From f68b9f5110f75068b65be35bd73d458f048f3fa1 Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Sat, 23 Oct 2021 20:09:36 +0100 Subject: frida mode display command line on mac --- frida_mode/src/main.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'frida_mode/src/main.c') diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index c0de9c6b..c8183d8f 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -6,6 +6,7 @@ #ifdef __APPLE__ #include #include + #include #else #include #include @@ -90,6 +91,7 @@ static void embedded_init(void) { static void afl_print_cmdline(void) { +#if defined(__linux__) char * buffer = g_malloc0(PROC_MAX); gchar *fname = g_strdup_printf("/proc/%d/cmdline", getppid()); int fd = open(fname, O_RDONLY); @@ -123,6 +125,17 @@ static void afl_print_cmdline(void) { close(fd); g_free(fname); g_free(buffer); +#elif defined(__APPLE__) + int idx; + char **argv = *_NSGetArgv(); + int nargv = *_NSGetArgc(); + + for (idx = 0; idx < nargv; idx ++) { + + OKF("AFL - COMMANDLINE: argv[%d] = %s", idx, argv[idx]); + + } +#endif } -- cgit 1.4.1 From 6ce3d7fede6b32b522b6cc4403f7c0101cf4a4bc Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 4 Nov 2021 15:53:17 +0100 Subject: add AFL_USE_TSAN --- TODO.md | 1 + docs/Changelog.md | 2 + docs/fuzzing_expert.md | 2 + frida_mode/src/instrument/instrument.c | 4 +- frida_mode/src/instrument/instrument_arm32.c | 2 + frida_mode/src/instrument/instrument_arm64.c | 1 + frida_mode/src/instrument/instrument_x64.c | 54 ++++++++++++++------------ frida_mode/src/instrument/instrument_x86.c | 1 + frida_mode/src/main.c | 7 ++-- frida_mode/src/prefetch.c | 6 +-- frida_mode/src/seccomp/seccomp_callback.c | 32 ++++++++------- frida_mode/src/seccomp/seccomp_filter.c | 6 +-- include/envs.h | 1 + instrumentation/SanitizerCoverageLTO.so.cc | 3 +- instrumentation/SanitizerCoveragePCGUARD.so.cc | 3 +- instrumentation/afl-llvm-pass.so.cc | 3 +- qemu_mode/libcompcov/libcompcov.so.c | 25 +++++++++--- src/afl-as.c | 1 + src/afl-cc.c | 9 +++++ utils/aflpp_driver/aflpp_qemu_driver.c | 2 +- 20 files changed, 106 insertions(+), 59 deletions(-) (limited to 'frida_mode/src/main.c') diff --git a/TODO.md b/TODO.md index 1d4270b4..30676312 100644 --- a/TODO.md +++ b/TODO.md @@ -2,6 +2,7 @@ ## TODO + - AFL_USE_TSAN to docs/env_variables.md after work over - screen update during input2stage - better autodetection of shifting runtime timeout values - Update afl->pending_not_fuzzed for MOpt diff --git a/docs/Changelog.md b/docs/Changelog.md index 04b2fb2e..cfeb8cc1 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -26,7 +26,9 @@ sending a mail to . - Prevent accidently killing non-afl/fuzz services when aborting afl-showmap and other tools. - afl-cc: + - support llvm IR select instrumentation for default PCGUARD and LTO - fix for shared linking on MacOS + - added AFL_USE_TSAN thread sanitizer support - llvm and LTO mode modified to work with new llvm 14-dev (again) - added the very good grammar mutator "GramaTron" to the custom_mutators diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md index 96193f88..44ebade4 100644 --- a/docs/fuzzing_expert.md +++ b/docs/fuzzing_expert.md @@ -149,6 +149,8 @@ The following sanitizers have built-in support in AFL++: vulnerabilities - which is however one of the most important and dangerous C++ memory corruption classes! Enabled with `export AFL_USE_CFISAN=1` before compiling. + * TSAN = Thread SANitizer, finds thread race conditions. + Enabled with `export AFL_USE_TSAN=1` before compiling. * LSAN = Leak SANitizer, finds memory leaks in a program. This is not really a security issue, but for developers this can be very valuable. Note that unlike the other sanitizers above this needs diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 81d85aa1..eeebe545 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -347,8 +347,8 @@ void instrument_init(void) { #else tid = syscall(SYS_gettid); #endif - instrument_hash_seed = g_get_monotonic_time() ^ - (((guint64)getpid()) << 32) ^ tid; + instrument_hash_seed = + g_get_monotonic_time() ^ (((guint64)getpid()) << 32) ^ tid; } diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index 4b0a648e..395d56c1 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -23,7 +23,9 @@ void instrument_coverage_optimize(const cs_insn * instr, } void instrument_coverage_optimize_init(void) { + WARNF("Optimized coverage not supported on this architecture"); + } void instrument_flush(GumStalkerOutput *output) { diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 80d1d845..358e8e6b 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -96,6 +96,7 @@ void instrument_coverage_optimize(const cs_insn * instr, } void instrument_coverage_optimize_init(void) { + } void instrument_flush(GumStalkerOutput *output) { diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index a7eb650a..19ec81b2 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -4,12 +4,12 @@ #include #if defined(__linux__) -#if !defined(__ANDROID__) -#include -#include -#else -#include -#endif + #if !defined(__ANDROID__) + #include + #include + #else + #include + #endif #endif #include "frida-gumjs.h" @@ -22,13 +22,13 @@ #if defined(__x86_64__) -#ifndef MAP_FIXED_NOREPLACE - #ifdef MAP_EXCL - #define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED - #else - #define MAP_FIXED_NOREPLACE MAP_FIXED + #ifndef MAP_FIXED_NOREPLACE + #ifdef MAP_EXCL + #define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED + #else + #define MAP_FIXED_NOREPLACE MAP_FIXED + #endif #endif -#endif gboolean instrument_is_coverage_optimize_supported(void) { @@ -53,15 +53,12 @@ typedef struct { // 0x7ffff6cfb08b: pushf // 0x7ffff6cfb08c: push rsi // 0x7ffff6cfb08d: mov rsi,0x228 - // 0x7ffff6cfb094: xchg QWORD PTR [rip+0x3136a5],rsi # 0x7ffff700e740 - // 0x7ffff6cfb09b: xor rsi,0x451 - // 0x7ffff6cfb0a2: add BYTE PTR [rsi+0x10000],0x1 - // 0x7ffff6cfb0a9: adc BYTE PTR [rsi+0x10000],0x0 - // 0x7ffff6cfb0b0: pop rsi - // 0x7ffff6cfb0b1: popf + // 0x7ffff6cfb094: xchg QWORD PTR [rip+0x3136a5],rsi # + // 0x7ffff700e740 0x7ffff6cfb09b: xor rsi,0x451 0x7ffff6cfb0a2: add + // BYTE PTR [rsi+0x10000],0x1 0x7ffff6cfb0a9: adc BYTE PTR + // [rsi+0x10000],0x0 0x7ffff6cfb0b0: pop rsi 0x7ffff6cfb0b1: popf // 0x7ffff6cfb0b2: lea rsp,[rsp+0x80] - uint8_t lea_rsp_rsp_sub_rz[5]; uint8_t push_fq; uint8_t push_rsi; @@ -160,16 +157,25 @@ static void instrument_coverage_optimize_map_mmap(char * shm_file_path, __afl_area_ptr = NULL; -#if !defined(__ANDROID__) + #if !defined(__ANDROID__) shm_fd = shm_open(shm_file_path, O_RDWR, DEFAULT_PERMISSION); if (shm_fd == -1) { FATAL("shm_open() failed\n"); } -#else + #else shm_fd = open("/dev/ashmem", O_RDWR); if (shm_fd == -1) { FATAL("open() failed\n"); } - if (ioctl(shm_fd, ASHMEM_SET_NAME, shm_file_path) == -1) { FATAL("ioctl(ASHMEM_SET_NAME) failed"); } - if (ioctl(shm_fd, ASHMEM_SET_SIZE, __afl_map_size) == -1) { FATAL("ioctl(ASHMEM_SET_SIZE) failed"); } + if (ioctl(shm_fd, ASHMEM_SET_NAME, shm_file_path) == -1) { -#endif + FATAL("ioctl(ASHMEM_SET_NAME) failed"); + + } + + if (ioctl(shm_fd, ASHMEM_SET_SIZE, __afl_map_size) == -1) { + + FATAL("ioctl(ASHMEM_SET_SIZE) failed"); + + } + + #endif __afl_area_ptr = mmap(address, __afl_map_size, PROT_READ | PROT_WRITE, MAP_FIXED_NOREPLACE | MAP_SHARED, shm_fd, 0); diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index 1ff5c920..f90c01c2 100644 --- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c @@ -84,6 +84,7 @@ void instrument_coverage_optimize(const cs_insn * instr, } void instrument_coverage_optimize_init(void) { + } void instrument_flush(GumStalkerOutput *output) { diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index c8183d8f..3599143b 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -126,15 +126,16 @@ static void afl_print_cmdline(void) { g_free(fname); g_free(buffer); #elif defined(__APPLE__) - int idx; + int idx; char **argv = *_NSGetArgv(); - int nargv = *_NSGetArgc(); + int nargv = *_NSGetArgc(); - for (idx = 0; idx < nargv; idx ++) { + for (idx = 0; idx < nargv; idx++) { OKF("AFL - COMMANDLINE: argv[%d] = %s", idx, argv[idx]); } + #endif } diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c index c30ca65c..1ddbd5ed 100644 --- a/frida_mode/src/prefetch.c +++ b/frida_mode/src/prefetch.c @@ -44,8 +44,8 @@ static void gum_afl_stalker_backpatcher_notify(GumStalkerObserver *self, sizeof(prefetch_data->backpatch_data) - prefetch_data->backpatch_size; if (sizeof(gsize) + size > remaining) { return; } - gsize *dst_backpatch_size = (gsize *) - &prefetch_data->backpatch_data[prefetch_data->backpatch_size]; + gsize *dst_backpatch_size = + (gsize *)&prefetch_data->backpatch_data[prefetch_data->backpatch_size]; *dst_backpatch_size = size; prefetch_data->backpatch_size += sizeof(gsize); @@ -117,7 +117,7 @@ static void prefetch_read_patches(void) { remaining = prefetch_data->backpatch_size - offset) { gsize *src_backpatch_data = (gsize *)&prefetch_data->backpatch_data[offset]; - gsize size = *src_backpatch_data; + gsize size = *src_backpatch_data; offset += sizeof(gsize); if (prefetch_data->backpatch_size - offset < size) { diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c index 4232d842..ac0fb8bb 100644 --- a/frida_mode/src/seccomp/seccomp_callback.c +++ b/frida_mode/src/seccomp/seccomp_callback.c @@ -1,8 +1,8 @@ #if defined(__linux__) && !defined(__ANDROID__) -#if !defined(__MUSL__) - #include -#endif + #if !defined(__MUSL__) + #include + #endif #include #include "seccomp.h" @@ -16,12 +16,13 @@ static void seccomp_callback_filter(struct seccomp_notif * req, GumDebugSymbolDetails details = {0}; if (req->data.nr == SYS_OPENAT) { -#if UINTPTR_MAX == 0xffffffffffffffffu + #if UINTPTR_MAX == 0xffffffffffffffffu seccomp_print("SYS_OPENAT: (%s)\n", (char *)req->data.args[1]); -#endif -#if UINTPTR_MAX == 0xffffffff + #endif + #if UINTPTR_MAX == 0xffffffff seccomp_print("SYS_OPENAT: (%s)\n", (char *)(__u32)req->data.args[1]); -#endif + #endif + } seccomp_print( @@ -31,7 +32,7 @@ static void seccomp_callback_filter(struct seccomp_notif * req, req->data.args[0], req->data.args[1], req->data.args[2], req->data.args[3], req->data.args[4], req->data.args[5]); -#if !defined(__MUSL__) + #if !defined(__MUSL__) seccomp_print("FRAMES: (%u)\n", frames->len); char **syms = backtrace_symbols(frames->items, frames->len); if (syms == NULL) { FATAL("Failed to get symbols"); } @@ -52,23 +53,24 @@ static void seccomp_callback_filter(struct seccomp_notif * req, } free(syms); -#else + #else void **syms = (void **)__builtin_frame_address(0); - void *framep = __builtin_frame_address(1); - int i = 0; + void * framep = __builtin_frame_address(1); + int i = 0; syms = framep; while (syms) { - - framep = *syms; + + framep = *syms; syms = framep; if (!syms) break; - seccomp_print("\%3d. %s\n", i ++, (char *)framep); + seccomp_print("\%3d. %s\n", i++, (char *)framep); } -#endif + + #endif resp->error = 0; resp->val = 0; diff --git a/frida_mode/src/seccomp/seccomp_filter.c b/frida_mode/src/seccomp/seccomp_filter.c index 7ee5ead1..0dcc4cbb 100644 --- a/frida_mode/src/seccomp/seccomp_filter.c +++ b/frida_mode/src/seccomp/seccomp_filter.c @@ -2,9 +2,9 @@ #include #include -#if !defined(__MUSL__) - #include -#endif + #if !defined(__MUSL__) + #include + #endif #include #include #include diff --git a/include/envs.h b/include/envs.h index 61267a0d..25d05539 100644 --- a/include/envs.h +++ b/include/envs.h @@ -203,6 +203,7 @@ static char *afl_environment_variables[] = { "AFL_USE_MSAN", "AFL_USE_TRACE_PC", "AFL_USE_UBSAN", + "AFL_USE_TSAN", "AFL_USE_CFISAN", "AFL_USE_LSAN", "AFL_WINE_PATH", diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index ee8c317e..4e25221a 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -1142,10 +1142,11 @@ bool ModuleSanitizerCoverage::instrumentModule( else { char modeline[100]; - snprintf(modeline, sizeof(modeline), "%s%s%s%s%s", + snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s", getenv("AFL_HARDEN") ? "hardened" : "non-hardened", getenv("AFL_USE_ASAN") ? ", ASAN" : "", getenv("AFL_USE_MSAN") ? ", MSAN" : "", + getenv("AFL_USE_TSAN") ? ", TSAN" : "", getenv("AFL_USE_CFISAN") ? ", CFISAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); OKF("Instrumented %u locations (%u selects) without collisions (%llu " diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index be3f4f49..76bb2448 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -547,10 +547,11 @@ bool ModuleSanitizerCoverage::instrumentModule( else { char modeline[100]; - snprintf(modeline, sizeof(modeline), "%s%s%s%s%s", + snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s", getenv("AFL_HARDEN") ? "hardened" : "non-hardened", getenv("AFL_USE_ASAN") ? ", ASAN" : "", getenv("AFL_USE_MSAN") ? ", MSAN" : "", + getenv("AFL_USE_TSAN") ? ", TSAN" : "", getenv("AFL_USE_CFISAN") ? ", CFISAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); OKF("Instrumented %u locations with no collisions (%s mode) of which are " diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index ecf28f31..9b7e625e 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -956,11 +956,12 @@ bool AFLCoverage::runOnModule(Module &M) { else { char modeline[100]; - snprintf(modeline, sizeof(modeline), "%s%s%s%s%s", + snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s", getenv("AFL_HARDEN") ? "hardened" : "non-hardened", getenv("AFL_USE_ASAN") ? ", ASAN" : "", getenv("AFL_USE_MSAN") ? ", MSAN" : "", getenv("AFL_USE_CFISAN") ? ", CFISAN" : "", + getenv("AFL_USE_TSAN") ? ", TSAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); OKF("Instrumented %d locations (%s mode, ratio %u%%).", inst_blocks, modeline, inst_ratio); diff --git a/qemu_mode/libcompcov/libcompcov.so.c b/qemu_mode/libcompcov/libcompcov.so.c index 24867cda..eba3d80a 100644 --- a/qemu_mode/libcompcov/libcompcov.so.c +++ b/qemu_mode/libcompcov/libcompcov.so.c @@ -42,10 +42,10 @@ #endif /* !__linux__ */ #ifndef likely -# define likely(x) __builtin_expect((!!(x)),1) + #define likely(x) __builtin_expect((!!(x)), 1) #endif #ifndef unlikely -# define unlikely(x) __builtin_expect((!!(x)),0) + #define unlikely(x) __builtin_expect((!!(x)), 0) #endif /* Change this value to tune the compare coverage */ @@ -235,7 +235,12 @@ int strcmp(const char *str1, const char *str2) { int strncmp(const char *str1, const char *str2, size_t len) { - if (unlikely(!__libc_strncmp)) { __libc_strncmp = dlsym(RTLD_NEXT, "strncmp"); } + if (unlikely(!__libc_strncmp)) { + + __libc_strncmp = dlsym(RTLD_NEXT, "strncmp"); + + } + void *retaddr = __builtin_return_address(0); if (__compcov_is_in_bound(retaddr) && @@ -265,7 +270,12 @@ int strncmp(const char *str1, const char *str2, size_t len) { int strcasecmp(const char *str1, const char *str2) { - if (unlikely(!__libc_strcasecmp)) { __libc_strncasecmp = dlsym(RTLD_NEXT, "strcasecmp"); } + if (unlikely(!__libc_strcasecmp)) { + + __libc_strncasecmp = dlsym(RTLD_NEXT, "strcasecmp"); + + } + void *retaddr = __builtin_return_address(0); if (__compcov_is_in_bound(retaddr) && @@ -296,7 +306,12 @@ int strcasecmp(const char *str1, const char *str2) { int strncasecmp(const char *str1, const char *str2, size_t len) { - if (unlikely(!__libc_strncasecmp)) { __libc_strncasecmp = dlsym(RTLD_NEXT, "strncasecmp"); } + if (unlikely(!