From 9586c77174bea63e25159b52848be87918966b03 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 1 Sep 2021 19:07:05 +0100 Subject: Fixes to build on Ubuntu 18.04 --- frida_mode/src/instrument/instrument_coverage.c | 1 - frida_mode/src/seccomp/seccomp.c | 136 ++---------------------- frida_mode/src/seccomp/seccomp_atomic.c | 4 + frida_mode/src/seccomp/seccomp_callback.c | 120 +++++++++++++++++++++ frida_mode/src/seccomp/seccomp_child.c | 6 +- frida_mode/src/seccomp/seccomp_event.c | 8 +- frida_mode/src/seccomp/seccomp_filter.c | 15 ++- frida_mode/src/seccomp/seccomp_print.c | 30 ++++++ frida_mode/src/seccomp/seccomp_socket.c | 4 + frida_mode/src/seccomp/seccomp_syscall.c | 4 + 10 files changed, 194 insertions(+), 134 deletions(-) create mode 100644 frida_mode/src/seccomp/seccomp_callback.c create mode 100644 frida_mode/src/seccomp/seccomp_print.c (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_coverage.c b/frida_mode/src/instrument/instrument_coverage.c index 46c816bc..513df29a 100644 --- a/frida_mode/src/instrument/instrument_coverage.c +++ b/frida_mode/src/instrument/instrument_coverage.c @@ -711,7 +711,6 @@ void instrument_coverage_normal_init(void) { void instrument_coverage_unstable_find_output(void) { - pid_t parent = getpid(); gchar *fds_name = g_strdup_printf("/proc/%d/fd/", getppid()); gchar *root = g_file_read_link("/proc/self/root", NULL); diff --git a/frida_mode/src/seccomp/seccomp.c b/frida_mode/src/seccomp/seccomp.c index 7683cd71..99111591 100644 --- a/frida_mode/src/seccomp/seccomp.c +++ b/frida_mode/src/seccomp/seccomp.c @@ -1,9 +1,3 @@ -#include -#include -#include -#include -#include - #include "frida-gumjs.h" #include "debug.h" @@ -13,111 +7,15 @@ char *seccomp_filename = NULL; -static void seccomp_vprint(int fd, char *format, va_list ap) { - - char buffer[4096] = {0}; - int len; - - if (vsnprintf(buffer, sizeof(buffer) - 1, format, ap) < 0) { return; } - - len = strnlen(buffer, sizeof(buffer)); - IGNORED_RETURN(write(fd, buffer, len)); - -} - -void seccomp_print(char *format, ...) { - - va_list ap; - va_start(ap, format); - seccomp_vprint(SECCOMP_OUTPUT_FILE_FD, format, ap); - va_end(ap); - -} - -static void seccomp_filter_callback(struct seccomp_notif * req, - struct seccomp_notif_resp *resp, - GumReturnAddressArray * frames) { - - GumDebugSymbolDetails details = {0}; - if (req->data.nr == SYS_OPENAT) { - - seccomp_print("SYS_OPENAT: (%s)\n", (char *)req->data.args[1]); - - } - - seccomp_print( - "\nID (%#llx) for PID %d - %d (%s) [0x%llx 0x%llx 0x%llx 0x%llx 0x%llx " - "0x%llx ]\n", - req->id, req->pid, req->data.nr, seccomp_syscall_lookup(req->data.nr), - req->data.args[0], req->data.args[1], req->data.args[2], - req->data.args[3], req->data.args[4], req->data.args[5]); - - seccomp_print("FRAMES: (%u)\n", frames->len); - char **syms = backtrace_symbols(frames->items, frames->len); - if (syms == NULL) { FATAL("Failed to get symbols"); } - - for (guint i = 0; i < frames->len; i++) { - - if (gum_symbol_details_from_address(frames->items[i], &details)) { - - seccomp_print("\t%3d. %s!%s\n", i, details.module_name, - details.symbol_name); - - } else { - - seccomp_print("\t%3d. %s\n", i, syms[i]); - - } - - } - - free(syms); - - resp->error = 0; - resp->val = 0; - resp->id = req->id; - resp->flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE; - -} - -static void seccomp_child(int signal_parent, void *ctx) { - - int sock_fd = *((int *)ctx); - int fd = seccomp_socket_recv(sock_fd); - - if (close(sock_fd) < 0) { FATAL("child - close"); } - - seccomp_event_signal(signal_parent); - seccomp_filter_child_install(); - seccomp_filter_run(fd, seccomp_filter_callback); - -} - void seccomp_on_fork(void) { - int sock[2] = {-1, -1}; - pid_t child = -1; - int child_fd = -1; - if (seccomp_filename == NULL) { return; } - seccomp_socket_create(sock); - seccomp_child_run(seccomp_child, sock, &child, &child_fd); - - if (dup2(child_fd, SECCOMP_PARENT_EVENT_FD) < 0) { FATAL("dup2"); } - - if (close(child_fd) < 0) { FATAL("seccomp_on_fork - close (1)"); } - - if (close(sock[STDIN_FILENO]) < 0) { FATAL("grandparent - close (2)"); } - - int fd = seccomp_filter_install(child); - seccomp_socket_send(sock[STDOUT_FILENO], fd); - - if (close(sock[STDOUT_FILENO]) < 0) { FATAL("grandparent - close (3)"); } - - if (close(fd) < 0) { FATAL("grandparent - close (4)"); } - - seccomp_child_wait(SECCOMP_PARENT_EVENT_FD); +#ifdef __APPLE__ + FATAL("Seccomp not supported on OSX"); +#else + seccomp_callback_parent(); +#endif } @@ -129,29 +27,15 @@ void seccomp_config(void) { void seccomp_init(void) { - char *path = NULL; - int fd; - OKF("Seccomp - file [%s]", seccomp_filename); if (seccomp_filename == NULL) { return; } - path = g_canonicalize_filename(seccomp_filename, g_get_current_dir()); - - OKF("Seccomp - path [%s]", path); - - fd = open(path, O_RDWR | O_CREAT | O_TRUNC, - S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); - - if (dup2(fd, SECCOMP_OUTPUT_FILE_FD) < 0) { - - FATAL("Failed to duplicate seccomp output file"); - - } - - if (close(fd) < 0) { FATAL("Failed to close seccomp output file fd"); } - - g_free(path); +#ifdef __APPLE__ + FATAL("Seccomp not supported on OSX"); +#else + seccomp_callback_initialize(); +#endif } diff --git a/frida_mode/src/seccomp/seccomp_atomic.c b/frida_mode/src/seccomp/seccomp_atomic.c index 1720a726..e089b21f 100644 --- a/frida_mode/src/seccomp/seccomp_atomic.c +++ b/frida_mode/src/seccomp/seccomp_atomic.c @@ -3,6 +3,8 @@ #include "debug.h" +#ifndef __APPLE__ + void seccomp_atomic_set(volatile bool *ptr, bool val) { if (!__sync_bool_compare_and_swap(ptr, !val, val)) { @@ -26,3 +28,5 @@ void seccomp_atomic_wait(volatile bool *ptr, bool val) { } +#endif + diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c new file mode 100644 index 00000000..ef069805 --- /dev/null +++ b/frida_mode/src/seccomp/seccomp_callback.c @@ -0,0 +1,120 @@ +#include +#include + +#include "seccomp.h" + +#include "debug.h" + +#ifndef __APPLE__ + +static void seccomp_callback_filter(struct seccomp_notif * req, + struct seccomp_notif_resp *resp, + GumReturnAddressArray * frames) { + + GumDebugSymbolDetails details = {0}; + if (req->data.nr == SYS_OPENAT) { + + seccomp_print("SYS_OPENAT: (%s)\n", (char *)req->data.args[1]); + + } + + seccomp_print( + "\nID (%#llx) for PID %d - %d (%s) [0x%llx 0x%llx 0x%llx 0x%llx 0x%llx " + "0x%llx ]\n", + req->id, req->pid, req->data.nr, seccomp_syscall_lookup(req->data.nr), + req->data.args[0], req->data.args[1], req->data.args[2], + req->data.args[3], req->data.args[4], req->data.args[5]); + + seccomp_print("FRAMES: (%u)\n", frames->len); + char **syms = backtrace_symbols(frames->items, frames->len); + if (syms == NULL) { FATAL("Failed to get symbols"); } + + for (guint i = 0; i < frames->len; i++) { + + if (gum_symbol_details_from_address(frames->items[i], &details)) { + + seccomp_print("\t%3d. %s!%s\n", i, details.module_name, + details.symbol_name); + + } else { + + seccomp_print("\t%3d. %s\n", i, syms[i]); + + } + + } + + free(syms); + + resp->error = 0; + resp->val = 0; + resp->id = req->id; + resp->flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE; + +} + +static void seccomp_callback_child(int signal_parent, void *ctx) { + + int sock_fd = *((int *)ctx); + int fd = seccomp_socket_recv(sock_fd); + + if (close(sock_fd) < 0) { FATAL("child - close"); } + + seccomp_event_signal(signal_parent); + seccomp_filter_child_install(); + seccomp_filter_run(fd, seccomp_callback_filter); + +} + +void seccomp_callback_parent(void) { + + int sock[2] = {-1, -1}; + pid_t child = -1; + int child_fd = -1; + + seccomp_socket_create(sock); + seccomp_child_run(seccomp_callback_child, sock, &child, &child_fd); + + if (dup2(child_fd, SECCOMP_PARENT_EVENT_FD) < 0) { FATAL("dup2"); } + + if (close(child_fd) < 0) { FATAL("seccomp_on_fork - close (1)"); } + + if (close(sock[STDIN_FILENO]) < 0) { FATAL("grandparent - close (2)"); } + + int fd = seccomp_filter_install(child); + seccomp_socket_send(sock[STDOUT_FILENO], fd); + + if (close(sock[STDOUT_FILENO]) < 0) { FATAL("grandparent - close (3)"); } + + if (close(fd) < 0) { FATAL("grandparent - close (4)"); } + + seccomp_child_wait(SECCOMP_PARENT_EVENT_FD); + +} + +void seccomp_callback_initialize(void) { + + char *path = NULL; + int fd; + + path = g_canonicalize_filename(seccomp_filename, g_get_current_dir()); + + OKF("Seccomp - path [%s]", path); + + fd = open(path, O_RDWR | O_CREAT | O_TRUNC, + S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); + + if (dup2(fd, SECCOMP_OUTPUT_FILE_FD) < 0) { + + FATAL("Failed to duplicate seccomp output file"); + + } + + if (close(fd) < 0) { FATAL("Failed to close seccomp output file fd"); } + + g_free(path); + +} + +#endif + diff --git a/frida_mode/src/seccomp/seccomp_child.c b/frida_mode/src/seccomp/seccomp_child.c index 4d494137..a437fd7a 100644 --- a/frida_mode/src/seccomp/seccomp_child.c +++ b/frida_mode/src/seccomp/seccomp_child.c @@ -12,7 +12,9 @@ #include "seccomp.h" -#define SECCOMP_CHILD_STACK_SIZE (1UL << 20) +#ifndef __APPLE__ + + #define SECCOMP_CHILD_STACK_SIZE (1UL << 20) typedef void (*seccomp_child_func_t)(int event_fd, void *ctx); @@ -67,3 +69,5 @@ void seccomp_child_wait(int event_fd) { } +#endif + diff --git a/frida_mode/src/seccomp/seccomp_event.c b/frida_mode/src/seccomp/seccomp_event.c index ecb9be32..a7cf1f10 100644 --- a/frida_mode/src/seccomp/seccomp_event.c +++ b/frida_mode/src/seccomp/seccomp_event.c @@ -1,15 +1,17 @@ #include #include -#include +#include #include #include "debug.h" #include "seccomp.h" +#ifndef __APPLE__ + int seccomp_event_create(void) { - int fd = eventfd(0, 0); + int fd = syscall(SYS_eventfd, 0, 0); if (fd < 0) { FATAL("seccomp_event_create"); } return fd; @@ -43,3 +45,5 @@ void seccomp_event_destroy(int fd) { } +#endif + diff --git a/frida_mode/src/seccomp/seccomp_filter.c b/frida_mode/src/seccomp/seccomp_filter.c index c16e7ebd..ff824597 100644 --- a/frida_mode/src/seccomp/seccomp_filter.c +++ b/frida_mode/src/seccomp/seccomp_filter.c @@ -2,7 +2,6 @@ #include #include #include -#include #include #include #include @@ -21,7 +20,9 @@ #include "seccomp.h" #include "util.h" -#define SECCOMP_FILTER_NUM_FRAMES 512 +#ifndef __APPLE__ + + #define SECCOMP_FILTER_NUM_FRAMES 512 extern void gum_linux_parse_ucontext(const ucontext_t *uc, GumCpuContext *ctx); @@ -127,7 +128,10 @@ static GumBacktracer * seccomp_filter_backtracer = NULL; static void seccomp_filter_child_handler(int sig, siginfo_t *info, void *ucontext) { - GumCpuContext cpu_context; + UNUSED_PARAMETER(sig); + UNUSED_PARAMETER(info); + UNUSED_PARAMETER(ucontext); + if (seccomp_filter_backtracer == NULL) { seccomp_filter_backtracer = gum_backtracer_make_fuzzy(); @@ -150,7 +154,8 @@ static void seccomp_filter_parent_handler(int sig, siginfo_t *info, ucontext_t *uc = (ucontext_t *)ucontext; gum_linux_parse_ucontext(uc, &seccomp_filter_cpu_context); - if (tgkill(seccomp_filter_child, seccomp_filter_child, SIGUSR1) < 0) { + if (syscall(SYS_tgkill, seccomp_filter_child, seccomp_filter_child, SIGUSR1) < + 0) { FATAL("kill"); @@ -256,3 +261,5 @@ void seccomp_filter_run(int fd, seccomp_filter_callback_t callback) { } +#endif + diff --git a/frida_mode/src/seccomp/seccomp_print.c b/frida_mode/src/seccomp/seccomp_print.c new file mode 100644 index 00000000..5b621f67 --- /dev/null +++ b/frida_mode/src/seccomp/seccomp_print.c @@ -0,0 +1,30 @@ +#include + +#include "seccomp.h" +#include "util.h" + +#ifndef __APPLE__ + +static void seccomp_print_v(int fd, char *format, va_list ap) { + + char buffer[4096] = {0}; + int len; + + if (vsnprintf(buffer, sizeof(buffer) - 1, format, ap) < 0) { return; } + + len = strnlen(buffer, sizeof(buffer)); + IGNORED_RETURN(write(fd, buffer, len)); + +} + +void seccomp_print(char *format, ...) { + + va_list ap; + va_start(ap, format); + seccomp_print_v(SECCOMP_OUTPUT_FILE_FD, format, ap); + va_end(ap); + +} + +#endif + diff --git a/frida_mode/src/seccomp/seccomp_socket.c b/frida_mode/src/seccomp/seccomp_socket.c index ca42e158..7c6b234e 100644 --- a/frida_mode/src/seccomp/seccomp_socket.c +++ b/frida_mode/src/seccomp/seccomp_socket.c @@ -7,6 +7,8 @@ #include "seccomp.h" +#ifndef __APPLE__ + union cmsg { char buf[CMSG_SPACE(sizeof(int))]; @@ -119,3 +121,5 @@ int seccomp_socket_recv(int sockfd) { } +#endif + diff --git a/frida_mode/src/seccomp/seccomp_syscall.c b/frida_mode/src/seccomp/seccomp_syscall.c index b2c084c8..c4e4a970 100644 --- a/frida_mode/src/seccomp/seccomp_syscall.c +++ b/frida_mode/src/seccomp/seccomp_syscall.c @@ -5,6 +5,8 @@ #include "seccomp.h" +#ifndef __APPLE__ + typedef struct { int id; @@ -333,3 +335,5 @@ char *seccomp_syscall_lookup(int id) { } +#endif + -- cgit 1.4.1 From 5485ea3cc785866d6589987ad99f885bb1521047 Mon Sep 17 00:00:00 2001 From: jon Date: Wed, 1 Sep 2021 20:22:32 +0100 Subject: Fixes to make seccomp compile on OSX --- frida_mode/src/seccomp/seccomp_atomic.c | 8 +++--- frida_mode/src/seccomp/seccomp_callback.c | 10 +++---- frida_mode/src/seccomp/seccomp_child.c | 24 ++++++++--------- frida_mode/src/seccomp/seccomp_event.c | 14 +++++----- frida_mode/src/seccomp/seccomp_filter.c | 44 +++++++++++++++---------------- frida_mode/src/seccomp/seccomp_print.c | 8 +++--- frida_mode/src/seccomp/seccomp_socket.c | 14 +++++----- frida_mode/src/seccomp/seccomp_syscall.c | 10 +++---- 8 files changed, 66 insertions(+), 66 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/seccomp/seccomp_atomic.c b/frida_mode/src/seccomp/seccomp_atomic.c index e089b21f..5097511a 100644 --- a/frida_mode/src/seccomp/seccomp_atomic.c +++ b/frida_mode/src/seccomp/seccomp_atomic.c @@ -1,9 +1,9 @@ -#include -#include +#ifndef __APPLE__ -#include "debug.h" + #include + #include -#ifndef __APPLE__ + #include "debug.h" void seccomp_atomic_set(volatile bool *ptr, bool val) { diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c index ef069805..4af2ed0c 100644 --- a/frida_mode/src/seccomp/seccomp_callback.c +++ b/frida_mode/src/seccomp/seccomp_callback.c @@ -1,11 +1,11 @@ -#include -#include +#ifndef __APPLE__ -#include "seccomp.h" + #include + #include -#include "debug.h" + #include "seccomp.h" -#ifndef __APPLE__ + #include "debug.h" static void seccomp_callback_filter(struct seccomp_notif * req, struct seccomp_notif_resp *resp, diff --git a/frida_mode/src/seccomp/seccomp_child.c b/frida_mode/src/seccomp/seccomp_child.c index a437fd7a..f665f472 100644 --- a/frida_mode/src/seccomp/seccomp_child.c +++ b/frida_mode/src/seccomp/seccomp_child.c @@ -1,18 +1,18 @@ -#include -#include -#include -#include -#include -#include -#include -#include -#include +#ifndef __APPLE__ -#include "debug.h" + #include + #include + #include + #include + #include + #include + #include + #include + #include -#include "seccomp.h" + #include "debug.h" -#ifndef __APPLE__ + #include "seccomp.h" #define SECCOMP_CHILD_STACK_SIZE (1UL << 20) diff --git a/frida_mode/src/seccomp/seccomp_event.c b/frida_mode/src/seccomp/seccomp_event.c index a7cf1f10..dd4abde7 100644 --- a/frida_mode/src/seccomp/seccomp_event.c +++ b/frida_mode/src/seccomp/seccomp_event.c @@ -1,13 +1,13 @@ -#include -#include -#include -#include +#ifndef __APPLE__ -#include "debug.h" + #include + #include + #include + #include -#include "seccomp.h" + #include "debug.h" -#ifndef __APPLE__ + #include "seccomp.h" int seccomp_event_create(void) { diff --git a/frida_mode/src/seccomp/seccomp_filter.c b/frida_mode/src/seccomp/seccomp_filter.c index ff824597..13ff7522 100644 --- a/frida_mode/src/seccomp/seccomp_filter.c +++ b/frida_mode/src/seccomp/seccomp_filter.c @@ -1,27 +1,27 @@ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "debug.h" - -#include "frida-gumjs.h" - -#include "seccomp.h" -#include "util.h" - #ifndef __APPLE__ + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + #include "debug.h" + + #include "frida-gumjs.h" + + #include "seccomp.h" + #include "util.h" + #define SECCOMP_FILTER_NUM_FRAMES 512 extern void gum_linux_parse_ucontext(const ucontext_t *uc, GumCpuContext *ctx); diff --git a/frida_mode/src/seccomp/seccomp_print.c b/frida_mode/src/seccomp/seccomp_print.c index 5b621f67..be4d80ce 100644 --- a/frida_mode/src/seccomp/seccomp_print.c +++ b/frida_mode/src/seccomp/seccomp_print.c @@ -1,9 +1,9 @@ -#include +#ifndef __APPLE__ -#include "seccomp.h" -#include "util.h" + #include -#ifndef __APPLE__ + #include "seccomp.h" + #include "util.h" static void seccomp_print_v(int fd, char *format, va_list ap) { diff --git a/frida_mode/src/seccomp/seccomp_socket.c b/frida_mode/src/seccomp/seccomp_socket.c index 7c6b234e..fae95805 100644 --- a/frida_mode/src/seccomp/seccomp_socket.c +++ b/frida_mode/src/seccomp/seccomp_socket.c @@ -1,13 +1,13 @@ -#include -#include -#include -#include +#ifndef __APPLE__ -#include "debug.h" + #include + #include + #include + #include -#include "seccomp.h" + #include "debug.h" -#ifndef __APPLE__ + #include "seccomp.h" union cmsg { diff --git a/frida_mode/src/seccomp/seccomp_syscall.c b/frida_mode/src/seccomp/seccomp_syscall.c index c4e4a970..e023c131 100644 --- a/frida_mode/src/seccomp/seccomp_syscall.c +++ b/frida_mode/src/seccomp/seccomp_syscall.c @@ -1,11 +1,11 @@ -#include -#include +#ifndef __APPLE__ -#include "debug.h" + #include + #include -#include "seccomp.h" + #include "debug.h" -#ifndef __APPLE__ + #include "seccomp.h" typedef struct { -- cgit 1.4.1 From c8f6a313110db8db033bfbfc4eb3d7043daa430d Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Wed, 22 Sep 2021 23:05:54 +0100 Subject: Performance improvements (#1094) --- frida_mode/src/instrument/instrument_x64.c | 202 +++++++++++++++++++++++---- frida_mode/test/freetype2/GNUmakefile | 192 +++++++++++++++++++++++++ frida_mode/test/freetype2/Makefile | 13 ++ frida_mode/test/freetype2/get_symbol_addr.py | 36 +++++ 4 files changed, 413 insertions(+), 30 deletions(-) create mode 100644 frida_mode/test/freetype2/GNUmakefile create mode 100644 frida_mode/test/freetype2/Makefile create mode 100755 frida_mode/test/freetype2/get_symbol_addr.py (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index fec8afbb..8948c4df 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -1,6 +1,9 @@ +#include + #include "frida-gumjs.h" #include "config.h" +#include "debug.h" #include "instrument.h" @@ -8,38 +11,120 @@ static GumAddress current_log_impl = GUM_ADDRESS(0); -static const guint8 afl_log_code[] = { + #pragma pack(push, 1) + +typedef struct { + + /* + * pushfq + * push rdx + * mov rdx, [&previouspc] (rip relative addr) + * xor rdx, rdi (current_pc) + * shr rdi. 1 + * mov [&previouspc], rdi + * lea rsi, [&_afl_area_ptr] (rip relative) + * add rdx, rsi + * add byte ptr [rdx], 1 + * adc byte ptr [rdx], 0 + + * pop rdx + * popfq + */ + uint8_t push_fq; + uint8_t push_rdx; + uint8_t mov_rdx_rip_off[7]; + uint8_t xor_rdx_rdi[3]; + uint8_t shr_rdi[3]; + uint8_t mov_rip_off_rdi[7]; + + uint8_t lea_rdi_rip_off[7]; + uint8_t add_rdx_rdi[3]; + uint8_t add_byte_ptr_rdx[3]; + uint8_t adc_byte_ptr_rdx[3]; + + uint8_t pop_rdx; + uint8_t pop_fq; + uint8_t ret; + +} afl_log_code_asm_t; + + #pragma pack(pop) + + #pragma pack(push, 8) +typedef struct { + + afl_log_code_asm_t assembly; + uint64_t current_pc; + +} afl_log_code_t; + + #pragma pack(pop) + +typedef union { + + afl_log_code_t data; + uint8_t bytes[0]; + +} afl_log_code; + +static const afl_log_code_asm_t template = { + + .push_fq = 0x9c, + .push_rdx = 0x52, + .mov_rdx_rip_off = + { + + 0x48, 0x8b, 0x15, + /* TBC */ + + }, + + .xor_rdx_rdi = + { + + 0x48, + 0x31, + 0xfa, + + }, + + .shr_rdi = {0x48, 0xd1, 0xef}, + .mov_rip_off_rdi = {0x48, 0x89, 0x3d}, + + .lea_rdi_rip_off = + { + + 0x48, + 0x8d, + 0x3d, - 0x9c, /* pushfq */ - 0x51, /* push rcx */ - 0x52, /* push rdx */ + }, - 0x48, 0x8b, 0x0d, 0x26, - 0x00, 0x00, 0x00, /* mov rcx, sym.