSTBIN) + make -C $(ROOT)frida_mode/ + +32: + CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + +$(BUILD_DIR): + mkdir -p $@ + +$(TESTINSTR_DATA_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR) + echo -n "000" > $@ + +$(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< + +clean: + rm -rf $(BUILD_DIR) + +frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + AFL_ENTRYPOINT=$(AFL_ENTRYPOINT) \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TESTINSTR_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TESTINSTBIN) @@ diff --git a/frida_mode/test/deferred/Makefile b/frida_mode/test/deferred/Makefile new file mode 100644 index 00000000..07b139e9 --- /dev/null +++ b/frida_mode/test/deferred/Makefile @@ -0,0 +1,13 @@ +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake + +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + +clean: + @gmake clean + +frida: + @gmake frida diff --git a/frida_mode/test/deferred/testinstr.c b/frida_mode/test/deferred/testinstr.c new file mode 100644 index 00000000..8b3688d7 --- /dev/null +++ b/frida_mode/test/deferred/testinstr.c @@ -0,0 +1,125 @@ +/* + american fuzzy lop++ - a trivial program to test the build + -------------------------------------------------------- + Originally written by Michal Zalewski + Copyright 2014 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include + +#ifdef __APPLE__ + #define TESTINSTR_SECTION +#else + #define TESTINSTR_SECTION __attribute__((section(".testinstr"))) +#endif + +void testinstr(char *buf, int len) { + + if (len < 1) return; + buf[len] = 0; + + // we support three input cases + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else if (buf[0] == '1') + printf("Pretty sure that is a one!\n"); + else + printf("Neither one or zero? How quaint!\n"); + +} + +int run(char *file) { + + int fd = -1; + off_t len; + char * buf = NULL; + size_t n_read; + int result = -1; + + do { + + dprintf(STDERR_FILENO, "Running: %s\n", file); + + fd = open(file, O_RDONLY); + if (fd < 0) { + + perror("open"); + break; + + } + + len = lseek(fd, 0, SEEK_END); + if (len < 0) { + + perror("lseek (SEEK_END)"); + break; + + } + + if (lseek(fd, 0, SEEK_SET) != 0) { + + perror("lseek (SEEK_SET)"); + break; + + } + + buf = malloc(len); + if (buf == NULL) { + + perror("malloc"); + break; + + } + + n_read = read(fd, buf, len); + if (n_read != len) { + + perror("read"); + break; + + } + + dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); + + testinstr(buf, len); + dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read); + + result = 0; + + } while (false); + + if (buf != NULL) { free(buf); } + + if (fd != -1) { close(fd); } + + return result; + +} + +void slow() { + + usleep(100000); + +} + +TESTINSTR_SECTION int do_run(char * file) { + return run(file); +} + +int main(int argc, char **argv) { + + if (argc != 2) { return 1; } + slow(); + return do_run(argv[1]); + +} + -- cgit 1.4.1 From 6883605d1314503ad6ef8aadcadc90222da5c576 Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Fri, 28 May 2021 23:43:14 +0100 Subject: Support writing Stalker stats (#945) * Support writing Stalker stats * Fixed string handling in print functions Co-authored-by: Your Name --- frida_mode/GNUmakefile | 4 - frida_mode/README.md | 148 +- frida_mode/include/instrument.h | 1 + frida_mode/include/output.h | 9 + frida_mode/include/stats.h | 28 + frida_mode/src/instrument/instrument.c | 5 + frida_mode/src/instrument/instrument_debug.c | 88 +- frida_mode/src/main.c | 4 + frida_mode/src/output.c | 45 + frida_mode/src/stats/stats.c | 208 ++ frida_mode/src/stats/stats_arm.c | 36 + frida_mode/src/stats/stats_arm64.c | 36 + frida_mode/src/stats/stats_x64.c | 307 +++ frida_mode/src/stats/stats_x86.c | 36 + frida_mode/test/output/GNUmakefile | 47 + frida_mode/test/output/Makefile | 13 + frida_mode/test/output/frida_stderr.txt | 2824 ++++++++++++++++++++++++++ frida_mode/test/output/frida_stdout.txt | 349 ++++ frida_mode/test/output/testinstr.c | 112 + include/envs.h | 7 +- 20 files changed, 4241 insertions(+), 66 deletions(-) create mode 100644 frida_mode/include/output.h create mode 100644 frida_mode/include/stats.h create mode 100644 frida_mode/src/output.c create mode 100644 frida_mode/src/stats/stats.c create mode 100644 frida_mode/src/stats/stats_arm.c create mode 100644 frida_mode/src/stats/stats_arm64.c create mode 100644 frida_mode/src/stats/stats_x64.c create mode 100644 frida_mode/src/stats/stats_x86.c create mode 100644 frida_mode/test/output/GNUmakefile create mode 100644 frida_mode/test/output/Makefile create mode 100644 frida_mode/test/output/frida_stderr.txt create mode 100644 frida_mode/test/output/frida_stdout.txt create mode 100644 frida_mode/test/output/testinstr.c (limited to 'frida_mode/include') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index f9c0f1f7..a0387cac 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -36,10 +36,6 @@ else CFLAGS+=-Wno-pointer-arith endif -ifdef FRIDA_DEBUG -CFLAGS += -DFRIDA_DEBUG -endif - FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/ FRIDA_TRACE:=$(BUILD_DIR)afl-frida-trace.so FRIDA_TRACE_EMBEDDED:=$(BUILD_DIR)afl-frida-trace-embedded diff --git a/frida_mode/README.md b/frida_mode/README.md index ecce0bfd..0103a395 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -21,7 +21,7 @@ perhaps leverage some of its design and implementation. | Feature/Instrumentation | frida-mode | Notes | | -------------------------|:----------:|:--------------------------------------------:| | NeverZero | x | | - | Persistent Mode | x | (x86/x64 only)(Only on function boundaries) | + | Persistent Mode | x | (x86/x64 only)(Only on function boundaries) | | LAF-Intel / CompCov | - | (CMPLOG is better 90% of the time) | | CMPLOG | x | (x86/x64 only) | | Selective Instrumentation| x | | @@ -43,16 +43,16 @@ system does not support cross compilation. ## Getting Started -To build everything run `make`. To build for x86 run `make 32`. Note that in +To build everything run `make`. To build for x86 run `make 32`. Note that in x86 bit mode, it is not necessary for afl-fuzz to be built for 32-bit. However, the shared library for frida_mode must be since it is injected into the target process. Various tests can be found in subfolders within the `test/` directory. To use these, first run `make` to build any dependencies. Then run `make qemu` or -`make frida` to run on either QEMU of FRIDA mode respectively. To run frida -tests in 32-bit mode, run `make ARCH=x86 frida`. When switching between -architectures it may be necessary to run `make clean` first for a given build +`make frida` to run on either QEMU of FRIDA mode respectively. To run frida +tests in 32-bit mode, run `make ARCH=x86 frida`. When switching between +architectures it may be necessary to run `make clean` first for a given build target to remove previously generated binaries for a different architecture. ## Usage @@ -74,6 +74,8 @@ following options are currently supported: * `AFL_FRIDA_PERSISTENT_ADDR` - See `AFL_QEMU_PERSISTENT_ADDR` * `AFL_FRIDA_PERSISTENT_CNT` - See `AFL_QEMU_PERSISTENT_CNT` * `AFL_FRIDA_PERSISTENT_HOOK` - See `AFL_QEMU_PERSISTENT_HOOK` +* `AFL_FRIDA_PERSISTENT_RET` - See `AFL_QEMU_PERSISTENT_RET` +* `AFL_FRIDA_PERSISTENT_RETADDR_OFFSET` - See `AFL_QEMU_PERSISTENT_RETADDR_OFFSET` To enable the powerful CMPLOG mechanism, set `-c 0` for `afl-fuzz`. @@ -127,34 +129,144 @@ instances run CMPLOG mode and instrumentation of the binary is less frequent ## Advanced configuration options +* `AFL_FRIDA_INST_DEBUG_FILE` - File to write raw assembly of original blocks +and their instrumented counterparts during block compilation. +``` +*** + +Creating block for 0x7ffff7953313: + 0x7ffff7953313 mov qword ptr [rax], 0 + 0x7ffff795331a add rsp, 8 + 0x7ffff795331e ret + +Generated block 0x7ffff75e98e2 + 0x7ffff75e98e2 mov qword ptr [rax], 0 + 0x7ffff75e98e9 add rsp, 8 + 0x7ffff75e98ed lea rsp, [rsp - 0x80] + 0x7ffff75e98f5 push rcx + 0x7ffff75e98f6 movabs rcx, 0x7ffff795331e + 0x7ffff75e9900 jmp 0x7ffff75e9384 + + +*** +``` * `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage instrumentation (the default where available). Required to use `AFL_FRIDA_INST_TRACE`. * `AFL_FRIDA_INST_NO_PREFETCH` - Disable prefetching. By default the child will report instrumented blocks back to the parent so that it can also instrument them and they be inherited by the next child on fork. -* `AFL_FRIDA_INST_TRACE` - Generate some logging when running instrumented code. -Requires `AFL_FRIDA_INST_NO_OPTIMIZE`. - +* `AFL_FRIDA_INST_TRACE` - Log to stdout the address of executed blocks +`AFL_FRIDA_INST_NO_OPTIMIZE`. +* `AFL_FRIDA_OUTPUT_STDOUT` - Redirect the standard output of the target +application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`) +* `AFL_FRIDA_OUTPUT_STDERR` - Redirect the standard error of the target +application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`) +* `AFL_FRIDA_PERSISTENT_DEBUG` - Insert a Breakpoint into the instrumented code +at `AFL_FRIDA_PERSISTENT_HOOK` and `AFL_FRIDA_PERSISTENT_RET` to allow the user +to determine the value of `AFL_FRIDA_PERSISTENT_RETADDR_OFFSET` using a +debugger. + +``` + +gdb \ + --ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=XXXXXXXXXX' \ + --ex 'set environment AFL_FRIDA_PERSISTENT_RET=XXXXXXXXXX' \ + --ex 'set environment AFL_FRIDA_PERSISTENT_DEBUG=1' \ + --ex 'set environment AFL_DEBUG_CHILD=1' \ + --ex 'set environment LD_PRELOAD=afl-frida-trace.so' \ + --args [my arguments] + +``` +* `AFL_FRIDA_STATS_FILE` - Write statistics information about the code being +instrumented to the given file name. The statistics are written only for the +child process when new block is instrumented (when the +`AFL_FRIDA_STATS_INTERVAL` has expired). Note that simply because a new path is +found does not mean a new block needs to be compiled. It could simply be that +the existing blocks instrumented have been executed in a different order. +``` +stats +----- +Index: 2 +Pid: 1815944 +Time: 2021-05-28 15:26:41 +Blocks: 1985 +Instructions: 9192 +Avg Instructions / Block: 4 + +Call Immediates: 391 (4.25%) +Call Immediates Excluded: 65 (0.71%) +Call Register: 0 (0.00%) +Call Memory: 0 (0.00%) + +Jump Immediates: 202 (2.20%) +Jump Register: 10 (0.11%) +Jump Memory: 12 (0.13%) + +Conditional Jump Immediates: 1210 (13.16%) +Conditional Jump CX Immediate: 0 (0.00%) +Conditional Jump Register: 0 (0.00%) +Conditional Jump Memory: 0 (0.00%) + +Returns: 159 (0.00%) + +Rip Relative: 247 (0.00%) + +``` +* `AFL_FRIDA_STATS_INTERVAL` - The maximum frequency to output statistics +information. Stats will be written whenever they are updated if the given +interval has elapsed since last time they were written. +* `AFL_FRIDA_STATS_TRANSITIONS` - Also dump the internal stalker counters to +stderr when the regular stats are written. Note that these stats are reset in +the child each time a new fork occurs since they are not stored in shared +memory. Unfortunately, these stats are internal to stalker, so this is the best +we can do for now. +``` +stats +----- +Index: 2 +Pid: 1816794 +Time: 2021-05-28 15:26:41 + + +total_transitions: 786 + call_imms: 97 + call_regs: 0 + call_mems: 0 + post_call_invokes: 86 + excluded_call_imms: 29 + ret_slow_paths: 23 + + jmp_imms: 58 + jmp_mems: 7 + jmp_regs: 26 + + jmp_cond_imms: 460 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 +``` ## FASAN - Frida Address Sanitizer Mode Frida mode also supports FASAN. The design of this is actually quite simple and very similar to that used when instrumenting applications compiled from source. ### Address Sanitizer Basics -When Address Sanitizer is used to instrument programs built from source, the +When Address Sanitizer is used to instrument programs built from source, the compiler first adds a dependency (`DT_NEEDED` entry) for the Address Sanitizer dynamic shared object (DSO). This shared object contains the main logic for Address Sanitizer, including setting and managing up the shadow memory. It also provides -replacement implementations for a number of functions in standard libraries. +replacement implementations for a number of functions in standard libraries. These replacements include things like `malloc` and `free` which allows for those allocations to be marked in the shadow memory, but also a number of other fuctions. -Consider `memcpy` for example, this is instrumented to validate the paramters -(test the source and destination buffers against the shadow memory. This is much -easier than instrumenting those standard libraries since, first it would require +Consider `memcpy` for example, this is instrumented to validate the paramters +(test the source and destination buffers against the shadow memory. This is much +easier than instrumenting those standard libraries since, first it would require you to re-compile them and secondly it would mean that the instrumentation would -be applied at a more expensive granular level. Lastly, load-widening (typically +be applied at a more expensive granular level. Lastly, load-widening (typically found in highy optimized code) can also make this instrumentation more difficult. Since the DSO is loaded before all of the standard libraries (in fact it insists @@ -165,9 +277,9 @@ modules which depend on it. FASAN takes a similar approach. It requires the user to add the Address Sanitizer DSO to the `AFL_PRELOAD` environment variable such that it is loaded into the target. -Again, it must be first in the list. This means that it is not necessary to -instrument the standard libraries to detect when an application has provided an -incorrect argument to `memcpy` for example. This avoids issues with load-widening +Again, it must be first in the list. This means that it is not necessary to +instrument the standard libraries to detect when an application has provided an +incorrect argument to `memcpy` for example. This avoids issues with load-widening and should also mean a huge improvement in performance. FASAN then adds instrumentation for any instrucutions which use memory operands and @@ -176,7 +288,7 @@ to validate memory accesses against the shadow memory. ## TODO -The next features to be added are Aarch64 and Aarch32 support as well as looking at +The next features to be added are Aarch64 and Aarch32 support as well as looking at potential performance improvements. The intention is to achieve feature parity with QEMU mode in due course. Contributions are welcome, but please get in touch to ensure that efforts are deconflicted. diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index 75ee6396..ed92c25a 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -19,6 +19,7 @@ gboolean instrument_is_coverage_optimize_supported(void); void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output); +void instrument_debug_init(void); void instrument_debug_start(uint64_t address, GumStalkerOutput *output); void instrument_debug_instruction(uint64_t address, uint16_t size); void instrument_debug_end(GumStalkerOutput *output); diff --git a/frida_mode/include/output.h b/frida_mode/include/output.h new file mode 100644 index 00000000..53a9fdd3 --- /dev/null +++ b/frida_mode/include/output.h @@ -0,0 +1,9 @@ +#ifndef _OUTPUT_H +#define _OUTPUT_H + +#include "frida-gum.h" + +void output_init(void); + +#endif + diff --git a/frida_mode/include/stats.h b/frida_mode/include/stats.h new file mode 100644 index 00000000..4271132a --- /dev/null +++ b/frida_mode/include/stats.h @@ -0,0 +1,28 @@ +#ifndef _STATS_H +#define _STATS_H + +#include "frida-gum.h" + +typedef struct { + + guint64 num_blocks; + guint64 num_instructions; + guint64 stats_last_time; + guint64 stats_idx; + guint64 transitions_idx; + +} stats_data_header_t; + +extern stats_data_header_t *stats_data; + +void stats_init(void); +void stats_collect(const cs_insn *instr, gboolean begin); +void stats_print(char *format, ...); + +gboolean stats_is_supported_arch(void); +size_t stats_data_size_arch(void); +void stats_collect_arch(const cs_insn *instr); +void stats_write_arch(void); + +#endif + diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index c4f18797..cd1ac0be 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -13,6 +13,7 @@ #include "prefetch.h" #include "ranges.h" #include "stalker.h" +#include "stats.h" #include "util.h" static gboolean tracing = false; @@ -113,6 +114,9 @@ static void instr_basic_block(GumStalkerIterator *iterator, * fork-server and thus start executing in the child. */ excluded = range_is_excluded(GSIZE_TO_POINTER(instr->address)); + + stats_collect(instr, begin); + if (unlikely(begin)) { instrument_debug_start(instr->address, output); @@ -180,6 +184,7 @@ void instrument_init(void) { transformer = gum_stalker_transformer_make_from_callback(instr_basic_block, NULL, NULL); + instrument_debug_init(); asan_init(); cmplog_init(); diff --git a/frida_mode/src/instrument/instrument_debug.c b/frida_mode/src/instrument/instrument_debug.c index 3a554ad0..124843d8 100644 --- a/frida_mode/src/instrument/instrument_debug.c +++ b/frida_mode/src/instrument/instrument_debug.c @@ -1,26 +1,34 @@ +#include #include #include #include #include "frida-gum.h" -#include "util.h" +#include "debug.h" -#ifdef FRIDA_DEBUG +#include "util.h" +static int debugging_fd = -1; static gpointer instrument_gen_start = NULL; static void instrument_debug(char *format, ...) { va_list ap; char buffer[4096] = {0}; + int ret; + int len; va_start(ap, format); - vsnprintf(buffer, sizeof(buffer) - 1, format, ap); + ret = vsnprintf(buffer, sizeof(buffer) - 1, format, ap); va_end(ap); - IGNORED_RETURN(write(STDOUT_FILENO, buffer, sizeof(buffer))); + if (ret < 0) { return; } + + len = strnlen(buffer, sizeof(buffer)); + + IGNORED_RETURN(write(debugging_fd, buffer, len)); } @@ -53,76 +61,70 @@ static void instrument_disasm(guint8 *code, guint size) { static gpointer instrument_cur(GumStalkerOutput *output) { - #if defined(__i386__) || defined(__x86_64__) +#if defined(__i386__) || defined(__x86_64__) return gum_x86_writer_cur(output->writer.x86); - #elif defined(__aarch64__) +#elif defined(__aarch64__) return gum_arm64_writer_cur(output->writer.arm64); - #elif defined(__arm__) +#elif defined(__arm__) return gum_arm_writer_cur(output->writer.arm); - #else - #error "Unsupported architecture" - #endif +#else + #error "Unsupported architecture" +#endif } -void instrument_debug_start(uint64_t address, GumStalkerOutput *output) { - - GumDebugSymbolDetails details; +void instrument_debug_init(void) { - instrument_gen_start = instrument_cur(output); + char *filename = getenv("AFL_FRIDA_INST_DEBUG_FILE"); + OKF("Instrumentation debugging - enabled [%c]", filename == NULL ? ' ' : 'X'); - if (gum_symbol_details_from_address(GSIZE_TO_POINTER(address), &details)) { + if (filename == NULL) { return; } - instrument_debug("\n\n***\n\nCreating block for 0x%" G_GINT64_MODIFIER - "x (%s!%s):\n", - address, details.module_name, details.symbol_name); + OKF("Instrumentation debugging - file [%s]", filename); - } else { + if (filename == NULL) { return; } - instrument_debug( - "\n\n***\n\nCreating block for 0x%" G_GINT64_MODIFIER "x:\n", address); + char *path = g_canonicalize_filename(filename, g_get_current_dir()); - } + OKF("Instrumentation debugging - path [%s]", path); -} + debugging_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, + S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); -void instrument_debug_instruction(uint64_t address, uint16_t size) { + if (debugging_fd < 0) { FATAL("Failed to open stats file '%s'", path); } - uint8_t *start = (uint8_t *)GSIZE_TO_POINTER(address); - instrument_disasm(start, size); + g_free(path); } -void instrument_debug_end(GumStalkerOutput *output) { - - gpointer instrument_gen_end = instrument_cur(output); - uint16_t size = GPOINTER_TO_SIZE(instrument_gen_end) - - GPOINTER_TO_SIZE(instrument_gen_start); - - instrument_debug("\nGenerated block %p\n", instrument_gen_start); - instrument_disasm(instrument_gen_start, size); +void instrument_debug_start(uint64_t address, GumStalkerOutput *output) { -} + if (likely(debugging_fd < 0)) { return; } -#else -void instrument_debug_start(void *address) { + instrument_gen_start = instrument_cur(output); - UNUSED_PARAMETER(address); + instrument_debug("\n\n***\n\nCreating block for 0x%" G_GINT64_MODIFIER "x:\n", + address); } void instrument_debug_instruction(uint64_t address, uint16_t size) { - UNUSED_PARAMETER(address); - UNUSED_PARAMETER(size); + if (likely(debugging_fd < 0)) { return; } + uint8_t *start = (uint8_t *)GSIZE_TO_POINTER(address); + instrument_disasm(start, size); } void instrument_debug_end(GumStalkerOutput *output) { - UNUSED_PARAMETER(output); + if (likely(debugging_fd < 0)) { return; } + gpointer instrument_gen_end = instrument_cur(output); + uint16_t size = GPOINTER_TO_SIZE(instrument_gen_end) - + GPOINTER_TO_SIZE(instrument_gen_start); -} + instrument_debug("\nGenerated block %p\n", instrument_gen_start); + instrument_disasm(instrument_gen_start, size); -#endif +} diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index e8015905..1ab9993f 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -19,10 +19,12 @@ #include "instrument.h" #include "interceptor.h" #include "lib.h" +#include "output.h" #include "persistent.h" #include "prefetch.h" #include "ranges.h" #include "stalker.h" +#include "stats.h" #include "util.h" #ifdef __APPLE__ @@ -95,9 +97,11 @@ void afl_frida_start() { lib_init(); entry_init(); instrument_init(); + output_init(); persistent_init(); prefetch_init(); ranges_init(); + stats_init(); void *fork_addr = GSIZE_TO_POINTER(gum_module_find_export_by_name(NULL, "fork")); diff --git a/frida_mode/src/output.c b/frida_mode/src/output.c new file mode 100644 index 00000000..8a222b25 --- /dev/null +++ b/frida_mode/src/output.c @@ -0,0 +1,45 @@ +#include +#include +#include + +#include "frida-gum.h" + +#include "debug.h" + +#include "output.h" + +static int output_fd = -1; + +static void output_redirect(int fd, char *variable) { + + char *filename = getenv(variable); + char *path = NULL; + + if (filename == NULL) { return; } + + path = g_canonicalize_filename(filename, g_get_current_dir()); + + OKF("Redirect %d -> '%s'", fd, path); + + output_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, + S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); + + g_free(path); + + if (output_fd < 0) { FATAL("Failed to open fd(%d) error %d", fd, errno); } + + if (dup2(output_fd, fd) < 0) { + + FATAL("Failed to set fd(%d) error %d", fd, errno); + + } + +} + +void output_init(void) { + + output_redirect(STDOUT_FILENO, "AFL_FRIDA_OUTPUT_STDOUT"); + output_redirect(STDERR_FILENO, "AFL_FRIDA_OUTPUT_STDERR"); + +} + diff --git a/frida_mode/src/stats/stats.c b/frida_mode/src/stats/stats.c new file mode 100644 index 00000000..890a8d6b --- /dev/null +++ b/frida_mode/src/stats/stats.c @@ -0,0 +1,208 @@ +#include +#include +#include +#include +#include +#include + +#include "frida-gum.h" + +#include "config.h" +#include "debug.h" +#include "util.h" + +#include "stats.h" + +#define MICRO_TO_SEC 1000000 + +stats_data_header_t *stats_data = NULL; + +static int stats_parent_pid = -1; +static int stats_fd = -1; +static gboolean stats_transitions = FALSE; +static guint64 stats_interval = 0; + +void stats_init(void) { + + stats_parent_pid = getpid(); + char *filename = getenv("AFL_FRIDA_STATS_FILE"); + stats_interval = util_read_num("AFL_FRIDA_STATS_INTERVAL"); + if (getenv("AFL_FRIDA_STATS_TRANSITIONS") != NULL) { + + stats_transitions = TRUE; + + } + + OKF("Stats - file [%s]", filename); + OKF("Stats - interval [%" G_GINT64_MODIFIER "u]", stats_interval); + + if (stats_interval != 0 && filename == NULL) { + + FATAL( + "AFL_FRIDA_STATS_FILE must be specified if " + "AFL_FRIDA_STATS_INTERVAL is"); + + } + + if (stats_interval == 0) { stats_interval = 10; } + + if (filename == NULL) { return; } + + if (!stats_is_supported_arch()) { + + FATAL("Stats is not supported on this architecture"); + + } + + char *path = NULL; + + if (filename == NULL) { return; } + + if (stats_transitions) { gum_stalker_set_counters_enabled(TRUE); } + + path = g_canonicalize_filename(filename, g_get_current_dir()); + + OKF("Stats - path [%s]", path); + + stats_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, + S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); + + if (stats_fd < 0) { FATAL("Failed to open stats file '%s'", path); } + + g_free(path); + + size_t data_size = stats_data_size_arch(); + + int shm_id = shmget(IPC_PRIVATE, data_size, IPC_CREAT | IPC_EXCL | 0600); + if (shm_id < 0) { FATAL("shm_id < 0 - errno: %d\n", errno); } + + stats_data = shmat(shm_id, NULL, 0); + g_assert(stats_data != MAP_FAILED); + + /* + * Configure the shared memory region to be removed once the process dies. + */ + if (shmctl(shm_id, IPC_RMID, NULL) < 0) { + + FATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); + + } + + /* Clear it, not sure it's necessary, just seems like good practice */ + memset(stats_data, '\0', data_size); + +} + +void stats_vprint(int fd, char *format, va_list ap) { + + char buffer[4096] = {0}; + int ret; + int len; + + if(vsnprintf(buffer, sizeof(buffer) - 1, format, ap) < 0) { return; } + + len = strnlen(buffer, sizeof(buffer)); + IGNORED_RETURN(write(fd, buffer, len)); + +} + +void stats_print_fd(int fd, char *format, ...) { + + va_list ap; + va_start(ap, format); + stats_vprint(fd, format, ap); + va_end(ap); + +} + +void stats_print(char *format, ...) { + + va_list ap; + va_start(ap, format); + stats_vprint(stats_fd, format, ap); + va_end(ap); + +} + +void stats_write(void) { + + if (stats_parent_pid == getpid()) { return; } + + GDateTime *date_time = g_date_time_new_now_local(); + char *date_time_string = g_date_time_format(date_time, "%Y-%m-%e %H:%M:%S"); + + stats_print("stats\n"); + stats_print("-----\n"); + + stats_print("Index: %" G_GINT64_MODIFIER "u\n", + stats_data->stats_idx++); + stats_print("Pid: %d\n", getpid()); + stats_print("Time: %s\n", date_time_string); + stats_print("Blocks: %" G_GINT64_MODIFIER "u\n", + stats_data->num_blocks); + stats_print("Instructions: %" G_GINT64_MODIFIER "u\n", + stats_data->num_instructions); + stats_print("Avg Instructions / Block: %" G_GINT64_MODIFIER "u\n", + stats_data->num_instructions / stats_data->num_blocks); + + stats_print("\n"); + + g_free(date_time_string); + g_date_time_unref(date_time); + + stats_write_arch(); + + if (stats_transitions) { + + GDateTime *date_time = g_date_time_new_now_local(); + char *date_time_string = g_date_time_format(date_time, "%Y-%m-%e %H:%M:%S"); + + stats_print_fd(STDERR_FILENO, "stats\n"); + stats_print_fd(STDERR_FILENO, "-----\n"); + stats_print_fd(STDERR_FILENO, "Index: %" G_GINT64_MODIFIER "u\n", + stats_data->transitions_idx++); + stats_print_fd(STDERR_FILENO, "Pid: %d\n", getpid()); + stats_print_fd(STDERR_FILENO, "Time: %s\n", date_time_string); + + g_free(date_time_string); + g_date_time_unref(date_time); + gum_stalker_dump_counters(); + + } + +} + +static void stats_maybe_write(void) { + + guint64 current_time; + + if (stats_interval == 0) { return; } + + current_time = g_get_monotonic_time(); + + if ((current_time - stats_data->stats_last_time) > + (stats_interval * MICRO_TO_SEC)) { + + stats_write(); + stats_data->stats_last_time = current_time; + + } + +} + +void stats_collect(const cs_insn *instr, gboolean begin) { + + UNUSED_PARAMETER(instr); + UNUSED_PARAMETER(begin); + + if (stats_fd < 0) { return; } + + if (begin) { stats_data->num_blocks++; } + stats_data->num_instructions++; + + stats_collect_arch(instr); + + stats_maybe_write(); + +} + diff --git a/frida_mode/src/stats/stats_arm.c b/frida_mode/src/stats/stats_arm.c new file mode 100644 index 00000000..7eea7f91 --- /dev/null +++ b/frida_mode/src/stats/stats_arm.c @@ -0,0 +1,36 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "stats.h" +#include "util.h" + +#if defined(__arm__) + +gboolean stats_is_supported_arch(void) { + + return FALSE; + +} + +size_t stats_data_size_arch(void) { + + FATAL("Stats not supported on this architecture"); + +} + +void stats_write_arch(void) { + + FATAL("Stats not supported on this architecture"); + +} + +void stats_collect_arch(const cs_insn *instr) { + + UNUSED_PARAMETER(instr); + FATAL("Stats not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/src/stats/stats_arm64.c b/frida_mode/src/stats/stats_arm64.c new file mode 100644 index 00000000..592af87a --- /dev/null +++ b/frida_mode/src/stats/stats_arm64.c @@ -0,0 +1,36 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "stats.h" +#include "util.h" + +#if defined(__aarch64__) + +gboolean stats_is_supported_arch(void) { + + return FALSE; + +} + +size_t stats_data_size_arch(void) { + + FATAL("Stats not supported on this architecture"); + +} + +void stats_write_arch(void) { + + FATAL("Stats not supported on this architecture"); + +} + +void stats_collect_arch(const cs_insn *instr) { + + UNUSED_PARAMETER(instr); + FATAL("Stats not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/src/stats/stats_x64.c b/frida_mode/src/stats/stats_x64.c new file mode 100644 index 00000000..c3e8742a --- /dev/null +++ b/frida_mode/src/stats/stats_x64.c @@ -0,0 +1,307 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "ranges.h" +#include "stats.h" +#include "util.h" + +#if defined(__x86_64__) + +typedef struct { + + stats_data_header_t header; + + guint64 num_call_imm; + guint64 num_call_imm_excluded; + guint64 num_call_reg; + guint64 num_call_mem; + + guint64 num_jmp_imm; + guint64 num_jmp_reg; + guint64 num_jmp_mem; + + guint64 num_jmp_cond_imm; + guint64 num_jmp_cond_reg; + guint64 num_jmp_cond_mem; + + guint64 num_jmp_cond_jcxz; + + guint64 num_ret; + + guint64 num_rip_relative; + +} stats_data_arch_t; + +gboolean stats_is_supported_arch(void) { + + return TRUE; + +} + +size_t stats_data_size_arch(void) { + + return sizeof(stats_data_arch_t); + +} + +void stats_write_arch(void) { + + stats_data_arch_t *stats_data_arch = (stats_data_arch_t *)stats_data; + guint64 num_instructions = stats_data_arch->header.num_instructions; + + stats_print( + "Call Immediates: %" G_GINT64_MODIFIER + "u " + "(%3.2f%%)\n", + stats_data_arch->num_call_imm, + ((float)(stats_data_arch->num_call_imm * 100) / num_instructions)); + stats_print("Call Immediates Excluded: %" G_GINT64_MODIFIER + "u " + "(%3.2f%%)\n", + stats_data_arch->num_call_imm_excluded, + ((float)(stats_data_arch->num_call_imm_excluded * 100) / + num_instructions)); + stats_print( + "Call Register: %" G_GINT64_MODIFIER + "u " + "(%3.2f%%)\n", + stats_data_arch->num_call_reg, + ((float)(stats_data_arch->num_call_reg * 100) / num_instructions)); + stats_print( + "Call Memory: %" G_GINT64_MODIFIER + "u " + "(%3.2f%%)\n", + stats_data_arch->num_call_mem, + ((float)(stats_data_arch->num_call_mem * 100) / num_instructions)); + + stats_print("\n"); + + stats_print("Jump Immediates: %" G_GINT64_MODIFIER + "u " + "(%3.2f%%)\n", + stats_data_arch->num_jmp_imm, + ((float)(stats_data_arch->num_jmp_imm * 100) / num_instructions)); + stats_print("Jump Register: %" G_GINT64_MODIFIER + "u " + "(%3.2f%%)\n", + stats_data_arch->num_jmp_reg, + ((float)(stats_data_arch->num_jmp_reg * 100) / num_instructions)); + stats_print("Jump Memory: %" G_GINT64_MODIFIER + "u " + "(%3.2f%%)\n", + stats_data_arch->num_jmp_mem, + ((float)(stats_data_arch->num_jmp_mem * 100) / num_instructions)); + + stats_print("\n"); + + stats_print( + "Conditional Jump Immediates: %" G_GINT64_MODIFIER + "u " + "(%3.2f%%)\n", + stats_data_arch->num_jmp_cond_imm, + ((float)(stats_data_arch->num_jmp_cond_imm * 100) / num_instructions)); + stats_print( + "Conditional Jump CX Immediate: %" G_GINT64_MODIFIER + "u " + "(%3.2f%%)\n", + stats_data_arch->num_jmp_cond_jcxz, + ((float)(stats_data_arch->num_jmp_cond_jcxz * 100) / num_instructions)); + stats_print( + "Conditional Jump Register: %" G_GINT64_MODIFIER + "u " + "(%3.2f%%)\n", + stats_data_arch->num_jmp_cond_reg, + ((float)(stats_data_arch->num_jmp_cond_reg * 100) / num_instructions)); + stats_print( + "Conditional Jump Memory: %" G_GINT64_MODIFIER + "u " + "(%3.2f%%)\n", + stats_data_arch->num_jmp_cond_mem, + ((float)(stats_data_arch->num_jmp_cond_mem * 100) / num_instructions)); + + stats_print("\n"); + + stats_print("Returns: %" G_GINT64_MODIFIER + "u " + "(%3.2f%%)\n", + stats_data_arch->num_ret, + (stats_data_arch->num_ret * 100 / num_instructions)); + + stats_print("\n"); + + stats_print("Rip Relative: %" G_GINT64_MODIFIER + "u " + "(%3.2f%%)\n", + stats_data_arch->num_rip_relative, + (stats_data_arch->num_rip_relative * 100 / num_instructions)); + + stats_print("\n"); + stats_print("\n"); + +} + +static x86_op_type stats_get_operand_type(const cs_insn *instr) { + + cs_x86 * x86 = &instr->detail->x86; + cs_x86_op *operand; + + if (x86->op_count != 1) { + + FATAL("Unexpected operand count (%d): %s %s\n", x86->op_count, + instr->mnemonic, instr->op_str); + + } + + operand = &x86->operands[0]; + + return operand->type; + +} + +static void stats_collect_call_imm_excluded_arch(const cs_insn *instr) { + + stats_data_arch_t *stats_data_arch = (stats_data_arch_t *)stats_data; + cs_x86 * x86 = &instr->detail->x86; + cs_x86_op * operand = &x86->operands[0]; + + if (range_is_excluded((gpointer)operand->imm)) { + + stats_data_arch->num_call_imm_excluded++; + + } + +} + +static void stats_collect_call_arch(const cs_insn *instr) { + + stats_data_arch_t *stats_data_arch = (stats_data_arch_t *)stats_data; + x86_op_type type = stats_get_operand_type(instr); + switch (type) { + + case X86_OP_IMM: + stats_data_arch->num_call_imm++; + stats_collect_call_imm_excluded_arch(instr); + break; + case X86_OP_REG: + stats_data_arch->num_call_reg++; + break; + case X86_OP_MEM: + stats_data_arch->num_call_mem++; + break; + default: + FATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str); + + } + +} + +static void stats_collect_jump_arch(const cs_insn *instr) { + + stats_data_arch_t *stats_data_arch = (stats_data_arch_t *)stats_data; + x86_op_type type = stats_get_operand_type(instr); + switch (type) { + + case X86_OP_IMM: + stats_data_arch->num_jmp_imm++; + break; + case X86_OP_REG: + stats_data_arch->num_jmp_reg++; + break; + case X86_OP_MEM: + stats_data_arch->num_jmp_mem++; + break; + default: + FATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str); + + } + +} + +static void stats_collect_jump_cond_arch(const cs_insn *instr) { + + stats_data_arch_t *stats_data_arch = (stats_data_arch_t *)stats_data; + x86_op_type type = stats_get_operand_type(instr); + switch (type) { + + case X86_OP_IMM: + stats_data_arch->num_jmp_cond_imm++; + break; + case X86_OP_REG: + stats_data_arch->num_jmp_cond_reg++; + break; + case X86_OP_MEM: + stats_data_arch->num_jmp_cond_mem++; + break; + default: + FATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str); + + } + +} + +static void stats_collect_rip_relative_arch(const cs_insn *instr) { + + stats_data_arch_t *stats_data_arch = (stats_data_arch_t *)stats_data; + cs_x86 * x86 = &instr->detail->x86; + guint mod; + guint rm; + + if (x86->encoding.modrm_offset == 0) { return; } + + mod = (x86->modrm & 0xc0) >> 6; + if (mod != 0) { return; } + + rm = (x86->modrm & 0x07) >> 0; + if (rm != 5) { return; } + + stats_data_arch->num_rip_relative++; + +} + +void stats_collect_arch(const cs_insn *instr) { + + stats_data_arch_t *stats_data_arch = (stats_data_arch_t *)stats_data; + switch (instr->id) { + + case X86_INS_CALL: + stats_collect_call_arch(instr); + break; + case X86_INS_JMP: + stats_collect_jump_arch(instr); + break; + case X86_INS_JA: + case X86_INS_JAE: + case X86_INS_JB: + case X86_INS_JBE: + case X86_INS_JE: + case X86_INS_JG: + case X86_INS_JGE: + case X86_INS_JL: + case X86_INS_JLE: + case X86_INS_JNE: + case X86_INS_JNO: + case X86_INS_JNP: + case X86_INS_JNS: + case X86_INS_JO: + case X86_INS_JP: + case X86_INS_JS: + stats_collect_jump_cond_arch(instr); + break; + case X86_INS_JECXZ: + case X86_INS_JRCXZ: + stats_data_arch->num_jmp_cond_jcxz++; + break; + case X86_INS_RET: + stats_data_arch->num_ret++; + break; + default: + stats_collect_rip_relative_arch(instr); + break; + + } + +} + +#endif + diff --git a/frida_mode/src/stats/stats_x86.c b/frida_mode/src/stats/stats_x86.c new file mode 100644 index 00000000..1906e809 --- /dev/null +++ b/frida_mode/src/stats/stats_x86.c @@ -0,0 +1,36 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "stats.h" +#include "util.h" + +#if defined(__i386__) + +gboolean stats_is_supported_arch(void) { + + return FALSE; + +} + +size_t stats_data_size_arch(void) { + + FATAL("Stats not supported on this architecture"); + +} + +void stats_write_arch(void) { + + FATAL("Stats not supported on this architecture"); + +} + +void stats_collect_arch(const cs_insn *instr) { + + UNUSED_PARAMETER(instr); + FATAL("Stats not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/test/output/GNUmakefile b/frida_mode/test/output/GNUmakefile new file mode 100644 index 00000000..eaa1c4dc --- /dev/null +++ b/frida_mode/test/output/GNUmakefile @@ -0,0 +1,47 @@ +PWD:=$(shell pwd)/ +ROOT:=$(shell realpath $(PWD)../../..)/ +BUILD_DIR:=$(PWD)build/ +TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/ +TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in + +TESTINSTBIN:=$(BUILD_DIR)testinstr +TESTINSTSRC:=$(PWD)testinstr.c + +QEMU_OUT:=$(BUILD_DIR)qemu-out +FRIDA_OUT:=$(BUILD_DIR)frida-out + +.PHONY: all 32 clean qemu frida + +all: $(TESTINSTBIN) + make -C $(ROOT)frida_mode/ + +32: + CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + +$(BUILD_DIR): + mkdir -p $@ + +$(TESTINSTR_DATA_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR) + echo -n "000" > $@ + +$(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< + +clean: + rm -rf $(BUILD_DIR) + +frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + AFL_FRIDA_OUTPUT_STDOUT=frida_stdout.txt \ + AFL_FRIDA_OUTPUT_STDERR=frida_stderr.txt \ + AFL_FRIDA_STATS_FILE=frida_stats.txt \ + AFL_FRIDA_STATS_INTERVAL=1 \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TESTINSTR_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TESTINSTBIN) @@ diff --git a/frida_mode/test/output/Makefile b/frida_mode/test/output/Makefile new file mode 100644 index 00000000..07b139e9 --- /dev/null +++ b/frida_mode/test/output/Makefile @@ -0,0 +1,13 @@ +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake + +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + +clean: + @gmake clean + +frida: + @gmake frida diff --git a/frida_mode/test/output/frida_stderr.txt b/frida_mode/test/output/frida_stderr.txt new file mode 100644 index 00000000..103216cf --- /dev/null +++ b/frida_mode/test/output/frida_stderr.txt @@ -0,0 +1,2824 @@ + + +total_transitions: 9 + call_imms: 1 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 1 + jmp_mems: 2 + jmp_regs: 0 + + jmp_cond_imms: 2 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 19 + call_imms: 4 + call_regs: 0 + call_mems: 0 + post_call_invokes: 2 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 1 + jmp_mems: 3 + jmp_regs: 0 + + jmp_cond_imms: 6 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 29 + call_imms: 6 + call_regs: 1 + call_mems: 0 + post_call_invokes: 3 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 2 + jmp_mems: 3 + jmp_regs: 0 + + jmp_cond_imms: 11 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 39 + call_imms: 6 + call_regs: 2 + call_mems: 0 + post_call_invokes: 5 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 2 + jmp_mems: 3 + jmp_regs: 0 + + jmp_cond_imms: 18 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 49 + call_imms: 7 + call_regs: 2 + call_mems: 1 + post_call_invokes: 6 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 2 + jmp_mems: 3 + jmp_regs: 0 + + jmp_cond_imms: 25 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 59 + call_imms: 8 + call_regs: 2 + call_mems: 3 + post_call_invokes: 6 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 3 + jmp_mems: 3 + jmp_regs: 0 + + jmp_cond_imms: 31 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 69 + call_imms: 9 + call_regs: 2 + call_mems: 3 + post_call_invokes: 7 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 3 + jmp_mems: 4 + jmp_regs: 0 + + jmp_cond_imms: 38 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 79 + call_imms: 10 + call_regs: 2 + call_mems: 3 + post_call_invokes: 7 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 4 + jmp_mems: 4 + jmp_regs: 0 + + jmp_cond_imms: 46 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 89 + call_imms: 10 + call_regs: 2 + call_mems: 3 + post_call_invokes: 7 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 4 + jmp_mems: 4 + jmp_regs: 0 + + jmp_cond_imms: 56 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 99 + call_imms: 11 + call_regs: 2 + call_mems: 3 + post_call_invokes: 9 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 4 + jmp_mems: 4 + jmp_regs: 0 + + jmp_cond_imms: 63 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 109 + call_imms: 12 + call_regs: 2 + call_mems: 3 + post_call_invokes: 12 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 5 + jmp_mems: 4 + jmp_regs: 0 + + jmp_cond_imms: 68 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 119 + call_imms: 12 + call_regs: 2 + call_mems: 4 + post_call_invokes: 14 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 6 + jmp_mems: 4 + jmp_regs: 0 + + jmp_cond_imms: 74 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 129 + call_imms: 14 + call_regs: 2 + call_mems: 4 + post_call_invokes: 16 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 6 + jmp_mems: 4 + jmp_regs: 0 + + jmp_cond_imms: 80 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 139 + call_imms: 14 + call_regs: 2 + call_mems: 5 + post_call_invokes: 17 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 6 + jmp_mems: 5 + jmp_regs: 0 + + jmp_cond_imms: 87 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 149 + call_imms: 14 + call_regs: 2 + call_mems: 6 + post_call_invokes: 17 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 6 + jmp_mems: 5 + jmp_regs: 0 + + jmp_cond_imms: 96 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 159 + call_imms: 15 + call_regs: 2 + call_mems: 6 + post_call_invokes: 18 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 8 + jmp_mems: 5 + jmp_regs: 0 + + jmp_cond_imms: 102 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 170 + call_imms: 15 + call_regs: 2 + call_mems: 6 + post_call_invokes: 18 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 10 + jmp_mems: 5 + jmp_regs: 0 + + jmp_cond_imms: 111 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 180 + call_imms: 15 + call_regs: 2 + call_mems: 6 + post_call_invokes: 20 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 11 + jmp_mems: 5 + jmp_regs: 0 + + jmp_cond_imms: 118 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 190 + call_imms: 16 + call_regs: 2 + call_mems: 6 + post_call_invokes: 20 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 11 + jmp_mems: 6 + jmp_regs: 1 + + jmp_cond_imms: 125 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 201 + call_imms: 16 + call_regs: 2 + call_mems: 7 + post_call_invokes: 21 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 13 + jmp_mems: 6 + jmp_regs: 1 + + jmp_cond_imms: 132 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 211 + call_imms: 17 + call_regs: 2 + call_mems: 7 + post_call_invokes: 22 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 14 + jmp_mems: 7 + jmp_regs: 1 + + jmp_cond_imms: 138 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 223 + call_imms: 18 + call_regs: 2 + call_mems: 8 + post_call_invokes: 24 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 15 + jmp_mems: 7 + jmp_regs: 1 + + jmp_cond_imms: 145 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 233 + call_imms: 18 + call_regs: 2 + call_mems: 8 + post_call_invokes: 25 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 16 + jmp_mems: 7 + jmp_regs: 1 + + jmp_cond_imms: 153 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 244 + call_imms: 19 + call_regs: 2 + call_mems: 9 + post_call_invokes: 26 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 16 + jmp_mems: 7 + jmp_regs: 1 + + jmp_cond_imms: 161 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input + + +total_transitions: 254 + call_imms: 20 + call_regs: 2 + call_mems: 9 + post_call_invokes: 27 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 18 + jmp_mems: 7 + jmp_regs: 1 + + jmp_cond_imms: 167 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 264 + call_imms: 20 + call_regs: 2 + call_mems: 9 + post_call_invokes: 29 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 20 + jmp_mems: 7 + jmp_regs: 1 + + jmp_cond_imms: 173 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 275 + call_imms: 21 + call_regs: 2 + call_mems: 10 + post_call_invokes: 30 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 22 + jmp_mems: 7 + jmp_regs: 1 + + jmp_cond_imms: 179 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 285 + call_imms: 22 + call_regs: 2 + call_mems: 10 + post_call_invokes: 30 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 23 + jmp_mems: 8 + jmp_regs: 1 + + jmp_cond_imms: 186 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 295 + call_imms: 22 + call_regs: 2 + call_mems: 10 + post_call_invokes: 30 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 23 + jmp_mems: 8 + jmp_regs: 1 + + jmp_cond_imms: 196 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 305 + call_imms: 22 + call_regs: 2 + call_mems: 10 + post_call_invokes: 30 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 24 + jmp_mems: 8 + jmp_regs: 1 + + jmp_cond_imms: 205 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 315 + call_imms: 22 + call_regs: 2 + call_mems: 10 + post_call_invokes: 31 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 26 + jmp_mems: 8 + jmp_regs: 1 + + jmp_cond_imms: 212 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 326 + call_imms: 22 + call_regs: 3 + call_mems: 10 + post_call_invokes: 32 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 27 + jmp_mems: 8 + jmp_regs: 1 + + jmp_cond_imms: 220 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 337 + call_imms: 23 + call_regs: 4 + call_mems: 10 + post_call_invokes: 36 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 27 + jmp_mems: 9 + jmp_regs: 1 + + jmp_cond_imms: 224 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 348 + call_imms: 24 + call_regs: 4 + call_mems: 10 + post_call_invokes: 38 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 27 + jmp_mems: 10 + jmp_regs: 1 + + jmp_cond_imms: 231 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 362 + call_imms: 26 + call_regs: 4 + call_mems: 10 + post_call_invokes: 39 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 28 + jmp_mems: 11 + jmp_regs: 1 + + jmp_cond_imms: 240 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 375 + call_imms: 27 + call_regs: 4 + call_mems: 10 + post_call_invokes: 40 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 28 + jmp_mems: 12 + jmp_regs: 1 + + jmp_cond_imms: 250 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 387 + call_imms: 28 + call_regs: 4 + call_mems: 10 + post_call_invokes: 41 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 28 + jmp_mems: 12 + jmp_regs: 3 + + jmp_cond_imms: 258 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 397 + call_imms: 29 + call_regs: 4 + call_mems: 10 + post_call_invokes: 42 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 30 + jmp_mems: 12 + jmp_regs: 3 + + jmp_cond_imms: 264 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 407 + call_imms: 29 + call_regs: 4 + call_mems: 10 + post_call_invokes: 42 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 31 + jmp_mems: 12 + jmp_regs: 3 + + jmp_cond_imms: 273 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 418 + call_imms: 29 + call_regs: 4 + call_mems: 11 + post_call_invokes: 43 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 32 + jmp_mems: 12 + jmp_regs: 3 + + jmp_cond_imms: 281 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) + + +total_transitions: 430 + call_imms: 32 + call_regs: 4 + call_mems: 11 + post_call_invokes: 45 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 33 + jmp_mems: 13 + jmp_regs: 3 + + jmp_cond_imms: 286 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 441 + call_imms: 32 + call_regs: 4 + call_mems: 12 + post_call_invokes: 46 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 33 + jmp_mems: 13 + jmp_regs: 3 + + jmp_cond_imms: 295 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 +Done: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) + + +total_transitions: 453 + call_imms: 33 + call_regs: 4 + call_mems: 12 + post_call_invokes: 49 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 34 + jmp_mems: 13 + jmp_regs: 3 + + jmp_cond_imms: 302 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 465 + call_imms: 35 + call_regs: 4 + call_mems: 12 + post_call_invokes: 50 + excluded_call_imms: 2 + ret_slow_paths: 1 + + jmp_imms: 35 + jmp_mems: 15 + jmp_regs: 3 + + jmp_cond_imms: 308 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 475 + call_imms: 38 + call_regs: 4 + call_mems: 12 + post_call_invokes: 51 + excluded_call_imms: 3 + ret_slow_paths: 3 + + jmp_imms: 35 + jmp_mems: 16 + jmp_regs: 3 + + jmp_cond_imms: 310 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 485 + call_imms: 38 + call_regs: 5 + call_mems: 12 + post_call_invokes: 52 + excluded_call_imms: 3 + ret_slow_paths: 3 + + jmp_imms: 36 + jmp_mems: 16 + jmp_regs: 3 + + jmp_cond_imms: 317 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 495 + call_imms: 38 + call_regs: 5 + call_mems: 13 + post_call_invokes: 52 + excluded_call_imms: 3 + ret_slow_paths: 3 + + jmp_imms: 38 + jmp_mems: 16 + jmp_regs: 3 + + jmp_cond_imms: 324 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 506 + call_imms: 38 + call_regs: 5 + call_mems: 13 + post_call_invokes: 53 + excluded_call_imms: 3 + ret_slow_paths: 3 + + jmp_imms: 39 + jmp_mems: 16 + jmp_regs: 3 + + jmp_cond_imms: 333 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 516 + call_imms: 40 + call_regs: 5 + call_mems: 13 + post_call_invokes: 53 + excluded_call_imms: 3 + ret_slow_paths: 3 + + jmp_imms: 40 + jmp_mems: 16 + jmp_regs: 3 + + jmp_cond_imms: 340 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 526 + call_imms: 40 + call_regs: 5 + call_mems: 13 + post_call_invokes: 54 + excluded_call_imms: 3 + ret_slow_paths: 3 + + jmp_imms: 40 + jmp_mems: 16 + jmp_regs: 3 + + jmp_cond_imms: 349 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 540 + call_imms: 42 + call_regs: 5 + call_mems: 13 + post_call_invokes: 55 + excluded_call_imms: 3 + ret_slow_paths: 3 + + jmp_imms: 42 + jmp_mems: 16 + jmp_regs: 3 + + jmp_cond_imms: 358 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 552 + call_imms: 43 + call_regs: 5 + call_mems: 13 + post_call_invokes: 57 + excluded_call_imms: 3 + ret_slow_paths: 3 + + jmp_imms: 43 + jmp_mems: 16 + jmp_regs: 3 + + jmp_cond_imms: 366 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 563 + call_imms: 43 + call_regs: 5 + call_mems: 14 + post_call_invokes: 58 + excluded_call_imms: 3 + ret_slow_paths: 3 + + jmp_imms: 43 + jmp_mems: 16 + jmp_regs: 3 + + jmp_cond_imms: 375 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 573 + call_imms: 43 + call_regs: 5 + call_mems: 15 + post_call_invokes: 59 + excluded_call_imms: 3 + ret_slow_paths: 3 + + jmp_imms: 44 + jmp_mems: 16 + jmp_regs: 3 + + jmp_cond_imms: 382 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 583 + call_imms: 44 + call_regs: 5 + call_mems: 15 + post_call_invokes: 59 + excluded_call_imms: 3 + ret_slow_paths: 3 + + jmp_imms: 45 + jmp_mems: 17 + jmp_regs: 3 + + jmp_cond_imms: 389 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 593 + call_imms: 45 + call_regs: 5 + call_mems: 15 + post_call_invokes: 60 + excluded_call_imms: 3 + ret_slow_paths: 3 + + jmp_imms: 46 + jmp_mems: 17 + jmp_regs: 3 + + jmp_cond_imms: 396 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 603 + call_imms: 46 + call_regs: 6 + call_mems: 15 + post_call_invokes: 64 + excluded_call_imms: 3 + ret_slow_paths: 3 + + jmp_imms: 46 + jmp_mems: 17 + jmp_regs: 3 + + jmp_cond_imms: 400 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 615 + call_imms: 46 + call_regs: 7 + call_mems: 17 + post_call_invokes: 64 + excluded_call_imms: 5 + ret_slow_paths: 3 + + jmp_imms: 46 + jmp_mems: 17 + jmp_regs: 3 + + jmp_cond_imms: 407 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 626 + call_imms: 48 + call_regs: 8 + call_mems: 18 + post_call_invokes: 66 + excluded_call_imms: 5 + ret_slow_paths: 3 + + jmp_imms: 46 + jmp_mems: 18 + jmp_regs: 3 + + jmp_cond_imms: 411 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 637 + call_imms: 50 + call_regs: 9 + call_mems: 19 + post_call_invokes: 68 + excluded_call_imms: 5 + ret_slow_paths: 3 + + jmp_imms: 47 + jmp_mems: 19 + jmp_regs: 3 + + jmp_cond_imms: 414 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 648 + call_imms: 52 + call_regs: 9 + call_mems: 20 + post_call_invokes: 70 + excluded_call_imms: 5 + ret_slow_paths: 3 + + jmp_imms: 47 + jmp_mems: 20 + jmp_regs: 3 + + jmp_cond_imms: 419 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 660 + call_imms: 52 + call_regs: 10 + call_mems: 20 + post_call_invokes: 72 + excluded_call_imms: 5 + ret_slow_paths: 3 + + jmp_imms: 49 + jmp_mems: 20 + jmp_regs: 3 + + jmp_cond_imms: 426 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 672 + call_imms: 52 + call_regs: 10 + call_mems: 20 + post_call_invokes: 72 + excluded_call_imms: 5 + ret_slow_paths: 3 + + jmp_imms: 51 + jmp_mems: 20 + jmp_regs: 3 + + jmp_cond_imms: 436 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 683 + call_imms: 53 + call_regs: 11 + call_mems: 21 + post_call_invokes: 73 + excluded_call_imms: 5 + ret_slow_paths: 3 + + jmp_imms: 52 + jmp_mems: 20 + jmp_regs: 3 + + jmp_cond_imms: 442 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 697 + call_imms: 53 + call_regs: 11 + call_mems: 22 + post_call_invokes: 74 + excluded_call_imms: 5 + ret_slow_paths: 3 + + jmp_imms: 53 + jmp_mems: 20 + jmp_regs: 3 + + jmp_cond_imms: 453 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 709 + call_imms: 53 + call_regs: 13 + call_mems: 22 + post_call_invokes: 77 + excluded_call_imms: 5 + ret_slow_paths: 3 + + jmp_imms: 53 + jmp_mems: 20 + jmp_regs: 3 + + jmp_cond_imms: 460 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 720 + call_imms: 53 + call_regs: 13 + call_mems: 22 + post_call_invokes: 77 + excluded_call_imms: 5 + ret_slow_paths: 3 + + jmp_imms: 55 + jmp_mems: 20 + jmp_regs: 3 + + jmp_cond_imms: 469 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 730 + call_imms: 54 + call_regs: 13 + call_mems: 24 + post_call_invokes: 77 + excluded_call_imms: 5 + ret_slow_paths: 3 + + jmp_imms: 56 + jmp_mems: 20 + jmp_regs: 3 + + jmp_cond_imms: 475 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 740 + call_imms: 54 + call_regs: 13 + call_mems: 24 + post_call_invokes: 80 + excluded_call_imms: 5 + ret_slow_paths: 3 + + jmp_imms: 57 + jmp_mems: 20 + jmp_regs: 3 + + jmp_cond_imms: 481 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 753 + call_imms: 54 + call_regs: 14 + call_mems: 24 + post_call_invokes: 81 + excluded_call_imms: 5 + ret_slow_paths: 3 + + jmp_imms: 58 + jmp_mems: 20 + jmp_regs: 3 + + jmp_cond_imms: 491 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 + + +total_transitions: 3 + call_imms: 0 + call_regs: 0 + call_mems: 0 + post_call_invokes: 0 + excluded_call_imms: 0 + ret_slow_paths: 0 + + jmp_imms: 1 + jmp_mems: 1 + jmp_regs: 0 + + jmp_cond_imms: 1 + jmp_cond_mems: 0 + jmp_cond_regs: 0 + jmp_cond_jcxzs: 0 + + jmp_continuations: 0 +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) +Done: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) +Done: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) +Done: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) +Done: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) +Done: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) +Done: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input +Running: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) +Done: /home/jon/git/AFLplusplus/frida_mode/test/output/build/frida-out/default/.cur_input: (3 bytes) diff --git a/frida_mode/test/output/frida_stdout.txt b/frida_mode/test/output/frida_stdout.txt new file mode 100644 index 00000000..8832681d --- /dev/null +++ b/frida_mode/test/output/frida_stdout.txt @@ -0,0 +1,349 @@ +OG Range - 0x00007FFFF7FFE000 - 0x00007FFFF7FFF000 +[+] CMPLOG Range - 0x00007FFFF7FFD000 - 0x00007FFFF7FFE000 +[+] CMPLOG Range - 0x00007FFFF7FFC000 - 0x00007FFFF7FFD000 +[+] CMPLOG Range - 0x00007FFFF7FF3000 - 0x00007FFFF7FFB000 +[+] CMPLOG Range - 0x00007FFFF7FD0000 - 0x00007FFFF7FF3000 +[+] CMPLOG Range - 0x00007FFFF7FCF000 - 0x00007FFFF7FD0000 +[+] CMPLOG Range - 0x00007FFFF7FCE000 - 0x00007FFFF7FCF000 +[+] CMPLOG Range - 0x00007FFFF7FCB000 - 0x00007FFFF7FCE000 +[+] CMPLOG Range - 0x00007FFFF7DC4000 - 0x00007FFFF7FCB000 +[+] CMPLOG Range - 0x00007FFFF7DBC000 - 0x00007FFFF7DC4000 +[+] CMPLOG Range - 0x00007FFFF7DB0000 - 0x00007FFFF7DBC000 +[+] CMPLOG Range - 0x00007FFFF7A94000 - 0x00007FFFF7DB0000 +[+] CMPLOG Range - 0x00007FFFF7942000 - 0x00007FFFF7A94000 +[+] CMPLOG Range - 0x00007FFFF78BF000 - 0x00007FFFF7942000 +[+] CMPLOG Range - 0x00007FFFF78AF000 - 0x00007FFFF78BF000 +[+] CMPLOG Range - 0x00007FFFF78AA000 - 0x00007FFFF78AB000 +[+] CMPLOG Range - 0x00007FFFF78A9000 - 0x00007FFFF78AA000 +[+] CMPLOG Range - 0x00007FFFF78A2000 - 0x00007FFFF78A6000 +[+] CMPLOG Range - 0x00007FFFF789F000 - 0x00007FFFF78A2000 +[+] CMPLOG Range - 0x00007FFFF789C000 - 0x00007FFFF789F000 +[+] CMPLOG Range - 0x00007FFFF7851000 - 0x00007FFFF789B000 +[+] CMPLOG Range - 0x00007FFFF76DB000 - 0x00007FFFF7851000 +[+] CMPLOG Range - 0x00007FFFF76DA000 - 0x00007FFFF76DB000 +[+] CMPLOG Range - 0x00007FFFF76D9000 - 0x00007FFFF76DA000 +[+] CMPLOG Range - 0x00007FFFF76B4000 - 0x00007FFFF76D9000 +[+] CMPLOG Range - 0x00007FFFF76B0000 - 0x00007FFFF76B4000 +[+] CMPLOG Range - 0x00007FFFF76AF000 - 0x00007FFFF76B0000 +[+] CMPLOG Range - 0x00007FFFF76AE000 - 0x00007FFFF76AF000 +[+] CMPLOG Range - 0x00007FFFF76A9000 - 0x00007FFFF76AE000 +[+] CMPLOG Range - 0x00007FFFF7698000 - 0x00007FFFF76A9000 +[+] CMPLOG Range - 0x00007FFFF7691000 - 0x00007FFFF7698000 +[+] CMPLOG Range - 0x00007FFFF768F000 - 0x00007FFFF7691000 +[+] CMPLOG Range - 0x00007FFFF768E000 - 0x00007FFFF768F000 +[+] CMPLOG Range - 0x00007FFFF768D000 - 0x00007FFFF768E000 +[+] CMPLOG Range - 0x00007FFFF7689000 - 0x00007FFFF768C000 +[+] CMPLOG Range - 0x00007FFFF7679000 - 0x00007FFFF7689000 +[+] CMPLOG Range - 0x00007FFFF7675000 - 0x00007FFFF7679000 +[+] CMPLOG Range - 0x00007FFFF7674000 - 0x00007FFFF7675000 +[+] CMPLOG Range - 0x00007FFFF7673000 - 0x00007FFFF7674000 +[+] CMPLOG Range - 0x00007FFFF7672000 - 0x00007FFFF7673000 +[+] CMPLOG Range - 0x00007FFFF7670000 - 0x00007FFFF7672000 +[+] CMPLOG Range - 0x00007FFFF766F000 - 0x00007FFFF7670000 +[+] CMPLOG Range - 0x00007FFFF766D000 - 0x00007FFFF766F000 +[+] Redirect 1 -> '/home/jon/git/AFLplusplus/frida_mode/test/output/frida_stdout.txt' +[+] Redirect 2 -> '/home/jon/git/AFLplusplus/frida_mode/test/output/frida_stderr.txt' +[+] Instrumentation - persistent mode [ ] (0x0000000000000000) +[+] Instrumentation - persistent count [ ] (0) +[+] Instrumentation - hook [(null)] +[+] Instrumentation - persistent ret [ ] (0x0000000000000000) +[+] Instrumentation - persistent ret offset [ ] (0) +[+] Instrumentation - prefetch [X] +[+] Range: Modules Length: 54 +[+] Range: Modules Idx: 0 - 0x0000555555554000-0x0000555555555000 +[+] Range: Modules Idx: 1 - 0x0000555555555000-0x0000555555556000 +[+] Range: Modules Idx: 2 - 0x0000555555556000-0x0000555555557000 +[+] Range: Modules Idx: 3 - 0x0000555555557000-0x0000555555558000 +[+] Range: Modules Idx: 4 - 0x0000555555558000-0x0000555555559000 +[+] Range: Modules Idx: 5 - 0x0000555555559000-0x000055555557a000 +[+] Range: Modules Idx: 6 - 0x00007ffff7615000-0x00007ffff7625000 +[+] Range: Modules Idx: 7 - 0x00007ffff766d000-0x00007ffff766f000 +[+] Range: Modules Idx: 8 - 0x00007ffff766f000-0x00007ffff7670000 +[+] Range: Modules Idx: 9 - 0x00007ffff7670000-0x00007ffff7672000 +[+] Range: Modules Idx: 10 - 0x00007ffff7672000-0x00007ffff7673000 +[+] Range: Modules Idx: 11 - 0x00007ffff7673000-0x00007ffff7674000 +[+] Range: Modules Idx: 12 - 0x00007ffff7674000-0x00007ffff7675000 +[+] Range: Modules Idx: 13 - 0x00007ffff7675000-0x00007ffff7679000 +[+] Range: Modules Idx: 14 - 0x00007ffff7679000-0x00007ffff7689000 +[+] Range: Modules Idx: 15 - 0x00007ffff7689000-0x00007ffff768c000 +[+] Range: Modules Idx: 16 - 0x00007ffff768c000-0x00007ffff768d000 +[+] Range: Modules Idx: 17 - 0x00007ffff768d000-0x00007ffff768e000 +[+] Range: Modules Idx: 18 - 0x00007ffff768e000-0x00007ffff768f000 +[+] Range: Modules Idx: 19 - 0x00007ffff768f000-0x00007ffff7691000 +[+] Range: Modules Idx: 20 - 0x00007ffff7691000-0x00007ffff7698000 +[+] Range: Modules Idx: 21 - 0x00007ffff7698000-0x00007ffff76a9000 +[+] Range: Modules Idx: 22 - 0x00007ffff76a9000-0x00007ffff76ae000 +[+] Range: Modules Idx: 23 - 0x00007ffff76ae000-0x00007ffff76af000 +[+] Range: Modules Idx: 24 - 0x00007ffff76af000-0x00007ffff76b0000 +[+] Range: Modules Idx: 25 - 0x00007ffff76b0000-0x00007ffff76b4000 +[+] Range: Modules Idx: 26 - 0x00007ffff76b4000-0x00007ffff76d9000 +[+] Range: Modules Idx: 27 - 0x00007ffff76d9000-0x00007ffff76da000 +[+] Range: Modules Idx: 28 - 0x00007ffff76da000-0x00007ffff76db000 +[+] Range: Modules Idx: 29 - 0x00007ffff76db000-0x00007ffff7851000 +[+] Range: Modules Idx: 30 - 0x00007ffff7851000-0x00007ffff789b000 +[+] Range: Modules Idx: 31 - 0x00007ffff789b000-0x00007ffff789c000 +[+] Range: Modules Idx: 32 - 0x00007ffff789c000-0x00007ffff789f000 +[+] Range: Modules Idx: 33 - 0x00007ffff789f000-0x00007ffff78a2000 +[+] Range: Modules Idx: 34 - 0x00007ffff78a2000-0x00007ffff78a6000 +[+] Range: Modules Idx: 35 - 0x00007ffff78a9000-0x00007ffff78aa000 +[+] Range: Modules Idx: 36 - 0x00007ffff78aa000-0x00007ffff78ab000 +[+] Range: Modules Idx: 37 - 0x00007ffff78af000-0x00007ffff78bf000 +[+] Range: Modules Idx: 38 - 0x00007ffff78bf000-0x00007ffff7942000 +[+] Range: Modules Idx: 39 - 0x00007ffff7942000-0x00007ffff7a94000 +[+] Range: Modules Idx: 40 - 0x00007ffff7a94000-0x00007ffff7db0000 +[+] Range: Modules Idx: 41 - 0x00007ffff7db0000-0x00007ffff7dbc000 +[+] Range: Modules Idx: 42 - 0x00007ffff7dbc000-0x00007ffff7dc4000 +[+] Range: Modules Idx: 43 - 0x00007ffff7dc4000-0x00007ffff7fcb000 +[+] Range: Modules Idx: 44 - 0x00007ffff7fcb000-0x00007ffff7fce000 +[+] Range: Modules Idx: 45 - 0x00007ffff7fce000-0x00007ffff7fcf000 +[+] Range: Modules Idx: 46 - 0x00007ffff7fcf000-0x00007ffff7fd0000 +[+] Range: Modules Idx: 47 - 0x00007ffff7fd0000-0x00007ffff7ff3000 +[+] Range: Modules Idx: 48 - 0x00007ffff7ff3000-0x00007ffff7ffb000 +[+] Range: Modules Idx: 49 - 0x00007ffff7ffc000-0x00007ffff7ffd000 +[+] Range: Modules Idx: 50 - 0x00007ffff7ffd000-0x00007ffff7ffe000 +[+] Range: Modules Idx: 51 - 0x00007ffff7ffe000-0x00007ffff7fff000 +[+] Range: Modules Idx: 52 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: Modules Idx: 53 - 0xffffffffff600000-0xffffffffff601000 +[+] Range: AFL_INST_LIBS Length: 1 +[+] Range: AFL_INST_LIBS Idx: 0 - 0x0000555555555160-0x0000555555555335 +[+] Range: step1 Length: 1 +[+] Range: step1 Idx: 0 - 0x0000555555555160-0x0000555555555335 +[+] Range: step2 Length: 1 +[+] Range: step2 Idx: 0 - 0x0000555555555160-0x0000555555555335 +[+] Range: step3 Length: 1 +[+] Range: step3 Idx: 0 - 0x0000555555555160-0x0000555555555335 +[+] Range: step4 Length: 55 +[+] Range: step4 Idx: 0 - 0x0000555555554000-0x0000555555555000 +[+] Range: step4 Idx: 1 - 0x0000555555555000-0x0000555555555160 +[+] Range: step4 Idx: 2 - 0x0000555555555335-0x0000555555556000 +[+] Range: step4 Idx: 3 - 0x0000555555556000-0x0000555555557000 +[+] Range: step4 Idx: 4 - 0x0000555555557000-0x0000555555558000 +[+] Range: step4 Idx: 5 - 0x0000555555558000-0x0000555555559000 +[+] Range: step4 Idx: 6 - 0x0000555555559000-0x000055555557a000 +[+] Range: step4 Idx: 7 - 0x00007ffff7615000-0x00007ffff7625000 +[+] Range: step4 Idx: 8 - 0x00007ffff766d000-0x00007ffff766f000 +[+] Range: step4 Idx: 9 - 0x00007ffff766f000-0x00007ffff7670000 +[+] Range: step4 Idx: 10 - 0x00007ffff7670000-0x00007ffff7672000 +[+] Range: step4 Idx: 11 - 0x00007ffff7672000-0x00007ffff7673000 +[+] Range: step4 Idx: 12 - 0x00007ffff7673000-0x00007ffff7674000 +[+] Range: step4 Idx: 13 - 0x00007ffff7674000-0x00007ffff7675000 +[+] Range: step4 Idx: 14 - 0x00007ffff7675000-0x00007ffff7679000 +[+] Range: step4 Idx: 15 - 0x00007ffff7679000-0x00007ffff7689000 +[+] Range: step4 Idx: 16 - 0x00007ffff7689000-0x00007ffff768c000 +[+] Range: step4 Idx: 17 - 0x00007ffff768c000-0x00007ffff768d000 +[+] Range: step4 Idx: 18 - 0x00007ffff768d000-0x00007ffff768e000 +[+] Range: step4 Idx: 19 - 0x00007ffff768e000-0x00007ffff768f000 +[+] Range: step4 Idx: 20 - 0x00007ffff768f000-0x00007ffff7691000 +[+] Range: step4 Idx: 21 - 0x00007ffff7691000-0x00007ffff7698000 +[+] Range: step4 Idx: 22 - 0x00007ffff7698000-0x00007ffff76a9000 +[+] Range: step4 Idx: 23 - 0x00007ffff76a9000-0x00007ffff76ae000 +[+] Range: step4 Idx: 24 - 0x00007ffff76ae000-0x00007ffff76af000 +[+] Range: step4 Idx: 25 - 0x00007ffff76af000-0x00007ffff76b0000 +[+] Range: step4 Idx: 26 - 0x00007ffff76b0000-0x00007ffff76b4000 +[+] Range: step4 Idx: 27 - 0x00007ffff76b4000-0x00007ffff76d9000 +[+] Range: step4 Idx: 28 - 0x00007ffff76d9000-0x00007ffff76da000 +[+] Range: step4 Idx: 29 - 0x00007ffff76da000-0x00007ffff76db000 +[+] Range: step4 Idx: 30 - 0x00007ffff76db000-0x00007ffff7851000 +[+] Range: step4 Idx: 31 - 0x00007ffff7851000-0x00007ffff789b000 +[+] Range: step4 Idx: 32 - 0x00007ffff789b000-0x00007ffff789c000 +[+] Range: step4 Idx: 33 - 0x00007ffff789c000-0x00007ffff789f000 +[+] Range: step4 Idx: 34 - 0x00007ffff789f000-0x00007ffff78a2000 +[+] Range: step4 Idx: 35 - 0x00007ffff78a2000-0x00007ffff78a6000 +[+] Range: step4 Idx: 36 - 0x00007ffff78a9000-0x00007ffff78aa000 +[+] Range: step4 Idx: 37 - 0x00007ffff78aa000-0x00007ffff78ab000 +[+] Range: step4 Idx: 38 - 0x00007ffff78af000-0x00007ffff78bf000 +[+] Range: step4 Idx: 39 - 0x00007ffff78bf000-0x00007ffff7942000 +[+] Range: step4 Idx: 40 - 0x00007ffff7942000-0x00007ffff7a94000 +[+] Range: step4 Idx: 41 - 0x00007ffff7a94000-0x00007ffff7db0000 +[+] Range: step4 Idx: 42 - 0x00007ffff7db0000-0x00007ffff7dbc000 +[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000 +[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000 +[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000 +[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000 +[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000 +[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000 +[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000 +[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000 +[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000 +[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000 +[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000 +[+] Range: final Length: 9 +[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160 +[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000 +[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000 +[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000 +[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000 +[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000 +[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000 +[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000 +Looks like a zero to me! +0x00007ffff7dbc000 +[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000 +[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000 +[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000 +[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000 +[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000 +[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000 +[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000 +[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000 +[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000 +[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000 +[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000 +[+] Range: final Length: 9 +[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160 +[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000 +[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000 +[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000 +[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000 +[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000 +[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000 +[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000 +Looks like a zero to me! +0x00007ffff7dbc000 +[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000 +[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000 +[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000 +[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000 +[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000 +[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000 +[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000 +[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000 +[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000 +[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000 +[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000 +[+] Range: final Length: 9 +[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160 +[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000 +[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000 +[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000 +[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000 +[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000 +[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000 +[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000 +Looks like a zero to me! +0x00007ffff7dbc000 +[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000 +[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000 +[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000 +[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000 +[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000 +[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000 +[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000 +[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000 +[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000 +[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000 +[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000 +[+] Range: final Length: 9 +[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160 +[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000 +[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000 +[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000 +[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000 +[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000 +[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000 +[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000 +Looks like a zero to me! +0x00007ffff7dbc000 +[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000 +[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000 +[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000 +[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000 +[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000 +[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000 +[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000 +[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000 +[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000 +[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000 +[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000 +[+] Range: final Length: 9 +[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160 +[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000 +[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000 +[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000 +[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000 +[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000 +[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000 +[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000 +Looks like a zero to me! +0x00007ffff7dbc000 +[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000 +[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000 +[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000 +[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000 +[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000 +[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000 +[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000 +[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000 +[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000 +[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000 +[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000 +[+] Range: final Length: 9 +[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160 +[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000 +[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000 +[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000 +[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000 +[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000 +[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000 +[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000 +Looks like a zero to me! +0x00007ffff7dbc000 +[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000 +[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000 +[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000 +[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000 +[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000 +[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000 +[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000 +[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000 +[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000 +[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000 +[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000 +[+] Range: final Length: 9 +[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160 +[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000 +[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000 +[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000 +[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000 +[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000 +[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000 +[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000 +Looks like a zero to me! +0x00007ffff7dbc000 +[+] Range: step4 Idx: 43 - 0x00007ffff7dbc000-0x00007ffff7dc4000 +[+] Range: step4 Idx: 44 - 0x00007ffff7dc4000-0x00007ffff7fcb000 +[+] Range: step4 Idx: 45 - 0x00007ffff7fcb000-0x00007ffff7fce000 +[+] Range: step4 Idx: 46 - 0x00007ffff7fce000-0x00007ffff7fcf000 +[+] Range: step4 Idx: 47 - 0x00007ffff7fcf000-0x00007ffff7fd0000 +[+] Range: step4 Idx: 48 - 0x00007ffff7fd0000-0x00007ffff7ff3000 +[+] Range: step4 Idx: 49 - 0x00007ffff7ff3000-0x00007ffff7ffb000 +[+] Range: step4 Idx: 50 - 0x00007ffff7ffc000-0x00007ffff7ffd000 +[+] Range: step4 Idx: 51 - 0x00007ffff7ffd000-0x00007ffff7ffe000 +[+] Range: step4 Idx: 52 - 0x00007ffff7ffe000-0x00007ffff7fff000 +[+] Range: step4 Idx: 53 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: step4 Idx: 54 - 0xffffffffff600000-0xffffffffff601000 +[+] Range: final Length: 9 +[+] Range: final Idx: 0 - 0x0000555555554000-0x0000555555555160 +[+] Range: final Idx: 1 - 0x0000555555555335-0x000055555557a000 +[+] Range: final Idx: 2 - 0x00007ffff7615000-0x00007ffff7625000 +[+] Range: final Idx: 3 - 0x00007ffff766d000-0x00007ffff78a6000 +[+] Range: final Idx: 4 - 0x00007ffff78a9000-0x00007ffff78ab000 +[+] Range: final Idx: 5 - 0x00007ffff78af000-0x00007ffff7ffb000 +[+] Range: final Idx: 6 - 0x00007ffff7ffc000-0x00007ffff7fff000 +[+] Range: final Idx: 7 - 0x00007ffffffdd000-0x00007ffffffff000 +[+] Range: final Idx: 8 - 0xffffffffff600000-0xffffffffff601000 +Looks like a zero to me! diff --git a/frida_mode/test/output/testinstr.c b/frida_mode/test/output/testinstr.c new file mode 100644 index 00000000..5e26fc46 --- /dev/null +++ b/frida_mode/test/output/testinstr.c @@ -0,0 +1,112 @@ +/* + american fuzzy lop++ - a trivial program to test the build + -------------------------------------------------------- + Originally written by Michal Zalewski + Copyright 2014 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include + +#ifdef __APPLE__ + #define TESTINSTR_SECTION +#else + #define TESTINSTR_SECTION __attribute__((section(".testinstr"))) +#endif + +void testinstr(char *buf, int len) { + + if (len < 1) return; + buf[len] = 0; + + // we support three input cases + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else if (buf[0] == '1') + printf("Pretty sure that is a one!\n"); + else + printf("Neither one or zero? How quaint!\n"); + +} + +TESTINSTR_SECTION int main(int argc, char **argv) { + + char * file; + int fd = -1; + off_t len; + char * buf = NULL; + size_t n_read; + int result = -1; + + if (argc != 2) { return 1; } + + do { + + file = argv[1]; + + dprintf(STDERR_FILENO, "Running: %s\n", file); + + fd = open(file, O_RDONLY); + if (fd < 0) { + + perror("open"); + break; + + } + + len = lseek(fd, 0, SEEK_END); + if (len < 0) { + + perror("lseek (SEEK_END)"); + break; + + } + + if (lseek(fd, 0, SEEK_SET) != 0) { + + perror("lseek (SEEK_SET)"); + break; + + } + + buf = malloc(len); + if (buf == NULL) { + + perror("malloc"); + break; + + } + + n_read = read(fd, buf, len); + if (n_read != len) { + + perror("read"); + break; + + } + + dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); + + testinstr(buf, len); + dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read); + + result = 0; + + } while (false); + + if (buf != NULL) { free(buf); } + + if (fd != -1) { close(fd); } + + return result; + +} + diff --git a/include/envs.h b/include/envs.h index 73cd82a8..08b3284a 100644 --- a/include/envs.h +++ b/include/envs.h @@ -55,17 +55,22 @@ static char *afl_environment_variables[] = { "AFL_FORCE_UI", "AFL_FRIDA_DEBUG_MAPS", "AFL_FRIDA_EXCLUDE_RANGES", + "AFL_FRIDA_INST_DEBUG_FILE", "AFL_FRIDA_INST_NO_OPTIMIZE", "AFL_FRIDA_INST_NO_PREFETCH", "AFL_FRIDA_INST_RANGES", - "AFL_FRIDA_INST_STRICT", "AFL_FRIDA_INST_TRACE", + "AFL_FRIDA_OUTPUT_STDOUT", + "AFL_FRIDA_OUTPUT_STDERR", "AFL_FRIDA_PERSISTENT_ADDR", "AFL_FRIDA_PERSISTENT_CNT", "AFL_FRIDA_PERSISTENT_DEBUG", "AFL_FRIDA_PERSISTENT_HOOK", "AFL_FRIDA_PERSISTENT_RET", "AFL_FRIDA_PERSISTENT_RETADDR_OFFSET", + "AFL_FRIDA_STATS_FILE", + "AFL_FRIDA_STATS_INTERVAL", + "AFL_FRIDA_STATS_TRANSITIONS", "AFL_FUZZER_ARGS", // oss-fuzz "AFL_GDB", "AFL_GCC_ALLOWLIST", -- cgit 1.4.1 From c7b9171c103fc80da75d2b9648b62aa87cbe76fd Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Tue, 8 Jun 2021 08:55:12 +0100 Subject: FRIDA AARCH64 support (#965) Co-authored-by: Your Name --- frida_mode/README.md | 8 +- frida_mode/include/ctx.h | 11 +- frida_mode/include/instrument.h | 10 +- frida_mode/src/asan/asan_arm.c | 28 -- frida_mode/src/asan/asan_arm32.c | 28 ++ frida_mode/src/asan/asan_arm64.c | 76 ++++- frida_mode/src/cmplog/cmplog_arm.c | 19 -- frida_mode/src/cmplog/cmplog_arm32.c | 19 ++ frida_mode/src/cmplog/cmplog_arm64.c | 295 ++++++++++++++++- frida_mode/src/ctx/ctx_arm32.c | 16 + frida_mode/src/ctx/ctx_arm64.c | 303 ++++++++++++++++++ frida_mode/src/instrument/instrument.c | 5 +- frida_mode/src/instrument/instrument_arm32.c | 12 + frida_mode/src/instrument/instrument_arm64.c | 12 + frida_mode/src/instrument/instrument_debug.c | 58 ++-- frida_mode/src/instrument/instrument_x64.c | 12 + frida_mode/src/instrument/instrument_x86.c | 12 + frida_mode/src/persistent/persistent_arm64.c | 354 ++++++++++++++++++++- frida_mode/src/persistent/persistent_x64.c | 2 - frida_mode/src/persistent/persistent_x86.c | 2 - frida_mode/src/stats/stats.c | 1 - frida_mode/src/stats/stats_arm.c | 36 --- frida_mode/src/stats/stats_arm32.c | 36 +++ frida_mode/test/cmplog/GNUmakefile | 11 +- frida_mode/test/cmplog/Makefile | 4 + frida_mode/test/cmplog/cmplog.c | 2 +- frida_mode/test/fasan/GNUmakefile | 4 +- frida_mode/test/persistent_ret/GNUmakefile | 4 +- frida_mode/test/png/persistent/GNUmakefile | 14 +- frida_mode/test/png/persistent/Makefile | 3 + frida_mode/test/png/persistent/hook/GNUmakefile | 4 +- .../png/persistent/hook/aflpp_qemu_driver_hook.c | 96 ++++++ 32 files changed, 1348 insertions(+), 149 deletions(-) delete mode 100644 frida_mode/src/asan/asan_arm.c create mode 100644 frida_mode/src/asan/asan_arm32.c delete mode 100644 frida_mode/src/cmplog/cmplog_arm.c create mode 100644 frida_mode/src/cmplog/cmplog_arm32.c create mode 100644 frida_mode/src/ctx/ctx_arm32.c create mode 100644 frida_mode/src/ctx/ctx_arm64.c delete mode 100644 frida_mode/src/stats/stats_arm.c create mode 100644 frida_mode/src/stats/stats_arm32.c (limited to 'frida_mode/include') diff --git a/frida_mode/README.md b/frida_mode/README.md index 0103a395..d7dd72a0 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -21,16 +21,16 @@ perhaps leverage some of its design and implementation. | Feature/Instrumentation | frida-mode | Notes | | -------------------------|:----------:|:--------------------------------------------:| | NeverZero | x | | - | Persistent Mode | x | (x86/x64 only)(Only on function boundaries) | + | Persistent Mode | x | (x86/x64/aarch64 only) | | LAF-Intel / CompCov | - | (CMPLOG is better 90% of the time) | - | CMPLOG | x | (x86/x64 only) | + | CMPLOG | x | (x86/x64/aarch64 only) | | Selective Instrumentation| x | | | Non-Colliding Coverage | - | (Not possible in binary-only instrumentation | | Ngram prev_loc Coverage | - | | | Context Coverage | - | | | Auto Dictionary | - | | | Snapshot LKM Support | - | | - | In-Memory Test Cases | x | (x86/x64 only) | + | In-Memory Test Cases | x | (x86/x64/aarch64 only) | ## Compatibility Currently FRIDA mode supports Linux and macOS targets on both x86/x64 @@ -288,7 +288,7 @@ to validate memory accesses against the shadow memory. ## TODO -The next features to be added are Aarch64 and Aarch32 support as well as looking at +The next features to be added are Aarch32 support as well as looking at potential performance improvements. The intention is to achieve feature parity with QEMU mode in due course. Contributions are welcome, but please get in touch to ensure that efforts are deconflicted. diff --git a/frida_mode/include/ctx.h b/frida_mode/include/ctx.h index cbcc892a..67274aee 100644 --- a/frida_mode/include/ctx.h +++ b/frida_mode/include/ctx.h @@ -3,8 +3,15 @@ #include "frida-gum.h" -#if defined(__x86_64__) || defined(__i386__) -gsize ctx_read_reg(GumCpuContext *ctx, x86_reg reg); +#if defined(__x86_64__) +gsize ctx_read_reg(GumX64CpuContext *ctx, x86_reg reg); +#elif defined(__i386__) +gsize ctx_read_reg(GumIA32CpuContext *ctx, x86_reg reg); +#elif defined(__aarch64__) +gsize ctx_read_reg(GumArm64CpuContext *ctx, arm64_reg reg); +size_t ctx_get_size(const cs_insn *instr, cs_arm64_op *operand); +#elif defined(__arm__) +gsize ctx_read_reg(GumArmCpuContext *ctx, arm_reg reg); #endif #endif diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index ed92c25a..577481d1 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -19,9 +19,11 @@ gboolean instrument_is_coverage_optimize_supported(void); void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output); -void instrument_debug_init(void); -void instrument_debug_start(uint64_t address, GumStalkerOutput *output); -void instrument_debug_instruction(uint64_t address, uint16_t size); -void instrument_debug_end(GumStalkerOutput *output); +void instrument_debug_init(void); +void instrument_debug_start(uint64_t address, GumStalkerOutput *output); +void instrument_debug_instruction(uint64_t address, uint16_t size); +void instrument_debug_end(GumStalkerOutput *output); +void instrument_flush(GumStalkerOutput *output); +gpointer instrument_cur(GumStalkerOutput *output); #endif diff --git a/frida_mode/src/asan/asan_arm.c b/frida_mode/src/asan/asan_arm.c deleted file mode 100644 index 79475ced..00000000 --- a/frida_mode/src/asan/asan_arm.c +++ /dev/null @@ -1,28 +0,0 @@ -#include "frida-gum.h" - -#include "debug.h" - -#include "asan.h" -#include "util.h" - -#if defined(__arm__) -void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { - - UNUSED_PARAMETER(instr); - UNUSED_PARAMETER(iterator); - if (asan_initialized) { - - FATAL("ASAN mode not supported on this architecture"); - - } - -} - -void asan_arch_init(void) { - - FATAL("ASAN mode not supported on this architecture"); - -} - -#endif - diff --git a/frida_mode/src/asan/asan_arm32.c b/frida_mode/src/asan/asan_arm32.c new file mode 100644 index 00000000..79475ced --- /dev/null +++ b/frida_mode/src/asan/asan_arm32.c @@ -0,0 +1,28 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "asan.h" +#include "util.h" + +#if defined(__arm__) +void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { + + UNUSED_PARAMETER(instr); + UNUSED_PARAMETER(iterator); + if (asan_initialized) { + + FATAL("ASAN mode not supported on this architecture"); + + } + +} + +void asan_arch_init(void) { + + FATAL("ASAN mode not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/src/asan/asan_arm64.c b/frida_mode/src/asan/asan_arm64.c index 6262ee18..66138e42 100644 --- a/frida_mode/src/asan/asan_arm64.c +++ b/frida_mode/src/asan/asan_arm64.c @@ -1,18 +1,80 @@ +#include #include "frida-gum.h" #include "debug.h" #include "asan.h" +#include "ctx.h" #include "util.h" #if defined(__aarch64__) + +typedef struct { + + size_t size; + cs_arm64_op operand; + +} asan_ctx_t; + +typedef void (*asan_loadN_t)(gsize address, uint8_t size); +typedef void (*asan_storeN_t)(gsize address, uint8_t size); + +asan_loadN_t asan_loadN = NULL; +asan_storeN_t asan_storeN = NULL; + +static void asan_callout(GumCpuContext *ctx, gpointer user_data) { + + asan_ctx_t * asan_ctx = (asan_ctx_t *)user_data; + cs_arm64_op * operand = &asan_ctx->operand; + arm64_op_mem *mem = &operand->mem; + gsize base = 0; + gsize index = 0; + gsize address; + + if (mem->base != ARM64_REG_INVALID) { base = ctx_read_reg(ctx, mem->base); } + + if (mem->index != ARM64_REG_INVALID) { + + index = ctx_read_reg(ctx, mem->index); + + } + + address = base + index + mem->disp; + + if ((operand->access & CS_AC_READ) == CS_AC_READ) { + + asan_loadN(address, asan_ctx->size); + + } + + if ((operand->access & CS_AC_WRITE) == CS_AC_WRITE) { + + asan_storeN(address, asan_ctx->size); + + } + +} + void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { - UNUSED_PARAMETER(instr); UNUSED_PARAMETER(iterator); - if (asan_initialized) { - FATAL("ASAN mode not supported on this architecture"); + cs_arm64 arm64 = instr->detail->arm64; + cs_arm64_op *operand; + asan_ctx_t * ctx; + + if (!asan_initialized) return; + + for (uint8_t i = 0; i < arm64.op_count; i++) { + + operand = &arm64.operands[i]; + + if (operand->type != ARM64_OP_MEM) { continue; } + + ctx = g_malloc0(sizeof(asan_ctx_t)); + ctx->size = ctx_get_size(instr, &arm64.operands[0]); + memcpy(&ctx->operand, operand, sizeof(cs_arm64_op)); + gum_stalker_iterator_put_callout(iterator, asan_callout, ctx, g_free); } @@ -20,7 +82,13 @@ void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { void asan_arch_init(void) { - FATAL("ASAN mode not supported on this architecture"); + asan_loadN = (asan_loadN_t)dlsym(RTLD_DEFAULT, "__asan_loadN"); + asan_storeN = (asan_loadN_t)dlsym(RTLD_DEFAULT, "__asan_storeN"); + if (asan_loadN == NULL || asan_storeN == NULL) { + + FATAL("Frida ASAN failed to find '__asan_loadN' or '__asan_storeN'"); + + } } diff --git a/frida_mode/src/cmplog/cmplog_arm.c b/frida_mode/src/cmplog/cmplog_arm.c deleted file mode 100644 index 5af28f3f..00000000 --- a/frida_mode/src/cmplog/cmplog_arm.c +++ /dev/null @@ -1,19 +0,0 @@ -#include "frida-gum.h" - -#include "debug.h" - -#include "frida_cmplog.h" -#include "util.h" - -#if defined(__arm__) -void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { - - UNUSED_PARAMETER(instr); - UNUSED_PARAMETER(iterator); - if (__afl_cmp_map == NULL) { return; } - FATAL("CMPLOG mode not supported on this architecture"); - -} - -#endif - diff --git a/frida_mode/src/cmplog/cmplog_arm32.c b/frida_mode/src/cmplog/cmplog_arm32.c new file mode 100644 index 00000000..5af28f3f --- /dev/null +++ b/frida_mode/src/cmplog/cmplog_arm32.c @@ -0,0 +1,19 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "frida_cmplog.h" +#include "util.h" + +#if defined(__arm__) +void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { + + UNUSED_PARAMETER(instr); + UNUSED_PARAMETER(iterator); + if (__afl_cmp_map == NULL) { return; } + FATAL("CMPLOG mode not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/src/cmplog/cmplog_arm64.c b/frida_mode/src/cmplog/cmplog_arm64.c index 187d0162..04631ff8 100644 --- a/frida_mode/src/cmplog/cmplog_arm64.c +++ b/frida_mode/src/cmplog/cmplog_arm64.c @@ -1,17 +1,304 @@ #include "frida-gum.h" #include "debug.h" +#include "cmplog.h" +#include "ctx.h" #include "frida_cmplog.h" #include "util.h" #if defined(__aarch64__) + +typedef struct { + + arm64_op_type type; + uint8_t size; + + union { + + arm64_op_mem mem; + arm64_reg reg; + int64_t imm; + + }; + +} cmplog_ctx_t; + +typedef struct { + + cmplog_ctx_t operand1; + cmplog_ctx_t operand2; + size_t size; + +} cmplog_pair_ctx_t; + +static gboolean cmplog_read_mem(GumCpuContext *ctx, uint8_t size, + arm64_op_mem *mem, gsize *val) { + + gsize base = 0; + gsize index = 0; + gsize address; + + if (mem->base != ARM64_REG_INVALID) { base = ctx_read_reg(ctx, mem->base); } + + if (mem->index != ARM64_REG_INVALID) { + + index = ctx_read_reg(ctx, mem->index); + + } + + address = base + index + mem->disp; + + if (!cmplog_is_readable(address, size)) { return FALSE; } + + switch (size) { + + case 1: + *val = *((guint8 *)GSIZE_TO_POINTER(address)); + return TRUE; + case 2: + *val = *((guint16 *)GSIZE_TO_POINTER(address)); + return TRUE; + case 4: + *val = *((guint32 *)GSIZE_TO_POINTER(address)); + return TRUE; + case 8: + *val = *((guint64 *)GSIZE_TO_POINTER(address)); + return TRUE; + default: + FATAL("Invalid operand size: %d\n", size); + + } + + return FALSE; + +} + +static gboolean cmplog_get_operand_value(GumCpuContext *context, + cmplog_ctx_t *ctx, gsize *val) { + + switch (ctx->type) { + + case ARM64_OP_REG: + *val = ctx_read_reg(context, ctx->reg); + return TRUE; + case ARM64_OP_IMM: + *val = ctx->imm; + return TRUE; + case ARM64_OP_MEM: + return cmplog_read_mem(context, ctx->size, &ctx->mem, val); + default: + FATAL("Invalid operand type: %d\n", ctx->type); + + } + + return FALSE; + +} + +static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { + + UNUSED_PARAMETER(user_data); + + gsize address = context->pc; + gsize x0 = ctx_read_reg(context, ARM64_REG_X0); + gsize x1 = ctx_read_reg(context, ARM64_REG_X1); + + if (((G_MAXULONG - x0) < 32) || ((G_MAXULONG - x1) < 32)) return; + + if (!cmplog_is_readable(x0, 32) || !cmplog_is_readable(x1, 32)) return; + + void *ptr1 = GSIZE_TO_POINTER(x0); + void *ptr2 = GSIZE_TO_POINTER(x1); + + uintptr_t k = address; + + k = (k >> 4) ^ (k << 8); + k &= CMP_MAP_W - 1; + + __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits + 1; + + __afl_cmp_map->headers[k].shape = 31; + + hits &= CMP_MAP_RTN_H - 1; + gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0, ptr1, + 32); + gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1, ptr2, + 32); + +} + +static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx, + cs_arm64_op * operand) { + + ctx->type = operand->type; + switch (operand->type) { + + case ARM64_OP_REG: + gum_memcpy(&ctx->reg, &operand->reg, sizeof(arm64_reg)); + break; + case ARM64_OP_IMM: + gum_memcpy(&ctx->imm, &operand->imm, sizeof(int64_t)); + break; + case ARM64_OP_MEM: + gum_memcpy(&ctx->mem, &operand->mem, sizeof(arm64_op_mem)); + break; + default: + FATAL("Invalid operand type: %d\n", operand->type); + + } + +} + +static void cmplog_instrument_call(const cs_insn * instr, + GumStalkerIterator *iterator) { + + cs_arm64 arm64 = instr->detail->arm64; + cs_arm64_op *operand; + + switch (instr->id) { + + case ARM64_INS_BL: + case ARM64_INS_BLR: + case ARM64_INS_BLRAA: + case ARM64_INS_BLRAAZ: + case ARM64_INS_BLRAB: + case ARM64_INS_BLRABZ: + break; + default: + return; + + } + + if (arm64.op_count != 1) return; + + operand = &arm64.operands[0]; + + if (operand->type == ARM64_OP_INVALID) return; + + gum_stalker_iterator_put_callout(iterator, cmplog_call_callout, NULL, NULL); + +} + +static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1, + gsize operand2, uint8_t size) { + + gsize address = context->pc; + + register uintptr_t k = (uintptr_t)address; + + k = (k >> 4) ^ (k << 8); + k &= CMP_MAP_W - 1; + + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits + 1; + + __afl_cmp_map->headers[k].shape = (size - 1); + + hits &= CMP_MAP_H - 1; + __afl_cmp_map->log[k][hits].v0 = operand1; + __afl_cmp_map->log[k][hits].v1 = operand2; + +} + +static void cmplog_cmp_sub_callout(GumCpuContext *context, gpointer user_data) { + + cmplog_pair_ctx_t *ctx = (cmplog_pair_ctx_t *)user_data; + gsize operand1; + gsize operand2; + + if (!cmplog_get_operand_value(context, &ctx->operand1, &operand1)) { return; } + if (!cmplog_get_operand_value(context, &ctx->operand2, &operand2)) { return; } + + cmplog_handle_cmp_sub(context, operand1, operand2, ctx->size); + +} + +static void cmplog_instrument_cmp_sub_put_callout(GumStalkerIterator *iterator, + cs_arm64_op * operand1, + cs_arm64_op * operand2, + size_t size) { + + cmplog_pair_ctx_t *ctx = g_malloc(sizeof(cmplog_pair_ctx_t)); + if (ctx == NULL) return; + + cmplog_instrument_put_operand(&ctx->operand1, operand1); + cmplog_instrument_put_operand(&ctx->operand2, operand2); + ctx->size = size; + + gum_stalker_iterator_put_callout(iterator, cmplog_cmp_sub_callout, ctx, + g_free); + +} + +static void cmplog_instrument_cmp_sub(const cs_insn * instr, + GumStalkerIterator *iterator) { + + cs_arm64 arm64 = instr->detail->arm64; + cs_arm64_op *operand1; + cs_arm64_op *operand2; + size_t size; + + switch (instr->id) { + + case ARM64_INS_ADCS: + case ARM64_INS_ADDS: + case ARM64_INS_ANDS: + case ARM64_INS_BICS: + case ARM64_INS_CMN: + case ARM64_INS_CMP: + case ARM64_INS_CMPEQ: + case ARM64_INS_CMPGE: + case ARM64_INS_CMPGT: + case ARM64_INS_CMPHI: + case ARM64_INS_CMPHS: + case ARM64_INS_CMPLE: + case ARM64_INS_CMPLO: + case ARM64_INS_CMPLS: + case ARM64_INS_CMPLT: + case ARM64_INS_CMPNE: + case ARM64_INS_EORS: + case ARM64_INS_NANDS: + case ARM64_INS_NEGS: + case ARM64_INS_NGCS: + case ARM64_INS_NORS: + case ARM64_INS_NOTS: + case ARM64_INS_ORNS: + case ARM64_INS_ORRS: + case ARM64_INS_SBCS: + case ARM64_INS_SUBS: + break; + + default: + return; + + } + + if (arm64.op_count != 2) return; + + operand1 = &arm64.operands[0]; + operand2 = &arm64.operands[1]; + + if (operand1->type == ARM64_OP_INVALID) return; + if (operand2->type == ARM64_OP_INVALID) return; + + size = ctx_get_size(instr, &arm64.operands[0]); + + cmplog_instrument_cmp_sub_put_callout(iterator, operand1, operand2, size); + +} + void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { - UNUSED_PARAMETER(instr); - UNUSED_PARAMETER(iterator); - if (__afl_cmp_map == NULL) { return; } - FATAL("CMPLOG mode not supported on this architecture"); + if (__afl_cmp_map == NULL) return; + + cmplog_instrument_call(instr, iterator); + cmplog_instrument_cmp_sub(instr, iterator); } diff --git a/frida_mode/src/ctx/ctx_arm32.c b/frida_mode/src/ctx/ctx_arm32.c new file mode 100644 index 00000000..a5c6f6d4 --- /dev/null +++ b/frida_mode/src/ctx/ctx_arm32.c @@ -0,0 +1,16 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "ctx.h" + +#if defined(__arm__) + +gsize ctx_read_reg(GumIA32CpuContext *ctx, x86_reg reg) { + + FATAL("ctx_read_reg unimplemented for this architecture"); + +} + +#endif + diff --git a/frida_mode/src/ctx/ctx_arm64.c b/frida_mode/src/ctx/ctx_arm64.c new file mode 100644 index 00000000..d09896af --- /dev/null +++ b/frida_mode/src/ctx/ctx_arm64.c @@ -0,0 +1,303 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "ctx.h" + +#if defined(__aarch64__) + + #define ARM64_REG_8(LABEL, REG) \ + case LABEL: { \ + \ + return REG & GUM_INT8_MASK; \ + \ + } + + #define ARM64_REG_16(LABEL, REG) \ + case LABEL: { \ + \ + return (REG & GUM_INT16_MASK); \ + \ + } + + #define ARM64_REG_32(LABEL, REG) \ + case LABEL: { \ + \ + return (REG & GUM_INT32_MASK); \ + \ + } + + #define ARM64_REG_64(LABEL, REG) \ + case LABEL: { \ + \ + return (REG); \ + \ + } + +gsize ctx_read_reg(GumArm64CpuContext *ctx, arm64_reg reg) { + + switch (reg) { + + case ARM64_REG_WZR: + case ARM64_REG_XZR: + return 0; + + ARM64_REG_8(ARM64_REG_B0, ctx->x[0]) + ARM64_REG_8(ARM64_REG_B1, ctx->x[1]) + ARM64_REG_8(ARM64_REG_B2, ctx->x[2]) + ARM64_REG_8(ARM64_REG_B3, ctx->x[3]) + ARM64_REG_8(ARM64_REG_B4, ctx->x[4]) + ARM64_REG_8(ARM64_REG_B5, ctx->x[5]) + ARM64_REG_8(ARM64_REG_B6, ctx->x[6]) + ARM64_REG_8(ARM64_REG_B7, ctx->x[7]) + ARM64_REG_8(ARM64_REG_B8, ctx->x[8]) + ARM64_REG_8(ARM64_REG_B9, ctx->x[9]) + ARM64_REG_8(ARM64_REG_B10, ctx->x[10]) + ARM64_REG_8(ARM64_REG_B11, ctx->x[11]) + ARM64_REG_8(ARM64_REG_B12, ctx->x[12]) + ARM64_REG_8(ARM64_REG_B13, ctx->x[13]) + ARM64_REG_8(ARM64_REG_B14, ctx->x[14]) + ARM64_REG_8(ARM64_REG_B15, ctx->x[15]) + ARM64_REG_8(ARM64_REG_B16, ctx->x[16]) + ARM64_REG_8(ARM64_REG_B17, ctx->x[17]) + ARM64_REG_8(ARM64_REG_B18, ctx->x[18]) + ARM64_REG_8(ARM64_REG_B19, ctx->x[19]) + ARM64_REG_8(ARM64_REG_B20, ctx->x[20]) + ARM64_REG_8(ARM64_REG_B21, ctx->x[21]) + ARM64_REG_8(ARM64_REG_B22, ctx->x[22]) + ARM64_REG_8(ARM64_REG_B23, ctx->x[23]) + ARM64_REG_8(ARM64_REG_B24, ctx->x[24]) + ARM64_REG_8(ARM64_REG_B25, ctx->x[25]) + ARM64_REG_8(ARM64_REG_B26, ctx->x[26]) + ARM64_REG_8(ARM64_REG_B27, ctx->x[27]) + ARM64_REG_8(ARM64_REG_B28, ctx->x[28]) + ARM64_REG_8(ARM64_REG_B29, ctx->fp) + ARM64_REG_8(ARM64_REG_B30, ctx->lr) + ARM64_REG_8(ARM64_REG_B31, ctx->sp) + + ARM64_REG_16(ARM64_REG_H0, ctx->x[0]) + ARM64_REG_16(ARM64_REG_H1, ctx->x[1]) + ARM64_REG_16(ARM64_REG_H2, ctx->x[2]) + ARM64_REG_16(ARM64_REG_H3, ctx->x[3]) + ARM64_REG_16(ARM64_REG_H4, ctx->x[4]) + ARM64_REG_16(ARM64_REG_H5, ctx->x[5]) + ARM64_REG_16(ARM64_REG_H6, ctx->x[6]) + ARM64_REG_16(ARM64_REG_H7, ctx->x[7]) + ARM64_REG_16(ARM64_REG_H8, ctx->x[8]) + ARM64_REG_16(ARM64_REG_H9, ctx->x[9]) + ARM64_REG_16(ARM64_REG_H10, ctx->x[10]) + ARM64_REG_16(ARM64_REG_H11, ctx->x[11]) + ARM64_REG_16(ARM64_REG_H12, ctx->x[12]) + ARM64_REG_16(ARM64_REG_H13, ctx->x[13]) + ARM64_REG_16(ARM64_REG_H14, ctx->x[14]) + ARM64_REG_16(ARM64_REG_H15, ctx->x[15]) + ARM64_REG_16(ARM64_REG_H16, ctx->x[16]) + ARM64_REG_16(ARM64_REG_H17, ctx->x[17]) + ARM64_REG_16(ARM64_REG_H18, ctx->x[18]) + ARM64_REG_16(ARM64_REG_H19, ctx->x[19]) + ARM64_REG_16(ARM64_REG_H20, ctx->x[20]) + ARM64_REG_16(ARM64_REG_H21, ctx->x[21]) + ARM64_REG_16(ARM64_REG_H22, ctx->x[22]) + ARM64_REG_16(ARM64_REG_H23, ctx->x[23]) + ARM64_REG_16(ARM64_REG_H24, ctx->x[24]) + ARM64_REG_16(ARM64_REG_H25, ctx->x[25]) + ARM64_REG_16(ARM64_REG_H26, ctx->x[26]) + ARM64_REG_16(ARM64_REG_H27, ctx->x[27]) + ARM64_REG_16(ARM64_REG_H28, ctx->x[28]) + ARM64_REG_16(ARM64_REG_H29, ctx->fp) + ARM64_REG_16(ARM64_REG_H30, ctx->lr) + ARM64_REG_16(ARM64_REG_H31, ctx->sp) + + ARM64_REG_32(ARM64_REG_W0, ctx->x[0]) + ARM64_REG_32(ARM64_REG_W1, ctx->x[1]) + ARM64_REG_32(ARM64_REG_W2, ctx->x[2]) + ARM64_REG_32(ARM64_REG_W3, ctx->x[3]) + ARM64_REG_32(ARM64_REG_W4, ctx->x[4]) + ARM64_REG_32(ARM64_REG_W5, ctx->x[5]) + ARM64_REG_32(ARM64_REG_W6, ctx->x[6]) + ARM64_REG_32(ARM64_REG_W7, ctx->x[7]) + ARM64_REG_32(ARM64_REG_W8, ctx->x[8]) + ARM64_REG_32(ARM64_REG_W9, ctx->x[9]) + ARM64_REG_32(ARM64_REG_W10, ctx->x[10]) + ARM64_REG_32(ARM64_REG_W11, ctx->x[11]) + ARM64_REG_32(ARM64_REG_W12, ctx->x[12]) + ARM64_REG_32(ARM64_REG_W13, ctx->x[13]) + ARM64_REG_32(ARM64_REG_W14, ctx->x[14]) + ARM64_REG_32(ARM64_REG_W15, ctx->x[15]) + ARM64_REG_32(ARM64_REG_W16, ctx->x[16]) + ARM64_REG_32(ARM64_REG_W17, ctx->x[17]) + ARM64_REG_32(ARM64_REG_W18, ctx->x[18]) + ARM64_REG_32(ARM64_REG_W19, ctx->x[19]) + ARM64_REG_32(ARM64_REG_W20, ctx->x[20]) + ARM64_REG_32(ARM64_REG_W21, ctx->x[21]) + ARM64_REG_32(ARM64_REG_W22, ctx->x[22]) + ARM64_REG_32(ARM64_REG_W23, ctx->x[23]) + ARM64_REG_32(ARM64_REG_W24, ctx->x[24]) + ARM64_REG_32(ARM64_REG_W25, ctx->x[25]) + ARM64_REG_32(ARM64_REG_W26, ctx->x[26]) + ARM64_REG_32(ARM64_REG_W27, ctx->x[27]) + ARM64_REG_32(ARM64_REG_W28, ctx->x[28]) + ARM64_REG_32(ARM64_REG_W29, ctx->fp) + ARM64_REG_32(ARM64_REG_W30, ctx->lr) + + ARM64_REG_64(ARM64_REG_X0, ctx->x[0]) + ARM64_REG_64(ARM64_REG_X1, ctx->x[1]) + ARM64_REG_64(ARM64_REG_X2, ctx->x[2]) + ARM64_REG_64(ARM64_REG_X3, ctx->x[3]) + ARM64_REG_64(ARM64_REG_X4, ctx->x[4]) + ARM64_REG_64(ARM64_REG_X5, ctx->x[5]) + ARM64_REG_64(ARM64_REG_X6, ctx->x[6]) + ARM64_REG_64(ARM64_REG_X7, ctx->x[7]) + ARM64_REG_64(ARM64_REG_X8, ctx->x[8]) + ARM64_REG_64(ARM64_REG_X9, ctx->x[9]) + ARM64_REG_64(ARM64_REG_X10, ctx->x[10]) + ARM64_REG_64(ARM64_REG_X11, ctx->x[11]) + ARM64_REG_64(ARM64_REG_X12, ctx->x[12]) + ARM64_REG_64(ARM64_REG_X13, ctx->x[13]) + ARM64_REG_64(ARM64_REG_X14, ctx->x[14]) + ARM64_REG_64(ARM64_REG_X15, ctx->x[15]) + ARM64_REG_64(ARM64_REG_X16, ctx->x[16]) + ARM64_REG_64(ARM64_REG_X17, ctx->x[17]) + ARM64_REG_64(ARM64_REG_X18, ctx->x[18]) + ARM64_REG_64(ARM64_REG_X19, ctx->x[19]) + ARM64_REG_64(ARM64_REG_X20, ctx->x[20]) + ARM64_REG_64(ARM64_REG_X21, ctx->x[21]) + ARM64_REG_64(ARM64_REG_X22, ctx->x[22]) + ARM64_REG_64(ARM64_REG_X23, ctx->x[23]) + ARM64_REG_64(ARM64_REG_X24, ctx->x[24]) + ARM64_REG_64(ARM64_REG_X25, ctx->x[25]) + ARM64_REG_64(ARM64_REG_X26, ctx->x[26]) + ARM64_REG_64(ARM64_REG_X27, ctx->x[27]) + ARM64_REG_64(ARM64_REG_X28, ctx->x[28]) + ARM64_REG_64(ARM64_REG_FP, ctx->fp) + ARM64_REG_64(ARM64_REG_LR, ctx->lr) + ARM64_REG_64(ARM64_REG_SP, ctx->sp) + + default: + FATAL("Failed to read register: %d", reg); + return 0; + + } + +} + +size_t ctx_get_size(const cs_insn *instr, cs_arm64_op *operand) { + + uint8_t num_registers; + uint8_t count_byte; + char vas_digit; + size_t mnemonic_len; + + switch (instr->id) { + + case ARM64_INS_STP: + case ARM64_INS_STXP: + case ARM64_INS_STNP: + case ARM64_INS_STLXP: + case ARM64_INS_LDP: + case ARM64_INS_LDXP: + case ARM64_INS_LDNP: + num_registers = 2; + break; + default: + num_registers = 1; + break; + + } + + mnemonic_len = strlen(instr->mnemonic); + if (mnemonic_len == 0) { FATAL("No mnemonic found"); }; + + char last = instr->mnemonic[mnemonic_len - 1]; + switch (last) { + + case 'b': + return 1; + case 'h': + return 2; + case 'w': + return 4 * num_registers; + + } + + if (operand->vas == ARM64_VAS_INVALID) { + + if (operand->type == ARM64_OP_REG) { + + switch (operand->reg) { + + case ARM64_REG_WZR: + case ARM64_REG_WSP: + case ARM64_REG_W0 ... ARM64_REG_W30: + case ARM64_REG_S0 ... ARM64_REG_S31: + return 4 * num_registers; + case ARM64_REG_D0 ... ARM64_REG_D31: + return 8 * num_registers; + case ARM64_REG_Q0 ... ARM64_REG_Q31: + return 