__libc_strncasecmp)) { + + __libc_strncasecmp = dlsym(RTLD_NEXT, "strncasecmp"); + + } + void *retaddr = __builtin_return_address(0); if (__compcov_is_in_bound(retaddr) && diff --git a/src/afl-as.c b/src/afl-as.c index 7119d630..774340ac 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -521,6 +521,7 @@ static void add_instrumentation(void) { getenv("AFL_HARDEN") ? "hardened" : "non-hardened", getenv("AFL_USE_ASAN") ? ", ASAN" : "", getenv("AFL_USE_MSAN") ? ", MSAN" : "", + getenv("AFL_USE_TSAN") ? ", TSAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : "", getenv("AFL_USE_LSAN") ? ", LSAN" : ""); diff --git a/src/afl-cc.c b/src/afl-cc.c index e7f08aac..3837459b 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -857,6 +857,14 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-fsanitize=undefined"; cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error"; cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all"; + cc_params[cc_par_cnt++] = "-fno-omit-frame-pointer"; + + } + + if (getenv("AFL_USE_TSAN")) { + + cc_params[cc_par_cnt++] = "-fsanitize=thread"; + cc_params[cc_par_cnt++] = "-fno-omit-frame-pointer"; } @@ -1814,6 +1822,7 @@ int main(int argc, char **argv, char **envp) { " AFL_USE_CFISAN: activate control flow sanitizer\n" " AFL_USE_MSAN: activate memory sanitizer\n" " AFL_USE_UBSAN: activate undefined behaviour sanitizer\n" + " AFL_USE_TSAN: activate thread sanitizer\n" " AFL_USE_LSAN: activate leak-checker sanitizer\n"); if (have_gcc_plugin) diff --git a/utils/aflpp_driver/aflpp_qemu_driver.c b/utils/aflpp_driver/aflpp_qemu_driver.c index 99a4c9a8..e47df1e6 100644 --- a/utils/aflpp_driver/aflpp_qemu_driver.c +++ b/utils/aflpp_driver/aflpp_qemu_driver.c @@ -22,7 +22,7 @@ int main(int argc, char **argv) { if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv); // Do any other expensive one-time initialization here. - if (getenv("AFL_QEMU_DRIVER_NO_HOOK")) { + if (getenv("AFL_QEMU_DRIVER_NO_HOOK") || getenv("AFL_FRIDA_DRIVER_NO_HOOK")) { afl_qemu_driver_stdin_input(); -- cgit 1.4.1 From 02e8919cbc744064510f6cd99539f7662343073f Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 9 Nov 2021 18:29:25 +0000 Subject: Suppress spurious output --- frida_mode/include/util.h | 28 ++++++- frida_mode/src/asan/asan.c | 7 +- frida_mode/src/asan/asan_arm32.c | 6 +- frida_mode/src/asan/asan_arm64.c | 4 +- frida_mode/src/asan/asan_x64.c | 4 +- frida_mode/src/asan/asan_x86.c | 4 +- frida_mode/src/cmplog/cmplog.c | 22 +++-- frida_mode/src/cmplog/cmplog_arm32.c | 4 +- frida_mode/src/cmplog/cmplog_arm64.c | 6 +- frida_mode/src/cmplog/cmplog_x64.c | 6 +- frida_mode/src/cmplog/cmplog_x86.c | 8 +- frida_mode/src/ctx/ctx_arm32.c | 4 +- frida_mode/src/ctx/ctx_arm64.c | 12 ++- frida_mode/src/ctx/ctx_x64.c | 5 +- frida_mode/src/ctx/ctx_x86.c | 4 +- frida_mode/src/entry.c | 16 ++-- frida_mode/src/instrument/instrument.c | 21 +++-- frida_mode/src/instrument/instrument_arm32.c | 6 +- frida_mode/src/instrument/instrument_arm64.c | 1 - frida_mode/src/instrument/instrument_coverage.c | 66 +++++++-------- frida_mode/src/instrument/instrument_debug.c | 12 ++- frida_mode/src/instrument/instrument_x64.c | 17 ++-- frida_mode/src/instrument/instrument_x86.c | 2 - frida_mode/src/intercept.c | 5 +- frida_mode/src/js/js.c | 18 ++-- frida_mode/src/js/js_api.c | 3 +- frida_mode/src/lib/lib.c | 55 ++++++------ frida_mode/src/lib/lib_apple.c | 20 ++--- frida_mode/src/main.c | 21 +++-- frida_mode/src/output.c | 13 ++- frida_mode/src/persistent/persistent.c | 33 ++++---- frida_mode/src/persistent/persistent_arm32.c | 6 +- frida_mode/src/persistent/persistent_arm64.c | 3 +- frida_mode/src/persistent/persistent_x64.c | 3 +- frida_mode/src/persistent/persistent_x86.c | 3 +- frida_mode/src/prefetch.c | 14 ++-- frida_mode/src/ranges.c | 107 ++++++++++++------------ frida_mode/src/seccomp/seccomp.c | 8 +- frida_mode/src/seccomp/seccomp_atomic.c | 4 +- frida_mode/src/seccomp/seccomp_callback.c | 23 +++-- frida_mode/src/seccomp/seccomp_child.c | 7 +- frida_mode/src/seccomp/seccomp_event.c | 11 ++- frida_mode/src/seccomp/seccomp_filter.c | 24 +++--- frida_mode/src/seccomp/seccomp_socket.c | 23 +++-- frida_mode/src/seccomp/seccomp_syscall.c | 7 +- frida_mode/src/stalker.c | 15 ++-- frida_mode/src/stats/stats.c | 15 ++-- frida_mode/src/stats/stats_arm32.c | 8 +- frida_mode/src/stats/stats_arm64.c | 6 +- frida_mode/src/stats/stats_x86_64.c | 16 ++-- frida_mode/src/util.c | 18 +++- 51 files changed, 367 insertions(+), 387 deletions(-) (limited to 'frida_mode/src/main.c') diff --git a/frida_mode/include/util.h b/frida_mode/include/util.h index 525e9d40..77fbda94 100644 --- a/frida_mode/include/util.h +++ b/frida_mode/include/util.h @@ -3,12 +3,38 @@ #include "frida-gumjs.h" +#include "debug.h" + #define UNUSED_PARAMETER(x) (void)(x) #define IGNORED_RETURN(x) (void)!(x) guint64 util_read_address(char *key); -guint64 util_read_num(char *key); +guint64 util_read_num(char *key); +gboolean util_output_enabled(void); + +#define FOKF(x...) \ + do { \ + \ + if (!util_output_enabled()) { break; } \ + \ + OKF(x); \ + \ + } while (0) + +#define FWARNF(x...) \ + do { \ + \ + WARNF(x); \ + \ + } while (0) + +#define FFATAL(x...) \ + do { \ + \ + FATAL(x); \ + \ + } while (0) #endif diff --git a/frida_mode/src/asan/asan.c b/frida_mode/src/asan/asan.c index b2e763ca..d649bd76 100644 --- a/frida_mode/src/asan/asan.c +++ b/frida_mode/src/asan/asan.c @@ -1,8 +1,7 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "asan.h" +#include "util.h" static gboolean asan_enabled = FALSE; gboolean asan_initialized = FALSE; @@ -11,12 +10,12 @@ void asan_config(void) { if (getenv("AFL_USE_FASAN") != NULL) { - OKF("Frida ASAN mode enabled"); + FOKF("Frida ASAN mode enabled"); asan_enabled = TRUE; } else { - OKF("Frida ASAN mode disabled"); + FOKF("Frida ASAN mode disabled"); } diff --git a/frida_mode/src/asan/asan_arm32.c b/frida_mode/src/asan/asan_arm32.c index f5fa4713..21400881 100644 --- a/frida_mode/src/asan/asan_arm32.c +++ b/frida_mode/src/asan/asan_arm32.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "asan.h" #include "util.h" @@ -12,7 +10,7 @@ void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { UNUSED_PARAMETER(iterator); if (asan_initialized) { - FATAL("ASAN mode not supported on this architecture"); + FFATAL("ASAN mode not supported on this architecture"); } @@ -20,7 +18,7 @@ void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { void asan_arch_init(void) { - FATAL("ASAN mode not supported on this architecture"); + FFATAL("ASAN mode not supported on this architecture"); } diff --git a/frida_mode/src/asan/asan_arm64.c b/frida_mode/src/asan/asan_arm64.c index 65524e03..88c76535 100644 --- a/frida_mode/src/asan/asan_arm64.c +++ b/frida_mode/src/asan/asan_arm64.c @@ -1,8 +1,6 @@ #include #include "frida-gumjs.h" -#include "debug.h" - #include "asan.h" #include "ctx.h" #include "util.h" @@ -86,7 +84,7 @@ void asan_arch_init(void) { asan_storeN = (asan_loadN_t)dlsym(RTLD_DEFAULT, "__asan_storeN"); if (asan_loadN == NULL || asan_storeN == NULL) { - FATAL("Frida ASAN failed to find '__asan_loadN' or '__asan_storeN'"); + FFATAL("Frida ASAN failed to find '__asan_loadN' or '__asan_storeN'"); } diff --git a/frida_mode/src/asan/asan_x64.c b/frida_mode/src/asan/asan_x64.c index 5c12669f..c7b70967 100644 --- a/frida_mode/src/asan/asan_x64.c +++ b/frida_mode/src/asan/asan_x64.c @@ -1,8 +1,6 @@ #include #include "frida-gumjs.h" -#include "debug.h" - #include "asan.h" #include "ctx.h" #include "util.h" @@ -83,7 +81,7 @@ void asan_arch_init(void) { asan_storeN = (asan_loadN_t)dlsym(RTLD_DEFAULT, "__asan_storeN"); if (asan_loadN == NULL || asan_storeN == NULL) { - FATAL("Frida ASAN failed to find '__asan_loadN' or '__asan_storeN'"); + FFATAL("Frida ASAN failed to find '__asan_loadN' or '__asan_storeN'"); } diff --git a/frida_mode/src/asan/asan_x86.c b/frida_mode/src/asan/asan_x86.c index 6d2f9e2b..afc89936 100644 --- a/frida_mode/src/asan/asan_x86.c +++ b/frida_mode/src/asan/asan_x86.c @@ -1,8 +1,6 @@ #include #include "frida-gumjs.h" -#include "debug.h" - #include "asan.h" #include "ctx.h" #include "util.h" @@ -83,7 +81,7 @@ void asan_arch_init(void) { asan_storeN = (asan_loadN_t)dlsym(RTLD_DEFAULT, "__asan_storeN"); if (asan_loadN == NULL || asan_storeN == NULL) { - FATAL("Frida ASAN failed to find '__asan_loadN' or '__asan_storeN'"); + FFATAL("Frida ASAN failed to find '__asan_loadN' or '__asan_storeN'"); } diff --git a/frida_mode/src/cmplog/cmplog.c b/frida_mode/src/cmplog/cmplog.c index ae3116eb..81e1a4b0 100644 --- a/frida_mode/src/cmplog/cmplog.c +++ b/frida_mode/src/cmplog/cmplog.c @@ -7,8 +7,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "util.h" #define DEFAULT_MMAP_MIN_ADDR (32UL << 10) @@ -42,7 +40,7 @@ static gint cmplog_sort(gconstpointer a, gconstpointer b) { static void cmplog_get_ranges(void) { - OKF("CMPLOG - Collecting ranges"); + FOKF("CMPLOG - Collecting ranges"); cmplog_ranges = g_array_sized_new(false, false, sizeof(GumMemoryRange), 100); gum_process_enumerate_ranges(GUM_PAGE_READ, cmplog_range, cmplog_ranges); @@ -56,7 +54,7 @@ void cmplog_config(void) { void cmplog_init(void) { - OKF("CMPLOG - Enabled [%c]", __afl_cmp_map == NULL ? ' ' : 'X'); + FOKF("CMPLOG - Enabled [%c]", __afl_cmp_map == NULL ? ' ' : 'X'); if (__afl_cmp_map == NULL) { return; } @@ -65,9 +63,9 @@ void cmplog_init(void) { for (guint i = 0; i < cmplog_ranges->len; i++) { GumMemoryRange *range = &g_array_index(cmplog_ranges, GumMemoryRange, i); - OKF("CMPLOG Range - %3u: 0x%016" G_GINT64_MODIFIER - "X - 0x%016" G_GINT64_MODIFIER "X", - i, range->base_address, range->base_address + range->size); + FOKF("CMPLOG Range - %3u: 0x%016" G_GINT64_MODIFIER + "X - 0x%016" G_GINT64_MODIFIER "X", + i, range->base_address, range->base_address + range->size); } @@ -78,14 +76,14 @@ void cmplog_init(void) { hash_yes = g_hash_table_new(g_direct_hash, g_direct_equal); if (hash_yes == NULL) { - FATAL("Failed to g_hash_table_new, errno: %d", errno); + FFATAL("Failed to g_hash_table_new, errno: %d", errno); } hash_no = g_hash_table_new(g_direct_hash, g_direct_equal); if (hash_no == NULL) { - FATAL("Failed to g_hash_table_new, errno: %d", errno); + FFATAL("Failed to g_hash_table_new, errno: %d", errno); } @@ -117,7 +115,7 @@ gboolean cmplog_test_addr(guint64 addr, size_t size) { if (!g_hash_table_add(hash_no, GSIZE_TO_POINTER(addr))) { - FATAL("Failed - g_hash_table_add"); + FFATAL("Failed - g_hash_table_add"); } @@ -127,7 +125,7 @@ gboolean cmplog_test_addr(guint64 addr, size_t size) { if (!g_hash_table_add(hash_yes, GSIZE_TO_POINTER(addr))) { - FATAL("Failed - g_hash_table_add"); + FFATAL("Failed - g_hash_table_add"); } @@ -139,7 +137,7 @@ gboolean cmplog_test_addr(guint64 addr, size_t size) { gboolean cmplog_is_readable(guint64 addr, size_t size) { - if (cmplog_ranges == NULL) FATAL("CMPLOG not initialized"); + if (cmplog_ranges == NULL) FFATAL("CMPLOG not initialized"); /* * The Linux kernel prevents mmap from allocating from the very bottom of the diff --git a/frida_mode/src/cmplog/cmplog_arm32.c b/frida_mode/src/cmplog/cmplog_arm32.c index ac703408..106baa52 100644 --- a/frida_mode/src/cmplog/cmplog_arm32.c +++ b/frida_mode/src/cmplog/cmplog_arm32.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "frida_cmplog.h" #include "util.h" @@ -11,7 +9,7 @@ void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { UNUSED_PARAMETER(instr); UNUSED_PARAMETER(iterator); if (__afl_cmp_map == NULL) { return; } - FATAL("CMPLOG mode not supported on this architecture"); + FFATAL("CMPLOG mode not supported on this architecture"); } diff --git a/frida_mode/src/cmplog/cmplog_arm64.c b/frida_mode/src/cmplog/cmplog_arm64.c index c6590bb4..515a6256 100644 --- a/frida_mode/src/cmplog/cmplog_arm64.c +++ b/frida_mode/src/cmplog/cmplog_arm64.c @@ -67,7 +67,7 @@ static gboolean cmplog_read_mem(GumCpuContext *ctx, uint8_t size, *val = *((guint64 *)GSIZE_TO_POINTER(address)); return TRUE; default: - FATAL("Invalid operand size: %d\n", size); + FFATAL("Invalid operand size: %d\n", size); } @@ -89,7 +89,7 @@ static gboolean cmplog_get_operand_value(GumCpuContext *context, case ARM64_OP_MEM: return cmplog_read_mem(context, ctx->size, &ctx->mem, val); default: - FATAL("Invalid operand type: %d\n", ctx->type); + FFATAL("Invalid operand type: %d\n", ctx->type); } @@ -163,7 +163,7 @@ static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx, gum_memcpy(&ctx->mem, &operand->mem, sizeof(arm64_op_mem)); break; default: - FATAL("Invalid operand type: %d\n", operand->type); + FFATAL("Invalid operand type: %d\n", operand->type); } diff --git a/frida_mode/src/cmplog/cmplog_x64.c b/frida_mode/src/cmplog/cmplog_x64.c index 7fbcf408..7d515336 100644 --- a/frida_mode/src/cmplog/cmplog_x64.c +++ b/frida_mode/src/cmplog/cmplog_x64.c @@ -62,7 +62,7 @@ static gboolean cmplog_read_mem(GumCpuContext *ctx, uint8_t size, *val = *((guint64 *)GSIZE_TO_POINTER(address)); return TRUE; default: - FATAL("Invalid operand size: %d\n", size); + FFATAL("Invalid operand size: %d\n", size); } @@ -84,7 +84,7 @@ static gboolean cmplog_get_operand_value(GumCpuContext *context, case X86_OP_MEM: return cmplog_read_mem(context, ctx->size, &ctx->mem, val); default: - FATAL("Invalid operand type: %d\n", ctx->type); + FFATAL("Invalid operand type: %d\n", ctx->type); } @@ -157,7 +157,7 @@ static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx, gum_memcpy(&ctx->mem, &operand->mem, sizeof(x86_op_mem)); break; default: - FATAL("Invalid operand type: %d\n", operand->type); + FFATAL("Invalid operand type: %d\n", operand->type); } diff --git a/frida_mode/src/cmplog/cmplog_x86.c b/frida_mode/src/cmplog/cmplog_x86.c index bdd1af4e..4a747417 100644 --- a/frida_mode/src/cmplog/cmplog_x86.c +++ b/frida_mode/src/cmplog/cmplog_x86.c @@ -59,7 +59,7 @@ static gboolean cmplog_read_mem(GumCpuContext *ctx, uint8_t size, *val = *((guint32 *)GSIZE_TO_POINTER(address)); return TRUE; default: - FATAL("Invalid operand size: %d\n", size); + FFATAL("Invalid operand size: %d\n", size); } @@ -81,7 +81,7 @@ static gboolean cmplog_get_operand_value(GumCpuContext *context, case X86_OP_MEM: return cmplog_read_mem(context, ctx->size, &ctx->mem, val); default: - FATAL("Invalid operand type: %d\n", ctx->type); + FFATAL("Invalid operand type: %d\n", ctx->type); } @@ -162,7 +162,7 @@ static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx, gum_memcpy(&ctx->mem, &operand->mem, sizeof(x86_op_mem)); break; default: - FATAL("Invalid operand type: %d\n", operand->type); + FFATAL("Invalid operand type: %d\n", operand->type); } @@ -228,7 +228,7 @@ static void cmplog_cmp_sub_callout(GumCpuContext *context, gpointer user_data) { gsize operand1; gsize operand2; - if (ctx->operand1.size != ctx->operand2.size) FATAL("Operand size mismatch"); + if (ctx->operand1.size != ctx->operand2.size) FFATAL("Operand size mismatch"); if (!cmplog_get_operand_value(context, &ctx->operand1, &operand1)) { return; } if (!cmplog_get_operand_value(context, &ctx->operand2, &operand2)) { return; } diff --git a/frida_mode/src/ctx/ctx_arm32.c b/frida_mode/src/ctx/ctx_arm32.c index 9fc70fb4..049b5548 100644 --- a/frida_mode/src/ctx/ctx_arm32.c +++ b/frida_mode/src/ctx/ctx_arm32.c @@ -1,14 +1,12 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "ctx.h" #if defined(__arm__) gsize ctx_read_reg(GumArmCpuContext *ctx, arm_reg reg) { - FATAL("ctx_read_reg unimplemented for this architecture"); + FFATAL("ctx_read_reg unimplemented for this architecture"); } diff --git a/frida_mode/src/ctx/ctx_arm64.c b/frida_mode/src/ctx/ctx_arm64.c index a735401b..01f321e3 100644 --- a/frida_mode/src/ctx/ctx_arm64.c +++ b/frida_mode/src/ctx/ctx_arm64.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "ctx.h" #if defined(__aarch64__) @@ -174,7 +172,7 @@ gsize ctx_read_reg(GumArm64CpuContext *ctx, arm64_reg reg) { ARM64_REG_64(ARM64_REG_SP, ctx->sp) default: - FATAL("Failed to read register: %d", reg); + FFATAL("Failed to read register: %d", reg); return 0; } @@ -206,7 +204,7 @@ size_t ctx_get_size(const cs_insn *instr, cs_arm64_op *operand) { } mnemonic_len = strlen(instr->mnemonic); - if (mnemonic_len == 0) { FATAL("No mnemonic found"); }; + if (mnemonic_len == 0) { FFATAL("No mnemonic found"); }; char last = instr->mnemonic[mnemonic_len - 1]; switch (last) { @@ -252,14 +250,14 @@ size_t ctx_get_size(const cs_insn *instr, cs_arm64_op *operand) { if (mnemonic_len < 3) { - FATAL("VAS Mnemonic too short: %s\n", instr->mnemonic); + FFATAL("VAS Mnemonic too short: %s\n", instr->mnemonic); } vas_digit = instr->mnemonic[2]; if (vas_digit < '0' || vas_digit > '9') { - FATAL("VAS Mnemonic digit out of range: %s\n", instr->mnemonic); + FFATAL("VAS Mnemonic digit out of range: %s\n", instr->mnemonic); } @@ -293,7 +291,7 @@ size_t ctx_get_size(const cs_insn *instr, cs_arm64_op *operand) { case ARM64_VAS_16B: return 16 * count_byte; default: - FATAL("Unexpected VAS type: %s %d", instr->mnemonic, operand->vas); + FFATAL("Unexpected VAS type: %s %d", instr->mnemonic, operand->vas); } diff --git a/frida_mode/src/ctx/ctx_x64.c b/frida_mode/src/ctx/ctx_x64.c index da5cb13a..02423416 100644 --- a/frida_mode/src/ctx/ctx_x64.c +++ b/frida_mode/src/ctx/ctx_x64.c @@ -1,8 +1,7 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "ctx.h" +#include "util.h" #if defined(__x86_64__) @@ -121,7 +120,7 @@ gsize ctx_read_reg(GumX64CpuContext *ctx, x86_reg reg) { X86_REG_64(X86_REG_RIP, ctx->rip) default: - FATAL("Failed to read register: %d", reg); + FFATAL("Failed to read register: %d", reg); return 0; } diff --git a/frida_mode/src/ctx/ctx_x86.c b/frida_mode/src/ctx/ctx_x86.c index 1a587702..abfeafc8 100644 --- a/frida_mode/src/ctx/ctx_x86.c +++ b/frida_mode/src/ctx/ctx_x86.