&previous_pc */ - 0x48, 0x8b, 0x11, /* mov rdx, qword [rcx] */ - 0x48, 0x31, 0xfa, /* xor rdx, rdi */ + .add_rdx_rdi = {0x48, 0x01, 0xfA}, - 0x48, 0x03, 0x15, 0x11, - 0x00, 0x00, 0x00, /* add rdx, sym._afl_area_ptr_ptr */ + .add_byte_ptr_rdx = + { - 0x80, 0x02, 0x01, /* add byte ptr [rdx], 1 */ - 0x80, 0x12, 0x00, /* adc byte ptr [rdx], 0 */ - 0x66, 0xd1, 0xcf, /* ror di, 1 */ - 0x48, 0x89, 0x39, /* mov qword [rcx], rdi */ + 0x80, + 0x02, + 0x01, - 0x5a, /* pop rdx */ - 0x59, /* pop rcx */ - 0x9d, /* popfq */ + }, - 0xc3, /* ret */ + .adc_byte_ptr_rdx = + { - 0x90 + 0x80, + 0x12, + 0x00, - /* Read-only data goes here: */ - /* uint8_t* __afl_area_ptr */ - /* uint64_t* &previous_pc */ + }, -}; + .pop_rdx = 0x5a, + .pop_fq = 0x9d, + .ret = 0xc3}; + +static guint8 align_pad[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90}; gboolean instrument_is_coverage_optimize_supported(void) { @@ -47,12 +132,19 @@ gboolean instrument_is_coverage_optimize_supported(void) { } -static guint8 align_pad[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90}; +static gboolean instrument_coverage_in_range(gssize offset) { + + return (offset >= G_MININT32 && offset <= G_MAXINT32); + +} static void instrument_coverate_write_function(GumStalkerOutput *output) { guint64 misalign = 0; GumX86Writer *cw = output->writer.x86; + GumAddress code_addr = 0; + afl_log_code code = {0}; + guint64 instrument_hash_zero = 0; if (current_log_impl == 0 || !gum_x86_writer_can_branch_directly_between(cw->pc, current_log_impl) || @@ -71,13 +163,63 @@ static void instrument_coverate_write_function(GumStalkerOutput *output) { } current_log_impl = cw->pc; - gum_x86_writer_put_bytes(cw, afl_log_code, sizeof(afl_log_code)); + // gum_x86_writer_put_breakpoint(cw); + code_addr = cw->pc; + + code.data.assembly = template; + code.data.current_pc = instrument_get_offset_hash(0); + + gssize current_pc_value1 = + GPOINTER_TO_SIZE(&instrument_previous_pc) - + (code_addr + offsetof(afl_log_code, data.assembly.mov_rdx_rip_off) + + sizeof(code.data.assembly.mov_rdx_rip_off)); + gssize patch_offset1 = + offsetof(afl_log_code, data.assembly.mov_rdx_rip_off) + + sizeof(code.data.assembly.mov_rdx_rip_off) - sizeof(gint); + if (!instrument_coverage_in_range(current_pc_value1)) { + + FATAL("Patch out of range (current_pc_value1): 0x%016lX", + current_pc_value1); + + } + + *((gint *)&code.bytes[patch_offset1]) = (gint)current_pc_value1; + + gssize current_pc_value2 = + GPOINTER_TO_SIZE(&instrument_previous_pc) - + (code_addr + offsetof(afl_log_code, data.assembly.mov_rip_off_rdi) + + sizeof(code.data.assembly.mov_rip_off_rdi)); + gssize patch_offset2 = + offsetof(afl_log_code, data.assembly.mov_rip_off_rdi) + + sizeof(code.data.assembly.mov_rip_off_rdi) - sizeof(gint); + + if (!instrument_coverage_in_range(current_pc_value2)) { + + FATAL("Patch out of range (current_pc_value2): 0x%016lX", + current_pc_value2); + + } + + *((gint *)&code.bytes[patch_offset2]) = (gint)current_pc_value2; + + gsize afl_area_ptr_value = + GPOINTER_TO_SIZE(__afl_area_ptr) - + (code_addr + offsetof(afl_log_code, data.assembly.lea_rdi_rip_off) + + sizeof(code.data.assembly.lea_rdi_rip_off)); + gssize afl_area_ptr_offset = + offsetof(afl_log_code, data.assembly.lea_rdi_rip_off) + + sizeof(code.data.assembly.lea_rdi_rip_off) - sizeof(gint); + + if (!instrument_coverage_in_range(afl_area_ptr_value)) { + + FATAL("Patch out of range (afl_area_ptr_value): 0x%016lX", + afl_area_ptr_value); + + } + + *((gint *)&code.bytes[afl_area_ptr_offset]) = (gint)afl_area_ptr_value; - uint64_t *afl_prev_loc_ptr = &instrument_previous_pc; - gum_x86_writer_put_bytes(cw, (const guint8 *)&__afl_area_ptr, - sizeof(__afl_area_ptr)); - gum_x86_writer_put_bytes(cw, (const guint8 *)&afl_prev_loc_ptr, - sizeof(afl_prev_loc_ptr)); + gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code)); gum_x86_writer_put_label(cw, after_log_impl); diff --git a/frida_mode/test/freetype2/GNUmakefile b/frida_mode/test/freetype2/GNUmakefile new file mode 100644 index 00000000..891660ca --- /dev/null +++ b/frida_mode/test/freetype2/GNUmakefile @@ -0,0 +1,192 @@ +PWD:=$(shell pwd)/ +ROOT:=$(PWD)../../../ +BUILD_DIR:=$(PWD)build/ + +AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so +AFLPP_QEMU_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/qemu_hook.so + +# git clone git://git.sv.nongnu.org/freetype/freetype2.git +# git clone https://github.com/unicode-org/text-rendering-tests.git TRT +# wget https://github.com/libarchive/libarchive/releases/download/v3.4.3/libarchive-3.4.3.tar.xz + +# cp TRT/fonts/TestKERNOne.otf $OUT/seeds/ +# cp TRT/fonts/TestGLYFOne.ttf $OUT/seeds/ + +# $CXX $CXXFLAGS -std=c++11 -I include -I . src/tools/ftfuzzer/ftfuzzer.cc \ +# objs/.libs/libfreetype.a $FUZZER_LIB -L /usr/local/lib -larchive \ +# -o $OUT/ftfuzzer + +LIBARCHIVE_URL:=https://github.com/libarchive/libarchive/releases/download/v3.4.3/libarchive-3.4.3.tar.xz +LIBARCHIVE_BUILD_DIR:=$(BUILD_DIR)libarchive/ +LIBARCHIVE_TARBALL:=$(LIBARCHIVE_BUILD_DIR)libarchive-3.4.3.tar.xz +LIBARCHIVE_DIR:=$(LIBARCHIVE_BUILD_DIR)libarchive-3.4.3/ +LIBARCHIVE_LIB:=$(LIBARCHIVE_DIR).libs/libarchive.a + +FREETYPE2_GIT_REPO:=git://git.sv.nongnu.org/freetype/freetype2.git +FREETYPE2_BUILD_DIR:=$(BUILD_DIR)freetype2/ +FREETYPE2_DIR:=$(FREETYPE2_BUILD_DIR)freetype2/ +FREETYPE2_LIB:=$(FREETYPE2_DIR)objs/.libs/libfreetype.a + +HARNESS_URL:=https://raw.githubusercontent.com/llvm/llvm-project/main/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c +HARNESS_SRC:=$(BUILD_DIR)StandaloneFuzzTargetMain.c +HARNESS_OBJ:=$(BUILD_DIR)StandaloneFuzzTargetMain.o + +TRT_GIT_REPO:=https://github.com/unicode-org/text-rendering-tests.git +TRT_DIR:=$(BUILD_DIR)TRT/ + +FUZZER_SRC:=$(FREETYPE2_DIR)src/tools/ftfuzzer/ftfuzzer.cc + + +LDFLAGS += -lpthread + +TEST_BIN:=$(BUILD_DIR)test +ifeq "$(shell uname)" "Darwin" +TEST_BIN_LDFLAGS:=-undefined dynamic_lookup -Wl,-no_pie +endif + +TEST_DATA_DIR:=$(BUILD_DIR)in/ +TEST_DATA_FILE:=$(TEST_DATA_DIR)default_seed + +FRIDA_OUT:=$(BUILD_DIR)frida-out +QEMU_OUT:=$(BUILD_DIR)qemu-out + +ifndef ARCH + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + ARCH:=arm64 +endif + +ifeq "$(ARCH)" "i686" + ARCH:=x86 +endif +endif + +GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh + +AFL_QEMU_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x4000000000) + +ifeq "$(ARCH)" "aarch64" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x0000aaaaaaaaa000) +endif + +ifeq "$(ARCH)" "x86_64" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x0000555555554000) +endif + +ifeq "$(ARCH)" "x86" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x56555000) +endif + +.PHONY: all clean frida hook + +all: $(TEST_BIN) + make -C $(ROOT)frida_mode/ + +32: + CXXFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + +$(BUILD_DIR): + mkdir -p $@ + +########## LIBARCHIVE ####### + +$(LIBARCHIVE_BUILD_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(LIBARCHIVE_TARBALL): | $(LIBARCHIVE_BUILD_DIR) + wget -O $@ $(LIBARCHIVE_URL) + +$(LIBARCHIVE_DIR): | $(LIBARCHIVE_TARBALL) + tar Jxvf $(LIBARCHIVE_TARBALL) -C $(LIBARCHIVE_BUILD_DIR) + +$(LIBARCHIVE_DIR)Makefile: | $(LIBARCHIVE_DIR) + cd $(LIBARCHIVE_DIR) && ./configure --disable-shared + +$(LIBARCHIVE_LIB): $(LIBARCHIVE_DIR)Makefile + make -C $(LIBARCHIVE_DIR) clean all + +########## FREETYPE2 ####### + +$(FREETYPE2_BUILD_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(FREETYPE2_DIR): | $(FREETYPE2_BUILD_DIR) + git clone $(FREETYPE2_GIT_REPO) $@ + git -C $(FREETYPE2_DIR) checkout cd02d359a6d0455e9d16b87bf9665961c4699538 + +$(FREETYPE2_LIB): | $(FREETYPE2_DIR) + cd $(FREETYPE2_DIR) && ./autogen.sh + cd $(FREETYPE2_DIR) && ./configure --with-harfbuzz=no --with-bzip2=no --with-png=no --without-zlib + make -C $(FREETYPE2_DIR) all + +########## HARNESS ####### + +$(HARNESS_SRC): + wget -O $@ $(HARNESS_URL) + +$(HARNESS_OBJ): $(HARNESS_SRC) + $(CC) -o $@ -c $< + +########## TEST ####### + +$(TEST_BIN): $(LIBARCHIVE_LIB) $(FREETYPE2_LIB) $(HARNESS_OBJ) + $(CXX) \ + $(CXXFLAGS) \ + -std=c++11 \ + -I $(FREETYPE2_DIR)include \ + -I $(FREETYPE2_DIR) \ + -I $(LIBARCHIVE_DIR)/libarchive \ + $(FUZZER_SRC) \ + $(FREETYPE2_LIB) \ + $(LIBARCHIVE_LIB) \ + $(HARNESS_OBJ) \ + -o $@ + +########## DUMMY ####### + +$(TRT_DIR): | $(BUILD_DIR) + git clone $(TRT_GIT_REPO) $@ + +$(TEST_DATA_DIR): | $(TRT_DIR) + mkdir -p $@ + cp $(TRT_DIR)fonts/TestKERNOne.otf $@ + cp $(TRT_DIR)fonts/TestGLYFOne.ttf $@ + +$(TEST_DATA_FILE): | $(TEST_DATA_DIR) + dd if=/dev/zero bs=1048576 count=1 of=$@ + +###### TEST DATA ####### + +clean: + rm -rf $(BUILD_DIR) + +frida: $(TEST_BIN) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) + AFL_FRIDA_PERSISTENT_CNT=1000000 \ + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ + AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ + AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ + $(ROOT)afl-fuzz \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -m none \ + -d \ + -O \ + -V 30 \ + -- \ + $(TEST_BIN) $(TEST_DATA_FILE) + +qemu: $(TEST_BIN) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) + AFL_QEMU_PERSISTENT_CNT=1000000 \ + AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \ + AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ + AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \ + $(ROOT)afl-fuzz \ + -i $(TEST_DATA_DIR) \ + -o $(QEMU_OUT) \ + -m none \ + -d \ + -Q \ + -V 30 \ + -- \ + $(TEST_BIN) $(TEST_DATA_FILE) diff --git a/frida_mode/test/freetype2/Makefile b/frida_mode/test/freetype2/Makefile new file mode 100644 index 00000000..07b139e9 --- /dev/null +++ b/frida_mode/test/freetype2/Makefile @@ -0,0 +1,13 @@ +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake + +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + +clean: + @gmake clean + +frida: + @gmake frida diff --git a/frida_mode/test/freetype2/get_symbol_addr.py b/frida_mode/test/freetype2/get_symbol_addr.py new file mode 100755 index 00000000..1c46e010 --- /dev/null +++ b/frida_mode/test/freetype2/get_symbol_addr.py @@ -0,0 +1,36 @@ +#!/usr/bin/python3 +import argparse +from elftools.elf.elffile import ELFFile + +def process_file(file, symbol, base): + with open(file, 'rb') as f: + elf = ELFFile(f) + symtab = elf.get_section_by_name('.symtab') + mains = symtab.get_symbol_by_name(symbol) + if len(mains) != 1: + print ("Failed to find main") + return 1 + + main_addr = mains[0]['st_value'] + main = base + main_addr + print ("0x%016x" % main) + return 0 + +def hex_value(x): + return int(x, 16) + +def main(): + parser = argparse.ArgumentParser(description='Process some integers.') + parser.add_argument('-f', '--file', dest='file', type=str, + help='elf file name', required=True) + parser.add_argument('-s', '--symbol', dest='symbol', type=str, + help='symbol name', required=True) + parser.add_argument('-b', '--base', dest='base', type=hex_value, + help='elf base address', required=True) + + args = parser.parse_args() + return process_file (args.file, args.symbol, args.base) + +if __name__ == "__main__": + ret = main() + exit(ret) -- cgit 1.4.1 From e80131bef50d343e71a08cdf6ae1aa57b4475867 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 2 Oct 2021 22:47:22 +0200 Subject: fix some compiler warnings in 32-bit linux --- frida_mode/src/instrument/instrument_x64.c | 11 +++++++---- frida_mode/src/prefetch.c | 8 +++++--- include/config.h | 4 ++-- src/afl-analyze.c | 2 +- src/afl-fuzz.c | 2 +- src/afl-showmap.c | 2 +- src/afl-tmin.c | 2 +- unicorn_mode/unicornafl | 2 +- 8 files changed, 19 insertions(+), 14 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 8948c4df..1c2cf113 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -144,7 +144,7 @@ static void instrument_coverate_write_function(GumStalkerOutput *output) { GumX86Writer *cw = output->writer.x86; GumAddress code_addr = 0; afl_log_code code = {0}; - guint64 instrument_hash_zero = 0; + /*guint64 instrument_hash_zero = 0;*/ if (current_log_impl == 0 || !gum_x86_writer_can_branch_directly_between(cw->pc, current_log_impl) || @@ -183,7 +183,8 @@ static void instrument_coverate_write_function(GumStalkerOutput *output) { } - *((gint *)&code.bytes[patch_offset1]) = (gint)current_pc_value1; + gint *dst_pc_value = (gint *)&code.bytes[patch_offset1]; + *dst_pc_value = (gint)current_pc_value1; gssize current_pc_value2 = GPOINTER_TO_SIZE(&instrument_previous_pc) - @@ -200,7 +201,8 @@ static void instrument_coverate_write_function(GumStalkerOutput *output) { } - *((gint *)&code.bytes[patch_offset2]) = (gint)current_pc_value2; + dst_pc_value = (gint *)&code.bytes[patch_offset2]; + *dst_pc_value = (gint)current_pc_value2; gsize afl_area_ptr_value = GPOINTER_TO_SIZE(__afl_area_ptr) - @@ -217,7 +219,8 @@ static void instrument_coverate_write_function(GumStalkerOutput *output) { } - *((gint *)&code.bytes[afl_area_ptr_offset]) = (gint)afl_area_ptr_value; + gint *dst_afl_area_ptr_value = (gint *)&code.bytes[afl_area_ptr_offset]; + *dst_afl_area_ptr_value = (gint)afl_area_ptr_value; gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code)); diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c index 0efbc9bf..c30ca65c 100644 --- a/frida_mode/src/prefetch.c +++ b/frida_mode/src/prefetch.c @@ -44,8 +44,9 @@ static void gum_afl_stalker_backpatcher_notify(GumStalkerObserver *self, sizeof(prefetch_data->backpatch_data) - prefetch_data->backpatch_size; if (sizeof(gsize) + size > remaining) { return; } - *(gsize *)(&prefetch_data->backpatch_data[prefetch_data->backpatch_size]) = - size; + gsize *dst_backpatch_size = (gsize *) + &prefetch_data->backpatch_data[prefetch_data->backpatch_size]; + *dst_backpatch_size = size; prefetch_data->backpatch_size += sizeof(gsize); memcpy(&prefetch_data->backpatch_data[prefetch_data->backpatch_size], @@ -115,7 +116,8 @@ static void prefetch_read_patches(void) { remaining > sizeof(gsize); remaining = prefetch_data->backpatch_size - offset) { - gsize size = *(gsize *)(&prefetch_data->backpatch_data[offset]); + gsize *src_backpatch_data = (gsize *)&prefetch_data->backpatch_data[offset]; + gsize size = *src_backpatch_data; offset += sizeof(gsize); if (prefetch_data->backpatch_size - offset < size) { diff --git a/include/config.h b/include/config.h index da74989e..4630da0c 100644 --- a/include/config.h +++ b/include/config.h @@ -237,11 +237,11 @@ (note that if this value is changed, several areas in afl-cc.c, afl-fuzz.c and afl-fuzz-state.c have to be changed as well! */ -#define MAX_FILE (1 * 1024 * 1024U) +#define MAX_FILE (1 * 1024 * 1024L) /* The same, for the test case minimizer: */ -#define TMIN_MAX_FILE (10 * 1024 * 1024) +#define TMIN_MAX_FILE (10 * 1024 * 1024L) /* Block normalization steps for afl-tmin: */ diff --git a/src/afl-analyze.c b/src/afl-analyze.c index eef08494..8295488d 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -184,7 +184,7 @@ static void read_initial_file(void) { if (st.st_size >= TMIN_MAX_FILE) { - FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024); + FATAL("Input file is too large (%ld MB max)", TMIN_MAX_FILE / 1024 / 1024); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 87da9798..92a37697 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1348,7 +1348,7 @@ int main(int argc, char **argv_orig, char **envp) { } else if (afl->q_testcase_max_cache_size < 2 * MAX_FILE) { - FATAL("AFL_TESTCACHE_SIZE must be set to %u or more, or 0 to disable", + FATAL("AFL_TESTCACHE_SIZE must be set to %ld or more, or 0 to disable", (2 * MAX_FILE) % 1048576 == 0 ? (2 * MAX_FILE) / 1048576 : 1 + ((2 * MAX_FILE) / 1048576)); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index e143371e..75b0ff99 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -413,7 +413,7 @@ static u32 read_file(u8 *in_file) { if (!be_quiet && !quiet_mode) { - WARNF("Input file '%s' is too large, only reading %u bytes.", in_file, + WARNF("Input file '%s' is too large, only reading %ld bytes.", in_file, MAX_FILE); } diff --git a/src/afl-tmin.c b/src/afl-tmin.c index dff51e84..4f3a6b80 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -221,7 +221,7 @@ static void read_initial_file(void) { if (st.st_size >= TMIN_MAX_FILE) { - FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024); + FATAL("Input file is too large (%ld MB max)", TMIN_MAX_FILE / 1024 / 1024); } diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index c0e03d2c..1c47d1eb 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8 +Subproject commit 1c47d1ebc7e904ad4efc1370f23e269fb9ac3f93 -- cgit 1.4.1 From 1a79a36762ccb5cac6da8ce09fd681166d02352b Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sun, 3 Oct 2021 00:32:59 +0200 Subject: fix compiler warning in 32-Bit --- frida_mode/src/seccomp/seccomp_callback.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c index 4af2ed0c..7e1e2070 100644 --- a/frida_mode/src/seccomp/seccomp_callback.c +++ b/frida_mode/src/seccomp/seccomp_callback.c @@ -14,8 +14,12 @@ static void seccomp_callback_filter(struct seccomp_notif * req, GumDebugSymbolDetails details = {0}; if (req->data.nr == SYS_OPENAT) { +#if UINTPTR_MAX == 0xffffffffffffffffu seccomp_print("SYS_OPENAT: (%s)\n", (char *)req->data.args[1]); - +#endif +#if UINTPTR_MAX == 0xffffffff + seccomp_print("SYS_OPENAT: (%s)\n", (char *)(__u32)req->data.args[1]); +#endif } seccomp_print( -- cgit 1.4.1 From fc48a58e64b8c5abafa83b50ea68bf8e47d00552 Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Sun, 3 Oct 2021 07:35:13 +0100 Subject: frida mode macOs warning fix, syscall being deprecated, using pthread_threadid_np available since snow leopard --- frida_mode/src/instrument/instrument.