16; + default: + return 8 * num_registers; + ; + + } + + } + + return 8 * num_registers; + + } + + if (g_str_has_prefix(instr->mnemonic, "st") || + g_str_has_prefix(instr->mnemonic, "ld")) { + + if (mnemonic_len < 3) { + + FATAL("VAS Mnemonic too short: %s\n", instr->mnemonic); + + } + + vas_digit = instr->mnemonic[2]; + if (vas_digit < '0' || vas_digit > '9') { + + FATAL("VAS Mnemonic digit out of range: %s\n", instr->mnemonic); + + } + + count_byte = vas_digit - '0'; + + } else { + + count_byte = 1; + + } + + switch (operand->vas) { + + case ARM64_VAS_1B: + return 1 * count_byte; + case ARM64_VAS_1H: + return 2 * count_byte; + case ARM64_VAS_4B: + case ARM64_VAS_1S: + case ARM64_VAS_1D: + case ARM64_VAS_2H: + return 4 * count_byte; + case ARM64_VAS_8B: + case ARM64_VAS_4H: + case ARM64_VAS_2S: + case ARM64_VAS_2D: + case ARM64_VAS_1Q: + return 8 * count_byte; + case ARM64_VAS_8H: + case ARM64_VAS_4S: + case ARM64_VAS_16B: + return 16 * count_byte; + default: + FATAL("Unexpected VAS type: %s %d", instr->mnemonic, operand->vas); + + } + +} + +#endif + diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index cd1ac0be..f261e79a 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -84,6 +84,8 @@ static void instr_basic_block(GumStalkerIterator *iterator, while (gum_stalker_iterator_next(iterator, &instr)) { + if (unlikely(begin)) { instrument_debug_start(instr->address, output); } + if (instr->address == entry_start) { entry_prologue(iterator, output); } if (instr->address == persistent_start) { persistent_prologue(output); } if (instr->address == persistent_ret) { persistent_epilogue(output); } @@ -119,8 +121,6 @@ static void instr_basic_block(GumStalkerIterator *iterator, if (unlikely(begin)) { - instrument_debug_start(instr->address, output); - prefetch_write(GSIZE_TO_POINTER(instr->address)); if (likely(!excluded)) { @@ -155,6 +155,7 @@ static void instr_basic_block(GumStalkerIterator *iterator, } + instrument_flush(output); instrument_debug_end(output); } diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index 1a3c40bb..450a69a3 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -22,5 +22,17 @@ void instrument_coverage_optimize(const cs_insn * instr, } +void instrument_flush(GumStalkerOutput *output) { + + gum_arm_writer_flush(output->writer.arm); + +} + +gpointer instrument_cur(GumStalkerOutput *output) { + + return gum_arm_writer_cur(output->writer.arm); + +} + #endif diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index fa3afb48..49ee86a2 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -93,5 +93,17 @@ void instrument_coverage_optimize(const cs_insn * instr, } +void instrument_flush(GumStalkerOutput *output) { + + gum_arm64_writer_flush(output->writer.arm64); + +} + +gpointer instrument_cur(GumStalkerOutput *output) { + + return gum_arm64_writer_cur(output->writer.arm64); + +} + #endif diff --git a/frida_mode/src/instrument/instrument_debug.c b/frida_mode/src/instrument/instrument_debug.c index f8c1df77..0ce26a1c 100644 --- a/frida_mode/src/instrument/instrument_debug.c +++ b/frida_mode/src/instrument/instrument_debug.c @@ -7,6 +7,7 @@ #include "debug.h" +#include "instrument.h" #include "util.h" static int debugging_fd = -1; @@ -31,44 +32,50 @@ static void instrument_debug(char *format, ...) { } -static void instrument_disasm(guint8 *code, guint size) { +static void instrument_disasm(guint8 *start, guint8 *end) { csh capstone; cs_err err; + uint16_t size; cs_insn *insn; - size_t count, i; + size_t count = 0; + size_t i; + uint16_t len; err = cs_open(GUM_DEFAULT_CS_ARCH, GUM_DEFAULT_CS_MODE | GUM_DEFAULT_CS_ENDIAN, &capstone); g_assert(err == CS_ERR_OK); - count = cs_disasm(capstone, code, size, GPOINTER_TO_SIZE(code), 0, &insn); - g_assert(insn != NULL); + size = GPOINTER_TO_SIZE(end) - GPOINTER_TO_SIZE(start); - for (i = 0; i != count; i++) { + for (guint8 *curr = start; curr < end; curr += len, size -= len, len = 0) { - instrument_debug("\t0x%" G_GINT64_MODIFIER "x\t%s %s\n", insn[i].address, - insn[i].mnemonic, insn[i].op_str); + count = cs_disasm(capstone, curr, size, GPOINTER_TO_SIZE(curr), 0, &insn); + if (insn == NULL) { - } + instrument_debug("\t0x%" G_GINT64_MODIFIER "x\t* 0x%016" G_GSIZE_MODIFIER + "x\n", + curr, *(size_t *)curr); - cs_free(insn, count); + len += sizeof(size_t); + continue; - cs_close(&capstone); + } -} + for (i = 0; i != count; i++) { + + instrument_debug("\t0x%" G_GINT64_MODIFIER "x\t%s %s\n", insn[i].address, + insn[i].mnemonic, insn[i].op_str); + + len += insn[i].size; -static gpointer instrument_cur(GumStalkerOutput *output) { + } -#if defined(__i386__) || defined(__x86_64__) - return gum_x86_writer_cur(output->writer.x86); -#elif defined(__aarch64__) - return gum_arm64_writer_cur(output->writer.arm64); -#elif defined(__arm__) - return gum_arm_writer_cur(output->writer.arm); -#else - #error "Unsupported architecture" -#endif + } + + cs_free(insn, count); + + cs_close(&capstone); } @@ -111,7 +118,7 @@ void instrument_debug_instruction(uint64_t address, uint16_t size) { if (likely(debugging_fd < 0)) { return; } uint8_t *start = (uint8_t *)GSIZE_TO_POINTER(address); - instrument_disasm(start, size); + instrument_disasm(start, start + size); } @@ -119,11 +126,10 @@ void instrument_debug_end(GumStalkerOutput *output) { if (likely(debugging_fd < 0)) { return; } gpointer instrument_gen_end = instrument_cur(output); - uint16_t size = GPOINTER_TO_SIZE(instrument_gen_end) - - GPOINTER_TO_SIZE(instrument_gen_start); - instrument_debug("\nGenerated block %p\n", instrument_gen_start); - instrument_disasm(instrument_gen_start, size); + instrument_debug("\nGenerated block %p-%p\n", instrument_gen_start, + instrument_gen_end); + instrument_disasm(instrument_gen_start, instrument_gen_end); } diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 901f3bd0..7000e65d 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -89,5 +89,17 @@ void instrument_coverage_optimize(const cs_insn * instr, } +void instrument_flush(GumStalkerOutput *output) { + + gum_x86_writer_flush(output->writer.x86); + +} + +gpointer instrument_cur(GumStalkerOutput *output) { + + return gum_x86_writer_cur(output->writer.x86); + +} + #endif diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index 585bb5b8..04a19e08 100644 --- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c @@ -81,5 +81,17 @@ void instrument_coverage_optimize(const cs_insn * instr, } +void instrument_flush(GumStalkerOutput *output) { + + gum_x86_writer_flush(output->writer.x86); + +} + +gpointer instrument_cur(GumStalkerOutput *output) { + + return gum_x86_writer_cur(output->writer.x86); + +} + #endif diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c index 1215d8da..b23693fe 100644 --- a/frida_mode/src/persistent/persistent_arm64.c +++ b/frida_mode/src/persistent/persistent_arm64.c @@ -1,9 +1,11 @@ +#include #include "frida-gum.h" #include "config.h" #include "debug.h" #include "instrument.h" +#include "persistent.h" #include "util.h" #if defined(__aarch64__) @@ -98,23 +100,365 @@ struct arm64_regs { typedef struct arm64_regs arch_api_regs; +static arch_api_regs saved_regs = {0}; +static gpointer saved_lr = NULL; + gboolean persistent_is_supported(void) { - return false; + return true; + +} + +static void instrument_persitent_save_regs(GumArm64Writer * cw, + struct arm64_regs *regs) { + + GumAddress regs_address = GUM_ADDRESS(regs); + const guint32 mrs_x1_nzcv = 0xd53b4201; + + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X0, ARM64_REG_X1, ARM64_REG_SP, -(16 + GUM_RED_ZONE_SIZE), + GUM_INDEX_PRE_ADJUST); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3, + ARM64_REG_SP, -(16), + GUM_INDEX_PRE_ADJUST); + + gum_arm64_writer_put_instruction(cw, mrs_x1_nzcv); + + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X0, + GUM_ADDRESS(regs_address)); + + /* Skip x0 & x1 we'll do that later */ + + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3, + ARM64_REG_X0, (16 * 1), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X4, ARM64_REG_X5, + ARM64_REG_X0, (16 * 2), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X6, ARM64_REG_X7, + ARM64_REG_X0, (16 * 3), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X8, ARM64_REG_X9, + ARM64_REG_X0, (16 * 4), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X10, ARM64_REG_X11, + ARM64_REG_X0, (16 * 5), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X12, ARM64_REG_X13, + ARM64_REG_X0, (16 * 6), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X14, ARM64_REG_X15, + ARM64_REG_X0, (16 * 7), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X16, ARM64_REG_X17, + ARM64_REG_X0, (16 * 8), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X18, ARM64_REG_X19, + ARM64_REG_X0, (16 * 9), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X20, ARM64_REG_X21, + ARM64_REG_X0, (16 * 10), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X22, ARM64_REG_X23, + ARM64_REG_X0, (16 * 11), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X24, ARM64_REG_X25, + ARM64_REG_X0, (16 * 12), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X26, ARM64_REG_X27, + ARM64_REG_X0, (16 * 13), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X28, ARM64_REG_X29, + ARM64_REG_X0, (16 * 14), + GUM_INDEX_SIGNED_OFFSET); + + /* LR & Adjusted SP */ + gum_arm64_writer_put_add_reg_reg_imm(cw, ARM64_REG_X2, ARM64_REG_SP, + (GUM_RED_ZONE_SIZE + 32)); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X30, ARM64_REG_X2, + ARM64_REG_X0, (16 * 15), + GUM_INDEX_SIGNED_OFFSET); + + /* PC & CPSR */ + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X2, + GUM_ADDRESS(persistent_start)); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X1, + ARM64_REG_X0, (16 * 16), + GUM_INDEX_SIGNED_OFFSET); + + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q0, ARM64_REG_Q1, + ARM64_REG_X0, (16 * 17), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q2, ARM64_REG_Q3, + ARM64_REG_X0, (16 * 18), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q4, ARM64_REG_Q5, + ARM64_REG_X0, (16 * 19), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q6, ARM64_REG_Q7, + ARM64_REG_X0, (16 * 20), + GUM_INDEX_SIGNED_OFFSET); + + /* x0 & x1 */ + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3, + ARM64_REG_SP, 16, + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3, + ARM64_REG_X0, (16 * 0), + GUM_INDEX_SIGNED_OFFSET); + + /* Pop the saved values */ + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X2, ARM64_REG_X3, ARM64_REG_SP, 16, GUM_INDEX_POST_ADJUST); + + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X0, ARM64_REG_X1, ARM64_REG_SP, 16 + GUM_RED_ZONE_SIZE, + GUM_INDEX_POST_ADJUST); + +} + +static void instrument_persitent_restore_regs(GumArm64Writer * cw, + struct arm64_regs *regs) { + + GumAddress regs_address = GUM_ADDRESS(regs); + const guint32 msr_nzcv_x1 = 0xd51b4201; + + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X0, + GUM_ADDRESS(regs_address)); + + /* Skip x0 - x3 we'll do that last */ + + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X4, ARM64_REG_X5, + ARM64_REG_X0, (16 * 2), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X6, ARM64_REG_X7, + ARM64_REG_X0, (16 * 3), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X8, ARM64_REG_X9, + ARM64_REG_X0, (16 * 4), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X10, ARM64_REG_X11, + ARM64_REG_X0, (16 * 5), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X12, ARM64_REG_X13, + ARM64_REG_X0, (16 * 6), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X14, ARM64_REG_X15, + ARM64_REG_X0, (16 * 7), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X16, ARM64_REG_X17, + ARM64_REG_X0, (16 * 8), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X18, ARM64_REG_X19, + ARM64_REG_X0, (16 * 9), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X20, ARM64_REG_X21, + ARM64_REG_X0, (16 * 10), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X22, ARM64_REG_X23, + ARM64_REG_X0, (16 * 11), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X24, ARM64_REG_X25, + ARM64_REG_X0, (16 * 12), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X26, ARM64_REG_X27, + ARM64_REG_X0, (16 * 13), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X28, ARM64_REG_X29, + ARM64_REG_X0, (16 * 14), + GUM_INDEX_SIGNED_OFFSET); + + /* Don't restore RIP or RSP, use x1-x3 as clobber */ + + /* LR & Adjusted SP (clobber x1) */ + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X30, ARM64_REG_X1, + ARM64_REG_X0, (16 * 15), + GUM_INDEX_SIGNED_OFFSET); + + /* PC (x2) & CPSR (x1) */ + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X1, + ARM64_REG_X0, (16 * 16), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_instruction(cw, msr_nzcv_x1); + + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q0, ARM64_REG_Q1, + ARM64_REG_X0, (16 * 17), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q2, ARM64_REG_Q3, + ARM64_REG_X0, (16 * 18), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q4, ARM64_REG_Q5, + ARM64_REG_X0, (16 * 19), + GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q6, ARM64_REG_Q7, + ARM64_REG_X0, (16 * 20), + GUM_INDEX_SIGNED_OFFSET); + + /* x2 & x3 */ + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3, + ARM64_REG_X0, (16 * 1), + GUM_INDEX_SIGNED_OFFSET); + /* x0 & x1 */ + gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X0, ARM64_REG_X1, + ARM64_REG_X0, (16 * 0), + GUM_INDEX_SIGNED_OFFSET); + +} + +static void instrument_exit(GumArm64Writer *cw) { + + gum_arm64_writer_put_mov_reg_reg(cw, ARM64_REG_X0, ARM64_REG_XZR); + gum_arm64_writer_put_call_address_with_arguments( + cw, GUM_ADDRESS(_exit), 1, GUM_ARG_REGISTER, ARM64_REG_X0); + +} + +static int instrument_afl_persistent_loop_func(void) { + + int ret = __afl_persistent_loop(persistent_count); + previous_pc = 0; + return ret; + +} + +static void instrument_afl_persistent_loop(GumArm64Writer *cw) { + + gum_arm64_writer_put_sub_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP, + GUM_RED_ZONE_SIZE); + gum_arm64_writer_put_call_address_with_arguments( + cw, GUM_ADDRESS(instrument_afl_persistent_loop_func), 0); + gum_arm64_writer_put_add_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP, + GUM_RED_ZONE_SIZE); + +} + +static void persistent_prologue_hook(GumArm64Writer * cw, + struct arm64_regs *regs) { + + if (hook == NULL) return; + + gum_arm64_writer_put_sub_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP, + GUM_RED_ZONE_SIZE); + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X3, + GUM_ADDRESS(&__afl_fuzz_len)); + gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X3, ARM64_REG_X3, 0); + gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X3, ARM64_REG_X3, 0); + + gum_arm64_writer_put_and_reg_reg_imm(cw, ARM64_REG_X3, ARM64_REG_X3, + G_MAXULONG); + + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X2, + GUM_ADDRESS(&__afl_fuzz_ptr)); + gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X2, 0); + + gum_arm64_writer_put_call_address_with_arguments( + cw, GUM_ADDRESS(hook), 4, GUM_ARG_ADDRESS, GUM_ADDRESS(regs), + GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_REGISTER, ARM64_REG_X2, + GUM_ARG_REGISTER, ARM64_REG_X3); + + gum_arm64_writer_put_add_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP, + GUM_RED_ZONE_SIZE); + +} + +static void instrument_persitent_save_lr(GumArm64Writer *cw) { + + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X0, ARM64_REG_X1, ARM64_REG_SP, -(16 + GUM_RED_ZONE_SIZE), + GUM_INDEX_PRE_ADJUST); + + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X0, + GUM_ADDRESS(&saved_lr)); + + gum_arm64_writer_put_str_reg_reg_offset(cw, ARM64_REG_LR, ARM64_REG_X0, 0); + + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X0, ARM64_REG_X1, ARM64_REG_SP, 16 + GUM_RED_ZONE_SIZE, + GUM_INDEX_POST_ADJUST); } void persistent_prologue(GumStalkerOutput *output) { - UNUSED_PARAMETER(output); - FATAL("Persistent mode not supported on this architecture"); + /* + * SAVE REGS + * SAVE RET + * POP RET + * loop: + * CALL instrument_afl_persistent_loop + * TEST EAX, EAX + * JZ end: + * call hook (optionally) + * RESTORE REGS + * call original + * jmp loop: + * + * end: + * JMP SAVED RET + * + * original: + * INSTRUMENTED PERSISTENT FUNC + */ + + GumArm64Writer *cw = output->writer.arm64; + + gconstpointer loop = cw->code + 1; + + /* Stack must be 16-byte aligned per ABI */ + instrument_persitent_save_regs(cw, &saved_regs); + + /* loop: */ + gum_arm64_writer_put_label(cw, loop); + + /* call instrument_prologue_func */ + instrument_afl_persistent_loop(cw); + + /* jz done */ + gconstpointer done = cw->code + 1; + gum_arm64_writer_put_cmp_reg_reg(cw, ARM64_REG_X0, ARM64_REG_XZR); + gum_arm64_writer_put_b_cond_label(cw, ARM64_CC_EQ, done); + + /* Optionally call the persistent hook */ + persistent_prologue_hook(cw, &saved_regs); + + instrument_persitent_restore_regs(cw, &saved_regs); + gconstpointer original = cw->code + 1; + /* call original */ + + gum_arm64_writer_put_bl_label(cw, original); + + /* jmp loop */ + gum_arm64_writer_put_b_label(cw, loop); + + /* done: */ + gum_arm64_writer_put_label(cw, done); + + instrument_exit(cw); + + /* original: */ + gum_arm64_writer_put_label(cw, original); + + instrument_persitent_save_lr(cw); + + if (persistent_debug) { gum_arm64_writer_put_brk_imm(cw, 0); } } void persistent_epilogue(GumStalkerOutput *output) { - UNUSED_PARAMETER(output); - FATAL("Persistent mode not supported on this architecture"); + GumArm64Writer *cw = output->writer.arm64; + + if (persistent_debug) { gum_arm64_writer_put_brk_imm(cw, 0); } + + gum_arm64_writer_put_add_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP, + persistent_ret_offset); + + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X0, + GUM_ADDRESS(&saved_lr)); + + gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X0, ARM64_REG_X0, 0); + + gum_arm64_writer_put_br_reg(cw, ARM64_REG_X0); } diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c index 4cb960fc..858ad38e 100644 --- a/frida_mode/src/persistent/persistent_x64.c +++ b/frida_mode/src/persistent/persistent_x64.c @@ -306,8 +306,6 @@ void persistent_prologue(GumStalkerOutput *output) { if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); } - gum_x86_writer_flush(cw); - } void persistent_epilogue(GumStalkerOutput *output) { diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c index b30dfadf..0675edf4 100644 --- a/frida_mode/src/persistent/persistent_x86.c +++ b/frida_mode/src/persistent/persistent_x86.c @@ -246,8 +246,6 @@ void persistent_prologue(GumStalkerOutput *output) { if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); } - gum_x86_writer_flush(cw); - } void persistent_epilogue(GumStalkerOutput *output) { diff --git a/frida_mode/src/stats/stats.c b/frida_mode/src/stats/stats.c index 662fb6d5..0d7b9fb0 100644 --- a/frida_mode/src/stats/stats.c +++ b/frida_mode/src/stats/stats.c @@ -96,7 +96,6 @@ void stats_init(void) { void stats_vprint(int fd, char *format, va_list ap) { char buffer[4096] = {0}; - int ret; int len; if (vsnprintf(buffer, sizeof(buffer) - 1, format, ap) < 0) { return; } diff --git a/frida_mode/src/stats/stats_arm.c b/frida_mode/src/stats/stats_arm.c deleted file mode 100644 index 7eea7f91..00000000 --- a/frida_mode/src/stats/stats_arm.c +++ /dev/null @@ -1,36 +0,0 @@ -#include "frida-gum.h" - -#include "debug.h" - -#include "stats.h" -#include "util.h" - -#if defined(__arm__) - -gboolean stats_is_supported_arch(void) { - - return FALSE; - -} - -size_t stats_data_size_arch(void) { - - FATAL("Stats not supported on this architecture"); - -} - -void stats_write_arch(void) { - - FATAL("Stats not supported on this architecture"); - -} - -void stats_collect_arch(const cs_insn *instr) { - - UNUSED_PARAMETER(instr); - FATAL("Stats not supported on this architecture"); - -} - -#endif - diff --git a/frida_mode/src/stats/stats_arm32.c b/frida_mode/src/stats/stats_arm32.c new file mode 100644 index 00000000..7eea7f91 --- /dev/null +++ b/frida_mode/src/stats/stats_arm32.c @@ -0,0 +1,36 @@ +#include "frida-gum.h" + +#include "debug.h" + +#include "stats.h" +#include "util.h" + +#if defined(__arm__) + +gboolean stats_is_supported_arch(void) { + + return FALSE; + +} + +size_t stats_data_size_arch(void) { + + FATAL("Stats not supported on this architecture"); + +} + +void stats_write_arch(void) { + + FATAL("Stats not supported on this architecture"); + +} + +void stats_collect_arch(const cs_insn *instr) { + + UNUSED_PARAMETER(instr); + FATAL("Stats not supported on this architecture"); + +} + +#endif + diff --git a/frida_mode/test/cmplog/GNUmakefile b/frida_mode/test/cmplog/GNUmakefile index 40de6a09..4c71bb33 100644 --- a/frida_mode/test/cmplog/GNUmakefile +++ b/frida_mode/test/cmplog/GNUmakefile @@ -13,7 +13,7 @@ CMP_LOG_INPUT:=$(TEST_DATA_DIR)in QEMU_OUT:=$(BUILD_DIR)qemu-out FRIDA_OUT:=$(BUILD_DIR)frida-out -.PHONY: all 32 clean qemu frida format +.PHONY: all 32 clean qemu frida frida-nocmplog format all: $(TEST_CMPLOG_OBJ) make -C $(ROOT)frida_mode/ @@ -55,6 +55,15 @@ frida: $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT) -- \ $(TEST_CMPLOG_OBJ) @@ +frida-nocmplog: $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT) + $(ROOT)afl-fuzz \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -Z \ + -- \ + $(TEST_CMPLOG_OBJ) @@ + debug: $(TEST_CMPLOG_OBJ) $(CMP_LOG_INPUT) gdb \ --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ diff --git a/frida_mode/test/cmplog/Makefile b/frida_mode/test/cmplog/Makefile index 606b43a5..7ca9a9a5 100644 --- a/frida_mode/test/cmplog/Makefile +++ b/frida_mode/test/cmplog/Makefile @@ -15,6 +15,10 @@ qemu: frida: @gmake frida + +frida-nocmplog: + @gmake frida-nocmplog + format: @gmake format diff --git a/frida_mode/test/cmplog/cmplog.c b/frida_mode/test/cmplog/cmplog.c index 99010645..ce5cf20e 100644 --- a/frida_mode/test/cmplog/cmplog.c +++ b/frida_mode/test/cmplog/cmplog.c @@ -53,7 +53,7 @@ int main(int argc, char **argv) { } -#if defined(__x86_64__) +#if defined(__x86_64__) || defined(__aarch64__) uint64_t x = 0; fread(&x, sizeof(x), 1, file); if (x != 0xCAFEBABECAFEBABE) { diff --git a/frida_mode/test/fasan/GNUmakefile b/frida_mode/test/fasan/GNUmakefile index 08b271de..c971c724 100644 --- a/frida_mode/test/fasan/GNUmakefile +++ b/frida_mode/test/fasan/GNUmakefile @@ -46,7 +46,7 @@ ifeq "$(ARCH)" "x86_64" LIBASAN_FILE:=libclang_rt.asan-x86_64.so endif -ifeq "$(ARCH)" "aarch64" +ifeq "$(ARCH)" "arm64" LIBASAN_FILE:=libclang_rt.asan-aarch64.so endif @@ -110,7 +110,7 @@ $(TEST_DATA_DIR): | $(BUILD_DIR) mkdir -p $@ $(TEST_DATA_FILE): | $(TEST_DATA_DIR) - echo -n "TUODATM" > $@ + echo -n "XUODATM" > $@ frida-noasan: $(TEST_BIN) $(TEST_DATA_FILE) $(ROOT)afl-fuzz \ diff --git a/frida_mode/test/persistent_ret/GNUmakefile b/frida_mode/test/persistent_ret/GNUmakefile index df48d065..4c9d8a19 100644 --- a/frida_mode/test/persistent_ret/GNUmakefile +++ b/frida_mode/test/persistent_ret/GNUmakefile @@ -85,7 +85,7 @@ frida_ret: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) -- \ $(TESTINSTBIN) @@ -debug: $(TESTINSTR_DATA_FILE) +debug: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) gdb \ --ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR)' \ --ex 'set environment AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET)' \ @@ -96,7 +96,7 @@ debug: $(TESTINSTR_DATA_FILE) --ex 'set disassembly-flavor intel' \ --args $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) -run: $(TESTINSTR_DATA_FILE) +run: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET) \ AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET) \ diff --git a/frida_mode/test/png/persistent/GNUmakefile b/frida_mode/test/png/persistent/GNUmakefile index ca6f0ff2..5af64822 100644 --- a/frida_mode/test/png/persistent/GNUmakefile +++ b/frida_mode/test/png/persistent/GNUmakefile @@ -5,6 +5,7 @@ BUILD_DIR:=$(PWD)build/ TEST_BIN:=$(PWD)../build/test TEST_DATA_DIR:=../build/libpng/libpng-1.2.56/contrib/pngsuite/ +AFLPP_DRIVER_DUMMY_INPUT:=$(BUILD_DIR)in QEMU_OUT:=$(BUILD_DIR)qemu-out FRIDA_OUT:=$(BUILD_DIR)frida-out @@ -22,8 +23,7 @@ endif AFL_QEMU_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s main -b 0x4000000000) -ARCH=$(shell uname -m) -ifeq "$(ARCH)" "aarch64" +ifeq "$(ARCH)" "arm64" AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TEST_BIN) -s main -b 0x0000aaaaaaaaa000) endif @@ -46,6 +46,9 @@ all: $(BUILD_DIR): mkdir -p $@ +$(AFLPP_DRIVER_DUMMY_INPUT): | $(BUILD_DIR) + truncate -s 1M $@ + qemu: | $(BUILD_DIR) AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_QEMU_PERSISTENT_GPR=1 \ @@ -94,5 +97,12 @@ frida_entry: | $(BUILD_DIR) -- \ $(TEST_BIN) @@ +debug: $(AFLPP_DRIVER_DUMMY_INPUT) + gdb \ + --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ + --ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR)' \ + --ex 'set disassembly-flavor intel' \ + --args $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) + clean: rm -rf $(BUILD_DIR) diff --git a/frida_mode/test/png/persistent/Makefile b/frida_mode/test/png/persistent/Makefile index cde0cf30..c2bd55f9 100644 --- a/frida_mode/test/png/persistent/Makefile +++ b/frida_mode/test/png/persistent/Makefile @@ -20,3 +20,6 @@ frida: frida_entry: @gmake frida_entry + +debug: + @gmake debug diff --git a/frida_mode/test/png/persistent/hook/GNUmakefile b/frida_mode/test/png/persistent/hook/GNUmakefile index 82f08fa4..b17f3775 100644 --- a/frida_mode/test/png/persistent/hook/GNUmakefile +++ b/frida_mode/test/png/persistent/hook/GNUmakefile @@ -34,7 +34,7 @@ endif AFL_QEMU_PERSISTENT_ADDR=$(shell $(PWD)../get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x4000000000) -ifeq "$(ARCH)" "aarch64" +ifeq "$(ARCH)" "arm64" AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)../get_symbol_addr.py -f $(TEST_BIN) -s LLVMFuzzerTestOneInput -b 0x0000aaaaaaaaa000) endif @@ -124,7 +124,7 @@ frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) -debug: +debug: $(AFLPP_DRIVER_DUMMY_INPUT) echo $(AFL_FRIDA_PERSISTENT_ADDR) gdb \ --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ diff --git a/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c b/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c index 059d438d..1542c0bf 100644 --- a/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c +++ b/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c @@ -82,6 +82,102 @@ void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base, *arg2 = (void *)input_buf_len; } +#elif defined(__aarch64__) + +struct arm64_regs { + + uint64_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10; + + union { + + uint64_t x11; + uint32_t fp_32; + + }; + + union { + + uint64_t x12; + uint32_t ip_32; + + }; + + union { + + uint64_t x13; + uint32_t sp_32; + + }; + + union { + + uint64_t x14; + uint32_t lr_32; + + }; + + union { + + uint64_t x15; + uint32_t pc_32; + + }; + + union { + + uint64_t x16; + uint64_t ip0; + + }; + + union { + + uint64_t x17; + uint64_t ip1; + + }; + + uint64_t x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28; + + union { + + uint64_t x29; + uint64_t fp; + + }; + + union { + + uint64_t x30; + uint64_t lr; + + }; + + union { + + uint64_t x31; + uint64_t sp; + + }; + + // the zero register is not saved here ofc + + uint64_t pc; + + uint32_t cpsr; + + uint8_t vfp_zregs[32][16 * 16]; + uint8_t vfp_pregs[17][32]; + uint32_t vfp_xregs[16]; + +}; + +void afl_persistent_hook(struct arm64_regs *regs, uint64_t guest_base, + uint8_t *input_buf, uint32_t input_buf_len) { + + memcpy((void *)regs->x0, input_buf, input_buf_len); + regs->x1 = input_buf_len; +} #else #pragma error "Unsupported architecture" -- cgit 1.4.1 From f348a35ec6cece54796599865c683505a475fe88 Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Thu, 24 Jun 2021 18:46:08 +0100 Subject: Added JS support (#992) * Added JS support * Added some documentation Co-authored-by: Your Name --- frida_mode/GNUmakefile | 40 +++-- frida_mode/README.md | 4 + frida_mode/Scripting.md | 240 +++++++++++++++++++++++++++ frida_mode/include/asan.h | 3 +- frida_mode/include/ctx.h | 2 +- frida_mode/include/entry.h | 8 +- frida_mode/include/frida_cmplog.h | 1 + frida_mode/include/instrument.h | 16 +- frida_mode/include/intercept.h | 11 ++ frida_mode/include/interceptor.h | 11 -- frida_mode/include/js.h | 18 ++ frida_mode/include/lib.h | 4 +- frida_mode/include/output.h | 6 +- frida_mode/include/persistent.h | 7 +- frida_mode/include/prefetch.h | 5 +- frida_mode/include/ranges.h | 9 +- frida_mode/include/stalker.h | 3 +- frida_mode/include/stats.h | 7 +- frida_mode/include/util.h | 2 +- frida_mode/src/asan/asan.c | 21 ++- frida_mode/src/asan/asan_arm32.c | 2 +- frida_mode/src/asan/asan_arm64.c | 2 +- frida_mode/src/asan/asan_x64.c | 2 +- frida_mode/src/asan/asan_x86.c | 2 +- frida_mode/src/cmplog/cmplog.c | 16 +- frida_mode/src/cmplog/cmplog_arm32.c | 2 +- frida_mode/src/cmplog/cmplog_arm64.c | 2 +- frida_mode/src/cmplog/cmplog_x64.c | 2 +- frida_mode/src/cmplog/cmplog_x86.c | 2 +- frida_mode/src/ctx/ctx_arm32.c | 2 +- frida_mode/src/ctx/ctx_arm64.c | 2 +- frida_mode/src/ctx/ctx_x64.c | 2 +- frida_mode/src/ctx/ctx_x86.c | 2 +- frida_mode/src/entry.c | 19 ++- frida_mode/src/instrument/instrument.c | 66 ++++---- frida_mode/src/instrument/instrument_arm32.c | 2 +- frida_mode/src/instrument/instrument_arm64.c | 4 +- frida_mode/src/instrument/instrument_debug.c | 23 ++- frida_mode/src/instrument/instrument_x64.c | 4 +- frida_mode/src/instrument/instrument_x86.c | 4 +- frida_mode/src/intercept.c | 35 ++++ frida_mode/src/interceptor.c | 35 ---- frida_mode/src/js/api.js | 201 ++++++++++++++++++++++ frida_mode/src/js/js.c | 113 +++++++++++++ frida_mode/src/js/js_api.c | 142 ++++++++++++++++ frida_mode/src/lib/lib.c | 6 +- frida_mode/src/lib/lib_apple.c | 6 +- frida_mode/src/main.c | 53 +++--- frida_mode/src/output.c | 28 +++- frida_mode/src/persistent/persistent.c | 57 +++---- frida_mode/src/persistent/persistent_arm32.c | 2 +- frida_mode/src/persistent/persistent_arm64.c | 8 +- frida_mode/src/persistent/persistent_x64.c | 8 +- frida_mode/src/persistent/persistent_x86.c | 8 +- frida_mode/src/prefetch.c | 37 ++++- frida_mode/src/ranges.c | 120 +++++++------- frida_mode/src/stalker.c | 31 +++- frida_mode/src/stats/stats.c | 33 ++-- frida_mode/src/stats/stats_arm32.c | 2 +- frida_mode/src/stats/stats_arm64.c | 2 +- frida_mode/src/stats/stats_x64.c | 2 +- frida_mode/src/stats/stats_x86.c | 2 +- frida_mode/test/deferred/GNUmakefile | 2 +- frida_mode/test/js/GNUmakefile | 44 +++++ frida_mode/test/js/Makefile | 16 ++ frida_mode/test/js/test.js | 20 +++ frida_mode/test/js/testinstr.c | 121 ++++++++++++++ frida_mode/test/persistent_ret/GNUmakefile | 10 ++ frida_mode/test/persistent_ret/test.js | 38 +++++ include/envs.h | 3 +- 70 files changed, 1460 insertions(+), 305 deletions(-) create mode 100644 frida_mode/Scripting.md create mode 100644 frida_mode/include/intercept.h delete mode 100644 frida_mode/include/interceptor.h create mode 100644 frida_mode/include/js.h create mode 100644 frida_mode/src/intercept.c delete mode 100644 frida_mode/src/interceptor.c create mode 100644 frida_mode/src/js/api.js create mode 100644 frida_mode/src/js/js.c create mode 100644 frida_mode/src/js/js_api.c create mode 100644 frida_mode/test/js/GNUmakefile create mode 100644 frida_mode/test/js/Makefile create mode 100644 frida_mode/test/js/test.js create mode 100644 frida_mode/test/js/testinstr.c create mode 100644 frida_mode/test/persistent_ret/test.js (limited to 'frida_mode/include') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index 2f637412..fdacff62 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -6,6 +6,11 @@ INCLUDES:=$(wildcard $(INC_DIR)*.h) BUILD_DIR:=$(PWD)build/ OBJ_DIR:=$(BUILD_DIR)obj/ +JS_DIR:=$(SRC_DIR)js/ +JS_NAME:=api.js +JS:=$(JS_DIR)$(JS_NAME) +JS_SRC:=$(BUILD_DIR)api.c +JS_OBJ:=$(BUILD_DIR)api.o SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c) OBJS:=$(foreach src,$(SOURCES),$(OBJ_DIR)$(notdir $(patsubst %.c, %.o, $(src)))) CFLAGS+=-fPIC \ @@ -71,25 +76,25 @@ ifndef OS endif GUM_DEVKIT_VERSION=14.2.18 -GUM_DEVKIT_FILENAME=frida-gum-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar.xz +GUM_DEVKIT_FILENAME=frida-gumjs-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar.xz GUM_DEVKIT_URL="https://github.com/frida/frida/releases/download/$(GUM_DEVKIT_VERSION)/$(GUM_DEVKIT_FILENAME)" GUM_DEVKIT_TARBALL:=$(FRIDA_BUILD_DIR)$(GUM_DEVKIT_FILENAME) -GUM_DEVIT_LIBRARY=$(FRIDA_BUILD_DIR)libfrida-gum.a -GUM_DEVIT_HEADER=$(FRIDA_BUILD_DIR)frida-gum.h +GUM_DEVIT_LIBRARY=$(FRIDA_BUILD_DIR)libfrida-gumjs.a +GUM_DEVIT_HEADER=$(FRIDA_BUILD_DIR)frida-gumjs.h FRIDA_DIR:=$(PWD)build/frida-source/ FRIDA_MAKEFILE:=$(FRIDA_DIR)Makefile -FRIDA_GUM:=$(FRIDA_DIR)build/frida-linux-x86_64/lib/libfrida-gum-1.0.a +FRIDA_GUM:=$(FRIDA_DIR)build/frida-linux-x86_64/lib/libfrida-gumjs-1.0.a FRIDA_GUM_DEVKIT_DIR:=$(FRIDA_DIR)build/gum-devkit/ -FRIDA_GUM_DEVKIT_HEADER:=$(FRIDA_GUM_DEVKIT_DIR)frida-gum.h -FRIDA_GUM_DEVKIT_TARBALL:=$(FRIDA_DIR)build/frida-gum-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar +FRIDA_GUM_DEVKIT_HEADER:=$(FRIDA_GUM_DEVKIT_DIR)frida-gumjs.h +FRIDA_GUM_DEVKIT_TARBALL:=$(FRIDA_DIR)build/frida-gumjs-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar FRIDA_GUM_DEVKIT_COMPRESSED_TARBALL:=$(FRIDA_DIR)build/$(GUM_DEVKIT_FILENAME) AFL_COMPILER_RT_SRC:=$(ROOT)instrumentation/afl-compiler-rt.o.c AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o -.PHONY: all 32 clean format $(FRIDA_GUM) +.PHONY: all 32 clean format $(FRIDA_GUM) quickjs ############################## ALL ############################################# @@ -113,7 +118,7 @@ $(FRIDA_GUM): $(FRIDA_MAKEFILE) cd $(FRIDA_DIR) && make gum-linux-$(ARCH) $(FRIDA_GUM_DEVKIT_HEADER): $(FRIDA_GUM) - $(FRIDA_DIR)releng/devkit.py frida-gum linux-$(ARCH) $(FRIDA_DIR)build/gum-devkit/ + $(FRIDA_DIR)releng/devkit.py frida-gumjs linux-$(ARCH) $(FRIDA_DIR)build/gum-devkit/ $(FRIDA_GUM_DEVKIT_TARBALL): $(FRIDA_GUM_DEVKIT_HEADER) cd $(FRIDA_GUM_DEVKIT_DIR) && tar cvf $(FRIDA_GUM_DEVKIT_TARBALL) . @@ -150,6 +155,20 @@ $(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC) -o $@ \ -c $< +############################### JS ############################################# + +$(JS_SRC): $(JS) | $(BUILD_DIR) + cd $(JS_DIR) && xxd -i $(JS_NAME) $@ + +$(JS_OBJ): $(JS_SRC) + $(CC) \ + $(CFLAGS) \ + -I $(ROOT)include \ + -I $(FRIDA_BUILD_DIR) \ + -I $(INC_DIR) \ + -c $< \ + -o $@ + ############################# SOURCE ########################################### define BUILD_SOURCE @@ -167,9 +186,10 @@ $(foreach src,$(SOURCES),$(eval $(call BUILD_SOURCE,$(src),$(OBJ_DIR)$(notdir $( ######################## AFL-FRIDA-TRACE ####################################### -$(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(AFL_COMPILER_RT_OBJ) GNUmakefile | $(BUILD_DIR) - $(CC) \ +$(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL_COMPILER_RT_OBJ) GNUmakefile | $(BUILD_DIR) + $(CXX) \ $(OBJS) \ + $(JS_OBJ) \ $(GUM_DEVIT_LIBRARY) \ $(AFL_COMPILER_RT_OBJ) \ $(LDFLAGS) \ diff --git a/frida_mode/README.md b/frida_mode/README.md index 296e6405..6bed52b7 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -78,6 +78,10 @@ following options are currently supported: To enable the powerful CMPLOG mechanism, set `-c 0` for `afl-fuzz`. +## Scripting + +One of the more powerful features of FRIDA mode is it's support for configuration by JavaScript, rather than using environment variables. For details of how this works see [here](Scripting.md). + ## Performance Additionally, the intention is to be able to make a direct performance diff --git a/frida_mode/Scripting.md b/frida_mode/Scripting.md new file mode 100644 index 00000000..8b961e18 --- /dev/null +++ b/frida_mode/Scripting.md @@ -0,0 +1,240 @@ +# Scripting +FRIDA now supports the ability to configure itself using JavaScript. This allows +the user to make use of the convenience of FRIDA's scripting engine (along with +it's support for debug symbols and exports) to configure all of the things which +were traditionally configured using environment variables. + +By default FRIDA mode will look for the file `afl.js` in the current working +directory of the target. Alternatively, a script file can be configured using +the environment variable `AFL_FRIDA_JS_SCRIPT`. + +This script can make use of all of the standard [frida api functions](https://frida.re/docs/javascript-api/), but FRIDA mode adds some additional functions to allow +you to interact with FRIDA mode itself. These can all be accessed via the global +`Afl` parameter. e.g. `Afl.print("HELLO WORLD");`, + +If you encounter a problem with your script, then you should set the environment +variable `AFL_DEBUG_CHILD=1` to view any diagnostic information. + + +# Example +Most of the time, users will likely be wanting to call the functions which configure an address (e.g. for the entry point, or the persistent address). + +The example below uses the API [`DebugSymbol.fromName()`](https://frida.re/docs/javascript-api/#debugsymbol). Another use API is [`Module.getExportByName()`](https://frida.re/docs/javascript-api/#module). + +```js +/* Use Afl.print instead of console.log */ +Afl.print('******************'); +Afl.print('* AFL FRIDA MODE *'); +Afl.print('******************'); +Afl.print(''); + +/* Print some useful diagnostics stuff */ +Afl.print(`PID: ${Process.id}`); + +new ModuleMap().values().forEach(m => { + Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); +}); + +/* + * Configure entry-point, persistence etc. This will be what most + * people want to do. + */ +const persistent_addr = DebugSymbol.fromName('main'); +Afl.print(`persistent_addr: ${persistent_addr.address}`); + +if (persistent_addr.address.equals(ptr(0))) { + Afl.error('Cannot find symbol main'); +} + +const persistent_ret = DebugSymbol.fromName('slow'); +Afl.print(`persistent_ret: ${persistent_ret.address}`); + +if (persistent_ret.address.equals(ptr(0))) { + Afl.error('Cannot find symbol slow'); +} + +Afl.setPersistentAddress(persistent_addr.address); +Afl.setPersistentReturn(persistent_ret.address); +Afl.setPersistentCount(1000000); + +/* Control instrumentation, you may want to do this too */ +Afl.setInstrumentLibraries(); +const mod = Process.findModuleByName("libc-2.31.so") +Afl.addExcludedRange(mod.base, mod.size); + +/* Some useful options to configure logging */ +Afl.setStdOut("/tmp/stdout.txt"); +Afl.setStdErr("/tmp/stderr.txt"); + +/* Show the address layout. Sometimes helpful */ +Afl.setDebugMaps(); + +/* + * If you are using these options, then things aren't going + * very well for you. + */ +Afl.setInstrumentDebugFile("/tmp/instr.log"); +Afl.setPrefetchDisable(); +Afl.setInstrumentNoOptimize(); +Afl.setInstrumentEnableTracing(); +Afl.setInstrumentTracingUnique(); +Afl.setStatsFile("/tmp/stats.txt"); +Afl.setStatsInterval(1); +Afl.setStatsTransitions(); + +/* *ALWAYS* call this when you have finished all your configuration */ +Afl.done(); +Afl.print("done"); +``` + +# Stripped Binaries + +Lastly, if the binary you attempting to fuzz has no symbol information, and no +exports, then the following approach can be used. + +```js +const module = Process.getModuleByName('target.exe'); +/* Hardcoded offset within the target image */ +const address = module.base.add(0xdeadface); +Afl.setPersistentAddress(address); +``` + +# API +```js +/* + * Print a message to the STDOUT. This should be preferred to + * FRIDA's `console.log` since FRIDA will queue it's log messages. + * If `console.log` is used in a callback in particular, then there + * may no longer be a thread running to service this queue. + */ +Afl.print(msg); + +/* + * This must always be called at the end of your script. This lets + * FRIDA mode know that your configuration is finished and that + * execution has reached the end of your script. Failure to call + * this will result in a fatal error. + */ +Afl.done(); + +/* + * This function can be called within your script to cause FRIDA + * mode to trigger a fatal error. This is useful if for example you + * discover a problem you weren't expecting and want everything to + * stop. The user will need to enable `AFL_DEBUG_CHILD=1` to view + * this error message. + */ +Afl.error(); + +/* + * This has the same effect as setting `AFL_ENTRYPOINT`, but has the + * convenience of allowing you to use FRIDAs APIs to determine the + * address you would like to configure, rather than having to grep + * the output of `readelf` or something similarly ugly. This + * function should be called with a `NativePointer` as its + * argument. + */ +Afl.setEntryPoint(address); + +/* + * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a + * `NativePointer` should be provided as it's argument. + */ +Afl.setPersistentAddress(address); + +/* + * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a + * `NativePointer` should be provided as it's argument. + */ +Afl.setPersistentReturn(address); + +/* + * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a + * `number` should be provided as it's argument. + */ +Afl.setPersistentCount(count); + +/* + * See `AFL_FRIDA_PERSISTENT_DEBUG`. + */ +Afl.setPersistentDebug(); + +/* + * See `AFL_FRIDA_DEBUG_MAPS`. + */ +Afl.setDebugMaps(); + +/* + * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`, + * it takes as arguments a `NativePointer` and a `number`. It can be + * called multiple times to include several ranges. + */ +Afl.addIncludedRange(address, size); + +/* + * This is equivalent to setting a value in `AFL_FRIDA_EXCLUDE_RANGES`, + * it takes as arguments a `NativePointer` and a `number`. It can be + * called multiple times to exclude several ranges. + */ +Afl.addExcludedRange(address, size); + +/* + * See `AFL_INST_LIBS`. + */ +Afl.setInstrumentLibraries(); + +/* + * See `AFL_FRIDA_INST_DEBUG_FILE`. This function takes a single `string` as + * an argument. + */ +Afl.setInstrumentDebugFile(file); + +/* + * See `AFL_FRIDA_INST_NO_PREFETCH`. + */ +Afl.setPrefetchDisable(); + +/* + * See `AFL_FRIDA_INST_NO_OPTIMIZE` + */ +Afl.setInstrumentNoOptimize(); + +/* + * See `AFL_FRIDA_INST_TRACE`. + */ +Afl.setInstrumentEnableTracing(); + +/* + * See `AFL_FRIDA_INST_TRACE_UNIQUE`. + */ +Afl.setInstrumentTracingUnique() + +/* + * See `AFL_FRIDA_OUTPUT_STDOUT`. This function takes a single `string` as + * an argument. + */ +Afl.setStdOut(file); + +/* + * See `AFL_FRIDA_OUTPUT_STDERR`. This function takes a single `string` as + * an argument. + */ +Afl.setStdErr(file); + +/* + * See `AFL_FRIDA_STATS_FILE`. This function takes a single `string` as + * an argument. + */ +Afl.setStatsFile(file); + +/* + * See `AFL_FRIDA_STATS_INTERVAL`. This function takes a `number` as an + * argument + */ +Afl.setStatsInterval(interval); + +/* + * See `AFL_FRIDA_STATS_TRANSITIONS` + */ +Afl.setStatsTransitions() +``` diff --git a/frida_mode/include/asan.h b/frida_mode/include/asan.h index 7a8726e0..67d33591 100644 --- a/frida_mode/include/asan.h +++ b/frida_mode/include/asan.h @@ -1,10 +1,11 @@ #ifndef _ASAN_H #define _ASAN_H -#include "frida-gum.h" +#include "frida-gumjs.h" extern gboolean asan_initialized; +void asan_config(void); void asan_init(void); void asan_arch_init(void); void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator); diff --git a/frida_mode/include/ctx.h b/frida_mode/include/ctx.h index 67274aee..c669478e 100644 --- a/frida_mode/include/ctx.h +++ b/frida_mode/include/ctx.h @@ -1,7 +1,7 @@ #ifndef _CTX_H #define _CTX_H -#include "frida-gum.h" +#include "frida-gumjs.h" #if defined(__x86_64__) gsize ctx_read_reg(GumX64CpuContext *ctx, x86_reg reg); diff --git a/frida_mode/include/entry.h b/frida_mode/include/entry.h index 967831af..801c2bbe 100644 --- a/frida_mode/include/entry.h +++ b/frida_mode/include/entry.h @@ -1,13 +1,15 @@ #ifndef _ENTRY_H #define _ENTRY_H -#include "frida-gum.h" +#include "frida-gumjs.h" -extern guint64 entry_start; +extern guint64 entry_point; + +void entry_config(void); void entry_init(void); -void entry_run(void); +void entry_start(void); void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output); diff --git a/frida_mode/include/frida_cmplog.h b/frida_mode/include/frida_cmplog.h index b620a472..a665e970 100644 --- a/frida_mode/include/frida_cmplog.h +++ b/frida_mode/include/frida_cmplog.h @@ -3,6 +3,7 @@ extern struct cmp_map *__afl_cmp_map; +void cmplog_config(void); void cmplog_init(void); /* Functions to be implemented by the different architectures */ diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index 577481d1..9c8d3a5d 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -1,13 +1,20 @@ #ifndef _INSTRUMENT_H #define _INSTRUMENT_H -#include "frida-gum.h" +#include "frida-gumjs.h" #include "config.h" -extern __thread uint64_t previous_pc; -extern uint8_t * __afl_area_ptr; -extern uint32_t __afl_map_size; +extern char * instrument_debug_filename; +extern gboolean instrument_tracing; +extern gboolean instrument_optimize; +extern gboolean instrument_unique; +extern __thread uint64_t instrument_previous_pc; + +extern uint8_t *__afl_area_ptr; +extern uint32_t __afl_map_size; + +void instrument_config(void); void instrument_init(void); @@ -19,6 +26,7 @@ gboolean instrument_is_coverage_optimize_supported(void); void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output); +void instrument_debug_config(void); void instrument_debug_init(void); void instrument_debug_start(uint64_t address, GumStalkerOutput *output); void instrument_debug_instruction(uint64_t address, uint16_t size); diff --git a/frida_mode/include/intercept.h b/frida_mode/include/intercept.h new file mode 100644 index 00000000..8fe93b10 --- /dev/null +++ b/frida_mode/include/intercept.h @@ -0,0 +1,11 @@ +#ifndef _INTERCEPTOR_H +#define _INTERCEPTOR_H + +#include "frida-gumjs.h" + +void intercept_hook(void *address, gpointer replacement, gpointer user_data); +void intercept_unhook(void *address); +void intercept_unhook_self(void); + +#endif + diff --git a/frida_mode/include/interceptor.h b/frida_mode/include/interceptor.h deleted file mode 100644 index 0ff754a4..00000000 --- a/frida_mode/include/interceptor.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef _INTERCEPTOR_H -#define _INTERCEPTOR_H - -#include "frida-gum.h" - -void intercept(void *address, gpointer replacement, gpointer user_data); -void unintercept(void *address); -void unintercept_self(void); - -#endif - diff --git a/frida_mode/include/js.h b/frida_mode/include/js.h new file mode 100644 index 00000000..77237d55 --- /dev/null +++ b/frida_mode/include/js.h @@ -0,0 +1,18 @@ +#ifndef _JS_H +#define _JS_H + +#include "frida-gumjs.h" + +extern unsigned char api_js[]; +extern unsigned int api_js_len; + +extern gboolean js_done; + +/* Frida Mode */ + +void js_config(void); + +void js_start(void); + +#endif + diff --git a/frida_mode/include/lib.h b/frida_mode/include/lib.h index 237aecb0..a9d56e4e 100644 --- a/frida_mode/include/lib.h +++ b/frida_mode/include/lib.h @@ -1,7 +1,9 @@ #ifndef _LIB_H #define _LIB_H -#include "frida-gum.h" +#include "frida-gumjs.h" + +void lib_config(void); void lib_init(void); diff --git a/frida_mode/include/output.h b/frida_mode/include/output.h index 53a9fdd3..743b2fe6 100644 --- a/frida_mode/include/output.h +++ b/frida_mode/include/output.h @@ -1,8 +1,12 @@ #ifndef _OUTPUT_H #define _OUTPUT_H -#include "frida-gum.h" +#include "frida-gumjs.h" +extern char *output_stdout; +extern char *output_stderr; + +void output_config(void); void output_init(void); #endif diff --git a/frida_mode/include/persistent.h b/frida_mode/include/persistent.h index 25b44ab0..8f00196c 100644 --- a/frida_mode/include/persistent.h +++ b/frida_mode/include/persistent.h @@ -2,7 +2,7 @@ #ifndef _PERSISTENT_H #define _PERSISTENT_H -#include "frida-gum.h" +#include "frida-gumjs.h" #include "config.h" typedef struct arch_api_regs api_regs; @@ -19,9 +19,10 @@ extern unsigned char *__afl_fuzz_ptr; extern guint64 persistent_start; extern guint64 persistent_count; extern guint64 persistent_ret; -extern guint64 persistent_ret_offset; extern gboolean persistent_debug; -extern afl_persistent_hook_fn hook; +extern afl_persistent_hook_fn persistent_hook; + +void persistent_config(void); void persistent_init(void); diff --git a/frida_mode/include/prefetch.h b/frida_mode/include/prefetch.h index 8f0cee68..835d5e8a 100644 --- a/frida_mode/include/prefetch.h +++ b/frida_mode/include/prefetch.h @@ -1,8 +1,11 @@ #ifndef _PREFETCH_H #define _PREFETCH_H -#include "frida-gum.h" +#include "frida-gumjs.h" +extern gboolean prefetch_enable; + +void prefetch_config(void); void prefetch_init(void); void prefetch_write(void *addr); void prefetch_read(void); diff --git a/frida_mode/include/ranges.h b/frida_mode/include/ranges.h index c623f473..a667fb76 100644 --- a/frida_mode/include/ranges.h +++ b/frida_mode/include/ranges.h @@ -1,13 +1,20 @@ #ifndef _RANGES_H #define _RANGES_H -#include "frida-gum.h" +#include "frida-gumjs.h" +extern gboolean ranges_debug_maps; +extern gboolean ranges_inst_libs; + +void ranges_config(void); void ranges_init(void); gboolean range_is_excluded(gpointer address); void ranges_exclude(); +void ranges_add_include(GumMemoryRange *range); +void ranges_add_exclude(GumMemoryRange *range); + #endif diff --git a/frida_mode/include/stalker.h b/frida_mode/include/stalker.h index 186ead11..2136fe52 100644 --- a/frida_mode/include/stalker.h +++ b/frida_mode/include/stalker.h @@ -1,8 +1,9 @@ #ifndef _STALKER_H #define _STALKER_H -#include "frida-gum.h" +#include "frida-gumjs.h" +void stalker_config(void); void stalker_init(void); GumStalker *stalker_get(void); void stalker_start(void); diff --git a/frida_mode/include/stats.h b/frida_mode/include/stats.h index 4271132a..1cfd6b8f 100644 --- a/frida_mode/include/stats.h +++ b/frida_mode/include/stats.h @@ -1,7 +1,7 @@ #ifndef _STATS_H #define _STATS_H -#include "frida-gum.h" +#include "frida-gumjs.h" typedef struct { @@ -15,6 +15,11 @@ typedef struct { extern stats_data_header_t *stats_data; +extern char * stats_filename; +extern guint64 stats_interval; +extern gboolean stats_transitions; + +void stats_config(void); void stats_init(void); void stats_collect(const cs_insn *instr, gboolean begin); void stats_print(char *format, ...); diff --git a/frida_mode/include/util.h b/frida_mode/include/util.h index 7b443b5e..525e9d40 100644 --- a/frida_mode/include/util.h +++ b/frida_mode/include/util.h @@ -1,7 +1,7 @@ #ifndef _UTIL_H #define _UTIL_H -#include "frida-gum.h" +#include "frida-gumjs.h" #define UNUSED_PARAMETER(x) (void)(x) #define IGNORED_RETURN(x) (void)!(x) diff --git a/frida_mode/src/asan/asan.c b/frida_mode/src/asan/asan.c index f78f690c..b2e763ca 100644 --- a/frida_mode/src/asan/asan.c +++ b/frida_mode/src/asan/asan.c @@ -1,18 +1,18 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" #include "asan.h" -gboolean asan_initialized = FALSE; +static gboolean asan_enabled = FALSE; +gboolean asan_initialized = FALSE; -void asan_init(void) { +void asan_config(void) { if (getenv("AFL_USE_FASAN") != NULL) { OKF("Frida ASAN mode enabled"); - asan_arch_init(); - asan_initialized = TRUE; + asan_enabled = TRUE; } else { @@ -22,3 +22,14 @@ void asan_init(void) { } +void asan_init(void) { + + if (asan_enabled) { + + asan_arch_init(); + asan_initialized = TRUE; + + } + +} + diff --git a/frida_mode/src/asan/asan_arm32.c b/frida_mode/src/asan/asan_arm32.c index 79475ced..f5fa4713 100644 --- a/frida_mode/src/asan/asan_arm32.c +++ b/frida_mode/src/asan/asan_arm32.