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "ctx.h" #if defined(__i386__) @@ -72,7 +70,7 @@ gsize ctx_read_reg(GumIA32CpuContext *ctx, x86_reg reg) { X86_REG_32(X86_REG_EIP, ctx->eip) default: - FATAL("Failed to read register: %d", reg); + FFATAL("Failed to read register: %d", reg); return 0; } diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index c51e202f..a36daf88 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -6,8 +6,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "entry.h" #include "instrument.h" #include "persistent.h" @@ -26,7 +24,7 @@ gboolean entry_run = FALSE; static void entry_launch(void) { - OKF("Entry point reached"); + FOKF("Entry point reached"); __afl_manual_init(); /* Child here */ @@ -45,7 +43,7 @@ void entry_on_fork(void) { if (prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY) < 0) { - FATAL("Failed to PR_SET_PTRACER"); + FFATAL("Failed to PR_SET_PTRACER"); } @@ -56,7 +54,7 @@ void entry_on_fork(void) { #else void entry_on_fork(void) { - if (traceable) { WARNF("AFL_FRIDA_TRACEABLE unsupported"); } + if (traceable) { FWARNF("AFL_FRIDA_TRACEABLE unsupported"); } } @@ -71,10 +69,10 @@ void entry_config(void) { void entry_init(void) { - OKF("entry_point: 0x%016" G_GINT64_MODIFIER "X", entry_point); - OKF("dumpable: [%c]", traceable ? 'X' : ' '); + FOKF("entry_point: 0x%016" G_GINT64_MODIFIER "X", entry_point); + FOKF("dumpable: [%c]", traceable ? 'X' : ' '); - if (dlopen(NULL, RTLD_NOW) == NULL) { FATAL("Failed to dlopen: %d", errno); } + if (dlopen(NULL, RTLD_NOW) == NULL) { FFATAL("Failed to dlopen: %d", errno); } } @@ -96,7 +94,7 @@ static void entry_callout(GumCpuContext *cpu_context, gpointer user_data) { void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output) { UNUSED_PARAMETER(output); - OKF("AFL_ENTRYPOINT reached"); + FOKF("AFL_ENTRYPOINT reached"); if (persistent_start == 0) { diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index eeebe545..0262e461 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -6,7 +6,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "hash.h" #include "asan.h" @@ -261,14 +260,14 @@ void instrument_init(void) { if (!instrument_is_coverage_optimize_supported()) instrument_optimize = false; - OKF("Instrumentation - optimize [%c]", instrument_optimize ? 'X' : ' '); - OKF("Instrumentation - tracing [%c]", instrument_tracing ? 'X' : ' '); - OKF("Instrumentation - unique [%c]", instrument_unique ? 'X' : ' '); - OKF("Instrumentation - fixed seed [%c] [0x%016" G_GINT64_MODIFIER "x]", - instrument_use_fixed_seed ? 'X' : ' ', instrument_fixed_seed); - OKF("Instrumentation - unstable coverage [%c] [%s]", - instrument_coverage_unstable_filename == NULL ? ' ' : 'X', - instrument_coverage_unstable_filename); + FOKF("Instrumentation - optimize [%c]", instrument_optimize ? 'X' : ' '); + FOKF("Instrumentation - tracing [%c]", instrument_tracing ? 'X' : ' '); + FOKF("Instrumentation - unique [%c]", instrument_unique ? 'X' : ' '); + FOKF("Instrumentation - fixed seed [%c] [0x%016" G_GINT64_MODIFIER "x]", + instrument_use_fixed_seed ? 'X' : ' ', instrument_fixed_seed); + FOKF("Instrumentation - unstable coverage [%c] [%s]", + instrument_coverage_unstable_filename == NULL ? ' ' : 'X', + instrument_coverage_unstable_filename); if (instrument_tracing && instrument_optimize) { @@ -352,8 +351,8 @@ void instrument_init(void) { } - OKF("Instrumentation - seed [0x%016" G_GINT64_MODIFIER "x]", - instrument_hash_seed); + FOKF("Instrumentation - seed [0x%016" G_GINT64_MODIFIER "x]", + instrument_hash_seed); instrument_hash_zero = instrument_get_offset_hash(0); instrument_coverage_optimize_init(); diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index 395d56c1..fa8b0bd2 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "instrument.h" #include "util.h" @@ -18,13 +16,13 @@ void instrument_coverage_optimize(const cs_insn * instr, UNUSED_PARAMETER(instr); UNUSED_PARAMETER(output); - FATAL("Optimized coverage not supported on this architecture"); + FFATAL("Optimized coverage not supported on this architecture"); } void instrument_coverage_optimize_init(void) { - WARNF("Optimized coverage not supported on this architecture"); + FWARNF("Optimized coverage not supported on this architecture"); } diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 358e8e6b..0f635458 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -1,7 +1,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "instrument.h" diff --git a/frida_mode/src/instrument/instrument_coverage.c b/frida_mode/src/instrument/instrument_coverage.c index 513df29a..95a24808 100644 --- a/frida_mode/src/instrument/instrument_coverage.c +++ b/frida_mode/src/instrument/instrument_coverage.c @@ -5,8 +5,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "instrument.h" #include "util.h" @@ -251,7 +249,7 @@ static void coverage_write(void *data, size_t size) { if (written < 0) { - FATAL("Coverage - Failed to write: %s (%d)\n", (char *)data, errno); + FFATAL("Coverage - Failed to write: %s (%d)\n", (char *)data, errno); } @@ -371,7 +369,7 @@ static void instrument_coverage_normal_run() { if (close(normal_coverage_pipes[STDOUT_FILENO]) != 0) { - FATAL("Failed to close parent read pipe"); + FFATAL("Failed to close parent read pipe"); } @@ -379,7 +377,7 @@ static void instrument_coverage_normal_run() { g_hash_table_new_full(g_direct_hash, g_direct_equal, NULL, g_free); if (coverage_hash == NULL) { - FATAL("Failed to g_hash_table_new, errno: %d", errno); + FFATAL("Failed to g_hash_table_new, errno: %d", errno); } @@ -396,7 +394,7 @@ static void instrument_coverage_normal_run() { } - if (bytes != 0) { FATAL("Coverage data truncated"); } + if (bytes != 0) { FFATAL("Coverage data truncated"); } instrument_coverage_print("Coverage - Preparing\n"); @@ -435,7 +433,7 @@ static GArray *instrument_coverage_unstable_read_unstable_ids(void) { if (!g_file_get_contents(unstable_coverage_fuzzer_stats, &contents, &length, NULL)) { - FATAL("Failed to read fuzzer_stats"); + FFATAL("Failed to read fuzzer_stats"); } @@ -526,7 +524,7 @@ static GHashTable *instrument_collect_unstable_blocks( GHashTable *child = (GHashTable *)g_hash_table_lookup(unstable_coverage_hash, *id); - if (child == NULL) { FATAL("Failed to find edge ID"); } + if (child == NULL) { FFATAL("Failed to find edge ID"); } GHashTableIter iter = {0}; gpointer value; @@ -565,7 +563,7 @@ static void instrument_coverage_unstable_run(void) { if (close(unstable_coverage_pipes[STDOUT_FILENO]) != 0) { - FATAL("Failed to close parent read pipe"); + FFATAL("Failed to close parent read pipe"); } @@ -573,7 +571,7 @@ static void instrument_coverage_unstable_run(void) { g_direct_hash, g_direct_equal, NULL, (GDestroyNotify)g_hash_table_unref); if (unstable_coverage_hash == NULL) { - FATAL("Failed to g_hash_table_new, errno: %d", errno); + FFATAL("Failed to g_hash_table_new, errno: %d", errno); } @@ -599,7 +597,7 @@ static void instrument_coverage_unstable_run(void) { if (!g_hash_table_insert(unstable_coverage_hash, GSIZE_TO_POINTER(value->edge), hash_value)) { - FATAL("Entry already in hashtable"); + FFATAL("Entry already in hashtable"); } @@ -613,7 +611,7 @@ static void instrument_coverage_unstable_run(void) { } - if (bytes != 0) { FATAL("Unstable coverage data truncated"); } + if (bytes != 0) { FFATAL("Unstable coverage data truncated"); } instrument_coverage_print("Coverage - Preparing\n"); @@ -659,33 +657,33 @@ void instrument_coverage_config(void) { void instrument_coverage_normal_init(void) { - OKF("Coverage - enabled [%c]", - instrument_coverage_filename == NULL ? ' ' : 'X'); + FOKF("Coverage - enabled [%c]", + instrument_coverage_filename == NULL ? ' ' : 'X'); if (instrument_coverage_filename == NULL) { return; } - OKF("Coverage - file [%s]", instrument_coverage_filename); + FOKF("Coverage - file [%s]", instrument_coverage_filename); char *path = g_canonicalize_filename(instrument_coverage_filename, g_get_current_dir()); - OKF("Coverage - path [%s]", path); + FOKF("Coverage - path [%s]", path); normal_coverage_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); if (normal_coverage_fd < 0) { - FATAL("Failed to open coverage file '%s'", path); + FFATAL("Failed to open coverage file '%s'", path); } g_free(path); - if (pipe(normal_coverage_pipes) != 0) { FATAL("Failed to create pipes"); } + if (pipe(normal_coverage_pipes) != 0) { FFATAL("Failed to create pipes"); } pid_t pid = fork(); - if (pid == -1) { FATAL("Failed to start coverage process"); } + if (pid == -1) { FFATAL("Failed to start coverage process"); } if (pid == 0) { @@ -697,13 +695,13 @@ void instrument_coverage_normal_init(void) { if (close(normal_coverage_fd) < 0) { - FATAL("Failed to close coverage output file"); + FFATAL("Failed to close coverage output file"); } if (close(normal_coverage_pipes[STDIN_FILENO]) != 0) { - FATAL("Failed to close parent read pipe"); + FFATAL("Failed to close parent read pipe"); } @@ -714,11 +712,11 @@ void instrument_coverage_unstable_find_output(void) { gchar *fds_name = g_strdup_printf("/proc/%d/fd/", getppid()); gchar *root = g_file_read_link("/proc/self/root", NULL); - if (root == NULL) { FATAL("Failed to read link"); } + if (root == NULL) { FFATAL("Failed to read link"); } GDir *dir = g_dir_open(fds_name, 0, NULL); - OKF("Coverage Unstable - fds: %s", fds_name); + FOKF("Coverage Unstable - fds: %s", fds_name); for (const gchar *filename = g_dir_read_name(dir); filename != NULL; filename = g_dir_read_name(dir)) { @@ -726,7 +724,7 @@ void instrument_coverage_unstable_find_output(void) { gchar *fullname = g_build_path("/", fds_name, filename, NULL); gchar *link = g_file_read_link(fullname, NULL); - if (link == NULL) { FATAL("Failed to read link: %s", fullname); } + if (link == NULL) { FFATAL("Failed to read link: %s", fullname); } gchar *basename = g_path_get_basename(link); if (g_strcmp0(basename, "default") != 0) { @@ -778,11 +776,11 @@ void instrument_coverage_unstable_find_output(void) { if (unstable_coverage_fuzzer_stats == NULL) { - FATAL("Failed to find fuzzer stats"); + FFATAL("Failed to find fuzzer stats"); } - OKF("Fuzzer stats: %s", unstable_coverage_fuzzer_stats); + FOKF("Fuzzer stats: %s", unstable_coverage_fuzzer_stats); } @@ -793,14 +791,14 @@ void instrument_coverage_unstable_init(void) { char *path = g_canonicalize_filename(instrument_coverage_unstable_filename, g_get_current_dir()); - OKF("Coverage - unstable path [%s]", instrument_coverage_unstable_filename); + FOKF("Coverage - unstable path [%s]", instrument_coverage_unstable_filename); unstable_coverage_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); if (unstable_coverage_fd < 0) { - FATAL("Failed to open unstable coverage file '%s'", path); + FFATAL("Failed to open unstable coverage file '%s'", path); } @@ -810,12 +808,12 @@ void instrument_coverage_unstable_init(void) { if (pipe(unstable_coverage_pipes) != 0) { - FATAL("Failed to create unstable pipes"); + FFATAL("Failed to create unstable pipes"); } pid_t pid = fork(); - if (pid == -1) { FATAL("Failed to start coverage process"); } + if (pid == -1) { FFATAL("Failed to start coverage process"); } if (pid == 0) { @@ -827,13 +825,13 @@ void instrument_coverage_unstable_init(void) { if (close(unstable_coverage_fd) < 0) { - FATAL("Failed to close unstable coverage output file"); + FFATAL("Failed to close unstable coverage output file"); } if (close(unstable_coverage_pipes[STDIN_FILENO]) != 0) { - FATAL("Failed to close parent read pipe"); + FFATAL("Failed to close parent read pipe"); } @@ -865,7 +863,7 @@ void instrument_coverage_end(uint64_t address) { if (write(normal_coverage_pipes[STDOUT_FILENO], &data, sizeof(normal_coverage_data_t)) != sizeof(normal_coverage_data_t)) { - FATAL("Coverage I/O error"); + FFATAL("Coverage I/O error"); } @@ -888,7 +886,7 @@ void instrument_coverage_unstable(guint64 edge, guint64 previous_rip, sizeof(unstable_coverage_data_t)) != sizeof(unstable_coverage_data_t)) { - FATAL("Unstable coverage I/O error"); + FFATAL("Unstable coverage I/O error"); } diff --git a/frida_mode/src/instrument/instrument_debug.c b/frida_mode/src/instrument/instrument_debug.c index b8cca634..a175b585 100644 --- a/frida_mode/src/instrument/instrument_debug.c +++ b/frida_mode/src/instrument/instrument_debug.c @@ -5,8 +5,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "instrument.h" #include "util.h" @@ -89,24 +87,24 @@ void instrument_debug_config(void) { void instrument_debug_init(void) { - OKF("Instrumentation debugging - enabled [%c]", - instrument_debug_filename == NULL ? ' ' : 'X'); + FOKF("Instrumentation debugging - enabled [%c]", + instrument_debug_filename == NULL ? ' ' : 'X'); if (instrument_debug_filename == NULL) { return; } - OKF("Instrumentation debugging - file [%s]", instrument_debug_filename); + FOKF("Instrumentation debugging - file [%s]", instrument_debug_filename); if (instrument_debug_filename == NULL) { return; } char *path = g_canonicalize_filename(instrument_debug_filename, g_get_current_dir()); - OKF("Instrumentation debugging - path [%s]", path); + FOKF("Instrumentation debugging - path [%s]", path); debugging_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); - if (debugging_fd < 0) { FATAL("Failed to open stats file '%s'", path); } + if (debugging_fd < 0) { FFATAL("Failed to open stats file '%s'", path); } g_free(path); diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 07605a04..e2cbb804 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -15,11 +15,11 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "instrument.h" #include "ranges.h" #include "stalker.h" +#include "util.h" #if defined(__x86_64__) @@ -238,6 +238,9 @@ static void instrument_coverage_switch(GumStalkerObserver *self, const cs_insn * from_insn, gpointer * target) { + UNUSED_PARAMETER(self); + UNUSED_PARAMETER(start_address); + cs_x86 * x86; cs_x86_op *op; if (from_insn == NULL) { return; } @@ -271,7 +274,7 @@ static void instrument_coverage_switch(GumStalkerObserver *self, } - *target = *target + sizeof(afl_log_code); + *target = (guint8 *)*target + sizeof(afl_log_code); } @@ -282,7 +285,7 @@ void instrument_coverage_optimize_init(void) { gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, instrument_coverage_find_low, &low_address); - OKF("Low address: %p", low_address); + FOKF("Low address: %p", low_address); if (low_address == 0 || GPOINTER_TO_SIZE(low_address) > ((2UL << 20) - __afl_map_size)) { @@ -294,11 +297,11 @@ void instrument_coverage_optimize_init(void) { ranges_print_debug_maps(); char *shm_env = getenv(SHM_ENV_VAR); - OKF("SHM_ENV_VAR: %s", shm_env); + FOKF("SHM_ENV_VAR: %s", shm_env); if (shm_env == NULL) { - WARNF("SHM_ENV_VAR not set, using anonymous map for debugging purposes"); + FWARNF("SHM_ENV_VAR not set, using anonymous map for debugging purposes"); instrument_coverage_optimize_map_mmap_anon(low_address); @@ -318,8 +321,8 @@ void instrument_coverage_optimize_init(void) { } - OKF("__afl_area_ptr: %p", __afl_area_ptr); - OKF("instrument_previous_pc: %p", &instrument_previous_pc); + FOKF("__afl_area_ptr: %p", __afl_area_ptr); + FOKF("instrument_previous_pc: %p", &instrument_previous_pc); } diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index f90c01c2..79664afa 100644 --- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "instrument.h" #include "util.h" diff --git a/frida_mode/src/intercept.c b/frida_mode/src/intercept.c index ed8d27bd..26d20c50 100644 --- a/frida_mode/src/intercept.c +++ b/frida_mode/src/intercept.c @@ -1,8 +1,7 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "intercept.h" +#include "util.h" void intercept_hook(void *address, gpointer replacement, gpointer user_data) { @@ -10,7 +9,7 @@ void intercept_hook(void *address, gpointer replacement, gpointer user_data) { gum_interceptor_begin_transaction(interceptor); GumReplaceReturn ret = gum_interceptor_replace(interceptor, address, replacement, user_data); - if (ret != GUM_REPLACE_OK) { FATAL("gum_interceptor_attach: %d", ret); } + if (ret != GUM_REPLACE_OK) { FFATAL("gum_interceptor_attach: %d", ret); } gum_interceptor_end_transaction(interceptor); } diff --git a/frida_mode/src/js/js.c b/frida_mode/src/js/js.c index e3cd4933..37cd377b 100644 --- a/frida_mode/src/js/js.c +++ b/frida_mode/src/js/js.