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index fd0982f8..71d9bdf6 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -341,8 +341,14 @@ void instrument_init(void) { * parallel fuzzing. The seed itself, doesn't have to be random, it * just needs to be different for each instance. */ + guint64 tid; +#if defined(__APPLE__) + pthread_threadid_np(NULL, &tid); +#else + tid = syscall(SYS_gettid); +#endif instrument_hash_seed = g_get_monotonic_time() ^ - (((guint64)getpid()) << 32) ^ syscall(SYS_gettid); + (((guint64)getpid()) << 32) ^ tid; } -- cgit 1.4.1 From d22b28d17b8cffabbb59c9e82373338a6343c648 Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 12 Oct 2021 08:13:29 +0100 Subject: Minimize inline assembly --- frida_mode/GNUmakefile | 3 +- frida_mode/include/instrument.h | 1 + frida_mode/include/ranges.h | 2 + frida_mode/src/instrument/instrument.c | 1 + frida_mode/src/instrument/instrument_x64.c | 346 ++++++++++++++++------------- frida_mode/src/ranges.c | 13 +- 6 files changed, 203 insertions(+), 163 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index 3e35e2f6..ab6efecf 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -31,7 +31,8 @@ AFL_CFLAGS:=-Wno-unused-parameter \ LDFLAGS+=-shared \ -lpthread \ -lresolv \ - -ldl + -ldl \ + -lrt ifdef DEBUG CFLAGS+=-Werror \ diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index 909b2a2c..cac5ee93 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -29,6 +29,7 @@ GumStalkerTransformer *instrument_get_transformer(void); /* Functions to be implemented by the different architectures */ gboolean instrument_is_coverage_optimize_supported(void); +void instrument_coverage_optimize_init(void); void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output); diff --git a/frida_mode/include/ranges.h b/frida_mode/include/ranges.h index 0220a59d..3bd9eaa6 100644 --- a/frida_mode/include/ranges.h +++ b/frida_mode/include/ranges.h @@ -10,6 +10,8 @@ extern gboolean ranges_inst_jit; void ranges_config(void); void ranges_init(void); +void ranges_print_debug_maps(void); + gboolean range_is_excluded(GumAddress address); void ranges_exclude(); diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 71d9bdf6..81d85aa1 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -356,6 +356,7 @@ void instrument_init(void) { instrument_hash_seed); instrument_hash_zero = instrument_get_offset_hash(0); + instrument_coverage_optimize_init(); instrument_debug_init(); instrument_coverage_init(); asan_init(); diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 1c2cf113..dc040a20 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -1,4 +1,9 @@ +#include #include +#include +#include +#include +#include #include "frida-gumjs.h" @@ -6,245 +11,274 @@ #include "debug.h" #include "instrument.h" +#include "ranges.h" #if defined(__x86_64__) -static GumAddress current_log_impl = GUM_ADDRESS(0); +gboolean instrument_is_coverage_optimize_supported(void) { - #pragma pack(push, 1) + return true; + +} + +static gboolean instrument_coverage_in_range(gssize offset) { + + return (offset >= G_MININT32 && offset <= G_MAXINT32); +} + + #pragma pack(push, 1) typedef struct { - /* - * pushfq - * push rdx - * mov rdx, [&previouspc] (rip relative addr) - * xor rdx, rdi (current_pc) - * shr rdi. 1 - * mov [&previouspc], rdi - * lea rsi, [&_afl_area_ptr] (rip relative) - * add rdx, rsi - * add byte ptr [rdx], 1 - * adc byte ptr [rdx], 0 - - * pop rdx - * popfq - */ + // cur_location = (block_address >> 4) ^ (block_address << 8); + // shared_mem[cur_location ^ prev_location]++; + // prev_location = cur_location >> 1; + + // => 0x7ffff6cfb086: lea rsp,[rsp-0x80] + // 0x7ffff6cfb08b: pushf + // 0x7ffff6cfb08c: push rsi + // 0x7ffff6cfb08d: mov rsi,0x228 + // 0x7ffff6cfb094: xchg QWORD PTR [rip+0x3136a5],rsi # 0x7ffff700e740 + // 0x7ffff6cfb09b: xor rsi,0x451 + // 0x7ffff6cfb0a2: add BYTE PTR [rsi+0x10000],0x1 + // 0x7ffff6cfb0a9: adc BYTE PTR [rsi+0x10000],0x0 + // 0x7ffff6cfb0b0: pop rsi + // 0x7ffff6cfb0b1: popf + // 0x7ffff6cfb0b2: lea rsp,[rsp+0x80] + + + uint8_t lea_rsp_rsp_sub_rz[5]; uint8_t push_fq; - uint8_t push_rdx; - uint8_t mov_rdx_rip_off[7]; - uint8_t xor_rdx_rdi[3]; - uint8_t shr_rdi[3]; - uint8_t mov_rip_off_rdi[7]; - - uint8_t lea_rdi_rip_off[7]; - uint8_t add_rdx_rdi[3]; - uint8_t add_byte_ptr_rdx[3]; - uint8_t adc_byte_ptr_rdx[3]; - - uint8_t pop_rdx; + uint8_t push_rsi; + + uint8_t mov_rsi_curr_loc_shr_1[7]; + uint8_t xchg_rsi_prev_loc_curr_loc[7]; + uint8_t xor_rsi_curr_loc[7]; + + uint8_t add_rsi_1[7]; + uint8_t adc_rsi_0[7]; + + uint8_t pop_rsi; uint8_t pop_fq; - uint8_t ret; + uint8_t lsa_rsp_rsp_add_rz[8]; } afl_log_code_asm_t; #pragma pack(pop) - #pragma pack(push, 8) -typedef struct { +typedef union { - afl_log_code_asm_t assembly; - uint64_t current_pc; + afl_log_code_asm_t code; + uint8_t bytes[0]; -} afl_log_code_t; +} afl_log_code; - #pragma pack(pop) +static const afl_log_code_asm_t template = + { -typedef union { + .lea_rsp_rsp_sub_rz = {0x48, 0x8D, 0x64, 0x24, 0x80}, + .push_fq = 0x9c, + .push_rsi = 0x56, - afl_log_code_t data; - uint8_t bytes[0]; + .mov_rsi_curr_loc_shr_1 = {0x48, 0xC7, 0xC6}, + .xchg_rsi_prev_loc_curr_loc = {0x48, 0x87, 0x35}, + .xor_rsi_curr_loc = {0x48, 0x81, 0xF6}, -} afl_log_code; + .add_rsi_1 = {0x80, 0x86, 0x00, 0x00, 0x00, 0x00, 0x01}, + .adc_rsi_0 = {0x80, 0x96, 0x00, 0x00, 0x00, 0x00, 0x00}, -static const afl_log_code_asm_t template = { + .pop_rsi = 0x5E, + .pop_fq = 0x9D, + .lsa_rsp_rsp_add_rz = {0x48, 0x8D, 0xA4, 0x24, 0x80, 0x00, 0x00, 0x00}, - .push_fq = 0x9c, - .push_rdx = 0x52, - .mov_rdx_rip_off = - { +} - 0x48, 0x8b, 0x15, - /* TBC */ +; - }, +static gboolean instrument_coverage_find_low(const GumRangeDetails *details, + gpointer user_data) { - .xor_rdx_rdi = - { + static GumAddress last_limit = (64ULL << 10); + gpointer * address = (gpointer *)user_data; - 0x48, - 0x31, - 0xfa, + if ((details->range->base_address - last_limit) > __afl_map_size) { - }, + *address = GSIZE_TO_POINTER(last_limit); + return FALSE; - .shr_rdi = {0x48, 0xd1, 0xef}, - .mov_rip_off_rdi = {0x48, 0x89, 0x3d}, + } - .lea_rdi_rip_off = - { + if (details->range->base_address > ((2ULL << 20) - __afl_map_size)) { - 0x48, - 0x8d, - 0x3d, + return FALSE; - }, + } - .add_rdx_rdi = {0x48, 0x01, 0xfA}, + last_limit = details->range->base_address + details->range->size; + return TRUE; - .add_byte_ptr_rdx = - { +} - 0x80, - 0x02, - 0x01, +static void instrument_coverage_optimize_map_mmap_anon(gpointer address) { - }, + __afl_area_ptr = + mmap(address, __afl_map_size, PROT_READ | PROT_WRITE, + MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0); + if (__afl_area_ptr != address) { - .adc_byte_ptr_rdx = - { + FATAL("Failed to map mmap __afl_area_ptr: %d", errno); - 0x80, - 0x12, - 0x00, + } - }, +} - .pop_rdx = 0x5a, - .pop_fq = 0x9d, - .ret = 0xc3}; +static void instrument_coverage_optimize_map_mmap(char * shm_file_path, + gpointer address) { -static guint8 align_pad[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90}; + int shm_fd = -1; -gboolean instrument_is_coverage_optimize_supported(void) { + if (munmap(__afl_area_ptr, __afl_map_size) != 0) { - return true; + FATAL("Failed to unmap previous __afl_area_ptr"); -} + } -static gboolean instrument_coverage_in_range(gssize offset) { + __afl_area_ptr = NULL; - return (offset >= G_MININT32 && offset <= G_MAXINT32); + shm_fd = shm_open(shm_file_path, O_RDWR, DEFAULT_PERMISSION); + if (shm_fd == -1) { FATAL("shm_open() failed\n"); } + + __afl_area_ptr = mmap(address, __afl_map_size, PROT_READ | PROT_WRITE, + MAP_FIXED_NOREPLACE | MAP_SHARED, shm_fd, 0); + if (__afl_area_ptr != address) { + + FATAL("Failed to map mmap __afl_area_ptr: %d", errno); + + } + + if (close(shm_fd) != 0) { FATAL("Failed to close shm_fd"); } } -static void instrument_coverate_write_function(GumStalkerOutput *output) { +static void instrument_coverage_optimize_map_shm(guint64 shm_env_val, + gpointer address) { - guint64 misalign = 0; - GumX86Writer *cw = output->writer.x86; - GumAddress code_addr = 0; - afl_log_code code = {0}; - /*guint64 instrument_hash_zero = 0;*/ + if (shmdt(__afl_area_ptr) != 0) { + + FATAL("Failed to detach previous __afl_area_ptr"); - if (current_log_impl == 0 || - !gum_x86_writer_can_branch_directly_between(cw->pc, current_log_impl) || - !gum_x86_writer_can_branch_directly_between(cw->pc + 128, - current_log_impl)) { + } - gconstpointer after_log_impl = cw->code + 1; + __afl_area_ptr = shmat(shm_env_val, address, 0); + if (__afl_area_ptr != address) { - gum_x86_writer_put_jmp_near_label(cw, after_log_impl); + FATAL("Failed to map shm __afl_area_ptr: %d", errno); - misalign = (cw->pc & 0x7); - if (misalign != 0) { + } - gum_x86_writer_put_bytes(cw, align_pad, 8 - misalign); +} - } +void instrument_coverage_optimize_init(void) { - current_log_impl = cw->pc; - // gum_x86_writer_put_breakpoint(cw); - code_addr = cw->pc; + gpointer low_address = NULL; - code.data.assembly = template; - code.data.current_pc = instrument_get_offset_hash(0); + gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, instrument_coverage_find_low, + &low_address); - gssize current_pc_value1 = - GPOINTER_TO_SIZE(&instrument_previous_pc) - - (code_addr + offsetof(afl_log_code, data.assembly.mov_rdx_rip_off) + - sizeof(code.data.assembly.mov_rdx_rip_off)); - gssize patch_offset1 = - offsetof(afl_log_code, data.assembly.mov_rdx_rip_off) + - sizeof(code.data.assembly.mov_rdx_rip_off) - sizeof(gint); - if (!instrument_coverage_in_range(current_pc_value1)) { + OKF("Low address: %p", low_address); - FATAL("Patch out of range (current_pc_value1): 0x%016lX", - current_pc_value1); + if (low_address == 0 || + GPOINTER_TO_SIZE(low_address) > ((2UL << 20) - __afl_map_size)) { - } + FATAL("Invalid low_address: %p", low_address); - gint *dst_pc_value = (gint *)&code.bytes[patch_offset1]; - *dst_pc_value = (gint)current_pc_value1; + } - gssize current_pc_value2 = - GPOINTER_TO_SIZE(&instrument_previous_pc) - - (code_addr + offsetof(afl_log_code, data.assembly.mov_rip_off_rdi) + - sizeof(code.data.assembly.mov_rip_off_rdi)); - gssize patch_offset2 = - offsetof(afl_log_code, data.assembly.mov_rip_off_rdi) + - sizeof(code.data.assembly.mov_rip_off_rdi) - sizeof(gint); + ranges_print_debug_maps(); - if (!instrument_coverage_in_range(current_pc_value2)) { + char *shm_env = getenv(SHM_ENV_VAR); + OKF("SHM_ENV_VAR: %s", shm_env); - FATAL("Patch out of range (current_pc_value2): 0x%016lX", - current_pc_value2); + if (shm_env == NULL) { - } + WARNF("SHM_ENV_VAR not set, using anonymous map for debugging purposes"); - dst_pc_value = (gint *)&code.bytes[patch_offset2]; - *dst_pc_value = (gint)current_pc_value2; + instrument_coverage_optimize_map_mmap_anon(low_address); - gsize afl_area_ptr_value = - GPOINTER_TO_SIZE(__afl_area_ptr) - - (code_addr + offsetof(afl_log_code, data.assembly.lea_rdi_rip_off) + - sizeof(code.data.assembly.lea_rdi_rip_off)); - gssize afl_area_ptr_offset = - offsetof(afl_log_code, data.assembly.lea_rdi_rip_off) + - sizeof(code.data.assembly.lea_rdi_rip_off) - sizeof(gint); + } else { - if (!instrument_coverage_in_range(afl_area_ptr_value)) { + guint64 shm_env_val = g_ascii_strtoull(shm_env, NULL, 10); - FATAL("Patch out of range (afl_area_ptr_value): 0x%016lX", - afl_area_ptr_value); + if (shm_env_val == 0) { - } + instrument_coverage_optimize_map_mmap(shm_env, low_address); - gint *dst_afl_area_ptr_value = (gint *)&code.bytes[afl_area_ptr_offset]; - *dst_afl_area_ptr_value = (gint)afl_area_ptr_value; + } else { - gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code)); + instrument_coverage_optimize_map_shm(shm_env_val, low_address); - gum_x86_writer_put_label(cw, after_log_impl); + } } + OKF("__afl_area_ptr: %p", __afl_area_ptr); + OKF("instrument_previous_pc: %p", &instrument_previous_pc); + } void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output) { + afl_log_code code = {0}; GumX86Writer *cw = output->writer.x86; guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); - instrument_coverate_write_function(output); - - gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, - -GUM_RED_ZONE_SIZE); - gum_x86_writer_put_push_reg(cw, GUM_REG_RDI); - gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RDI, area_offset); - gum_x86_writer_put_call_address(cw, current_log_impl); - gum_x86_writer_put_pop_reg(cw, GUM_REG_RDI); - gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, - GUM_RED_ZONE_SIZE); + GumAddress code_addr = 0; + + // gum_x86_writer_put_breakpoint(cw); + code_addr = cw->pc; + code.code = template; + + gssize curr_loc_shr_1_offset = + offsetof(afl_log_code, code.mov_rsi_curr_loc_shr_1) + + sizeof(code.code.mov_rsi_curr_loc_shr_1) - sizeof(guint32); + + *((guint32 *)&code.bytes[curr_loc_shr_1_offset]) = + (guint32)(area_offset >> 1); + + gssize prev_loc_value = + GPOINTER_TO_SIZE(&instrument_previous_pc) - + (code_addr + offsetof(afl_log_code, code.xchg_rsi_prev_loc_curr_loc) + + sizeof(code.code.xchg_rsi_prev_loc_curr_loc)); + gssize prev_loc_value_offset = + offsetof(afl_log_code, code.xchg_rsi_prev_loc_curr_loc) + + sizeof(code.code.xchg_rsi_prev_loc_curr_loc) - sizeof(gint); + if (!instrument_coverage_in_range(prev_loc_value)) { + + FATAL("Patch out of range (current_pc_value1): 0x%016lX", prev_loc_value); + + } + + *((gint *)&code.bytes[prev_loc_value_offset]) = (gint)prev_loc_value; + + gssize xor_curr_loc_offset = offsetof(afl_log_code, code.xor_rsi_curr_loc) + + sizeof(code.code.xor_rsi_curr_loc) - + sizeof(guint32); + + *((guint32 *)&code.bytes[xor_curr_loc_offset]) = (guint32)(area_offset); + + gssize add_rsi_1_offset = offsetof(afl_log_code, code.add_rsi_1) + + sizeof(code.code.add_rsi_1) - sizeof(guint32) - 1; + + *((guint32 *)&code.bytes[add_rsi_1_offset]) = + (guint32)GPOINTER_TO_SIZE(__afl_area_ptr); + + gssize adc_rsi_0_ffset = offsetof(afl_log_code, code.adc_rsi_0) + + sizeof(code.code.adc_rsi_0) - sizeof(guint32) - 1; + + *((guint32 *)&code.bytes[adc_rsi_0_ffset]) = + (guint32)GPOINTER_TO_SIZE(__afl_area_ptr); + + gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code)); } diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c index 5b6eb462..1b666fce 100644 --- a/frida_mode/src/ranges.c +++ b/frida_mode/src/ranges.c @@ -549,18 +549,19 @@ static GArray *merge_ranges(GArray *a) { } +void ranges_print_debug_maps(void) { + + gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, print_ranges_callback, NULL); + +} + void ranges_config(void) { if (getenv("AFL_FRIDA_DEBUG_MAPS") != NULL) { ranges_debug_maps = TRUE; } if (getenv("AFL_INST_LIBS") != NULL) { ranges_inst_libs = TRUE; } if (getenv("AFL_FRIDA_INST_JIT") != NULL) { ranges_inst_jit = TRUE; } - if (ranges_debug_maps) { - - gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, print_ranges_callback, - NULL); - - } + if (ranges_debug_maps) { ranges_print_debug_maps(); } include_ranges = collect_ranges("AFL_FRIDA_INST_RANGES"); exclude_ranges = collect_ranges("AFL_FRIDA_EXCLUDE_RANGES"); -- cgit 1.4.1 From 269dc29efe920abf3935d2052e11dfb94ec799e2 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Tue, 12 Oct 2021 12:48:54 +0100 Subject: frida mode fix on x86_64 archs --- frida_mode/GNUmakefile | 8 ++++---- frida_mode/src/instrument/instrument_arm32.c | 4 ++++ frida_mode/src/instrument/instrument_arm64.c | 3 +++ frida_mode/src/instrument/instrument_x64.c | 7 +++++-- frida_mode/src/instrument/instrument_x86.c | 3 +++ 5 files changed, 19 insertions(+), 6 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index ab6efecf..4d6d7147 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -30,9 +30,7 @@ AFL_CFLAGS:=-Wno-unused-parameter \ LDFLAGS+=-shared \ -lpthread \ - -lresolv \ - -ldl \ - -lrt + -lresolv ifdef DEBUG CFLAGS+=-Werror \ @@ -72,7 +70,9 @@ ifdef DEBUG endif LDFLAGS+= -z noexecstack \ -Wl,--gc-sections \ - -Wl,--exclude-libs,ALL + -Wl,--exclude-libs,ALL \ + -ldl \ + -lrt LDSCRIPT:=-Wl,--version-script=$(PWD)frida.map endif diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index 0e15940a..4b0a648e 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -22,6 +22,10 @@ void instrument_coverage_optimize(const cs_insn * instr, } +void instrument_coverage_optimize_init(void) { + WARNF("Optimized coverage not supported on this architecture"); +} + void instrument_flush(GumStalkerOutput *output) { gum_arm_writer_flush(output->writer.arm); diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index cf37e048..80d1d845 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -95,6 +95,9 @@ void instrument_coverage_optimize(const cs_insn * instr, } +void instrument_coverage_optimize_init(void) { +} + void instrument_flush(GumStalkerOutput *output) { gum_arm64_writer_flush(output->writer.arm64); diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index dc040a20..60f443e0 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -1,10 +1,13 @@ #include #include -#include #include -#include #include +#if defined(__linux__) +#include +#include +#endif + #include "frida-gumjs.h" #include "config.h" diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index 7bf48f96..1ff5c920 100644 --- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c @@ -83,6 +83,9 @@ void instrument_coverage_optimize(const cs_insn * instr, } +void instrument_coverage_optimize_init(void) { +} + void instrument_flush(GumStalkerOutput *output) { gum_x86_writer_flush(output->writer.x86); -- cgit 1.4.1 From 319db6759ba9dfaac454d5669214ae3aa65831fe Mon Sep 17 00:00:00 2001 From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> Date: Wed, 13 Oct 2021 18:41:45 +0100 Subject: Fix missing MAP_FIXED_NOREPLACE (#1116) Co-authored-by: Your Name --- frida_mode/src/instrument/instrument_x64.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 60f443e0..ebdf1440 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -18,6 +18,14 @@ #if defined(__x86_64__) +#ifndef MAP_FIXED_NOREPLACE + #ifdef MAP_EXCL + #define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED + #else + #define MAP_FIXED_NOREPLACE MAP_FIXED + #endif +#endif + gboolean instrument_is_coverage_optimize_supported(void) { return true; -- cgit 1.4.1 From c96fdfac01829a5f6a9e98968817d6b6588389b8 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sat, 16 Oct 2021 12:44:25 +0100 Subject: frida mode android build fix proposal. also protecting seccomp the other way around in case it is ported in another platform supported by frida. --- frida_mode/GNUmakefile | 16 ++++++++++++++++ frida_mode/README.md | 14 ++++++++++++++ frida_mode/src/instrument/instrument_x64.c | 12 ++++++++++++ frida_mode/src/seccomp/seccomp_atomic.c | 2 +- frida_mode/src/seccomp/seccomp_callback.c | 2 +- frida_mode/src/seccomp/seccomp_child.c | 2 +- frida_mode/src/seccomp/seccomp_event.c | 2 +- frida_mode/src/seccomp/seccomp_filter.c | 2 +- frida_mode/src/seccomp/seccomp_print.c | 2 +- frida_mode/src/seccomp/seccomp_socket.c | 2 +- frida_mode/src/seccomp/seccomp_syscall.c | 2 +- 11 files changed, 50 insertions(+), 8 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index 4d6d7147..ed35c9f6 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -80,6 +80,22 @@ ifeq "$(shell uname)" "Linux" OS:=linux endif +ifneq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" "" + OS:=android + ifneq "$(findstring aarch64, $(shell $(CC) --version 2>/dev/null))" "" + ARCH:=arm64 + endif + ifneq "$(findstring arm, $(shell $(CC) --version 2>/dev/null))" "" + ARCH:=arm + endif + ifneq "$(findstring x86_64, $(shell $(CC) --version 2>/dev/null))" "" + ARCH:=x86_64 + endif + ifneq "$(findstring i686, $(shell $(CC) --version 2>/dev/null))" "" + ARCH:=x86 + endif +endif + ifndef OS $(error "Operating system unsupported") endif diff --git a/frida_mode/README.md b/frida_mode/README.md index 165f8089..df40c771 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -55,6 +55,20 @@ tests in 32-bit mode, run `make ARCH=x86 frida`. When switching between architectures it may be necessary to run `make clean` first for a given build target to remove previously generated binaries for a different architecture. +### Android + +In order to build, you need to download the Android SDK. + +``` +https://developer.android.com/ndk/downloads +``` + +Then creating locally a standalone chain as follow. + +``` +https://developer.android.com/ndk/guides/standalone_toolchain +``` + ## Usage FRIDA mode added some small modifications to `afl-fuzz` and similar tools diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index ebdf1440..a7eb650a 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -4,8 +4,12 @@ #include #if defined(__linux__) +#if !defined(__ANDROID__) #include #include +#else +#include +#endif #endif #include "frida-gumjs.h" @@ -156,8 +160,16 @@ static void instrument_coverage_optimize_map_mmap(char * shm_file_path, __afl_area_ptr = NULL; +#if !defined(__ANDROID__) shm_fd = shm_open(shm_file_path, O_RDWR, DEFAULT_PERMISSION); if (shm_fd == -1) { FATAL("shm_open() failed\n"); } +#else + shm_fd = open("/dev/ashmem", O_RDWR); + if (shm_fd == -1) { FATAL("open() failed\n"); } + if (ioctl(shm_fd, ASHMEM_SET_NAME, shm_file_path) == -1) { FATAL("ioctl(ASHMEM_SET_NAME) failed"); } + if (ioctl(shm_fd, ASHMEM_SET_SIZE, __afl_map_size) == -1) { FATAL("ioctl(ASHMEM_SET_SIZE) failed"); } + +#endif __afl_area_ptr = mmap(address, __afl_map_size, PROT_READ | PROT_WRITE, MAP_FIXED_NOREPLACE | MAP_SHARED, shm_fd, 0); diff --git a/frida_mode/src/seccomp/seccomp_atomic.c b/frida_mode/src/seccomp/seccomp_atomic.c index 5097511a..c2042f97 100644 --- a/frida_mode/src/seccomp/seccomp_atomic.c +++ b/frida_mode/src/seccomp/seccomp_atomic.c @@ -1,4 +1,4 @@ -#ifndef __APPLE__ +#if defined(__linux__) && !defined(__ANDROID__) #include #include diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c index 7e1e2070..a88196ac 100644 --- a/frida_mode/src/seccomp/seccomp_callback.c +++ b/frida_mode/src/seccomp/seccomp_callback.c @@ -1,4 +1,4 @@ -#ifndef __APPLE__ +#if defined(__linux__) && !defined(__ANDROID__) #include #include diff --git a/frida_mode/src/seccomp/seccomp_child.c b/frida_mode/src/seccomp/seccomp_child.c index f665f472..43a79894 100644 --- a/frida_mode/src/seccomp/seccomp_child.c +++ b/frida_mode/src/seccomp/seccomp_child.c @@ -1,4 +1,4 @@ -#ifndef __APPLE__ +#if defined(__linux__) && !defined(__ANDROID__) #include #include diff --git a/frida_mode/src/seccomp/seccomp_event.c b/frida_mode/src/seccomp/seccomp_event.c index dd4abde7..e2f592ca 100644 --- a/frida_mode/src/seccomp/seccomp_event.c +++ b/frida_mode/src/seccomp/seccomp_event.c @@ -1,4 +1,4 @@ -#ifndef __APPLE__ +#if defined(__linux__) && !defined(__ANDROID__) #include #include diff --git a/frida_mode/src/seccomp/seccomp_filter.c b/frida_mode/src/seccomp/seccomp_filter.c index 13ff7522..8d56c367 100644 --- a/frida_mode/src/seccomp/seccomp_filter.c +++ b/frida_mode/src/seccomp/seccomp_filter.c @@ -1,4 +1,4 @@ -#ifndef __APPLE__ +#if defined(__linux__) && !defined(__ANDROID__) #include #include diff --git a/frida_mode/src/seccomp/seccomp_print.c b/frida_mode/src/seccomp/seccomp_print.c index be4d80ce..3cea1239 100644 --- a/frida_mode/src/seccomp/seccomp_print.c +++ b/frida_mode/src/seccomp/seccomp_print.c @@ -1,4 +1,4 @@ -#ifndef __APPLE__ +#if defined(__linux__) && !defined(__ANDROID__) #include diff --git a/frida_mode/src/seccomp/seccomp_socket.c b/frida_mode/src/seccomp/seccomp_socket.c index fae95805..ef937420 100644 --- a/frida_mode/src/seccomp/seccomp_socket.c +++ b/frida_mode/src/seccomp/seccomp_socket.c @@ -1,4 +1,4 @@ -#ifndef __APPLE__ +#if defined(__linux__) && !defined(__ANDROID__) #include #include diff --git a/frida_mode/src/seccomp/seccomp_syscall.c b/frida_mode/src/seccomp/seccomp_syscall.c index e023c131..8335b93c 100644 --- a/frida_mode/src/seccomp/seccomp_syscall.c +++ b/frida_mode/src/seccomp/seccomp_syscall.c @@ -1,4 +1,4 @@ -#ifndef __APPLE__ +#if defined(__linux__) && !defined(__ANDROID__) #include #include -- cgit 1.4.1 From f68b9f5110f75068b65be35bd73d458f048f3fa1 Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Sat, 23 Oct 2021 20:09:36 +0100 Subject: frida mode display command line on mac --- frida_mode/src/main.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index c0de9c6b..c8183d8f 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -6,6 +6,7 @@ #ifdef __APPLE__ #include #include + #include #else #include #include @@ -90,6 +91,7 @@ static void embedded_init(void) { static void afl_print_cmdline(void) { +#if defined(__linux__) char * buffer = g_malloc0(PROC_MAX); gchar *fname = g_strdup_printf("/proc/%d/cmdline", getppid()); int fd = open(fname, O_RDONLY); @@ -123,6 +125,17 @@ static void afl_print_cmdline(void) { close(fd); g_free(fname); g_free(buffer); +#elif defined(__APPLE__) + int idx; + char **argv = *_NSGetArgv(); + int nargv = *_NSGetArgc(); + + for (idx = 0; idx < nargv; idx ++) { + + OKF("AFL - COMMANDLINE: argv[%d] = %s", idx, argv[idx]); + + } +#endif } -- cgit 1.4.1 From 85ca0df98988cdb235e1d0cb9b156affc5afc80e Mon Sep 17 00:00:00 2001 From: David Carlier Date: Mon, 25 Oct 2021 06:53:45 +0100 Subject: frida mode musl build fix --- frida_mode/GNUmakefile | 3 +++ frida_mode/src/seccomp/seccomp_callback.c | 4 ++++ 2 files changed, 7 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index ed35c9f6..b5fee7a6 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -78,6 +78,9 @@ endif ifeq "$(shell uname)" "Linux" OS:=linux + ifneq "$(findstring musl, $(shell ldd --version 2>&1 | head -n 1))" "" + CFLAGS+= -D__MUSL__ + endif endif ifneq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" "" diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c index a88196ac..bc488489 100644 --- a/frida_mode/src/seccomp/seccomp_callback.c +++ b/frida_mode/src/seccomp/seccomp_callback.c @@ -1,6 +1,8 @@ #if defined(__linux__) && !defined(__ANDROID__) +#if !defined(__MUSL__) #include +#endif #include #include "seccomp.h" @@ -29,6 +31,7 @@ static void seccomp_callback_filter(struct seccomp_notif * req, req->data.args[0], req->data.args[1], req->data.args[2], req->data.args[3], req->data.args[4], req->data.args[5]); +#if !defined(__MUSL__) seccomp_print("FRAMES: (%u)\n", frames->len); char **syms = backtrace_symbols(frames->items, frames->len); if (syms == NULL) { FATAL("Failed to get symbols"); } @@ -49,6 +52,7 @@ static void seccomp_callback_filter(struct seccomp_notif * req, } free(syms); +#endif resp->error = 0; resp->val = 0; -- cgit 1.4.1 From 7407e2fb11675261173c625c3010ce9571a7d6f6 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Mon, 25 Oct 2021 09:37:51 +0100 Subject: frida mode musl further changes display stack trace --- frida_mode/src/seccomp/seccomp_callback.c | 16 ++++++++++++++++ frida_mode/src/seccomp/seccomp_filter.c | 2 ++ 2 files changed, 18 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c index bc488489..4232d842 100644 --- a/frida_mode/src/seccomp/seccomp_callback.c +++ b/frida_mode/src/seccomp/seccomp_callback.c @@ -52,6 +52,22 @@ static void seccomp_callback_filter(struct seccomp_notif * req, } free(syms); +#else + void **syms = (void **)__builtin_frame_address(0); + void *framep = __builtin_frame_address(1); + int i = 0; + + syms = framep; + while (syms) { + + framep = *syms; + syms = framep; + + if (!syms) break; + + seccomp_print("\%3d. %s\n", i ++, (char *)framep); + + } #endif resp->error = 0; diff --git a/frida_mode/src/seccomp/seccomp_filter.c b/frida_mode/src/seccomp/seccomp_filter.c index 8d56c367..7ee5ead1 100644 --- a/frida_mode/src/seccomp/seccomp_filter.c +++ b/frida_mode/src/seccomp/seccomp_filter.c @@ -2,7 +2,9 @@ #include #include +#if !defined(__MUSL__) #include +#endif #include #include #include -- cgit 1.4.1 From f14b3bd9de4570a30c0f89bac2879ee3a7cfbcae Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 26 Oct 2021 18:48:13 +0100 Subject: Fix issues with Yama restrictions in FRIDA mode --- frida_mode/README.md | 6 ++++++ frida_mode/frida.map | 1 + frida_mode/include/entry.h | 3 +++ frida_mode/src/entry.c | 32 ++++++++++++++++++++++++++++++++ frida_mode/src/js/api.js | 7 +++++++ frida_mode/src/js/js_api.c | 6 ++++++ frida_mode/ts/lib/afl.ts | 12 ++++++++++++ include/envs.h | 1 + 8 files changed, 68 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/README.md b/frida_mode/README.md index df40c771..bb194080 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -288,6 +288,12 @@ ucomisd 2 ( 0.86%) * `AFL_FRIDA_STATS_INTERVAL` - The maximum frequency to output statistics information. Stats will be written whenever they are updated if the given interval has elapsed since last time they were written. +* `AFL_FRIDA_TRACEABLE` - Set the child process to be traceable by any process +to aid debugging and overcome the restrictions imposed by YAMA. Supported on +Linux only. Permits a non-root user to use `gcore` or similar to collect a core +dump of the instrumented target. Note that in order to capture the core dump you +must set a sufficient timeout (using `-t`) to avoid `afl-fuzz` killing the +process whilst it is being dumped. ## FASAN - Frida Address Sanitizer Mode Frida mode also supports FASAN. The design of this is actually quite simple and diff --git a/frida_mode/frida.map b/frida_mode/frida.map index 0fc48aa6..e2ae87a7 100644 --- a/frida_mode/frida.map +++ b/frida_mode/frida.map @@ -33,6 +33,7 @@ js_api_set_stats_interval; js_api_set_stderr; js_api_set_stdout; + js_api_set_traceable; local: *; diff --git a/frida_mode/include/entry.h b/frida_mode/include/entry.h index 3f0a4ecc..edc41467 100644 --- a/frida_mode/include/entry.h +++ b/frida_mode/include/entry.h @@ -4,6 +4,7 @@ #include "frida-gumjs.h" extern guint64 entry_point; +extern gboolean traceable; extern gboolean entry_compiled; extern gboolean entry_run; @@ -15,5 +16,7 @@ void entry_start(void); void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output); +void entry_on_fork(void); + #endif diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index 186ddd3a..0ce2f3c3 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -1,5 +1,9 @@ #include +#if defined(__linux__) && !defined(__ANDROID__) + #include +#endif + #include "frida-gumjs.h" #include "debug.h" @@ -16,6 +20,7 @@ extern void __afl_manual_init(); guint64 entry_point = 0; +gboolean traceable = FALSE; gboolean entry_compiled = FALSE; gboolean entry_run = FALSE; @@ -26,21 +31,48 @@ static void entry_launch(void) { /* Child here */ entry_run = TRUE; + entry_on_fork(); instrument_on_fork(); seccomp_on_fork(); stats_on_fork(); } +#if defined(__linux__) && !defined(__ANDROID__) +void entry_on_fork(void) { + + if (traceable) { + + if (prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY) < 0) { + + FATAL("Failed to PR_SET_PTRACER"); + + } + + } + +} + +#else +void entry_on_fork(void) { + + if (set_dumpable) { WARNF("AFL_FRIDA_TRACEABLE unsupported"); } + +} + +#endif + void entry_config(void) { entry_point = util_read_address("AFL_ENTRYPOINT"); + if (getenv("AFL_FRIDA_TRACEABLE") != NULL) { traceable = TRUE; } } void entry_init(void) { OKF("entry_point: 0x%016" G_GINT64_MODIFIER "X", entry_point); + OKF("dumpable: [%c]", traceable ? 'X' : ' '); if (dlopen(NULL, RTLD_NOW) == NULL) { FATAL("Failed to dlopen: %d", errno); } diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js index 40bb4a16..6f9f05d8 100644 --- a/frida_mode/src/js/api.js +++ b/frida_mode/src/js/api.js @@ -243,6 +243,12 @@ class Afl { const buf = Memory.allocUtf8String(file); Afl.jsApiSetStdOut(buf); } + /** + * See `AFL_FRIDA_TRACEABLE`. + */ + static setTraceable() { + Afl.jsApiSetTraceable(); + } static jsApiGetFunction(name, retType, argTypes) { const addr = Afl.module.getExportByName(name); return new NativeFunction(addr, retType, argTypes); @@ -286,6 +292,7 @@ Afl.jsApiSetStatsFile = Afl.jsApiGetFunction("js_api_set_stats_file", "void", [" Afl.jsApiSetStatsInterval = Afl.jsApiGetFunction("js_api_set_stats_interval", "void", ["uint64"]); Afl.jsApiSetStdErr = Afl.jsApiGetFunction("js_api_set_stderr", "void", ["pointer"]); Afl.jsApiSetStdOut = Afl.jsApiGetFunction("js_api_set_stdout", "void", ["pointer"]); +Afl.jsApiSetTraceable = Afl.jsApiGetFunction("js_api_set_traceable", "void", []); Afl.jsApiWrite = new NativeFunction( /* tslint:disable-next-line:no-null-keyword */ Module.getExportByName(null, "write"), "int", ["int", "pointer", "int"]); diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index 9dba79aa..f3d81a32 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -231,3 +231,9 @@ __attribute__((visibility("default"))) void js_api_set_stalker_ic_entries( } +__attribute__((visibility("default"))) void js_api_set_traceable(void) { + + traceable = TRUE; + +} + diff --git a/frida_mode/ts/lib/afl.ts b/frida_mode/ts/lib/afl.ts index 8a1ebf1b..538d9b70 100644 --- a/frida_mode/ts/lib/afl.ts +++ b/frida_mode/ts/lib/afl.ts @@ -284,6 +284,13 @@ class Afl { Afl.jsApiSetStdOut(buf); } + /** + * See `AFL_FRIDA_TRACEABLE`. + */ + public static setTraceable(): void { + Afl.jsApiSetTraceable(); + } + private static readonly jsApiAddExcludeRange = Afl.jsApiGetFunction( "js_api_add_exclude_range", "void", @@ -431,6 +438,11 @@ class Afl { "void", ["pointer"]); + private static readonly jsApiSetTraceable = Afl.jsApiGetFunction( + "js_api_set_traceable", + "void", + []); + private static readonly jsApiWrite = new NativeFunction( /* tslint:disable-next-line:no-null-keyword */ Module.getExportByName(null, "write"), diff --git a/include/envs.h b/include/envs.h index e3957147..61267a0d 100644 --- a/include/envs.h +++ b/include/envs.h @@ -76,6 +76,7 @@ static char *afl_environment_variables[] = { "AFL_FRIDA_PERSISTENT_RET", "AFL_FRIDA_STATS_FILE", "AFL_FRIDA_STATS_INTERVAL", + "AFL_FRIDA_TRACEABLE", "AFL_FUZZER_ARGS", // oss-fuzz "AFL_GDB", "AFL_GCC_ALLOWLIST", -- cgit 1.4.1 From d85f5d4d62d2ca986b077aef06e8cb32148d9361 Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Tue, 26 Oct 2021 22:30:44 +0100 Subject: frida mode macOs build fix proposal --- frida_mode/src/entry.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index 0ce2f3c3..c51e202f 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -56,7 +56,7 @@ void entry_on_fork(void) { #else void entry_on_fork(void) { - if (set_dumpable) { WARNF("AFL_FRIDA_TRACEABLE unsupported"); } + if (traceable) { WARNF("AFL_FRIDA_TRACEABLE unsupported"); } } -- cgit 1.4.1 From 5bcb7a8fed18247e827452b127c6e4a6240bb93b Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 2 Nov 2021 20:21:43 +0100 Subject: modify frida for new cmplog --- frida_mode/src/cmplog/cmplog_arm64.c | 51 ++++++++++++++++++++++++++++-------- frida_mode/src/cmplog/cmplog_x64.c | 50 ++++++++++++++++++++++++++--------- frida_mode/src/cmplog/cmplog_x86.c | 51 +++++++++++++++++++++++++++--------- 3 files changed, 117 insertions(+), 35 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/cmplog/cmplog_arm64.c b/frida_mode/src/cmplog/cmplog_arm64.c index dd97f38d..ccc8e89e 100644 --- a/frida_mode/src/cmplog/cmplog_arm64.c +++ b/frida_mode/src/cmplog/cmplog_arm64.c @@ -104,9 +104,9 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { gsize x0 = ctx_read_reg(context, ARM64_REG_X0); gsize x1 = ctx_read_reg(context, ARM64_REG_X1); - if (((G_MAXULONG - x0) < 32) || ((G_MAXULONG - x1) < 32)) return; + if (((G_MAXULONG - x0) < 31) || ((G_MAXULONG - x1) < 31)) return; - if (!cmplog_is_readable(x0, 32) || !cmplog_is_readable(x1, 32)) return; + if (!cmplog_is_readable(x0, 31) || !cmplog_is_readable(x1, 31)) return; void *ptr1 = GSIZE_TO_POINTER(x0); void *ptr2 = GSIZE_TO_POINTER(x1); @@ -116,18 +116,36 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { k = (k >> 4) ^ (k << 8); k &= CMP_MAP_W - 1; - __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) { + + __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + __afl_cmp_map->headers[k].hits = 0; + + } + + u32 hits = 0; + + if (__afl_cmp_map->headers[k].hits == 0) { + + __afl_cmp_map->headers[k].shape = 30; + + } else { + + hits = __afl_cmp_map->headers[k].hits; + + } - u32 hits = __afl_cmp_map->headers[k].hits; __afl_cmp_map->headers[k].hits = hits + 1; - __afl_cmp_map->headers[k].shape = 31; + __afl_cmp_map->headers[k].shape = 30; hits &= CMP_MAP_RTN_H - 1; + ((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0_len = 31; + ((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1_len = 31; gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0, ptr1, - 32); + 31); gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1, ptr2, - 32); + 31); } @@ -193,12 +211,23 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1, k = (k >> 4) ^ (k << 8); k &= CMP_MAP_W - 1; - __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) + __afl_cmp_map->headers[k].hits = 0; - u32 hits = __afl_cmp_map->headers[k].hits; - __afl_cmp_map->headers[k].hits = hits + 1; + u32 hits = 0; + + if (__afl_cmp_map->headers[k].hits == 0) { + + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + __afl_cmp_map->headers[k].shape = (size - 1); + + } else { - __afl_cmp_map->headers[k].shape = (size - 1); + hits = __afl_cmp_map->headers[k].hits; + + } + + __afl_cmp_map->headers[k].hits = hits + 1; hits &= CMP_MAP_H - 1; __afl_cmp_map->log[k][hits].v0 = operand1; diff --git a/frida_mode/src/cmplog/cmplog_x64.c b/frida_mode/src/cmplog/cmplog_x64.c index 0d18767a..5319f727 100644 --- a/frida_mode/src/cmplog/cmplog_x64.c +++ b/frida_mode/src/cmplog/cmplog_x64.c @@ -99,9 +99,9 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { gsize rdi = ctx_read_reg(context, X86_REG_RDI); gsize rsi = ctx_read_reg(context, X86_REG_RSI); - if (((G_MAXULONG - rdi) < 32) || ((G_MAXULONG - rsi) < 32)) return; + if (((G_MAXULONG - rdi) < 31) || ((G_MAXULONG - rsi) < 31)) return; - if (!cmplog_is_readable(rdi, 32) || !cmplog_is_readable(rsi, 32)) return; + if (!cmplog_is_readable(rdi, 31) || !cmplog_is_readable(rsi, 31)) return; void *ptr1 = GSIZE_TO_POINTER(rdi); void *ptr2 = GSIZE_TO_POINTER(rsi); @@ -111,18 +111,34 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { k = (k >> 4) ^ (k << 8); k &= CMP_MAP_W - 1; - __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) { - u32 hits = __afl_cmp_map->headers[k].hits; - __afl_cmp_map->headers[k].hits = hits + 1; + __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + __afl_cmp_map->headers[k].hits = 0; + + } + + u32 hits = 0; + + if (__afl_cmp_map->headers[k].hits == 0) { + + __afl_cmp_map->headers[k].shape = 30; + + } else { + + hits = __afl_cmp_map->headers[k].hits; + + } - __afl_cmp_map->headers[k].shape = 31; + __afl_cmp_map->headers[k].hits = hits + 1; hits &= CMP_MAP_RTN_H - 1; + ((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0_len = 31; + ((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1_len = 31; gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0, ptr1, - 32); + 31); gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1, ptr2, - 32); + 31); } @@ -179,13 +195,23 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1, k = (k >> 4) ^ (k << 8); k &= CMP_MAP_W - 7; - __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) + __afl_cmp_map->headers[k].hits = 0; - u32 hits = __afl_cmp_map->headers[k].hits; - __afl_cmp_map->headers[k].hits = hits + 1; + u32 hits = 0; + + if (__afl_cmp_map->headers[k].hits == 0) { + + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + __afl_cmp_map->headers[k].shape = (size - 1); - __afl_cmp_map->headers[k].shape = (size - 1); + } else { + hits = __afl_cmp_map->headers[k].hits; + + } + + __afl_cmp_map->headers[k].hits = hits + 1; hits &= CMP_MAP_H - 1; __afl_cmp_map->log[k][hits].v0 = operand1; __afl_cmp_map->log[k][hits].v1 = operand2; diff --git a/frida_mode/src/cmplog/cmplog_x86.c b/frida_mode/src/cmplog/cmplog_x86.c index dd666c34..27d06720 100644 --- a/frida_mode/src/cmplog/cmplog_x86.c +++ b/frida_mode/src/cmplog/cmplog_x86.c @@ -104,9 +104,9 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { gsize arg1 = esp[0]; gsize arg2 = esp[1]; - if (((G_MAXULONG - arg1) < 32) || ((G_MAXULONG - arg2) < 32)) return; + if (((G_MAXULONG - arg1) < 31) || ((G_MAXULONG - arg2) < 31)) return; - if (!cmplog_is_readable(arg1, 32) || !cmplog_is_readable(arg2, 32)) return; + if (!cmplog_is_readable(arg1, 31) || !cmplog_is_readable(arg2, 31)) return; void *ptr1 = GSIZE_TO_POINTER(arg1); void *ptr2 = GSIZE_TO_POINTER(arg2); @@ -116,18 +116,34 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { k = (k >> 4) ^ (k << 8); k &= CMP_MAP_W - 1; - __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) { - u32 hits = __afl_cmp_map->headers[k].hits; - __afl_cmp_map->headers[k].hits = hits + 