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" diff --git a/frida_mode/src/asan/asan_arm64.c b/frida_mode/src/asan/asan_arm64.c index 66138e42..65524e03 100644 --- a/frida_mode/src/asan/asan_arm64.c +++ b/frida_mode/src/asan/asan_arm64.c @@ -1,5 +1,5 @@ #include -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" diff --git a/frida_mode/src/asan/asan_x64.c b/frida_mode/src/asan/asan_x64.c index a2eabe3c..5c12669f 100644 --- a/frida_mode/src/asan/asan_x64.c +++ b/frida_mode/src/asan/asan_x64.c @@ -1,5 +1,5 @@ #include -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" diff --git a/frida_mode/src/asan/asan_x86.c b/frida_mode/src/asan/asan_x86.c index 8490b490..6d2f9e2b 100644 --- a/frida_mode/src/asan/asan_x86.c +++ b/frida_mode/src/asan/asan_x86.c @@ -1,5 +1,5 @@ #include -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" diff --git a/frida_mode/src/cmplog/cmplog.c b/frida_mode/src/cmplog/cmplog.c index 8814f7f3..a2609c8e 100644 --- a/frida_mode/src/cmplog/cmplog.c +++ b/frida_mode/src/cmplog/cmplog.c @@ -5,7 +5,7 @@ #include #include -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" @@ -50,6 +50,10 @@ static void cmplog_get_ranges(void) { } +void cmplog_config(void) { + +} + void cmplog_init(void) { if (__afl_cmp_map != NULL) { OKF("CMPLOG mode enabled"); } @@ -94,10 +98,10 @@ static gboolean cmplog_contains(GumAddress inner_base, GumAddress inner_limit, gboolean cmplog_test_addr(guint64 addr, size_t size) { - if (g_hash_table_contains(hash_yes, (gpointer)addr)) { return true; } - if (g_hash_table_contains(hash_no, (gpointer)addr)) { return false; } + if (g_hash_table_contains(hash_yes, GSIZE_TO_POINTER(addr))) { return true; } + if (g_hash_table_contains(hash_no, GSIZE_TO_POINTER(addr))) { return false; } - void * page_addr = (void *)(addr & page_mask); + void * page_addr = GSIZE_TO_POINTER(addr & page_mask); size_t page_offset = addr & page_offset_mask; /* If it spans a page, then bail */ @@ -109,7 +113,7 @@ gboolean cmplog_test_addr(guint64 addr, size_t size) { */ if (msync(page_addr, page_offset + size, MS_ASYNC) < 0) { - if (!g_hash_table_add(hash_no, (gpointer)addr)) { + if (!g_hash_table_add(hash_no, GSIZE_TO_POINTER(addr))) { FATAL("Failed - g_hash_table_add"); @@ -119,7 +123,7 @@ gboolean cmplog_test_addr(guint64 addr, size_t size) { } else { - if (!g_hash_table_add(hash_yes, (gpointer)addr)) { + if (!g_hash_table_add(hash_yes, GSIZE_TO_POINTER(addr))) { FATAL("Failed - g_hash_table_add"); diff --git a/frida_mode/src/cmplog/cmplog_arm32.c b/frida_mode/src/cmplog/cmplog_arm32.c index 5af28f3f..ac703408 100644 --- a/frida_mode/src/cmplog/cmplog_arm32.c +++ b/frida_mode/src/cmplog/cmplog_arm32.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" diff --git a/frida_mode/src/cmplog/cmplog_arm64.c b/frida_mode/src/cmplog/cmplog_arm64.c index 04631ff8..dd97f38d 100644 --- a/frida_mode/src/cmplog/cmplog_arm64.c +++ b/frida_mode/src/cmplog/cmplog_arm64.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" #include "cmplog.h" diff --git a/frida_mode/src/cmplog/cmplog_x64.c b/frida_mode/src/cmplog/cmplog_x64.c index ba16445d..0d18767a 100644 --- a/frida_mode/src/cmplog/cmplog_x64.c +++ b/frida_mode/src/cmplog/cmplog_x64.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" #include "cmplog.h" diff --git a/frida_mode/src/cmplog/cmplog_x86.c b/frida_mode/src/cmplog/cmplog_x86.c index a27df0af..dd666c34 100644 --- a/frida_mode/src/cmplog/cmplog_x86.c +++ b/frida_mode/src/cmplog/cmplog_x86.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" #include "cmplog.h" diff --git a/frida_mode/src/ctx/ctx_arm32.c b/frida_mode/src/ctx/ctx_arm32.c index a5c6f6d4..a354c117 100644 --- a/frida_mode/src/ctx/ctx_arm32.c +++ b/frida_mode/src/ctx/ctx_arm32.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" diff --git a/frida_mode/src/ctx/ctx_arm64.c b/frida_mode/src/ctx/ctx_arm64.c index d09896af..a735401b 100644 --- a/frida_mode/src/ctx/ctx_arm64.c +++ b/frida_mode/src/ctx/ctx_arm64.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" diff --git a/frida_mode/src/ctx/ctx_x64.c b/frida_mode/src/ctx/ctx_x64.c index 1772a252..da5cb13a 100644 --- a/frida_mode/src/ctx/ctx_x64.c +++ b/frida_mode/src/ctx/ctx_x64.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" diff --git a/frida_mode/src/ctx/ctx_x86.c b/frida_mode/src/ctx/ctx_x86.c index 9b50cb52..1a587702 100644 --- a/frida_mode/src/ctx/ctx_x86.c +++ b/frida_mode/src/ctx/ctx_x86.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index e71386a0..186d5098 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" @@ -9,27 +9,32 @@ extern void __afl_manual_init(); -guint64 entry_start = 0; +guint64 entry_point = 0; static void entry_launch(void) { __afl_manual_init(); /* Child here */ - previous_pc = 0; + instrument_previous_pc = 0; + +} + +void entry_config(void) { + + entry_point = util_read_address("AFL_ENTRYPOINT"); } void entry_init(void) { - entry_start = util_read_address("AFL_ENTRYPOINT"); - OKF("entry_point: 0x%016" G_GINT64_MODIFIER "X", entry_start); + OKF("entry_point: 0x%016" G_GINT64_MODIFIER "X", entry_point); } -void entry_run(void) { +void entry_start(void) { - if (entry_start == 0) { entry_launch(); } + if (entry_point == 0) { entry_launch(); } } diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index ba82b89f..d6ae505d 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -2,7 +2,7 @@ #include #include -#include "frida-gum.h" +#include "frida-gumjs.h" #include "config.h" #include "debug.h" @@ -18,12 +18,13 @@ #include "stats.h" #include "util.h" -static gboolean tracing = false; -static gboolean optimize = false; -static gboolean unique = false; +gboolean instrument_tracing = false; +gboolean instrument_optimize = false; +gboolean instrument_unique = false; + static GumStalkerTransformer *transformer = NULL; -__thread uint64_t previous_pc = 0; +__thread uint64_t instrument_previous_pc = 0; static GumAddress previous_rip = 0; static u8 * edges_notified = NULL; @@ -61,7 +62,7 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context, current_pc = (current_rip >> 4) ^ (current_rip << 8); current_pc &= MAP_SIZE - 1; - edge = current_pc ^ previous_pc; + edge = current_pc ^ instrument_previous_pc; cursor = &__afl_area_ptr[edge]; value = *cursor; @@ -77,11 +78,11 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context, } *cursor = value; - previous_pc = current_pc >> 1; + instrument_previous_pc = current_pc >> 1; - if (unlikely(tracing)) { + if (unlikely(instrument_tracing)) { - if (!unique || edges_notified[edge] == 0) { + if (!instrument_unique || edges_notified[edge] == 0) { trace_debug("TRACE: edge: %10" G_GINT64_MODIFIER "d, current_rip: 0x%016" G_GINT64_MODIFIER @@ -90,7 +91,7 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context, } - if (unique) { edges_notified[edge] = 1; } + if (instrument_unique) { edges_notified[edge] = 1; } previous_rip = current_rip; @@ -98,8 +99,9 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context, } -static void instr_basic_block(GumStalkerIterator *iterator, - GumStalkerOutput *output, gpointer user_data) { +static void instrument_basic_block(GumStalkerIterator *iterator, + GumStalkerOutput * output, + gpointer user_data) { UNUSED_PARAMETER(user_data); @@ -111,7 +113,7 @@ static void instr_basic_block(GumStalkerIterator *iterator, if (unlikely(begin)) { instrument_debug_start(instr->address, output); } - if (instr->address == entry_start) { entry_prologue(iterator, output); } + if (instr->address == entry_point) { entry_prologue(iterator, output); } if (instr->address == persistent_start) { persistent_prologue(output); } if (instr->address == persistent_ret) { persistent_epilogue(output); } @@ -150,7 +152,7 @@ static void instr_basic_block(GumStalkerIterator *iterator, if (likely(!excluded)) { - if (likely(optimize)) { + if (likely(instrument_optimize)) { instrument_coverage_optimize(instr, output); @@ -185,31 +187,39 @@ static void instr_basic_block(GumStalkerIterator *iterator, } -void instrument_init(void) { +void instrument_config(void) { + + instrument_optimize = (getenv("AFL_FRIDA_INST_NO_OPTIMIZE") == NULL); + instrument_tracing = (getenv("AFL_FRIDA_INST_TRACE") != NULL); + instrument_unique = (getenv("AFL_FRIDA_INST_TRACE_UNIQUE") != NULL); + + instrument_debug_config(); + asan_config(); + cmplog_config(); - optimize = (getenv("AFL_FRIDA_INST_NO_OPTIMIZE") == NULL); - tracing = (getenv("AFL_FRIDA_INST_TRACE") != NULL); - unique = (getenv("AFL_FRIDA_INST_TRACE_UNIQUE") != NULL); +} + +void instrument_init(void) { - if (!instrument_is_coverage_optimize_supported()) optimize = false; + if (!instrument_is_coverage_optimize_supported()) instrument_optimize = false; - OKF("Instrumentation - optimize [%c]", optimize ? 'X' : ' '); - OKF("Instrumentation - tracing [%c]", tracing ? 'X' : ' '); - OKF("Instrumentation - unique [%c]", unique ? 'X' : ' '); + OKF("Instrumentation - optimize [%c]", instrument_optimize ? 'X' : ' '); + OKF("Instrumentation - tracing [%c]", instrument_tracing ? 'X' : ' '); + OKF("Instrumentation - unique [%c]", instrument_unique ? 'X' : ' '); - if (tracing && optimize) { + if (instrument_tracing && instrument_optimize) { FATAL("AFL_FRIDA_INST_TRACE requires AFL_FRIDA_INST_NO_OPTIMIZE"); } - if (unique && optimize) { + if (instrument_unique && instrument_optimize) { FATAL("AFL_FRIDA_INST_TRACE_UNIQUE requires AFL_FRIDA_INST_NO_OPTIMIZE"); } - if (unique) { tracing = TRUE; } + if (instrument_unique) { instrument_tracing = TRUE; } if (__afl_map_size != 0x10000) { @@ -217,10 +227,10 @@ void instrument_init(void) { } - transformer = - gum_stalker_transformer_make_from_callback(instr_basic_block, NULL, NULL); + transformer = gum_stalker_transformer_make_from_callback( + instrument_basic_block, NULL, NULL); - if (unique) { + if (instrument_unique) { int shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600); if (shm_id < 0) { FATAL("shm_id < 0 - errno: %d\n", errno); } diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index 450a69a3..0e15940a 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 49ee86a2..17f97c97 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "config.h" #include "debug.h" @@ -72,7 +72,7 @@ void instrument_coverage_optimize(const cs_insn * instr, gum_arm64_writer_put_bytes(cw, afl_log_code, sizeof(afl_log_code)); uint8_t **afl_area_ptr_ptr = &__afl_area_ptr; - uint64_t *afl_prev_loc_ptr = &previous_pc; + uint64_t *afl_prev_loc_ptr = &instrument_previous_pc; gum_arm64_writer_put_bytes(cw, (const guint8 *)&afl_area_ptr_ptr, sizeof(afl_area_ptr_ptr)); gum_arm64_writer_put_bytes(cw, (const guint8 *)&afl_prev_loc_ptr, diff --git a/frida_mode/src/instrument/instrument_debug.c b/frida_mode/src/instrument/instrument_debug.c index 0ce26a1c..b8cca634 100644 --- a/frida_mode/src/instrument/instrument_debug.c +++ b/frida_mode/src/instrument/instrument_debug.c @@ -3,7 +3,7 @@ #include #include -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" @@ -13,6 +13,8 @@ static int debugging_fd = -1; static gpointer instrument_gen_start = NULL; +char *instrument_debug_filename = NULL; + static void instrument_debug(char *format, ...) { va_list ap; @@ -79,18 +81,25 @@ static void instrument_disasm(guint8 *start, guint8 *end) { } +void instrument_debug_config(void) { + + instrument_debug_filename = getenv("AFL_FRIDA_INST_DEBUG_FILE"); + +} + void instrument_debug_init(void) { - char *filename = getenv("AFL_FRIDA_INST_DEBUG_FILE"); - OKF("Instrumentation debugging - enabled [%c]", filename == NULL ? ' ' : 'X'); + OKF("Instrumentation debugging - enabled [%c]", + instrument_debug_filename == NULL ? ' ' : 'X'); - if (filename == NULL) { return; } + if (instrument_debug_filename == NULL) { return; } - OKF("Instrumentation debugging - file [%s]", filename); + OKF("Instrumentation debugging - file [%s]", instrument_debug_filename); - if (filename == NULL) { return; } + if (instrument_debug_filename == NULL) { return; } - char *path = g_canonicalize_filename(filename, g_get_current_dir()); + char *path = + g_canonicalize_filename(instrument_debug_filename, g_get_current_dir()); OKF("Instrumentation debugging - path [%s]", path); diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 7000e65d..a38b5b14 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "config.h" @@ -68,7 +68,7 @@ void instrument_coverage_optimize(const cs_insn * instr, current_log_impl = cw->pc; gum_x86_writer_put_bytes(cw, afl_log_code, sizeof(afl_log_code)); - uint64_t *afl_prev_loc_ptr = &previous_pc; + uint64_t *afl_prev_loc_ptr = &instrument_previous_pc; gum_x86_writer_put_bytes(cw, (const guint8 *)&__afl_area_ptr, sizeof(__afl_area_ptr)); gum_x86_writer_put_bytes(cw, (const guint8 *)&afl_prev_loc_ptr, diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index 04a19e08..3c3dc272 100644 --- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" @@ -16,7 +16,7 @@ static void instrument_coverage_function(GumX86Writer *cw) { gum_x86_writer_put_push_reg(cw, GUM_REG_EDX); gum_x86_writer_put_mov_reg_address(cw, GUM_REG_ECX, - GUM_ADDRESS(&previous_pc)); + GUM_ADDRESS(&instrument_previous_pc)); gum_x86_writer_put_mov_reg_reg_ptr(cw, GUM_REG_EDX, GUM_REG_ECX); gum_x86_writer_put_xor_reg_reg(cw, GUM_REG_EDX, GUM_REG_EDI); diff --git a/frida_mode/src/intercept.c b/frida_mode/src/intercept.c new file mode 100644 index 00000000..ed8d27bd --- /dev/null +++ b/frida_mode/src/intercept.c @@ -0,0 +1,35 @@ +#include "frida-gumjs.h" + +#include "debug.h" + +#include "intercept.h" + +void intercept_hook(void *address, gpointer replacement, gpointer user_data) { + + GumInterceptor *interceptor = gum_interceptor_obtain(); + gum_interceptor_begin_transaction(interceptor); + GumReplaceReturn ret = + gum_interceptor_replace(interceptor, address, replacement, user_data); + if (ret != GUM_REPLACE_OK) { FATAL("gum_interceptor_attach: %d", ret); } + gum_interceptor_end_transaction(interceptor); + +} + +void intercept_unhook(void *address) { + + GumInterceptor *interceptor = gum_interceptor_obtain(); + + gum_interceptor_begin_transaction(interceptor); + gum_interceptor_revert(interceptor, address); + gum_interceptor_end_transaction(interceptor); + gum_interceptor_flush(interceptor); + +} + +void intercept_unhook_self(void) { + + GumInvocationContext *ctx = gum_interceptor_get_current_invocation(); + intercept_unhook(ctx->function); + +} + diff --git a/frida_mode/src/interceptor.c b/frida_mode/src/interceptor.c deleted file mode 100644 index d2802752..00000000 --- a/frida_mode/src/interceptor.c +++ /dev/null @@ -1,35 +0,0 @@ -#include "frida-gum.h" - -#include "debug.h" - -#include "interceptor.h" - -void intercept(void *address, gpointer replacement, gpointer user_data) { - - GumInterceptor *interceptor = gum_interceptor_obtain(); - gum_interceptor_begin_transaction(interceptor); - GumReplaceReturn ret = - gum_interceptor_replace(interceptor, address, replacement, user_data); - if (ret != GUM_REPLACE_OK) { FATAL("gum_interceptor_attach: %d", ret); } - gum_interceptor_end_transaction(interceptor); - -} - -void unintercept(void *address) { - - GumInterceptor *interceptor = gum_interceptor_obtain(); - - gum_interceptor_begin_transaction(interceptor); - gum_interceptor_revert(interceptor, address); - gum_interceptor_end_transaction(interceptor); - gum_interceptor_flush(interceptor); - -} - -void unintercept_self(void) { - - GumInvocationContext *ctx = gum_interceptor_get_current_invocation(); - unintercept(ctx->function); - -} - diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js new file mode 100644 index 00000000..983f1efa --- /dev/null +++ b/frida_mode/src/js/api.js @@ -0,0 +1,201 @@ +const write = new NativeFunction( + Module.getExportByName(null, 'write'), + 'int', + ['int', 'pointer', 'int'] +); + +const afl_frida_trace = Process.findModuleByName('afl-frida-trace.so'); + +function get_api(name, ret, args) { + const addr = afl_frida_trace.findExportByName(name); + return new NativeFunction(addr, ret, args); +} + +const js_api_done = get_api( + 'js_api_done', + 'void', + []); + +const js_api_error = get_api( + 'js_api_error', + 'void', + ['pointer']); + +const js_api_set_entrypoint = get_api( + 'js_api_set_entrypoint', + 'void', + ['pointer']); + +const js_api_set_persistent_address = get_api( + 'js_api_set_persistent_address', + 'void', + ['pointer']); + +const js_api_set_persistent_return = get_api( + 'js_api_set_persistent_return', + 'void', + ['pointer']); + +const js_api_set_persistent_count = get_api( + 'js_api_set_persistent_count', + 'void', + ['uint64']); + +const js_api_set_persistent_debug = get_api( + 'js_api_set_persistent_debug', + 'void', + []); + +const js_api_set_debug_maps = get_api( + 'js_api_set_debug_maps', + 'void', + []); + +const js_api_add_include_range = get_api( + 'js_api_add_include_range', + 'void', + ['pointer', 'size_t']); + +const js_api_add_exclude_range = get_api( + 'js_api_add_exclude_range', + 'void', + ['pointer', 'size_t']); + +const js_api_set_instrument_libraries = get_api( + 'js_api_set_instrument_libraries', + 'void', + []); + +const js_api_set_instrument_debug_file = get_api( + 'js_api_set_instrument_debug_file', + 'void', + ['pointer']); + +const js_api_set_prefetch_disable = get_api( + 'js_api_set_prefetch_disable', + 'void', + []); + +const js_api_set_instrument_no_optimize = get_api( + 'js_api_set_instrument_no_optimize', + 'void', + []); + +const js_api_set_instrument_trace = get_api( + 'js_api_set_instrument_trace', + 'void', + []); + +const js_api_set_instrument_trace_unique = get_api( + 'js_api_set_instrument_trace_unique', + 'void', + []); + +const js_api_set_stdout = get_api( + 'js_api_set_stdout', + 'void', + ['pointer']); + +const js_api_set_stderr = get_api( + 'js_api_set_stderr', + 'void', + ['pointer']); + +const js_api_set_stats_file = get_api( + 'js_api_set_stats_file', + 'void', + ['pointer']); + +const js_api_set_stats_interval = get_api( + 'js_api_set_stats_interval', + 'void', + ['uint64']); + +const js_api_set_stats_transitions = get_api( + 'js_api_set_stats_transitions', + 'void', + []); + +const afl = { + print: function (msg) { + const STDOUT_FILENO = 2; + const log = `${msg}\n`; + const buf = Memory.allocUtf8String(log); + write(STDOUT_FILENO, buf, log.length); + }, + done: function() { + js_api_done(); + }, + error: function(msg) { + const buf = Memory.allocUtf8String(msg); + js_api_error(buf); + }, + setEntryPoint: function(addr) { + js_api_set_entrypoint(addr); + }, + setPersistentAddress: function(addr) { + js_api_set_persistent_address(addr); + }, + setPersistentReturn: function(addr) { + js_api_set_persistent_return(addr); + }, + setPersistentCount: function(addr) { + js_api_set_persistent_count(addr); + }, + setPersistentDebug: function() { + js_api_set_persistent_debug(); + }, + setDebugMaps: function() { + js_api_set_debug_maps(); + }, + addIncludedRange: function(address, size) { + js_api_add_include_range(address, size); + }, + addExcludedRange: function(address, size) { + js_api_add_exclude_range(address, size); + }, + setInstrumentLibraries: function() { + js_api_set_instrument_libraries(); + }, + setInstrumentDebugFile: function(file) { + const buf = Memory.allocUtf8String(file); + js_api_set_instrument_debug_file(buf) + }, + setPrefetchDisable: function() { + js_api_set_prefetch_disable(); + }, + setInstrumentNoOptimize: function() { + js_api_set_instrument_no_optimize(); + }, + setInstrumentEnableTracing: function() { + js_api_set_instrument_trace(); + }, + setInstrumentTracingUnique: function() { + js_api_set_instrument_trace_unique(); + }, + setStdOut: function(file) { + const buf = Memory.allocUtf8String(file); + js_api_set_stdout(buf) + }, + setStdErr: function(file) { + const buf = Memory.allocUtf8String(file); + js_api_set_stderr(buf) + }, + setStatsFile: function(file) { + const buf = Memory.allocUtf8String(file); + js_api_set_stats_file(buf) + }, + setStatsInterval: function(interval) { + js_api_set_stats_interval(interval); + }, + setStatsTransitions: function() { + js_api_set_stats_transitions(); + } + +}; + +Object.defineProperty(global, 'Afl', {value: afl, writeable: false}); + +//////////////////////////////////////////////////////////////////////////////// +// END OF API // +//////////////////////////////////////////////////////////////////////////////// diff --git a/frida_mode/src/js/js.c b/frida_mode/src/js/js.c new file mode 100644 index 00000000..79e716ad --- /dev/null +++ b/frida_mode/src/js/js.c @@ -0,0 +1,113 @@ +#include "frida-gumjs.h" + +#include "debug.h" + +#include "js.h" +#include "util.h" + +static char *js_script = NULL; +gboolean js_done = FALSE; + +static gchar * filename = "afl.js"; +static gchar * contents; +static GumScriptBackend *backend; +static GCancellable * cancellable = NULL; +static GError * error = NULL; +static GumScript * script; + +static void js_msg(GumScript *script, const gchar *message, GBytes *data, + gpointer user_data) { + + UNUSED_PARAMETER(script); + UNUSED_PARAMETER(data); + UNUSED_PARAMETER(user_data); + OKF("%s", message); + +} + +void js_config(void) { + + js_script = getenv("AFL_FRIDA_JS_SCRIPT"); + +} + +static gchar *js_get_script() { + + gsize length; + if (js_script != NULL) { filename = js_script; } + + filename = g_canonicalize_filename(filename, g_get_current_dir()); + + if (!g_file_get_contents(filename, &contents, &length, NULL)) { + + if (js_script == NULL) { + + return NULL; + + } else { + + FATAL("Could not load script file: %s", filename); + + } + + } else { + + OKF("Loaded AFL script: %s, %" G_GSIZE_MODIFIER "d bytes", filename, + length); + + gchar *source = g_malloc0(api_js_len + length + 1); + memcpy(source, api_js, api_js_len); + memcpy(&source[api_js_len], contents, length); + + return source; + + } + +} + +static void js_print_script(gchar *source) { + + gchar **split = g_strsplit(source, "\n", 0); + + for (size_t i = 0; split[i] != NULL; i++) { + + OKF("%3" G_GSIZE_MODIFIER "d. %s", i + 1, split[i]); + + } + + g_strfreev(split); + +} + +void js_start(void) { + + GMainContext *context; + + gchar *source = js_get_script(); + if (source == NULL) { return; } + js_print_script(source); + + backend = gum_script_backend_obtain_qjs(); + + script = gum_script_backend_create_sync(backend, "example", source, + cancellable, &error); + + if (error != NULL) { + + g_printerr("%s\n", error->message); + FATAL("Error processing script"); + + } + + gum_script_set_message_handler(script, js_msg, NULL, NULL); + + gum_script_load_sync(script, cancellable); + + context = g_main_context_get_thread_default(); + while (g_main_context_pending(context)) + g_main_context_iteration(context, FALSE); + + if (!js_done) { FATAL("Script didn't call Afl.done()"); } + +} + diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c new file mode 100644 index 00000000..018c0b9a --- /dev/null +++ b/frida_mode/src/js/js_api.c @@ -0,0 +1,142 @@ +#include "debug.h" + +#include "entry.h" +#include "instrument.h" +#include "js.h" +#include "output.h" +#include "persistent.h" +#include "prefetch.h" +#include "ranges.h" +#include "stats.h" +#include "util.h" + +void js_api_done() { + + js_done = TRUE; + +} + +void js_api_error(char *msg) { + + FATAL("%s", msg); + +} + +void js_api_set_entrypoint(void *address) { + + entry_point = GPOINTER_TO_SIZE(address); + +} + +void js_api_set_persistent_address(void *address) { + + persistent_start = GPOINTER_TO_SIZE(address); + +} + +void js_api_set_persistent_return(void *address) { + + persistent_ret = GPOINTER_TO_SIZE(address); + +} + +void js_api_set_persistent_count(uint64_t count) { + + persistent_count = count; + +} + +void js_api_set_persistent_debug() { + + persistent_debug = TRUE; + +} + +void js_api_set_debug_maps() { + + ranges_debug_maps = TRUE; + +} + +void js_api_add_include_range(void *address, gsize size) { + + GumMemoryRange range = {.base_address = GUM_ADDRESS(address), .size = size}; + ranges_add_include(&range); + +} + +void js_api_add_exclude_range(void *address, gsize size) { + + GumMemoryRange range = {.base_address = GUM_ADDRESS(address), .size = size}; + ranges_add_exclude(&range); + +} + +void js_api_set_instrument_libraries() { + + ranges_inst_libs = TRUE; + +} + +void js_api_set_instrument_debug_file(char *path) { + + instrument_debug_filename = g_strdup(path); + +} + +void js_api_set_prefetch_disable(void) { + + prefetch_enable = FALSE; + +} + +void js_api_set_instrument_no_optimize(void) { + + instrument_optimize = FALSE; + +} + +void js_api_set_instrument_trace(void) { + + instrument_tracing = TRUE; + +} + +void js_api_set_instrument_trace_unique(void) { + + instrument_unique = TRUE; + +} + +void js_api_set_stdout(char *file) { + + output_stdout = g_strdup(file); + +} + +void js_api_set_stderr(char *file) { + + output_stderr = g_strdup(file); + +} + +void js_api_set_stats_file(char *file) { + + stats_filename = g_strdup(file); + +} + +void js_api_set_stats_interval(uint64_t interval) { + + stats_interval = interval; + +} + +void js_api_set_stats_transitions() { + + stats_transitions = TRUE; + +} + +// "AFL_FRIDA_PERSISTENT_HOOK", + diff --git a/frida_mode/src/lib/lib.c b/frida_mode/src/lib/lib.c index 13a7d1e7..59a3fcf9 100644 --- a/frida_mode/src/lib/lib.c +++ b/frida_mode/src/lib/lib.c @@ -6,7 +6,7 @@ #include #include - #include "frida-gum.h" + #include "frida-gumjs.h" #include "debug.h" @@ -151,6 +151,10 @@ static void lib_get_text_section(lib_details_t *details) { } +void lib_config(void) { + +} + void lib_init(void) { lib_details_t lib_details; diff --git a/frida_mode/src/lib/lib_apple.c b/frida_mode/src/lib/lib_apple.c index 8f863861..2aa48a13 100644 --- a/frida_mode/src/lib/lib_apple.c +++ b/frida_mode/src/lib/lib_apple.c @@ -1,5 +1,5 @@ #ifdef __APPLE__ - #include "frida-gum.h" + #include "frida-gumjs.h" #include "debug.h" @@ -56,6 +56,10 @@ gboolean lib_get_text_section(const GumDarwinSectionDetails *details, } +void lib_config(void) { + +} + void lib_init(void) { GumDarwinModule *module = NULL; diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index b17d9f49..85b0bbf3 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -11,14 +11,15 @@ #include #endif -#include "frida-gum.h" +#include "frida-gumjs.h" #include "config.h" #include "debug.h" #include "entry.h" #include "instrument.h" -#include "interceptor.h" +#include "intercept.h" +#include "js.h" #include "lib.h" #include "output.h" #include "persistent.h" @@ -44,13 +45,6 @@ typedef int *(*main_fn_t)(int argc, char **argv, char **envp); static main_fn_t main_fn = NULL; -static int on_fork(void) { - - prefetch_read(); - return fork(); - -} - #ifdef __APPLE__ static void on_main_os(int argc, char **argv, char **envp) { @@ -174,23 +168,36 @@ void afl_frida_start(void) { afl_print_cmdline(); afl_print_env(); + /* Configure */ + entry_config(); + instrument_config(); + js_config(); + lib_config(); + output_config(); + persistent_config(); + prefetch_config(); + ranges_config(); + stalker_config(); + stats_config(); + + js_start(); + + /* Initialize */ + output_init(); + embedded_init(); - stalker_init(); - lib_init(); entry_init(); instrument_init(); - output_init(); + lib_init(); persistent_init(); prefetch_init(); + stalker_init(); ranges_init(); stats_init(); - void *fork_addr = - GSIZE_TO_POINTER(gum_module_find_export_by_name(NULL, "fork")); - intercept(fork_addr, on_fork, NULL); - + /* Start */ stalker_start(); - entry_run(); + entry_start(); } @@ -198,7 +205,7 @@ static int *on_main(int argc, char **argv, char **envp) { on_main_os(argc, argv, envp); - unintercept_self(); + intercept_unhook_self(); afl_frida_start(); @@ -212,7 +219,7 @@ extern int *main(int argc, char **argv, char **envp); static void intercept_main(void) { main_fn = main; - intercept(main, on_main, NULL); + intercept_hook(main, on_main, NULL); } @@ -225,7 +232,7 @@ static void intercept_main(void) { OKF("Entry Point: 0x%016" G_GINT64_MODIFIER "x", entry); void *main = GSIZE_TO_POINTER(entry); main_fn = main; - intercept(main, on_main, NULL); + intercept_hook(main, on_main, NULL); } @@ -236,8 +243,8 @@ static int on_libc_start_main(int *(main)(int, char **, char **), int argc, void(*stack_end)) { main_fn = main; - unintercept_self(); - intercept(main, on_main, NULL); + intercept_unhook_self(); + intercept_hook(main, on_main, NULL); return __libc_start_main(main, argc, ubp_av, init, fini, rtld_fini, stack_end); @@ -245,7 +252,7 @@ static int on_libc_start_main(int *(main)(int, char **, char **), int argc, static void intercept_main(void) { - intercept(__libc_start_main, on_libc_start_main, NULL); + intercept_hook(__libc_start_main, on_libc_start_main, NULL); } diff --git a/frida_mode/src/output.c b/frida_mode/src/output.c index 8a222b25..e2b744e7 100644 --- a/frida_mode/src/output.c +++ b/frida_mode/src/output.c @@ -2,17 +2,17 @@ #include #include -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" #include "output.h" -static int output_fd = -1; +char *output_stdout = NULL; +char *output_stderr = NULL; -static void output_redirect(int fd, char *variable) { +static void output_redirect(int fd, char *filename) { - char *filename = getenv(variable); char *path = NULL; if (filename == NULL) { return; } @@ -21,8 +21,8 @@ static void output_redirect(int fd, char *variable) { OKF("Redirect %d -> '%s'", fd, path); - output_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, - S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); + int output_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, + S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); g_free(path); @@ -34,12 +34,24 @@ static void output_redirect(int fd, char *variable) { } + close(output_fd); + +} + +void output_config(void) { + + output_stdout = getenv("AFL_FRIDA_OUTPUT_STDOUT"); + output_stderr = getenv("AFL_FRIDA_OUTPUT_STDERR"); + } void output_init(void) { - output_redirect(STDOUT_FILENO, "AFL_FRIDA_OUTPUT_STDOUT"); - output_redirect(STDERR_FILENO, "AFL_FRIDA_OUTPUT_STDERR"); + OKF("Output - StdOut: %s", output_stdout); + OKF("Output - StdErr: %s", output_stderr); + + output_redirect(STDOUT_FILENO, output_stdout); + output_redirect(STDERR_FILENO, output_stderr); } diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c index 243d501d..e3e0b0ca 100644 --- a/frida_mode/src/persistent/persistent.c +++ b/frida_mode/src/persistent/persistent.c @@ -1,6 +1,6 @@ #include -#include "frida-gum.h" +#include "frida-gumjs.h" #include "config.h" #include "debug.h" @@ -8,17 +8,18 @@ #include "persistent.h" #include "util.h" -int __afl_sharedmem_fuzzing = 0; -afl_persistent_hook_fn hook = NULL; +int __afl_sharedmem_fuzzing = 0; +static char *hook_name = NULL; + +afl_persistent_hook_fn persistent_hook = NULL; guint64 persistent_start = 0; guint64 persistent_count = 0; guint64 persistent_ret = 0; gboolean persistent_debug = FALSE; -void persistent_init(void) { - - char *hook_name = getenv("AFL_FRIDA_PERSISTENT_HOOK"); +void persistent_config(void) { + hook_name = getenv("AFL_FRIDA_PERSISTENT_HOOK"); persistent_start = util_read_address("AFL_FRIDA_PERSISTENT_ADDR"); persistent_count = util_read_num("AFL_FRIDA_PERSISTENT_CNT"); persistent_ret = util_read_address("AFL_FRIDA_PERSISTENT_RET"); @@ -33,6 +34,11 @@ void persistent_init(void) { } + if (persistent_start != 0 && persistent_count == 0) persistent_count = 1000; + + if (persistent_start != 0 && !persistent_is_supported()) + FATAL("Persistent mode not supported on this architecture"); + if (persistent_ret != 0 && persistent_start == 0) { FATAL( @@ -41,13 +47,9 @@ void persistent_init(void) { } - if (persistent_start != 0 && persistent_count == 0) persistent_count = 1000; - - if (persistent_count != 0 && persistent_count < 100) - WARNF("Persistent count out of recommended range (<100)"); +} - if (persistent_start != 0 && !persistent_is_supported()) - FATAL("Persistent mode not supported on this architecture"); +void persistent_init(void) { OKF("Instrumentation - persistent mode [%c] (0x%016" G_GINT64_MODIFIER "X)", persistent_start == 0 ? ' ' : 'X', persistent_start); @@ -58,27 +60,26 @@ void persistent_init(void) { OKF("Instrumentation - persistent ret [%c] (0x%016" G_GINT64_MODIFIER "X)", persistent_ret == 0 ? ' ' : 'X', persistent_ret); - if (hook_name != NULL) { + if (hook_name == NULL) { return; } - void *hook_obj = dlopen(hook_name, RTLD_NOW); - if (hook_obj == NULL) - FATAL("Failed to load AFL_FRIDA_PERSISTENT_HOOK (%s)", hook_name); + void *hook_obj = dlopen(hook_name, RTLD_NOW); + if (hook_obj == NULL) + FATAL("Failed to load AFL_FRIDA_PERSISTENT_HOOK (%s)", hook_name); - int (*afl_persistent_hook_init_ptr)(void) = - dlsym(hook_obj, "afl_persistent_hook_init"); - if (afl_persistent_hook_init_ptr == NULL) - FATAL("Failed to find afl_persistent_hook_init in %s", hook_name); + int (*afl_persistent_hook_init_ptr)(void) = + dlsym(hook_obj, "afl_persistent_hook_init"); + if (afl_persistent_hook_init_ptr == NULL) + FATAL("Failed to find afl_persistent_hook_init in %s", hook_name); - if (afl_persistent_hook_init_ptr() == 0) - FATAL("afl_persistent_hook_init returned a failure"); + if (afl_persistent_hook_init_ptr() == 0) + FATAL("afl_persistent_hook_init returned a failure"); - hook = (afl_persistent_hook_fn)dlsym(hook_obj, "afl_persistent_hook"); - if (hook == NULL) - FATAL("Failed to find afl_persistent_hook in %s", hook_name); + persistent_hook = + (afl_persistent_hook_fn)dlsym(hook_obj, "afl_persistent_hook"); + if (persistent_hook == NULL) + FATAL("Failed to find afl_persistent_hook in %s", hook_name); - __afl_sharedmem_fuzzing = 1; - - } + __afl_sharedmem_fuzzing = 1; } diff --git a/frida_mode/src/persistent/persistent_arm32.c b/frida_mode/src/persistent/persistent_arm32.c index 6a3c06fa..f12f1af8 100644 --- a/frida_mode/src/persistent/persistent_arm32.c +++ b/frida_mode/src/persistent/persistent_arm32.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c index d7c6c76b..e618fbac 100644 --- a/frida_mode/src/persistent/persistent_arm64.c +++ b/frida_mode/src/persistent/persistent_arm64.c @@ -1,5 +1,5 @@ #include -#include "frida-gum.h" +#include "frida-gumjs.h" #include "config.h" #include "debug.h" @@ -318,7 +318,7 @@ static void instrument_exit(GumArm64Writer *cw) { static int instrument_afl_persistent_loop_func(void) { int ret = __afl_persistent_loop(persistent_count); - previous_pc = 0; + instrument_previous_pc = 0; return ret; } @@ -337,7 +337,7 @@ static void instrument_afl_persistent_loop(GumArm64Writer *cw) { static void persistent_prologue_hook(GumArm64Writer * cw, struct arm64_regs *regs) { - if (hook == NULL) return; + if (persistent_hook == NULL) return; gum_arm64_writer_put_sub_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP, GUM_RED_ZONE_SIZE); @@ -354,7 +354,7 @@ static void persistent_prologue_hook(GumArm64Writer * cw, gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X2, 0); gum_arm64_writer_put_call_address_with_arguments( - cw, GUM_ADDRESS(hook), 4, GUM_ARG_ADDRESS, GUM_ADDRESS(regs), + cw, GUM_ADDRESS(persistent_hook), 4, GUM_ARG_ADDRESS, GUM_ADDRESS(regs), GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_REGISTER, ARM64_REG_X2, GUM_ARG_REGISTER, ARM64_REG_X3); diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c index 653acefe..a91abc1c 100644 --- a/frida_mode/src/persistent/persistent_x64.c +++ b/frida_mode/src/persistent/persistent_x64.c @@ -1,5 +1,5 @@ #include -#include "frida-gum.h" +#include "frida-gumjs.h" #include "config.h" #include "debug.h" @@ -199,7 +199,7 @@ static void instrument_exit(GumX86Writer *cw) { static int instrument_afl_persistent_loop_func(void) { int ret = __afl_persistent_loop(persistent_count); - previous_pc = 0; + instrument_previous_pc = 0; return ret; } @@ -220,7 +220,7 @@ static void instrument_afl_persistent_loop(GumX86Writer *cw) { static void persistent_prologue_hook(GumX86Writer * cw, struct x86_64_regs *regs) { - if (hook == NULL) return; + if (persistent_hook == NULL) return; gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, -(GUM_RED_ZONE_SIZE)); @@ -236,7 +236,7 @@ static void persistent_prologue_hook(GumX86Writer * cw, gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDX, GUM_REG_RDX, 0); gum_x86_writer_put_call_address_with_arguments( - cw, GUM_CALL_CAPI, GUM_ADDRESS(hook), 4, GUM_ARG_ADDRESS, + cw, GUM_CALL_CAPI, GUM_ADDRESS(persistent_hook), 4, GUM_ARG_ADDRESS, GUM_ADDRESS(regs), GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_REGISTER, GUM_REG_RDX, GUM_ARG_REGISTER, GUM_REG_RCX); diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c index 7add6e99..1d01d8e4 100644 --- a/frida_mode/src/persistent/persistent_x86.c +++ b/frida_mode/src/persistent/persistent_x86.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "config.h" @@ -152,7 +152,7 @@ static void instrument_exit(GumX86Writer *cw) { static int instrument_afl_persistent_loop_func(void) { int ret = __afl_persistent_loop(persistent_count); - previous_pc = 0; + instrument_previous_pc = 0; return ret; } @@ -167,7 +167,7 @@ static void instrument_afl_persistent_loop(GumX86Writer *cw) { static void persistent_prologue_hook(GumX86Writer *cw, struct x86_regs *regs) { - if (hook == NULL) return; + if (persistent_hook == NULL) return; gum_x86_writer_put_mov_reg_address(cw, GUM_REG_ECX, GUM_ADDRESS(&__afl_fuzz_len)); @@ -180,7 +180,7 @@ static void persistent_prologue_hook(GumX86Writer *cw, struct x86_regs *regs) { /* Base address is 64-bits (hence two zero arguments) */ gum_x86_writer_put_call_address_with_arguments( - cw, GUM_CALL_CAPI, GUM_ADDRESS(hook), 5, GUM_ARG_ADDRESS, + cw, GUM_CALL_CAPI, GUM_ADDRESS(persistent_hook), 5, GUM_ARG_ADDRESS, GUM_ADDRESS(regs), GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_REGISTER, GUM_REG_EDX, GUM_ARG_REGISTER, GUM_REG_ECX); diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c index 65c09fba..50d10c9e 100644 --- a/frida_mode/src/prefetch.c +++ b/frida_mode/src/prefetch.c @@ -2,10 +2,11 @@ #include #include -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" +#include "intercept.h" #include "prefetch.h" #include "stalker.h" @@ -20,9 +21,10 @@ typedef struct { } prefetch_data_t; -static prefetch_data_t *prefetch_data = NULL; +gboolean prefetch_enable = TRUE; -static int prefetch_shm_id = -1; +static prefetch_data_t *prefetch_data = NULL; +static int prefetch_shm_id = -1; /* * We do this from the transformer since we need one anyway for coverage, this @@ -72,14 +74,33 @@ void prefetch_read(void) { } +void prefetch_config(void) { + + prefetch_enable = (getenv("AFL_FRIDA_INST_NO_PREFETCH") == NULL); + +} + +static int prefetch_on_fork(void) { + + prefetch_read(); + return fork(); + +} + +static void prefetch_hook_fork(void) { + + void *fork_addr = + GSIZE_TO_POINTER(gum_module_find_export_by_name(NULL, "fork")); + intercept_hook(fork_addr, prefetch_on_fork, NULL); + +} + void prefetch_init(void) { g_assert_cmpint(sizeof(prefetch_data_t), ==, PREFETCH_SIZE); - gboolean prefetch = (getenv("AFL_FRIDA_INST_NO_PREFETCH") == NULL); + OKF("Instrumentation - prefetch [%c]", prefetch_enable ? 'X' : ' '); - OKF("Instrumentation - prefetch [%c]", prefetch ? 'X' : ' '); - - if (!prefetch) { return; } + if (!prefetch_enable) { return; } /* * Make our shared memory, we can attach before we fork, just like AFL does * with the coverage bitmap region and fork will take care of ensuring both @@ -108,5 +129,7 @@ void prefetch_init(void) { /* Clear it, not sure it's necessary, just seems like good practice */ memset(prefetch_data, '\0', sizeof(prefetch_data_t)); + prefetch_hook_fork(); + } diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c index ef25b371..534f202b 100644 --- a/frida_mode/src/ranges.c +++ b/frida_mode/src/ranges.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" @@ -17,11 +17,14 @@ typedef struct { } convert_name_ctx_t; -GArray *module_ranges = NULL; -GArray *libs_ranges = NULL; -GArray *include_ranges = NULL; -GArray *exclude_ranges = NULL; -GArray *ranges = NULL; +gboolean ranges_debug_maps = FALSE; +gboolean ranges_inst_libs = FALSE; + +static GArray *module_ranges = NULL; +static GArray *libs_ranges = NULL; +static GArray *include_ranges = NULL; +static GArray *exclude_ranges = NULL; +static GArray *ranges = NULL; static void convert_address_token(gchar *token, GumMemoryRange *range) { @@ -225,6 +228,43 @@ static GArray *collect_module_ranges(void) { } +static void check_for_overlaps(GArray *array) { + + for (guint i = 1; i < array->len; i++) { + + GumMemoryRange *prev = &g_array_index(array, GumMemoryRange, i - 1); + GumMemoryRange *curr = &g_array_index(array, GumMemoryRange, i); + GumAddress prev_limit = prev->base_address + prev->size; + GumAddress curr_limit = curr->base_address + curr->size; + if (prev_limit > curr->base_address) { + + FATAL("OVerlapping ranges 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x", + prev->base_address, prev_limit, curr->base_address, curr_limit); + + } + + } + +} + +void ranges_add_include(GumMemoryRange *range) { + + g_array_append_val(include_ranges, *range); + g_array_sort(include_ranges, range_sort); + check_for_overlaps(include_ranges); + +} + +void ranges_add_exclude(GumMemoryRange *range) { + + g_array_append_val(exclude_ranges, *range); + g_array_sort(exclude_ranges, range_sort); + check_for_overlaps(exclude_ranges); + +} + static GArray *collect_ranges(char *env_key) { char * env_val; @@ -253,23 +293,7 @@ static GArray *collect_ranges(char *env_key) { g_array_sort(result, range_sort); - /* Check for overlaps */ - for (i = 1; i < token_count; i++) { - - GumMemoryRange *prev = &g_array_index(result, GumMemoryRange, i - 1); - GumMemoryRange *curr = &g_array_index(result, GumMemoryRange, i); - GumAddress prev_limit = prev->base_address + prev->size; - GumAddress curr_limit = curr->base_address + curr->size; - if (prev_limit > curr->base_address) { - - FATAL("OVerlapping ranges 0x%016" G_GINT64_MODIFIER - "x-0x%016" G_GINT64_MODIFIER "x 0x%016" G_GINT64_MODIFIER - "x-0x%016" G_GINT64_MODIFIER "x", - prev->base_address, prev_limit, curr->base_address, curr_limit); - - } - - } + check_for_overlaps(result); print_ranges(env_key, result); @@ -285,15 +309,15 @@ static GArray *collect_libs_ranges(void) { GumMemoryRange range; result = g_array_new(false, false, sizeof(GumMemoryRange)); - if (getenv("AFL_INST_LIBS") == NULL) { + if (ranges_inst_libs) { - range.base_address = lib_get_text_base(); - range.size = lib_get_text_limit() - lib_get_text_base(); + range.base_address = 0; + range.size = G_MAXULONG; } else { - range.base_address = 0; - range.size = G_MAXULONG; + range.base_address = lib_get_text_base(); + range.size = lib_get_text_limit() - lib_get_text_base(); } @@ -480,30 +504,13 @@ static GArray *merge_ranges(GArray *a) { } -static gboolean exclude_ranges_callback(const GumRangeDetails *details, - gpointer user_data) { +void ranges_config(void) { - UNUSED_PARAMETER(user_data); - gchar * name; - gboolean found; - GumStalker *stalker; - if (details->file == NULL) { return TRUE; } - name = g_path_get_basename(details->file->path); - - found = (g_strcmp0(name, "afl-frida-trace.so") == 0); - g_free(name); - if (!found) { return TRUE; } - - stalker = stalker_get(); - gum_stalker_exclude(stalker, details->range); - - return FALSE; + if (getenv("AFL_FRIDA_DEBUG_MAPS") != NULL) { ranges_debug_maps = TRUE; } + if (getenv("AFL_INST_LIBS") != NULL) { ranges_inst_libs = TRUE; } -} - -static void ranges_exclude_self(void) { - - gum_process_enumerate_ranges(GUM_PAGE_EXECUTE, exclude_ranges_callback, NULL); + include_ranges = collect_ranges("AFL_FRIDA_INST_RANGES"); + exclude_ranges = collect_ranges("AFL_FRIDA_EXCLUDE_RANGES"); } @@ -515,16 +522,20 @@ void ranges_init(void) { GArray * step3; GArray * step4; - if (getenv("AFL_FRIDA_DEBUG_MAPS") != NULL) { + if (ranges_debug_maps) { gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, print_ranges_callback, NULL); } + OKF("Ranges - Instrument libraries [%c]", ranges_inst_libs ? 'X' : ' '); + + print_ranges("AFL_FRIDA_INST_RANGES", include_ranges); + print_ranges("AFL_FRIDA_EXCLUDE_RANGES", exclude_ranges); + module_ranges = collect_module_ranges(); libs_ranges = collect_libs_ranges(); - include_ranges = collect_ranges("AFL_FRIDA_INST_RANGES"); /* If include ranges is empty, then assume everything is included */ if (include_ranges->len == 0) { @@ -535,8 +546,6 @@ void ranges_init(void) { } - exclude_ranges = collect_ranges("AFL_FRIDA_EXCLUDE_RANGES"); - /* Intersect with .text section of main executable unless AFL_INST_LIBS */ step1 = intersect_ranges(module_ranges, libs_ranges); print_ranges("step1", step1); @@ -565,9 +574,6 @@ void ranges_init(void) { g_array_free(step2, TRUE); g_array_free(step1, TRUE); - /* *NEVER* stalk the stalker, only bad things will ever come of this! */ - ranges_exclude_self(); - ranges_exclude(); } diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c index 63f3c529..98483cde 100644 --- a/frida_mode/src/stalker.c +++ b/frida_mode/src/stalker.c @@ -2,18 +2,47 @@ #include "instrument.h" #include "stalker.h" +#include "util.h" static GumStalker *stalker = NULL; -void stalker_init(void) { +void stalker_config(void) { if (!gum_stalker_is_supported()) { FATAL("Failed to initialize embedded"); } +} + +static gboolean stalker_exclude_self(const GumRangeDetails *details, + gpointer user_data) { + + UNUSED_PARAMETER(user_data); + gchar * name; + gboolean found; + GumStalker *stalker; + if (details->file == NULL) { return TRUE; } + name = g_path_get_basename(details->file->path); + + found = (g_strcmp0(name, "afl-frida-trace.so") == 0); + g_free(name); + if (!found) { return TRUE; } + + stalker = stalker_get(); + gum_stalker_exclude(stalker, details->range); + + return FALSE; + +} + +void stalker_init(void) { + stalker = gum_stalker_new(); if (stalker == NULL) { FATAL("Failed to initialize stalker"); } gum_stalker_set_trust_threshold(stalker, 0); + /* *NEVER* stalk the stalker, only bad things will ever come of this! */ + gum_process_enumerate_ranges(GUM_PAGE_EXECUTE, stalker_exclude_self, NULL); + } GumStalker *stalker_get(void) { diff --git a/frida_mode/src/stats/stats.c b/frida_mode/src/stats/stats.c index 0d7b9fb0..0dd8be70 100644 --- a/frida_mode/src/stats/stats.c +++ b/frida_mode/src/stats/stats.c @@ -5,7 +5,7 @@ #include #include -#include "frida-gum.h" +#include "frida-gumjs.h" #include "config.h" #include "debug.h" @@ -17,15 +17,16 @@ stats_data_header_t *stats_data = NULL; -static int stats_parent_pid = -1; -static int stats_fd = -1; -static gboolean stats_transitions = FALSE; -static guint64 stats_interval = 0; +static int stats_parent_pid = -1; +static int stats_fd = -1; -void stats_init(void) { +char * stats_filename = NULL; +guint64 stats_interval = 0; +gboolean stats_transitions = FALSE; - stats_parent_pid = getpid(); - char *filename = getenv("AFL_FRIDA_STATS_FILE"); +void stats_config(void) { + + stats_filename = getenv("AFL_FRIDA_STATS_FILE"); stats_interval = util_read_num("AFL_FRIDA_STATS_INTERVAL"); if (getenv("AFL_FRIDA_STATS_TRANSITIONS") != NULL) { @@ -33,10 +34,16 @@ void stats_init(void) { } - OKF("Stats - file [%s]", filename); +} + +void stats_init(void) { + + stats_parent_pid = getpid(); + + OKF("Stats - file [%s]", stats_filename); OKF("Stats - interval [%" G_GINT64_MODIFIER "u]", stats_interval); - if (stats_interval != 0 && filename == NULL) { + if (stats_interval != 0 && stats_filename == NULL) { FATAL( "AFL_FRIDA_STATS_FILE must be specified if " @@ -46,7 +53,7 @@ void stats_init(void) { if (stats_interval == 0) { stats_interval = 10; } - if (filename == NULL) { return; } + if (stats_filename == NULL) { return; } if (!stats_is_supported_arch()) { @@ -56,11 +63,11 @@ void stats_init(void) { char *path = NULL; - if (filename == NULL) { return; } + if (stats_filename == NULL) { return; } if (stats_transitions) { gum_stalker_set_counters_enabled(TRUE); } - path = g_canonicalize_filename(filename, g_get_current_dir()); + path = g_canonicalize_filename(stats_filename, g_get_current_dir()); OKF("Stats - path [%s]", path); diff --git a/frida_mode/src/stats/stats_arm32.c b/frida_mode/src/stats/stats_arm32.c index 7eea7f91..71953af3 100644 --- a/frida_mode/src/stats/stats_arm32.c +++ b/frida_mode/src/stats/stats_arm32.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" diff --git a/frida_mode/src/stats/stats_arm64.c b/frida_mode/src/stats/stats_arm64.c index 592af87a..d9d374a4 100644 --- a/frida_mode/src/stats/stats_arm64.c +++ b/frida_mode/src/stats/stats_arm64.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" diff --git a/frida_mode/src/stats/stats_x64.c b/frida_mode/src/stats/stats_x64.c index c3e8742a..7c3a90d7 100644 --- a/frida_mode/src/stats/stats_x64.c +++ b/frida_mode/src/stats/stats_x64.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" diff --git a/frida_mode/src/stats/stats_x86.c b/frida_mode/src/stats/stats_x86.c index 1906e809..d9c4f652 100644 --- a/frida_mode/src/stats/stats_x86.c +++ b/frida_mode/src/stats/stats_x86.c @@ -1,4 +1,4 @@ -#include "frida-gum.h" +#include "frida-gumjs.h" #include "debug.h" diff --git a/frida_mode/test/deferred/GNUmakefile b/frida_mode/test/deferred/GNUmakefile index c268ef66..ae580e3f 100644 --- a/frida_mode/test/deferred/GNUmakefile +++ b/frida_mode/test/deferred/GNUmakefile @@ -37,7 +37,7 @@ ifeq "$(ARCH)" "x86" AFL_ENTRYPOINT=$(shell $(GET_SYMBOL_ADDR) -f $(TESTINSTBIN) -s run -b 0x56555000) endif -.PHONY: all clean qemu frida +.PHONY: all clean frida all: $(TESTINSTBIN) make -C $(ROOT)frida_mode/ diff --git a/frida_mode/test/js/GNUmakefile b/frida_mode/test/js/GNUmakefile new file mode 100644 index 00000000..8ea71656 --- /dev/null +++ b/frida_mode/test/js/GNUmakefile @@ -0,0 +1,44 @@ +PWD:=$(shell pwd)/ +ROOT:=$(shell realpath $(PWD)../../..)/ +BUILD_DIR:=$(PWD)build/ +TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/ +TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in + +TESTINSTBIN:=$(BUILD_DIR)testinstr +TESTINSTSRC:=$(PWD)testinstr.c + +QEMU_OUT:=$(BUILD_DIR)qemu-out +FRIDA_OUT:=$(BUILD_DIR)frida-out + +.PHONY: all 32 clean qemu frida + +all: $(TESTINSTBIN) + make -C $(ROOT)frida_mode/ + +32: + CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + +$(BUILD_DIR): + mkdir -p $@ + +$(TESTINSTR_DATA_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR) + echo -n "000" > $@ + +$(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< + +clean: + rm -rf $(BUILD_DIR) + +frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + AFL_FRIDA_JS_SCRIPT=test.js \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TESTINSTR_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TESTINSTBIN) @@ diff --git a/frida_mode/test/js/Makefile b/frida_mode/test/js/Makefile new file mode 100644 index 00000000..7a237f99 --- /dev/null +++ b/frida_mode/test/js/Makefile @@ -0,0 +1,16 @@ +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake + +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + +clean: + @gmake clean + +frida: + @gmake frida + +debug: + @gmake debug diff --git a/frida_mode/test/js/test.js b/frida_mode/test/js/test.js new file mode 100644 index 00000000..f10ef2d1 --- /dev/null +++ b/frida_mode/test/js/test.js @@ -0,0 +1,20 @@ +Afl.print('******************'); +Afl.print('* AFL FRIDA MODE *'); +Afl.print('******************'); +Afl.print(''); + +Afl.print(`PID: ${Process.id}`); + +new ModuleMap().values().forEach(m => { + Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); +}); + +const entry_point = DebugSymbol.fromName('run'); +Afl.print(`entry_point: ${entry_point.address}`); + +Afl.setEntryPoint(entry_point.address); + +// Afl.error('HARD NOPE'); + +Afl.done(); +Afl.print("done"); diff --git a/frida_mode/test/js/testinstr.c b/frida_mode/test/js/testinstr.c new file mode 100644 index 00000000..bd605c52 --- /dev/null +++ b/frida_mode/test/js/testinstr.c @@ -0,0 +1,121 @@ +/* + american fuzzy lop++ - a trivial program to test the build + -------------------------------------------------------- + Originally written by Michal Zalewski + Copyright 2014 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include + +#ifdef __APPLE__ + #define TESTINSTR_SECTION +#else + #define TESTINSTR_SECTION __attribute__((section(".testinstr"))) +#endif + +void testinstr(char *buf, int len) { + + if (len < 1) return; + buf[len] = 0; + + // we support three input cases + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else if (buf[0] == '1') + printf("Pretty sure that is a one!