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "js.h" #include "util.h" @@ -25,7 +23,7 @@ static void js_msg(GumScript *script, const gchar *message, GBytes *data, UNUSED_PARAMETER(script); UNUSED_PARAMETER(data); UNUSED_PARAMETER(user_data); - OKF("%s", message); + FOKF("%s", message); } @@ -50,14 +48,14 @@ static gchar *js_get_script() { } else { - FATAL("Could not load script file: %s", filename); + FFATAL("Could not load script file: %s", filename); } } else { - OKF("Loaded AFL script: %s, %" G_GSIZE_MODIFIER "d bytes", filename, - length); + FOKF("Loaded AFL script: %s, %" G_GSIZE_MODIFIER "d bytes", filename, + length); gchar *source = g_malloc0(api_js_len + length + 1); memcpy(source, api_js, api_js_len); @@ -75,7 +73,7 @@ static void js_print_script(gchar *source) { for (size_t i = 0; split[i] != NULL; i++) { - OKF("%3" G_GSIZE_MODIFIER "d. %s", i + 1, split[i]); + FOKF("%3" G_GSIZE_MODIFIER "d. %s", i + 1, split[i]); } @@ -89,7 +87,7 @@ static void load_cb(GObject *source_object, GAsyncResult *result, UNUSED_PARAMETER(source_object); UNUSED_PARAMETER(user_data); gum_script_load_finish(script, result); - if (error != NULL) { FATAL("Failed to load script - %s", error->message); } + if (error != NULL) { FFATAL("Failed to load script - %s", error->message); } } @@ -99,7 +97,7 @@ static void create_cb(GObject *source_object, GAsyncResult *result, UNUSED_PARAMETER(source_object); UNUSED_PARAMETER(user_data); script = gum_script_backend_create_finish(backend, result, &error); - if (error != NULL) { FATAL("Failed to create script: %s", error->message); } + if (error != NULL) { FFATAL("Failed to create script: %s", error->message); } gum_script_set_message_handler(script, js_msg, NULL, NULL); @@ -128,7 +126,7 @@ void js_start(void) { while (g_main_context_pending(context)) g_main_context_iteration(context, FALSE); - if (!js_done) { FATAL("Script didn't call Afl.done()"); } + if (!js_done) { FFATAL("Script didn't call Afl.done()"); } } diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index abc0ac30..570da335 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -1,4 +1,3 @@ -#include "debug.h" #include "entry.h" #include "instrument.h" @@ -20,7 +19,7 @@ __attribute__((visibility("default"))) void js_api_done() { __attribute__((visibility("default"))) void js_api_error(char *msg) { - FATAL("%s", msg); + FFATAL("%s", msg); } diff --git a/frida_mode/src/lib/lib.c b/frida_mode/src/lib/lib.c index 59a3fcf9..48d2ea2a 100644 --- a/frida_mode/src/lib/lib.c +++ b/frida_mode/src/lib/lib.c @@ -8,9 +8,8 @@ #include "frida-gumjs.h" - #include "debug.h" - #include "lib.h" + #include "util.h" #if defined(__arm__) || defined(__i386__) #define ELFCLASS ELFCLASS32 @@ -55,11 +54,11 @@ static gboolean lib_find_exe(const GumModuleDetails *details, static void lib_validate_hdr(Elf_Ehdr *hdr) { - if (hdr->e_ident[0] != ELFMAG0) FATAL("Invalid e_ident[0]"); - if (hdr->e_ident[1] != ELFMAG1) FATAL("Invalid e_ident[1]"); - if (hdr->e_ident[2] != ELFMAG2) FATAL("Invalid e_ident[2]"); - if (hdr->e_ident[3] != ELFMAG3) FATAL("Invalid e_ident[3]"); - if (hdr->e_ident[4] != ELFCLASS) FATAL("Invalid class"); + if (hdr->e_ident[0] != ELFMAG0) FFATAL("Invalid e_ident[0]"); + if (hdr->e_ident[1] != ELFMAG1) FFATAL("Invalid e_ident[1]"); + if (hdr->e_ident[2] != ELFMAG2) FFATAL("Invalid e_ident[2]"); + if (hdr->e_ident[3] != ELFMAG3) FFATAL("Invalid e_ident[3]"); + if (hdr->e_ident[4] != ELFCLASS) FFATAL("Invalid class"); } @@ -88,18 +87,22 @@ static void lib_read_text_section(lib_details_t *lib_details, Elf_Ehdr *hdr) { } - if (!found_preferred_base) { FATAL("Failed to find preferred load address"); } + if (!found_preferred_base) { + + FFATAL("Failed to find preferred load address"); + + } - OKF("Image preferred load address 0x%016" G_GSIZE_MODIFIER "x", - preferred_base); + FOKF("Image preferred load address 0x%016" G_GSIZE_MODIFIER "x", + preferred_base); shdr = (Elf_Shdr *)((char *)hdr + hdr->e_shoff); shstrtab = &shdr[hdr->e_shstrndx]; shstr = (char *)hdr + shstrtab->sh_offset; - OKF("shdr: %p", shdr); - OKF("shstrtab: %p", shstrtab); - OKF("shstr: %p", shstr); + FOKF("shdr: %p", shdr); + FOKF("shstrtab: %p", shstrtab); + FOKF("shstr: %p", shstr); for (size_t i = 0; i < hdr->e_shnum; i++) { @@ -108,16 +111,16 @@ static void lib_read_text_section(lib_details_t *lib_details, Elf_Ehdr *hdr) { if (curr->sh_name == 0) continue; section_name = &shstr[curr->sh_name]; - OKF("Section: %2" G_GSIZE_MODIFIER "u - base: 0x%016" G_GSIZE_MODIFIER - "X size: 0x%016" G_GSIZE_MODIFIER "X %s", - i, curr->sh_addr, curr->sh_size, section_name); + FOKF("Section: %2" G_GSIZE_MODIFIER "u - base: 0x%016" G_GSIZE_MODIFIER + "X size: 0x%016" G_GSIZE_MODIFIER "X %s", + i, curr->sh_addr, curr->sh_size, section_name); if (memcmp(section_name, text_name, sizeof(text_name)) == 0 && text_base == 0) { text_base = lib_details->base_address + curr->sh_addr - preferred_base; text_limit = text_base + curr->sh_size; - OKF("> text_addr: 0x%016" G_GINT64_MODIFIER "X", text_base); - OKF("> text_limit: 0x%016" G_GINT64_MODIFIER "X", text_limit); + FOKF("> text_addr: 0x%016" G_GINT64_MODIFIER "X", text_base); + FOKF("> text_limit: 0x%016" G_GINT64_MODIFIER "X", text_limit); } @@ -132,16 +135,16 @@ static void lib_get_text_section(lib_details_t *details) { Elf_Ehdr *hdr; fd = open(details->path, O_RDONLY); - if (fd < 0) { FATAL("Failed to open %s", details->path); } + if (fd < 0) { FFATAL("Failed to open %s", details->path); } len = lseek(fd, 0, SEEK_END); - if (len == (off_t)-1) { FATAL("Failed to lseek %s", details->path); } + if (len == (off_t)-1) { FFATAL("Failed to lseek %s", details->path); } - OKF("len: %ld", len); + FOKF("len: %ld", len); hdr = (Elf_Ehdr *)mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0); - if (hdr == MAP_FAILED) { FATAL("Failed to map %s", details->path); } + if (hdr == MAP_FAILED) { FFATAL("Failed to map %s", details->path); } lib_validate_hdr(hdr); lib_read_text_section(details, hdr); @@ -159,22 +162,22 @@ void lib_init(void) { lib_details_t lib_details; gum_process_enumerate_modules(lib_find_exe, &lib_details); - OKF("Executable: 0x%016" G_GINT64_MODIFIER "x - %s", lib_details.base_address, - lib_details.path); + FOKF("Executable: 0x%016" G_GINT64_MODIFIER "x - %s", + lib_details.base_address, lib_details.path); lib_get_text_section(&lib_details); } guint64 lib_get_text_base(void) { - if (text_base == 0) FATAL("Lib not initialized"); + if (text_base == 0) FFATAL("Lib not initialized"); return text_base; } guint64 lib_get_text_limit(void) { - if (text_limit == 0) FATAL("Lib not initialized"); + if (text_limit == 0) FFATAL("Lib not initialized"); return text_limit; } diff --git a/frida_mode/src/lib/lib_apple.c b/frida_mode/src/lib/lib_apple.c index 2aa48a13..3bdb8c10 100644 --- a/frida_mode/src/lib/lib_apple.c +++ b/frida_mode/src/lib/lib_apple.c @@ -1,8 +1,6 @@ #ifdef __APPLE__ #include "frida-gumjs.h" - #include "debug.h" - #include "lib.h" #include "util.h" @@ -22,7 +20,7 @@ static gboolean lib_get_main_module(const GumModuleDetails *details, details->path, mach_task_self(), details->range->base_address, GUM_DARWIN_MODULE_FLAGS_NONE, NULL); - OKF("Found main module: %s", module->name); + FOKF("Found main module: %s", module->name); *ret = module; @@ -37,18 +35,18 @@ gboolean lib_get_text_section(const GumDarwinSectionDetails *details, static size_t idx = 0; char text_name[] = "__text"; - OKF("Section: %2lu - base: 0x%016" G_GINT64_MODIFIER - "X size: 0x%016" G_GINT64_MODIFIER "X %s", - idx++, details->vm_address, details->vm_address + details->size, - details->section_name); + FOKF("Section: %2lu - base: 0x%016" G_GINT64_MODIFIER + "X size: 0x%016" G_GINT64_MODIFIER "X %s", + idx++, details->vm_address, details->vm_address + details->size, + details->section_name); if (memcmp(details->section_name, text_name, sizeof(text_name)) == 0 && text_base == 0) { text_base = details->vm_address; text_limit = details->vm_address + details->size; - OKF("> text_addr: 0x%016" G_GINT64_MODIFIER "X", text_base); - OKF("> text_limit: 0x%016" G_GINT64_MODIFIER "X", text_limit); + FOKF("> text_addr: 0x%016" G_GINT64_MODIFIER "X", text_base); + FOKF("> text_limit: 0x%016" G_GINT64_MODIFIER "X", text_limit); } @@ -70,14 +68,14 @@ void lib_init(void) { guint64 lib_get_text_base(void) { - if (text_base == 0) FATAL("Lib not initialized"); + if (text_base == 0) FFATAL("Lib not initialized"); return text_base; } guint64 lib_get_text_limit(void) { - if (text_limit == 0) FATAL("Lib not initialized"); + if (text_limit == 0) FFATAL("Lib not initialized"); return text_limit; } diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index 3599143b..cb88eabe 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -15,7 +15,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "entry.h" #include "instrument.h" @@ -63,7 +62,7 @@ static void on_main_os(int argc, char **argv, char **envp) { /* Personality doesn't affect the current process, it only takes effect on * evec */ int persona = personality(ADDR_NO_RANDOMIZE); - if (persona == -1) { WARNF("Failed to set ADDR_NO_RANDOMIZE: %d", errno); } + if (persona == -1) { FWARNF("Failed to set ADDR_NO_RANDOMIZE: %d", errno); } if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); } GumInterceptor *interceptor = gum_interceptor_obtain(); @@ -98,7 +97,7 @@ static void afl_print_cmdline(void) { if (fd < 0) { - WARNF("Failed to open /proc/self/cmdline, errno: (%d)", errno); + FWARNF("Failed to open /proc/self/cmdline, errno: (%d)", errno); return; } @@ -106,7 +105,7 @@ static void afl_print_cmdline(void) { ssize_t bytes_read = read(fd, buffer, PROC_MAX - 1); if (bytes_read < 0) { - FATAL("Failed to read /proc/self/cmdline, errno: (%d)", errno); + FFATAL("Failed to read /proc/self/cmdline, errno: (%d)", errno); } @@ -116,7 +115,7 @@ static void afl_print_cmdline(void) { if (i == 0 || buffer[i - 1] == '\0') { - OKF("AFL - COMMANDLINE: argv[%d] = %s", idx++, &buffer[i]); + FOKF("AFL - COMMANDLINE: argv[%d] = %s", idx++, &buffer[i]); } @@ -132,7 +131,7 @@ static void afl_print_cmdline(void) { for (idx = 0; idx < nargv; idx++) { - OKF("AFL - COMMANDLINE: argv[%d] = %s", idx, argv[idx]); + FOKF("AFL - COMMANDLINE: argv[%d] = %s", idx, argv[idx]); } @@ -148,7 +147,7 @@ static void afl_print_env(void) { if (fd < 0) { - WARNF("Failed to open /proc/self/cmdline, errno: (%d)", errno); + FWARNF("Failed to open /proc/self/cmdline, errno: (%d)", errno); return; } @@ -156,7 +155,7 @@ static void afl_print_env(void) { ssize_t bytes_read = read(fd, buffer, PROC_MAX - 1); if (bytes_read < 0) { - FATAL("Failed to read /proc/self/cmdline, errno: (%d)", errno); + FFATAL("Failed to read /proc/self/cmdline, errno: (%d)", errno); } @@ -166,7 +165,7 @@ static void afl_print_env(void) { if (i == 0 || buffer[i - 1] == '\0') { - OKF("AFL - ENVIRONMENT %3d: %s", idx++, &buffer[i]); + FOKF("AFL - ENVIRONMENT %3d: %s", idx++, &buffer[i]); } @@ -244,9 +243,9 @@ static void intercept_main(void) { static void intercept_main(void) { mach_port_t task = mach_task_self(); - OKF("Task Id: %u", task); + FOKF("Task Id: %u", task); GumAddress entry = gum_darwin_find_entrypoint(task); - OKF("Entry Point: 0x%016" G_GINT64_MODIFIER "x", entry); + FOKF("Entry Point: 0x%016" G_GINT64_MODIFIER "x", entry); void *main = GSIZE_TO_POINTER(entry); main_fn = main; intercept_hook(main, on_main, NULL); diff --git a/frida_mode/src/output.c b/frida_mode/src/output.c index e2b744e7..f570fe91 100644 --- a/frida_mode/src/output.c +++ b/frida_mode/src/output.c @@ -4,9 +4,8 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "output.h" +#include "util.h" char *output_stdout = NULL; char *output_stderr = NULL; @@ -19,18 +18,18 @@ static void output_redirect(int fd, char *filename) { path = g_canonicalize_filename(filename, g_get_current_dir()); - OKF("Redirect %d -> '%s'", fd, path); + FOKF("Redirect %d -> '%s'", fd, path); int output_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); g_free(path); - if (output_fd < 0) { FATAL("Failed to open fd(%d) error %d", fd, errno); } + if (output_fd < 0) { FFATAL("Failed to open fd(%d) error %d", fd, errno); } if (dup2(output_fd, fd) < 0) { - FATAL("Failed to set fd(%d) error %d", fd, errno); + FFATAL("Failed to set fd(%d) error %d", fd, errno); } @@ -47,8 +46,8 @@ void output_config(void) { void output_init(void) { - OKF("Output - StdOut: %s", output_stdout); - OKF("Output - StdErr: %s", output_stderr); + FOKF("Output - StdOut: %s", output_stdout); + FOKF("Output - StdErr: %s", output_stderr); output_redirect(STDOUT_FILENO, output_stdout); output_redirect(STDERR_FILENO, output_stderr); diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c index b2915a2f..e62f25d0 100644 --- a/frida_mode/src/persistent/persistent.c +++ b/frida_mode/src/persistent/persistent.c @@ -3,7 +3,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "entry.h" #include "persistent.h" @@ -31,7 +30,7 @@ void persistent_config(void) { if (persistent_count != 0 && persistent_start == 0) { - FATAL( + FFATAL( "AFL_FRIDA_PERSISTENT_ADDR must be specified if " "AFL_FRIDA_PERSISTENT_CNT is"); @@ -40,11 +39,11 @@ void persistent_config(void) { if (persistent_start != 0 && persistent_count == 0) persistent_count = 1000; if (persistent_start != 0 && !persistent_is_supported()) - FATAL("Persistent mode not supported on this architecture"); + FFATAL("Persistent mode not supported on this architecture"); if (persistent_ret != 0 && persistent_start == 0) { - FATAL( + FFATAL( "AFL_FRIDA_PERSISTENT_ADDR must be specified if " "AFL_FRIDA_PERSISTENT_RET is"); @@ -54,33 +53,33 @@ void persistent_config(void) { void *hook_obj = dlopen(hook_name, RTLD_NOW); if (hook_obj == NULL) - FATAL("Failed to load AFL_FRIDA_PERSISTENT_HOOK (%s)", hook_name); + FFATAL("Failed to load AFL_FRIDA_PERSISTENT_HOOK (%s)", hook_name); int (*afl_persistent_hook_init_ptr)(void) = dlsym(hook_obj, "afl_persistent_hook_init"); if (afl_persistent_hook_init_ptr == NULL) - FATAL("Failed to find afl_persistent_hook_init in %s", hook_name); + FFATAL("Failed to find afl_persistent_hook_init in %s", hook_name); if (afl_persistent_hook_init_ptr() == 0) - FATAL("afl_persistent_hook_init returned a failure"); + FFATAL("afl_persistent_hook_init returned a failure"); persistent_hook = (afl_persistent_hook_fn)dlsym(hook_obj, "afl_persistent_hook"); if (persistent_hook == NULL) - FATAL("Failed to find afl_persistent_hook in %s", hook_name); + FFATAL("Failed to find afl_persistent_hook in %s", hook_name); } void persistent_init(void) { - OKF("Instrumentation - persistent mode [%c] (0x%016" G_GINT64_MODIFIER "X)", - persistent_start == 0 ? ' ' : 'X', persistent_start); - OKF("Instrumentation - persistent count [%c] (%" G_GINT64_MODIFIER "d)", - persistent_start == 0 ? ' ' : 'X', persistent_count); - OKF("Instrumentation - hook [%s]", hook_name); + FOKF("Instrumentation - persistent mode [%c] (0x%016" G_GINT64_MODIFIER "X)", + persistent_start == 0 ? ' ' : 'X', persistent_start); + FOKF("Instrumentation - persistent count [%c] (%" G_GINT64_MODIFIER "d)", + persistent_start == 0 ? ' ' : 'X', persistent_count); + FOKF("Instrumentation - hook [%s]", hook_name); - OKF("Instrumentation - persistent ret [%c] (0x%016" G_GINT64_MODIFIER "X)", - persistent_ret == 0 ? ' ' : 'X', persistent_ret); + FOKF("Instrumentation - persistent ret [%c] (0x%016" G_GINT64_MODIFIER "X)", + persistent_ret == 0 ? ' ' : 'X', persistent_ret); if (persistent_hook != NULL) { __afl_sharedmem_fuzzing = 1; } @@ -88,7 +87,7 @@ void persistent_init(void) { void persistent_prologue(GumStalkerOutput *output) { - OKF("AFL_FRIDA_PERSISTENT_ADDR reached"); + FOKF("AFL_FRIDA_PERSISTENT_ADDR reached"); entry_compiled = TRUE; ranges_exclude(); stalker_trust(); @@ -98,7 +97,7 @@ void persistent_prologue(GumStalkerOutput *output) { void persistent_epilogue(GumStalkerOutput *output) { - OKF("AFL_FRIDA_PERSISTENT_RET reached"); + FOKF("AFL_FRIDA_PERSISTENT_RET reached"); persistent_epilogue_arch(output); } diff --git a/frida_mode/src/persistent/persistent_arm32.c b/frida_mode/src/persistent/persistent_arm32.c index 769f1505..b4e50897 100644 --- a/frida_mode/src/persistent/persistent_arm32.c +++ b/frida_mode/src/persistent/persistent_arm32.