1; + __afl_cmp_map->headers[k].type = CMP_TYPE_RTN; + __afl_cmp_map->headers[k].hits = 0; + + } + + u32 hits = 0; + + if (__afl_cmp_map->headers[k].hits == 0) { - __afl_cmp_map->headers[k].shape = 31; + __afl_cmp_map->headers[k].shape = 30; + + } else { + + hits = __afl_cmp_map->headers[k].hits; + + } + + __afl_cmp_map->headers[k].hits = hits + 1; hits &= CMP_MAP_RTN_H - 1; + ((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0_len = 31; + ((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1_len = 31; gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0, ptr1, - 32); + 31); gum_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1, ptr2, - 32); + 31); } @@ -184,12 +200,23 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1, k = (k >> 4) ^ (k << 8); k &= CMP_MAP_W - 1; - __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) + __afl_cmp_map->headers[k].hits = 0; - u32 hits = __afl_cmp_map->headers[k].hits; - __afl_cmp_map->headers[k].hits = hits + 1; + u32 hits = 0; + + if (__afl_cmp_map->headers[k].hits == 0) { + + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + __afl_cmp_map->headers[k].shape = (size - 1); + + } else { - __afl_cmp_map->headers[k].shape = (size - 1); + hits = __afl_cmp_map->headers[k].hits; + + } + + __afl_cmp_map->headers[k].hits = hits + 1; hits &= CMP_MAP_H - 1; __afl_cmp_map->log[k][hits].v0 = operand1; -- cgit 1.4.1 From 6ce3d7fede6b32b522b6cc4403f7c0101cf4a4bc Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 4 Nov 2021 15:53:17 +0100 Subject: add AFL_USE_TSAN --- TODO.md | 1 + docs/Changelog.md | 2 + docs/fuzzing_expert.md | 2 + frida_mode/src/instrument/instrument.c | 4 +- frida_mode/src/instrument/instrument_arm32.c | 2 + frida_mode/src/instrument/instrument_arm64.c | 1 + frida_mode/src/instrument/instrument_x64.c | 54 ++++++++++++++------------ frida_mode/src/instrument/instrument_x86.c | 1 + frida_mode/src/main.c | 7 ++-- frida_mode/src/prefetch.c | 6 +-- frida_mode/src/seccomp/seccomp_callback.c | 32 ++++++++------- frida_mode/src/seccomp/seccomp_filter.c | 6 +-- include/envs.h | 1 + instrumentation/SanitizerCoverageLTO.so.cc | 3 +- instrumentation/SanitizerCoveragePCGUARD.so.cc | 3 +- instrumentation/afl-llvm-pass.so.cc | 3 +- qemu_mode/libcompcov/libcompcov.so.c | 25 +++++++++--- src/afl-as.c | 1 + src/afl-cc.c | 9 +++++ utils/aflpp_driver/aflpp_qemu_driver.c | 2 +- 20 files changed, 106 insertions(+), 59 deletions(-) (limited to 'frida_mode/src') diff --git a/TODO.md b/TODO.md index 1d4270b4..30676312 100644 --- a/TODO.md +++ b/TODO.md @@ -2,6 +2,7 @@ ## TODO + - AFL_USE_TSAN to docs/env_variables.md after work over - screen update during input2stage - better autodetection of shifting runtime timeout values - Update afl->pending_not_fuzzed for MOpt diff --git a/docs/Changelog.md b/docs/Changelog.md index 04b2fb2e..cfeb8cc1 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -26,7 +26,9 @@ sending a mail to . - Prevent accidently killing non-afl/fuzz services when aborting afl-showmap and other tools. - afl-cc: + - support llvm IR select instrumentation for default PCGUARD and LTO - fix for shared linking on MacOS + - added AFL_USE_TSAN thread sanitizer support - llvm and LTO mode modified to work with new llvm 14-dev (again) - added the very good grammar mutator "GramaTron" to the custom_mutators diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md index 96193f88..44ebade4 100644 --- a/docs/fuzzing_expert.md +++ b/docs/fuzzing_expert.md @@ -149,6 +149,8 @@ The following sanitizers have built-in support in AFL++: vulnerabilities - which is however one of the most important and dangerous C++ memory corruption classes! Enabled with `export AFL_USE_CFISAN=1` before compiling. + * TSAN = Thread SANitizer, finds thread race conditions. + Enabled with `export AFL_USE_TSAN=1` before compiling. * LSAN = Leak SANitizer, finds memory leaks in a program. This is not really a security issue, but for developers this can be very valuable. Note that unlike the other sanitizers above this needs diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 81d85aa1..eeebe545 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -347,8 +347,8 @@ void instrument_init(void) { #else tid = syscall(SYS_gettid); #endif - instrument_hash_seed = g_get_monotonic_time() ^ - (((guint64)getpid()) << 32) ^ tid; + instrument_hash_seed = + g_get_monotonic_time() ^ (((guint64)getpid()) << 32) ^ tid; } diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index 4b0a648e..395d56c1 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -23,7 +23,9 @@ void instrument_coverage_optimize(const cs_insn * instr, } void instrument_coverage_optimize_init(void) { + WARNF("Optimized coverage not supported on this architecture"); + } void instrument_flush(GumStalkerOutput *output) { diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 80d1d845..358e8e6b 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -96,6 +96,7 @@ void instrument_coverage_optimize(const cs_insn * instr, } void instrument_coverage_optimize_init(void) { + } void instrument_flush(GumStalkerOutput *output) { diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index a7eb650a..19ec81b2 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -4,12 +4,12 @@ #include #if defined(__linux__) -#if !defined(__ANDROID__) -#include -#include -#else -#include -#endif + #if !defined(__ANDROID__) + #include + #include + #else + #include + #endif #endif #include "frida-gumjs.h" @@ -22,13 +22,13 @@ #if defined(__x86_64__) -#ifndef MAP_FIXED_NOREPLACE - #ifdef MAP_EXCL - #define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED - #else - #define MAP_FIXED_NOREPLACE MAP_FIXED + #ifndef MAP_FIXED_NOREPLACE + #ifdef MAP_EXCL + #define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED + #else + #define MAP_FIXED_NOREPLACE MAP_FIXED + #endif #endif -#endif gboolean instrument_is_coverage_optimize_supported(void) { @@ -53,15 +53,12 @@ typedef struct { // 0x7ffff6cfb08b: pushf // 0x7ffff6cfb08c: push rsi // 0x7ffff6cfb08d: mov rsi,0x228 - // 0x7ffff6cfb094: xchg QWORD PTR [rip+0x3136a5],rsi # 0x7ffff700e740 - // 0x7ffff6cfb09b: xor rsi,0x451 - // 0x7ffff6cfb0a2: add BYTE PTR [rsi+0x10000],0x1 - // 0x7ffff6cfb0a9: adc BYTE PTR [rsi+0x10000],0x0 - // 0x7ffff6cfb0b0: pop rsi - // 0x7ffff6cfb0b1: popf + // 0x7ffff6cfb094: xchg QWORD PTR [rip+0x3136a5],rsi # + // 0x7ffff700e740 0x7ffff6cfb09b: xor rsi,0x451 0x7ffff6cfb0a2: add + // BYTE PTR [rsi+0x10000],0x1 0x7ffff6cfb0a9: adc BYTE PTR + // [rsi+0x10000],0x0 0x7ffff6cfb0b0: pop rsi 0x7ffff6cfb0b1: popf // 0x7ffff6cfb0b2: lea rsp,[rsp+0x80] - uint8_t lea_rsp_rsp_sub_rz[5]; uint8_t push_fq; uint8_t push_rsi; @@ -160,16 +157,25 @@ static void instrument_coverage_optimize_map_mmap(char * shm_file_path, __afl_area_ptr = NULL; -#if !defined(__ANDROID__) + #if !defined(__ANDROID__) shm_fd = shm_open(shm_file_path, O_RDWR, DEFAULT_PERMISSION); if (shm_fd == -1) { FATAL("shm_open() failed\n"); } -#else + #else shm_fd = open("/dev/ashmem", O_RDWR); if (shm_fd == -1) { FATAL("open() failed\n"); } - if (ioctl(shm_fd, ASHMEM_SET_NAME, shm_file_path) == -1) { FATAL("ioctl(ASHMEM_SET_NAME) failed"); } - if (ioctl(shm_fd, ASHMEM_SET_SIZE, __afl_map_size) == -1) { FATAL("ioctl(ASHMEM_SET_SIZE) failed"); } + if (ioctl(shm_fd, ASHMEM_SET_NAME, shm_file_path) == -1) { -#endif + FATAL("ioctl(ASHMEM_SET_NAME) failed"); + + } + + if (ioctl(shm_fd, ASHMEM_SET_SIZE, __afl_map_size) == -1) { + + FATAL("ioctl(ASHMEM_SET_SIZE) failed"); + + } + + #endif __afl_area_ptr = mmap(address, __afl_map_size, PROT_READ | PROT_WRITE, MAP_FIXED_NOREPLACE | MAP_SHARED, shm_fd, 0); diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index 1ff5c920..f90c01c2 100644 --- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c @@ -84,6 +84,7 @@ void instrument_coverage_optimize(const cs_insn * instr, } void instrument_coverage_optimize_init(void) { + } void instrument_flush(GumStalkerOutput *output) { diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index c8183d8f..3599143b 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -126,15 +126,16 @@ static void afl_print_cmdline(void) { g_free(fname); g_free(buffer); #elif defined(__APPLE__) - int idx; + int idx; char **argv = *_NSGetArgv(); - int nargv = *_NSGetArgc(); + int nargv = *_NSGetArgc(); - for (idx = 0; idx < nargv; idx ++) { + for (idx = 0; idx < nargv; idx++) { OKF("AFL - COMMANDLINE: argv[%d] = %s", idx, argv[idx]); } + #endif } diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c index c30ca65c..1ddbd5ed 100644 --- a/frida_mode/src/prefetch.c +++ b/frida_mode/src/prefetch.c @@ -44,8 +44,8 @@ static void gum_afl_stalker_backpatcher_notify(GumStalkerObserver *self, sizeof(prefetch_data->backpatch_data) - prefetch_data->backpatch_size; if (sizeof(gsize) + size > remaining) { return; } - gsize *dst_backpatch_size = (gsize *) - &prefetch_data->backpatch_data[prefetch_data->backpatch_size]; + gsize *dst_backpatch_size = + (gsize *)&prefetch_data->backpatch_data[prefetch_data->backpatch_size]; *dst_backpatch_size = size; prefetch_data->backpatch_size += sizeof(gsize); @@ -117,7 +117,7 @@ static void prefetch_read_patches(void) { remaining = prefetch_data->backpatch_size - offset) { gsize *src_backpatch_data = (gsize *)&prefetch_data->backpatch_data[offset]; - gsize size = *src_backpatch_data; + gsize size = *src_backpatch_data; offset += sizeof(gsize); if (prefetch_data->backpatch_size - offset < size) { diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c index 4232d842..ac0fb8bb 100644 --- a/frida_mode/src/seccomp/seccomp_callback.c +++ b/frida_mode/src/seccomp/seccomp_callback.c @@ -1,8 +1,8 @@ #if defined(__linux__) && !defined(__ANDROID__) -#if !defined(__MUSL__) - #include -#endif + #if !defined(__MUSL__) + #include + #endif #include #include "seccomp.h" @@ -16,12 +16,13 @@ static void seccomp_callback_filter(struct seccomp_notif * req, GumDebugSymbolDetails details = {0}; if (req->data.nr == SYS_OPENAT) { -#if UINTPTR_MAX == 0xffffffffffffffffu + #if UINTPTR_MAX == 0xffffffffffffffffu seccomp_print("SYS_OPENAT: (%s)\n", (char *)req->data.args[1]); -#endif -#if UINTPTR_MAX == 0xffffffff + #endif + #if UINTPTR_MAX == 0xffffffff seccomp_print("SYS_OPENAT: (%s)\n", (char *)(__u32)req->data.args[1]); -#endif + #endif + } seccomp_print( @@ -31,7 +32,7 @@ static void seccomp_callback_filter(struct seccomp_notif * req, req->data.args[0], req->data.args[1], req->data.args[2], req->data.args[3], req->data.args[4], req->data.args[5]); -#if !defined(__MUSL__) + #if !defined(__MUSL__) seccomp_print("FRAMES: (%u)\n", frames->len); char **syms = backtrace_symbols(frames->items, frames->len); if (syms == NULL) { FATAL("Failed to get symbols"); } @@ -52,23 +53,24 @@ static void seccomp_callback_filter(struct seccomp_notif * req, } free(syms); -#else + #else void **syms = (void **)__builtin_frame_address(0); - void *framep = __builtin_frame_address(1); - int i = 0; + void * framep = __builtin_frame_address(1); + int i = 0; syms = framep; while (syms) { - - framep = *syms; + + framep = *syms; syms = framep; if (!syms) break; - seccomp_print("\%3d. %s\n", i ++, (char *)framep); + seccomp_print("\%3d. %s\n", i++, (char *)framep); } -#endif + + #endif resp->error = 0; resp->val = 0; diff --git a/frida_mode/src/seccomp/seccomp_filter.c b/frida_mode/src/seccomp/seccomp_filter.c index 7ee5ead1..0dcc4cbb 100644 --- a/frida_mode/src/seccomp/seccomp_filter.c +++ b/frida_mode/src/seccomp/seccomp_filter.c @@ -2,9 +2,9 @@ #include #include -#if !defined(__MUSL__) - #include -#endif + #if !defined(__MUSL__) + #include + #endif #include #include #include diff --git a/include/envs.h b/include/envs.h index 61267a0d..25d05539 100644 --- a/include/envs.h +++ b/include/envs.h @@ -203,6 +203,7 @@ static char *afl_environment_variables[] = { "AFL_USE_MSAN", "AFL_USE_TRACE_PC", "AFL_USE_UBSAN", + "AFL_USE_TSAN", "AFL_USE_CFISAN", "AFL_USE_LSAN", "AFL_WINE_PATH", diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index ee8c317e..4e25221a 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -1142,10 +1142,11 @@ bool ModuleSanitizerCoverage::instrumentModule( else { char modeline[100]; - snprintf(modeline, sizeof(modeline), "%s%s%s%s%s", + snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s", getenv("AFL_HARDEN") ? "hardened" : "non-hardened", getenv("AFL_USE_ASAN") ? ", ASAN" : "", getenv("AFL_USE_MSAN") ? ", MSAN" : "", + getenv("AFL_USE_TSAN") ? ", TSAN" : "", getenv("AFL_USE_CFISAN") ? ", CFISAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); OKF("Instrumented %u locations (%u selects) without collisions (%llu " diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index be3f4f49..76bb2448 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -547,10 +547,11 @@ bool ModuleSanitizerCoverage::instrumentModule( else { char modeline[100]; - snprintf(modeline, sizeof(modeline), "%s%s%s%s%s", + snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s", getenv("AFL_HARDEN") ? "hardened" : "non-hardened", getenv("AFL_USE_ASAN") ? ", ASAN" : "", getenv("AFL_USE_MSAN") ? ", MSAN" : "", + getenv("AFL_USE_TSAN") ? ", TSAN" : "", getenv("AFL_USE_CFISAN") ? ", CFISAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); OKF("Instrumented %u locations with no collisions (%s mode) of which are " diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index ecf28f31..9b7e625e 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -956,11 +956,12 @@ bool AFLCoverage::runOnModule(Module &M) { else { char modeline[100]; - snprintf(modeline, sizeof(modeline), "%s%s%s%s%s", + snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s", getenv("AFL_HARDEN") ? "hardened" : "non-hardened", getenv("AFL_USE_ASAN") ? ", ASAN" : "", getenv("AFL_USE_MSAN") ? ", MSAN" : "", getenv("AFL_USE_CFISAN") ? ", CFISAN" : "", + getenv("AFL_USE_TSAN") ? ", TSAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); OKF("Instrumented %d locations (%s mode, ratio %u%%).", inst_blocks, modeline, inst_ratio); diff --git a/qemu_mode/libcompcov/libcompcov.so.c b/qemu_mode/libcompcov/libcompcov.so.c index 24867cda..eba3d80a 100644 --- a/qemu_mode/libcompcov/libcompcov.so.c +++ b/qemu_mode/libcompcov/libcompcov.so.c @@ -42,10 +42,10 @@ #endif /* !__linux__ */ #ifndef likely -# define likely(x) __builtin_expect((!!(x)),1) + #define likely(x) __builtin_expect((!!(x)), 1) #endif #ifndef unlikely -# define unlikely(x) __builtin_expect((!!(x)),0) + #define unlikely(x) __builtin_expect((!!(x)), 0) #endif /* Change this value to tune the compare coverage */ @@ -235,7 +235,12 @@ int strcmp(const char *str1, const char *str2) { int strncmp(const char *str1, const char *str2, size_t len) { - if (unlikely(!__libc_strncmp)) { __libc_strncmp = dlsym(RTLD_NEXT, "strncmp"); } + if (unlikely(!__libc_strncmp)) { + + __libc_strncmp = dlsym(RTLD_NEXT, "strncmp"); + + } + void *retaddr = __builtin_return_address(0); if (__compcov_is_in_bound(retaddr) && @@ -265,7 +270,12 @@ int strncmp(const char *str1, const char *str2, size_t len) { int strcasecmp(const char *str1, const char *str2) { - if (unlikely(!__libc_strcasecmp)) { __libc_strncasecmp = dlsym(RTLD_NEXT, "strcasecmp"); } + if (unlikely(!__libc_strcasecmp)) { + + __libc_strncasecmp = dlsym(RTLD_NEXT, "strcasecmp"); + + } + void *retaddr = __builtin_return_address(0); if (__compcov_is_in_bound(retaddr) && @@ -296,7 +306,12 @@ int strcasecmp(const char *str1, const char *str2) { int strncasecmp(const char *str1, const char *str2, size_t len) { - if (unlikely(!__libc_strncasecmp)) { __libc_strncasecmp = dlsym(RTLD_NEXT, "strncasecmp"); } + if (unlikely(!__libc_strncasecmp)) { + + __libc_strncasecmp = dlsym(RTLD_NEXT, "strncasecmp"); + + } + void *retaddr = __builtin_return_address(0); if (__compcov_is_in_bound(retaddr) && diff --git a/src/afl-as.c b/src/afl-as.c index 7119d630..774340ac 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -521,6 +521,7 @@ static void add_instrumentation(void) { getenv("AFL_HARDEN") ? "hardened" : "non-hardened", getenv("AFL_USE_ASAN") ? ", ASAN" : "", getenv("AFL_USE_MSAN") ? ", MSAN" : "", + getenv("AFL_USE_TSAN") ? ", TSAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : "", getenv("AFL_USE_LSAN") ? ", LSAN" : ""); diff --git a/src/afl-cc.c b/src/afl-cc.c index e7f08aac..3837459b 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -857,6 +857,14 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-fsanitize=undefined"; cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error"; cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all"; + cc_params[cc_par_cnt++] = "-fno-omit-frame-pointer"; + + } + + if (getenv("AFL_USE_TSAN")) { + + cc_params[cc_par_cnt++] = "-fsanitize=thread"; + cc_params[cc_par_cnt++] = "-fno-omit-frame-pointer"; } @@ -1814,6 +1822,7 @@ int main(int argc, char **argv, char **envp) { " AFL_USE_CFISAN: activate control flow sanitizer\n" " AFL_USE_MSAN: activate memory sanitizer\n" " AFL_USE_UBSAN: activate undefined behaviour sanitizer\n" + " AFL_USE_TSAN: activate thread sanitizer\n" " AFL_USE_LSAN: activate leak-checker sanitizer\n"); if (have_gcc_plugin) diff --git a/utils/aflpp_driver/aflpp_qemu_driver.c b/utils/aflpp_driver/aflpp_qemu_driver.c index 99a4c9a8..e47df1e6 100644 --- a/utils/aflpp_driver/aflpp_qemu_driver.c +++ b/utils/aflpp_driver/aflpp_qemu_driver.c @@ -22,7 +22,7 @@ int main(int argc, char **argv) { if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv); // Do any other expensive one-time initialization here. - if (getenv("AFL_QEMU_DRIVER_NO_HOOK")) { + if (getenv("AFL_QEMU_DRIVER_NO_HOOK") || getenv("AFL_FRIDA_DRIVER_NO_HOOK")) { afl_qemu_driver_stdin_input(); -- cgit 1.4.1 From 93b8f17242f6f354da189fee68e69c55288e2488 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 8 Nov 2021 18:17:09 +0000 Subject: Add support for option to disable backpatch --- frida_mode/README.md | 2 ++ frida_mode/frida.map | 1 + frida_mode/include/stalker.h | 3 ++- frida_mode/src/js/api.js | 7 +++++++ frida_mode/src/js/js_api.c | 6 ++++++ frida_mode/src/stalker.c | 9 +++++++-- frida_mode/ts/lib/afl.ts | 12 ++++++++++++ include/envs.h | 1 + 8 files changed, 38 insertions(+), 3 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/README.md b/frida_mode/README.md index bb194080..8211224d 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -174,6 +174,8 @@ file. * `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage instrumentation (the default where available). Required to use `AFL_FRIDA_INST_TRACE`. +* `AFL_FRIDA_INST_NO_BACKPATCH` - Disable backpatching. At the end of executing +each block, control will return to FRIDA to identify the next block to execute. * `AFL_FRIDA_INST_NO_PREFETCH` - Disable prefetching. By default the child will report instrumented blocks back to the parent so that it can also instrument them and they be inherited by the next child on fork, implies diff --git a/frida_mode/frida.map b/frida_mode/frida.map index e2ae87a7..7be41aa0 100644 --- a/frida_mode/frida.map +++ b/frida_mode/frida.map @@ -8,6 +8,7 @@ js_api_add_include_range; js_api_done; js_api_error; + js_api_set_backpatch_disable; js_api_set_debug_maps; js_api_set_entrypoint; js_api_set_instrument_coverage_file; diff --git a/frida_mode/include/stalker.h b/frida_mode/include/stalker.h index 955f3913..8a111b90 100644 --- a/frida_mode/include/stalker.h +++ b/frida_mode/include/stalker.h @@ -3,7 +3,8 @@ #include "frida-gumjs.h" -extern guint stalker_ic_entries; +extern guint stalker_ic_entries; +extern gboolean backpatch_enable; void stalker_config(void); void stalker_init(void); diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js index 6f9f05d8..5db62389 100644 --- a/frida_mode/src/js/api.js +++ b/frida_mode/src/js/api.js @@ -62,6 +62,12 @@ class Afl { const buf = Memory.allocUtf8String(log); Afl.jsApiWrite(STDOUT_FILENO, buf, log.length); } + /** + * See `AFL_FRIDA_INST_NO_BACKPATCH`. + */ + static setBackpatchDisable() { + Afl.jsApiSetBackpatchDisable(); + } /** * See `AFL_FRIDA_DEBUG_MAPS`. */ @@ -267,6 +273,7 @@ Afl.jsApiAddIncludeRange = Afl.jsApiGetFunction("js_api_add_include_range", "voi Afl.jsApiAflSharedMemFuzzing = Afl.jsApiGetSymbol("__afl_sharedmem_fuzzing"); Afl.jsApiDone = Afl.jsApiGetFunction("js_api_done", "void", []); Afl.jsApiError = Afl.jsApiGetFunction("js_api_error", "void", ["pointer"]); +Afl.jsApiSetBackpatchDisable = Afl.jsApiGetFunction("js_api_set_backpatch_disable", "void", []); Afl.jsApiSetDebugMaps = Afl.jsApiGetFunction("js_api_set_debug_maps", "void", []); Afl.jsApiSetEntryPoint = Afl.jsApiGetFunction("js_api_set_entrypoint", "void", ["pointer"]); Afl.jsApiSetInstrumentCoverageFile = Afl.jsApiGetFunction("js_api_set_instrument_coverage_file", "void", ["pointer"]); diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index f3d81a32..abc0ac30 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -237,3 +237,9 @@ __attribute__((visibility("default"))) void js_api_set_traceable(void) { } +__attribute__((visibility("default"))) void js_api_set_backpatch_disable(void) { + + backpatch_enable = FALSE; + +} + diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c index 814aaeb3..6ba41bc6 100644 --- a/frida_mode/src/stalker.c +++ b/frida_mode/src/stalker.c @@ -6,7 +6,8 @@ #include "stats.h" #include "util.h" -guint stalker_ic_entries = 0; +guint stalker_ic_entries = 0; +gboolean backpatch_enable = TRUE; static GumStalker *stalker = NULL; @@ -58,6 +59,8 @@ void stalker_config(void) { if (!gum_stalker_is_supported()) { FATAL("Failed to initialize embedded"); } + backpatch_enable = (getenv("AFL_FRIDA_INST_NO_BACKPATCH") == NULL); + stalker_ic_entries = util_read_num("AFL_FRIDA_STALKER_IC_ENTRIES"); observer = g_object_new(GUM_TYPE_AFL_STALKER_OBSERVER, NULL); @@ -87,6 +90,8 @@ static gboolean stalker_exclude_self(const GumRangeDetails *details, void stalker_init(void) { + OKF("Instrumentation - backpatch [%c]", backpatch_enable ? 