\n"); + else + printf("Neither one or zero? How quaint!\n"); + +} + +int run(char *file) { + + int fd = -1; + off_t len; + char * buf = NULL; + size_t n_read; + int result = -1; + + do { + + dprintf(STDERR_FILENO, "Running: %s\n", file); + + fd = open(file, O_RDONLY); + if (fd < 0) { + + perror("open"); + break; + + } + + len = lseek(fd, 0, SEEK_END); + if (len < 0) { + + perror("lseek (SEEK_END)"); + break; + + } + + if (lseek(fd, 0, SEEK_SET) != 0) { + + perror("lseek (SEEK_SET)"); + break; + + } + + buf = malloc(len); + if (buf == NULL) { + + perror("malloc"); + break; + + } + + n_read = read(fd, buf, len); + if (n_read != len) { + + perror("read"); + break; + + } + + dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); + + testinstr(buf, len); + dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read); + + result = 0; + + } while (false); + + if (buf != NULL) { free(buf); } + + if (fd != -1) { close(fd); } + + return result; + +} + +void slow() { + + usleep(100000); + +} + +int main(int argc, char **argv) { + + if (argc != 2) { return 1; } + slow(); + return run(argv[1]); + +} + diff --git a/frida_mode/test/persistent_ret/GNUmakefile b/frida_mode/test/persistent_ret/GNUmakefile index 2de51d86..81fdd069 100644 --- a/frida_mode/test/persistent_ret/GNUmakefile +++ b/frida_mode/test/persistent_ret/GNUmakefile @@ -82,6 +82,16 @@ frida_ret: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) -- \ $(TESTINSTBIN) @@ +frida_js: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + AFL_FRIDA_JS_SCRIPT=test.js \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TESTINSTR_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TESTINSTBIN) @@ + debug: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) gdb \ --ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR)' \ diff --git a/frida_mode/test/persistent_ret/test.js b/frida_mode/test/persistent_ret/test.js new file mode 100644 index 00000000..43c6ad7c --- /dev/null +++ b/frida_mode/test/persistent_ret/test.js @@ -0,0 +1,38 @@ +Afl.print('******************'); +Afl.print('* AFL FRIDA MODE *'); +Afl.print('******************'); +Afl.print(''); + +Afl.print(`PID: ${Process.id}`); + +new ModuleMap().values().forEach(m => { + Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); +}); + +const persistent_addr = DebugSymbol.fromName('main'); +Afl.print(`persistent_addr: ${persistent_addr.address}`); + +const persistent_ret = DebugSymbol.fromName('slow'); +Afl.print(`persistent_ret: ${persistent_ret.address}`); + +Afl.setPersistentAddress(persistent_addr.address); +Afl.setPersistentReturn(persistent_ret.address); +Afl.setPersistentCount(1000000); + +Afl.setDebugMaps(); + +const mod = Process.findModuleByName("libc-2.31.so") +Afl.addExcludedRange(mod.base, mod.size); +Afl.setInstrumentLibraries(); +Afl.setInstrumentDebugFile("/tmp/instr.log"); +Afl.setPrefetchDisable(); +Afl.setInstrumentNoOptimize(); +Afl.setInstrumentEnableTracing(); +Afl.setInstrumentTracingUnique(); +Afl.setStdOut("/tmp/stdout.txt"); +Afl.setStdErr("/tmp/stderr.txt"); +Afl.setStatsFile("/tmp/stats.txt"); +Afl.setStatsInterval(1); +Afl.setStatsTransitions(); +Afl.done(); +Afl.print("done"); diff --git a/include/envs.h b/include/envs.h index 54bb6597..f89e8e62 100644 --- a/include/envs.h +++ b/include/envs.h @@ -60,7 +60,8 @@ static char *afl_environment_variables[] = { "AFL_FRIDA_INST_NO_PREFETCH", "AFL_FRIDA_INST_RANGES", "AFL_FRIDA_INST_TRACE", - "AFL_FRIDA_INST_UNSTABLE", + "AFL_FRIDA_INST_TRACE_UNIQUE", + "AFL_FRIDA_JS_SCRIPT", "AFL_FRIDA_OUTPUT_STDOUT", "AFL_FRIDA_OUTPUT_STDERR", "AFL_FRIDA_PERSISTENT_ADDR", -- cgit 1.4.1 From 6a3877dcd35d31eb79bebbc30ffe70ac0342743e Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Fri, 25 Jun 2021 22:14:27 +0100 Subject: Improved FRIDA mode scripting support (#994) Co-authored-by: Your Name --- frida_mode/.gitignore | 2 + frida_mode/GNUmakefile | 17 +- frida_mode/Makefile | 3 + frida_mode/Scripting.md | 828 ++++++++++++++++++--- frida_mode/hook/hook.c | 50 ++ frida_mode/include/js.h | 10 +- frida_mode/src/entry.c | 1 + frida_mode/src/instrument/instrument.c | 11 +- frida_mode/src/js/api.js | 430 ++++++----- frida_mode/src/js/js.c | 13 +- frida_mode/src/js/js_api.c | 12 +- frida_mode/src/persistent/persistent.c | 28 +- frida_mode/src/persistent/persistent_arm64.c | 399 ++++------ frida_mode/src/persistent/persistent_x64.c | 174 ++--- frida_mode/src/persistent/persistent_x86.c | 111 ++- frida_mode/test/jpeg/GNUmakefile | 10 +- frida_mode/test/jpeg/Makefile | 3 - frida_mode/test/jpeg/aflpp_qemu_driver_hook.c | 97 --- frida_mode/test/js/GNUmakefile | 56 +- frida_mode/test/js/Makefile | 13 +- frida_mode/test/js/entry.js | 20 + frida_mode/test/js/patch.js | 34 + frida_mode/test/js/replace.js | 43 ++ frida_mode/test/js/stalker.js | 109 +++ frida_mode/test/js/test.c | 115 +++ frida_mode/test/js/test.js | 20 - frida_mode/test/js/test2.c | 177 +++++ frida_mode/test/js/testinstr.c | 121 --- frida_mode/test/libpcap/GNUmakefile | 10 +- frida_mode/test/libpcap/aflpp_qemu_driver_hook.c | 97 --- frida_mode/test/persistent_ret/GNUmakefile | 11 +- frida_mode/test/persistent_ret/test.js | 62 +- frida_mode/test/persistent_ret/testinstr.c | 11 +- frida_mode/test/png/persistent/hook/GNUmakefile | 30 +- frida_mode/test/png/persistent/hook/Makefile | 3 + .../png/persistent/hook/aflpp_qemu_driver_hook.c | 193 ----- frida_mode/test/png/persistent/hook/cmodule.js | 39 + frida_mode/test/png/persistent/hook/load.js | 27 + frida_mode/test/proj4/GNUmakefile | 10 +- frida_mode/test/proj4/Makefile | 2 - frida_mode/test/proj4/aflpp_qemu_driver_hook.c | 97 --- frida_mode/test/re2/GNUmakefile | 10 +- frida_mode/test/re2/Makefile | 2 - frida_mode/test/re2/aflpp_qemu_driver_hook.c | 97 --- frida_mode/ts/lib/afl.ts | 373 ++++++++++ frida_mode/ts/package-lock.json | 12 + frida_mode/ts/package.json | 32 + frida_mode/ts/tsconfig.json | 14 + frida_mode/ts/tslint.json | 256 +++++++ 49 files changed, 2749 insertions(+), 1546 deletions(-) create mode 100644 frida_mode/hook/hook.c delete mode 100644 frida_mode/test/jpeg/aflpp_qemu_driver_hook.c create mode 100644 frida_mode/test/js/entry.js create mode 100644 frida_mode/test/js/patch.js create mode 100644 frida_mode/test/js/replace.js create mode 100644 frida_mode/test/js/stalker.js create mode 100644 frida_mode/test/js/test.c delete mode 100644 frida_mode/test/js/test.js create mode 100644 frida_mode/test/js/test2.c delete mode 100644 frida_mode/test/js/testinstr.c delete mode 100644 frida_mode/test/libpcap/aflpp_qemu_driver_hook.c delete mode 100644 frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c create mode 100644 frida_mode/test/png/persistent/hook/cmodule.js create mode 100644 frida_mode/test/png/persistent/hook/load.js delete mode 100644 frida_mode/test/proj4/aflpp_qemu_driver_hook.c delete mode 100644 frida_mode/test/re2/aflpp_qemu_driver_hook.c create mode 100644 frida_mode/ts/lib/afl.ts create mode 100644 frida_mode/ts/package-lock.json create mode 100644 frida_mode/ts/package.json create mode 100644 frida_mode/ts/tsconfig.json create mode 100644 frida_mode/ts/tslint.json (limited to 'frida_mode/include') diff --git a/frida_mode/.gitignore b/frida_mode/.gitignore index 956b9911..32cca51f 100644 --- a/frida_mode/.gitignore +++ b/frida_mode/.gitignore @@ -3,3 +3,5 @@ frida_test.dat qemu_test.dat frida_out/** qemu_out/** +ts/dist/ +ts/node_modules/ diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index fdacff62..f5a96501 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -94,11 +94,15 @@ FRIDA_GUM_DEVKIT_COMPRESSED_TARBALL:=$(FRIDA_DIR)build/$(GUM_DEVKIT_FILENAME) AFL_COMPILER_RT_SRC:=$(ROOT)instrumentation/afl-compiler-rt.o.c AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o -.PHONY: all 32 clean format $(FRIDA_GUM) quickjs +HOOK_DIR:=$(PWD)hook/ +AFLPP_DRIVER_HOOK_SRC=$(HOOK_DIR)hook.c +AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)hook.so + +.PHONY: all 32 clean format hook $(FRIDA_GUM) ############################## ALL ############################################# -all: $(FRIDA_TRACE) +all: $(FRIDA_TRACE) $(AFLPP_DRIVER_HOOK_OBJ) 32: CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all @@ -197,13 +201,20 @@ $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL cp -v $(FRIDA_TRACE) $(ROOT) +############################# HOOK ############################################# + +$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR) + $(CC) $(CFLAGS) $(LDFLAGS) -I $(FRIDA_BUILD_DIR) $< -o $@ + +hook: $(AFLPP_DRIVER_HOOK_OBJ) + ############################# CLEAN ############################################ clean: rm -rf $(BUILD_DIR) ############################# FORMAT ########################################### format: - cd $(ROOT) && echo $(SOURCES) | xargs -L1 ./.custom-format.py -i + cd $(ROOT) && echo $(SOURCES) $(AFLPP_DRIVER_HOOK_SRC) | xargs -L1 ./.custom-format.py -i cd $(ROOT) && echo $(INCLUDES) | xargs -L1 ./.custom-format.py -i ############################# RUN ############################################# diff --git a/frida_mode/Makefile b/frida_mode/Makefile index 6cd1a64e..1922c7e6 100644 --- a/frida_mode/Makefile +++ b/frida_mode/Makefile @@ -11,3 +11,6 @@ clean: format: @gmake format + +hook: + @gmake hook diff --git a/frida_mode/Scripting.md b/frida_mode/Scripting.md index 8b961e18..4c6fe6b2 100644 --- a/frida_mode/Scripting.md +++ b/frida_mode/Scripting.md @@ -99,142 +99,752 @@ const address = module.base.add(0xdeadface); Afl.setPersistentAddress(address); ``` -# API +# Persisent Hook +A persistent hook can be implemented using a conventional shared object, sample +source code for a hook suitable for the prototype of `LLVMFuzzerTestOneInput` +can be found [here](hook/hook.c). This can be configured using code similar to +the following. + ```js -/* - * Print a message to the STDOUT. This should be preferred to - * FRIDA's `console.log` since FRIDA will queue it's log messages. - * If `console.log` is used in a callback in particular, then there - * may no longer be a thread running to service this queue. - */ -Afl.print(msg); +const path = Afl.module.path; +const dir = path.substring(0, path.lastIndexOf("/")); +const mod = Module.load(`${dir}/frida_mode/build/hook.so`); +const hook = mod.getExportByName('afl_persistent_hook'); +Afl.setPersistentHook(hook); +``` -/* - * This must always be called at the end of your script. This lets - * FRIDA mode know that your configuration is finished and that - * execution has reached the end of your script. Failure to call - * this will result in a fatal error. - */ +Alternatively, the hook can be provided by using FRIDAs built in support for `CModule`, powered by TinyCC. + +```js +const cm = new CModule(` + + #include + #include + + void afl_persistent_hook(GumCpuContext *regs, uint8_t *input_buf, + uint32_t input_buf_len) { + + memcpy((void *)regs->rdi, input_buf, input_buf_len); + regs->rsi = input_buf_len; + + } + `, + { + memcpy: Module.getExportByName(null, 'memcpy') + }); +Afl.setPersistentHook(cm.afl_persistent_hook); +``` + +# Advanced Persistence +Consider the following target code... +```c + +#include +#include +#include +#include +#include + +void LLVMFuzzerTestOneInput(char *buf, int len) { + + if (len < 1) return; + buf[len] = 0; + + // we support three input cases + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else if (buf[0] == '1') + printf("Pretty sure that is a one!\n"); + else + printf("Neither one or zero? How quaint!\n"); + +} + +int run(char *file) { + + int fd = -1; + off_t len; + char * buf = NULL; + size_t n_read; + int result = -1; + + do { + + dprintf(STDERR_FILENO, "Running: %s\n", file); + + fd = open(file, O_RDONLY); + if (fd < 0) { + + perror("open"); + break; + + } + + len = lseek(fd, 0, SEEK_END); + if (len < 0) { + + perror("lseek (SEEK_END)"); + break; + + } + + if (lseek(fd, 0, SEEK_SET) != 0) { + + perror("lseek (SEEK_SET)"); + break; + + } + + buf = malloc(len); + if (buf == NULL) { + + perror("malloc"); + break; + + } + + n_read = read(fd, buf, len); + if (n_read != len) { + + perror("read"); + break; + + } + + dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); + + LLVMFuzzerTestOneInput(buf, len); + dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read); + + result = 0; + + } while (false); + + if (buf != NULL) { free(buf); } + + if (fd != -1) { close(fd); } + + return result; + +} + +void slow() { + + usleep(100000); + +} + +int main(int argc, char **argv) { + + if (argc != 2) { return 1; } + slow(); + return run(argv[1]); + +} +``` + +FRIDA mode supports the replacement of any function, with an implementation +generated by CModule. This allows for a bespoke harness to be written as +follows: + +``` +const slow = DebugSymbol.fromName('slow').address; +Afl.print(`slow: ${slow}`); + +const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; +Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`); + +const cm = new CModule(` + + extern unsigned char * __afl_fuzz_ptr; + extern unsigned int * __afl_fuzz_len; + extern void LLVMFuzzerTestOneInput(char *buf, int len); + + void slow(void) { + + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + } + `, + { + LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput, + __afl_fuzz_ptr: Afl.getAflFuzzPtr(), + __afl_fuzz_len: Afl.getAflFuzzLen() + }); + +Afl.setEntryPoint(cm.slow); +Afl.setPersistentAddress(cm.slow); +Afl.setInMemoryFuzzing(); +Interceptor.replace(slow, cm.slow); +Afl.print("done"); Afl.done(); +``` -/* - * This function can be called within your script to cause FRIDA - * mode to trigger a fatal error. This is useful if for example you - * discover a problem you weren't expecting and want everything to - * stop. The user will need to enable `AFL_DEBUG_CHILD=1` to view - * this error message. - */ -Afl.error(); +Here, we replace the function `slow` with our own code. This code is then +selected as the entry point as well as the persistent loop address. -/* - * This has the same effect as setting `AFL_ENTRYPOINT`, but has the - * convenience of allowing you to use FRIDAs APIs to determine the - * address you would like to configure, rather than having to grep - * the output of `readelf` or something similarly ugly. This - * function should be called with a `NativePointer` as its - * argument. - */ -Afl.setEntryPoint(address); +**WARNING** There are two key limitations in replacing a function in this way: +- The function which is to be replaced must not be `main` this is because this +is the point at which FRIDA mode is initialized and at the point the the JS has +been run, the start of the `main` function has already been instrumented and +cached. +- The replacement function must not call itself. e.g. in this example we +couldn't replace `LLVMFuzzerTestOneInput` and call itself. -/* - * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a - * `NativePointer` should be provided as it's argument. - */ -Afl.setPersistentAddress(address); +# Patching +Consider the [following](test/js/test2.c) test code... +```c /* - * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a - * `NativePointer` should be provided as it's argument. + american fuzzy lop++ - a trivial program to test the build + -------------------------------------------------------- + Originally written by Michal Zalewski + Copyright 2014 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + http://www.apache.org/licenses/LICENSE-2.0 */ -Afl.setPersistentReturn(address); -/* - * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a - * `number` should be provided as it's argument. - */ -Afl.setPersistentCount(count); +#include +#include +#include +#include +#include +#include + +const uint32_t crc32_tab[] = { + 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, + + ... + + 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d +}; + +uint32_t +crc32(const void *buf, size_t size) +{ + const uint8_t *p = buf; + uint32_t crc; + crc = ~0U; + while (size--) + crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8); + return crc ^ ~0U; +} /* - * See `AFL_FRIDA_PERSISTENT_DEBUG`. + * Don't you hate those contrived examples which CRC their data. We can use + * FRIDA to patch this function out and always return success. Otherwise, we + * could change it to actually correct the checksum. */ -Afl.setPersistentDebug(); +int crc32_check (char * buf, int len) { + if (len < sizeof(uint32_t)) { return 0; } + uint32_t expected = *(uint32_t *)&buf[len - sizeof(uint32_t)]; + uint32_t calculated = crc32(buf, len - sizeof(uint32_t)); + return expected == calculated; +} /* - * See `AFL_FRIDA_DEBUG_MAPS`. + * So you've found a really boring bug in an earlier campaign which results in + * a NULL dereference or something like that. That bug can get in the way, + * causing the persistent loop to exit whenever it is triggered, and can also + * cloud your output unnecessarily. Again, we can use FRIDA to patch it out. */ -Afl.setDebugMaps(); +void some_boring_bug(char c) { + switch (c) { + case 'A'...'Z': + case 'a'...'z': + __builtin_trap(); + break; + } +} -/* - * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`, - * it takes as arguments a `NativePointer` and a `number`. It can be - * called multiple times to include several ranges. - */ -Afl.addIncludedRange(address, size); +void LLVMFuzzerTestOneInput(char *buf, int len) { + + if (!crc32_check(buf, len)) return; + + some_boring_bug(buf[0]); + + if (buf[0] == '0') { + printf("Looks like a zero to me!\n"); + } + else if (buf[0] == '1') { + printf("Pretty sure that is a one!\n"); + } + else if (buf[0] == '2') { + if (buf[1] == '3') { + if (buf[2] == '4') { + printf("Oh we, weren't expecting that!"); + __builtin_trap(); + } + } + } + else + printf("Neither one or zero? How quaint!\n"); -/* - * This is equivalent to setting a value in `AFL_FRIDA_EXCLUDE_RANGES`, - * it takes as arguments a `NativePointer` and a `number`. It can be - * called multiple times to exclude several ranges. - */ -Afl.addExcludedRange(address, size); +} -/* - * See `AFL_INST_LIBS`. - */ -Afl.setInstrumentLibraries(); +int main(int argc, char **argv) { -/* - * See `AFL_FRIDA_INST_DEBUG_FILE`. This function takes a single `string` as - * an argument. - */ -Afl.setInstrumentDebugFile(file); + int fd = -1; + off_t len; + char * buf = NULL; + size_t n_read; + int result = -1; -/* - * See `AFL_FRIDA_INST_NO_PREFETCH`. - */ -Afl.setPrefetchDisable(); + if (argc != 2) { return 1; } -/* - * See `AFL_FRIDA_INST_NO_OPTIMIZE` - */ -Afl.setInstrumentNoOptimize(); + printf("Running: %s\n", argv[1]); -/* - * See `AFL_FRIDA_INST_TRACE`. - */ -Afl.setInstrumentEnableTracing(); + fd = open(argv[1], O_RDONLY); + if (fd < 0) { return 1; } -/* - * See `AFL_FRIDA_INST_TRACE_UNIQUE`. - */ -Afl.setInstrumentTracingUnique() + len = lseek(fd, 0, SEEK_END); + if (len < 0) { return 1; } -/* - * See `AFL_FRIDA_OUTPUT_STDOUT`. This function takes a single `string` as - * an argument. - */ -Afl.setStdOut(file); + if (lseek(fd, 0, SEEK_SET) != 0) { return 1; } -/* - * See `AFL_FRIDA_OUTPUT_STDERR`. This function takes a single `string` as - * an argument. - */ -Afl.setStdErr(file); + buf = malloc(len); + if (buf == NULL) { return 1; } -/* - * See `AFL_FRIDA_STATS_FILE`. This function takes a single `string` as - * an argument. - */ -Afl.setStatsFile(file); + n_read = read(fd, buf, len); + if (n_read != len) { return 1; } -/* - * See `AFL_FRIDA_STATS_INTERVAL`. This function takes a `number` as an - * argument - */ -Afl.setStatsInterval(interval); + printf("Running: %s: (%zd bytes)\n", argv[1], n_read); + + LLVMFuzzerTestOneInput(buf, len); + printf("Done: %s: (%zd bytes)\n", argv[1], n_read); + + return 0; +} +``` + +There are a couple of obstacles with our target application. Unlike when fuzzing +source code, though, we can't simply edit it and recompile it. The following +script shows how we can use the normal functionality of FRIDA to modify any +troublesome behaviour. + +```js +Afl.print('******************'); +Afl.print('* AFL FRIDA MODE *'); +Afl.print('******************'); +Afl.print(''); + +const main = DebugSymbol.fromName('main').address; +Afl.print(`main: ${main}`); +Afl.setEntryPoint(main); +Afl.setPersistentAddress(main); +Afl.setPersistentCount(10000000); + +const crc32_check = DebugSymbol.fromName('crc32_check').address; +const crc32_replacement = new NativeCallback( + (buf, len) => { + Afl.print(`len: ${len}`); + if (len < 4) { + return 0; + } + + return 1; + }, + 'int', + ['pointer', 'int']); +Interceptor.replace(crc32_check, crc32_replacement); + +const some_boring_bug = DebugSymbol.fromName('some_boring_bug').address +const boring_replacement = new NativeCallback( + (c) => { }, + 'void', + ['char']); +Interceptor.replace(some_boring_bug, boring_replacement); + +Afl.done(); +Afl.print("done"); +``` + +# Advanced Patching +Consider the following code fragment... +```c +extern void some_boring_bug2(char c); + +__asm__ ( + ".text \n" + "some_boring_bug2: \n" + ".global some_boring_bug2 \n" + ".type some_boring_bug2, @function \n" + "mov %edi, %eax \n" + "cmp $0xb4, %al \n" + "jne ok \n" + "ud2 \n" + "ok: \n" + "ret \n"); + +void LLVMFuzzerTestOneInput(char *buf, int len) { + + ... + + some_boring_bug2(buf[0]); + + ... + +} +``` + +Rather than using FRIDAs `Interceptor.replace` or `Interceptor.attach` APIs, it +is possible to apply much more fine grained modification to the target +application by means of using the Stalker APIs. + +The following code locates the function of interest and patches out the UD2 +instruction signifying a crash. + +```js +/* Modify the instructions */ +const some_boring_bug2 = DebugSymbol.fromName('some_boring_bug2').address +const pid = Memory.alloc(4); +pid.writeInt(Process.id); + +const cm = new CModule(` + #include + #include + + typedef int pid_t; + + #define STDERR_FILENO 2 + #define BORING2_LEN 10 + + extern int dprintf(int fd, const char *format, ...); + extern void some_boring_bug2(char c); + extern pid_t getpid(void); + extern pid_t pid; + + gboolean js_stalker_callback(const cs_insn *insn, gboolean begin, + gboolean excluded, GumStalkerOutput *output) + { + pid_t my_pid = getpid(); + GumX86Writer *cw = output->writer.x86; + + if (GUM_ADDRESS(insn->address) < GUM_ADDRESS(some_boring_bug2)) { + + return TRUE; + + } + + if (GUM_ADDRESS(insn->address) >= + GUM_ADDRESS(some_boring_bug2) + BORING2_LEN) { + + return TRUE; + + } + + if (my_pid == pid) { + + if (begin) { + + dprintf(STDERR_FILENO, "\n> 0x%016lX: %s %s\n", insn->address, + insn->mnemonic, insn->op_str); + + } else { + + dprintf(STDERR_FILENO, " 0x%016lX: %s %s\n", insn->address, + insn->mnemonic, insn->op_str); + + } + + } + + if (insn->id == X86_INS_UD2) { + + gum_x86_writer_put_nop(cw); + return FALSE; + + } else { + + return TRUE; + + } + } + `, + { + dprintf: Module.getExportByName(null, 'dprintf'), + getpid: Module.getExportByName(null, 'getpid'), + some_boring_bug2: some_boring_bug2, + pid: pid + }); +Afl.setStalkerCallback(cm.js_stalker_callback) +Afl.setStdErr("/tmp/stderr.txt"); +``` + +Note that you will more likely want to find the +patch address by using: + +```js +const module = Process.getModuleByName('target.exe'); +/* Hardcoded offset within the target image */ +const address = module.base.add(0xdeadface); +``` +OR +``` +const address = DebugSymbol.fromName("my_function").address.add(0xdeadface); +``` +OR +``` +const address = Module.getExportByName(null, "my_function").add(0xdeadface); +``` + +The function `js_stalker_callback` should return `TRUE` if the original +instruction should be emitted in the instrumented code, or `FALSE` otherwise. +In the example above, we can see it is replaced with a `NOP`. + +Lastly, note that the same callback will be called when compiling instrumented +code both in the child of the forkserver (as it is executed) and also in the +parent of the forserver (when prefetching is enabled) so that it can be +inherited by the next forked child. It is **VERY** important that the same +instructions be generated in both the parent and the child, or if prefetching is +disabled that the same instructions are generated every time the block is +compiled. Failure to do so will likely lead to bugs which are incredibly +difficult to diagnose. The code above only prints the instructions when running +in the parent process (the one provided by `Process.id` when the JS script is +executed). + +# API +```js +class Afl { + + /** + * Field containing the `Module` object for `afl-frida-trace.so` (the FRIDA mode + * implementation). + */ + public static module: Module = Process.getModuleByName("afl-frida-trace.so"); + + /** + * This is equivalent to setting a value in `AFL_FRIDA_EXCLUDE_RANGES`, + * it takes as arguments a `NativePointer` and a `number`. It can be + * called multiple times to exclude several ranges. + */ + public static addExcludedRange(addressess: NativePointer, size: number): void { + Afl.jsApiAddExcludeRange(addressess, size); + } + + /** + * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`, + * it takes as arguments a `NativePointer` and a `number`. It can be + * called multiple times to include several ranges. + */ + public static addIncludedRange(addressess: NativePointer, size: number): void { + Afl.jsApiAddIncludeRange(addressess, size); + } + + /** + * This must always be called at the end of your script. This lets + * FRIDA mode know that your configuration is finished and that + * execution has reached the end of your script. Failure to call + * this will result in a fatal error. + */ + public static done(): void { + Afl.jsApiDone(); + } + + /** + * This function can be called within your script to cause FRIDA + * mode to trigger a fatal error. This is useful if for example you + * discover a problem you weren't expecting and want everything to + * stop. The user will need to enable `AFL_DEBUG_CHILD=1` to view + * this error message. + */ + public static error(msg: string): void { + const buf = Memory.allocUtf8String(msg); + Afl.jsApiError(buf); + } + + /** + * Function used to provide access to `__afl_fuzz_ptr`, which contains the length of + * fuzzing data when using in-memory test case fuzzing. + */ + public static getAflFuzzLen(): NativePointer { + + return Afl.jsApiGetSymbol("__afl_fuzz_len"); + } + + /** + * Function used to provide access to `__afl_fuzz_ptr`, which contains the fuzzing + * data when using in-memory test case fuzzing. + */ + public static getAflFuzzPtr(): NativePointer { + + return Afl.jsApiGetSymbol("__afl_fuzz_ptr"); + } + + /** + * Print a message to the STDOUT. This should be preferred to + * FRIDA's `console.log` since FRIDA will queue it's log messages. + * If `console.log` is used in a callback in particular, then there + * may no longer be a thread running to service this queue. + */ + public static print(msg: string): void { + const STDOUT_FILENO = 2; + const log = `${msg}\n`; + const buf = Memory.allocUtf8String(log); + Afl.jsApiWrite(STDOUT_FILENO, buf, log.length); + } + + /** + * See `AFL_FRIDA_DEBUG_MAPS`. + */ + public static setDebugMaps(): void { + Afl.jsApiSetDebugMaps(); + } + + /** + * This has the same effect as setting `AFL_ENTRYPOINT`, but has the + * convenience of allowing you to use FRIDAs APIs to determine the + * address you would like to configure, rather than having to grep + * the output of `readelf` or something similarly ugly. This + * function should be called with a `NativePointer` as its + * argument. + */ + public static setEntryPoint(address: NativePointer): void { + Afl.jsApiSetEntryPoint(address); + } + + /** + * Function used to enable in-memory test cases for fuzzing. + */ + public static setInMemoryFuzzing(): void { + Afl.jsApiAflSharedMemFuzzing.writeInt(1); + } + + /** + * See `AFL_FRIDA_INST_DEBUG_FILE`. This function takes a single `string` as + * an argument. + */ + public static setInstrumentDebugFile(file: string): void { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetInstrumentDebugFile(buf); + } + + /** + * See `AFL_FRIDA_INST_TRACE`. + */ + public static setInstrumentEnableTracing(): void { + Afl.jsApiSetInstrumentTrace(); + } + + /** + * See `AFL_INST_LIBS`. + */ + public static setInstrumentLibraries(): void { + Afl.jsApiSetInstrumentLibraries(); + } + + /** + * See `AFL_FRIDA_INST_NO_OPTIMIZE` + */ + public static setInstrumentNoOptimize(): void { + Afl.jsApiSetInstrumentNoOptimize(); + } + + /** + * See `AFL_FRIDA_INST_TRACE_UNIQUE`. + */ + public static setInstrumentTracingUnique(): void { + Afl.jsApiSetInstrumentTraceUnique(); + } + + /** + * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a + * `NativePointer` should be provided as it's argument. + */ + public static setPersistentAddress(address: NativePointer): void { + Afl.jsApiSetPersistentAddress(address); + } + + /** + * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a + * `number` should be provided as it's argument. + */ + public static setPersistentCount(count: number): void { + Afl.jsApiSetPersistentCount(count); + } + + /** + * See `AFL_FRIDA_PERSISTENT_DEBUG`. + */ + public static setPersistentDebug(): void { + Afl.jsApiSetPersistentDebug(); + } + + /** + * See `AFL_FRIDA_PERSISTENT_ADDR`. This function takes a NativePointer as an + * argument. See above for examples of use. + */ + public static setPersistentHook(address: NativePointer): void { + Afl.jsApiSetPersistentHook(address); + } + + /** + * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a + * `NativePointer` should be provided as it's argument. + */ + public static setPersistentReturn(address: NativePointer): void { + Afl.jsApiSetPersistentReturn(address); + } + + /** + * See `AFL_FRIDA_INST_NO_PREFETCH`. + */ + public static setPrefetchDisable(): void { + Afl.jsApiSetPrefetchDisable(); + } + + /* + * Set a function to be called for each instruction which is instrumented + * by AFL FRIDA mode. + */ + public static setStalkerCallback(callback: NativePointer): void { + Afl.jsApiSetStalkerCallback(callback); + } + + /** + * See `AFL_FRIDA_STATS_FILE`. This function takes a single `string` as + * an argument. + */ + public static setStatsFile(file: string): void { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetStatsFile(buf); + } + + /** + * See `AFL_FRIDA_STATS_INTERVAL`. This function takes a `number` as an + * argument + */ + public static setStatsInterval(interval: number): void { + Afl.jsApiSetStatsInterval(interval); + } + + /** + * See `AFL_FRIDA_STATS_TRANSITIONS` + */ + public static setStatsTransitions(): void { + Afl.jsApiSetStatsTransitions(); + } + + /** + * See `AFL_FRIDA_OUTPUT_STDERR`. This function takes a single `string` as + * an argument. + */ + public static setStdErr(file: string): void { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetStdErr(buf); + } + + /** + * See `AFL_FRIDA_OUTPUT_STDOUT`. This function takes a single `string` as + * an argument. + */ + public static setStdOut(file: string): void { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetStdOut(buf); + } + +} -/* - * See `AFL_FRIDA_STATS_TRANSITIONS` - */ -Afl.setStatsTransitions() ``` diff --git a/frida_mode/hook/hook.c b/frida_mode/hook/hook.c new file mode 100644 index 00000000..7d08101f --- /dev/null +++ b/frida_mode/hook/hook.c @@ -0,0 +1,50 @@ +#include +#include + +#include "frida-gumjs.h" + +#if defined(__x86_64__) + +void afl_persistent_hook(GumCpuContext *regs, uint8_t *input_buf, + uint32_t input_buf_len) { + + memcpy((void *)regs->rdi, input_buf, input_buf_len); + regs->rsi = input_buf_len; + +} + +#elif defined(__i386__) + +void afl_persistent_hook(GumCpuContext *regs, uint8_t *input_buf, + uint32_t input_buf_len) { + + void **esp = (void **)regs->esp; + void * arg1 = esp[0]; + void **arg2 = &esp[1]; + memcpy(arg1, input_buf, input_buf_len); + *arg2 = (void *)input_buf_len; + +} + +#elif defined(__aarch64__) + +void afl_persistent_hook(GumCpuContext *regs, uint8_t *input_buf, + uint32_t input_buf_len) { + + memcpy((void *)regs->x[0], input_buf, input_buf_len); + regs->x[1] = input_buf_len; + +} + +#else + #pragma error "Unsupported architecture" +#endif + +int afl_persistent_hook_init(void) { + + // 1 for shared memory input (faster), 0 for normal input (you have to use + // read(), input_buf will be NULL) + return 1; + +} + diff --git a/frida_mode/include/js.h b/frida_mode/include/js.h index 77237d55..a5ecb712 100644 --- a/frida_mode/include/js.h +++ b/frida_mode/include/js.h @@ -3,10 +3,15 @@ #include "frida-gumjs.h" +typedef gboolean (*js_api_stalker_callback_t)(const cs_insn *insn, + gboolean begin, gboolean excluded, + GumStalkerOutput *output); + extern unsigned char api_js[]; extern unsigned int api_js_len; -extern gboolean js_done; +extern gboolean js_done; +extern js_api_stalker_callback_t js_user_callback; /* Frida Mode */ @@ -14,5 +19,8 @@ void js_config(void); void js_start(void); +gboolean js_stalker_callback(const cs_insn *insn, gboolean begin, + gboolean excluded, GumStalkerOutput *output); + #endif diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index 186d5098..e95b923b 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -13,6 +13,7 @@ guint64 entry_point = 0; static void entry_launch(void) { + OKF("Entry point reached"); __afl_manual_init(); /* Child here */ diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index d6ae505d..2a217d96 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -11,6 +11,7 @@ #include "entry.h" #include "frida_cmplog.h" #include "instrument.h" +#include "js.h" #include "persistent.h" #include "prefetch.h" #include "ranges.h" @@ -165,8 +166,6 @@ static void instrument_basic_block(GumStalkerIterator *iterator, } - begin = FALSE; - } instrument_debug_instruction(instr->address, instr->size); @@ -178,7 +177,13 @@ static void instrument_basic_block(GumStalkerIterator *iterator, } - gum_stalker_iterator_keep(iterator); + if (js_stalker_callback(instr, begin, excluded, output)) { + + gum_stalker_iterator_keep(iterator); + + } + + begin = FALSE; } diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js index 983f1efa..4cb04704 100644 --- a/frida_mode/src/js/api.js +++ b/frida_mode/src/js/api.js @@ -1,201 +1,243 @@ -const write = new NativeFunction( - Module.getExportByName(null, 'write'), - 'int', - ['int', 'pointer', 'int'] -); - -const afl_frida_trace = Process.findModuleByName('afl-frida-trace.so'); - -function get_api(name, ret, args) { - const addr = afl_frida_trace.findExportByName(name); - return new NativeFunction(addr, ret, args); -} - -const js_api_done = get_api( - 'js_api_done', - 'void', - []); - -const js_api_error = get_api( - 'js_api_error', - 'void', - ['pointer']); - -const js_api_set_entrypoint = get_api( - 'js_api_set_entrypoint', - 'void', - ['pointer']); - -const js_api_set_persistent_address = get_api( - 'js_api_set_persistent_address', - 'void', - ['pointer']); - -const js_api_set_persistent_return = get_api( - 'js_api_set_persistent_return', - 'void', - ['pointer']); - -const js_api_set_persistent_count = get_api( - 'js_api_set_persistent_count', - 'void', - ['uint64']); - -const js_api_set_persistent_debug = get_api( - 'js_api_set_persistent_debug', - 'void', - []); - -const js_api_set_debug_maps = get_api( - 'js_api_set_debug_maps', - 'void', - []); - -const js_api_add_include_range = get_api( - 'js_api_add_include_range', - 'void', - ['pointer', 'size_t']); - -const js_api_add_exclude_range = get_api( - 'js_api_add_exclude_range', - 'void', - ['pointer', 'size_t']); - -const js_api_set_instrument_libraries = get_api( - 'js_api_set_instrument_libraries', - 'void', - []); - -const js_api_set_instrument_debug_file = get_api( - 'js_api_set_instrument_debug_file', - 'void', - ['pointer']); - -const js_api_set_prefetch_disable = get_api( - 'js_api_set_prefetch_disable', - 'void', - []); - -const js_api_set_instrument_no_optimize = get_api( - 'js_api_set_instrument_no_optimize', - 'void', - []); - -const js_api_set_instrument_trace = get_api( - 'js_api_set_instrument_trace', - 'void', - []); - -const js_api_set_instrument_trace_unique = get_api( - 'js_api_set_instrument_trace_unique', - 'void', - []); - -const js_api_set_stdout = get_api( - 'js_api_set_stdout', - 'void', - ['pointer']); - -const js_api_set_stderr = get_api( - 'js_api_set_stderr', - 'void', - ['pointer']); - -const js_api_set_stats_file = get_api( - 'js_api_set_stats_file', - 'void', - ['pointer']); - -const js_api_set_stats_interval = get_api( - 'js_api_set_stats_interval', - 'void', - ['uint64']); - -const js_api_set_stats_transitions = get_api( - 'js_api_set_stats_transitions', - 'void', - []); - -const afl = { - print: function (msg) { +"use strict"; +class Afl { + /** + * This is equivalent to setting a value in `AFL_FRIDA_EXCLUDE_RANGES`, + * it takes as arguments a `NativePointer` and a `number`. It can be + * called multiple times to exclude several ranges. + */ + static addExcludedRange(addressess, size) { + Afl.jsApiAddExcludeRange(addressess, size); + } + /** + * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`, + * it takes as arguments a `NativePointer` and a `number`. It can be + * called multiple times to include several ranges. + */ + static addIncludedRange(addressess, size) { + Afl.jsApiAddIncludeRange(addressess, size); + } + /** + * This must always be called at the end of your script. This lets + * FRIDA mode know that your configuration is finished and that + * execution has reached the end of your script. Failure to call + * this will result in a fatal error. + */ + static done() { + Afl.jsApiDone(); + } + /** + * This function can be called within your script to cause FRIDA + * mode to trigger a fatal error. This is useful if for example you + * discover a problem you weren't expecting and want everything to + * stop. The user will need to enable `AFL_DEBUG_CHILD=1` to view + * this error message. + */ + static error(msg) { + const buf = Memory.allocUtf8String(msg); + Afl.jsApiError(buf); + } + /** + * Function used to provide access to `__afl_fuzz_ptr`, which contains the length of + * fuzzing data when using in-memory test case fuzzing. + */ + static getAflFuzzLen() { + return Afl.jsApiGetSymbol("__afl_fuzz_len"); + } + /** + * Function used to provide access to `__afl_fuzz_ptr`, which contains the fuzzing + * data when using in-memory test case fuzzing. + */ + static getAflFuzzPtr() { + return Afl.jsApiGetSymbol("__afl_fuzz_ptr"); + } + /** + * Print a message to the STDOUT. This should be preferred to + * FRIDA's `console.log` since FRIDA will queue it's log messages. + * If `console.log` is used in a callback in particular, then there + * may no longer be a thread running to service this queue. + */ + static print(msg) { const STDOUT_FILENO = 2; const log = `${msg}\n`; const buf = Memory.allocUtf8String(log); - write(STDOUT_FILENO, buf, log.length); - }, - done: function() { - js_api_done(); - }, - error: function(msg) { - const buf = Memory.allocUtf8String(msg); - js_api_error(buf); - }, - setEntryPoint: function(addr) { - js_api_set_entrypoint(addr); - }, - setPersistentAddress: function(addr) { - js_api_set_persistent_address(addr); - }, - setPersistentReturn: function(addr) { - js_api_set_persistent_return(addr); - }, - setPersistentCount: function(addr) { - js_api_set_persistent_count(addr); - }, - setPersistentDebug: function() { - js_api_set_persistent_debug(); - }, - setDebugMaps: function() { - js_api_set_debug_maps(); - }, - addIncludedRange: function(address, size) { - js_api_add_include_range(address, size); - }, - addExcludedRange: function(address, size) { - js_api_add_exclude_range(address, size); - }, - setInstrumentLibraries: function() { - js_api_set_instrument_libraries(); - }, - setInstrumentDebugFile: function(file) { + Afl.jsApiWrite(STDOUT_FILENO, buf, log.length); + } + /** + * See `AFL_FRIDA_DEBUG_MAPS`. + */ + static setDebugMaps() { + Afl.jsApiSetDebugMaps(); + } + /** + * This has the same effect as setting `AFL_ENTRYPOINT`, but has the + * convenience of allowing you to use FRIDAs APIs to determine the + * address you would like to configure, rather than having to grep + * the output of `readelf` or something similarly ugly. This + * function should be called with a `NativePointer` as its + * argument. + */ + static setEntryPoint(address) { + Afl.jsApiSetEntryPoint(address); + } + /** + * Function used to enable in-memory test cases for fuzzing. + */ + static setInMemoryFuzzing() { + Afl.jsApiAflSharedMemFuzzing.writeInt(1); + } + /** + * See `AFL_FRIDA_INST_DEBUG_FILE`. This function takes a single `string` as + * an argument. + */ + static setInstrumentDebugFile(file) { const buf = Memory.allocUtf8String(file); - js_api_set_instrument_debug_file(buf) - }, - setPrefetchDisable: function() { - js_api_set_prefetch_disable(); - }, - setInstrumentNoOptimize: function() { - js_api_set_instrument_no_optimize(); - }, - setInstrumentEnableTracing: function() { - js_api_set_instrument_trace(); - }, - setInstrumentTracingUnique: function() { - js_api_set_instrument_trace_unique(); - }, - setStdOut: function(file) { + Afl.jsApiSetInstrumentDebugFile(buf); + } + /** + * See `AFL_FRIDA_INST_TRACE`. + */ + static setInstrumentEnableTracing() { + Afl.jsApiSetInstrumentTrace(); + } + /** + * See `AFL_INST_LIBS`. + */ + static setInstrumentLibraries() { + Afl.jsApiSetInstrumentLibraries(); + } + /** + * See `AFL_FRIDA_INST_NO_OPTIMIZE` + */ + static setInstrumentNoOptimize() { + Afl.jsApiSetInstrumentNoOptimize(); + } + /** + * See `AFL_FRIDA_INST_TRACE_UNIQUE`. + */ + static setInstrumentTracingUnique() { + Afl.jsApiSetInstrumentTraceUnique(); + } + /** + * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a + * `NativePointer` should be provided as it's argument. + */ + static setPersistentAddress(address) { + Afl.jsApiSetPersistentAddress(address); + } + /** + * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a + * `number` should be provided as it's argument. + */ + static setPersistentCount(count) { + Afl.jsApiSetPersistentCount(count); + } + /** + * See `AFL_FRIDA_PERSISTENT_DEBUG`. + */ + static setPersistentDebug() { + Afl.jsApiSetPersistentDebug(); + } + /** + * See `AFL_FRIDA_PERSISTENT_ADDR`. This function takes a NativePointer as an + * argument. See above for examples of use. + */ + static setPersistentHook(address) { + Afl.jsApiSetPersistentHook(address); + } + /** + * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a + * `NativePointer` should be provided as it's argument. + */ + static setPersistentReturn(address) { + Afl.jsApiSetPersistentReturn(address); + } + /** + * See `AFL_FRIDA_INST_NO_PREFETCH`. + */ + static setPrefetchDisable() { + Afl.jsApiSetPrefetchDisable(); + } + /* + * Set a function to be called for each instruction which is instrumented + * by AFL FRIDA mode. + */ + static setStalkerCallback(callback) { + Afl.jsApiSetStalkerCallback(callback); + } + /** + * See `AFL_FRIDA_STATS_FILE`. This function takes a single `string` as + * an argument. + */ + static setStatsFile(file) { const buf = Memory.allocUtf8String(file); - js_api_set_stdout(buf) - }, - setStdErr: function(file) { + Afl.jsApiSetStatsFile(buf); + } + /** + * See `AFL_FRIDA_STATS_INTERVAL`. This function takes a `number` as an + * argument + */ + static setStatsInterval(interval) { + Afl.jsApiSetStatsInterval(interval); + } + /** + * See `AFL_FRIDA_STATS_TRANSITIONS` + */ + static setStatsTransitions() { + Afl.jsApiSetStatsTransitions(); + } + /** + * See `AFL_FRIDA_OUTPUT_STDERR`. This function takes a single `string` as + * an argument. + */ + static setStdErr(file) { const buf = Memory.allocUtf8String(file); - js_api_set_stderr(buf) - }, - setStatsFile: function(file) { + Afl.jsApiSetStdErr(buf); + } + /** + * See `AFL_FRIDA_OUTPUT_STDOUT`. This function takes a single `string` as + * an argument. + */ + static setStdOut(file) { const buf = Memory.allocUtf8String(file); - js_api_set_stats_file(buf) - }, - setStatsInterval: function(interval) { - js_api_set_stats_interval(interval); - }, - setStatsTransitions: function() { - js_api_set_stats_transitions(); - } - -}; - -Object.defineProperty(global, 'Afl', {value: afl, writeable: false}); - -//////////////////////////////////////////////////////////////////////////////// -// END OF API // -//////////////////////////////////////////////////////////////////////////////// + Afl.jsApiSetStdOut(buf); + } + static jsApiGetFunction(name, retType, argTypes) { + const addr = Afl.module.getExportByName(name); + return new NativeFunction(addr, retType, argTypes); + } + static jsApiGetSymbol(name) { + return Afl.module.getExportByName(name); + } +} +/** + * Field containing the `Module` object for `afl-frida-trace.so` (the FRIDA mode + * implementation). + */ +Afl.module = Process.getModuleByName("afl-frida-trace.so"); +Afl.jsApiAddExcludeRange = Afl.jsApiGetFunction("js_api_add_exclude_range", "void", ["pointer", "size_t"]); +Afl.jsApiAddIncludeRange = Afl.jsApiGetFunction("js_api_add_include_range", "void", ["pointer", "size_t"]); +Afl.jsApiAflSharedMemFuzzing = Afl.jsApiGetSymbol("__afl_sharedmem_fuzzing"); +Afl.jsApiDone = Afl.jsApiGetFunction("js_api_done", "void", []); +Afl.jsApiError = Afl.jsApiGetFunction("js_api_error", "void", ["pointer"]); +Afl.jsApiSetDebugMaps = Afl.jsApiGetFunction("js_api_set_debug_maps", "void", []); +Afl.jsApiSetEntryPoint = Afl.jsApiGetFunction("js_api_set_entrypoint", "void", ["pointer"]); +Afl.jsApiSetInstrumentDebugFile = Afl.jsApiGetFunction("js_api_set_instrument_debug_file", "void", ["pointer"]); +Afl.jsApiSetInstrumentLibraries = Afl.jsApiGetFunction("js_api_set_instrument_libraries", "void", []); +Afl.jsApiSetInstrumentNoOptimize = Afl.jsApiGetFunction("js_api_set_instrument_no_optimize", "void", []); +Afl.jsApiSetInstrumentTrace = Afl.jsApiGetFunction("js_api_set_instrument_trace", "void", []); +Afl.jsApiSetInstrumentTraceUnique = Afl.jsApiGetFunction("js_api_set_instrument_trace_unique", "void", []); +Afl.jsApiSetPersistentAddress = Afl.jsApiGetFunction("js_api_set_persistent_address", "void", ["pointer"]); +Afl.jsApiSetPersistentCount = Afl.jsApiGetFunction("js_api_set_persistent_count", "void", ["uint64"]); +Afl.jsApiSetPersistentDebug = Afl.jsApiGetFunction("js_api_set_persistent_debug", "void", []); +Afl.jsApiSetPersistentHook = Afl.jsApiGetFunction("js_api_set_persistent_hook", "void", ["pointer"]); +Afl.jsApiSetPersistentReturn = Afl.jsApiGetFunction("js_api_set_persistent_return", "void", ["pointer"]); +Afl.jsApiSetPrefetchDisable = Afl.jsApiGetFunction("js_api_set_prefetch_disable", "void", []); +Afl.jsApiSetStalkerCallback = Afl.jsApiGetFunction("js_api_set_stalker_callback", "void", ["pointer"]); +Afl.jsApiSetStatsFile = Afl.jsApiGetFunction("js_api_set_stats_file", "void", ["pointer"]); +Afl.jsApiSetStatsInterval = Afl.jsApiGetFunction("js_api_set_stats_interval", "void", ["uint64"]); +Afl.jsApiSetStatsTransitions = Afl.jsApiGetFunction("js_api_set_stats_transitions", "void", []); +Afl.jsApiSetStdErr = Afl.jsApiGetFunction("js_api_set_stderr", "void", ["pointer"]); +Afl.jsApiSetStdOut = Afl.jsApiGetFunction("js_api_set_stdout", "void", ["pointer"]); +Afl.jsApiWrite = new NativeFunction( +/* tslint:disable-next-line:no-null-keyword */ +Module.getExportByName(null, "write"), "int", ["int", "pointer", "int"]); diff --git a/frida_mode/src/js/js.c b/frida_mode/src/js/js.c index 79e716ad..ed378d2c 100644 --- a/frida_mode/src/js/js.c +++ b/frida_mode/src/js/js.c @@ -5,8 +5,9 @@ #include "js.h" #include "util.h" -static char *js_script = NULL; -gboolean js_done = FALSE; +static char * js_script = NULL; +gboolean js_done = FALSE; +js_api_stalker_callback_t js_user_callback = NULL; static gchar * filename = "afl.js"; static gchar * contents; @@ -111,3 +112,11 @@ void js_start(void) { } +gboolean js_stalker_callback(const cs_insn *insn, gboolean begin, + gboolean excluded, GumStalkerOutput *output) { + + if (js_user_callback == NULL) { return TRUE; } + return js_user_callback(insn, begin, excluded, output); + +} + diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index 018c0b9a..91dccab2 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -138,5 +138,15 @@ void js_api_set_stats_transitions() { } -// "AFL_FRIDA_PERSISTENT_HOOK", +void js_api_set_persistent_hook(void *address) { + + persistent_hook = address; + +} + +void js_api_set_stalker_callback(const js_api_stalker_callback_t callback) { + + js_user_callback = callback; + +} diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c index e3e0b0ca..bcc59ea7 100644 --- a/frida_mode/src/persistent/persistent.c +++ b/frida_mode/src/persistent/persistent.c @@ -47,19 +47,6 @@ void persistent_config(void) { } -} - -void persistent_init(void) { - - OKF("Instrumentation - persistent mode [%c] (0x%016" G_GINT64_MODIFIER "X)", - persistent_start == 0 ? ' ' : 'X', persistent_start); - OKF("Instrumentation - persistent count [%c] (%" G_GINT64_MODIFIER "d)", - persistent_start == 0 ? ' ' : 'X', persistent_count); - OKF("Instrumentation - hook [%s]", hook_name); - - OKF("Instrumentation - persistent ret [%c] (0x%016" G_GINT64_MODIFIER "X)", - persistent_ret == 0 ? ' ' : 'X', persistent_ret); - if (hook_name == NULL) { return; } void *hook_obj = dlopen(hook_name, RTLD_NOW); @@ -79,7 +66,20 @@ void persistent_init(void) { if (persistent_hook == NULL) FATAL("Failed to find afl_persistent_hook in %s", hook_name); - __afl_sharedmem_fuzzing = 1; +} + +void persistent_init(void) { + + OKF("Instrumentation - persistent mode [%c] (0x%016" G_GINT64_MODIFIER "X)", + persistent_start == 0 ? ' ' : 'X', persistent_start); + OKF("Instrumentation - persistent count [%c] (%" G_GINT64_MODIFIER "d)", + persistent_start == 0 ? ' ' : 'X', persistent_count); + OKF("Instrumentation - hook [%s]", hook_name); + + OKF("Instrumentation - persistent ret [%c] (0x%016" G_GINT64_MODIFIER "X)", + persistent_ret == 0 ? ' ' : 'X', persistent_ret); + + if (persistent_hook != NULL) { __afl_sharedmem_fuzzing = 1; } } diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c index e618fbac..003f058a 100644 --- a/frida_mode/src/persistent/persistent_arm64.c +++ b/frida_mode/src/persistent/persistent_arm64.c @@ -9,99 +9,15 @@ #include "util.h" #if defined(__aarch64__) +typedef struct { -struct arm64_regs { + GumCpuContext ctx; + uint64_t rflags; - uint64_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10; +} persistent_ctx_t; - union { - - uint64_t x11; - uint32_t fp_32; - - }; - - union { - - uint64_t x12; - uint32_t ip_32; - - }; - - union { - - uint64_t x13; - uint32_t sp_32; - - }; - - union { - - uint64_t x14; - uint32_t lr_32; - - }; - - union { - - uint64_t x15; - uint32_t pc_32; - - }; - - union { - - uint64_t x16; - uint64_t ip0; - - }; - - union { - - uint64_t x17; - uint64_t ip1; - - }; - - uint64_t x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28; - - union { - - uint64_t x29; - uint64_t fp; - - }; - - union { - - uint64_t x30; - uint64_t lr; - - }; - - union { - - uint64_t x31; - uint64_t sp; - - }; - - // the zero register is not saved here ofc - - uint64_t pc; - - uint32_t cpsr; - - uint8_t vfp_zregs[32][16 * 16]; - uint8_t vfp_pregs[17][32]; - uint32_t vfp_xregs[16]; - -}; - -typedef struct arm64_regs arch_api_regs; - -static arch_api_regs saved_regs = {0}; -static gpointer saved_lr = NULL; +static persistent_ctx_t saved_regs = {0}; +static gpointer saved_lr = NULL; gboolean persistent_is_supported(void) { @@ -109,8 +25,8 @@ gboolean persistent_is_supported(void) { } -static void instrument_persitent_save_regs(GumArm64Writer * cw, - struct arm64_regs *regs) { +static void instrument_persitent_save_regs(GumArm64Writer * cw, + persistent_ctx_t *regs) { GumAddress regs_address = GUM_ADDRESS(regs); const guint32 mrs_x1_nzcv = 0xd53b4201; @@ -129,83 +45,87 @@ static void instrument_persitent_save_regs(GumArm64Writer * cw, /* Skip x0 & x1 we'll do that later */ - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3, - ARM64_REG_X0, (16 * 1), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X4, ARM64_REG_X5, - ARM64_REG_X0, (16 * 2), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X6, ARM64_REG_X7, - ARM64_REG_X0, (16 * 3), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X8, ARM64_REG_X9, - ARM64_REG_X0, (16 * 4), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X10, ARM64_REG_X11, - ARM64_REG_X0, (16 * 5), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X12, ARM64_REG_X13, - ARM64_REG_X0, (16 * 6), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X14, ARM64_REG_X15, - ARM64_REG_X0, (16 * 7), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X16, ARM64_REG_X17, - ARM64_REG_X0, (16 * 8), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X18, ARM64_REG_X19, - ARM64_REG_X0, (16 * 9), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X20, ARM64_REG_X21, - ARM64_REG_X0, (16 * 10), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X22, ARM64_REG_X23, - ARM64_REG_X0, (16 * 11), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X24, ARM64_REG_X25, - ARM64_REG_X0, (16 * 12), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X26, ARM64_REG_X27, - ARM64_REG_X0, (16 * 13), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X28, ARM64_REG_X29, - ARM64_REG_X0, (16 * 14), - GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X2, ARM64_REG_X3, ARM64_REG_X0, + offsetof(GumCpuContext, x[2]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X4, ARM64_REG_X5, ARM64_REG_X0, + offsetof(GumCpuContext, x[4]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X6, ARM64_REG_X7, ARM64_REG_X0, + offsetof(GumCpuContext, x[6]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X8, ARM64_REG_X9, ARM64_REG_X0, + offsetof(GumCpuContext, x[8]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X10, ARM64_REG_X11, ARM64_REG_X0, + offsetof(GumCpuContext, x[10]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X12, ARM64_REG_X13, ARM64_REG_X0, + offsetof(GumCpuContext, x[12]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X14, ARM64_REG_X15, ARM64_REG_X0, + offsetof(GumCpuContext, x[14]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X16, ARM64_REG_X17, ARM64_REG_X0, + offsetof(GumCpuContext, x[16]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X18, ARM64_REG_X19, ARM64_REG_X0, + offsetof(GumCpuContext, x[18]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X20, ARM64_REG_X21, ARM64_REG_X0, + offsetof(GumCpuContext, x[20]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X22, ARM64_REG_X23, ARM64_REG_X0, + offsetof(GumCpuContext, x[22]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X24, ARM64_REG_X25, ARM64_REG_X0, + offsetof(GumCpuContext, x[24]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X26, ARM64_REG_X27, ARM64_REG_X0, + offsetof(GumCpuContext, x[26]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X28, ARM64_REG_X29, ARM64_REG_X0, + offsetof(GumCpuContext, x[28]), GUM_INDEX_SIGNED_OFFSET); - /* LR & Adjusted SP */ - gum_arm64_writer_put_add_reg_reg_imm(cw, ARM64_REG_X2, ARM64_REG_SP, - (GUM_RED_ZONE_SIZE + 32)); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X30, ARM64_REG_X2, - ARM64_REG_X0, (16 * 15), - GUM_INDEX_SIGNED_OFFSET); + /* LR (x30) */ + gum_arm64_writer_put_str_reg_reg_offset(cw, ARM64_REG_X30, ARM64_REG_X0, + offsetof(GumCpuContext, x[30])); - /* PC & CPSR */ + /* PC & Adjusted SP (31) */ gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X2, GUM_ADDRESS(persistent_start)); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X1, - ARM64_REG_X0, (16 * 16), - GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_add_reg_reg_imm(cw, ARM64_REG_X3, ARM64_REG_SP, + (GUM_RED_ZONE_SIZE + 32)); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X2, ARM64_REG_X3, ARM64_REG_X0, offsetof(GumCpuContext, pc), + GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q0, ARM64_REG_Q1, - ARM64_REG_X0, (16 * 17), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q2, ARM64_REG_Q3, - ARM64_REG_X0, (16 * 18), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q4, ARM64_REG_Q5, - ARM64_REG_X0, (16 * 19), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q6, ARM64_REG_Q7, - ARM64_REG_X0, (16 * 20), - GUM_INDEX_SIGNED_OFFSET); + /* CPSR */ + gum_arm64_writer_put_str_reg_reg_offset(cw, ARM64_REG_X1, ARM64_REG_X0, + offsetof(persistent_ctx_t, rflags)); + + /* Q */ + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_Q0, ARM64_REG_Q1, ARM64_REG_X0, + offsetof(GumCpuContext, q[0]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_Q2, ARM64_REG_Q3, ARM64_REG_X0, + offsetof(GumCpuContext, q[16]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_Q4, ARM64_REG_Q5, ARM64_REG_X0, + offsetof(GumCpuContext, q[32]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_Q6, ARM64_REG_Q7, ARM64_REG_X0, + offsetof(GumCpuContext, q[48]), GUM_INDEX_SIGNED_OFFSET); /* x0 & x1 */ gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3, ARM64_REG_SP, 16, GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3, - ARM64_REG_X0, (16 * 0), - GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_stp_reg_reg_reg_offset( + cw, ARM64_REG_X2, ARM64_REG_X3, ARM64_REG_X0, + offsetof(GumCpuContext, x[0]), GUM_INDEX_SIGNED_OFFSET); /* Pop the saved values */ gum_arm64_writer_put_ldp_reg_reg_reg_offset( @@ -217,8 +137,8 @@ static void instrument_persitent_save_regs(GumArm64Writer * cw, } -static void instrument_persitent_restore_regs(GumArm64Writer * cw, - struct arm64_regs *regs) { +static void instrument_persitent_restore_regs(GumArm64Writer * cw, + persistent_ctx_t *regs) { GumAddress regs_address = GUM_ADDRESS(regs); const guint32 msr_nzcv_x1 = 0xd51b4201; @@ -228,82 +148,81 @@ static void instrument_persitent_restore_regs(GumArm64Writer * cw, /* Skip x0 - x3 we'll do that last */ - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X4, ARM64_REG_X5, - ARM64_REG_X0, (16 * 2), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X6, ARM64_REG_X7, - ARM64_REG_X0, (16 * 3), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X8, ARM64_REG_X9, - ARM64_REG_X0, (16 * 4), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X10, ARM64_REG_X11, - ARM64_REG_X0, (16 * 5), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X12, ARM64_REG_X13, - ARM64_REG_X0, (16 * 6), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X14, ARM64_REG_X15, - ARM64_REG_X0, (16 * 7), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X16, ARM64_REG_X17, - ARM64_REG_X0, (16 * 8), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X18, ARM64_REG_X19, - ARM64_REG_X0, (16 * 9), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X20, ARM64_REG_X21, - ARM64_REG_X0, (16 * 10), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X22, ARM64_REG_X23, - ARM64_REG_X0, (16 * 11), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X24, ARM64_REG_X25, - ARM64_REG_X0, (16 * 12), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X26, ARM64_REG_X27, - ARM64_REG_X0, (16 * 13), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X28, ARM64_REG_X29, - ARM64_REG_X0, (16 * 14), - GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X4, ARM64_REG_X5, ARM64_REG_X0, + offsetof(GumCpuContext, x[4]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X6, ARM64_REG_X7, ARM64_REG_X0, + offsetof(GumCpuContext, x[6]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X8, ARM64_REG_X9, ARM64_REG_X0, + offsetof(GumCpuContext, x[8]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X10, ARM64_REG_X11, ARM64_REG_X0, + offsetof(GumCpuContext, x[10]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X12, ARM64_REG_X13, ARM64_REG_X0, + offsetof(GumCpuContext, x[12]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X14, ARM64_REG_X15, ARM64_REG_X0, + offsetof(GumCpuContext, x[14]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X16, ARM64_REG_X17, ARM64_REG_X0, + offsetof(GumCpuContext, x[16]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X18, ARM64_REG_X19, ARM64_REG_X0, + offsetof(GumCpuContext, x[18]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X20, ARM64_REG_X21, ARM64_REG_X0, + offsetof(GumCpuContext, x[20]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X22, ARM64_REG_X23, ARM64_REG_X0, + offsetof(GumCpuContext, x[22]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X24, ARM64_REG_X25, ARM64_REG_X0, + offsetof(GumCpuContext, x[24]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X26, ARM64_REG_X27, ARM64_REG_X0, + offsetof(GumCpuContext, x[26]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X28, ARM64_REG_X29, ARM64_REG_X0, + offsetof(GumCpuContext, x[28]), GUM_INDEX_SIGNED_OFFSET); - /* LR & Adjusted SP (use x1 as clobber) */ - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X30, ARM64_REG_X1, - ARM64_REG_X0, (16 * 15), - GUM_INDEX_SIGNED_OFFSET); + /* LR (x30) */ + gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X30, ARM64_REG_X0, + offsetof(GumCpuContext, x[30])); + /* Adjusted SP (31) (use x1 as clobber)*/ + gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X1, ARM64_REG_X0, + offsetof(GumCpuContext, sp)); gum_arm64_writer_put_mov_reg_reg(cw, ARM64_REG_SP, ARM64_REG_X1); - /* Don't restore RIP use x1-x3 as clobber */ - - /* PC (x2) & CPSR (x1) */ - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X1, - ARM64_REG_X0, (16 * 16), - GUM_INDEX_SIGNED_OFFSET); + /* CPSR */ + gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X1, ARM64_REG_X0, + offsetof(persistent_ctx_t, rflags)); gum_arm64_writer_put_instruction(cw, msr_nzcv_x1); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q0, ARM64_REG_Q1, - ARM64_REG_X0, (16 * 17), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q2, ARM64_REG_Q3, - ARM64_REG_X0, (16 * 18), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q4, ARM64_REG_Q5, - ARM64_REG_X0, (16 * 19), - GUM_INDEX_SIGNED_OFFSET); - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q6, ARM64_REG_Q7, - ARM64_REG_X0, (16 * 20), - GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_Q0, ARM64_REG_Q1, ARM64_REG_X0, + offsetof(GumCpuContext, q[0]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_Q2, ARM64_REG_Q3, ARM64_REG_X0, + offsetof(GumCpuContext, q[16]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_Q4, ARM64_REG_Q5, ARM64_REG_X0, + offsetof(GumCpuContext, q[32]), GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_Q6, ARM64_REG_Q7, ARM64_REG_X0, + offsetof(GumCpuContext, q[48]), GUM_INDEX_SIGNED_OFFSET); /* x2 & x3 */ - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3, - ARM64_REG_X0, (16 * 1), - GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X2, ARM64_REG_X3, ARM64_REG_X0, + offsetof(GumCpuContext, x[2]), GUM_INDEX_SIGNED_OFFSET); /* x0 & x1 */ - gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X0, ARM64_REG_X1, - ARM64_REG_X0, (16 * 0), - GUM_INDEX_SIGNED_OFFSET); + gum_arm64_writer_put_ldp_reg_reg_reg_offset( + cw, ARM64_REG_X0, ARM64_REG_X1, ARM64_REG_X0, + offsetof(GumCpuContext, x[0]), GUM_INDEX_SIGNED_OFFSET); } @@ -334,29 +253,29 @@ static void instrument_afl_persistent_loop(GumArm64Writer *cw) { } -static void persistent_prologue_hook(GumArm64Writer * cw, - struct arm64_regs *regs) { +static void persistent_prologue_hook(GumArm64Writer * cw, + persistent_ctx_t *regs) { if (persistent_hook == NULL) return; gum_arm64_writer_put_sub_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP, GUM_RED_ZONE_SIZE); - gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X3, + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X2, GUM_ADDRESS(&__afl_fuzz_len)); - gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X3, ARM64_REG_X3, 0); - gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X3, ARM64_REG_X3, 0); + gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X2, 0); + gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X2, 0); - gum_arm64_writer_put_and_reg_reg_imm(cw, ARM64_REG_X3, ARM64_REG_X3, + gum_arm64_writer_put_and_reg_reg_imm(cw, ARM64_REG_X2, ARM64_REG_X2, G_MAXULONG); - gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X2, + gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X1, GUM_ADDRESS(&__afl_fuzz_ptr)); - gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X2, 0); + gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X1, ARM64_REG_X1, 0); gum_arm64_writer_put_call_address_with_arguments( - cw, GUM_ADDRESS(persistent_hook), 4, GUM_ARG_ADDRESS, GUM_ADDRESS(regs), - GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_REGISTER, ARM64_REG_X2, - GUM_ARG_REGISTER, ARM64_REG_X3); + cw, GUM_ADDRESS(persistent_hook), 3, GUM_ARG_ADDRESS, + GUM_ADDRESS(®s->ctx), GUM_ARG_REGISTER, ARM64_REG_X1, GUM_ARG_REGISTER, + ARM64_REG_X2); gum_arm64_writer_put_add_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP, GUM_RED_ZONE_SIZE); @@ -406,6 +325,8 @@ void persistent_prologue(GumStalkerOutput *output) { gconstpointer loop = cw->code + 1; + OKF("Persistent loop reached"); + instrument_persitent_save_regs(cw, &saved_regs); /* loop: */ diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c index a91abc1c..b2186db1 100644 --- a/frida_mode/src/persistent/persistent_x64.c +++ b/frida_mode/src/persistent/persistent_x64.c @@ -10,40 +10,15 @@ #if defined(__x86_64__) -struct x86_64_regs { +typedef struct { - uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14, - r15; + GumCpuContext ctx; + uint64_t rflags; - union { +} persistent_ctx_t; - uint64_t rip; - uint64_t pc; - - }; - - union { - - uint64_t rsp; - uint64_t sp; - - }; - - union { - - uint64_t rflags; - uint64_t flags; - - }; - - uint8_t zmm_regs[32][64]; - -}; - -typedef struct x86_64_regs arch_api_regs; - -static arch_api_regs saved_regs = {0}; -static gpointer saved_ret = NULL; +static persistent_ctx_t saved_regs = {0}; +static gpointer saved_ret = NULL; gboolean persistent_is_supported(void) { @@ -51,8 +26,8 @@ gboolean persistent_is_supported(void) { } -static void instrument_persitent_save_regs(GumX86Writer * cw, - struct x86_64_regs *regs) { +static void instrument_persitent_save_regs(GumX86Writer * cw, + persistent_ctx_t *regs) { GumAddress regs_address = GUM_ADDRESS(regs); gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, @@ -64,41 +39,41 @@ static void instrument_persitent_save_regs(GumX86Writer * cw, gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, regs_address); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 1), - GUM_REG_RBX); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 2), - GUM_REG_RCX); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 3), - GUM_REG_RDX); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 4), - GUM_REG_RDI); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 5), - GUM_REG_RSI); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 6), - GUM_REG_RBP); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 7), - GUM_REG_R8); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 8), - GUM_REG_R9); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 9), - GUM_REG_R10); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 10), - GUM_REG_R11); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 11), - GUM_REG_R12); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 12), - GUM_REG_R13); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 13), - GUM_REG_R14); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 14), - GUM_REG_R15); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, rbx), GUM_REG_RBX); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, rcx), GUM_REG_RCX); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, rdx), GUM_REG_RDX); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, rdi), GUM_REG_RDI); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, rsi), GUM_REG_RSI); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, rbp), GUM_REG_RBP); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, r8), GUM_REG_R8); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, r9), GUM_REG_R9); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, r10), GUM_REG_R10); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, r11), GUM_REG_R11); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, r12), GUM_REG_R12); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, r13), GUM_REG_R13); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, r14), GUM_REG_R14); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, r15), GUM_REG_R15); /* Store RIP */ gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RBX, GUM_ADDRESS(persistent_start)); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 15), - GUM_REG_RBX); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, rip), GUM_REG_RBX); /* Store adjusted RSP */ gum_x86_writer_put_mov_reg_reg(cw, GUM_REG_RBX, GUM_REG_RSP); @@ -106,18 +81,18 @@ static void instrument_persitent_save_regs(GumX86Writer * cw, /* RED_ZONE + Saved flags, RAX, alignment */ gum_x86_writer_put_add_reg_imm(cw, GUM_REG_RBX, GUM_RED_ZONE_SIZE + (0x8 * 2)); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 16), - GUM_REG_RBX); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, rsp), GUM_REG_RBX); /* Save the flags */ gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RSP, 0x8); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 17), - GUM_REG_RBX); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(persistent_ctx_t, rflags), GUM_REG_RBX); /* Save the RAX */ gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RSP, 0x0); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 0), - GUM_REG_RBX); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_RAX, offsetof(GumCpuContext, rax), GUM_REG_RBX); /* Pop the saved values */ gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, 0x10); @@ -127,56 +102,56 @@ static void instrument_persitent_save_regs(GumX86Writer * cw, } -static void instrument_persitent_restore_regs(GumX86Writer * cw, - struct x86_64_regs *regs) { +static void instrument_persitent_restore_regs(GumX86Writer * cw, + persistent_ctx_t *regs) { GumAddress regs_address = GUM_ADDRESS(regs); gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, regs_address); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RCX, GUM_REG_RAX, - (0x8 * 2)); + offsetof(GumCpuContext, rcx)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDX, GUM_REG_RAX, - (0x8 * 3)); + offsetof(GumCpuContext, rdx)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDI, GUM_REG_RAX, - (0x8 * 4)); + offsetof(GumCpuContext, rdi)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RSI, GUM_REG_RAX, - (0x8 * 5)); + offsetof(GumCpuContext, rsi)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBP, GUM_REG_RAX, - (0x8 * 6)); + offsetof(GumCpuContext, rbp)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R8, GUM_REG_RAX, - (0x8 * 7)); + offsetof(GumCpuContext, r8)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R9, GUM_REG_RAX, - (0x8 * 8)); + offsetof(GumCpuContext, r9)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R10, GUM_REG_RAX, - (0x8 * 9)); + offsetof(GumCpuContext, r10)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R11, GUM_REG_RAX, - (0x8 * 10)); + offsetof(GumCpuContext, r11)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R12, GUM_REG_RAX, - (0x8 * 11)); + offsetof(GumCpuContext, r12)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R13, GUM_REG_RAX, - (0x8 * 12)); + offsetof(GumCpuContext, r13)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R14, GUM_REG_RAX, - (0x8 * 13)); + offsetof(GumCpuContext, r14)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R15, GUM_REG_RAX, - (0x8 * 14)); + offsetof(GumCpuContext, r15)); /* Don't restore RIP */ gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RSP, GUM_REG_RAX, - (0x8 * 16)); + offsetof(GumCpuContext, rsp)); /* Restore RBX, RAX & Flags */ gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, -(GUM_RED_ZONE_SIZE)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RAX, - (0x8 * 1)); + offsetof(GumCpuContext, rbx)); gum_x86_writer_put_push_reg(cw, GUM_REG_RBX); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RAX, - (0x8 * 0)); + offsetof(GumCpuContext, rax)); gum_x86_writer_put_push_reg(cw, GUM_REG_RBX); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RAX, - (0x8 * 17)); + offsetof(persistent_ctx_t, rflags)); gum_x86_writer_put_push_reg(cw, GUM_REG_RBX); gum_x86_writer_put_popfx(cw); @@ -217,28 +192,27 @@ static void instrument_afl_persistent_loop(GumX86Writer *cw) { } -static void persistent_prologue_hook(GumX86Writer * cw, - struct x86_64_regs *regs) { +static void persistent_prologue_hook(GumX86Writer *cw, persistent_ctx_t *regs) { if (persistent_hook == NULL) return; gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, -(GUM_RED_ZONE_SIZE)); - gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RCX, + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RDX, GUM_ADDRESS(&__afl_fuzz_len)); - gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RCX, GUM_REG_RCX, 0); - gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RCX, GUM_REG_RCX, 0); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDX, GUM_REG_RDX, 0); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDX, GUM_REG_RDX, 0); gum_x86_writer_put_mov_reg_u64(cw, GUM_REG_RDI, 0xffffffff); - gum_x86_writer_put_and_reg_reg(cw, GUM_REG_RCX, GUM_REG_RDI); + gum_x86_writer_put_and_reg_reg(cw, GUM_REG_RDX, GUM_REG_RDI); - gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RDX, + gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RSI, GUM_ADDRESS(&__afl_fuzz_ptr)); - gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDX, GUM_REG_RDX, 0); + gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RSI, GUM_REG_RSI, 0); gum_x86_writer_put_call_address_with_arguments( - cw, GUM_CALL_CAPI, GUM_ADDRESS(persistent_hook), 4, GUM_ARG_ADDRESS, - GUM_ADDRESS(regs), GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_REGISTER, - GUM_REG_RDX, GUM_ARG_REGISTER, GUM_REG_RCX); + cw, GUM_CALL_CAPI, GUM_ADDRESS(persistent_hook), 3, GUM_ARG_ADDRESS, + GUM_ADDRESS(®s->ctx), GUM_ARG_REGISTER, GUM_REG_RSI, GUM_ARG_REGISTER, + GUM_REG_RDX); gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, (GUM_RED_ZONE_SIZE)); @@ -296,6 +270,8 @@ void persistent_prologue(GumStalkerOutput *output) { gconstpointer loop = cw->code + 1; + OKF("Persistent loop reached"); + /* Pop the return value */ gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, 8); diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c index 1d01d8e4..f50bccb0 100644 --- a/frida_mode/src/persistent/persistent_x86.c +++ b/frida_mode/src/persistent/persistent_x86.c @@ -1,45 +1,23 @@ #include "frida-gumjs.h" #include "config.h" +#include "debug.h" #include "instrument.h" #include "persistent.h" #if defined(__i386__) -struct x86_regs { +typedef struct { - uint32_t eax, ebx, ecx, edx, edi, esi, ebp; + GumCpuContext ctx; + uint32_t eflags; - union { +} persistent_ctx_t; - uint32_t eip; - uint32_t pc; +static persistent_ctx_t saved_regs = {0}; - }; - - union { - - uint32_t esp; - uint32_t sp; - - }; - - union { - - uint32_t eflags; - uint32_t flags; - - }; - - uint8_t xmm_regs[8][16]; - -}; - -typedef struct x86_regs arch_api_regs; - -static arch_api_regs saved_regs = {0}; -static gpointer saved_ret = NULL; +static gpointer saved_ret = NULL; gboolean persistent_is_supported(void) { @@ -47,8 +25,8 @@ gboolean persistent_is_supported(void) { } -static void instrument_persitent_save_regs(GumX86Writer * cw, - struct x86_regs *regs) { +static void instrument_persitent_save_regs(GumX86Writer * cw, + persistent_ctx_t *regs) { GumAddress regs_address = GUM_ADDRESS(regs); @@ -58,80 +36,80 @@ static void instrument_persitent_save_regs(GumX86Writer * cw, gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, regs_address); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 1), - GUM_REG_EBX); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 2), - GUM_REG_ECX); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 3), - GUM_REG_EDX); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 4), - GUM_REG_EDI); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 5), - GUM_REG_ESI); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 6), - GUM_REG_EBP); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_EAX, offsetof(GumCpuContext, ebx), GUM_REG_EBX); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_EAX, offsetof(GumCpuContext, ecx), GUM_REG_ECX); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_EAX, offsetof(GumCpuContext, edx), GUM_REG_EDX); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_EAX, offsetof(GumCpuContext, edi), GUM_REG_EDI); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_EAX, offsetof(GumCpuContext, esi), GUM_REG_ESI); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_EAX, offsetof(GumCpuContext, ebp), GUM_REG_EBP); /* Store RIP */ gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EBX, GUM_ADDRESS(persistent_start)); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 7), - GUM_REG_EBX); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_EAX, offsetof(GumCpuContext, eip), GUM_REG_EBX); /* Store adjusted RSP */ gum_x86_writer_put_mov_reg_reg(cw, GUM_REG_EBX, GUM_REG_ESP); /* RED_ZONE + Saved flags, RAX */ gum_x86_writer_put_add_reg_imm(cw, GUM_REG_EBX, (0x4 * 2)); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 8), - GUM_REG_EBX); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_EAX, offsetof(GumCpuContext, esp), GUM_REG_EBX); /* Save the flags */ gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_ESP, 0x4); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 9), - GUM_REG_EBX); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_EAX, offsetof(persistent_ctx_t, eflags), GUM_REG_EBX); /* Save the RAX */ gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_ESP, 0x0); - gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 0), - GUM_REG_EBX); + gum_x86_writer_put_mov_reg_offset_ptr_reg( + cw, GUM_REG_EAX, offsetof(GumCpuContext, eax), GUM_REG_EBX); /* Pop the saved values */ gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, 0x8); } -static void instrument_persitent_restore_regs(GumX86Writer * cw, - struct x86_regs *regs) { +static void instrument_persitent_restore_regs(GumX86Writer * cw, + persistent_ctx_t *regs) { GumAddress regs_address = GUM_ADDRESS(regs); gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, regs_address); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ECX, GUM_REG_EAX, - (0x4 * 2)); + offsetof(GumCpuContext, ecx)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EDX, GUM_REG_EAX, - (0x4 * 3)); + offsetof(GumCpuContext, edx)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EDI, GUM_REG_EAX, - (0x4 * 4)); + offsetof(GumCpuContext, edi)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ESI, GUM_REG_EAX, - (0x4 * 5)); + offsetof(GumCpuContext, esi)); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBP, GUM_REG_EAX, - (0x4 * 6)); + offsetof(GumCpuContext, ebp)); /* Don't restore RIP */ gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ESP, GUM_REG_EAX, - (0x4 * 8)); + offsetof(GumCpuContext, esp)); /* Restore RBX, RAX & Flags */ gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_EAX, - (0x4 * 1)); + offsetof(GumCpuContext, ebx)); gum_x86_writer_put_push_reg(cw, GUM_REG_EBX); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_EAX, - (0x4 * 0)); + offsetof(GumCpuContext, eax)); gum_x86_writer_put_push_reg(cw, GUM_REG_EBX); gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_EAX, - (0x4 * 9)); + offsetof(persistent_ctx_t, eflags)); gum_x86_writer_put_push_reg(cw, GUM_REG_EBX); gum_x86_writer_put_popfx(cw); @@ -165,7 +143,7 @@ static void instrument_afl_persistent_loop(GumX86Writer *cw) { } -static void persistent_prologue_hook(GumX86Writer *cw, struct x86_regs *regs) { +static void persistent_prologue_hook(GumX86Writer *cw, persistent_ctx_t *regs) { if (persistent_hook == NULL) return; @@ -180,9 +158,8 @@ static void persistent_prologue_hook(GumX86Writer *cw, struct x86_regs *regs) { /* Base address is 64-bits (hence two zero arguments) */ gum_x86_writer_put_call_address_with_arguments( - cw, GUM_CALL_CAPI, GUM_ADDRESS(persistent_hook), 5, GUM_ARG_ADDRESS, - GUM_ADDRESS(regs), GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_ADDRESS, - GUM_ADDRESS(0), GUM_ARG_REGISTER, GUM_REG_EDX, GUM_ARG_REGISTER, + cw, GUM_CALL_CAPI, GUM_ADDRESS(persistent_hook), 3, GUM_ARG_ADDRESS, + GUM_ADDRESS(®s->ctx), GUM_ARG_REGISTER, GUM_REG_EDX, GUM_ARG_REGISTER, GUM_REG_ECX); } @@ -233,6 +210,8 @@ void persistent_prologue(GumStalkerOutput *output) { gconstpointer loop = cw->code + 1; + OKF("Persistent loop reached"); + /* Pop the return value */ gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, 4); diff --git a/frida_mode/test/jpeg/GNUmakefile b/frida_mode/test/jpeg/GNUmakefile index 689fce3d..e3a8f321 100644 --- a/frida_mode/test/jpeg/GNUmakefile +++ b/frida_mode/test/jpeg/GNUmakefile @@ -2,8 +2,7 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c -AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so +AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so LIBJPEG_BUILD_DIR:=$(BUILD_DIR)libjpeg/ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ @@ -118,11 +117,6 @@ $(TEST_BIN): $(HARNESS_OBJ) $(JPEGTEST_OBJ) $(LIBJPEG_LIB) $(LDFLAGS) \ $(TEST_BIN_LDFLAGS) \ -########## HOOK ######## - -$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR) - $(CC) -shared $(CFLAGS) $(LDFLAGS) $< -o $@ - ########## DUMMY ####### $(TEST_DATA_DIR): | $(BUILD_DIR) @@ -133,8 +127,6 @@ $(TEST_DATA_FILE): | $(TEST_DATA_DIR) ###### TEST DATA ####### -hook: $(AFLPP_DRIVER_HOOK_OBJ) - clean: rm -rf $(BUILD_DIR) diff --git a/frida_mode/test/jpeg/Makefile b/frida_mode/test/jpeg/Makefile index 863438cf..7a237f99 100644 --- a/frida_mode/test/jpeg/Makefile +++ b/frida_mode/test/jpeg/Makefile @@ -14,6 +14,3 @@ frida: debug: @gmake debug - -hook: - @gmake hook diff --git a/frida_mode/test/jpeg/aflpp_qemu_driver_hook.c b/frida_mode/test/jpeg/aflpp_qemu_driver_hook.c deleted file mode 100644 index 059d438d..00000000 --- a/frida_mode/test/jpeg/aflpp_qemu_driver_hook.c +++ /dev/null @@ -1,97 +0,0 @@ -#include -#include - -#if defined(__x86_64__) - -struct x86_64_regs { - - uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14, - r15; - - union { - - uint64_t rip; - uint64_t pc; - - }; - - union { - - uint64_t rsp; - uint64_t sp; - - }; - - union { - - uint64_t rflags; - uint64_t flags; - - }; - - uint8_t zmm_regs[32][64]; - -}; - -void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base, - uint8_t *input_buf, uint32_t input_buf_len) { - - memcpy((void *)regs->rdi, input_buf, input_buf_len); - regs->rsi = input_buf_len; - -} - -#elif defined(__i386__) - -struct x86_regs { - - uint32_t eax, ebx, ecx, edx, edi, esi, ebp; - - union { - - uint32_t eip; - uint32_t pc; - - }; - - union { - - uint32_t esp; - uint32_t sp; - - }; - - union { - - uint32_t eflags; - uint32_t flags; - - }; - - uint8_t xmm_regs[8][16]; - -}; - -void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base, - uint8_t *input_buf, uint32_t input_buf_len) { - - void **esp = (void **)regs->esp; - void * arg1 = esp[1]; - void **arg2 = &esp[2]; - memcpy(arg1, input_buf, input_buf_len); - *arg2 = (void *)input_buf_len; - -} - -#else - #pragma error "Unsupported architecture" -#endif - -int afl_persistent_hook_init(void) { - - // 1 for shared memory input (faster), 0 for normal input (you have to use - // read(), input_buf will be NULL) - return 1; - -} - diff --git a/frida_mode/test/js/GNUmakefile b/frida_mode/test/js/GNUmakefile index 8ea71656..af40c1c4 100644 --- a/frida_mode/test/js/GNUmakefile +++ b/frida_mode/test/js/GNUmakefile @@ -1,18 +1,21 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../..)/ BUILD_DIR:=$(PWD)build/ -TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/ -TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in +TEST_DATA_DIR:=$(BUILD_DIR)in/ +TEST_DATA_FILE:=$(TEST_DATA_DIR)in -TESTINSTBIN:=$(BUILD_DIR)testinstr -TESTINSTSRC:=$(PWD)testinstr.c +TESTINSTBIN:=$(BUILD_DIR)test +TESTINSTSRC:=$(PWD)test.c + +TESTINSTBIN2:=$(BUILD_DIR)test2 +TESTINSTSRC2:=$(PWD)test2.c QEMU_OUT:=$(BUILD_DIR)qemu-out FRIDA_OUT:=$(BUILD_DIR)frida-out .PHONY: all 32 clean qemu frida -all: $(TESTINSTBIN) +all: $(TESTINSTBIN) $(TESTINSTBIN2) make -C $(ROOT)frida_mode/ 32: @@ -21,24 +24,57 @@ all: $(TESTINSTBIN) $(BUILD_DIR): mkdir -p $@ -$(TESTINSTR_DATA_DIR): | $(BUILD_DIR) +$(TEST_DATA_DIR): | $(BUILD_DIR) mkdir -p $@ -$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR) +$(TEST_DATA_FILE): | $(TEST_DATA_DIR) echo -n "000" > $@ $(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< +$(TESTINSTBIN2): $(TESTINSTSRC2) | $(BUILD_DIR) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< + clean: rm -rf $(BUILD_DIR) -frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) - AFL_FRIDA_JS_SCRIPT=test.js \ +frida_js_entry: $(TESTINSTBIN) $(TEST_DATA_FILE) + AFL_FRIDA_JS_SCRIPT=entry.js \ $(ROOT)afl-fuzz \ -D \ -O \ - -i $(TESTINSTR_DATA_DIR) \ + -i $(TEST_DATA_DIR) \ -o $(FRIDA_OUT) \ -- \ $(TESTINSTBIN) @@ + +frida_js_replace: $(TESTINSTBIN) $(TEST_DATA_FILE) + AFL_FRIDA_JS_SCRIPT=replace.js \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TESTINSTBIN) @@ + +frida_js_patch: $(TESTINSTBIN2) $(TEST_DATA_FILE) + AFL_FRIDA_JS_SCRIPT=patch.js \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TESTINSTBIN2) @@ + +frida_js_stalker: $(TESTINSTBIN2) $(TEST_DATA_FILE) + AFL_FRIDA_JS_SCRIPT=stalker.js \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TESTINSTBIN2) @@ diff --git a/frida_mode/test/js/Makefile b/frida_mode/test/js/Makefile index 7a237f99..8a2b6fb0 100644 --- a/frida_mode/test/js/Makefile +++ b/frida_mode/test/js/Makefile @@ -9,8 +9,17 @@ all: clean: @gmake clean -frida: - @gmake frida +frida_js_entry: + @gmake frida_js_entry + +frida_js_replace: + @gmake frida_js_replace + +frida_js_patch: + @gmake frida_js_patch + +frida_js_stalker: + @gmake frida_js_stalker debug: @gmake debug diff --git a/frida_mode/test/js/entry.js b/frida_mode/test/js/entry.js new file mode 100644 index 00000000..f10ef2d1 --- /dev/null +++ b/frida_mode/test/js/entry.js @@ -0,0 +1,20 @@ +Afl.print('******************'); +Afl.print('* AFL FRIDA MODE *'); +Afl.print('******************'); +Afl.print(''); + +Afl.print(`PID: ${Process.id}`); + +new ModuleMap().values().forEach(m => { + Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); +}); + +const entry_point = DebugSymbol.fromName('run'); +Afl.print(`entry_point: ${entry_point.address}`); + +Afl.setEntryPoint(entry_point.address); + +// Afl.error('HARD NOPE'); + +Afl.done(); +Afl.print("done"); diff --git a/frida_mode/test/js/patch.js b/frida_mode/test/js/patch.js new file mode 100644 index 00000000..485a434f --- /dev/null +++ b/frida_mode/test/js/patch.js @@ -0,0 +1,34 @@ +Afl.print('******************'); +Afl.print('* AFL FRIDA MODE *'); +Afl.print('******************'); +Afl.print(''); + +const main = DebugSymbol.fromName('main').address; +Afl.print(`main: ${main}`); +Afl.setEntryPoint(main); +Afl.setPersistentAddress(main); +Afl.setPersistentCount(10000000); + +const crc32_check = DebugSymbol.fromName('crc32_check').address; +const crc32_replacement = new NativeCallback( + (buf, len) => { + Afl.print(`len: ${len}`); + if (len < 4) { + return 0; + } + + return 1; + }, + 'int', + ['pointer', 'int']); +Interceptor.replace(crc32_check, crc32_replacement); + +const some_boring_bug = DebugSymbol.fromName('some_boring_bug').address +const boring_replacement = new NativeCallback( + (c) => { }, + 'void', + ['char']); +Interceptor.replace(some_boring_bug, boring_replacement); + +Afl.done(); +Afl.print("done"); diff --git a/frida_mode/test/js/replace.js b/frida_mode/test/js/replace.js new file mode 100644 index 00000000..4e1e7eb7 --- /dev/null +++ b/frida_mode/test/js/replace.js @@ -0,0 +1,43 @@ +Afl.print('******************'); +Afl.print('* AFL FRIDA MODE *'); +Afl.print('******************'); +Afl.print(''); + +Afl.print(`PID: ${Process.id}`); + +const name = Process.enumerateModules()[0].name; +Afl.print(`Name: ${name}`); + +new ModuleMap().values().forEach(m => { + Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); +}); + +const slow = DebugSymbol.fromName('slow').address; +Afl.print(`slow: ${slow}`); + +const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; +Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`); + +const cm = new CModule(` + + extern unsigned char * __afl_fuzz_ptr; + extern unsigned int * __afl_fuzz_len; + extern void LLVMFuzzerTestOneInput(char *buf, int len); + + void slow(void) { + + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + } + `, + { + LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput, + __afl_fuzz_ptr: Afl.getAflFuzzPtr(), + __afl_fuzz_len: Afl.getAflFuzzLen() + }); + +Afl.setEntryPoint(cm.slow); +Afl.setPersistentAddress(cm.slow); +Afl.setInMemoryFuzzing(); +Interceptor.replace(slow, cm.slow); +Afl.print("done"); +Afl.done(); diff --git a/frida_mode/test/js/stalker.js b/frida_mode/test/js/stalker.js new file mode 100644 index 00000000..33f024f5 --- /dev/null +++ b/frida_mode/test/js/stalker.js @@ -0,0 +1,109 @@ +Afl.print('******************'); +Afl.print('* AFL FRIDA MODE *'); +Afl.print('******************'); +Afl.print(''); + +const main = DebugSymbol.fromName('main').address; +Afl.print(`main: ${main}`); +Afl.setEntryPoint(main); +Afl.setPersistentAddress(main); +Afl.setPersistentCount(10000000); + +/* Replace CRC-32 check */ +const crc32_check = DebugSymbol.fromName('crc32_check').address; +const crc32_replacement = new NativeCallback( + (buf, len) => { + if (len < 4) { + return 0; + } + + return 1; + }, + 'int', + ['pointer', 'int']); +Interceptor.replace(crc32_check, crc32_replacement); + +/* Patch out the first boring bug */ +const some_boring_bug = DebugSymbol.fromName('some_boring_bug').address +const boring_replacement = new NativeCallback( + (c) => { }, + 'void', + ['char']); +Interceptor.replace(some_boring_bug, boring_replacement); + +/* Modify the instructions */ +const some_boring_bug2 = DebugSymbol.fromName('some_boring_bug2').address +const pid = Memory.alloc(4); +pid.writeInt(Process.id); + +const cm = new CModule(` + #include + #include + + typedef int pid_t; + + #define STDERR_FILENO 2 + #define BORING2_LEN 10 + + extern int dprintf(int fd, const char *format, ...); + extern void some_boring_bug2(char c); + extern pid_t getpid(void); + extern pid_t pid; + + gboolean js_stalker_callback(const cs_insn *insn, gboolean begin, + gboolean excluded, GumStalkerOutput *output) + { + pid_t my_pid = getpid(); + GumX86Writer *cw = output->writer.x86; + + if (GUM_ADDRESS(insn->address) < GUM_ADDRESS(some_boring_bug2)) { + + return TRUE; + + } + + if (GUM_ADDRESS(insn->address) >= + GUM_ADDRESS(some_boring_bug2) + BORING2_LEN) { + + return TRUE; + + } + + if (my_pid == pid) { + + if (begin) { + + dprintf(STDERR_FILENO, "\n> 0x%016lX: %s %s\n", insn->address, + insn->mnemonic, insn->op_str); + + } else { + + dprintf(STDERR_FILENO, " 0x%016lX: %s %s\n", insn->address, + insn->mnemonic, insn->op_str); + + } + + } + + if (insn->id == X86_INS_UD2) { + + gum_x86_writer_put_nop(cw); + return FALSE; + + } else { + + return TRUE; + + } + } + `, + { + dprintf: Module.getExportByName(null, 'dprintf'), + getpid: Module.getExportByName(null, 'getpid'), + some_boring_bug2: some_boring_bug2, + pid: pid + }); +Afl.setStalkerCallback(cm.js_stalker_callback) +Afl.setStdErr("/tmp/stderr.txt"); +Afl.done(); +Afl.print("done"); diff --git a/frida_mode/test/js/test.c b/frida_mode/test/js/test.c new file mode 100644 index 00000000..bbda5ccf --- /dev/null +++ b/frida_mode/test/js/test.c @@ -0,0 +1,115 @@ +/* + american fuzzy lop++ - a trivial program to test the build + -------------------------------------------------------- + Originally written by Michal Zalewski + Copyright 2014 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include + +void LLVMFuzzerTestOneInput(char *buf, int len) { + + if (len < 1) return; + buf[len] = 0; + + // we support three input cases + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else if (buf[0] == '1') + printf("Pretty sure that is a one!\n"); + else + printf("Neither one or zero? How quaint!\n"); + +} + +int run(char *file) { + + int fd = -1; + off_t len; + char * buf = NULL; + size_t n_read; + int result = -1; + + do { + + dprintf(STDERR_FILENO, "Running: %s\n", file); + + fd = open(file, O_RDONLY); + if (fd < 0) { + + perror("open"); + break; + + } + + len = lseek(fd, 0, SEEK_END); + if (len < 0) { + + perror("lseek (SEEK_END)"); + break; + + } + + if (lseek(fd, 0, SEEK_SET) != 0) { + + perror("lseek (SEEK_SET)"); + break; + + } + + buf = malloc(len); + if (buf == NULL) { + + perror("malloc"); + break; + + } + + n_read = read(fd, buf, len); + if (n_read != len) { + + perror("read"); + break; + + } + + dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); + + LLVMFuzzerTestOneInput(buf, len); + dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read); + + result = 0; + + } while (false); + + if (buf != NULL) { free(buf); } + + if (fd != -1) { close(fd); } + + return result; + +} + +void slow() { + + usleep(100000); + +} + +int main(int argc, char **argv) { + + if (argc != 2) { return 1; } + slow(); + return run(argv[1]); + +} + diff --git a/frida_mode/test/js/test.js b/frida_mode/test/js/test.js deleted file mode 100644 index f10ef2d1..00000000 --- a/frida_mode/test/js/test.js +++ /dev/null @@ -1,20 +0,0 @@ -Afl.print('******************'); -Afl.print('* AFL FRIDA MODE *'); -Afl.print('******************'); -Afl.print(''); - -Afl.print(`PID: ${Process.id}`); - -new ModuleMap().values().forEach(m => { - Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); -}); - -const entry_point = DebugSymbol.fromName('run'); -Afl.print(`entry_point: ${entry_point.address}`); - -Afl.setEntryPoint(entry_point.address); - -// Afl.error('HARD NOPE'); - -Afl.done(); -Afl.print("done"); diff --git a/frida_mode/test/js/test2.c b/frida_mode/test/js/test2.c new file mode 100644 index 00000000..d16f35fc --- /dev/null +++ b/frida_mode/test/js/test2.c @@ -0,0 +1,177 @@ +/* + american fuzzy lop++ - a trivial program to test the build + -------------------------------------------------------- + Originally written by Michal Zalewski + Copyright 2014 Google Inc. All rights reserved. + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#define IGNORED_RETURN(x) (void)!(x) + +const uint32_t crc32_tab[] = { + 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, + 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, + 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, + 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, + 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, + 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, + 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, + 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, + 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, + 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, + 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, + 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, + 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, + 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, + 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, + 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, + 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, + 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, + 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, + 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, + 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, + 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, + 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, + 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, + 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, + 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, + 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, + 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, + 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, + 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, + 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, + 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, + 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, + 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, + 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, + 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, + 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, + 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, + 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, + 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, + 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, + 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, + 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d +}; + +uint32_t +crc32(const void *buf, size_t size) +{ + const uint8_t *p = buf; + uint32_t crc; + crc = ~0U; + while (size--) + crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8); + return crc ^ ~0U; +} + +/* + * Don't you hate those contrived examples which CRC their data. We can use + * FRIDA to patch this function out and always return success. Otherwise, we + * could change it to actually correct the checksum. + */ +int crc32_check (char * buf, int len) { + if (len < sizeof(uint32_t)) { return 0; } + uint32_t expected = *(uint32_t *)&buf[len - sizeof(uint32_t)]; + uint32_t calculated = crc32(buf, len - sizeof(uint32_t)); + return expected == calculated; +} + +/* + * So you've found a really boring bug in an earlier campaign which results in + * a NULL dereference or something like that. That bug can get in the way, + * causing the persistent loop to exit whenever it is triggered, and can also + * cloud your output unnecessarily. Again, we can use FRIDA to patch it out. + */ +void some_boring_bug(char c) { + switch (c) { + case 'A'...'Z': + case 'a'...'z': + __builtin_trap(); + break; + } +} + +extern void some_boring_bug2(char c); + +__asm__ ( + ".text \n" + "some_boring_bug2: \n" + ".global some_boring_bug2 \n" + ".type some_boring_bug2, @function \n" + "mov %edi, %eax \n" + "cmp $0xb4, %al \n" + "jne ok \n" + "ud2 \n" + "ok: \n" + "ret \n"); + +void LLVMFuzzerTestOneInput(char *buf, int len) { + + if (!crc32_check(buf, len)) return; + + some_boring_bug(buf[0]); + some_boring_bug2(buf[0]); + + if (buf[0] == '0') { + printf("Looks like a zero to me!\n"); + } + else if (buf[0] == '1') { + printf("Pretty sure that is a one!\n"); + } + else if (buf[0] == '2') { + printf("Oh we, weren't expecting that!"); + __builtin_trap(); + } + else + printf("Neither one or zero? How quaint!\n"); + +} + +int main(int argc, char **argv) { + + int fd = -1; + off_t len; + char * buf = NULL; + size_t n_read; + int result = -1; + + if (argc != 2) { return 1; } + + printf("Running: %s\n", argv[1]); + + fd = open(argv[1], O_RDONLY); + if (fd < 0) { return 1; } + + len = lseek(fd, 0, SEEK_END); + if (len < 0) { return 1; } + + if (lseek(fd, 0, SEEK_SET) != 0) { return 1; } + + buf = malloc(len); + if (buf == NULL) { return 1; } + + n_read = read(fd, buf, len); + if (n_read != len) { return 1; } + + printf("Running: %s: (%zd bytes)\n", argv[1], n_read); + + LLVMFuzzerTestOneInput(buf, len); + printf("Done: %s: (%zd bytes)\n", argv[1], n_read); + + return 0; +} + diff --git a/frida_mode/test/js/testinstr.c b/frida_mode/test/js/testinstr.c deleted file mode 100644 index bd605c52..00000000 --- a/frida_mode/test/js/testinstr.c +++ /dev/null @@ -1,121 +0,0 @@ -/* - american fuzzy lop++ - a trivial program to test the build - -------------------------------------------------------- - Originally written by Michal Zalewski - Copyright 2014 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 - */ - -#include -#include -#include -#include -#include - -#ifdef __APPLE__ - #define TESTINSTR_SECTION -#else - #define TESTINSTR_SECTION __attribute__((section(".testinstr"))) -#endif - -void testinstr(char *buf, int len) { - - if (len < 1) return; - buf[len] = 0; - - // we support three input cases - if (buf[0] == '0') - printf("Looks like a zero to me!\n"); - else if (buf[0] == '1') - printf("Pretty sure that is a one!\n"); - else - printf("Neither one or zero? How quaint!