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "persistent.h" #include "util.h" @@ -64,14 +62,14 @@ gboolean persistent_is_supported(void) { void persistent_prologue_arch(GumStalkerOutput *output) { UNUSED_PARAMETER(output); - FATAL("Persistent mode not supported on this architecture"); + FFATAL("Persistent mode not supported on this architecture"); } void persistent_epilogue_arch(GumStalkerOutput *output) { UNUSED_PARAMETER(output); - FATAL("Persistent mode not supported on this architecture"); + FFATAL("Persistent mode not supported on this architecture"); } diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c index 3cd61cd5..c9159ca1 100644 --- a/frida_mode/src/persistent/persistent_arm64.c +++ b/frida_mode/src/persistent/persistent_arm64.c @@ -2,7 +2,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "instrument.h" #include "persistent.h" @@ -325,7 +324,7 @@ void persistent_prologue_arch(GumStalkerOutput *output) { gconstpointer loop = cw->code + 1; - OKF("Persistent loop reached"); + FOKF("Persistent loop reached"); instrument_persitent_save_regs(cw, &saved_regs); diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c index c0bd9a09..8cbde633 100644 --- a/frida_mode/src/persistent/persistent_x64.c +++ b/frida_mode/src/persistent/persistent_x64.c @@ -2,7 +2,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "instrument.h" #include "persistent.h" @@ -270,7 +269,7 @@ void persistent_prologue_arch(GumStalkerOutput *output) { gconstpointer loop = cw->code + 1; - OKF("Persistent loop reached"); + FOKF("Persistent loop reached"); /* Pop the return value */ gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, 8); diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c index b911676a..902274b3 100644 --- a/frida_mode/src/persistent/persistent_x86.c +++ b/frida_mode/src/persistent/persistent_x86.c @@ -1,7 +1,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "instrument.h" #include "persistent.h" @@ -210,7 +209,7 @@ void persistent_prologue_arch(GumStalkerOutput *output) { gconstpointer loop = cw->code + 1; - OKF("Persistent loop reached"); + FOKF("Persistent loop reached"); /* Pop the return value */ gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, 4); diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c index 1ddbd5ed..8c9ce94d 100644 --- a/frida_mode/src/prefetch.c +++ b/frida_mode/src/prefetch.c @@ -4,8 +4,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "entry.h" #include "intercept.h" #include "prefetch.h" @@ -122,7 +120,7 @@ static void prefetch_read_patches(void) { if (prefetch_data->backpatch_size - offset < size) { - FATAL("Incomplete backpatch entry"); + FFATAL("Incomplete backpatch entry"); } @@ -180,9 +178,9 @@ static void prefetch_hook_fork(void) { void prefetch_init(void) { - OKF("Instrumentation - prefetch [%c]", prefetch_enable ? 'X' : ' '); - OKF("Instrumentation - prefetch_backpatch [%c]", - prefetch_backpatch ? 'X' : ' '); + FOKF("Instrumentation - prefetch [%c]", prefetch_enable ? 'X' : ' '); + FOKF("Instrumentation - prefetch_backpatch [%c]", + prefetch_backpatch ? 'X' : ' '); if (!prefetch_enable) { return; } /* @@ -194,7 +192,7 @@ void prefetch_init(void) { shmget(IPC_PRIVATE, sizeof(prefetch_data_t), IPC_CREAT | IPC_EXCL | 0600); if (prefetch_shm_id < 0) { - FATAL("prefetch_shm_id < 0 - errno: %d\n", errno); + FFATAL("prefetch_shm_id < 0 - errno: %d\n", errno); } @@ -206,7 +204,7 @@ void prefetch_init(void) { */ if (shmctl(prefetch_shm_id, IPC_RMID, NULL) < 0) { - FATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); + FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); } diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c index 1b666fce..027417ee 100644 --- a/frida_mode/src/ranges.c +++ b/frida_mode/src/ranges.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "lib.h" #include "ranges.h" #include "stalker.h" @@ -37,8 +35,8 @@ static void convert_address_token(gchar *token, GumMemoryRange *range) { if (token_count != 2) { - FATAL("Invalid range (should have two addresses seperated by a '-'): %s\n", - token); + FFATAL("Invalid range (should have two addresses seperated by a '-'): %s\n", + token); } @@ -47,15 +45,15 @@ static void convert_address_token(gchar *token, GumMemoryRange *range) { if (!g_str_has_prefix(from_str, "0x")) { - FATAL("Invalid range: %s - Start address should have 0x prefix: %s\n", - token, from_str); + FFATAL("Invalid range: %s - Start address should have 0x prefix: %s\n", + token, from_str); } if (!g_str_has_prefix(to_str, "0x")) { - FATAL("Invalid range: %s - End address should have 0x prefix: %s\n", token, - to_str); + FFATAL("Invalid range: %s - End address should have 0x prefix: %s\n", token, + to_str); } @@ -66,8 +64,8 @@ static void convert_address_token(gchar *token, GumMemoryRange *range) { if (!g_ascii_isxdigit(*c)) { - FATAL("Invalid range: %s - Start address not formed of hex digits: %s\n", - token, from_str); + FFATAL("Invalid range: %s - Start address not formed of hex digits: %s\n", + token, from_str); } @@ -77,8 +75,8 @@ static void convert_address_token(gchar *token, GumMemoryRange *range) { if (!g_ascii_isxdigit(*c)) { - FATAL("Invalid range: %s - End address not formed of hex digits: %s\n", - token, to_str); + FFATAL("Invalid range: %s - End address not formed of hex digits: %s\n", + token, to_str); } @@ -87,24 +85,25 @@ static void convert_address_token(gchar *token, GumMemoryRange *range) { guint64 from = g_ascii_strtoull(from_str, NULL, 16); if (from == 0) { - FATAL("Invalid range: %s - Start failed hex conversion: %s\n", token, - from_str); + FFATAL("Invalid range: %s - Start failed hex conversion: %s\n", token, + from_str); } guint64 to = g_ascii_strtoull(to_str, NULL, 16); if (to == 0) { - FATAL("Invalid range: %s - End failed hex conversion: %s\n", token, to_str); + FFATAL("Invalid range: %s - End failed hex conversion: %s\n", token, + to_str); } if (from >= to) { - FATAL("Invalid range: %s - Start (0x%016" G_GINT64_MODIFIER - "x) must be less than end " - "(0x%016" G_GINT64_MODIFIER "x)\n", - token, from, to); + FFATAL("Invalid range: %s - Start (0x%016" G_GINT64_MODIFIER + "x) must be less than end " + "(0x%016" G_GINT64_MODIFIER "x)\n", + token, from, to); } @@ -123,10 +122,10 @@ static gboolean convert_name_token_for_module(const GumModuleDetails *details, if (!g_str_has_suffix(details->path, ctx->suffix)) { return true; }; - OKF("Found module - prefix: %s, 0x%016" G_GINT64_MODIFIER - "x-0x%016" G_GINT64_MODIFIER "x %s", - ctx->suffix, details->range->base_address, - details->range->base_address + details->range->size, details->path); + FOKF("Found module - prefix: %s, 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x %s", + ctx->suffix, details->range->base_address, + details->range->base_address + details->range->size, details->path); *ctx->range = *details->range; ctx->done = true; @@ -140,7 +139,7 @@ static void convert_name_token(gchar *token, GumMemoryRange *range) { convert_name_ctx_t ctx = {.suffix = suffix, .range = range, .done = false}; gum_process_enumerate_modules(convert_name_token_for_module, &ctx); - if (!ctx.done) { FATAL("Failed to resolve module: %s\n", token); } + if (!ctx.done) { FFATAL("Failed to resolve module: %s\n", token); } g_free(suffix); } @@ -159,9 +158,9 @@ static void convert_token(gchar *token, GumMemoryRange *range) { } - OKF("Converted token: %s -> 0x%016" G_GINT64_MODIFIER - "x-0x%016" G_GINT64_MODIFIER "x\n", - token, range->base_address, range->base_address + range->size); + FOKF("Converted token: %s -> 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x\n", + token, range->base_address, range->base_address + range->size); } @@ -179,24 +178,24 @@ static gboolean print_ranges_callback(const GumRangeDetails *details, if (details->file == NULL) { - OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER - "X %c%c%c", - details->range->base_address, - details->range->base_address + details->range->size, - details->protection & GUM_PAGE_READ ? 'R' : '-', - details->protection & GUM_PAGE_WRITE ? 'W' : '-', - details->protection & GUM_PAGE_EXECUTE ? 'X' : '-'); + FOKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER + "X %c%c%c", + details->range->base_address, + details->range->base_address + details->range->size, + details->protection & GUM_PAGE_READ ? 'R' : '-', + details->protection & GUM_PAGE_WRITE ? 'W' : '-', + details->protection & GUM_PAGE_EXECUTE ? 'X' : '-'); } else { - OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER - "X %c%c%c %s(0x%016" G_GINT64_MODIFIER "x)", - details->range->base_address, - details->range->base_address + details->range->size, - details->protection & GUM_PAGE_READ ? 'R' : '-', - details->protection & GUM_PAGE_WRITE ? 'W' : '-', - details->protection & GUM_PAGE_EXECUTE ? 'X' : '-', details->file->path, - details->file->offset); + FOKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER + "X %c%c%c %s(0x%016" G_GINT64_MODIFIER "x)", + details->range->base_address, + details->range->base_address + details->range->size, + details->protection & GUM_PAGE_READ ? 'R' : '-', + details->protection & GUM_PAGE_WRITE ? 'W' : '-', + details->protection & GUM_PAGE_EXECUTE ? 'X' : '-', + details->file->path, details->file->offset); } @@ -206,14 +205,14 @@ static gboolean print_ranges_callback(const GumRangeDetails *details, static void print_ranges(char *key, GArray *ranges) { - OKF("Range: %s Length: %d", key, ranges->len); + FOKF("Range: %s Length: %d", key, ranges->len); for (guint i = 0; i < ranges->len; i++) { GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i); GumAddress curr_limit = curr->base_address + curr->size; - OKF("Range: %s Idx: %3d - 0x%016" G_GINT64_MODIFIER - "x-0x%016" G_GINT64_MODIFIER "x", - key, i, curr->base_address, curr_limit); + FOKF("Range: %s Idx: %3d - 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x", + key, i, curr->base_address, curr_limit); } @@ -250,10 +249,10 @@ static void check_for_overlaps(GArray *array) { GumAddress curr_limit = curr->base_address + curr->size; if (prev_limit > curr->base_address) { - FATAL("OVerlapping ranges 0x%016" G_GINT64_MODIFIER - "x-0x%016" G_GINT64_MODIFIER "x 0x%016" G_GINT64_MODIFIER - "x-0x%016" G_GINT64_MODIFIER "x", - prev->base_address, prev_limit, curr->base_address, curr_limit); + FFATAL("OVerlapping ranges 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x", + prev->base_address, prev_limit, curr->base_address, curr_limit); } @@ -577,13 +576,13 @@ void ranges_init(void) { GArray * step4; GArray * step5; - OKF("Ranges - Instrument jit [%c]", ranges_inst_jit ? 'X' : ' '); - OKF("Ranges - Instrument libraries [%c]", ranges_inst_libs ? 'X' : ' '); + FOKF("Ranges - Instrument jit [%c]", ranges_inst_jit ? 'X' : ' '); + FOKF("Ranges - Instrument libraries [%c]", ranges_inst_libs ? 'X' : ' '); print_ranges("AFL_FRIDA_INST_RANGES", include_ranges); print_ranges("AFL_FRIDA_EXCLUDE_RANGES", exclude_ranges); - OKF("Ranges - Instrument libraries [%c]", ranges_inst_libs ? 'X' : ' '); + FOKF("Ranges - Instrument libraries [%c]", ranges_inst_libs ? 'X' : ' '); print_ranges("AFL_FRIDA_INST_RANGES", include_ranges); print_ranges("AFL_FRIDA_EXCLUDE_RANGES", exclude_ranges); @@ -660,7 +659,7 @@ void ranges_exclude() { GumMemoryRange *r; GumStalker * stalker = stalker_get(); - OKF("Excluding ranges"); + FOKF("Excluding ranges"); for (guint i = 0; i < ranges->len; i++) { diff --git a/frida_mode/src/seccomp/seccomp.c b/frida_mode/src/seccomp/seccomp.c index 99111591..9d8fdd5d 100644 --- a/frida_mode/src/seccomp/seccomp.c +++ b/frida_mode/src/seccomp/seccomp.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "seccomp.h" #include "util.h" @@ -12,7 +10,7 @@ void seccomp_on_fork(void) { if (seccomp_filename == NULL) { return; } #ifdef __APPLE__ - FATAL("Seccomp not supported on OSX"); + FFATAL("Seccomp not supported on OSX"); #else seccomp_callback_parent(); #endif @@ -27,12 +25,12 @@ void seccomp_config(void) { void seccomp_init(void) { - OKF("Seccomp - file [%s]", seccomp_filename); + FOKF("Seccomp - file [%s]", seccomp_filename); if (seccomp_filename == NULL) { return; } #ifdef __APPLE__ - FATAL("Seccomp not supported on OSX"); + FFATAL("Seccomp not supported on OSX"); #else seccomp_callback_initialize(); #endif diff --git a/frida_mode/src/seccomp/seccomp_atomic.c b/frida_mode/src/seccomp/seccomp_atomic.c index c2042f97..18cb6724 100644 --- a/frida_mode/src/seccomp/seccomp_atomic.c +++ b/frida_mode/src/seccomp/seccomp_atomic.c @@ -3,13 +3,13 @@ #include #include - #include "debug.h" + #include "util.h" void seccomp_atomic_set(volatile bool *ptr, bool val) { if (!