'X' : ' '); + OKF("Stalker - ic_entries [%u]", stalker_ic_entries); #if !(defined(__x86_64__) || defined(__i386__)) @@ -134,7 +139,7 @@ void stalker_start(void) { void stalker_trust(void) { - gum_stalker_set_trust_threshold(stalker, 0); + if (backpatch_enable) { gum_stalker_set_trust_threshold(stalker, 0); } } diff --git a/frida_mode/ts/lib/afl.ts b/frida_mode/ts/lib/afl.ts index 538d9b70..3639d670 100644 --- a/frida_mode/ts/lib/afl.ts +++ b/frida_mode/ts/lib/afl.ts @@ -77,6 +77,13 @@ class Afl { Afl.jsApiWrite(STDOUT_FILENO, buf, log.length); } + /** + * See `AFL_FRIDA_INST_NO_BACKPATCH`. + */ + public static setBackpatchDisable(): void { + Afl.jsApiSetBackpatchDisable(); + } + /** * See `AFL_FRIDA_DEBUG_MAPS`. */ @@ -313,6 +320,11 @@ class Afl { "void", ["pointer"]); + private static readonly jsApiSetBackpatchDisable = Afl.jsApiGetFunction( + "js_api_set_backpatch_disable", + "void", + []); + private static readonly jsApiSetDebugMaps = Afl.jsApiGetFunction( "js_api_set_debug_maps", "void", diff --git a/include/envs.h b/include/envs.h index fd459f14..0ba79092 100644 --- a/include/envs.h +++ b/include/envs.h @@ -59,6 +59,7 @@ static char *afl_environment_variables[] = { "AFL_FRIDA_INST_COVERAGE_FILE", "AFL_FRIDA_INST_DEBUG_FILE", "AFL_FRIDA_INST_JIT", + "AFL_FRIDA_INST_NO_BACKPATCH", "AFL_FRIDA_INST_NO_OPTIMIZE", "AFL_FRIDA_INST_NO_PREFETCH", "AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH", -- cgit 1.4.1 From 3521268269c49db76157094aa2d8471d6f0f1c1d Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 8 Nov 2021 18:17:09 +0000 Subject: Suppress coverage for deterministic branches --- frida_mode/GNUmakefile | 2 +- frida_mode/src/instrument/instrument_x64.c | 74 ++++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+), 1 deletion(-) (limited to 'frida_mode/src') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index b5fee7a6..c0abe14c 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -103,7 +103,7 @@ ifndef OS $(error "Operating system unsupported") endif -GUM_DEVKIT_VERSION=15.0.16 +GUM_DEVKIT_VERSION=15.1.10 GUM_DEVKIT_FILENAME=frida-gumjs-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar.xz GUM_DEVKIT_URL="https://github.com/frida/frida/releases/download/$(GUM_DEVKIT_VERSION)/$(GUM_DEVKIT_FILENAME)" diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 19ec81b2..27704f9b 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -19,6 +19,7 @@ #include "instrument.h" #include "ranges.h" +#include "stalker.h" #if defined(__x86_64__) @@ -30,6 +31,8 @@ #endif #endif +static GHashTable *coverage_blocks = NULL; + gboolean instrument_is_coverage_optimize_supported(void) { return true; @@ -207,6 +210,50 @@ static void instrument_coverage_optimize_map_shm(guint64 shm_env_val, } +static void instrument_coverage_switch(GumStalkerObserver *self, + gpointer start_address, + const cs_insn * from_insn, + gpointer * target) { + + cs_x86 * x86; + cs_x86_op *op; + if (from_insn == NULL) { return; } + + x86 = &from_insn->detail->x86; + op = x86->operands; + + if (!g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target))) { + + return; + + } + + switch (from_insn->id) { + + case X86_INS_CALL: + case X86_INS_JMP: + if (x86->op_count != 1) { + + FATAL("Unexpected operand count: %d", x86->op_count); + + } + + if (op[0].type != X86_OP_IMM) { return; } + + break; + case X86_INS_RET: + break; + default: + return; + + } + + // OKF("SKIP: %p %s %s", start_address, from_insn->mnemonic, + // from_insn->op_str); + *target = *target + sizeof(afl_log_code); + +} + void instrument_coverage_optimize_init(void) { gpointer low_address = NULL; @@ -255,6 +302,25 @@ void instrument_coverage_optimize_init(void) { } +static void instrument_coverage_suppress_init(void) { + + static gboolean initialized = false; + if (initialized) { return; } + initialized = true; + + GumStalkerObserver * observer = stalker_get_observer(); + GumStalkerObserverInterface *iface = GUM_STALKER_OBSERVER_GET_IFACE(observer); + iface->switch_callback = instrument_coverage_switch; + + coverage_blocks = g_hash_table_new(g_direct_hash, g_direct_equal); + if (coverage_blocks == NULL) { + + FATAL("Failed to g_hash_table_new, errno: %d", errno); + + } + +} + void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output) { @@ -263,8 +329,16 @@ void instrument_coverage_optimize(const cs_insn * instr, guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); GumAddress code_addr = 0; + instrument_coverage_suppress_init(); + // gum_x86_writer_put_breakpoint(cw); code_addr = cw->pc; + if (!g_hash_table_add(coverage_blocks, GSIZE_TO_POINTER(cw->code))) { + + FATAL("Failed - g_hash_table_add"); + + } + code.code = template; gssize curr_loc_shr_1_offset = -- cgit 1.4.1 From b834f934d0e6a33f675a30402475c7bc816a37ee Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 8 Nov 2021 18:17:09 +0000 Subject: Changes to cmplog to use hashes block ID --- frida_mode/src/cmplog/cmplog_arm64.c | 6 ++---- frida_mode/src/cmplog/cmplog_x64.c | 6 ++---- frida_mode/src/cmplog/cmplog_x86.c | 6 ++---- 3 files changed, 6 insertions(+), 12 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/cmplog/cmplog_arm64.c b/frida_mode/src/cmplog/cmplog_arm64.c index ccc8e89e..c6590bb4 100644 --- a/frida_mode/src/cmplog/cmplog_arm64.c +++ b/frida_mode/src/cmplog/cmplog_arm64.c @@ -5,6 +5,7 @@ #include "ctx.h" #include "frida_cmplog.h" +#include "instrument.h" #include "util.h" #if defined(__aarch64__) @@ -111,10 +112,7 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { void *ptr1 = GSIZE_TO_POINTER(x0); void *ptr2 = GSIZE_TO_POINTER(x1); - uintptr_t k = address; - - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + guint64 k = instrument_get_offset_hash(GUM_ADDRESS(address)); if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) { diff --git a/frida_mode/src/cmplog/cmplog_x64.c b/frida_mode/src/cmplog/cmplog_x64.c index 5319f727..7fbcf408 100644 --- a/frida_mode/src/cmplog/cmplog_x64.c +++ b/frida_mode/src/cmplog/cmplog_x64.c @@ -5,6 +5,7 @@ #include "ctx.h" #include "frida_cmplog.h" +#include "instrument.h" #include "util.h" #if defined(__x86_64__) @@ -106,10 +107,7 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { void *ptr1 = GSIZE_TO_POINTER(rdi); void *ptr2 = GSIZE_TO_POINTER(rsi); - uintptr_t k = address; - - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + guint64 k = instrument_get_offset_hash(GUM_ADDRESS(address)); if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) { diff --git a/frida_mode/src/cmplog/cmplog_x86.c b/frida_mode/src/cmplog/cmplog_x86.c index 27d06720..bdd1af4e 100644 --- a/frida_mode/src/cmplog/cmplog_x86.c +++ b/frida_mode/src/cmplog/cmplog_x86.c @@ -5,6 +5,7 @@ #include "ctx.h" #include "frida_cmplog.h" +#include "instrument.h" #include "util.h" #if defined(__i386__) @@ -111,10 +112,7 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) { void *ptr1 = GSIZE_TO_POINTER(arg1); void *ptr2 = GSIZE_TO_POINTER(arg2); - uintptr_t k = address; - - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + guint64 k = instrument_get_offset_hash(GUM_ADDRESS(address)); if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) { -- cgit 1.4.1 From 8578b6b01c5f41d8a75ae83cb2c058fe89bf90df Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 9 Nov 2021 18:29:25 +0000 Subject: Inline instrumentation optimization for x64 --- frida_mode/src/instrument/instrument_x64.c | 131 ++++++++++++++++++----------- 1 file changed, 82 insertions(+), 49 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 27704f9b..07605a04 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -52,29 +52,46 @@ typedef struct { // shared_mem[cur_location ^ prev_location]++; // prev_location = cur_location >> 1; - // => 0x7ffff6cfb086: lea rsp,[rsp-0x80] - // 0x7ffff6cfb08b: pushf - // 0x7ffff6cfb08c: push rsi - // 0x7ffff6cfb08d: mov rsi,0x228 - // 0x7ffff6cfb094: xchg QWORD PTR [rip+0x3136a5],rsi # - // 0x7ffff700e740 0x7ffff6cfb09b: xor rsi,0x451 0x7ffff6cfb0a2: add - // BYTE PTR [rsi+0x10000],0x1 0x7ffff6cfb0a9: adc BYTE PTR - // [rsi+0x10000],0x0 0x7ffff6cfb0b0: pop rsi 0x7ffff6cfb0b1: popf - // 0x7ffff6cfb0b2: lea rsp,[rsp+0x80] + // 0x7ffff6cbca41: lea rsp,[rsp-0x80] + // + // 0x7ffff6cbca46: push rax + // 0x7ffff6cbca47: lahf + // 0x7ffff6cbca48: push rax + // + // 0x7ffff6cbca49: mov eax,DWORD PTR [rip+0x33bcf1] + // 0x7ffff6cbca4f: xor eax,0x3f77 + // 0x7ffff6cbca54: add eax,0x10000 + // 0x7ffff6cbca59: add BYTE PTR [rax],0x1 + // 0x7ffff6cbca5c: adc BYTE PTR [rax],0x0 + // + // 0x7ffff6cbca5f: mov eax,0xbf77 + // 0x7ffff6cbca64: mov DWORD PTR [rip+0x33bcd6],eax + // + // 0x7ffff6cbca6a: pop rax + // 0x7ffff6cbca6b: sahf + // 0x7ffff6cbca6c: pop rax + // + // 0x7ffff6cbca6d: lea rsp,[rsp+0x80] uint8_t lea_rsp_rsp_sub_rz[5]; - uint8_t push_fq; - uint8_t push_rsi; - uint8_t mov_rsi_curr_loc_shr_1[7]; - uint8_t xchg_rsi_prev_loc_curr_loc[7]; - uint8_t xor_rsi_curr_loc[7]; + uint8_t push_rax; + uint8_t lahf; + uint8_t push_rax2; - uint8_t add_rsi_1[7]; - uint8_t adc_rsi_0[7]; + uint8_t mov_eax_prev_loc[6]; + uint8_t xor_eax_curr_loc[5]; + uint8_t add_eax_afl_area[5]; + uint8_t add_rax_1[3]; + uint8_t adc_rax_0[3]; + + uint8_t mov_eax_curr_loc_shr_1[5]; + uint8_t mov_eax_prev_loc_curr_loc[6]; + + uint8_t pop_rax2; + uint8_t sahf; + uint8_t pop_rax; - uint8_t pop_rsi; - uint8_t pop_fq; uint8_t lsa_rsp_rsp_add_rz[8]; } afl_log_code_asm_t; @@ -92,18 +109,24 @@ static const afl_log_code_asm_t template = { .lea_rsp_rsp_sub_rz = {0x48, 0x8D, 0x64, 0x24, 0x80}, - .push_fq = 0x9c, - .push_rsi = 0x56, + .push_rax = 0x50, + .lahf = 0x9f, + .push_rax2 = 0x50, + + .mov_eax_prev_loc = {0x8b, 0x05}, + .xor_eax_curr_loc = {0x35}, + + .add_eax_afl_area = {0x05}, + .add_rax_1 = {0x80, 0x00, 0x01}, + .adc_rax_0 = {0x80, 0x10, 0x00}, - .mov_rsi_curr_loc_shr_1 = {0x48, 0xC7, 0xC6}, - .xchg_rsi_prev_loc_curr_loc = {0x48, 0x87, 0x35}, - .xor_rsi_curr_loc = {0x48, 0x81, 0xF6}, + .mov_eax_curr_loc_shr_1 = {0xb8}, + .mov_eax_prev_loc_curr_loc = {0x89, 0x05}, - .add_rsi_1 = {0x80, 0x86, 0x00, 0x00, 0x00, 0x00, 0x01}, - .adc_rsi_0 = {0x80, 0x96, 0x00, 0x00, 0x00, 0x00, 0x00}, + .pop_rax2 = 0x58, + .sahf = 0x9e, + .pop_rax = 0x58, - .pop_rsi = 0x5E, - .pop_fq = 0x9D, .lsa_rsp_rsp_add_rz = {0x48, 0x8D, 0xA4, 0x24, 0x80, 0x00, 0x00, 0x00}, } @@ -123,7 +146,7 @@ static gboolean instrument_coverage_find_low(const GumRangeDetails *details, } - if (details->range->base_address > ((2ULL << 20) - __afl_map_size)) { + if (details->range->base_address > ((2ULL << 30) - __afl_map_size)) { return FALSE; @@ -248,8 +271,6 @@ static void instrument_coverage_switch(GumStalkerObserver *self, } - // OKF("SKIP: %p %s %s", start_address, from_insn->mnemonic, - // from_insn->op_str); *target = *target + sizeof(afl_log_code); } @@ -327,6 +348,7 @@ void instrument_coverage_optimize(const cs_insn * instr, afl_log_code code = {0}; GumX86Writer *cw = output->writer.x86; guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); + guint64 area_offset_ror; GumAddress code_addr = 0; instrument_coverage_suppress_init(); @@ -342,19 +364,21 @@ void instrument_coverage_optimize(const cs_insn * instr, code.code = template; gssize curr_loc_shr_1_offset = - offsetof(afl_log_code, code.mov_rsi_curr_loc_shr_1) + - sizeof(code.code.mov_rsi_curr_loc_shr_1) - sizeof(guint32); + offsetof(afl_log_code, code.mov_eax_curr_loc_shr_1) + + sizeof(code.code.mov_eax_curr_loc_shr_1) - sizeof(guint32); - *((guint32 *)&code.bytes[curr_loc_shr_1_offset]) = - (guint32)(area_offset >> 1); + area_offset_ror = ((area_offset & (MAP_SIZE - 1) >> 1)) | + ((area_offset & 0x1) << (MAP_SIZE_POW2 - 1)); + + *((guint32 *)&code.bytes[curr_loc_shr_1_offset]) = (guint32)(area_offset_ror); gssize prev_loc_value = GPOINTER_TO_SIZE(&instrument_previous_pc) - - (code_addr + offsetof(afl_log_code, code.xchg_rsi_prev_loc_curr_loc) + - sizeof(code.code.xchg_rsi_prev_loc_curr_loc)); + (code_addr + offsetof(afl_log_code, code.mov_eax_prev_loc_curr_loc) + + sizeof(code.code.mov_eax_prev_loc_curr_loc)); gssize prev_loc_value_offset = - offsetof(afl_log_code, code.xchg_rsi_prev_loc_curr_loc) + - sizeof(code.code.xchg_rsi_prev_loc_curr_loc) - sizeof(gint); + offsetof(afl_log_code, code.mov_eax_prev_loc_curr_loc) + + sizeof(code.code.mov_eax_prev_loc_curr_loc) - sizeof(gint); if (!instrument_coverage_in_range(prev_loc_value)) { FATAL("Patch out of range (current_pc_value1): 0x%016lX", prev_loc_value); @@ -363,22 +387,31 @@ void instrument_coverage_optimize(const cs_insn * instr, *((gint *)&code.bytes[prev_loc_value_offset]) = (gint)prev_loc_value; - gssize xor_curr_loc_offset = offsetof(afl_log_code, code.xor_rsi_curr_loc) + - sizeof(code.code.xor_rsi_curr_loc) - - sizeof(guint32); + gssize prev_loc_value2 = + GPOINTER_TO_SIZE(&instrument_previous_pc) - + (code_addr + offsetof(afl_log_code, code.mov_eax_prev_loc) + + sizeof(code.code.mov_eax_prev_loc)); + gssize prev_loc_value_offset2 = + offsetof(afl_log_code, code.mov_eax_prev_loc) + + sizeof(code.code.mov_eax_prev_loc) - sizeof(gint); + if (!instrument_coverage_in_range(prev_loc_value)) { - *((guint32 *)&code.bytes[xor_curr_loc_offset]) = (guint32)(area_offset); + FATAL("Patch out of range (current_pc_value1): 0x%016lX", prev_loc_value2); + + } - gssize add_rsi_1_offset = offsetof(afl_log_code, code.add_rsi_1) + - sizeof(code.code.add_rsi_1) - sizeof(guint32) - 1; + *((gint *)&code.bytes[prev_loc_value_offset2]) = (gint)prev_loc_value2; - *((guint32 *)&code.bytes[add_rsi_1_offset]) = - (guint32)GPOINTER_TO_SIZE(__afl_area_ptr); + gssize xor_curr_loc_offset = offsetof(afl_log_code, code.xor_eax_curr_loc) + + sizeof(code.code.xor_eax_curr_loc) - + sizeof(guint32); + + *((guint32 *)&code.bytes[xor_curr_loc_offset]) = (guint32)(area_offset); - gssize adc_rsi_0_ffset = offsetof(afl_log_code, code.adc_rsi_0) + - sizeof(code.code.adc_rsi_0) - sizeof(guint32) - 1; + gssize lea_rax_offset = offsetof(afl_log_code, code.add_eax_afl_area) + + sizeof(code.code.add_eax_afl_area) - sizeof(guint32); - *((guint32 *)&code.bytes[adc_rsi_0_ffset]) = + *((guint32 *)&code.bytes[lea_rax_offset]) = (guint32)GPOINTER_TO_SIZE(__afl_area_ptr); gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code)); -- cgit 1.4.1 From 02e8919cbc744064510f6cd99539f7662343073f Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 9 Nov 2021 18:29:25 +0000 Subject: Suppress spurious output --- frida_mode/include/util.h | 28 ++++++- frida_mode/src/asan/asan.c | 7 +- frida_mode/src/asan/asan_arm32.c | 6 +- frida_mode/src/asan/asan_arm64.c | 4 +- frida_mode/src/asan/asan_x64.c | 4 +- frida_mode/src/asan/asan_x86.c | 4 +- frida_mode/src/cmplog/cmplog.c | 22 +++-- frida_mode/src/cmplog/cmplog_arm32.c | 4 +- frida_mode/src/cmplog/cmplog_arm64.c | 6 +- frida_mode/src/cmplog/cmplog_x64.c | 6 +- frida_mode/src/cmplog/cmplog_x86.c | 8 +- frida_mode/src/ctx/ctx_arm32.c | 4 +- frida_mode/src/ctx/ctx_arm64.c | 12 ++- frida_mode/src/ctx/ctx_x64.c | 5 +- frida_mode/src/ctx/ctx_x86.c | 4 +- frida_mode/src/entry.c | 16 ++-- frida_mode/src/instrument/instrument.c | 21 +++-- frida_mode/src/instrument/instrument_arm32.c | 6 +- frida_mode/src/instrument/instrument_arm64.c | 1 - frida_mode/src/instrument/instrument_coverage.c | 66 +++++++-------- frida_mode/src/instrument/instrument_debug.c | 12 ++- frida_mode/src/instrument/instrument_x64.c | 17 ++-- frida_mode/src/instrument/instrument_x86.c | 2 - frida_mode/src/intercept.c | 5 +- frida_mode/src/js/js.c | 18 ++-- frida_mode/src/js/js_api.c | 3 +- frida_mode/src/lib/lib.c | 55 ++++++------ frida_mode/src/lib/lib_apple.c | 20 ++--- frida_mode/src/main.c | 21 +++-- frida_mode/src/output.c | 13 ++- frida_mode/src/persistent/persistent.c | 33 ++++---- frida_mode/src/persistent/persistent_arm32.c | 6 +- frida_mode/src/persistent/persistent_arm64.c | 3 +- frida_mode/src/persistent/persistent_x64.c | 3 +- frida_mode/src/persistent/persistent_x86.c | 3 +- frida_mode/src/prefetch.c | 14 ++-- frida_mode/src/ranges.c | 107 ++++++++++++------------ frida_mode/src/seccomp/seccomp.c | 8 +- frida_mode/src/seccomp/seccomp_atomic.c | 4 +- frida_mode/src/seccomp/seccomp_callback.c | 23 +++-- frida_mode/src/seccomp/seccomp_child.c | 7 +- frida_mode/src/seccomp/seccomp_event.c | 11 ++- frida_mode/src/seccomp/seccomp_filter.c | 24 +++--- frida_mode/src/seccomp/seccomp_socket.c | 23 +++-- frida_mode/src/seccomp/seccomp_syscall.c | 7 +- frida_mode/src/stalker.c | 15 ++-- frida_mode/src/stats/stats.c | 15 ++-- frida_mode/src/stats/stats_arm32.c | 8 +- frida_mode/src/stats/stats_arm64.c | 6 +- frida_mode/src/stats/stats_x86_64.c | 16 ++-- frida_mode/src/util.c | 18 +++- 51 files changed, 367 insertions(+), 387 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/include/util.h b/frida_mode/include/util.h index 525e9d40..77fbda94 100644 --- a/frida_mode/include/util.h +++ b/frida_mode/include/util.h @@ -3,12 +3,38 @@ #include "frida-gumjs.h" +#include "debug.h" + #define UNUSED_PARAMETER(x) (void)(x) #define IGNORED_RETURN(x) (void)!