\n"); - -} - -int run(char *file) { - - int fd = -1; - off_t len; - char * buf = NULL; - size_t n_read; - int result = -1; - - do { - - dprintf(STDERR_FILENO, "Running: %s\n", file); - - fd = open(file, O_RDONLY); - if (fd < 0) { - - perror("open"); - break; - - } - - len = lseek(fd, 0, SEEK_END); - if (len < 0) { - - perror("lseek (SEEK_END)"); - break; - - } - - if (lseek(fd, 0, SEEK_SET) != 0) { - - perror("lseek (SEEK_SET)"); - break; - - } - - buf = malloc(len); - if (buf == NULL) { - - perror("malloc"); - break; - - } - - n_read = read(fd, buf, len); - if (n_read != len) { - - perror("read"); - break; - - } - - dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); - - testinstr(buf, len); - dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read); - - result = 0; - - } while (false); - - if (buf != NULL) { free(buf); } - - if (fd != -1) { close(fd); } - - return result; - -} - -void slow() { - - usleep(100000); - -} - -int main(int argc, char **argv) { - - if (argc != 2) { return 1; } - slow(); - return run(argv[1]); - -} - diff --git a/frida_mode/test/libpcap/GNUmakefile b/frida_mode/test/libpcap/GNUmakefile index e30f2049..8a10be07 100644 --- a/frida_mode/test/libpcap/GNUmakefile +++ b/frida_mode/test/libpcap/GNUmakefile @@ -2,8 +2,7 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c -AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so +AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so LIBPCAP_BUILD_DIR:=$(BUILD_DIR)libpcap/ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ @@ -137,11 +136,6 @@ $(TEST_BIN): $(HARNESS_OBJ) $(PCAPTEST_OBJ) $(LIBPCAP_LIB) $(LDFLAGS) \ $(TEST_BIN_LDFLAGS) \ -########## HOOK ######## - -$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR) - $(CC) -shared $(CFLAGS) $(LDFLAGS) $< -o $@ - ########## DUMMY ####### $(AFLPP_DRIVER_DUMMY_INPUT): | $(TCPDUMP_TESTS_DIR) @@ -149,8 +143,6 @@ $(AFLPP_DRIVER_DUMMY_INPUT): | $(TCPDUMP_TESTS_DIR) ###### TEST DATA ####### -hook: $(AFLPP_DRIVER_HOOK_OBJ) - clean: rm -rf $(BUILD_DIR) diff --git a/frida_mode/test/libpcap/aflpp_qemu_driver_hook.c b/frida_mode/test/libpcap/aflpp_qemu_driver_hook.c deleted file mode 100644 index 059d438d..00000000 --- a/frida_mode/test/libpcap/aflpp_qemu_driver_hook.c +++ /dev/null @@ -1,97 +0,0 @@ -#include -#include - -#if defined(__x86_64__) - -struct x86_64_regs { - - uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14, - r15; - - union { - - uint64_t rip; - uint64_t pc; - - }; - - union { - - uint64_t rsp; - uint64_t sp; - - }; - - union { - - uint64_t rflags; - uint64_t flags; - - }; - - uint8_t zmm_regs[32][64]; - -}; - -void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base, - uint8_t *input_buf, uint32_t input_buf_len) { - - memcpy((void *)regs->rdi, input_buf, input_buf_len); - regs->rsi = input_buf_len; - -} - -#elif defined(__i386__) - -struct x86_regs { - - uint32_t eax, ebx, ecx, edx, edi, esi, ebp; - - union { - - uint32_t eip; - uint32_t pc; - - }; - - union { - - uint32_t esp; - uint32_t sp; - - }; - - union { - - uint32_t eflags; - uint32_t flags; - - }; - - uint8_t xmm_regs[8][16]; - -}; - -void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base, - uint8_t *input_buf, uint32_t input_buf_len) { - - void **esp = (void **)regs->esp; - void * arg1 = esp[1]; - void **arg2 = &esp[2]; - memcpy(arg1, input_buf, input_buf_len); - *arg2 = (void *)input_buf_len; - -} - -#else - #pragma error "Unsupported architecture" -#endif - -int afl_persistent_hook_init(void) { - - // 1 for shared memory input (faster), 0 for normal input (you have to use - // read(), input_buf will be NULL) - return 1; - -} - diff --git a/frida_mode/test/persistent_ret/GNUmakefile b/frida_mode/test/persistent_ret/GNUmakefile index 81fdd069..f11269e3 100644 --- a/frida_mode/test/persistent_ret/GNUmakefile +++ b/frida_mode/test/persistent_ret/GNUmakefile @@ -90,7 +90,7 @@ frida_js: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) -i $(TESTINSTR_DATA_DIR) \ -o $(FRIDA_OUT) \ -- \ - $(TESTINSTBIN) @@ + $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) debug: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) gdb \ @@ -102,6 +102,15 @@ debug: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) --ex 'set disassembly-flavor intel' \ --args $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) +debug_js: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + gdb \ + --ex 'set environment AFL_FRIDA_JS_SCRIPT=test.js' \ + --ex 'set environment AFL_FRIDA_PERSISTENT_DEBUG=1' \ + --ex 'set environment AFL_DEBUG_CHILD=1' \ + --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ + --ex 'set disassembly-flavor intel' \ + --args $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + run: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET) \ diff --git a/frida_mode/test/persistent_ret/test.js b/frida_mode/test/persistent_ret/test.js index 43c6ad7c..8adb45b2 100644 --- a/frida_mode/test/persistent_ret/test.js +++ b/frida_mode/test/persistent_ret/test.js @@ -5,34 +5,44 @@ Afl.print(''); Afl.print(`PID: ${Process.id}`); +const name = Process.enumerateModules()[0].name; +Afl.print(`Name: ${name}`); + new ModuleMap().values().forEach(m => { Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); }); -const persistent_addr = DebugSymbol.fromName('main'); -Afl.print(`persistent_addr: ${persistent_addr.address}`); - -const persistent_ret = DebugSymbol.fromName('slow'); -Afl.print(`persistent_ret: ${persistent_ret.address}`); - -Afl.setPersistentAddress(persistent_addr.address); -Afl.setPersistentReturn(persistent_ret.address); -Afl.setPersistentCount(1000000); - -Afl.setDebugMaps(); - -const mod = Process.findModuleByName("libc-2.31.so") -Afl.addExcludedRange(mod.base, mod.size); -Afl.setInstrumentLibraries(); -Afl.setInstrumentDebugFile("/tmp/instr.log"); -Afl.setPrefetchDisable(); -Afl.setInstrumentNoOptimize(); -Afl.setInstrumentEnableTracing(); -Afl.setInstrumentTracingUnique(); -Afl.setStdOut("/tmp/stdout.txt"); -Afl.setStdErr("/tmp/stderr.txt"); -Afl.setStatsFile("/tmp/stats.txt"); -Afl.setStatsInterval(1); -Afl.setStatsTransitions(); -Afl.done(); +if (name === 'testinstr') { + const persistent_addr = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; + Afl.print(`persistent_addr: ${persistent_addr}`); + Afl.setEntryPoint(persistent_addr); + Afl.setPersistentAddress(persistent_addr); + Afl.setInstrumentDebugFile("/dev/stdout"); + Afl.setPersistentDebug(); + Afl.setInstrumentNoOptimize(); + Afl.setInstrumentEnableTracing(); + + const LLVMFuzzerTestOneInput = new NativeFunction( + persistent_addr, + 'void', + ['pointer', 'uint64'], + {traps: "all"}); + + const persistentHook = new NativeCallback( + (data, size) => { + const input = Afl.aflFuzzPtr.readPointer(); + const len = Afl.aflFuzzLen.readPointer().readU32(); + const hd = hexdump(input, {length: len, header: false, ansi: true}); + Afl.print(`input: ${hd}`); + LLVMFuzzerTestOneInput(input, len); + }, + 'void', + ['pointer', 'uint64']); + + Afl.aflSharedMemFuzzing.writeInt(1); + Interceptor.replace(persistent_addr, persistentHook); + Interceptor.flush(); +} + Afl.print("done"); +Afl.done(); diff --git a/frida_mode/test/persistent_ret/testinstr.c b/frida_mode/test/persistent_ret/testinstr.c index 6cb88a50..42e3519a 100644 --- a/frida_mode/test/persistent_ret/testinstr.c +++ b/frida_mode/test/persistent_ret/testinstr.c @@ -17,13 +17,14 @@ #include #ifdef __APPLE__ - #define TESTINSTR_SECTION + #define MAIN_SECTION #else - #define TESTINSTR_SECTION __attribute__((section(".testinstr"))) + #define MAIN_SECTION __attribute__((section(".main"))) #endif -void testinstr(char *buf, int len) { +void LLVMFuzzerTestOneInput(char *buf, int len) { + printf (">>> LLVMFuzzerTestOneInput >>>\n"); if (len < 1) return; buf[len] = 0; @@ -43,7 +44,7 @@ void slow() { } -TESTINSTR_SECTION int main(int argc, char **argv) { +MAIN_SECTION int main(int argc, char **argv) { char * file; int fd = -1; @@ -101,7 +102,7 @@ TESTINSTR_SECTION int main(int argc, char **argv) { dprintf(STDERR_FILENO, "Running: %s: (%zd bytes)\n", file, n_read); - testinstr(buf, len); + LLVMFuzzerTestOneInput(buf, len); dprintf(STDERR_FILENO, "Done: %s: (%zd bytes)\n", file, n_read); slow(); diff --git a/frida_mode/test/png/persistent/hook/GNUmakefile b/frida_mode/test/png/persistent/hook/GNUmakefile index b17f3775..0ff9fe86 100644 --- a/frida_mode/test/png/persistent/hook/GNUmakefile +++ b/frida_mode/test/png/persistent/hook/GNUmakefile @@ -2,8 +2,7 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c -AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so +AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so CFLAGS+=-O3 \ -funroll-loops \ @@ -48,7 +47,7 @@ endif .PHONY: all 32 clean format qemu qemu_entry frida frida_entry debug -all: $(AFLPP_DRIVER_HOOK_OBJ) +all: make -C $(ROOT)frida_mode/test/png/persistent/ 32: @@ -68,9 +67,6 @@ $(TEST_DATA_DIR): | $(BUILD_DIR) $(AFLPP_DRIVER_DUMMY_INPUT): | $(BUILD_DIR) truncate -s 1M $@ -$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR) - $(CC) $(CFLAGS) $(LDFLAGS) $< -o $@ - qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ @@ -124,6 +120,28 @@ frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) +frida_js_load: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) + AFL_FRIDA_JS_SCRIPT=load.js \ + $(ROOT)afl-fuzz \ + -D \ + -V 30 \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) + +frida_js_cmodule: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) + AFL_FRIDA_JS_SCRIPT=cmodule.js \ + $(ROOT)afl-fuzz \ + -D \ + -V 30 \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) + debug: $(AFLPP_DRIVER_DUMMY_INPUT) echo $(AFL_FRIDA_PERSISTENT_ADDR) gdb \ diff --git a/frida_mode/test/png/persistent/hook/Makefile b/frida_mode/test/png/persistent/hook/Makefile index 983d009e..dca51d85 100644 --- a/frida_mode/test/png/persistent/hook/Makefile +++ b/frida_mode/test/png/persistent/hook/Makefile @@ -24,5 +24,8 @@ frida: frida_entry: @gmake frida_entry +frida_js: + @gmake frida_js + debug: @gmake debug diff --git a/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c b/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c deleted file mode 100644 index 1542c0bf..00000000 --- a/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c +++ /dev/null @@ -1,193 +0,0 @@ -#include -#include - -#if defined(__x86_64__) - -struct x86_64_regs { - - uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14, - r15; - - union { - - uint64_t rip; - uint64_t pc; - - }; - - union { - - uint64_t rsp; - uint64_t sp; - - }; - - union { - - uint64_t rflags; - uint64_t flags; - - }; - - uint8_t zmm_regs[32][64]; - -}; - -void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base, - uint8_t *input_buf, uint32_t input_buf_len) { - - memcpy((void *)regs->rdi, input_buf, input_buf_len); - regs->rsi = input_buf_len; - -} - -#elif defined(__i386__) - -struct x86_regs { - - uint32_t eax, ebx, ecx, edx, edi, esi, ebp; - - union { - - uint32_t eip; - uint32_t pc; - - }; - - union { - - uint32_t esp; - uint32_t sp; - - }; - - union { - - uint32_t eflags; - uint32_t flags; - - }; - - uint8_t xmm_regs[8][16]; - -}; - -void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base, - uint8_t *input_buf, uint32_t input_buf_len) { - - void **esp = (void **)regs->esp; - void * arg1 = esp[1]; - void **arg2 = &esp[2]; - memcpy(arg1, input_buf, input_buf_len); - *arg2 = (void *)input_buf_len; - -} -#elif defined(__aarch64__) - -struct arm64_regs { - - uint64_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10; - - union { - - uint64_t x11; - uint32_t fp_32; - - }; - - union { - - uint64_t x12; - uint32_t ip_32; - - }; - - union { - - uint64_t x13; - uint32_t sp_32; - - }; - - union { - - uint64_t x14; - uint32_t lr_32; - - }; - - union { - - uint64_t x15; - uint32_t pc_32; - - }; - - union { - - uint64_t x16; - uint64_t ip0; - - }; - - union { - - uint64_t x17; - uint64_t ip1; - - }; - - uint64_t x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28; - - union { - - uint64_t x29; - uint64_t fp; - - }; - - union { - - uint64_t x30; - uint64_t lr; - - }; - - union { - - uint64_t x31; - uint64_t sp; - - }; - - // the zero register is not saved here ofc - - uint64_t pc; - - uint32_t cpsr; - - uint8_t vfp_zregs[32][16 * 16]; - uint8_t vfp_pregs[17][32]; - uint32_t vfp_xregs[16]; - -}; - -void afl_persistent_hook(struct arm64_regs *regs, uint64_t guest_base, - uint8_t *input_buf, uint32_t input_buf_len) { - - memcpy((void *)regs->x0, input_buf, input_buf_len); - regs->x1 = input_buf_len; -} - -#else - #pragma error "Unsupported architecture" -#endif - -int afl_persistent_hook_init(void) { - - // 1 for shared memory input (faster), 0 for normal input (you have to use - // read(), input_buf will be NULL) - return 1; - -} - diff --git a/frida_mode/test/png/persistent/hook/cmodule.js b/frida_mode/test/png/persistent/hook/cmodule.js new file mode 100644 index 00000000..ab8bdc66 --- /dev/null +++ b/frida_mode/test/png/persistent/hook/cmodule.js @@ -0,0 +1,39 @@ +Afl.print('******************'); +Afl.print('* AFL FRIDA MODE *'); +Afl.print('******************'); +Afl.print(''); + +Afl.print(`PID: ${Process.id}`); + +const name = Process.enumerateModules()[0].name; +Afl.print(`Name: ${name}`); + +new ModuleMap().values().forEach(m => { + Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); +}); + +const persistent_addr = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; +Afl.print(`persistent_addr: ${persistent_addr}`); +Afl.setEntryPoint(persistent_addr); +Afl.setPersistentAddress(persistent_addr); + +const cm = new CModule(` + + #include + #include + + void afl_persistent_hook(GumCpuContext *regs, uint8_t *input_buf, + uint32_t input_buf_len) { + + memcpy((void *)regs->rdi, input_buf, input_buf_len); + regs->rsi = input_buf_len; + + } + `, + { + memcpy: Module.getExportByName(null, 'memcpy') + }); +Afl.setPersistentHook(cm.afl_persistent_hook); + +Afl.print("done"); +Afl.done(); diff --git a/frida_mode/test/png/persistent/hook/load.js b/frida_mode/test/png/persistent/hook/load.js new file mode 100644 index 00000000..ce4374ae --- /dev/null +++ b/frida_mode/test/png/persistent/hook/load.js @@ -0,0 +1,27 @@ +Afl.print('******************'); +Afl.print('* AFL FRIDA MODE *'); +Afl.print('******************'); +Afl.print(''); + +Afl.print(`PID: ${Process.id}`); + +const name = Process.enumerateModules()[0].name; +Afl.print(`Name: ${name}`); + +new ModuleMap().values().forEach(m => { + Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); +}); + +const persistent_addr = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; +Afl.print(`persistent_addr: ${persistent_addr}`); +Afl.setEntryPoint(persistent_addr); +Afl.setPersistentAddress(persistent_addr); + +const path = Afl.module.path; +const dir = path.substring(0, path.lastIndexOf("/")); +const mod = Module.load(`${dir}/frida_mode/build/hook.so`); +const hook = mod.getExportByName('afl_persistent_hook'); +Afl.setPersistentHook(hook); + +Afl.print("done"); +Afl.done(); diff --git a/frida_mode/test/proj4/GNUmakefile b/frida_mode/test/proj4/GNUmakefile index 09112cd5..e324a5d0 100644 --- a/frida_mode/test/proj4/GNUmakefile +++ b/frida_mode/test/proj4/GNUmakefile @@ -2,8 +2,7 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c -AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so +AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so LIBPROJ4_BUILD_DIR:=$(BUILD_DIR)libproj4/ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ @@ -118,11 +117,6 @@ $(TEST_BIN): $(HARNESS_OBJ) $(PROJ4TEST_OBJ) $(LIBPROJ4_LIB) $(LDFLAGS) \ $(TEST_BIN_LDFLAGS) \ -########## HOOK ######## - -$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR) - $(CC) -shared $(CFLAGS) $(LDFLAGS) $< -o $@ - ########## DUMMY ####### $(TEST_DATA_DIR): | $(BUILD_DIR) @@ -133,8 +127,6 @@ $(TEST_DATA_FILE): | $(TEST_DATA_DIR) ###### TEST DATA ####### -hook: $(AFLPP_DRIVER_HOOK_OBJ) - clean: rm -rf $(BUILD_DIR) diff --git a/frida_mode/test/proj4/Makefile b/frida_mode/test/proj4/Makefile index 863438cf..f83e2992 100644 --- a/frida_mode/test/proj4/Makefile +++ b/frida_mode/test/proj4/Makefile @@ -15,5 +15,3 @@ frida: debug: @gmake debug -hook: - @gmake hook diff --git a/frida_mode/test/proj4/aflpp_qemu_driver_hook.c b/frida_mode/test/proj4/aflpp_qemu_driver_hook.c deleted file mode 100644 index 059d438d..00000000 --- a/frida_mode/test/proj4/aflpp_qemu_driver_hook.c +++ /dev/null @@ -1,97 +0,0 @@ -#include -#include - -#if defined(__x86_64__) - -struct x86_64_regs { - - uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14, - r15; - - union { - - uint64_t rip; - uint64_t pc; - - }; - - union { - - uint64_t rsp; - uint64_t sp; - - }; - - union { - - uint64_t rflags; - uint64_t flags; - - }; - - uint8_t zmm_regs[32][64]; - -}; - -void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base, - uint8_t *input_buf, uint32_t input_buf_len) { - - memcpy((void *)regs->rdi, input_buf, input_buf_len); - regs->rsi = input_buf_len; - -} - -#elif defined(__i386__) - -struct x86_regs { - - uint32_t eax, ebx, ecx, edx, edi, esi, ebp; - - union { - - uint32_t eip; - uint32_t pc; - - }; - - union { - - uint32_t esp; - uint32_t sp; - - }; - - union { - - uint32_t eflags; - uint32_t flags; - - }; - - uint8_t xmm_regs[8][16]; - -}; - -void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base, - uint8_t *input_buf, uint32_t input_buf_len) { - - void **esp = (void **)regs->esp; - void * arg1 = esp[1]; - void **arg2 = &esp[2]; - memcpy(arg1, input_buf, input_buf_len); - *arg2 = (void *)input_buf_len; - -} - -#else - #pragma error "Unsupported architecture" -#endif - -int afl_persistent_hook_init(void) { - - // 1 for shared memory input (faster), 0 for normal input (you have to use - // read(), input_buf will be NULL) - return 1; - -} - diff --git a/frida_mode/test/re2/GNUmakefile b/frida_mode/test/re2/GNUmakefile index 9f0b31d3..e1c5347d 100644 --- a/frida_mode/test/re2/GNUmakefile +++ b/frida_mode/test/re2/GNUmakefile @@ -2,8 +2,7 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c -AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so +AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so LIBRE2_BUILD_DIR:=$(BUILD_DIR)libre2/ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ @@ -116,11 +115,6 @@ $(TEST_BIN): $(HARNESS_OBJ) $(RE2TEST_OBJ) $(LIBRE2_LIB) $(LDFLAGS) \ $(TEST_BIN_LDFLAGS) \ -########## HOOK ######## - -$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR) - $(CC) -shared $(CFLAGS) $(LDFLAGS) $< -o $@ - ########## DUMMY ####### $(TEST_DATA_DIR): | $(BUILD_DIR) @@ -131,8 +125,6 @@ $(AFLPP_DRIVER_DUMMY_INPUT): | $(TEST_DATA_DIR) ###### TEST DATA ####### -hook: $(AFLPP_DRIVER_HOOK_OBJ) - clean: rm -rf $(BUILD_DIR) diff --git a/frida_mode/test/re2/Makefile b/frida_mode/test/re2/Makefile index 00b2b287..360cdc44 100644 --- a/frida_mode/test/re2/Makefile +++ b/frida_mode/test/re2/Makefile @@ -18,5 +18,3 @@ frida: debug: @gmake debug -hook: - @gmake hook diff --git a/frida_mode/test/re2/aflpp_qemu_driver_hook.c b/frida_mode/test/re2/aflpp_qemu_driver_hook.c deleted file mode 100644 index 059d438d..00000000 --- a/frida_mode/test/re2/aflpp_qemu_driver_hook.c +++ /dev/null @@ -1,97 +0,0 @@ -#include -#include - -#if defined(__x86_64__) - -struct x86_64_regs { - - uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14, - r15; - - union { - - uint64_t rip; - uint64_t pc; - - }; - - union { - - uint64_t rsp; - uint64_t sp; - - }; - - union { - - uint64_t rflags; - uint64_t flags; - - }; - - uint8_t zmm_regs[32][64]; - -}; - -void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base, - uint8_t *input_buf, uint32_t input_buf_len) { - - memcpy((void *)regs->rdi, input_buf, input_buf_len); - regs->rsi = input_buf_len; - -} - -#elif defined(__i386__) - -struct x86_regs { - - uint32_t eax, ebx, ecx, edx, edi, esi, ebp; - - union { - - uint32_t eip; - uint32_t pc; - - }; - - union { - - uint32_t esp; - uint32_t sp; - - }; - - union { - - uint32_t eflags; - uint32_t flags; - - }; - - uint8_t xmm_regs[8][16]; - -}; - -void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base, - uint8_t *input_buf, uint32_t input_buf_len) { - - void **esp = (void **)regs->esp; - void * arg1 = esp[1]; - void **arg2 = &esp[2]; - memcpy(arg1, input_buf, input_buf_len); - *arg2 = (void *)input_buf_len; - -} - -#else - #pragma error "Unsupported architecture" -#endif - -int afl_persistent_hook_init(void) { - - // 1 for shared memory input (faster), 0 for normal input (you have to use - // read(), input_buf will be NULL) - return 1; - -} - diff --git a/frida_mode/ts/lib/afl.ts b/frida_mode/ts/lib/afl.ts new file mode 100644 index 00000000..6da7fabc --- /dev/null +++ b/frida_mode/ts/lib/afl.ts @@ -0,0 +1,373 @@ +class Afl { + + /** + * Field containing the `Module` object for `afl-frida-trace.so` (the FRIDA mode + * implementation). + */ + public static module: Module = Process.getModuleByName("afl-frida-trace.so"); + + /** + * This is equivalent to setting a value in `AFL_FRIDA_EXCLUDE_RANGES`, + * it takes as arguments a `NativePointer` and a `number`. It can be + * called multiple times to exclude several ranges. + */ + public static addExcludedRange(addressess: NativePointer, size: number): void { + Afl.jsApiAddExcludeRange(addressess, size); + } + + /** + * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`, + * it takes as arguments a `NativePointer` and a `number`. It can be + * called multiple times to include several ranges. + */ + public static addIncludedRange(addressess: NativePointer, size: number): void { + Afl.jsApiAddIncludeRange(addressess, size); + } + + /** + * This must always be called at the end of your script. This lets + * FRIDA mode know that your configuration is finished and that + * execution has reached the end of your script. Failure to call + * this will result in a fatal error. + */ + public static done(): void { + Afl.jsApiDone(); + } + + /** + * This function can be called within your script to cause FRIDA + * mode to trigger a fatal error. This is useful if for example you + * discover a problem you weren't expecting and want everything to + * stop. The user will need to enable `AFL_DEBUG_CHILD=1` to view + * this error message. + */ + public static error(msg: string): void { + const buf = Memory.allocUtf8String(msg); + Afl.jsApiError(buf); + } + + /** + * Function used to provide access to `__afl_fuzz_ptr`, which contains the length of + * fuzzing data when using in-memory test case fuzzing. + */ + public static getAflFuzzLen(): NativePointer { + + return Afl.jsApiGetSymbol("__afl_fuzz_len"); + } + + /** + * Function used to provide access to `__afl_fuzz_ptr`, which contains the fuzzing + * data when using in-memory test case fuzzing. + */ + public static getAflFuzzPtr(): NativePointer { + + return Afl.jsApiGetSymbol("__afl_fuzz_ptr"); + } + + /** + * Print a message to the STDOUT. This should be preferred to + * FRIDA's `console.log` since FRIDA will queue it's log messages. + * If `console.log` is used in a callback in particular, then there + * may no longer be a thread running to service this queue. + */ + public static print(msg: string): void { + const STDOUT_FILENO = 2; + const log = `${msg}\n`; + const buf = Memory.allocUtf8String(log); + Afl.jsApiWrite(STDOUT_FILENO, buf, log.length); + } + + /** + * See `AFL_FRIDA_DEBUG_MAPS`. + */ + public static setDebugMaps(): void { + Afl.jsApiSetDebugMaps(); + } + + /** + * This has the same effect as setting `AFL_ENTRYPOINT`, but has the + * convenience of allowing you to use FRIDAs APIs to determine the + * address you would like to configure, rather than having to grep + * the output of `readelf` or something similarly ugly. This + * function should be called with a `NativePointer` as its + * argument. + */ + public static setEntryPoint(address: NativePointer): void { + Afl.jsApiSetEntryPoint(address); + } + + /** + * Function used to enable in-memory test cases for fuzzing. + */ + public static setInMemoryFuzzing(): void { + Afl.jsApiAflSharedMemFuzzing.writeInt(1); + } + + /** + * See `AFL_FRIDA_INST_DEBUG_FILE`. This function takes a single `string` as + * an argument. + */ + public static setInstrumentDebugFile(file: string): void { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetInstrumentDebugFile(buf); + } + + /** + * See `AFL_FRIDA_INST_TRACE`. + */ + public static setInstrumentEnableTracing(): void { + Afl.jsApiSetInstrumentTrace(); + } + + /** + * See `AFL_INST_LIBS`. + */ + public static setInstrumentLibraries(): void { + Afl.jsApiSetInstrumentLibraries(); + } + + /** + * See `AFL_FRIDA_INST_NO_OPTIMIZE` + */ + public static setInstrumentNoOptimize(): void { + Afl.jsApiSetInstrumentNoOptimize(); + } + + /** + * See `AFL_FRIDA_INST_TRACE_UNIQUE`. + */ + public static setInstrumentTracingUnique(): void { + Afl.jsApiSetInstrumentTraceUnique(); + } + + /** + * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a + * `NativePointer` should be provided as it's argument. + */ + public static setPersistentAddress(address: NativePointer): void { + Afl.jsApiSetPersistentAddress(address); + } + + /** + * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a + * `number` should be provided as it's argument. + */ + public static setPersistentCount(count: number): void { + Afl.jsApiSetPersistentCount(count); + } + + /** + * See `AFL_FRIDA_PERSISTENT_DEBUG`. + */ + public static setPersistentDebug(): void { + Afl.jsApiSetPersistentDebug(); + } + + /** + * See `AFL_FRIDA_PERSISTENT_ADDR`. This function takes a NativePointer as an + * argument. See above for examples of use. + */ + public static setPersistentHook(address: NativePointer): void { + Afl.jsApiSetPersistentHook(address); + } + + /** + * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a + * `NativePointer` should be provided as it's argument. + */ + public static setPersistentReturn(address: NativePointer): void { + Afl.jsApiSetPersistentReturn(address); + } + + /** + * See `AFL_FRIDA_INST_NO_PREFETCH`. + */ + public static setPrefetchDisable(): void { + Afl.jsApiSetPrefetchDisable(); + } + + /* + * Set a function to be called for each instruction which is instrumented + * by AFL FRIDA mode. + */ + public static setStalkerCallback(callback: NativePointer): void { + Afl.jsApiSetStalkerCallback(callback); + } + + /** + * See `AFL_FRIDA_STATS_FILE`. This function takes a single `string` as + * an argument. + */ + public static setStatsFile(file: string): void { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetStatsFile(buf); + } + + /** + * See `AFL_FRIDA_STATS_INTERVAL`. This function takes a `number` as an + * argument + */ + public static setStatsInterval(interval: number): void { + Afl.jsApiSetStatsInterval(interval); + } + + /** + * See `AFL_FRIDA_STATS_TRANSITIONS` + */ + public static setStatsTransitions(): void { + Afl.jsApiSetStatsTransitions(); + } + + /** + * See `AFL_FRIDA_OUTPUT_STDERR`. This function takes a single `string` as + * an argument. + */ + public static setStdErr(file: string): void { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetStdErr(buf); + } + + /** + * See `AFL_FRIDA_OUTPUT_STDOUT`. This function takes a single `string` as + * an argument. + */ + public static setStdOut(file: string): void { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetStdOut(buf); + } + + private static readonly jsApiAddExcludeRange = Afl.jsApiGetFunction( + "js_api_add_exclude_range", + "void", + ["pointer", "size_t"]); + + private static readonly jsApiAddIncludeRange = Afl.jsApiGetFunction( + "js_api_add_include_range", + "void", + ["pointer", "size_t"]); + + private static readonly jsApiAflSharedMemFuzzing = Afl.jsApiGetSymbol("__afl_sharedmem_fuzzing"); + + private static readonly jsApiDone = Afl.jsApiGetFunction( + "js_api_done", + "void", + []); + + private static readonly jsApiError = Afl.jsApiGetFunction( + "js_api_error", + "void", + ["pointer"]); + + private static readonly jsApiSetDebugMaps = Afl.jsApiGetFunction( + "js_api_set_debug_maps", + "void", + []); + + private static readonly jsApiSetEntryPoint = Afl.jsApiGetFunction( + "js_api_set_entrypoint", + "void", + ["pointer"]); + + private static readonly jsApiSetInstrumentDebugFile = Afl.jsApiGetFunction( + "js_api_set_instrument_debug_file", + "void", + ["pointer"]); + + private static readonly jsApiSetInstrumentLibraries = Afl.jsApiGetFunction( + "js_api_set_instrument_libraries", + "void", + []); + + private static readonly jsApiSetInstrumentNoOptimize = Afl.jsApiGetFunction( + "js_api_set_instrument_no_optimize", + "void", + []); + + private static readonly jsApiSetInstrumentTrace = Afl.jsApiGetFunction( + "js_api_set_instrument_trace", + "void", + []); + + private static readonly jsApiSetInstrumentTraceUnique = Afl.jsApiGetFunction( + "js_api_set_instrument_trace_unique", + "void", + []); + + private static readonly jsApiSetPersistentAddress = Afl.jsApiGetFunction( + "js_api_set_persistent_address", + "void", + ["pointer"]); + + private static readonly jsApiSetPersistentCount = Afl.jsApiGetFunction( + "js_api_set_persistent_count", + "void", + ["uint64"]); + + private static readonly jsApiSetPersistentDebug = Afl.jsApiGetFunction( + "js_api_set_persistent_debug", + "void", + []); + + private static readonly jsApiSetPersistentHook = Afl.jsApiGetFunction( + "js_api_set_persistent_hook", + "void", + ["pointer"]); + + private static readonly jsApiSetPersistentReturn = Afl.jsApiGetFunction( + "js_api_set_persistent_return", + "void", + ["pointer"]); + + private static readonly jsApiSetPrefetchDisable = Afl.jsApiGetFunction( + "js_api_set_prefetch_disable", + "void", + []); + + private static readonly jsApiSetStalkerCallback = Afl.jsApiGetFunction( + "js_api_set_stalker_callback", + "void", + ["pointer"]); + + private static readonly jsApiSetStatsFile = Afl.jsApiGetFunction( + "js_api_set_stats_file", + "void", + ["pointer"]); + + private static readonly jsApiSetStatsInterval = Afl.jsApiGetFunction( + "js_api_set_stats_interval", + "void", + ["uint64"]); + + private static readonly jsApiSetStatsTransitions = Afl.jsApiGetFunction( + "js_api_set_stats_transitions", + "void", + []); + + private static readonly jsApiSetStdErr = Afl.jsApiGetFunction( + "js_api_set_stderr", + "void", + ["pointer"]); + + private static readonly jsApiSetStdOut = Afl.jsApiGetFunction( + "js_api_set_stdout", + "void", + ["pointer"]); + + private static readonly jsApiWrite = new NativeFunction( + /* tslint:disable-next-line:no-null-keyword */ + Module.getExportByName(null, "write"), + "int", + ["int", "pointer", "int"]); + + private static jsApiGetFunction(name: string, retType: NativeType, argTypes: NativeType[]): NativeFunction { + const addr: NativePointer = Afl.module.getExportByName(name); + + return new NativeFunction(addr, retType, argTypes); + } + + private static jsApiGetSymbol(name: string): NativePointer { + + return Afl.module.getExportByName(name); + } + +} diff --git a/frida_mode/ts/package-lock.json b/frida_mode/ts/package-lock.json new file mode 100644 index 00000000..e766c2c2 --- /dev/null +++ b/frida_mode/ts/package-lock.json @@ -0,0 +1,12 @@ +{ + "requires": true, + "lockfileVersion": 1, + "dependencies": { + "tsc": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/tsc/-/tsc-2.0.3.tgz", + "integrity": "sha512-SN+9zBUtrpUcOpaUO7GjkEHgWtf22c7FKbKCA4e858eEM7Qz86rRDpgOU2lBIDf0fLCsEg65ms899UMUIB2+Ow==", + "dev": true + } + } +} diff --git a/frida_mode/ts/package.json b/frida_mode/ts/package.json new file mode 100644 index 00000000..47b693ed --- /dev/null +++ b/frida_mode/ts/package.json @@ -0,0 +1,32 @@ +{ + "name": "@worksbutnottested/aflplusplus-frida", + "version": "1.0.0", + "description": "AFLplusplus Frida Mode", + "main": "./dist/frida.js", + "types": "./dist/frida.d.ts", + "files": [ + "/dist/" + ], + "repository": { + "type": "git", + "url": "git@github.com:worksbutnottested/AFLplusplus.git" + }, + "publishConfig": { + "cache": "~/.npm", + "registry": "https://npm.pkg.github.com/@worksbutnottested" + }, + "scripts": { + "prepare": "npm run build", + "build": "tsc", + "lint": "tslint -p tslint.json" + }, + "devDependencies": { + "@types/node": "^14.14.2", + "typescript": "^4.0.3", + "typescript-tslint-plugin": "^0.5.5", + "tslint": "^6.1.3" + }, + "dependencies": { + "@types/frida-gum": "^16.2.0" + } + } diff --git a/frida_mode/ts/tsconfig.json b/frida_mode/ts/tsconfig.json new file mode 100644 index 00000000..624e4496 --- /dev/null +++ b/frida_mode/ts/tsconfig.json @@ -0,0 +1,14 @@ +{ + "compilerOptions": { + "target": "es2020", + "lib": ["es2020"], + "strict": true, + "module": "commonjs", + "esModuleInterop": true, + "declaration": true, + "outDir": "./dist" + }, + "include": [ + "lib/**/*" + ] + } diff --git a/frida_mode/ts/tslint.json b/frida_mode/ts/tslint.json new file mode 100644 index 00000000..0e7a77ed --- /dev/null +++ b/frida_mode/ts/tslint.json @@ -0,0 +1,256 @@ +{ + "rules": { + "adjacent-overload-signatures": true, + "ban-types": { + "options": [ + ["Object", "Avoid using the `Object` type. Did you mean `object`?"], + [ + "Function", + "Avoid using the `Function` type. Prefer a specific function type, like `() => void`." + ], + ["Boolean", "Avoid using the `Boolean` type. Did you mean `boolean`?"], + ["Number", "Avoid using the `Number` type. Did you mean `number`?"], + ["String", "Avoid using the `String` type. Did you mean `string`?"], + ["Symbol", "Avoid using the `Symbol` type. Did you mean `symbol`?"] + ] + }, + "ban-ts-ignore": true, + "member-access": { + "options": ["check-accessor", "check-constructor", "check-parameter-property"] + }, + "member-ordering": { + "options": { + "order": "statics-first", + "alphabetize": true + } + }, + "no-any": true, + "no-empty-interface": true, + "no-for-in": true, + "no-import-side-effect": true, + "no-inferrable-types": { "options": ["ignore-params"] }, + "no-internal-module": true, + "no-magic-numbers": true, + "no-namespace": true, + "no-non-null-assertion": true, + "no-reference": true, + "no-restricted-globals": true, + "no-this-assignment": true, + "no-var-requires": true, + "only-arrow-functions": true, + "prefer-for-of": true, + "prefer-readonly": true, + "promise-function-async": true, + "typedef": { + "options": [ + "call-signature", + "parameter", + "property-declaration" + ] + }, + "typedef-whitespace": { + "options": [ + { + "call-signature": "nospace", + "index-signature": "nospace", + "parameter": "nospace", + "property-declaration": "nospace", + "variable-declaration": "nospace" + }, + { + "call-signature": "onespace", + "index-signature": "onespace", + "parameter": "onespace", + "property-declaration": "onespace", + "variable-declaration": "onespace" + } + ] + }, + "unified-signatures": true, + "await-promise": true, + "ban-comma-operator": true, + "curly": true, + "forin": true, + "function-constructor": true, + "label-position": true, + "no-arg": true, + "no-async-without-await": true, + "no-bitwise": true, + "no-conditional-assignment": true, + "no-console": true, + "no-construct": true, + "no-debugger": true, + "no-duplicate-super": true, + "no-duplicate-switch-case": true, + "no-duplicate-variable": { "options": ["check-parameters"] }, + "no-dynamic-delete": true, + "no-empty": true, + "no-eval": true, + "no-floating-promises": true, + "no-for-in-array": true, + "no-implicit-dependencies": true, + "no-inferred-empty-object-type": true, + "no-invalid-template-strings": true, + "no-misused-new": true, + "no-null-keyword": true, + "no-null-undefined-union": true, + "no-object-literal-type-assertion": true, + "no-promise-as-boolean": true, + "no-return-await": true, + "no-shadowed-variable": true, + "no-string-literal": true, + "no-string-throw": true, + "no-sparse-arrays": true, + "no-submodule-imports": true, + "no-tautology-expression": true, + "no-unbound-method": true, + "no-unnecessary-class": { "options": ["allow-empty-class", "allow-static-only"] }, + "no-unsafe-any": false, + "no-unsafe-finally": true, + "no-unused-expression": true, + "no-var-keyword": true, + "no-void-expression": true, + "prefer-conditional-expression": true, + "radix": true, + "restrict-plus-operands": true, + "static-this": true, + "strict-boolean-expressions": true, + "strict-string-expressions": true, + "strict-comparisons": true, + "strict-type-predicates": true, + "switch-default": true, + "triple-equals": true, + "unnecessary-constructor": true, + "use-default-type-parameter": true, + "use-isnan": true, + "cyclomatic-complexity": true, + "eofline": true, + "indent": { "options": ["spaces"] }, + "invalid-void": true, + "linebreak-style": { "options": "LF" }, + "max-classes-per-file": { "options": 1 }, + "max-file-line-count": { "options": 1000 }, + "max-line-length": { + "options": { "limit": 120 } + }, + "no-default-export": true, + "no-default-import": true, + "no-duplicate-imports": true, + "no-irregular-whitespace": true, + "no-mergeable-namespace": true, + "no-parameter-reassignment": true, + "no-require-imports": true, + "no-trailing-whitespace": true, + "object-literal-sort-keys": true, + "prefer-const": true, + "trailing-comma": { + "options": { + "esSpecCompliant": true, + "multiline": "always", + "singleline": "never" + } + }, + "align": { + "options": ["parameters", "arguments", "statements", "elements", "members"] + }, + "array-type": { "options": "array-simple" }, + "arrow-parens": true, + "arrow-return-shorthand": { "options": "multiline" }, + "binary-expression-operand-order": true, + "callable-types": true, + "class-name": true, + "comment-format": { "options": ["check-space", "check-uppercase"] }, + "comment-type": { "options": ["singleline", "multiline", "doc", "directive"] }, + "completed-docs": [ + true, + { + "enums": true, + "methods": {"locations": "all", "privacies": ["public", "protected"]}, + "properties": {"locations": "all", "privacies": ["public", "protected"]} + } + ], + "deprecation": true, + "encoding": true, + "file-name-casing": { "options": "camel-case" }, + "import-spacing": true, + "increment-decrement": true, + "interface-name": true, + "interface-over-type-literal": true, + "jsdoc-format": { "options": "check-multiline-start" }, + "match-default-export-name": true, + "new-parens": true, + "newline-before-return": true, + "newline-per-chained-call": true, + "no-angle-bracket-type-assertion": true, + "no-boolean-literal-compare": true, + "no-consecutive-blank-lines": true, + "no-parameter-properties": true, + "no-redundant-jsdoc": true, + "no-reference-import": true, + "no-unnecessary-callback-wrapper": true, + "no-unnecessary-initializer": true, + "no-unnecessary-qualifier": true, + "no-unnecessary-type-assertion": true, + "number-literal-format": true, + "object-literal-key-quotes": { "options": "consistent-as-needed" }, + "object-literal-shorthand": true, + "one-line": { + "options": [ + "check-catch", + "check-else", + "check-finally", + "check-open-brace", + "check-whitespace" + ] + }, + "one-variable-per-declaration": true, + "ordered-imports": { + "options": { + "grouped-imports": true, + "import-sources-order": "case-insensitive", + "named-imports-order": "case-insensitive", + "module-source-path": "full" + } + }, + "prefer-function-over-method": true, + "prefer-method-signature": true, + "prefer-object-spread": true, + "prefer-switch": true, + "prefer-template": true, + "prefer-while": true, + "quotemark": { + "options": ["double", "avoid-escape", "avoid-template"] + }, + "return-undefined": true, + "semicolon": { "options": ["always"] }, + "space-before-function-paren": { + "options": { + "anonymous": "never", + "asyncArrow": "always", + "constructor": "never", + "method": "never", + "named": "never" + } + }, + "space-within-parens": { "options": 0 }, + "switch-final-break": true, + "type-literal-delimiter": true, + "unnecessary-bind": true, + "unnecessary-else": true, + "variable-name": { "options": ["ban-keywords", "check-format", "require-const-for-all-caps"] }, + "whitespace": { + "options": [ + "check-branch", + "check-decl", + "check-operator", + "check-module", + "check-separator", + "check-type", + "check-typecast", + "check-preblock", + "check-type-operator", + "check-rest-spread" + ] + } + } +} -- cgit 1.4.1 From bf9a15541888ac8836a70b4d01c2c9e7bd940051 Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Tue, 6 Jul 2021 08:09:31 +0100 Subject: Support for excluding JIT code (#1006) Co-authored-by: Your Name --- frida_mode/README.md | 3 ++ frida_mode/frida.map | 1 + frida_mode/include/ranges.h | 1 + frida_mode/src/js/api.js | 7 +++++ frida_mode/src/js/js_api.c | 6 ++++ frida_mode/src/ranges.c | 68 +++++++++++++++++++++++++++++++++++++++------ frida_mode/ts/lib/afl.ts | 12 ++++++++ include/envs.h | 1 + 8 files changed, 90 insertions(+), 9 deletions(-) (limited to 'frida_mode/include') diff --git a/frida_mode/README.md b/frida_mode/README.md index c85cf3af..024fc140 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -153,6 +153,9 @@ Generated block 0x7ffff75e98e2 *** ``` +* `AFL_FRIDA_INST_JIT` - Enable the instrumentation of Just-In-Time compiled +code. Code is considered to be JIT if the executable segment is not backed by a +file. * `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage instrumentation (the default where available). Required to use `AFL_FRIDA_INST_TRACE`. diff --git a/frida_mode/frida.map b/frida_mode/frida.map index cc072dd7..8fc0b174 100644 --- a/frida_mode/frida.map +++ b/frida_mode/frida.map @@ -11,6 +11,7 @@ js_api_set_debug_maps; js_api_set_entrypoint; js_api_set_instrument_debug_file; + js_api_set_instrument_jit; js_api_set_instrument_libraries; js_api_set_instrument_no_optimize; js_api_set_instrument_trace; diff --git a/frida_mode/include/ranges.h b/frida_mode/include/ranges.h index a667fb76..2eb9b355 100644 --- a/frida_mode/include/ranges.h +++ b/frida_mode/include/ranges.h @@ -5,6 +5,7 @@ extern gboolean ranges_debug_maps; extern gboolean ranges_inst_libs; +extern gboolean ranges_inst_jit; void ranges_config(void); void ranges_init(void); diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js index 4cb04704..1d843024 100644 --- a/frida_mode/src/js/api.js +++ b/frida_mode/src/js/api.js @@ -99,6 +99,12 @@ class Afl { static setInstrumentEnableTracing() { Afl.jsApiSetInstrumentTrace(); } + /** + * See `AFL_FRIDA_INST_JIT`. + */ + static setInstrumentJit() { + Afl.jsApiSetInstrumentJit(); + } /** * See `AFL_INST_LIBS`. */ @@ -222,6 +228,7 @@ Afl.jsApiError = Afl.jsApiGetFunction("js_api_error", "void", ["pointer"]); Afl.jsApiSetDebugMaps = Afl.jsApiGetFunction("js_api_set_debug_maps", "void", []); Afl.jsApiSetEntryPoint = Afl.jsApiGetFunction("js_api_set_entrypoint", "void", ["pointer"]); Afl.jsApiSetInstrumentDebugFile = Afl.jsApiGetFunction("js_api_set_instrument_debug_file", "void", ["pointer"]); +Afl.jsApiSetInstrumentJit = Afl.jsApiGetFunction("js_api_set_instrument_jit", "void", []); Afl.jsApiSetInstrumentLibraries = Afl.jsApiGetFunction("js_api_set_instrument_libraries", "void", []); Afl.jsApiSetInstrumentNoOptimize = Afl.jsApiGetFunction("js_api_set_instrument_no_optimize", "void", []); Afl.jsApiSetInstrumentTrace = Afl.jsApiGetFunction("js_api_set_instrument_trace", "void", []); diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index 58bf9ba3..36471387 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -77,6 +77,12 @@ __attribute__((visibility("default"))) void js_api_add_exclude_range( } +__attribute__((visibility("default"))) void js_api_set_instrument_jit() { + + ranges_inst_jit = TRUE; + +} + __attribute__((visibility("default"))) void js_api_set_instrument_libraries() { ranges_inst_libs = TRUE; diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c index 05e18156..5e78fa60 100644 --- a/frida_mode/src/ranges.c +++ b/frida_mode/src/ranges.c @@ -19,9 +19,11 @@ typedef struct { gboolean ranges_debug_maps = FALSE; gboolean ranges_inst_libs = FALSE; +gboolean ranges_inst_jit = FALSE; static GArray *module_ranges = NULL; static GArray *libs_ranges = NULL; +static GArray *jit_ranges = NULL; static GArray *include_ranges = NULL; static GArray *exclude_ranges = NULL; static GArray *ranges = NULL; @@ -174,19 +176,27 @@ static gboolean print_ranges_callback(const GumRangeDetails *details, gpointer user_data) { UNUSED_PARAMETER(user_data); + if (details->file == NULL) { - OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER "X", + OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER + "X %c%c%c", details->range->base_address, - details->range->base_address + details->range->size); + details->range->base_address + details->range->size, + details->protection & GUM_PAGE_READ ? 'R' : '-', + details->protection & GUM_PAGE_WRITE ? 'W' : '-', + details->protection & GUM_PAGE_EXECUTE ? 'X' : '-'); } else { OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER - "X %s(0x%016" G_GINT64_MODIFIER "x)", + "X %c%c%c %s(0x%016" G_GINT64_MODIFIER "x)", details->range->base_address, details->range->base_address + details->range->size, - details->file->path, details->file->offset); + details->protection & GUM_PAGE_READ ? 'R' : '-', + details->protection & GUM_PAGE_WRITE ? 'W' : '-', + details->protection & GUM_PAGE_EXECUTE ? 'X' : '-', details->file->path, + details->file->offset); } @@ -331,6 +341,39 @@ static GArray *collect_libs_ranges(void) { } +static gboolean collect_jit_ranges_callback(const GumRangeDetails *details, + gpointer user_data) { + + GArray *ranges = (GArray *)user_data; + + /* If the executable code isn't backed by a file, it's probably JIT */ + if (details->file == NULL) { + + GumMemoryRange range = *details->range; + g_array_append_val(ranges, range); + + } + + return TRUE; + +} + +static GArray *collect_jit_ranges(void) { + + GArray *result; + result = g_array_new(false, false, sizeof(GumMemoryRange)); + if (!ranges_inst_jit) { + + gum_process_enumerate_ranges(GUM_PAGE_EXECUTE, collect_jit_ranges_callback, + result); + + } + + print_ranges("JIT", result); + return result; + +} + static gboolean intersect_range(GumMemoryRange *rr, GumMemoryRange *ra, GumMemoryRange *rb) { @@ -510,6 +553,7 @@ void ranges_config(void) { if (getenv("AFL_FRIDA_DEBUG_MAPS") != NULL) { ranges_debug_maps = TRUE; } if (getenv("AFL_INST_LIBS") != NULL) { ranges_inst_libs = TRUE; } + if (getenv("AFL_FRIDA_INST_JIT") != NULL) { ranges_inst_jit = TRUE; } if (ranges_debug_maps) { @@ -530,7 +574,9 @@ void ranges_init(void) { GArray * step2; GArray * step3; GArray * step4; + GArray * step5; + OKF("Ranges - Instrument jit [%c]", ranges_inst_jit ? 'X' : ' '); OKF("Ranges - Instrument libraries [%c]", ranges_inst_libs ? 'X' : ' '); print_ranges("AFL_FRIDA_INST_RANGES", include_ranges); @@ -538,6 +584,7 @@ void ranges_init(void) { module_ranges = collect_module_ranges(); libs_ranges = collect_libs_ranges(); + jit_ranges = collect_jit_ranges(); /* If include ranges is empty, then assume everything is included */ if (include_ranges->len == 0) { @@ -560,17 +607,20 @@ void ranges_init(void) { step3 = subtract_ranges(step2, exclude_ranges); print_ranges("step3", step3); + step4 = subtract_ranges(step3, jit_ranges); + print_ranges("step4", step4); + /* - * After step3, we have the total ranges to be instrumented, we now subtract + * After step4, we have the total ranges to be instrumented, we now subtract * that from the original ranges of the modules to configure stalker. */ + step5 = subtract_ranges(module_ranges, step4); + print_ranges("step5", step5); - step4 = subtract_ranges(module_ranges, step3); - print_ranges("step4", step4); - - ranges = merge_ranges(step4); + ranges = merge_ranges(step5); print_ranges("final", ranges); + g_array_free(step5, TRUE); g_array_free(step4, TRUE); g_array_free(step3, TRUE); g_array_free(step2, TRUE); diff --git a/frida_mode/ts/lib/afl.ts b/frida_mode/ts/lib/afl.ts index 93368dac..67e21beb 100644 --- a/frida_mode/ts/lib/afl.ts +++ b/frida_mode/ts/lib/afl.ts @@ -119,6 +119,13 @@ class Afl { Afl.jsApiSetInstrumentTrace(); } + /** + * See `AFL_FRIDA_INST_JIT`. + */ + public static setInstrumentJit(): void { + Afl.jsApiSetInstrumentJit(); + } + /** * See `AFL_INST_LIBS`. */ @@ -273,6 +280,11 @@ class Afl { "void", ["pointer"]); + private static readonly jsApiSetInstrumentJit = Afl.jsApiGetFunction( + "js_api_set_instrument_jit", + "void", + []); + private static readonly jsApiSetInstrumentLibraries = Afl.jsApiGetFunction( "js_api_set_instrument_libraries", "void", diff --git a/include/envs.h b/include/envs.h index f89e8e62..4bab54ce 100644 --- a/include/envs.h +++ b/include/envs.h @@ -56,6 +56,7 @@ static char *afl_environment_variables[] = { "AFL_FRIDA_DEBUG_MAPS", "AFL_FRIDA_EXCLUDE_RANGES", "AFL_FRIDA_INST_DEBUG_FILE", + "AFL_FRIDA_INST_JIT", "AFL_FRIDA_INST_NO_OPTIMIZE", "AFL_FRIDA_INST_NO_PREFETCH", "AFL_FRIDA_INST_RANGES", -- cgit 1.4.1 From 4a02118fdae1ed0bd2cb74a775e7bc0d82d91a81 Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Tue, 6 Jul 2021 18:30:50 +0100 Subject: Deferred exclusion support (#1008) * Deferred exclusion support * Changes to support different hook libraries for QEMU and FRIDA * Changes to collect more stats Co-authored-by: Your Name --- frida_mode/GNUmakefile | 25 ++++++++++++++++--------- frida_mode/include/entry.h | 3 ++- frida_mode/include/persistent.h | 3 +++ frida_mode/include/stalker.h | 1 + frida_mode/src/entry.c | 15 ++++++++++++++- frida_mode/src/instrument/instrument.c | 8 +++++++- frida_mode/src/persistent/persistent.c | 20 ++++++++++++++++++++ frida_mode/src/persistent/persistent_arm32.c | 4 ++-- frida_mode/src/persistent/persistent_arm64.c | 4 ++-- frida_mode/src/persistent/persistent_x64.c | 4 ++-- frida_mode/src/persistent/persistent_x86.c | 4 ++-- frida_mode/src/stalker.c | 8 +++++++- frida_mode/src/stats/stats_x64.c | 18 ++++++++++++++++++ frida_mode/test/jpeg/GNUmakefile | 6 +++--- frida_mode/test/libpcap/GNUmakefile | 11 ++++++----- frida_mode/test/png/GNUmakefile | 6 ++++++ frida_mode/test/png/Makefile | 3 +++ frida_mode/test/png/persistent/hook/GNUmakefile | 25 +++++++++++++------------ frida_mode/test/png/persistent/hook/load.js | 2 +- frida_mode/test/proj4/GNUmakefile | 6 +++--- frida_mode/test/re2/GNUmakefile | 11 ++++++----- frida_mode/test/testinstr/GNUmakefile | 7 +++++++ 22 files changed, 144 insertions(+), 50 deletions(-) (limited to 'frida_mode/include') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index 6c17f369..4d8f8507 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -98,9 +98,12 @@ FRIDA_GUM_DEVKIT_COMPRESSED_TARBALL:=$(FRIDA_DIR)build/$(GUM_DEVKIT_FILENAME) AFL_COMPILER_RT_SRC:=$(ROOT)instrumentation/afl-compiler-rt.o.c AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o -HOOK_DIR:=$(PWD)hook/ -AFLPP_DRIVER_HOOK_SRC=$(HOOK_DIR)hook.c -AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)hook.so +FRIDA_HOOK_DIR:=$(PWD)hook/ +AFLPP_FRIDA_DRIVER_HOOK_SRC=$(FRIDA_HOOK_DIR)hook.c +AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(BUILD_DIR)frida_hook.so + +QEMU_HOOK_DIR:=$(ROOT)utils/aflpp_driver/ +AFLPP_QEMU_DRIVER_HOOK_OBJ:=$(BUILD_DIR)qemu_hook.so BIN2C:=$(BUILD_DIR)bin2c BIN2C_SRC:=$(PWD)util/bin2c.c @@ -109,7 +112,7 @@ BIN2C_SRC:=$(PWD)util/bin2c.c ############################## ALL ############################################# -all: $(FRIDA_TRACE) $(AFLPP_DRIVER_HOOK_OBJ) +all: $(FRIDA_TRACE) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) 32: CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all @@ -150,10 +153,10 @@ $(GUM_DEVKIT_TARBALL): | $(FRIDA_BUILD_DIR) wget -O $@ $(GUM_DEVKIT_URL) endif -$(GUM_DEVIT_LIBRARY): | $(GUM_DEVKIT_TARBALL) +$(GUM_DEVIT_LIBRARY): $(GUM_DEVKIT_TARBALL) tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR) -$(GUM_DEVIT_HEADER): | $(GUM_DEVKIT_TARBALL) +$(GUM_DEVIT_HEADER): $(GUM_DEVKIT_TARBALL) tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR) ############################## AFL ############################################# @@ -214,10 +217,14 @@ $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL ############################# HOOK ############################################# -$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR) +$(AFLPP_FRIDA_DRIVER_HOOK_OBJ): $(AFLPP_FRIDA_DRIVER_HOOK_SRC) | $(BUILD_DIR) $(CC) $(CFLAGS) $(LDFLAGS) -I $(FRIDA_BUILD_DIR) $< -o $@ -hook: $(AFLPP_DRIVER_HOOK_OBJ) +$(AFLPP_QEMU_DRIVER_HOOK_OBJ): | $(QEMU_HOOK_DIR) + make -C $(QEMU_HOOK_DIR) aflpp_qemu_driver_hook.so + cp $(QEMU_HOOK_DIR)aflpp_qemu_driver_hook.so $@ + +hook: $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) ############################# CLEAN ############################################ clean: @@ -225,7 +232,7 @@ clean: ############################# FORMAT ########################################### format: - cd $(ROOT) && echo $(SOURCES) $(AFLPP_DRIVER_HOOK_SRC) $(BIN2C_SRC) | xargs -L1 ./.custom-format.py -i + cd $(ROOT) && echo $(SOURCES) $(AFLPP_FRIDA_DRIVER_HOOK_SRC) $(BIN2C_SRC) | xargs -L1 ./.custom-format.py -i cd $(ROOT) && echo $(INCLUDES) | xargs -L1 ./.custom-format.py -i ############################# RUN ############################################# diff --git a/frida_mode/include/entry.h b/frida_mode/include/entry.h index 801c2bbe..cbc5c8c7 100644 --- a/frida_mode/include/entry.h +++ b/frida_mode/include/entry.h @@ -3,7 +3,8 @@ #include "frida-gumjs.h" -extern guint64 entry_point; +extern guint64 entry_point; +extern gboolean entry_reached; void entry_config(void); diff --git a/frida_mode/include/persistent.h b/frida_mode/include/persistent.h index 8f00196c..c79f0143 100644 --- a/frida_mode/include/persistent.h +++ b/frida_mode/include/persistent.h @@ -30,7 +30,10 @@ void persistent_init(void); gboolean persistent_is_supported(void); void persistent_prologue(GumStalkerOutput *output); +void persistent_prologue_arch(GumStalkerOutput *output); + void persistent_epilogue(GumStalkerOutput *output); +void persistent_epilogue_arch(GumStalkerOutput *output); #endif diff --git a/frida_mode/include/stalker.h b/frida_mode/include/stalker.h index 2136fe52..b5e05d5a 100644 --- a/frida_mode/include/stalker.h +++ b/frida_mode/include/stalker.h @@ -7,6 +7,7 @@ void stalker_config(void); void stalker_init(void); GumStalker *stalker_get(void); void stalker_start(void); +void stalker_trust(void); #endif diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index e95b923b..1d3b3e43 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -4,12 +4,15 @@ #include "entry.h" #include "instrument.h" +#include "persistent.h" +#include "ranges.h" #include "stalker.h" #include "util.h" extern void __afl_manual_init(); -guint64 entry_point = 0; +guint64 entry_point = 0; +gboolean entry_reached = FALSE; static void entry_launch(void) { @@ -50,6 +53,16 @@ static void entry_callout(GumCpuContext *cpu_context, gpointer user_data) { void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output) { UNUSED_PARAMETER(output); + OKF("AFL_ENTRYPOINT