__sync_bool_compare_and_swap(ptr, !val, val)) { - FATAL("Failed to set event"); + FFATAL("Failed to set event"); } diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c index ac0fb8bb..f7aaf78b 100644 --- a/frida_mode/src/seccomp/seccomp_callback.c +++ b/frida_mode/src/seccomp/seccomp_callback.c @@ -6,8 +6,7 @@ #include #include "seccomp.h" - - #include "debug.h" + #include "util.h" static void seccomp_callback_filter(struct seccomp_notif * req, struct seccomp_notif_resp *resp, @@ -35,7 +34,7 @@ static void seccomp_callback_filter(struct seccomp_notif * req, #if !defined(__MUSL__) seccomp_print("FRAMES: (%u)\n", frames->len); char **syms = backtrace_symbols(frames->items, frames->len); - if (syms == NULL) { FATAL("Failed to get symbols"); } + if (syms == NULL) { FFATAL("Failed to get symbols"); } for (guint i = 0; i < frames->len; i++) { @@ -84,7 +83,7 @@ static void seccomp_callback_child(int signal_parent, void *ctx) { int sock_fd = *((int *)ctx); int fd = seccomp_socket_recv(sock_fd); - if (close(sock_fd) < 0) { FATAL("child - close"); } + if (close(sock_fd) < 0) { FFATAL("child - close"); } seccomp_event_signal(signal_parent); seccomp_filter_child_install(); @@ -101,18 +100,18 @@ void seccomp_callback_parent(void) { seccomp_socket_create(sock); seccomp_child_run(seccomp_callback_child, sock, &child, &child_fd); - if (dup2(child_fd, SECCOMP_PARENT_EVENT_FD) < 0) { FATAL("dup2"); } + if (dup2(child_fd, SECCOMP_PARENT_EVENT_FD) < 0) { FFATAL("dup2"); } - if (close(child_fd) < 0) { FATAL("seccomp_on_fork - close (1)"); } + if (close(child_fd) < 0) { FFATAL("seccomp_on_fork - close (1)"); } - if (close(sock[STDIN_FILENO]) < 0) { FATAL("grandparent - close (2)"); } + if (close(sock[STDIN_FILENO]) < 0) { FFATAL("grandparent - close (2)"); } int fd = seccomp_filter_install(child); seccomp_socket_send(sock[STDOUT_FILENO], fd); - if (close(sock[STDOUT_FILENO]) < 0) { FATAL("grandparent - close (3)"); } + if (close(sock[STDOUT_FILENO]) < 0) { FFATAL("grandparent - close (3)"); } - if (close(fd) < 0) { FATAL("grandparent - close (4)"); } + if (close(fd) < 0) { FFATAL("grandparent - close (4)"); } seccomp_child_wait(SECCOMP_PARENT_EVENT_FD); @@ -125,18 +124,18 @@ void seccomp_callback_initialize(void) { path = g_canonicalize_filename(seccomp_filename, g_get_current_dir()); - OKF("Seccomp - path [%s]", path); + FOKF("Seccomp - path [%s]", path); fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); if (dup2(fd, SECCOMP_OUTPUT_FILE_FD) < 0) { - FATAL("Failed to duplicate seccomp output file"); + FFATAL("Failed to duplicate seccomp output file"); } - if (close(fd) < 0) { FATAL("Failed to close seccomp output file fd"); } + if (close(fd) < 0) { FFATAL("Failed to close seccomp output file fd"); } g_free(path); diff --git a/frida_mode/src/seccomp/seccomp_child.c b/frida_mode/src/seccomp/seccomp_child.c index 43a79894..c02ef67c 100644 --- a/frida_mode/src/seccomp/seccomp_child.c +++ b/frida_mode/src/seccomp/seccomp_child.c @@ -10,9 +10,8 @@ #include #include - #include "debug.h" - #include "seccomp.h" + #include "util.h" #define SECCOMP_CHILD_STACK_SIZE (1UL << 20) @@ -51,11 +50,11 @@ void seccomp_child_run(seccomp_child_func_t child_func, void *ctx, pid_t *child, char *stack = (char *)mmap(NULL, SECCOMP_CHILD_STACK_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); - if (stack == MAP_FAILED) { FATAL("mmap"); } + if (stack == MAP_FAILED) { FFATAL("mmap"); } pid_t child_pid = clone(seccomp_child_func, &stack[SECCOMP_CHILD_STACK_SIZE], flags, child_ctx, NULL, NULL, NULL); - if (child_pid < 0) { FATAL("clone"); } + if (child_pid < 0) { FFATAL("clone"); } if (child != NULL) { *child = child_pid; } if (event_fd != NULL) { *event_fd = fd; } diff --git a/frida_mode/src/seccomp/seccomp_event.c b/frida_mode/src/seccomp/seccomp_event.c index e2f592ca..aca0967a 100644 --- a/frida_mode/src/seccomp/seccomp_event.c +++ b/frida_mode/src/seccomp/seccomp_event.c @@ -5,14 +5,13 @@ #include #include - #include "debug.h" - #include "seccomp.h" + #include "util.h" int seccomp_event_create(void) { int fd = syscall(SYS_eventfd, 0, 0); - if (fd < 0) { FATAL("seccomp_event_create"); } + if (fd < 0) { FFATAL("seccomp_event_create"); } return fd; } @@ -22,7 +21,7 @@ void seccomp_event_signal(int fd) { uint64_t val = 1; if (write(fd, &val, sizeof(uint64_t)) != sizeof(uint64_t)) { - FATAL("seccomp_event_signal"); + FFATAL("seccomp_event_signal"); } @@ -33,7 +32,7 @@ void seccomp_event_wait(int fd) { uint64_t val = 1; if (read(fd, &val, sizeof(uint64_t)) != sizeof(uint64_t)) { - FATAL("seccomp_event_wait"); + FFATAL("seccomp_event_wait"); } @@ -41,7 +40,7 @@ void seccomp_event_wait(int fd) { void seccomp_event_destroy(int fd) { - if (close(fd) < 0) { FATAL("seccomp_event_destroy"); } + if (close(fd) < 0) { FFATAL("seccomp_event_destroy"); } } diff --git a/frida_mode/src/seccomp/seccomp_filter.c b/frida_mode/src/seccomp/seccomp_filter.c index 0dcc4cbb..a7c0926c 100644 --- a/frida_mode/src/seccomp/seccomp_filter.c +++ b/frida_mode/src/seccomp/seccomp_filter.c @@ -17,8 +17,6 @@ #include #include - #include "debug.h" - #include "frida-gumjs.h" #include "seccomp.h" @@ -159,7 +157,7 @@ static void seccomp_filter_parent_handler(int sig, siginfo_t *info, if (syscall(SYS_tgkill, seccomp_filter_child, seccomp_filter_child, SIGUSR1) < 0) { - FATAL("kill"); + FFATAL("kill"); } @@ -172,7 +170,7 @@ void seccomp_filter_child_install(void) { const struct sigaction sa = {.sa_sigaction = seccomp_filter_child_handler, .sa_flags = SA_SIGINFO | SA_RESTART}; - if (sigaction(SIGUSR1, &sa, NULL) < 0) { FATAL("sigaction"); } + if (sigaction(SIGUSR1, &sa, NULL) < 0) { FFATAL("sigaction"); } } @@ -187,17 +185,17 @@ int seccomp_filter_install(pid_t child) { .len = sizeof(filter) / sizeof(struct sock_filter), .filter = filter}; - if (sigaction(SIGUSR1, &sa, NULL) < 0) { FATAL("sigaction"); } + if (sigaction(SIGUSR1, &sa, NULL) < 0) { FFATAL("sigaction"); } if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { - FATAL("PR_SET_NO_NEW_PRIVS %d", errno); + FFATAL("PR_SET_NO_NEW_PRIVS %d", errno); } int fd = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &filter_prog); - if (fd < 0) { FATAL("SYS_seccomp %d", fd); } + if (fd < 0) { FFATAL("SYS_seccomp %d", fd); } return fd; @@ -211,19 +209,19 @@ void seccomp_filter_run(int fd, seccomp_filter_callback_t callback) { if (syscall(SYS_seccomp, SECCOMP_GET_NOTIF_SIZES, 0, &sizes) == -1) { - FATAL("seccomp-SECCOMP_GET_NOTIF_SIZES"); + FFATAL("seccomp-SECCOMP_GET_NOTIF_SIZES"); } if (sizes.seccomp_notif != sizeof(struct seccomp_notif)) { - FATAL("size - seccomp_notif"); + FFATAL("size - seccomp_notif"); } if (sizes.seccomp_notif_resp != sizeof(struct seccomp_notif_resp)) { - FATAL("size - seccomp_notif"); + FFATAL("size - seccomp_notif"); } @@ -237,7 +235,7 @@ void seccomp_filter_run(int fd, seccomp_filter_callback_t callback) { if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0) { if (errno == EINTR) { continue; } - FATAL("SECCOMP_IOCTL_NOTIF_RECV: %d\n", fd); + FFATAL("SECCOMP_IOCTL_NOTIF_RECV: %d\n", fd); } @@ -247,14 +245,14 @@ void seccomp_filter_run(int fd, seccomp_filter_callback_t callback) { } else { - if (kill(req->pid, SIGUSR1) < 0) { FATAL("kill"); } + if (kill(req->pid, SIGUSR1) < 0) { FFATAL("kill"); } } if (ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0) { if (errno == ENOENT) { continue; } - OKF("SECCOMP_IOCTL_NOTIF_SEND"); + FOKF("SECCOMP_IOCTL_NOTIF_SEND"); continue; } diff --git a/frida_mode/src/seccomp/seccomp_socket.c b/frida_mode/src/seccomp/seccomp_socket.c index ef937420..a01e88ee 100644 --- a/frida_mode/src/seccomp/seccomp_socket.c +++ b/frida_mode/src/seccomp/seccomp_socket.c @@ -5,9 +5,8 @@ #include #include - #include "debug.h" - #include "seccomp.h" + #include "util.h" union cmsg { @@ -21,31 +20,31 @@ void seccomp_socket_create(int *sock) { int tmp_sock[2] = {-1, -1}; if (socketpair(AF_UNIX, SOCK_STREAM, 0, tmp_sock) < 0) { - FATAL("socketpair"); + FFATAL("socketpair"); } if (dup2(tmp_sock[STDIN_FILENO], SECCOMP_SOCKET_RECV_FD) < 0) { - FATAL("seccomp_socket_create - dup2 (1)"); + FFATAL("seccomp_socket_create - dup2 (1)"); } if (dup2(tmp_sock[STDOUT_FILENO], SECCOMP_SOCKET_SEND_FD) < 0) { - FATAL("seccomp_socket_create - dup2 (1)"); + FFATAL("seccomp_socket_create - dup2 (1)"); } if (close(tmp_sock[STDIN_FILENO]) < 0) { - FATAL("seccomp_socket_create - close (1)"); + FFATAL("seccomp_socket_create - close (1)"); } if (close(tmp_sock[STDOUT_FILENO]) < 0) { - FATAL("seccomp_socket_create - close (2)"); + FFATAL("seccomp_socket_create - close (2)"); } @@ -76,7 +75,7 @@ void seccomp_socket_send(int sockfd, int fd) { memcpy(CMSG_DATA(&control_msg.hdr), &fd, sizeof(int)); - if (sendmsg(sockfd, &message, 0) == -1) { FATAL("sendmsg"); } + if (sendmsg(sockfd, &message, 0) == -1) { FFATAL("sendmsg"); } } @@ -95,23 +94,23 @@ int seccomp_socket_recv(int sockfd) { int fd; - if (recvmsg(sockfd, &message, 0) < 0) { FATAL("recvmsg"); } + if (recvmsg(sockfd, &message, 0) < 0) { FFATAL("recvmsg"); } if (control_msg.hdr.cmsg_len != CMSG_LEN(sizeof(int))) { - FATAL("control_msg.hdr.cmsg_len"); + FFATAL("control_msg.hdr.cmsg_len"); } if (control_msg.hdr.cmsg_level != SOL_SOCKET) { - FATAL("control_msg.hdr.cmsg_level"); + FFATAL("control_msg.hdr.cmsg_level"); } if (control_msg.hdr.cmsg_type != SCM_RIGHTS) { - FATAL("control_msg.hdr.cmsg_type"); + FFATAL("control_msg.hdr.cmsg_type"); } diff --git a/frida_mode/src/seccomp/seccomp_syscall.c b/frida_mode/src/seccomp/seccomp_syscall.c index 8335b93c..2eac1af3 100644 --- a/frida_mode/src/seccomp/seccomp_syscall.c +++ b/frida_mode/src/seccomp/seccomp_syscall.c @@ -3,9 +3,8 @@ #include #include - #include "debug.h" - #include "seccomp.h" + #include "util.h" typedef struct { @@ -324,10 +323,10 @@ static syscall_entry_t seccomp_syscall_table[] = { char *seccomp_syscall_lookup(int id) { - if (id < 0) { FATAL("Invalid id: %d", id); } + if (id < 0) { FFATAL("Invalid id: %d", id); } if ((uint32_t)id >= sizeof(seccomp_syscall_table) / sizeof(syscall_entry_t)) { - FATAL("Invalid id: %d", id); + FFATAL("Invalid id: %d", id); } diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c index 6ba41bc6..35a9d856 100644 --- a/frida_mode/src/stalker.c +++ b/frida_mode/src/stalker.c @@ -1,4 +1,3 @@ -#include "debug.h" #include "instrument.h" #include "prefetch.h" @@ -57,7 +56,7 @@ static void gum_afl_stalker_observer_init(GumAflStalkerObserver *self) { void stalker_config(void) { - if (!gum_stalker_is_supported()) { FATAL("Failed to initialize embedded"); } + if (!gum_stalker_is_supported()) { FFATAL("Failed to initialize embedded"); } backpatch_enable = (getenv("AFL_FRIDA_INST_NO_BACKPATCH") == NULL); @@ -90,14 +89,14 @@ static gboolean stalker_exclude_self(const GumRangeDetails *details, void stalker_init(void) { - OKF("Instrumentation - backpatch [%c]", backpatch_enable ? 'X' : ' '); + FOKF("Instrumentation - backpatch [%c]", backpatch_enable ? 'X' : ' '); - OKF("Stalker - ic_entries [%u]", stalker_ic_entries); + FOKF("Stalker - ic_entries [%u]", stalker_ic_entries); #if !(defined(__x86_64__) || defined(__i386__)) if (stalker_ic_entries != 0) { - FATAL("AFL_FRIDA_STALKER_IC_ENTRIES not supported"); + FFATAL("AFL_FRIDA_STALKER_IC_ENTRIES not supported"); } @@ -112,7 +111,7 @@ void stalker_init(void) { stalker = gum_stalker_new(); #endif - if (stalker == NULL) { FATAL("Failed to initialize stalker"); } + if (stalker == NULL) { FFATAL("Failed to initialize stalker"); } gum_stalker_set_trust_threshold(stalker, -1); @@ -123,7 +122,7 @@ void stalker_init(void) { GumStalker *stalker_get(void) { - if (stalker == NULL) { FATAL("Stalker uninitialized"); } + if (stalker == NULL) { FFATAL("Stalker uninitialized"); } return stalker; } @@ -145,7 +144,7 @@ void stalker_trust(void) { GumStalkerObserver *stalker_get_observer(void) { - if (observer == NULL) { FATAL("Stalker not yet initialized"); } + if (observer == NULL) { FFATAL("Stalker not yet initialized"); } return GUM_STALKER_OBSERVER(observer); } diff --git a/frida_mode/src/stats/stats.c b/frida_mode/src/stats/stats.c index 7972b881..a61834d6 100644 --- a/frida_mode/src/stats/stats.c +++ b/frida_mode/src/stats/stats.c @@ -8,7 +8,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "util.h" #include "entry.h" @@ -330,12 +329,12 @@ void stats_config(void) { void stats_init(void) { - OKF("Stats - file [%s]", stats_filename); - OKF("Stats - interval [%" G_GINT64_MODIFIER "u]", stats_interval); + FOKF("Stats - file [%s]", stats_filename); + FOKF("Stats - interval [%" G_GINT64_MODIFIER "u]", stats_interval); if (stats_interval != 0 && stats_filename == NULL) { - FATAL( + FFATAL( "AFL_FRIDA_STATS_FILE must be specified if " "AFL_FRIDA_STATS_INTERVAL is"); @@ -348,18 +347,18 @@ void stats_init(void) { char *path = g_canonicalize_filename(stats_filename, g_get_current_dir()); - OKF("Stats - path [%s]", path); + FOKF("Stats - path [%s]", path); stats_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); - if (stats_fd < 0) { FATAL("Failed to open stats file '%s'", path); } + if (stats_fd < 0) { FFATAL("Failed to open stats file '%s'", path); } g_free(path); int shm_id = shmget(IPC_PRIVATE, sizeof(stats_data_t), IPC_CREAT | IPC_EXCL | 0600); - if (shm_id < 0) { FATAL("shm_id < 0 - errno: %d\n", errno); } + if (shm_id < 0) { FFATAL("shm_id < 0 - errno: %d\n", errno); } stats_data = shmat(shm_id, NULL, 0); g_assert(stats_data != MAP_FAILED); @@ -372,7 +371,7 @@ void stats_init(void) { */ if (shmctl(shm_id, IPC_RMID, NULL) < 0) { - FATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); + FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); } diff --git a/frida_mode/src/stats/stats_arm32.c b/frida_mode/src/stats/stats_arm32.c index 5860d33b..bd652aa3 100644 --- a/frida_mode/src/stats/stats_arm32.c +++ b/frida_mode/src/stats/stats_arm32.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "stats.h" #include "util.h" @@ -9,13 +7,13 @@ void starts_arch_init(void) { - FATAL("Stats not supported on this architecture"); + FFATAL("Stats not supported on this architecture"); } void stats_write_arch(stats_data_t *data) { - FATAL("Stats not supported on this architecture"); + FFATAL("Stats not supported on this architecture"); } @@ -23,7 +21,7 @@ void stats_collect_arch(const cs_insn *instr, gboolean begin) { UNUSED_PARAMETER(instr); UNUSED_PARAMETER(begin); - FATAL("Stats not supported on this architecture"); + FFATAL("Stats not supported on this architecture"); } diff --git a/frida_mode/src/stats/stats_arm64.c b/frida_mode/src/stats/stats_arm64.c index 54b3faf1..313ab47a 100644 --- a/frida_mode/src/stats/stats_arm64.c +++ b/frida_mode/src/stats/stats_arm64.c @@ -3,8 +3,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "ranges.h" #include "stats.h" #include "util.h" @@ -48,7 +46,7 @@ void starts_arch_init(void) { int shm_id = shmget(IPC_PRIVATE, sizeof(stats_data_arch_t), IPC_CREAT | IPC_EXCL | 0600); - if (shm_id < 0) { FATAL("shm_id < 0 - errno: %d\n", errno); } + if (shm_id < 0) { FFATAL("shm_id < 0 - errno: %d\n", errno); } stats_data_arch = shmat(shm_id, NULL, 0); g_assert(stats_data_arch != MAP_FAILED); @@ -58,7 +56,7 @@ void starts_arch_init(void) { */ if (shmctl(shm_id, IPC_RMID, NULL) < 0) { - FATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); + FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); } diff --git a/frida_mode/src/stats/stats_x86_64.c b/frida_mode/src/stats/stats_x86_64.c index ab914951..0bfe3baa 100644 --- a/frida_mode/src/stats/stats_x86_64.c +++ b/frida_mode/src/stats/stats_x86_64.c @@ -3,8 +3,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "ranges.h" #include "stats.h" #include "util.h" @@ -50,7 +48,7 @@ void starts_arch_init(void) { int shm_id = shmget(IPC_PRIVATE, sizeof(stats_data_arch_t), IPC_CREAT | IPC_EXCL | 0600); - if (shm_id < 0) { FATAL("shm_id < 0 - errno: %d\n", errno); } + if (shm_id < 0) { FFATAL("shm_id < 0 - errno: %d\n", errno); } stats_data_arch = shmat(shm_id, NULL, 0); g_assert(stats_data_arch != MAP_FAILED); @@ -60,7 +58,7 @@ void starts_arch_init(void) { */ if (shmctl(shm_id, IPC_RMID, NULL) < 0) { - FATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); + FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); } @@ -255,8 +253,8 @@ static x86_op_type stats_get_operand_type(const cs_insn *instr) { if (x86->op_count != 1) { - FATAL("Unexpected operand count (%d): %s %s\n", x86->op_count, - instr->mnemonic, instr->op_str); + FFATAL("Unexpected operand count (%d): %s %s\n", x86->op_count, + instr->mnemonic, instr->op_str); } @@ -295,7 +293,7 @@ static void stats_collect_call_arch(const cs_insn *instr) { stats_data_arch->num_call_mem++; break; default: - FATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str); + FFATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str); } @@ -316,7 +314,7 @@ static void stats_collect_jump_arch(const cs_insn *instr) { stats_data_arch->num_jmp_mem++; break; default: - FATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str); + FFATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str); } @@ -337,7 +335,7 @@ static void stats_collect_jump_cond_arch(const cs_insn *instr) { stats_data_arch->num_jmp_cond_mem++; break; default: - FATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str); + FFATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str); } diff --git a/frida_mode/src/util.c b/frida_mode/src/util.c index 09e8a58b..2b0f7be6 100644 --- a/frida_mode/src/util.c +++ b/frida_mode/src/util.c @@ -1,7 +1,5 @@ #include "util.h" -#include "debug.h" - guint64 util_read_address(char *key) { char *value_str = getenv(key); @@ -66,3 +64,19 @@ guint64 util_read_num(char *key) { } +gboolean util_output_enabled(void) { + + static gboolean initialized = FALSE; + static gboolean enabled = TRUE; + + if (!initialized) { + + initialized = TRUE; + if (getenv("AFL_DEBUG_CHILD") == NULL) { enabled = FALSE; } + + } + + return enabled; + +} + -- cgit 1.4.1 From af02fa1670db6d19feaf0a3e54d9d8013ad3312f Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 18 Nov 2021 17:08:39 +0000 Subject: Improve JS bindings for hooking functions --- frida_mode/Scripting.md | 333 ++++++++++++++++++++++++++++------------- frida_mode/frida.map | 1 + frida_mode/include/js.h | 3 + frida_mode/src/js/api.js | 10 +- frida_mode/src/js/js.c | 3 +- frida_mode/src/js/js_api.c | 7 + frida_mode/src/main.c | 20 ++- frida_mode/test/js/GNUmakefile | 12 ++ frida_mode/test/js/main.js | 44 ++++++ frida_mode/ts/lib/afl.ts | 23 ++- 10 files changed, 337 insertions(+), 119 deletions(-) create mode 100644 frida_mode/test/js/main.js (limited to 'frida_mode/src/main.c') diff --git a/frida_mode/Scripting.md b/frida_mode/Scripting.md index 691b03d1..2ee0c858 100644 --- a/frida_mode/Scripting.md +++ b/frida_mode/Scripting.md @@ -246,7 +246,7 @@ FRIDA mode supports the replacement of any function, with an implementation generated by CModule. This allows for a bespoke harness to be written as follows: -``` +```js const slow = DebugSymbol.fromName('slow').address; Afl.print(`slow: ${slow}`); @@ -281,13 +281,90 @@ Afl.done(); Here, we replace the function `slow` with our own code. This code is then selected as the entry point as well as the persistent loop address. -**WARNING** There are two key limitations in replacing a function in this way: -- The function which is to be replaced must not be `main` this is because this -is the point at which FRIDA mode is initialized and at the point the the JS has -been run, the start of the `main` function has already been instrumented and -cached. -- The replacement function must not call itself. e.g. in this example we -couldn't replace `LLVMFuzzerTestOneInput` and call itself. +## Replacing LLVMFuzzerTestOneInput +The function `LLVMFuzzerTestOneInput` can be replaced just like any other. Also +any replaced function can also call itself. In the example below, we replace +`LLVMFuzzerTestOneInput` with `My_LLVMFuzzerTestOneInput` which ignores the +parameters `buf` and `len` and then calls the original `LLVMFuzzerTestOneInput` +with the paramaters `__afl_fuzz_ptr` and `__afl_fuzz_len`. This allows us to +carry out in-memory fuzzing without the need for any hook function. It should be +noted that the replacement function and the original can *NOT* share the same +name, since otherwise the `C` code in the `CModule` will not compile due to a +symbol name collision. + +```js +const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; +Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`); + +const cm = new CModule(` + + extern unsigned char * __afl_fuzz_ptr; + extern unsigned int * __afl_fuzz_len; + extern void LLVMFuzzerTestOneInput(char *buf, int len); + + void My_LLVMFuzzerTestOneInput(char *buf, int len) { + + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + + } + `, + { + LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput, + __afl_fuzz_ptr: Afl.getAflFuzzPtr(), + __afl_fuzz_len: Afl.getAflFuzzLen() + }); + +Afl.setEntryPoint(cm.My_LLVMFuzzerTestOneInput); +Afl.setPersistentAddress(cm.My_LLVMFuzzerTestOneInput); +Afl.setInMemoryFuzzing(); +Interceptor.replace(LLVMFuzzerTestOneInput, cm.My_LLVMFuzzerTestOneInput); +``` + +## Hooking `main` +Lastly, it should be noted that using FRIDA mode's scripting support to hook +the `main` function is a special case. This is because the `main` function is +already hooked by the FRIDA mode engine itself and hence the function `main` (or +at least the first basic block already been compiled by Stalker ready for +execution). Hence any attempt to use `Interceptor.replace` like in the example +above will not work. Instead the JS bindings provide a function `setJsMainHook` +for just this scenario as demonstrated in the example below. + +```js +const main = DebugSymbol.fromName('main').address; +Afl.print(`main: ${main}`); + +const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; +Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`); + +const cm = new CModule(` + + extern unsigned char * __afl_fuzz_ptr; + extern unsigned int * __afl_fuzz_len; + extern void LLVMFuzzerTestOneInput(char *buf, int len); + + int main(int argc, char **argv) { + + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + + } + `, + { + LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput, + __afl_fuzz_ptr: Afl.getAflFuzzPtr(), + __afl_fuzz_len: Afl.getAflFuzzLen() + }); + +Afl.setEntryPoint(cm.main); +Afl.setPersistentAddress(cm.main); +Afl.setInMemoryFuzzing(); +Afl.setJsMainHook(cm.main); +``` +## Library Fuzzing + +It doesn't take too much imagination to see that the above example can be +extended to use FRIDA's `Module.load` API so that the replaced `main` function +can then call an arbitrary function. In this way, if we have a library which we +wish to fuzz rather than an execuatble, then a surrogate executable can be used. # Patching Consider the [following](test/js/test2.c) test code... @@ -620,41 +697,31 @@ value of the `-t` flag passed to `afl-fuzz`. # API ```js class Afl { - - /** - * Field containing the `Module` object for `afl-frida-trace.so` (the FRIDA mode - * implementation). - */ - public static module: Module = Process.getModuleByName("afl-frida-trace.so"); - /** * This is equivalent to setting a value in `AFL_FRIDA_EXCLUDE_RANGES`, * it takes as arguments a `NativePointer` and a `number`. It can be * called multiple times to exclude several ranges. */ - public static addExcludedRange(addressess: NativePointer, size: number): void { - Afl.jsApiAddExcludeRange(addressess, size); + static addExcludedRange(addressess, size) { + Afl.jsApiAddExcludeRange(addressess, size); } - /** * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`, * it takes as arguments a `NativePointer` and a `number`. It can be * called multiple times to include several ranges. */ - public static addIncludedRange(addressess: NativePointer, size: number): void { - Afl.jsApiAddIncludeRange(addressess, size); + static addIncludedRange(addressess, size) { + Afl.jsApiAddIncludeRange(addressess, size); } - /** * This must always be called at the end of your script. This lets * FRIDA mode know that your configuration is finished and that * execution has reached the end of your script. Failure to call * this will result in a fatal error. */ - public static done(): void { - Afl.jsApiDone(); + static done() { + Afl.jsApiDone(); } - /** * This function can be called within your script to cause FRIDA * mode to trigger a fatal error. This is useful if for example you @@ -662,49 +729,48 @@ class Afl { * stop. The user will need to enable `AFL_DEBUG_CHILD=1` to view * this error message. */ - public static error(msg: string): void { - const buf = Memory.allocUtf8String(msg); - Afl.jsApiError(buf); + static error(msg) { + const buf = Memory.allocUtf8String(msg); + Afl.jsApiError(buf); } - /** * Function used to provide access to `__afl_fuzz_ptr`, which contains the length of * fuzzing data when using in-memory test case fuzzing. */ - public static getAflFuzzLen(): NativePointer { - - return Afl.jsApiGetSymbol("__afl_fuzz_len"); + static getAflFuzzLen() { + return Afl.jsApiGetSymbol("__afl_fuzz_len"); } - /** * Function used to provide access to `__afl_fuzz_ptr`, which contains the fuzzing * data when using in-memory test case fuzzing. */ - public static getAflFuzzPtr(): NativePointer { - - return Afl.jsApiGetSymbol("__afl_fuzz_ptr"); + static getAflFuzzPtr() { + return Afl.jsApiGetSymbol("__afl_fuzz_ptr"); } - /** * Print a message to the STDOUT. This should be preferred to * FRIDA's `console.log` since FRIDA will queue it's log messages. * If `console.log` is used in a callback in particular, then there * may no longer be a thread running to service this queue. */ - public static print(msg: string): void { - const STDOUT_FILENO = 2; - const log = `${msg}\n`; - const buf = Memory.allocUtf8String(log); - Afl.jsApiWrite(STDOUT_FILENO, buf, log.length); + static print(msg) { + const STDOUT_FILENO = 2; + const log = `${msg}\n`; + const buf = Memory.allocUtf8String(log); + Afl.jsApiWrite(STDOUT_FILENO, buf, log.length); + } + /** + * See `AFL_FRIDA_INST_NO_BACKPATCH`. + */ + static setBackpatchDisable() { + Afl.jsApiSetBackpatchDisable(); } - /** * See `AFL_FRIDA_DEBUG_MAPS`. */ - public static setDebugMaps(): void { - Afl.jsApiSetDebugMaps(); + static setDebugMaps() { + Afl.jsApiSetDebugMaps(); } - /** * This has the same effect as setting `AFL_ENTRYPOINT`, but has the * convenience of allowing you to use FRIDAs APIs to determine the @@ -713,143 +779,198 @@ class Afl { * function should be called with a `NativePointer` as its * argument. */ - public static setEntryPoint(address: NativePointer): void { - Afl.jsApiSetEntryPoint(address); + static setEntryPoint(address) { + Afl.jsApiSetEntryPoint(address); } - /** * Function used to enable in-memory test cases for fuzzing. */ - public static setInMemoryFuzzing(): void { - Afl.jsApiAflSharedMemFuzzing.writeInt(1); + static setInMemoryFuzzing() { + Afl.jsApiAflSharedMemFuzzing.writeInt(1); + } + /** + * See `AFL_FRIDA_INST_COVERAGE_FILE`. This function takes a single `string` + * as an argument. + */ + static setInstrumentCoverageFile(file) { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetInstrumentCoverageFile(buf); } - /** * See `AFL_FRIDA_INST_DEBUG_FILE`. This function takes a single `string` as * an argument. */ - public static setInstrumentDebugFile(file: string): void { - const buf = Memory.allocUtf8String(file); - Afl.jsApiSetInstrumentDebugFile(buf); + static setInstrumentDebugFile(file) { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetInstrumentDebugFile(buf); } - /** * See `AFL_FRIDA_INST_TRACE`. */ - public static setInstrumentEnableTracing(): void { - Afl.jsApiSetInstrumentTrace(); + static setInstrumentEnableTracing() { + Afl.jsApiSetInstrumentTrace(); + } + /** + * See `AFL_FRIDA_INST_JIT`. + */ + static setInstrumentJit() { + Afl.jsApiSetInstrumentJit(); } - /** * See `AFL_INST_LIBS`. */ - public static setInstrumentLibraries(): void { - Afl.jsApiSetInstrumentLibraries(); + static setInstrumentLibraries() { + Afl.jsApiSetInstrumentLibraries(); } - /** * See `AFL_FRIDA_INST_NO_OPTIMIZE` */ - public static setInstrumentNoOptimize(): void { - Afl.jsApiSetInstrumentNoOptimize(); + static setInstrumentNoOptimize() { + Afl.jsApiSetInstrumentNoOptimize(); + } + /* + * See `AFL_FRIDA_INST_SEED` + */ + static setInstrumentSeed(seed) { + Afl.jsApiSetInstrumentSeed(seed); } - /** * See `AFL_FRIDA_INST_TRACE_UNIQUE`. */ - public static setInstrumentTracingUnique(): void { - Afl.jsApiSetInstrumentTraceUnique(); + static setInstrumentTracingUnique() { + Afl.jsApiSetInstrumentTraceUnique(); + } + /** + * See `AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE`. This function takes a single + * `string` as an argument. + */ + static setInstrumentUnstableCoverageFile(file) { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetInstrumentUnstableCoverageFile(buf); + } + /* + * Set a callback to be called in place of the usual `main` function. This see + * `Scripting.md` for details. + */ + static setJsMainHook(address) { + Afl.jsApiSetJsMainHook(address); } - /** * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a * `NativePointer` should be provided as it's argument. */ - public static setPersistentAddress(address: NativePointer): void { - Afl.jsApiSetPersistentAddress(address); + static setPersistentAddress(address) { + Afl.jsApiSetPersistentAddress(address); } - /** * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a * `number` should be provided as it's argument. */ - public static setPersistentCount(count: number): void { - Afl.jsApiSetPersistentCount(count); + static setPersistentCount(count) { + Afl.jsApiSetPersistentCount(count); } - /** * See `AFL_FRIDA_PERSISTENT_DEBUG`. */ - public static setPersistentDebug(): void { - Afl.jsApiSetPersistentDebug(); + static setPersistentDebug() { + Afl.jsApiSetPersistentDebug(); } - /** * See `AFL_FRIDA_PERSISTENT_ADDR`. This function takes a NativePointer as an * argument. See above for examples of use. */ - public static setPersistentHook(address: NativePointer): void { - Afl.jsApiSetPersistentHook(address); + static setPersistentHook(address) { + Afl.jsApiSetPersistentHook(address); } - /** * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a * `NativePointer` should be provided as it's argument. */ - public static setPersistentReturn(address: NativePointer): void { - Afl.jsApiSetPersistentReturn(address); + static setPersistentReturn(address) { + Afl.jsApiSetPersistentReturn(address); + } + /** + * See `AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH`. + */ + static setPrefetchBackpatchDisable() { + Afl.jsApiSetPrefetchBackpatchDisable(); } - /** * See `AFL_FRIDA_INST_NO_PREFETCH`. */ - public static setPrefetchDisable(): void { - Afl.jsApiSetPrefetchDisable(); + static setPrefetchDisable() { + Afl.jsApiSetPrefetchDisable(); + } + /** + * See `AFL_FRIDA_SECCOMP_FILE`. This function takes a single `string` as + * an argument. + */ + static setSeccompFile(file) { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetSeccompFile(buf); + } + /** + * See `AFL_FRIDA_STALKER_ADJACENT_BLOCKS`. + */ + static setStalkerAdjacentBlocks(val) { + Afl.jsApiSetStalkerAdjacentBlocks(val); } - /* - * Set a function to be called for each instruction which is instrumented - * by AFL FRIDA mode. + * Set a function to be called for each instruction which is instrumented + * by AFL FRIDA mode. + */ + static setStalkerCallback(callback) { + Afl.jsApiSetStalkerCallback(callback); + } + /** + * See `AFL_FRIDA_STALKER_IC_ENTRIES`. */ - public static setStalkerCallback(callback: NativePointer): void { - Afl.jsApiSetStalkerCallback(callback); + static setStalkerIcEntries(val) { + Afl.jsApiSetStalkerIcEntries(val); } - /** * See `AFL_FRIDA_STATS_FILE`. This function takes a single `string` as * an argument. */ - public static setStatsFile(file: string): void { - const buf = Memory.allocUtf8String(file); - Afl.jsApiSetStatsFile(buf); + static setStatsFile(file) { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetStatsFile(buf); } - /** * See `AFL_FRIDA_STATS_INTERVAL`. This function takes a `number` as an * argument */ - public static setStatsInterval(interval: number): void { - Afl.jsApiSetStatsInterval(interval); + static setStatsInterval(interval) { + Afl.jsApiSetStatsInterval(interval); } - /** * See `AFL_FRIDA_OUTPUT_STDERR`. This function takes a single `string` as * an argument. */ - public static setStdErr(file: string): void { - const buf = Memory.allocUtf8String(file); - Afl.jsApiSetStdErr(buf); + static setStdErr(file) { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetStdErr(buf); } - /** * See `AFL_FRIDA_OUTPUT_STDOUT`. This function takes a single `string` as * an argument. */ - public static setStdOut(file: string): void { - const buf = Memory.allocUtf8String(file); - Afl.jsApiSetStdOut(buf); + static setStdOut(file) { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetStdOut(buf); + } + /** + * See `AFL_FRIDA_TRACEABLE`. + */ + static setTraceable() { + Afl.jsApiSetTraceable(); + } + static jsApiGetFunction(name, retType, argTypes) { + const addr = Afl.module.getExportByName(name); + return new NativeFunction(addr, retType, argTypes); + } + static jsApiGetSymbol(name) { + return Afl.module.getExportByName(name); } - } - ``` diff --git a/frida_mode/frida.map b/frida_mode/frida.map index 61eb19ee..5276db91 100644 --- a/frida_mode/frida.map +++ b/frida_mode/frida.map @@ -20,6 +20,7 @@ js_api_set_instrument_trace; js_api_set_instrument_trace_unique; js_api_set_instrument_unstable_coverage_file; + js_api_set_js_main_hook; js_api_set_persistent_address; js_api_set_persistent_count; js_api_set_persistent_debug; diff --git a/frida_mode/include/js.h b/frida_mode/include/js.h index a5ecb712..39aa0573 100644 --- a/frida_mode/include/js.h +++ b/frida_mode/include/js.h @@ -7,11 +7,14 @@ typedef gboolean (*js_api_stalker_callback_t)(const cs_insn *insn, gboolean begin, gboolean excluded, GumStalkerOutput *output); +typedef int (*js_main_hook_t)(int argc, char **argv, char **envp); + extern unsigned char api_js[]; extern unsigned int api_js_len; extern gboolean js_done; extern js_api_stalker_callback_t js_user_callback; +extern js_main_hook_t js_main_hook; /* Frida Mode */ diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js index 8e810d09..215fbdaf 100644 --- a/frida_mode/src/js/api.js +++ b/frida_mode/src/js/api.js @@ -151,6 +151,13 @@ class Afl { const buf = Memory.allocUtf8String(file); Afl.jsApiSetInstrumentUnstableCoverageFile(buf); } + /* + * Set a callback to be called in place of the usual `main` function. This see + * `Scripting.md` for details. + */ + static setJsMainHook(address) { + Afl.jsApiSetJsMainHook(address); + } /** * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a * `NativePointer` should be provided as it's argument. @@ -291,6 +298,7 @@ Afl.jsApiSetInstrumentSeed = Afl.jsApiGetFunction("js_api_set_instrument_seed", Afl.jsApiSetInstrumentTrace = Afl.jsApiGetFunction("js_api_set_instrument_trace", "void", []); Afl.jsApiSetInstrumentTraceUnique = Afl.jsApiGetFunction("js_api_set_instrument_trace_unique", "void", []); Afl.jsApiSetInstrumentUnstableCoverageFile = Afl.jsApiGetFunction("js_api_set_instrument_unstable_coverage_file", "void", ["pointer"]); +Afl.jsApiSetJsMainHook = Afl.jsApiGetFunction("js_api_set_js_main_hook", "void", ["pointer"]); Afl.jsApiSetPersistentAddress = Afl.jsApiGetFunction("js_api_set_persistent_address", "void", ["pointer"]); Afl.jsApiSetPersistentCount = Afl.jsApiGetFunction("js_api_set_persistent_count", "void", ["uint64"]); Afl.jsApiSetPersistentDebug = Afl.jsApiGetFunction("js_api_set_persistent_debug", "void", []); @@ -299,8 +307,8 @@ Afl.jsApiSetPersistentReturn = Afl.jsApiGetFunction("js_api_set_persistent_retur Afl.jsApiSetPrefetchBackpatchDisable = Afl.jsApiGetFunction("js_api_set_prefetch_backpatch_disable", "void", []); Afl.jsApiSetPrefetchDisable = Afl.jsApiGetFunction("js_api_set_prefetch_disable", "void", []); Afl.jsApiSetSeccompFile = Afl.jsApiGetFunction("js_api_set_seccomp_file", "void", ["pointer"]); -Afl.jsApiSetStalkerCallback = Afl.jsApiGetFunction("js_api_set_stalker_callback", "void", ["pointer"]); Afl.jsApiSetStalkerAdjacentBlocks = Afl.jsApiGetFunction("js_api_set_stalker_adjacent_blocks", "void", ["uint32"]); +Afl.jsApiSetStalkerCallback = Afl.jsApiGetFunction("js_api_set_stalker_callback", "void", ["pointer"]); Afl.jsApiSetStalkerIcEntries = Afl.jsApiGetFunction("js_api_set_stalker_ic_entries", "void", ["uint32"]); Afl.jsApiSetStatsFile = Afl.jsApiGetFunction("js_api_set_stats_file", "void", ["pointer"]); Afl.jsApiSetStatsInterval = Afl.jsApiGetFunction("js_api_set_stats_interval", "void", ["uint64"]); diff --git a/frida_mode/src/js/js.c b/frida_mode/src/js/js.c index 37cd377b..5f477388 100644 --- a/frida_mode/src/js/js.c +++ b/frida_mode/src/js/js.c @@ -3,10 +3,11 @@ #include "js.h" #include "util.h" -static char * js_script = NULL; gboolean js_done = FALSE; js_api_stalker_callback_t js_user_callback = NULL; +js_main_hook_t js_main_hook = NULL; +static char * js_script = NULL; static gchar * filename = "afl.js"; static gchar * contents; static GumScriptBackend * backend; diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index 4221fb80..5021b531 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -255,3 +255,10 @@ __attribute__((visibility("default"))) void js_api_set_stalker_adjacent_blocks( } +__attribute__((visibility("default"))) void js_api_set_js_main_hook( + const js_main_hook_t hook) { + + js_main_hook = hook; + +} + diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index cb88eabe..913e3a46 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -36,13 +36,13 @@ extern mach_port_t mach_task_self(); extern GumAddress gum_darwin_find_entrypoint(mach_port_t task); #else -extern int __libc_start_main(int *(main)(int, char **, char **), int argc, +extern int __libc_start_main(int (*main)(int, char **, char **), int argc, char **ubp_av, void (*init)(void), void (*fini)(void), void (*rtld_fini)(void), void(*stack_end)); #endif -typedef int *(*main_fn_t)(int argc, char **argv, char **envp); +typedef int (*main_fn_t)(int argc, char **argv, char **envp); static main_fn_t main_fn = NULL; @@ -217,7 +217,7 @@ __attribute__((visibility("default"))) void afl_frida_start(void) { } -static int *on_main(int argc, char **argv, char **envp) { +static int on_main(int argc, char **argv, char **envp) { on_main_os(argc, argv, envp); @@ -225,12 +225,20 @@ static int *on_main(int argc, char **argv, char **envp) { afl_frida_start(); - return main_fn(argc, argv, envp); + if (js_main_hook != NULL) { + + return js_main_hook(argc, argv, envp); + + } else { + + return main_fn(argc, argv, envp); + + } } #if defined(EMBEDDED) -extern int *main(int argc, char **argv, char **envp); +extern int main(int argc, char **argv, char **envp); static void intercept_main(void) { @@ -253,7 +261,7 @@ static void intercept_main(void) { } #else -static int on_libc_start_main(int *(main)(int, char **, char **), int argc, +static int on_libc_start_main(int (*main)(int, char **, char **), int argc, char **ubp_av, void (*init)(void), void (*fini)(void), void (*rtld_fini)(void), void(*stack_end)) { diff --git a/frida_mode/test/js/GNUmakefile b/frida_mode/test/js/GNUmakefile index ccd990c0..c702ad98 100644 --- a/frida_mode/test/js/GNUmakefile +++ b/frida_mode/test/js/GNUmakefile @@ -47,6 +47,18 @@ $(AFLPP_DRIVER_DUMMY_INPUT): | $(BUILD_DIR) clean: rm -rf $(BUILD_DIR) +frida_js_main: $(TESTINSTBIN) $(TEST_DATA_FILE) $(AFLPP_DRIVER_DUMMY_INPUT) + AFL_PRELOAD=$(AFL_PRELOAD) \ + AFL_FRIDA_JS_SCRIPT=main.js \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -t 10000+ \ + -- \ + $(TESTINSTBIN) $(AFLPP_DRIVER_DUMMY_INPUT) + frida_js_fuzz: $(TESTINSTBIN) $(TEST_DATA_FILE) $(AFLPP_DRIVER_DUMMY_INPUT) AFL_PRELOAD=$(AFL_PRELOAD) \ AFL_FRIDA_JS_SCRIPT=fuzz.js \ diff --git a/frida_mode/test/js/main.js b/frida_mode/test/js/main.js new file mode 100644 index 00000000..06306fc4 --- /dev/null +++ b/frida_mode/test/js/main.js @@ -0,0 +1,44 @@ +Afl.print('******************'); +Afl.print('* AFL FRIDA MODE *'); +Afl.print('******************'); +Afl.print(''); + +Afl.print(`PID: ${Process.id}`); + +const name = Process.enumerateModules()[0].name; +Afl.print(`Name: ${name}`); + +new ModuleMap().values().forEach(m => { + Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); +}); + +const main = DebugSymbol.fromName('main').address; +Afl.print(`main: ${main}`); + +const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; +Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`); + +const cm = new CModule(` + + extern unsigned char * __afl_fuzz_ptr; + extern unsigned int * __afl_fuzz_len; + extern void LLVMFuzzerTestOneInput(char *buf, int len); + + int main(int argc, char **argv) { + + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + + } + `, + { + LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput, + __afl_fuzz_ptr: Afl.getAflFuzzPtr(), + __afl_fuzz_len: Afl.getAflFuzzLen() + }); + +Afl.setEntryPoint(cm.main); +Afl.setPersistentAddress(cm.main); +Afl.setInMemoryFuzzing(); +Afl.setJsMainHook(cm.main); +Afl.print("done"); +Afl.done(); diff --git a/frida_mode/ts/lib/afl.ts b/frida_mode/ts/lib/afl.ts index e20ad3ec..0473cbf6 100644 --- a/frida_mode/ts/lib/afl.ts +++ b/frida_mode/ts/lib/afl.ts @@ -179,6 +179,14 @@ class Afl { Afl.jsApiSetInstrumentUnstableCoverageFile(buf); } + /* + * Set a callback to be called in place of the usual `main` function. This see + * `Scripting.md` for details. + */ + public static setJsMainHook(address: NativePointer): void { + Afl.jsApiSetJsMainHook(address); + } + /** * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a * `NativePointer` should be provided as it's argument. @@ -387,6 +395,11 @@ class Afl { "void", ["pointer"]); + private static readonly jsApiSetJsMainHook = Afl.jsApiGetFunction( + "js_api_set_js_main_hook", + "void", + ["pointer"]); + private static readonly jsApiSetPersistentAddress = Afl.jsApiGetFunction( "js_api_set_persistent_address", "void", @@ -427,16 +440,16 @@ class Afl { "void", ["pointer"]); - private static readonly jsApiSetStalkerCallback = Afl.jsApiGetFunction( - "js_api_set_stalker_callback", - "void", - ["pointer"]); - private static readonly jsApiSetStalkerAdjacentBlocks = Afl.jsApiGetFunction( "js_api_set_stalker_adjacent_blocks", "void", ["uint32"]); + private static readonly jsApiSetStalkerCallback = Afl.jsApiGetFunction( + "js_api_set_stalker_callback", + "void", + ["pointer"]); + private static readonly jsApiSetStalkerIcEntries = Afl.jsApiGetFunction( "js_api_set_stalker_ic_entries", "void", -- cgit 1.4.1 From 0fbaaa4b32c803972fb2343188e6f0f9c1f7dc76 Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 2 Dec 2021 17:23:07 +0000 Subject: Fixes for arm32 --- frida_mode/GNUmakefile | 26 ++++++++++++++++++-------- frida_mode/include/instrument.h | 3 ++- frida_mode/src/instrument/instrument.c | 15 ++++++++++++++- frida_mode/src/instrument/instrument_arm32.c | 10 +++++++++- frida_mode/src/instrument/instrument_debug.c | 20 +++++++++++++++----- frida_mode/src/main.c | 8 ++++++-- 6 files changed, 64 insertions(+), 18 deletions(-) (limited to 'frida_mode/src/main.c') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index 52439979..2186517e 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -45,6 +45,11 @@ FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/ FRIDA_TRACE:=$(BUILD_DIR)afl-frida-trace.so FRIDA_TRACE_EMBEDDED:=$(BUILD_DIR)afl-frida-trace-embedded +TARGET_CC?=$(CC) +TARGET_CXX?=$(CXX) +HOST_CC?=$(CC) +HOST_CXX?=$(CXX) + ifndef ARCH ARCH=$(shell uname -m) @@ -99,6 +104,11 @@ ifneq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" "" endif endif +ifeq "$(ARCH)" "armhf" + TARGET_CC:=arm-linux-gnueabihf-gcc + TARGET_CXX:=arm-linux-gnueabihf-g++ +endif + ifndef OS $(error "Operating system unsupported") endif @@ -188,7 +198,7 @@ $(GUM_DEVIT_HEADER): $(GUM_DEVKIT_TARBALL) ############################## AFL ############################################# $(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC) - $(CC) \ + $(TARGET_CC) \ $(CFLAGS) \ $(AFL_CFLAGS) \ -I $(ROOT) \ @@ -197,7 +207,7 @@ $(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC) -c $< $(AFL_PERFORMANCE_OBJ): $(AFL_PERFORMANCE_SRC) - $(CC) \ + $(TARGET_CC) \ $(CFLAGS) \ $(AFL_CFLAGS) \ -I $(ROOT) \ @@ -208,13 +218,13 @@ $(AFL_PERFORMANCE_OBJ): $(AFL_PERFORMANCE_SRC) ############################### JS ############################################# $(BIN2C): $(BIN2C_SRC) - $(CC) -D_GNU_SOURCE -o $@ $< + $(HOST_CC) -D_GNU_SOURCE -o $@ $< $(JS_SRC): $(JS) $(BIN2C)| $(BUILD_DIR) cd $(JS_DIR) && $(BIN2C) api_js $(JS) $@ $(JS_OBJ): $(JS_SRC) GNUmakefile - $(CC) \ + $(TARGET_CC) \ $(CFLAGS) \ -I $(ROOT)include \ -I $(FRIDA_BUILD_DIR) \ @@ -226,7 +236,7 @@ $(JS_OBJ): $(JS_SRC) GNUmakefile define BUILD_SOURCE $(2): $(1) $(INCLUDES) GNUmakefile | $(OBJ_DIR) - $(CC) \ + $(TARGET_CC) \ $(CFLAGS) \ -I $(ROOT)include \ -I $(FRIDA_BUILD_DIR) \ @@ -240,7 +250,7 @@ $(foreach src,$(SOURCES),$(eval $(call BUILD_SOURCE,$(src),$(OBJ_DIR)$(notdir $( ######################## AFL-FRIDA-TRACE ####################################### $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL_COMPILER_RT_OBJ) $(AFL_PERFORMANCE_OBJ) GNUmakefile | $(BUILD_DIR) - $(CXX) \ + $(TARGET_CXX) \ $(OBJS) \ $(JS_OBJ) \ $(GUM_DEVIT_LIBRARY) \ @@ -255,10 +265,10 @@ $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL ############################# HOOK ############################################# $(AFLPP_FRIDA_DRIVER_HOOK_OBJ): $(AFLPP_FRIDA_DRIVER_HOOK_SRC) $(GUM_DEVIT_HEADER) | $(BUILD_DIR) - $(CC) $(CFLAGS) $(LDFLAGS) -I $(FRIDA_BUILD_DIR) $< -o $@ + $(TARGET_CC) $(CFLAGS) $(LDFLAGS) -I $(FRIDA_BUILD_DIR) $< -o $@ $(AFLPP_QEMU_DRIVER_HOOK_OBJ): $(AFLPP_QEMU_DRIVER_HOOK_SRC) | $(BUILD_DIR) - $(CC) $(CFLAGS) $(LDFLAGS) $< -o $@ + $(TARGET_CC) $(CFLAGS) $(LDFLAGS) $< -o $@ hook: $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index cac5ee93..a5d52616 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -36,7 +36,8 @@ void instrument_coverage_optimize(const cs_insn * instr, void instrument_debug_config(void); void instrument_debug_init(void); void instrument_debug_start(uint64_t address, GumStalkerOutput *output); -void instrument_debug_instruction(uint64_t address, uint16_t size); +void instrument_debug_instruction(uint64_t address, uint16_t size, + GumStalkerOutput *output); void instrument_debug_end(GumStalkerOutput *output); void instrument_flush(GumStalkerOutput *output); gpointer instrument_cur(GumStalkerOutput *output); diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 414dc84c..8ee21f5b 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -193,7 +193,20 @@ static void instrument_basic_block(GumStalkerIterator *iterator, instrument_debug_start(instr->address, output); instrument_coverage_start(instr->address); +#if defined(__arm__) + if (output->encoding == GUM_INSTRUCTION_SPECIAL) { + + prefetch_write(GSIZE_TO_POINTER(instr->address + 1)); + + } else { + + prefetch_write(GSIZE_TO_POINTER(instr->address)); + + } + +#else prefetch_write(GSIZE_TO_POINTER(instr->address)); +#endif if (likely(!excluded)) { @@ -213,7 +226,7 @@ static void instrument_basic_block(GumStalkerIterator *iterator, } - instrument_debug_instruction(instr->address, instr->size); + instrument_debug_instruction(instr->address, instr->size, output); if (likely(!excluded)) { diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index fa8b0bd2..16e8eaab 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -28,7 +28,15 @@ void instrument_coverage_optimize_init(void) { void instrument_flush(GumStalkerOutput *output) { - gum_arm_writer_flush(output->writer.arm); + if (output->encoding == GUM_INSTRUCTION_SPECIAL) { + + gum_thumb_writer_flush(output->writer.thumb); + + } else { + + gum_arm_writer_flush(output->writer.arm); + + } } diff --git a/frida_mode/src/instrument/instrument_debug.c b/frida_mode/src/instrument/instrument_debug.c index a175b585..9c95857f 100644 --- a/frida_mode/src/instrument/instrument_debug.c +++ b/frida_mode/src/instrument/instrument_debug.c @@ -32,18 +32,27 @@ static void instrument_debug(char *format, ...) { } -static void instrument_disasm(guint8 *start, guint8 *end) { +static void instrument_disasm(guint8 *start, guint8 *end, + GumStalkerOutput *output) { csh capstone; cs_err err; + cs_mode mode; uint16_t size; cs_insn *insn; size_t count = 0; size_t i; uint16_t len; + mode = GUM_DEFAULT_CS_MODE | GUM_DEFAULT_CS_ENDIAN; + +#if defined(__arm__) + if (output->encoding == GUM_INSTRUCTION_SPECIAL) { mode |= CS_MODE_THUMB; } +#endif + err = cs_open(GUM_DEFAULT_CS_ARCH, - GUM_DEFAULT_CS_MODE | GUM_DEFAULT_CS_ENDIAN, &capstone); + CS_MODE_THUMB | GUM_DEFAULT_CS_MODE | GUM_DEFAULT_CS_ENDIAN, + &capstone); g_assert(err == CS_ERR_OK); size = GPOINTER_TO_SIZE(end) - GPOINTER_TO_SIZE(start); @@ -121,11 +130,12 @@ void instrument_debug_start(uint64_t address, GumStalkerOutput *output) { } -void instrument_debug_instruction(uint64_t address, uint16_t size) { +void instrument_debug_instruction(uint64_t address, uint16_t size, + GumStalkerOutput *output) { if (likely(debugging_fd < 0)) { return; } uint8_t *start = (uint8_t *)GSIZE_TO_POINTER(address); - instrument_disasm(start, start + size); + instrument_disasm(start, start + size, output); } @@ -136,7 +146,7 @@ void instrument_debug_end(GumStalkerOutput *output) { instrument_debug("\nGenerated block %p-%p\n", instrument_gen_start, instrument_gen_end); - instrument_disasm(instrument_gen_start, instrument_gen_end); + instrument_disasm(instrument_gen_start, instrument_gen_end, output); } diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index 913e3a46..1be63bc4 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -219,6 +219,8 @@ __attribute__((visibility("default"))) void afl_frida_start(void) { static int on_main(int argc, char **argv, char **envp) { + int ret; + on_main_os(argc, argv, envp); intercept_unhook_self(); @@ -227,14 +229,16 @@ static int on_main(int argc, char **argv, char **envp) { if (js_main_hook != NULL) { - return js_main_hook(argc, argv, envp); + ret = js_main_hook(argc, argv, envp); } else { - return main_fn(argc, argv, envp); + ret = main_fn(argc, argv, envp); } + return ret; + } #if defined(EMBEDDED) -- cgit 1.4.1