reached"); + + if (persistent_start == 0) { + + entry_reached = TRUE; + ranges_exclude(); + stalker_trust(); + + } + gum_stalker_iterator_put_callout(iterator, entry_callout, NULL, NULL); } diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index c646843c..2d857716 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -149,7 +149,13 @@ static void instrument_basic_block(GumStalkerIterator *iterator, if (unlikely(begin)) { - prefetch_write(GSIZE_TO_POINTER(instr->address)); + instrument_debug_start(instr->address, output); + + if (likely(entry_reached)) { + + prefetch_write(GSIZE_TO_POINTER(instr->address)); + + } if (likely(!excluded)) { diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c index bcc59ea7..639a694e 100644 --- a/frida_mode/src/persistent/persistent.c +++ b/frida_mode/src/persistent/persistent.c @@ -5,7 +5,10 @@ #include "config.h" #include "debug.h" +#include "entry.h" #include "persistent.h" +#include "ranges.h" +#include "stalker.h" #include "util.h" int __afl_sharedmem_fuzzing = 0; @@ -83,3 +86,20 @@ void persistent_init(void) { } +void persistent_prologue(GumStalkerOutput *output) { + + OKF("AFL_FRIDA_PERSISTENT_ADDR reached"); + entry_reached = TRUE; + ranges_exclude(); + stalker_trust(); + persistent_prologue_arch(output); + +} + +void persistent_epilogue(GumStalkerOutput *output) { + + OKF("AFL_FRIDA_PERSISTENT_RET reached"); + persistent_epilogue_arch(output); + +} + diff --git a/frida_mode/src/persistent/persistent_arm32.c b/frida_mode/src/persistent/persistent_arm32.c index f12f1af8..769f1505 100644 --- a/frida_mode/src/persistent/persistent_arm32.c +++ b/frida_mode/src/persistent/persistent_arm32.c @@ -61,14 +61,14 @@ gboolean persistent_is_supported(void) { } -void persistent_prologue(GumStalkerOutput *output) { +void persistent_prologue_arch(GumStalkerOutput *output) { UNUSED_PARAMETER(output); FATAL("Persistent mode not supported on this architecture"); } -void persistent_epilogue(GumStalkerOutput *output) { +void persistent_epilogue_arch(GumStalkerOutput *output) { UNUSED_PARAMETER(output); FATAL("Persistent mode not supported on this architecture"); diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c index 003f058a..4ab7b283 100644 --- a/frida_mode/src/persistent/persistent_arm64.c +++ b/frida_mode/src/persistent/persistent_arm64.c @@ -299,7 +299,7 @@ static void instrument_persitent_save_lr(GumArm64Writer *cw) { } -void persistent_prologue(GumStalkerOutput *output) { +void persistent_prologue_arch(GumStalkerOutput *output) { /* * SAVE REGS @@ -366,7 +366,7 @@ void persistent_prologue(GumStalkerOutput *output) { } -void persistent_epilogue(GumStalkerOutput *output) { +void persistent_epilogue_arch(GumStalkerOutput *output) { GumArm64Writer *cw = output->writer.arm64; diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c index b2186db1..ce3017e4 100644 --- a/frida_mode/src/persistent/persistent_x64.c +++ b/frida_mode/src/persistent/persistent_x64.c @@ -244,7 +244,7 @@ static void instrument_persitent_save_ret(GumX86Writer *cw) { } -void persistent_prologue(GumStalkerOutput *output) { +void persistent_prologue_arch(GumStalkerOutput *output) { /* * SAVE REGS @@ -313,7 +313,7 @@ void persistent_prologue(GumStalkerOutput *output) { } -void persistent_epilogue(GumStalkerOutput *output) { +void persistent_epilogue_arch(GumStalkerOutput *output) { GumX86Writer *cw = output->writer.x86; diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c index f50bccb0..cc1f1a4f 100644 --- a/frida_mode/src/persistent/persistent_x86.c +++ b/frida_mode/src/persistent/persistent_x86.c @@ -184,7 +184,7 @@ static void instrument_persitent_save_ret(GumX86Writer *cw) { } -void persistent_prologue(GumStalkerOutput *output) { +void persistent_prologue_arch(GumStalkerOutput *output) { /* * SAVE REGS @@ -251,7 +251,7 @@ void persistent_prologue(GumStalkerOutput *output) { } -void persistent_epilogue(GumStalkerOutput *output) { +void persistent_epilogue_arch(GumStalkerOutput *output) { GumX86Writer *cw = output->writer.x86; diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c index 98483cde..5df0386f 100644 --- a/frida_mode/src/stalker.c +++ b/frida_mode/src/stalker.c @@ -38,7 +38,7 @@ void stalker_init(void) { stalker = gum_stalker_new(); if (stalker == NULL) { FATAL("Failed to initialize stalker"); } - gum_stalker_set_trust_threshold(stalker, 0); + gum_stalker_set_trust_threshold(stalker, -1); /* *NEVER* stalk the stalker, only bad things will ever come of this! */ gum_process_enumerate_ranges(GUM_PAGE_EXECUTE, stalker_exclude_self, NULL); @@ -59,3 +59,9 @@ void stalker_start(void) { } +void stalker_trust(void) { + + gum_stalker_set_trust_threshold(stalker, 0); + +} + diff --git a/frida_mode/src/stats/stats_x64.c b/frida_mode/src/stats/stats_x64.c index 7c3a90d7..11464a2a 100644 --- a/frida_mode/src/stats/stats_x64.c +++ b/frida_mode/src/stats/stats_x64.c @@ -31,6 +31,9 @@ typedef struct { guint64 num_rip_relative; + guint64 num_rip_relative_type[X86_INS_ENDING]; + char name_rip_relative_type[X86_INS_ENDING][CS_MNEMONIC_SIZE]; + } stats_data_arch_t; gboolean stats_is_supported_arch(void) { @@ -136,6 +139,18 @@ void stats_write_arch(void) { stats_data_arch->num_rip_relative, (stats_data_arch->num_rip_relative * 100 / num_instructions)); + for (size_t i = 0; i < X86_INS_ENDING; i++) { + + if (stats_data_arch->num_rip_relative_type[i] != 0) { + + stats_print(" %10d %s\n", + stats_data_arch->num_rip_relative_type[i], + stats_data_arch->name_rip_relative_type[i]); + + } + + } + stats_print("\n"); stats_print("\n"); @@ -256,6 +271,9 @@ static void stats_collect_rip_relative_arch(const cs_insn *instr) { if (rm != 5) { return; } stats_data_arch->num_rip_relative++; + stats_data_arch->num_rip_relative_type[instr->id]++; + memcpy(stats_data_arch->name_rip_relative_type[instr->id], instr->mnemonic, + CS_MNEMONIC_SIZE); } diff --git a/frida_mode/test/jpeg/GNUmakefile b/frida_mode/test/jpeg/GNUmakefile index 68469782..1c124743 100644 --- a/frida_mode/test/jpeg/GNUmakefile +++ b/frida_mode/test/jpeg/GNUmakefile @@ -2,7 +2,7 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so +AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so LIBJPEG_BUILD_DIR:=$(BUILD_DIR)libjpeg/ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ @@ -132,7 +132,7 @@ $(TEST_DATA_FILE): | $(TEST_DATA_DIR) clean: rm -rf $(BUILD_DIR) -frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) +frida: $(TEST_BIN) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) AFL_DEBUG_CHILD=1 \ AFL_DISABLE_TRIM=1 \ AFL_FRIDA_PERSISTENT_CNT=1000000 \ @@ -144,7 +144,7 @@ frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) AFL_SKIP_CPUFREQ=1 \ AFL_SKIP_CRASHES=1 \ AFL_TESTCACHE_SIZE=2 \ - AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ $(ROOT)afl-fuzz \ diff --git a/frida_mode/test/libpcap/GNUmakefile b/frida_mode/test/libpcap/GNUmakefile index 4d0bc4f1..f1ad06e4 100644 --- a/frida_mode/test/libpcap/GNUmakefile +++ b/frida_mode/test/libpcap/GNUmakefile @@ -2,7 +2,8 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so +AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so +AFLPP_QEMU_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/qemu_hook.so LIBPCAP_BUILD_DIR:=$(BUILD_DIR)libpcap/ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ @@ -148,8 +149,8 @@ $(AFLPP_DRIVER_DUMMY_INPUT): | $(TCPDUMP_TESTS_DIR) clean: rm -rf $(BUILD_DIR) -qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR) - AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +qemu: $(TEST_BIN) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR) + AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \ AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_QEMU_PERSISTENT_GPR=1 \ @@ -162,8 +163,8 @@ qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDU -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) -frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR) - AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +frida: $(TEST_BIN) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR) + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ $(ROOT)afl-fuzz \ diff --git a/frida_mode/test/png/GNUmakefile b/frida_mode/test/png/GNUmakefile index fdb2c318..a1a7f1a5 100644 --- a/frida_mode/test/png/GNUmakefile +++ b/frida_mode/test/png/GNUmakefile @@ -112,3 +112,9 @@ frida: $(TEST_BIN) -o $(FRIDA_OUT) \ -- \ $(TEST_BIN) @@ + +debug: + gdb \ + --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ + --ex 'set disassembly-flavor intel' \ + --args $(TEST_BIN) $(TEST_DATA_DIR)basn0g01.png diff --git a/frida_mode/test/png/Makefile b/frida_mode/test/png/Makefile index 4bef1ccb..f843af19 100644 --- a/frida_mode/test/png/Makefile +++ b/frida_mode/test/png/Makefile @@ -14,3 +14,6 @@ qemu: frida: @gmake frida + +debug: + @gmake debug diff --git a/frida_mode/test/png/persistent/hook/GNUmakefile b/frida_mode/test/png/persistent/hook/GNUmakefile index 8a1a9a60..ddf63a96 100644 --- a/frida_mode/test/png/persistent/hook/GNUmakefile +++ b/frida_mode/test/png/persistent/hook/GNUmakefile @@ -2,7 +2,8 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so +AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so +AFLPP_QEMU_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/qemu_hook.so CFLAGS+=-O3 \ -funroll-loops \ @@ -73,8 +74,8 @@ $(TEST_DATA_DIR): | $(BUILD_DIR) $(AFLPP_DRIVER_DUMMY_INPUT): | $(BUILD_DIR) truncate -s 1M $@ -qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) - AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) | $(BUILD_DIR) + AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \ AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_QEMU_PERSISTENT_GPR=1 \ $(ROOT)/afl-fuzz \ @@ -86,8 +87,8 @@ qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) -qemu_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) - AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +qemu_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) | $(BUILD_DIR) + AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \ AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_QEMU_PERSISTENT_GPR=1 \ @@ -100,8 +101,8 @@ qemu_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) -frida: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) - AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +frida: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR) + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ $(ROOT)afl-fuzz \ -D \ @@ -113,8 +114,8 @@ frida: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) -frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) - AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR) + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ $(ROOT)afl-fuzz \ @@ -126,7 +127,7 @@ frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) -frida_js_load: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) +frida_js_load: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR) AFL_PRELOAD=$(AFL_PRELOAD) \ AFL_FRIDA_JS_SCRIPT=load.js \ $(ROOT)afl-fuzz \ @@ -139,7 +140,7 @@ frida_js_load: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DI -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) -frida_js_cmodule: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR) +frida_js_cmodule: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR) AFL_PRELOAD=$(AFL_PRELOAD) \ AFL_FRIDA_JS_SCRIPT=cmodule.js \ $(ROOT)afl-fuzz \ @@ -155,7 +156,7 @@ debug: $(AFLPP_DRIVER_DUMMY_INPUT) echo $(AFL_FRIDA_PERSISTENT_ADDR) gdb \ --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ - --ex 'set environment AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ)' \ + --ex 'set environment AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ)' \ --ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR)' \ --ex 'set disassembly-flavor intel' \ --args $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) diff --git a/frida_mode/test/png/persistent/hook/load.js b/frida_mode/test/png/persistent/hook/load.js index ce4374ae..ea4d28c3 100644 --- a/frida_mode/test/png/persistent/hook/load.js +++ b/frida_mode/test/png/persistent/hook/load.js @@ -19,7 +19,7 @@ Afl.setPersistentAddress(persistent_addr); const path = Afl.module.path; const dir = path.substring(0, path.lastIndexOf("/")); -const mod = Module.load(`${dir}/frida_mode/build/hook.so`); +const mod = Module.load(`${dir}/frida_mode/build/frida_hook.so`); const hook = mod.getExportByName('afl_persistent_hook'); Afl.setPersistentHook(hook); diff --git a/frida_mode/test/proj4/GNUmakefile b/frida_mode/test/proj4/GNUmakefile index 6ce03fd3..8555ebad 100644 --- a/frida_mode/test/proj4/GNUmakefile +++ b/frida_mode/test/proj4/GNUmakefile @@ -2,7 +2,7 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so +AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so LIBPROJ4_BUILD_DIR:=$(BUILD_DIR)libproj4/ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ @@ -132,7 +132,7 @@ $(TEST_DATA_FILE): | $(TEST_DATA_DIR) clean: rm -rf $(BUILD_DIR) -frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) +frida: $(TEST_BIN) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) AFL_DEBUG_CHILD=1 \ AFL_DISABLE_TRIM=1 \ AFL_FRIDA_PERSISTENT_CNT=1000000 \ @@ -144,7 +144,7 @@ frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) AFL_SKIP_CPUFREQ=1 \ AFL_SKIP_CRASHES=1 \ AFL_TESTCACHE_SIZE=2 \ - AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ $(ROOT)afl-fuzz \ diff --git a/frida_mode/test/re2/GNUmakefile b/frida_mode/test/re2/GNUmakefile index ab986190..ce95df3b 100644 --- a/frida_mode/test/re2/GNUmakefile +++ b/frida_mode/test/re2/GNUmakefile @@ -2,7 +2,8 @@ PWD:=$(shell pwd)/ ROOT:=$(shell realpath $(PWD)../../..)/ BUILD_DIR:=$(PWD)build/ -AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so +AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so +AFLPP_QEMU_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/qemu_hook.so LIBRE2_BUILD_DIR:=$(BUILD_DIR)libre2/ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ @@ -130,8 +131,8 @@ $(AFLPP_DRIVER_DUMMY_INPUT): | $(TEST_DATA_DIR) clean: rm -rf $(BUILD_DIR) -qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) - AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +qemu: $(TEST_BIN) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) + AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \ AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_QEMU_PERSISTENT_GPR=1 \ @@ -144,8 +145,8 @@ qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) -- \ $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT) -frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) - AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \ +frida: $(TEST_BIN) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ $(ROOT)afl-fuzz \ diff --git a/frida_mode/test/testinstr/GNUmakefile b/frida_mode/test/testinstr/GNUmakefile index a35073ab..3701ddc8 100644 --- a/frida_mode/test/testinstr/GNUmakefile +++ b/frida_mode/test/testinstr/GNUmakefile @@ -52,6 +52,13 @@ frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) -- \ $(TESTINSTBIN) @@ +debug: + echo $(AFL_FRIDA_PERSISTENT_ADDR) + gdb \ + --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ + --ex 'set disassembly-flavor intel' \ + --args $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) + debug: gdb \ --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ -- cgit 1.4.1 From 161d763334a27c6b031d8c5b9a7b49280cb05796 Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Wed, 7 Jul 2021 21:11:03 +0100 Subject: Changes to print stats more periodically rather than relying on a new block being instrumented (#1011) Co-authored-by: Your Name --- frida_mode/hook/frida_hook.c | 1 - frida_mode/include/stats.h | 1 + frida_mode/src/entry.c | 2 ++ frida_mode/src/stats/stats.c | 6 +++--- 4 files changed, 6 insertions(+), 4 deletions(-) (limited to 'frida_mode/include') diff --git a/frida_mode/hook/frida_hook.c b/frida_mode/hook/frida_hook.c index 96446d6f..3bfdb207 100644 --- a/frida_mode/hook/frida_hook.c +++ b/frida_mode/hook/frida_hook.c @@ -6,7 +6,6 @@ * */ - #include #include diff --git a/frida_mode/include/stats.h b/frida_mode/include/stats.h index 1cfd6b8f..cd2350ea 100644 --- a/frida_mode/include/stats.h +++ b/frida_mode/include/stats.h @@ -28,6 +28,7 @@ gboolean stats_is_supported_arch(void); size_t stats_data_size_arch(void); void stats_collect_arch(const cs_insn *instr); void stats_write_arch(void); +void stats_on_fork(void); #endif diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index 1d3b3e43..f70e21fc 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -7,6 +7,7 @@ #include "persistent.h" #include "ranges.h" #include "stalker.h" +#include "stats.h" #include "util.h" extern void __afl_manual_init(); @@ -21,6 +22,7 @@ static void entry_launch(void) { /* Child here */ instrument_previous_pc = 0; + stats_on_fork(); } diff --git a/frida_mode/src/stats/stats.c b/frida_mode/src/stats/stats.c index 0dd8be70..91a58741 100644 --- a/frida_mode/src/stats/stats.c +++ b/frida_mode/src/stats/stats.c @@ -178,10 +178,12 @@ void stats_write(void) { } -static void stats_maybe_write(void) { +void stats_on_fork(void) { guint64 current_time; + if (stats_filename == NULL) { return; } + if (stats_interval == 0) { return; } current_time = g_get_monotonic_time(); @@ -208,7 +210,5 @@ void stats_collect(const cs_insn *instr, gboolean begin) { stats_collect_arch(instr); - stats_maybe_write(); - } -- cgit 1.4.1 From 94999782f1a3742e3e755a66f5d76e84573ae6ef Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Wed, 14 Jul 2021 08:48:37 +0100 Subject: Improved block and edge numbering to reduce collisions (#1021) Co-authored-by: Your Name --- frida_mode/GNUmakefile | 30 ++++-- frida_mode/MapDensity.md | 147 +++++++++++++++++++++++++++ frida_mode/README.md | 4 + frida_mode/hook/qemu_hook.c | 3 + frida_mode/include/instrument.h | 16 ++- frida_mode/many-linux/Dockerfile | 2 +- frida_mode/src/entry.c | 2 +- frida_mode/src/instrument/instrument.c | 62 ++++++++--- frida_mode/src/instrument/instrument_arm64.c | 16 +-- frida_mode/src/instrument/instrument_x64.c | 19 ++-- frida_mode/src/instrument/instrument_x86.c | 22 ++-- frida_mode/src/persistent/persistent_arm64.c | 2 +- frida_mode/src/persistent/persistent_x64.c | 2 +- frida_mode/src/persistent/persistent_x86.c | 2 +- frida_mode/util/get_symbol_addr.sh | 2 +- 15 files changed, 277 insertions(+), 54 deletions(-) create mode 100644 frida_mode/MapDensity.md (limited to 'frida_mode/include') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index 582cf8d6..44dfafe3 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -21,7 +21,7 @@ CFLAGS+=-fPIC \ -funroll-loops \ -ffunction-sections \ -RT_CFLAGS:=-Wno-unused-parameter \ +AFL_CFLAGS:=-Wno-unused-parameter \ -Wno-sign-compare \ -Wno-unused-function \ -Wno-unused-result \ @@ -60,10 +60,10 @@ endif ifeq "$(shell uname)" "Darwin" OS:=macos - RT_CFLAGS:=$(RT_CFLAGS) -Wno-deprecated-declarations + AFL_CFLAGS:=$(AFL_CFLAGS) -Wno-deprecated-declarations else ifdef DEBUG - RT_CFLAGS:=$(RT_CFLAGS) -Wno-prio-ctor-dtor + AFL_CFLAGS:=$(AFL_CFLAGS) -Wno-prio-ctor-dtor endif LDFLAGS+= -z noexecstack \ -Wl,--gc-sections \ @@ -79,7 +79,12 @@ ifndef OS $(error "Operating system unsupported") endif +ifeq "$(ARCH)" "arm64" +# 15.0.0 Not released for aarch64 yet +GUM_DEVKIT_VERSION=14.2.18 +else GUM_DEVKIT_VERSION=15.0.0 +endif GUM_DEVKIT_FILENAME=frida-gumjs-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar.xz GUM_DEVKIT_URL="https://github.com/frida/frida/releases/download/$(GUM_DEVKIT_VERSION)/$(GUM_DEVKIT_FILENAME)" @@ -98,6 +103,9 @@ FRIDA_GUM_DEVKIT_COMPRESSED_TARBALL:=$(FRIDA_DIR)build/$(GUM_DEVKIT_FILENAME) AFL_COMPILER_RT_SRC:=$(ROOT)instrumentation/afl-compiler-rt.o.c AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o +AFL_PERFORMANCE_SRC:=$(ROOT)src/afl-performance.c +AFL_PERFORMANCE_OBJ:=$(OBJ_DIR)afl-performance.o + HOOK_DIR:=$(PWD)hook/ AFLPP_FRIDA_DRIVER_HOOK_SRC=$(HOOK_DIR)frida_hook.c AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(BUILD_DIR)frida_hook.so @@ -163,7 +171,16 @@ $(GUM_DEVIT_HEADER): $(GUM_DEVKIT_TARBALL) $(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC) $(CC) \ $(CFLAGS) \ - $(RT_CFLAGS) \ + $(AFL_CFLAGS) \ + -I $(ROOT) \ + -I $(ROOT)include \ + -o $@ \ + -c $< + +$(AFL_PERFORMANCE_OBJ): $(AFL_PERFORMANCE_SRC) + $(CC) \ + $(CFLAGS) \ + $(AFL_CFLAGS) \ -I $(ROOT) \ -I $(ROOT)include \ -o $@ \ @@ -172,7 +189,7 @@ $(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC) ############################### JS ############################################# $(BIN2C): $(BIN2C_SRC) - $(CC) -o $@ $< + $(CC) -D_GNU_SOURCE -o $@ $< $(JS_SRC): $(JS) $(BIN2C)| $(BUILD_DIR) cd $(JS_DIR) && $(BIN2C) api_js $(JS) $@ @@ -203,12 +220,13 @@ $(foreach src,$(SOURCES),$(eval $(call BUILD_SOURCE,$(src),$(OBJ_DIR)$(notdir $( ######################## AFL-FRIDA-TRACE ####################################### -$(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL_COMPILER_RT_OBJ) GNUmakefile | $(BUILD_DIR) +$(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL_COMPILER_RT_OBJ) $(AFL_PERFORMANCE_OBJ) GNUmakefile | $(BUILD_DIR) $(CXX) \ $(OBJS) \ $(JS_OBJ) \ $(GUM_DEVIT_LIBRARY) \ $(AFL_COMPILER_RT_OBJ) \ + $(AFL_PERFORMANCE_OBJ) \ $(LDFLAGS) \ $(LDSCRIPT) \ -o $@ \ diff --git a/frida_mode/MapDensity.md b/frida_mode/MapDensity.md new file mode 100644 index 00000000..f4ae3ace --- /dev/null +++ b/frida_mode/MapDensity.md @@ -0,0 +1,147 @@ +# Map Density + +# How Coverage Works +The coverage in AFL++ works by assigning each basic block of code a unique ID +and during execution when transitioning between blocks (e.g. by calls or jumps) +assigning each of these edges an ID based upon the source and destination block +ID. + +For each individual execution of the target, a single dimensional byte array +indexed by the edge ID is used to count how many times each edge is traversed. + +A single dimensional cumulative byte array is also constructed where each byte +again represents an individual edge ID, but this time, the value of the byte +represents a range of how many times that edge has been traversed. + +```1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+``` + +The theory is that a new path isn't particularly interesting if an edge has been +traversed `23` instead of `24` times for example, but is interesting if an edge +has been traversed for the very first time, or the number of times fits within a different bucket. + +After each run, the count of times each edge is hit is compared to the values in +the cumulative map and if it is different, then the input is kept as a new seed +and the cumulative map is updated. + +This mechanism is described in greater detail in the seminal +[paper](https://lcamtuf.coredump.cx/afl/technical_details.txt) on AFL by +[lcamtuf](https://github.com/lcamtuf). + +# Collisions +In black-box fuzzing, we must assume that control may flow from any block to any +other block, since we don't know any better. Thus for a target with `n` basic +blocks of code, there are `n * n` potential edges. As we can see, even with a +small number of edges, a very large map will be required so that we have space +to fit them all. Even if our target only had `1024` blocks, this would require a +map containing `1048576` entries (or 1Mb in size). + +Whilst this may not seem like a lot of memory, it causes problems for two reasons. Firstly, the processing step after each execution must now process much more +data, and secondly a map this size is unlikely to fit within the L2 cache of the processor. Since this is a very hot code path, we are likely to pay a very heavy +performance cost. + +Therefore, we must accept that not all edges can have a unique and that +therefore there will be collisions. This means that if the fuzzer finds a new +path by uncovering an edge which was not previously found, but that the same +edge ID is used by another edge, then it may go completely unnoticed. This is +obviously undesirable, but equally if our map is too large, then we will not be +able to process as many potential inputs in the same time and hence not uncover +edges for that reason. Thus a careful trade-off of map size must be made. + +# Block & Edge Numbering +Since the original AFL, blocks and edges have always been numbered in the same +way as we can see from the following C snippet from the whitepaper. + +```c + cur_location = (block_address >> 4) ^ (block_address << 8); + shared_mem[cur_location ^ prev_location]++; + prev_location = cur_location >> 1; + +``` + +Each block ID is generated by performing a shift and XOR on its address. Then +the edge ID is calculated as `E = B ^ (B' >> 1)`. Here, we can make two +observations. In fact, the edge ID is also masked to ensure it is less than the +size of the map being used. + +## Block IDs +Firstly, the block ID doesn't have very good entropy. If we consider the address +of the block, then whilst each block has a unique ID, it isn't necessarily very +evenly distributed. + +We start with a large address, and need to discard a large number of the bits to +generate a block ID which is within range. But how do we choose the unique bits +of the address verus those which are the same for every block? The high bits of +the address may simply be all `0s` or all `1s` to make the address cannonical, +the middle portion of the address may be the same for all blocks (since if they +are all within the same binary, then they will all be adjacent in memory), and +on some systems, even the low bits may have poor entropy as some use fixed +length aligned instructions. Then we need to consider that a portion of each +binary may contain the `.data` or `.bss` sections and so may not contain any +blocks of code at all. + +## Edge IDs +Secondly, we can observe that when we generate an edge ID from the source and +destination block IDs, we perform a right shift on the source block ID. Whilst +there are good reasons as set out in the whitepaper why such a transform is +applied, in so doing, we dispose of `1` bit of precious entropy in our source +block ID. + +All together, this means that some edge IDs may be more popular than others. +This means that some portions of the map may be very densly populated with large +numbers of edges, whilst others may be very sparsely populated, or not populated +at all. + +# Improvements +One of the main reaons why this algorithm selected, is performance. All of the +operations are very quick to perform and given we may be carrying this out for +every block of code we execute, performance is critical. + +However, the design of the binary instrumentation modes of AFL++ has moved on. +Both QEMU and FRIDA modes use a two stage process when executing a target +application. Each block is first compiled or instrumented, and then it is +executed. The compiled blocks can be re-used each time the target executes them. + +Since a blocks ID is based on its address, and this is known at compile time, we +only need to generate this ID once per block and so this ID generation no longer +needs to be as performant. We can therefore use a hash algorithm to generate +this ID and therefore ensure that the block IDs are more evenly distributed. + +Edge IDs however, can only be determined at run-time. Since we don't know which +blocks a given input will traverse until we run it. However, given our block IDs +are now evenly distributed, generating an evenly distributed edge ID becomes +simple. Here, the only change we make is to use a rotate operation rather than +a shift operation so we don't lose a bit of entropy from the source ID. + +So our new algorithm becomes: +```c + cur_location = hash(block_address) + shared_mem[cur_location ^ prev_location]++; + prev_location = rotate(cur_location, 1); +``` + +Lastly, in the original design, the `cur_location` was always set to `0`, at the +beginning of a run, we instead set the value of `cur_location` to `hash(0)`. + +# Parallel Fuzzing +Another sub-optimal aspect of the original design is that no matter how many +instances of the fuzzer you ran in parallel, each instance numbered each block +and so each edge with the same ID. Each instance would therefore find the same +subset of edges collide with each other. In the event of a collision, all +instances will hit the same road block. + +However, if we instead use a different seed for our hashing function for each +instance, then each will ascribe each block a different ID and hence each edge +will be given a different edge ID. This means that whilst one instance of the +fuzzer may find a given pair of edges collide, it is very unlikely that another +instance will find the same pair also collide. + +Due to the collaborative nature of parallel fuzzing, this means that whilst one +instance may struggle to find a particular new path because the new edge +collides, another instance will likely not encounter the same collision and thus +be able to differentiate this new path and share it with the other instances. + +If only a single new edge is found, and the new path is shared with an instance +for which that edge collides, that instance may disregard it as irrelevant. In +practice, however, the discovery of a single new edge, likely leads to several +more edges beneath it also being found and therefore the likelihood of all of +these being collisions is very slim. diff --git a/frida_mode/README.md b/frida_mode/README.md index 024fc140..6cbb4c4c 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -293,6 +293,10 @@ FASAN then adds instrumentation for any instrucutions which use memory operands then calls into the `__asan_loadN` and `__asan_storeN` functions provided by the DSO to validate memory accesses against the shadow memory. +# Collisions +FRIDA mode has also introduced some improvements to reduce collisions in the map. +See [here](MapDensity.md) for details. + ## TODO The next features to be added are Aarch32 support as well as looking at diff --git a/frida_mode/hook/qemu_hook.c b/frida_mode/hook/qemu_hook.c index 5b4f65b1..56e787e3 100644 --- a/frida_mode/hook/qemu_hook.c +++ b/frida_mode/hook/qemu_hook.c @@ -36,6 +36,7 @@ struct x86_64_regs { void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base, uint8_t *input_buf, uint32_t input_buf_len) { + (void)guest_base; /* unused */ memcpy((void *)regs->rdi, input_buf, input_buf_len); regs->rsi = input_buf_len; @@ -75,6 +76,7 @@ struct x86_regs { void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base, uint8_t *input_buf, uint32_t input_buf_len) { + (void)guest_base; /* unused */ void **esp = (void **)regs->esp; void * arg1 = esp[1]; void **arg2 = &esp[2]; @@ -175,6 +177,7 @@ struct arm64_regs { void afl_persistent_hook(struct arm64_regs *regs, uint64_t guest_base, uint8_t *input_buf, uint32_t input_buf_len) { + (void)guest_base; /* unused */ memcpy((void *)regs->x0, input_buf, input_buf_len); regs->x1 = input_buf_len; } diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index 9c8d3a5d..695b46af 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -5,11 +5,12 @@ #include "config.h" -extern char * instrument_debug_filename; -extern gboolean instrument_tracing; -extern gboolean instrument_optimize; -extern gboolean instrument_unique; -extern __thread uint64_t instrument_previous_pc; +extern char * instrument_debug_filename; +extern gboolean instrument_tracing; +extern gboolean instrument_optimize; +extern gboolean instrument_unique; +extern __thread guint64 instrument_previous_pc; +extern guint64 instrument_hash_zero; extern uint8_t *__afl_area_ptr; extern uint32_t __afl_map_size; @@ -33,5 +34,10 @@ void instrument_debug_instruction(uint64_t address, uint16_t size); void instrument_debug_end(GumStalkerOutput *output); void instrument_flush(GumStalkerOutput *output); gpointer instrument_cur(GumStalkerOutput *output); + +void instrument_on_fork(); + +guint64 instrument_get_offset_hash(GumAddress current_rip); + #endif diff --git a/frida_mode/many-linux/Dockerfile b/frida_mode/many-linux/Dockerfile index 1d39c356..2cd56bc8 100644 --- a/frida_mode/many-linux/Dockerfile +++ b/frida_mode/many-linux/Dockerfile @@ -11,7 +11,7 @@ RUN git clone https://github.com/AFLplusplus/AFLplusplus.git WORKDIR /AFLplusplus RUN mkdir -p /AFLplusplus/frida_mode/build/frida/ -RUN curl -L -o /AFLplusplus/frida_mode/build/frida/frida-gumjs-devkit-14.2.18-linux-x86_64.tar.xz "https://github.com/frida/frida/releases/download/14.2.18/frida-gumjs-devkit-14.2.18-linux-x86_64.tar.xz" +RUN curl -L -o /AFLplusplus/frida_mode/build/frida/frida-gumjs-devkit-15.0.0-linux-x86_64.tar.xz "https://github.com/frida/frida/releases/download/15.0.0/frida-gumjs-devkit-15.0.0-linux-x86_64.tar.xz" WORKDIR /AFLplusplus RUN git checkout dev diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index f70e21fc..a0ffd028 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -21,7 +21,7 @@ static void entry_launch(void) { __afl_manual_init(); /* Child here */ - instrument_previous_pc = 0; + instrument_on_fork(); stats_on_fork(); } diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 2d857716..81d14013 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -6,6 +6,7 @@ #include "config.h" #include "debug.h" +#include "hash.h" #include "asan.h" #include "entry.h" @@ -22,10 +23,12 @@ gboolean instrument_tracing = false; gboolean instrument_optimize = false; gboolean instrument_unique = false; +guint64 instrument_hash_zero = 0; +guint64 instrument_hash_seed = 0; static GumStalkerTransformer *transformer = NULL; -__thread uint64_t instrument_previous_pc = 0; +__thread guint64 instrument_previous_pc = 0; static GumAddress previous_rip = 0; static u8 * edges_notified = NULL; @@ -49,21 +52,18 @@ static void trace_debug(char *format, ...) { } -__attribute__((hot)) static void on_basic_block(GumCpuContext *context, - gpointer user_data) { +guint64 instrument_get_offset_hash(GumAddress current_rip) { - UNUSED_PARAMETER(context); + guint64 area_offset = hash64((unsigned char *)¤t_rip, + sizeof(GumAddress), instrument_hash_seed); + return area_offset &= MAP_SIZE - 1; - GumAddress current_rip = GUM_ADDRESS(user_data); - GumAddress current_pc; - GumAddress edge; - uint8_t * cursor; - uint64_t value; +} - current_pc = (current_rip >> 4) ^ (current_rip << 8); - current_pc &= MAP_SIZE - 1; +__attribute__((hot)) static void instrument_increment_map(GumAddress edge) { - edge = current_pc ^ instrument_previous_pc; + uint8_t *cursor; + uint64_t value; cursor = &__afl_area_ptr[edge]; value = *cursor; @@ -79,7 +79,21 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context, } *cursor = value; - instrument_previous_pc = current_pc >> 1; + +} + +__attribute__((hot)) static void on_basic_block(GumCpuContext *context, + gpointer user_data) { + + UNUSED_PARAMETER(context); + + GumAddress current_rip = GUM_ADDRESS(user_data); + guint64 current_pc = instrument_get_offset_hash(current_rip); + guint64 edge; + + edge = current_pc ^ instrument_previous_pc; + + instrument_increment_map(edge); if (unlikely(instrument_tracing)) { @@ -98,6 +112,9 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context, } + instrument_previous_pc = + ((current_pc & (MAP_SIZE - 1) >> 1)) | ((current_pc & 0x1) << 15); + } static void instrument_basic_block(GumStalkerIterator *iterator, @@ -265,6 +282,19 @@ void instrument_init(void) { } + /* + * By using a different seed value for the hash, we can make different + * instances have edge collisions in different places when carrying out + * parallel fuzzing. The seed itself, doesn't have to be random, it just + * needs to be different for each instance. + */ + instrument_hash_seed = + g_get_monotonic_time() ^ (((guint64)getpid()) << 32) ^ gettid(); + + OKF("Instrumentation - seed [0x%016" G_GINT64_MODIFIER "x]", + instrument_hash_seed); + instrument_hash_zero = instrument_get_offset_hash(0); + instrument_debug_init(); asan_init(); cmplog_init(); @@ -278,3 +308,9 @@ GumStalkerTransformer *instrument_get_transformer(void) { } +void instrument_on_fork() { + + instrument_previous_pc = instrument_hash_zero; + +} + diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 17f97c97..cf37e048 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -12,15 +12,15 @@ static GumAddress current_log_impl = GUM_ADDRESS(0); static const guint8 afl_log_code[] = { // __afl_area_ptr[current_pc ^ previous_pc]++; - // previous_pc = current_pc >> 1; + // previous_pc = current_pc ROR 1; 0xE1, 0x0B, 0xBF, 0xA9, // stp x1, x2, [sp, -0x10]! 0xE3, 0x13, 0xBF, 0xA9, // stp x3, x4, [sp, -0x10]! // x0 = current_pc - 0xe1, 0x01, 0x00, 0x58, // ldr x1, #0x3c, =&__afl_area_ptr + 0x21, 0x02, 0x00, 0x58, // ldr x1, #0x44, =&__afl_area_ptr 0x21, 0x00, 0x40, 0xf9, // ldr x1, [x1] (=__afl_area_ptr) - 0xe2, 0x01, 0x00, 0x58, // ldr x2, #0x3c, =&previous_pc + 0x22, 0x02, 0x00, 0x58, // ldr x2, #0x44, =&previous_pc 0x42, 0x00, 0x40, 0xf9, // ldr x2, [x2] (=previous_pc) // __afl_area_ptr[current_pc ^ previous_pc]++; @@ -30,8 +30,11 @@ static const guint8 afl_log_code[] = { 0x63, 0x00, 0x1f, 0x9a, // adc x3, x3, xzr 0x23, 0x68, 0x22, 0xf8, // str x3, [x1, x2] - // previous_pc = current_pc >> 1; - 0xe0, 0x07, 0x40, 0x8b, // add x0, xzr, x0, LSR #1 + // previous_pc = current_pc ROR 1; + 0xe4, 0x07, 0x40, 0x8b, // add x4, xzr, x0, LSR #1 + 0xe0, 0xff, 0x00, 0x8b, // add x0, xzr, x0, LSL #63 + 0x80, 0xc0, 0x40, 0x8b, // add x0, x4, x0, LSR #48 + 0xe2, 0x00, 0x00, 0x58, // ldr x2, #0x1c, =&previous_pc 0x40, 0x00, 0x00, 0xf9, // str x0, [x2] @@ -54,8 +57,7 @@ void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output) { guint64 current_pc = instr->address; - guint64 area_offset = (current_pc >> 4) ^ (current_pc << 8); - area_offset &= MAP_SIZE - 1; + guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); GumArm64Writer *cw = output->writer.arm64; if (current_log_impl == 0 || diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index a2b54369..fec8afbb 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -24,7 +24,7 @@ static const guint8 afl_log_code[] = { 0x80, 0x02, 0x01, /* add byte ptr [rdx], 1 */ 0x80, 0x12, 0x00, /* adc byte ptr [rdx], 0 */ - 0x48, 0xd1, 0xef, /* shr rdi, 1 */ + 0x66, 0xd1, 0xcf, /* ror di, 1 */ 0x48, 0x89, 0x39, /* mov qword [rcx], rdi */ 0x5a, /* pop rdx */ @@ -49,13 +49,9 @@ gboolean instrument_is_coverage_optimize_supported(void) { static guint8 align_pad[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90}; -void instrument_coverage_optimize(const cs_insn * instr, - GumStalkerOutput *output) { +static void instrument_coverate_write_function(GumStalkerOutput *output) { - guint64 current_pc = instr->address; - guint64 area_offset = (current_pc >> 4) ^ (current_pc << 8); - guint64 misalign = 0; - area_offset &= MAP_SIZE - 1; + guint64 misalign = 0; GumX86Writer *cw = output->writer.x86; if (current_log_impl == 0 || @@ -87,6 +83,15 @@ void instrument_coverage_optimize(const cs_insn * instr, } +} + +void instrument_coverage_optimize(const cs_insn * instr, + GumStalkerOutput *output) { + + GumX86Writer *cw = output->writer.x86; + guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); + instrument_coverate_write_function(output); + gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, -GUM_RED_ZONE_SIZE); gum_x86_writer_put_push_reg(cw, GUM_REG_RDI); diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index 3c3dc272..7bf48f96 100644 --- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c @@ -30,7 +30,8 @@ static void instrument_coverage_function(GumX86Writer *cw) { uint8_t adc_byte_ptr_edx_0[] = {0x80, 0x12, 0x00}; gum_x86_writer_put_bytes(cw, adc_byte_ptr_edx_0, sizeof(adc_byte_ptr_edx_0)); - gum_x86_writer_put_shr_reg_u8(cw, GUM_REG_EDI, 1); + uint8_t ror_di_1[] = {0x66, 0xd1, 0xcf}; + gum_x86_writer_put_bytes(cw, ror_di_1, sizeof(ror_di_1)); gum_x86_writer_put_mov_reg_ptr_reg(cw, GUM_REG_ECX, GUM_REG_EDI); gum_x86_writer_put_pop_reg(cw, GUM_REG_EDX); @@ -46,15 +47,8 @@ gboolean instrument_is_coverage_optimize_supported(void) { } -void instrument_coverage_optimize(const cs_insn * instr, - GumStalkerOutput *output) { - - UNUSED_PARAMETER(instr); - UNUSED_PARAMETER(output); +static void instrument_coverate_write_function(GumStalkerOutput *output) { - guint64 current_pc = instr->address; - guint64 area_offset = (current_pc >> 4) ^ (current_pc << 8); - area_offset &= MAP_SIZE - 1; GumX86Writer *cw = output->writer.x86; if (current_log_impl == 0 || @@ -73,7 +67,15 @@ void instrument_coverage_optimize(const cs_insn * instr, } - // gum_x86_writer_put_breakpoint(cw); +} + +void instrument_coverage_optimize(const cs_insn * instr, + GumStalkerOutput *output) { + + GumX86Writer *cw = output->writer.x86; + guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); + instrument_coverate_write_function(output); + gum_x86_writer_put_push_reg(cw, GUM_REG_EDI); gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EDI, area_offset); gum_x86_writer_put_call_address(cw, current_log_impl); diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c index 4ab7b283..3cd61cd5 100644 --- a/frida_mode/src/persistent/persistent_arm64.c +++ b/frida_mode/src/persistent/persistent_arm64.c @@ -237,7 +237,7 @@ static void instrument_exit(GumArm64Writer *cw) { static int instrument_afl_persistent_loop_func(void) { int ret = __afl_persistent_loop(persistent_count); - instrument_previous_pc = 0; + instrument_previous_pc = instrument_hash_zero; return ret; } diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c index ce3017e4..c0bd9a09 100644 --- a/frida_mode/src/persistent/persistent_x64.c +++ b/frida_mode/src/persistent/persistent_x64.c @@ -174,7 +174,7 @@ static void instrument_exit(GumX86Writer *cw) { static int instrument_afl_persistent_loop_func(void) { int ret = __afl_persistent_loop(persistent_count); - instrument_previous_pc = 0; + instrument_previous_pc = instrument_hash_zero; return ret; } diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c index cc1f1a4f..b911676a 100644 --- a/frida_mode/src/persistent/persistent_x86.c +++ b/frida_mode/src/persistent/persistent_x86.c @@ -130,7 +130,7 @@ static void instrument_exit(GumX86Writer *cw) { static int instrument_afl_persistent_loop_func(void) { int ret = __afl_persistent_loop(persistent_count); - instrument_previous_pc = 0; + instrument_previous_pc = instrument_hash_zero; return ret; } diff --git a/frida_mode/util/get_symbol_addr.sh b/frida_mode/util/get_symbol_addr.sh index 7f9b7d22..f5d8df91 100755 --- a/frida_mode/util/get_symbol_addr.sh +++ b/frida_mode/util/get_symbol_addr.sh @@ -26,7 +26,7 @@ file "$target" | grep -q executable && { exit 0 } -hex_base=$(echo "$3" | awk '{sub("^0x","");print $0}') +hex_base=$(echo "$3" | awk '{sub("^0x","");print $0}' | tr a-f A-F ) nm "$target" | grep -i "T $symbol" | awk '{print$1}' | tr a-f A-F | \ xargs echo "ibase=16;obase=10;$hex_base + " | bc | tr A-F a-f | awk '{print "0x"$0}' exit 0 -- cgit 1.4.1 From 9e8afcc6156fbcc7b0ed41cde1a5873989b65063 Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Thu, 15 Jul 2021 19:32:44 +0100 Subject: Support for setting a fixed seed for the hash function (#1026) Co-authored-by: Your Name --- frida_mode/README.md | 3 +++ frida_mode/frida.map | 1 + frida_mode/include/instrument.h | 3 +++ frida_mode/src/instrument/instrument.c | 38 ++++++++++++++++++++++++++-------- frida_mode/src/js/api.js | 7 +++++++ frida_mode/src/js/js.c | 11 +++------- frida_mode/src/js/js_api.c | 8 +++++++ frida_mode/ts/lib/afl.ts | 12 +++++++++++ include/envs.h | 1 + 9 files changed, 67 insertions(+), 17 deletions(-) (limited to 'frida_mode/include') diff --git a/frida_mode/README.md b/frida_mode/README.md index 6cbb4c4c..3009e171 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -162,6 +162,9 @@ instrumentation (the default where available). Required to use * `AFL_FRIDA_INST_NO_PREFETCH` - Disable prefetching. By default the child will report instrumented blocks back to the parent so that it can also instrument them and they be inherited by the next child on fork. +* `AFL_FRIDA_INST_SEED` - Sets the initial seed for the hash function used to +generate block (and hence edge) IDs. Setting this to a constant value may be +useful for debugging purposes, e.g. investigating unstable edges. * `AFL_FRIDA_INST_TRACE` - Log to stdout the address of executed blocks, implies `AFL_FRIDA_INST_NO_OPTIMIZE`. * `AFL_FRIDA_INST_TRACE_UNIQUE` - As per `AFL_FRIDA_INST_TRACE`, but each edge diff --git a/frida_mode/frida.map b/frida_mode/frida.map index 8fc0b174..7223d50e 100644 --- a/frida_mode/frida.map +++ b/frida_mode/frida.map @@ -14,6 +14,7 @@ js_api_set_instrument_jit; js_api_set_instrument_libraries; js_api_set_instrument_no_optimize; + js_api_set_instrument_seed; js_api_set_instrument_trace; js_api_set_instrument_trace_unique; js_api_set_persistent_address; diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index 695b46af..29f14da9 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -12,6 +12,9 @@ extern gboolean instrument_unique; extern __thread guint64 instrument_previous_pc; extern guint64 instrument_hash_zero; +extern gboolean instrument_use_fixed_seed; +extern guint64 instrument_fixed_seed; + extern uint8_t *__afl_area_ptr; extern uint32_t __afl_map_size; diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index e1dabf92..67aafa5a 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -27,6 +27,9 @@ gboolean instrument_unique = false; guint64 instrument_hash_zero = 0; guint64 instrument_hash_seed = 0; +gboolean instrument_use_fixed_seed = FALSE; +guint64 instrument_fixed_seed = 0; + static GumStalkerTransformer *transformer = NULL; __thread guint64 instrument_previous_pc = 0; @@ -221,6 +224,8 @@ void instrument_config(void) { instrument_optimize = (getenv("AFL_FRIDA_INST_NO_OPTIMIZE") == NULL); instrument_tracing = (getenv("AFL_FRIDA_INST_TRACE") != NULL); instrument_unique = (getenv("AFL_FRIDA_INST_TRACE_UNIQUE") != NULL); + instrument_use_fixed_seed = (getenv("AFL_FRIDA_INST_SEED") != NULL); + instrument_fixed_seed = util_read_num("AFL_FRIDA_INST_SEED"); instrument_debug_config(); asan_config(); @@ -235,6 +240,8 @@ void instrument_init(void) { OKF("Instrumentation - optimize [%c]", instrument_optimize ? 'X' : ' '); OKF("Instrumentation - tracing [%c]", instrument_tracing ? 'X' : ' '); OKF("Instrumentation - unique [%c]", instrument_unique ? 'X' : ' '); + OKF("Instrumentation - fixed seed [%c] [0x%016" G_GINT64_MODIFIER "x]", + instrument_use_fixed_seed ? 'X' : ' ', instrument_fixed_seed); if (instrument_tracing && instrument_optimize) { @@ -270,7 +277,8 @@ void instrument_init(void) { g_assert(edges_notified != MAP_FAILED); /* - * Configure the shared memory region to be removed once the process dies. + * Configure the shared memory region to be removed once the process + * dies. */ if (shmctl(shm_id, IPC_RMID, NULL) < 0) { @@ -283,14 +291,26 @@ void instrument_init(void) { } - /* - * By using a different seed value for the hash, we can make different - * instances have edge collisions in different places when carrying out - * parallel fuzzing. The seed itself, doesn't have to be random, it just - * needs to be different for each instance. - */ - instrument_hash_seed = - g_get_monotonic_time() ^ (((guint64)getpid()) << 32) ^ syscall(SYS_gettid); + if (instrument_use_fixed_seed) { + + /* + * This configuration option may be useful for diagnostics or + * debugging. + */ + instrument_hash_seed = instrument_fixed_seed; + + } else { + + /* + * By using a different seed value for the hash, we can make different + * instances have edge collisions in different places when carrying out + * parallel fuzzing. The seed itself, doesn't have to be random, it + * just needs to be different for each instance. + */ + instrument_hash_seed = g_get_monotonic_time() ^ + (((guint64)getpid()) << 32) ^ syscall(SYS_gettid); + + } OKF("Instrumentation - seed [0x%016" G_GINT64_MODIFIER "x]", instrument_hash_seed); diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js index 1d843024..b8f2d39a 100644 --- a/frida_mode/src/js/api.js +++ b/frida_mode/src/js/api.js @@ -117,6 +117,12 @@ class Afl { static setInstrumentNoOptimize() { Afl.jsApiSetInstrumentNoOptimize(); } + /* + * See `AFL_FRIDA_INST_SEED` + */ + static setInstrumentSeed(seed) { + Afl.jsApiSetInstrumentSeed(seed); + } /** * See `AFL_FRIDA_INST_TRACE_UNIQUE`. */ @@ -231,6 +237,7 @@ Afl.jsApiSetInstrumentDebugFile = Afl.jsApiGetFunction("js_api_set_instrument_de Afl.jsApiSetInstrumentJit = Afl.jsApiGetFunction("js_api_set_instrument_jit", "void", []); Afl.jsApiSetInstrumentLibraries = Afl.jsApiGetFunction("js_api_set_instrument_libraries", "void", []); Afl.jsApiSetInstrumentNoOptimize = Afl.jsApiGetFunction("js_api_set_instrument_no_optimize", "void", []); +Afl.jsApiSetInstrumentSeed = Afl.jsApiGetFunction("js_api_set_instrument_seed", "void", ["uint64"]); Afl.jsApiSetInstrumentTrace = Afl.jsApiGetFunction("js_api_set_instrument_trace", "void", []); Afl.jsApiSetInstrumentTraceUnique = Afl.jsApiGetFunction("js_api_set_instrument_trace_unique", "void", []); Afl.jsApiSetPersistentAddress = Afl.jsApiGetFunction("js_api_set_persistent_address", "void", ["pointer"]); diff --git a/frida_mode/src/js/js.c b/frida_mode/src/js/js.c index 86ae6d29..e3cd4933 100644 --- a/frida_mode/src/js/js.c +++ b/frida_mode/src/js/js.c @@ -89,10 +89,7 @@ static void load_cb(GObject *source_object, GAsyncResult *result, UNUSED_PARAMETER(source_object); UNUSED_PARAMETER(user_data); gum_script_load_finish(script, result); - if (error != NULL) - { - FATAL("Failed to load script - %s", error->message); - } + if (error != NULL) { FATAL("Failed to load script - %s", error->message); } } @@ -102,10 +99,7 @@ static void create_cb(GObject *source_object, GAsyncResult *result, UNUSED_PARAMETER(source_object); UNUSED_PARAMETER(user_data); script = gum_script_backend_create_finish(backend, result, &error); - if (error != NULL) - { - FATAL("Failed to create script: %s", error->message); - } + if (error != NULL) { FATAL("Failed to create script: %s", error->message); } gum_script_set_message_handler(script, js_msg, NULL, NULL); @@ -145,3 +139,4 @@ gboolean js_stalker_callback(const cs_insn *insn, gboolean begin, return js_user_callback(insn, begin, excluded, output); } + diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index fd8128c5..930a6dc0 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -127,6 +127,14 @@ __attribute__((visibility("default"))) void js_api_set_instrument_no_optimize( } +__attribute__((visibility("default"))) void js_api_set_instrument_seed( + guint64 seed) { + + instrument_use_fixed_seed = TRUE; + instrument_fixed_seed = seed; + +} + __attribute__((visibility("default"))) void js_api_set_instrument_trace(void) { instrument_tracing = TRUE; diff --git a/frida_mode/ts/lib/afl.ts b/frida_mode/ts/lib/afl.ts index 67e21beb..6326c099 100644 --- a/frida_mode/ts/lib/afl.ts +++ b/frida_mode/ts/lib/afl.ts @@ -140,6 +140,13 @@ class Afl { Afl.jsApiSetInstrumentNoOptimize(); } + /* + * See `AFL_FRIDA_INST_SEED` + */ + public static setInstrumentSeed(seed: NativePointer): void { + Afl.jsApiSetInstrumentSeed(seed); + } + /** * See `AFL_FRIDA_INST_TRACE_UNIQUE`. */ @@ -295,6 +302,11 @@ class Afl { "void", []); + private static readonly jsApiSetInstrumentSeed = Afl.jsApiGetFunction( + "js_api_set_instrument_seed", + "void", + ["uint64"]); + private static readonly jsApiSetInstrumentTrace = Afl.jsApiGetFunction( "js_api_set_instrument_trace", "void", diff --git a/include/envs.h b/include/envs.h index 4bab54ce..26cc250f 100644 --- a/include/envs.h +++ b/include/envs.h @@ -60,6 +60,7 @@ static char *afl_environment_variables[] = { "AFL_FRIDA_INST_NO_OPTIMIZE", "AFL_FRIDA_INST_NO_PREFETCH", "AFL_FRIDA_INST_RANGES", + "AFL_FRIDA_INST_SEED", "AFL_FRIDA_INST_TRACE", "AFL_FRIDA_INST_TRACE_UNIQUE", "AFL_FRIDA_JS_SCRIPT", -- cgit 1.4.1