(x) guint64 util_read_address(char *key); -guint64 util_read_num(char *key); +guint64 util_read_num(char *key); +gboolean util_output_enabled(void); + +#define FOKF(x...) \ + do { \ + \ + if (!util_output_enabled()) { break; } \ + \ + OKF(x); \ + \ + } while (0) + +#define FWARNF(x...) \ + do { \ + \ + WARNF(x); \ + \ + } while (0) + +#define FFATAL(x...) \ + do { \ + \ + FATAL(x); \ + \ + } while (0) #endif diff --git a/frida_mode/src/asan/asan.c b/frida_mode/src/asan/asan.c index b2e763ca..d649bd76 100644 --- a/frida_mode/src/asan/asan.c +++ b/frida_mode/src/asan/asan.c @@ -1,8 +1,7 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "asan.h" +#include "util.h" static gboolean asan_enabled = FALSE; gboolean asan_initialized = FALSE; @@ -11,12 +10,12 @@ void asan_config(void) { if (getenv("AFL_USE_FASAN") != NULL) { - OKF("Frida ASAN mode enabled"); + FOKF("Frida ASAN mode enabled"); asan_enabled = TRUE; } else { - OKF("Frida ASAN mode disabled"); + FOKF("Frida ASAN mode disabled"); } diff --git a/frida_mode/src/asan/asan_arm32.c b/frida_mode/src/asan/asan_arm32.c index f5fa4713..21400881 100644 --- a/frida_mode/src/asan/asan_arm32.c +++ b/frida_mode/src/asan/asan_arm32.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "asan.h" #include "util.h" @@ -12,7 +10,7 @@ void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { UNUSED_PARAMETER(iterator); if (asan_initialized) { - FATAL("ASAN mode not supported on this architecture"); + FFATAL("ASAN mode not supported on this architecture"); } @@ -20,7 +18,7 @@ void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { void asan_arch_init(void) { - FATAL("ASAN mode not supported on this architecture"); + FFATAL("ASAN mode not supported on this architecture"); } diff --git a/frida_mode/src/asan/asan_arm64.c b/frida_mode/src/asan/asan_arm64.c index 65524e03..88c76535 100644 --- a/frida_mode/src/asan/asan_arm64.c +++ b/frida_mode/src/asan/asan_arm64.c @@ -1,8 +1,6 @@ #include #include "frida-gumjs.h" -#include "debug.h" - #include "asan.h" #include "ctx.h" #include "util.h" @@ -86,7 +84,7 @@ void asan_arch_init(void) { asan_storeN = (asan_loadN_t)dlsym(RTLD_DEFAULT, "__asan_storeN"); if (asan_loadN == NULL || asan_storeN == NULL) { - FATAL("Frida ASAN failed to find '__asan_loadN' or '__asan_storeN'"); + FFATAL("Frida ASAN failed to find '__asan_loadN' or '__asan_storeN'"); } diff --git a/frida_mode/src/asan/asan_x64.c b/frida_mode/src/asan/asan_x64.c index 5c12669f..c7b70967 100644 --- a/frida_mode/src/asan/asan_x64.c +++ b/frida_mode/src/asan/asan_x64.c @@ -1,8 +1,6 @@ #include #include "frida-gumjs.h" -#include "debug.h" - #include "asan.h" #include "ctx.h" #include "util.h" @@ -83,7 +81,7 @@ void asan_arch_init(void) { asan_storeN = (asan_loadN_t)dlsym(RTLD_DEFAULT, "__asan_storeN"); if (asan_loadN == NULL || asan_storeN == NULL) { - FATAL("Frida ASAN failed to find '__asan_loadN' or '__asan_storeN'"); + FFATAL("Frida ASAN failed to find '__asan_loadN' or '__asan_storeN'"); } diff --git a/frida_mode/src/asan/asan_x86.c b/frida_mode/src/asan/asan_x86.c index 6d2f9e2b..afc89936 100644 --- a/frida_mode/src/asan/asan_x86.c +++ b/frida_mode/src/asan/asan_x86.c @@ -1,8 +1,6 @@ #include #include "frida-gumjs.h" -#include "debug.h" - #include "asan.h" #include "ctx.h" #include "util.h" @@ -83,7 +81,7 @@ void asan_arch_init(void) { asan_storeN = (asan_loadN_t)dlsym(RTLD_DEFAULT, "__asan_storeN"); if (asan_loadN == NULL || asan_storeN == NULL) { - FATAL("Frida ASAN failed to find '__asan_loadN' or '__asan_storeN'"); + FFATAL("Frida ASAN failed to find '__asan_loadN' or '__asan_storeN'"); } diff --git a/frida_mode/src/cmplog/cmplog.c b/frida_mode/src/cmplog/cmplog.c index ae3116eb..81e1a4b0 100644 --- a/frida_mode/src/cmplog/cmplog.c +++ b/frida_mode/src/cmplog/cmplog.c @@ -7,8 +7,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "util.h" #define DEFAULT_MMAP_MIN_ADDR (32UL << 10) @@ -42,7 +40,7 @@ static gint cmplog_sort(gconstpointer a, gconstpointer b) { static void cmplog_get_ranges(void) { - OKF("CMPLOG - Collecting ranges"); + FOKF("CMPLOG - Collecting ranges"); cmplog_ranges = g_array_sized_new(false, false, sizeof(GumMemoryRange), 100); gum_process_enumerate_ranges(GUM_PAGE_READ, cmplog_range, cmplog_ranges); @@ -56,7 +54,7 @@ void cmplog_config(void) { void cmplog_init(void) { - OKF("CMPLOG - Enabled [%c]", __afl_cmp_map == NULL ? ' ' : 'X'); + FOKF("CMPLOG - Enabled [%c]", __afl_cmp_map == NULL ? ' ' : 'X'); if (__afl_cmp_map == NULL) { return; } @@ -65,9 +63,9 @@ void cmplog_init(void) { for (guint i = 0; i < cmplog_ranges->len; i++) { GumMemoryRange *range = &g_array_index(cmplog_ranges, GumMemoryRange, i); - OKF("CMPLOG Range - %3u: 0x%016" G_GINT64_MODIFIER - "X - 0x%016" G_GINT64_MODIFIER "X", - i, range->base_address, range->base_address + range->size); + FOKF("CMPLOG Range - %3u: 0x%016" G_GINT64_MODIFIER + "X - 0x%016" G_GINT64_MODIFIER "X", + i, range->base_address, range->base_address + range->size); } @@ -78,14 +76,14 @@ void cmplog_init(void) { hash_yes = g_hash_table_new(g_direct_hash, g_direct_equal); if (hash_yes == NULL) { - FATAL("Failed to g_hash_table_new, errno: %d", errno); + FFATAL("Failed to g_hash_table_new, errno: %d", errno); } hash_no = g_hash_table_new(g_direct_hash, g_direct_equal); if (hash_no == NULL) { - FATAL("Failed to g_hash_table_new, errno: %d", errno); + FFATAL("Failed to g_hash_table_new, errno: %d", errno); } @@ -117,7 +115,7 @@ gboolean cmplog_test_addr(guint64 addr, size_t size) { if (!g_hash_table_add(hash_no, GSIZE_TO_POINTER(addr))) { - FATAL("Failed - g_hash_table_add"); + FFATAL("Failed - g_hash_table_add"); } @@ -127,7 +125,7 @@ gboolean cmplog_test_addr(guint64 addr, size_t size) { if (!g_hash_table_add(hash_yes, GSIZE_TO_POINTER(addr))) { - FATAL("Failed - g_hash_table_add"); + FFATAL("Failed - g_hash_table_add"); } @@ -139,7 +137,7 @@ gboolean cmplog_test_addr(guint64 addr, size_t size) { gboolean cmplog_is_readable(guint64 addr, size_t size) { - if (cmplog_ranges == NULL) FATAL("CMPLOG not initialized"); + if (cmplog_ranges == NULL) FFATAL("CMPLOG not initialized"); /* * The Linux kernel prevents mmap from allocating from the very bottom of the diff --git a/frida_mode/src/cmplog/cmplog_arm32.c b/frida_mode/src/cmplog/cmplog_arm32.c index ac703408..106baa52 100644 --- a/frida_mode/src/cmplog/cmplog_arm32.c +++ b/frida_mode/src/cmplog/cmplog_arm32.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "frida_cmplog.h" #include "util.h" @@ -11,7 +9,7 @@ void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { UNUSED_PARAMETER(instr); UNUSED_PARAMETER(iterator); if (__afl_cmp_map == NULL) { return; } - FATAL("CMPLOG mode not supported on this architecture"); + FFATAL("CMPLOG mode not supported on this architecture"); } diff --git a/frida_mode/src/cmplog/cmplog_arm64.c b/frida_mode/src/cmplog/cmplog_arm64.c index c6590bb4..515a6256 100644 --- a/frida_mode/src/cmplog/cmplog_arm64.c +++ b/frida_mode/src/cmplog/cmplog_arm64.c @@ -67,7 +67,7 @@ static gboolean cmplog_read_mem(GumCpuContext *ctx, uint8_t size, *val = *((guint64 *)GSIZE_TO_POINTER(address)); return TRUE; default: - FATAL("Invalid operand size: %d\n", size); + FFATAL("Invalid operand size: %d\n", size); } @@ -89,7 +89,7 @@ static gboolean cmplog_get_operand_value(GumCpuContext *context, case ARM64_OP_MEM: return cmplog_read_mem(context, ctx->size, &ctx->mem, val); default: - FATAL("Invalid operand type: %d\n", ctx->type); + FFATAL("Invalid operand type: %d\n", ctx->type); } @@ -163,7 +163,7 @@ static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx, gum_memcpy(&ctx->mem, &operand->mem, sizeof(arm64_op_mem)); break; default: - FATAL("Invalid operand type: %d\n", operand->type); + FFATAL("Invalid operand type: %d\n", operand->type); } diff --git a/frida_mode/src/cmplog/cmplog_x64.c b/frida_mode/src/cmplog/cmplog_x64.c index 7fbcf408..7d515336 100644 --- a/frida_mode/src/cmplog/cmplog_x64.c +++ b/frida_mode/src/cmplog/cmplog_x64.c @@ -62,7 +62,7 @@ static gboolean cmplog_read_mem(GumCpuContext *ctx, uint8_t size, *val = *((guint64 *)GSIZE_TO_POINTER(address)); return TRUE; default: - FATAL("Invalid operand size: %d\n", size); + FFATAL("Invalid operand size: %d\n", size); } @@ -84,7 +84,7 @@ static gboolean cmplog_get_operand_value(GumCpuContext *context, case X86_OP_MEM: return cmplog_read_mem(context, ctx->size, &ctx->mem, val); default: - FATAL("Invalid operand type: %d\n", ctx->type); + FFATAL("Invalid operand type: %d\n", ctx->type); } @@ -157,7 +157,7 @@ static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx, gum_memcpy(&ctx->mem, &operand->mem, sizeof(x86_op_mem)); break; default: - FATAL("Invalid operand type: %d\n", operand->type); + FFATAL("Invalid operand type: %d\n", operand->type); } diff --git a/frida_mode/src/cmplog/cmplog_x86.c b/frida_mode/src/cmplog/cmplog_x86.c index bdd1af4e..4a747417 100644 --- a/frida_mode/src/cmplog/cmplog_x86.c +++ b/frida_mode/src/cmplog/cmplog_x86.c @@ -59,7 +59,7 @@ static gboolean cmplog_read_mem(GumCpuContext *ctx, uint8_t size, *val = *((guint32 *)GSIZE_TO_POINTER(address)); return TRUE; default: - FATAL("Invalid operand size: %d\n", size); + FFATAL("Invalid operand size: %d\n", size); } @@ -81,7 +81,7 @@ static gboolean cmplog_get_operand_value(GumCpuContext *context, case X86_OP_MEM: return cmplog_read_mem(context, ctx->size, &ctx->mem, val); default: - FATAL("Invalid operand type: %d\n", ctx->type); + FFATAL("Invalid operand type: %d\n", ctx->type); } @@ -162,7 +162,7 @@ static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx, gum_memcpy(&ctx->mem, &operand->mem, sizeof(x86_op_mem)); break; default: - FATAL("Invalid operand type: %d\n", operand->type); + FFATAL("Invalid operand type: %d\n", operand->type); } @@ -228,7 +228,7 @@ static void cmplog_cmp_sub_callout(GumCpuContext *context, gpointer user_data) { gsize operand1; gsize operand2; - if (ctx->operand1.size != ctx->operand2.size) FATAL("Operand size mismatch"); + if (ctx->operand1.size != ctx->operand2.size) FFATAL("Operand size mismatch"); if (!cmplog_get_operand_value(context, &ctx->operand1, &operand1)) { return; } if (!cmplog_get_operand_value(context, &ctx->operand2, &operand2)) { return; } diff --git a/frida_mode/src/ctx/ctx_arm32.c b/frida_mode/src/ctx/ctx_arm32.c index 9fc70fb4..049b5548 100644 --- a/frida_mode/src/ctx/ctx_arm32.c +++ b/frida_mode/src/ctx/ctx_arm32.c @@ -1,14 +1,12 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "ctx.h" #if defined(__arm__) gsize ctx_read_reg(GumArmCpuContext *ctx, arm_reg reg) { - FATAL("ctx_read_reg unimplemented for this architecture"); + FFATAL("ctx_read_reg unimplemented for this architecture"); } diff --git a/frida_mode/src/ctx/ctx_arm64.c b/frida_mode/src/ctx/ctx_arm64.c index a735401b..01f321e3 100644 --- a/frida_mode/src/ctx/ctx_arm64.c +++ b/frida_mode/src/ctx/ctx_arm64.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "ctx.h" #if defined(__aarch64__) @@ -174,7 +172,7 @@ gsize ctx_read_reg(GumArm64CpuContext *ctx, arm64_reg reg) { ARM64_REG_64(ARM64_REG_SP, ctx->sp) default: - FATAL("Failed to read register: %d", reg); + FFATAL("Failed to read register: %d", reg); return 0; } @@ -206,7 +204,7 @@ size_t ctx_get_size(const cs_insn *instr, cs_arm64_op *operand) { } mnemonic_len = strlen(instr->mnemonic); - if (mnemonic_len == 0) { FATAL("No mnemonic found"); }; + if (mnemonic_len == 0) { FFATAL("No mnemonic found"); }; char last = instr->mnemonic[mnemonic_len - 1]; switch (last) { @@ -252,14 +250,14 @@ size_t ctx_get_size(const cs_insn *instr, cs_arm64_op *operand) { if (mnemonic_len < 3) { - FATAL("VAS Mnemonic too short: %s\n", instr->mnemonic); + FFATAL("VAS Mnemonic too short: %s\n", instr->mnemonic); } vas_digit = instr->mnemonic[2]; if (vas_digit < '0' || vas_digit > '9') { - FATAL("VAS Mnemonic digit out of range: %s\n", instr->mnemonic); + FFATAL("VAS Mnemonic digit out of range: %s\n", instr->mnemonic); } @@ -293,7 +291,7 @@ size_t ctx_get_size(const cs_insn *instr, cs_arm64_op *operand) { case ARM64_VAS_16B: return 16 * count_byte; default: - FATAL("Unexpected VAS type: %s %d", instr->mnemonic, operand->vas); + FFATAL("Unexpected VAS type: %s %d", instr->mnemonic, operand->vas); } diff --git a/frida_mode/src/ctx/ctx_x64.c b/frida_mode/src/ctx/ctx_x64.c index da5cb13a..02423416 100644 --- a/frida_mode/src/ctx/ctx_x64.c +++ b/frida_mode/src/ctx/ctx_x64.c @@ -1,8 +1,7 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "ctx.h" +#include "util.h" #if defined(__x86_64__) @@ -121,7 +120,7 @@ gsize ctx_read_reg(GumX64CpuContext *ctx, x86_reg reg) { X86_REG_64(X86_REG_RIP, ctx->rip) default: - FATAL("Failed to read register: %d", reg); + FFATAL("Failed to read register: %d", reg); return 0; } diff --git a/frida_mode/src/ctx/ctx_x86.c b/frida_mode/src/ctx/ctx_x86.c index 1a587702..abfeafc8 100644 --- a/frida_mode/src/ctx/ctx_x86.c +++ b/frida_mode/src/ctx/ctx_x86.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "ctx.h" #if defined(__i386__) @@ -72,7 +70,7 @@ gsize ctx_read_reg(GumIA32CpuContext *ctx, x86_reg reg) { X86_REG_32(X86_REG_EIP, ctx->eip) default: - FATAL("Failed to read register: %d", reg); + FFATAL("Failed to read register: %d", reg); return 0; } diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index c51e202f..a36daf88 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -6,8 +6,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "entry.h" #include "instrument.h" #include "persistent.h" @@ -26,7 +24,7 @@ gboolean entry_run = FALSE; static void entry_launch(void) { - OKF("Entry point reached"); + FOKF("Entry point reached"); __afl_manual_init(); /* Child here */ @@ -45,7 +43,7 @@ void entry_on_fork(void) { if (prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY) < 0) { - FATAL("Failed to PR_SET_PTRACER"); + FFATAL("Failed to PR_SET_PTRACER"); } @@ -56,7 +54,7 @@ void entry_on_fork(void) { #else void entry_on_fork(void) { - if (traceable) { WARNF("AFL_FRIDA_TRACEABLE unsupported"); } + if (traceable) { FWARNF("AFL_FRIDA_TRACEABLE unsupported"); } } @@ -71,10 +69,10 @@ void entry_config(void) { void entry_init(void) { - OKF("entry_point: 0x%016" G_GINT64_MODIFIER "X", entry_point); - OKF("dumpable: [%c]", traceable ? 'X' : ' '); + FOKF("entry_point: 0x%016" G_GINT64_MODIFIER "X", entry_point); + FOKF("dumpable: [%c]", traceable ? 'X' : ' '); - if (dlopen(NULL, RTLD_NOW) == NULL) { FATAL("Failed to dlopen: %d", errno); } + if (dlopen(NULL, RTLD_NOW) == NULL) { FFATAL("Failed to dlopen: %d", errno); } } @@ -96,7 +94,7 @@ static void entry_callout(GumCpuContext *cpu_context, gpointer user_data) { void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output) { UNUSED_PARAMETER(output); - OKF("AFL_ENTRYPOINT reached"); + FOKF("AFL_ENTRYPOINT reached"); if (persistent_start == 0) { diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index eeebe545..0262e461 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -6,7 +6,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "hash.h" #include "asan.h" @@ -261,14 +260,14 @@ void instrument_init(void) { if (!instrument_is_coverage_optimize_supported()) instrument_optimize = false; - OKF("Instrumentation - optimize [%c]", instrument_optimize ? 'X' : ' '); - OKF("Instrumentation - tracing [%c]", instrument_tracing ? 'X' : ' '); - OKF("Instrumentation - unique [%c]", instrument_unique ? 'X' : ' '); - OKF("Instrumentation - fixed seed [%c] [0x%016" G_GINT64_MODIFIER "x]", - instrument_use_fixed_seed ? 'X' : ' ', instrument_fixed_seed); - OKF("Instrumentation - unstable coverage [%c] [%s]", - instrument_coverage_unstable_filename == NULL ? ' ' : 'X', - instrument_coverage_unstable_filename); + FOKF("Instrumentation - optimize [%c]", instrument_optimize ? 'X' : ' '); + FOKF("Instrumentation - tracing [%c]", instrument_tracing ? 'X' : ' '); + FOKF("Instrumentation - unique [%c]", instrument_unique ? 'X' : ' '); + FOKF("Instrumentation - fixed seed [%c] [0x%016" G_GINT64_MODIFIER "x]", + instrument_use_fixed_seed ? 'X' : ' ', instrument_fixed_seed); + FOKF("Instrumentation - unstable coverage [%c] [%s]", + instrument_coverage_unstable_filename == NULL ? ' ' : 'X', + instrument_coverage_unstable_filename); if (instrument_tracing && instrument_optimize) { @@ -352,8 +351,8 @@ void instrument_init(void) { } - OKF("Instrumentation - seed [0x%016" G_GINT64_MODIFIER "x]", - instrument_hash_seed); + FOKF("Instrumentation - seed [0x%016" G_GINT64_MODIFIER "x]", + instrument_hash_seed); instrument_hash_zero = instrument_get_offset_hash(0); instrument_coverage_optimize_init(); diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index 395d56c1..fa8b0bd2 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "instrument.h" #include "util.h" @@ -18,13 +16,13 @@ void instrument_coverage_optimize(const cs_insn * instr, UNUSED_PARAMETER(instr); UNUSED_PARAMETER(output); - FATAL("Optimized coverage not supported on this architecture"); + FFATAL("Optimized coverage not supported on this architecture"); } void instrument_coverage_optimize_init(void) { - WARNF("Optimized coverage not supported on this architecture"); + FWARNF("Optimized coverage not supported on this architecture"); } diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 358e8e6b..0f635458 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -1,7 +1,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "instrument.h" diff --git a/frida_mode/src/instrument/instrument_coverage.c b/frida_mode/src/instrument/instrument_coverage.c index 513df29a..95a24808 100644 --- a/frida_mode/src/instrument/instrument_coverage.c +++ b/frida_mode/src/instrument/instrument_coverage.c @@ -5,8 +5,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "instrument.h" #include "util.h" @@ -251,7 +249,7 @@ static void coverage_write(void *data, size_t size) { if (written < 0) { - FATAL("Coverage - Failed to write: %s (%d)\n", (char *)data, errno); + FFATAL("Coverage - Failed to write: %s (%d)\n", (char *)data, errno); } @@ -371,7 +369,7 @@ static void instrument_coverage_normal_run() { if (close(normal_coverage_pipes[STDOUT_FILENO]) != 0) { - FATAL("Failed to close parent read pipe"); + FFATAL("Failed to close parent read pipe"); } @@ -379,7 +377,7 @@ static void instrument_coverage_normal_run() { g_hash_table_new_full(g_direct_hash, g_direct_equal, NULL, g_free); if (coverage_hash == NULL) { - FATAL("Failed to g_hash_table_new, errno: %d", errno); + FFATAL("Failed to g_hash_table_new, errno: %d", errno); } @@ -396,7 +394,7 @@ static void instrument_coverage_normal_run() { } - if (bytes != 0) { FATAL("Coverage data truncated"); } + if (bytes != 0) { FFATAL("Coverage data truncated"); } instrument_coverage_print("Coverage - Preparing\n"); @@ -435,7 +433,7 @@ static GArray *instrument_coverage_unstable_read_unstable_ids(void) { if (!g_file_get_contents(unstable_coverage_fuzzer_stats, &contents, &length, NULL)) { - FATAL("Failed to read fuzzer_stats"); + FFATAL("Failed to read fuzzer_stats"); } @@ -526,7 +524,7 @@ static GHashTable *instrument_collect_unstable_blocks( GHashTable *child = (GHashTable *)g_hash_table_lookup(unstable_coverage_hash, *id); - if (child == NULL) { FATAL("Failed to find edge ID"); } + if (child == NULL) { FFATAL("Failed to find edge ID"); } GHashTableIter iter = {0}; gpointer value; @@ -565,7 +563,7 @@ static void instrument_coverage_unstable_run(void) { if (close(unstable_coverage_pipes[STDOUT_FILENO]) != 0) { - FATAL("Failed to close parent read pipe"); + FFATAL("Failed to close parent read pipe"); } @@ -573,7 +571,7 @@ static void instrument_coverage_unstable_run(void) { g_direct_hash, g_direct_equal, NULL, (GDestroyNotify)g_hash_table_unref); if (unstable_coverage_hash == NULL) { - FATAL("Failed to g_hash_table_new, errno: %d", errno); + FFATAL("Failed to g_hash_table_new, errno: %d", errno); } @@ -599,7 +597,7 @@ static void instrument_coverage_unstable_run(void) { if (!g_hash_table_insert(unstable_coverage_hash, GSIZE_TO_POINTER(value->edge), hash_value)) { - FATAL("Entry already in hashtable"); + FFATAL("Entry already in hashtable"); } @@ -613,7 +611,7 @@ static void instrument_coverage_unstable_run(void) { } - if (bytes != 0) { FATAL("Unstable coverage data truncated"); } + if (bytes != 0) { FFATAL("Unstable coverage data truncated"); } instrument_coverage_print("Coverage - Preparing\n"); @@ -659,33 +657,33 @@ void instrument_coverage_config(void) { void instrument_coverage_normal_init(void) { - OKF("Coverage - enabled [%c]", - instrument_coverage_filename == NULL ? ' ' : 'X'); + FOKF("Coverage - enabled [%c]", + instrument_coverage_filename == NULL ? ' ' : 'X'); if (instrument_coverage_filename == NULL) { return; } - OKF("Coverage - file [%s]", instrument_coverage_filename); + FOKF("Coverage - file [%s]", instrument_coverage_filename); char *path = g_canonicalize_filename(instrument_coverage_filename, g_get_current_dir()); - OKF("Coverage - path [%s]", path); + FOKF("Coverage - path [%s]", path); normal_coverage_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); if (normal_coverage_fd < 0) { - FATAL("Failed to open coverage file '%s'", path); + FFATAL("Failed to open coverage file '%s'", path); } g_free(path); - if (pipe(normal_coverage_pipes) != 0) { FATAL("Failed to create pipes"); } + if (pipe(normal_coverage_pipes) != 0) { FFATAL("Failed to create pipes"); } pid_t pid = fork(); - if (pid == -1) { FATAL("Failed to start coverage process"); } + if (pid == -1) { FFATAL("Failed to start coverage process"); } if (pid == 0) { @@ -697,13 +695,13 @@ void instrument_coverage_normal_init(void) { if (close(normal_coverage_fd) < 0) { - FATAL("Failed to close coverage output file"); + FFATAL("Failed to close coverage output file"); } if (close(normal_coverage_pipes[STDIN_FILENO]) != 0) { - FATAL("Failed to close parent read pipe"); + FFATAL("Failed to close parent read pipe"); } @@ -714,11 +712,11 @@ void instrument_coverage_unstable_find_output(void) { gchar *fds_name = g_strdup_printf("/proc/%d/fd/", getppid()); gchar *root = g_file_read_link("/proc/self/root", NULL); - if (root == NULL) { FATAL("Failed to read link"); } + if (root == NULL) { FFATAL("Failed to read link"); } GDir *dir = g_dir_open(fds_name, 0, NULL); - OKF("Coverage Unstable - fds: %s", fds_name); + FOKF("Coverage Unstable - fds: %s", fds_name); for (const gchar *filename = g_dir_read_name(dir); filename != NULL; filename = g_dir_read_name(dir)) { @@ -726,7 +724,7 @@ void instrument_coverage_unstable_find_output(void) { gchar *fullname = g_build_path("/", fds_name, filename, NULL); gchar *link = g_file_read_link(fullname, NULL); - if (link == NULL) { FATAL("Failed to read link: %s", fullname); } + if (link == NULL) { FFATAL("Failed to read link: %s", fullname); } gchar *basename = g_path_get_basename(link); if (g_strcmp0(basename, "default") != 0) { @@ -778,11 +776,11 @@ void instrument_coverage_unstable_find_output(void) { if (unstable_coverage_fuzzer_stats == NULL) { - FATAL("Failed to find fuzzer stats"); + FFATAL("Failed to find fuzzer stats"); } - OKF("Fuzzer stats: %s", unstable_coverage_fuzzer_stats); + FOKF("Fuzzer stats: %s", unstable_coverage_fuzzer_stats); } @@ -793,14 +791,14 @@ void instrument_coverage_unstable_init(void) { char *path = g_canonicalize_filename(instrument_coverage_unstable_filename, g_get_current_dir()); - OKF("Coverage - unstable path [%s]", instrument_coverage_unstable_filename); + FOKF("Coverage - unstable path [%s]", instrument_coverage_unstable_filename); unstable_coverage_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); if (unstable_coverage_fd < 0) { - FATAL("Failed to open unstable coverage file '%s'", path); + FFATAL("Failed to open unstable coverage file '%s'", path); } @@ -810,12 +808,12 @@ void instrument_coverage_unstable_init(void) { if (pipe(unstable_coverage_pipes) != 0) { - FATAL("Failed to create unstable pipes"); + FFATAL("Failed to create unstable pipes"); } pid_t pid = fork(); - if (pid == -1) { FATAL("Failed to start coverage process"); } + if (pid == -1) { FFATAL("Failed to start coverage process"); } if (pid == 0) { @@ -827,13 +825,13 @@ void instrument_coverage_unstable_init(void) { if (close(unstable_coverage_fd) < 0) { - FATAL("Failed to close unstable coverage output file"); + FFATAL("Failed to close unstable coverage output file"); } if (close(unstable_coverage_pipes[STDIN_FILENO]) != 0) { - FATAL("Failed to close parent read pipe"); + FFATAL("Failed to close parent read pipe"); } @@ -865,7 +863,7 @@ void instrument_coverage_end(uint64_t address) { if (write(normal_coverage_pipes[STDOUT_FILENO], &data, sizeof(normal_coverage_data_t)) != sizeof(normal_coverage_data_t)) { - FATAL("Coverage I/O error"); + FFATAL("Coverage I/O error"); } @@ -888,7 +886,7 @@ void instrument_coverage_unstable(guint64 edge, guint64 previous_rip, sizeof(unstable_coverage_data_t)) != sizeof(unstable_coverage_data_t)) { - FATAL("Unstable coverage I/O error"); + FFATAL("Unstable coverage I/O error"); } diff --git a/frida_mode/src/instrument/instrument_debug.c b/frida_mode/src/instrument/instrument_debug.c index b8cca634..a175b585 100644 --- a/frida_mode/src/instrument/instrument_debug.c +++ b/frida_mode/src/instrument/instrument_debug.c @@ -5,8 +5,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "instrument.h" #include "util.h" @@ -89,24 +87,24 @@ void instrument_debug_config(void) { void instrument_debug_init(void) { - OKF("Instrumentation debugging - enabled [%c]", - instrument_debug_filename == NULL ? ' ' : 'X'); + FOKF("Instrumentation debugging - enabled [%c]", + instrument_debug_filename == NULL ? ' ' : 'X'); if (instrument_debug_filename == NULL) { return; } - OKF("Instrumentation debugging - file [%s]", instrument_debug_filename); + FOKF("Instrumentation debugging - file [%s]", instrument_debug_filename); if (instrument_debug_filename == NULL) { return; } char *path = g_canonicalize_filename(instrument_debug_filename, g_get_current_dir()); - OKF("Instrumentation debugging - path [%s]", path); + FOKF("Instrumentation debugging - path [%s]", path); debugging_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); - if (debugging_fd < 0) { FATAL("Failed to open stats file '%s'", path); } + if (debugging_fd < 0) { FFATAL("Failed to open stats file '%s'", path); } g_free(path); diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 07605a04..e2cbb804 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -15,11 +15,11 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "instrument.h" #include "ranges.h" #include "stalker.h" +#include "util.h" #if defined(__x86_64__) @@ -238,6 +238,9 @@ static void instrument_coverage_switch(GumStalkerObserver *self, const cs_insn * from_insn, gpointer * target) { + UNUSED_PARAMETER(self); + UNUSED_PARAMETER(start_address); + cs_x86 * x86; cs_x86_op *op; if (from_insn == NULL) { return; } @@ -271,7 +274,7 @@ static void instrument_coverage_switch(GumStalkerObserver *self, } - *target = *target + sizeof(afl_log_code); + *target = (guint8 *)*target + sizeof(afl_log_code); } @@ -282,7 +285,7 @@ void instrument_coverage_optimize_init(void) { gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, instrument_coverage_find_low, &low_address); - OKF("Low address: %p", low_address); + FOKF("Low address: %p", low_address); if (low_address == 0 || GPOINTER_TO_SIZE(low_address) > ((2UL << 20) - __afl_map_size)) { @@ -294,11 +297,11 @@ void instrument_coverage_optimize_init(void) { ranges_print_debug_maps(); char *shm_env = getenv(SHM_ENV_VAR); - OKF("SHM_ENV_VAR: %s", shm_env); + FOKF("SHM_ENV_VAR: %s", shm_env); if (shm_env == NULL) { - WARNF("SHM_ENV_VAR not set, using anonymous map for debugging purposes"); + FWARNF("SHM_ENV_VAR not set, using anonymous map for debugging purposes"); instrument_coverage_optimize_map_mmap_anon(low_address); @@ -318,8 +321,8 @@ void instrument_coverage_optimize_init(void) { } - OKF("__afl_area_ptr: %p", __afl_area_ptr); - OKF("instrument_previous_pc: %p", &instrument_previous_pc); + FOKF("__afl_area_ptr: %p", __afl_area_ptr); + FOKF("instrument_previous_pc: %p", &instrument_previous_pc); } diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index f90c01c2..79664afa 100644 --- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "instrument.h" #include "util.h" diff --git a/frida_mode/src/intercept.c b/frida_mode/src/intercept.c index ed8d27bd..26d20c50 100644 --- a/frida_mode/src/intercept.c +++ b/frida_mode/src/intercept.c @@ -1,8 +1,7 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "intercept.h" +#include "util.h" void intercept_hook(void *address, gpointer replacement, gpointer user_data) { @@ -10,7 +9,7 @@ void intercept_hook(void *address, gpointer replacement, gpointer user_data) { gum_interceptor_begin_transaction(interceptor); GumReplaceReturn ret = gum_interceptor_replace(interceptor, address, replacement, user_data); - if (ret != GUM_REPLACE_OK) { FATAL("gum_interceptor_attach: %d", ret); } + if (ret != GUM_REPLACE_OK) { FFATAL("gum_interceptor_attach: %d", ret); } gum_interceptor_end_transaction(interceptor); } diff --git a/frida_mode/src/js/js.c b/frida_mode/src/js/js.c index e3cd4933..37cd377b 100644 --- a/frida_mode/src/js/js.c +++ b/frida_mode/src/js/js.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "js.h" #include "util.h" @@ -25,7 +23,7 @@ static void js_msg(GumScript *script, const gchar *message, GBytes *data, UNUSED_PARAMETER(script); UNUSED_PARAMETER(data); UNUSED_PARAMETER(user_data); - OKF("%s", message); + FOKF("%s", message); } @@ -50,14 +48,14 @@ static gchar *js_get_script() { } else { - FATAL("Could not load script file: %s", filename); + FFATAL("Could not load script file: %s", filename); } } else { - OKF("Loaded AFL script: %s, %" G_GSIZE_MODIFIER "d bytes", filename, - length); + FOKF("Loaded AFL script: %s, %" G_GSIZE_MODIFIER "d bytes", filename, + length); gchar *source = g_malloc0(api_js_len + length + 1); memcpy(source, api_js, api_js_len); @@ -75,7 +73,7 @@ static void js_print_script(gchar *source) { for (size_t i = 0; split[i] != NULL; i++) { - OKF("%3" G_GSIZE_MODIFIER "d. %s", i + 1, split[i]); + FOKF("%3" G_GSIZE_MODIFIER "d. %s", i + 1, split[i]); } @@ -89,7 +87,7 @@ static void load_cb(GObject *source_object, GAsyncResult *result, UNUSED_PARAMETER(source_object); UNUSED_PARAMETER(user_data); gum_script_load_finish(script, result); - if (error != NULL) { FATAL("Failed to load script - %s", error->message); } + if (error != NULL) { FFATAL("Failed to load script - %s", error->message); } } @@ -99,7 +97,7 @@ static void create_cb(GObject *source_object, GAsyncResult *result, UNUSED_PARAMETER(source_object); UNUSED_PARAMETER(user_data); script = gum_script_backend_create_finish(backend, result, &error); - if (error != NULL) { FATAL("Failed to create script: %s", error->message); } + if (error != NULL) { FFATAL("Failed to create script: %s", error->message); } gum_script_set_message_handler(script, js_msg, NULL, NULL); @@ -128,7 +126,7 @@ void js_start(void) { while (g_main_context_pending(context)) g_main_context_iteration(context, FALSE); - if (!js_done) { FATAL("Script didn't call Afl.done()"); } + if (!js_done) { FFATAL("Script didn't call Afl.done()"); } } diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index abc0ac30..570da335 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -1,4 +1,3 @@ -#include "debug.h" #include "entry.h" #include "instrument.h" @@ -20,7 +19,7 @@ __attribute__((visibility("default"))) void js_api_done() { __attribute__((visibility("default"))) void js_api_error(char *msg) { - FATAL("%s", msg); + FFATAL("%s", msg); } diff --git a/frida_mode/src/lib/lib.c b/frida_mode/src/lib/lib.c index 59a3fcf9..48d2ea2a 100644 --- a/frida_mode/src/lib/lib.c +++ b/frida_mode/src/lib/lib.c @@ -8,9 +8,8 @@ #include "frida-gumjs.h" - #include "debug.h" - #include "lib.h" + #include "util.h" #if defined(__arm__) || defined(__i386__) #define ELFCLASS ELFCLASS32 @@ -55,11 +54,11 @@ static gboolean lib_find_exe(const GumModuleDetails *details, static void lib_validate_hdr(Elf_Ehdr *hdr) { - if (hdr->e_ident[0] != ELFMAG0) FATAL("Invalid e_ident[0]"); - if (hdr->e_ident[1] != ELFMAG1) FATAL("Invalid e_ident[1]"); - if (hdr->e_ident[2] != ELFMAG2) FATAL("Invalid e_ident[2]"); - if (hdr->e_ident[3] != ELFMAG3) FATAL("Invalid e_ident[3]"); - if (hdr->e_ident[4] != ELFCLASS) FATAL("Invalid class"); + if (hdr->e_ident[0] != ELFMAG0) FFATAL("Invalid e_ident[0]"); + if (hdr->e_ident[1] != ELFMAG1) FFATAL("Invalid e_ident[1]"); + if (hdr->e_ident[2] != ELFMAG2) FFATAL("Invalid e_ident[2]"); + if (hdr->e_ident[3] != ELFMAG3) FFATAL("Invalid e_ident[3]"); + if (hdr->e_ident[4] != ELFCLASS) FFATAL("Invalid class"); } @@ -88,18 +87,22 @@ static void lib_read_text_section(lib_details_t *lib_details, Elf_Ehdr *hdr) { } - if (!found_preferred_base) { FATAL("Failed to find preferred load address"); } + if (!found_preferred_base) { + + FFATAL("Failed to find preferred load address"); + + } - OKF("Image preferred load address 0x%016" G_GSIZE_MODIFIER "x", - preferred_base); + FOKF("Image preferred load address 0x%016" G_GSIZE_MODIFIER "x", + preferred_base); shdr = (Elf_Shdr *)((char *)hdr + hdr->e_shoff); shstrtab = &shdr[hdr->e_shstrndx]; shstr = (char *)hdr + shstrtab->sh_offset; - OKF("shdr: %p", shdr); - OKF("shstrtab: %p", shstrtab); - OKF("shstr: %p", shstr); + FOKF("shdr: %p", shdr); + FOKF("shstrtab: %p", shstrtab); + FOKF("shstr: %p", shstr); for (size_t i = 0; i < hdr->e_shnum; i++) { @@ -108,16 +111,16 @@ static void lib_read_text_section(lib_details_t *lib_details, Elf_Ehdr *hdr) { if (curr->sh_name == 0) continue; section_name = &shstr[curr->sh_name]; - OKF("Section: %2" G_GSIZE_MODIFIER "u - base: 0x%016" G_GSIZE_MODIFIER - "X size: 0x%016" G_GSIZE_MODIFIER "X %s", - i, curr->sh_addr, curr->sh_size, section_name); + FOKF("Section: %2" G_GSIZE_MODIFIER "u - base: 0x%016" G_GSIZE_MODIFIER + "X size: 0x%016" G_GSIZE_MODIFIER "X %s", + i, curr->sh_addr, curr->sh_size, section_name); if (memcmp(section_name, text_name, sizeof(text_name)) == 0 && text_base == 0) { text_base = lib_details->base_address + curr->sh_addr - preferred_base; text_limit = text_base + curr->sh_size; - OKF("> text_addr: 0x%016" G_GINT64_MODIFIER "X", text_base); - OKF("> text_limit: 0x%016" G_GINT64_MODIFIER "X", text_limit); + FOKF("> text_addr: 0x%016" G_GINT64_MODIFIER "X", text_base); + FOKF("> text_limit: 0x%016" G_GINT64_MODIFIER "X", text_limit); } @@ -132,16 +135,16 @@ static void lib_get_text_section(lib_details_t *details) { Elf_Ehdr *hdr; fd = open(details->path, O_RDONLY); - if (fd < 0) { FATAL("Failed to open %s", details->path); } + if (fd < 0) { FFATAL("Failed to open %s", details->path); } len = lseek(fd, 0, SEEK_END); - if (len == (off_t)-1) { FATAL("Failed to lseek %s", details->path); } + if (len == (off_t)-1) { FFATAL("Failed to lseek %s", details->path); } - OKF("len: %ld", len); + FOKF("len: %ld", len); hdr = (Elf_Ehdr *)mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0); - if (hdr == MAP_FAILED) { FATAL("Failed to map %s", details->path); } + if (hdr == MAP_FAILED) { FFATAL("Failed to map %s", details->path); } lib_validate_hdr(hdr); lib_read_text_section(details, hdr); @@ -159,22 +162,22 @@ void lib_init(void) { lib_details_t lib_details; gum_process_enumerate_modules(lib_find_exe, &lib_details); - OKF("Executable: 0x%016" G_GINT64_MODIFIER "x - %s", lib_details.base_address, - lib_details.path); + FOKF("Executable: 0x%016" G_GINT64_MODIFIER "x - %s", + lib_details.base_address, lib_details.path); lib_get_text_section(&lib_details); } guint64 lib_get_text_base(void) { - if (text_base == 0) FATAL("Lib not initialized"); + if (text_base == 0) FFATAL("Lib not initialized"); return text_base; } guint64 lib_get_text_limit(void) { - if (text_limit == 0) FATAL("Lib not initialized"); + if (text_limit == 0) FFATAL("Lib not initialized"); return text_limit; } diff --git a/frida_mode/src/lib/lib_apple.c b/frida_mode/src/lib/lib_apple.c index 2aa48a13..3bdb8c10 100644 --- a/frida_mode/src/lib/lib_apple.c +++ b/frida_mode/src/lib/lib_apple.c @@ -1,8 +1,6 @@ #ifdef __APPLE__ #include "frida-gumjs.h" - #include "debug.h" - #include "lib.h" #include "util.h" @@ -22,7 +20,7 @@ static gboolean lib_get_main_module(const GumModuleDetails *details, details->path, mach_task_self(), details->range->base_address, GUM_DARWIN_MODULE_FLAGS_NONE, NULL); - OKF("Found main module: %s", module->name); + FOKF("Found main module: %s", module->name); *ret = module; @@ -37,18 +35,18 @@ gboolean lib_get_text_section(const GumDarwinSectionDetails *details, static size_t idx = 0; char text_name[] = "__text"; - OKF("Section: %2lu - base: 0x%016" G_GINT64_MODIFIER - "X size: 0x%016" G_GINT64_MODIFIER "X %s", - idx++, details->vm_address, details->vm_address + details->size, - details->section_name); + FOKF("Section: %2lu - base: 0x%016" G_GINT64_MODIFIER + "X size: 0x%016" G_GINT64_MODIFIER "X %s", + idx++, details->vm_address, details->vm_address + details->size, + details->section_name); if (memcmp(details->section_name, text_name, sizeof(text_name)) == 0 && text_base == 0) { text_base = details->vm_address; text_limit = details->vm_address + details->size; - OKF("> text_addr: 0x%016" G_GINT64_MODIFIER "X", text_base); - OKF("> text_limit: 0x%016" G_GINT64_MODIFIER "X", text_limit); + FOKF("> text_addr: 0x%016" G_GINT64_MODIFIER "X", text_base); + FOKF("> text_limit: 0x%016" G_GINT64_MODIFIER "X", text_limit); } @@ -70,14 +68,14 @@ void lib_init(void) { guint64 lib_get_text_base(void) { - if (text_base == 0) FATAL("Lib not initialized"); + if (text_base == 0) FFATAL("Lib not initialized"); return text_base; } guint64 lib_get_text_limit(void) { - if (text_limit == 0) FATAL("Lib not initialized"); + if (text_limit == 0) FFATAL("Lib not initialized"); return text_limit; } diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index 3599143b..cb88eabe 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -15,7 +15,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "entry.h" #include "instrument.h" @@ -63,7 +62,7 @@ static void on_main_os(int argc, char **argv, char **envp) { /* Personality doesn't affect the current process, it only takes effect on * evec */ int persona = personality(ADDR_NO_RANDOMIZE); - if (persona == -1) { WARNF("Failed to set ADDR_NO_RANDOMIZE: %d", errno); } + if (persona == -1) { FWARNF("Failed to set ADDR_NO_RANDOMIZE: %d", errno); } if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); } GumInterceptor *interceptor = gum_interceptor_obtain(); @@ -98,7 +97,7 @@ static void afl_print_cmdline(void) { if (fd < 0) { - WARNF("Failed to open /proc/self/cmdline, errno: (%d)", errno); + FWARNF("Failed to open /proc/self/cmdline, errno: (%d)", errno); return; } @@ -106,7 +105,7 @@ static void afl_print_cmdline(void) { ssize_t bytes_read = read(fd, buffer, PROC_MAX - 1); if (bytes_read < 0) { - FATAL("Failed to read /proc/self/cmdline, errno: (%d)", errno); + FFATAL("Failed to read /proc/self/cmdline, errno: (%d)", errno); } @@ -116,7 +115,7 @@ static void afl_print_cmdline(void) { if (i == 0 || buffer[i - 1] == '\0') { - OKF("AFL - COMMANDLINE: argv[%d] = %s", idx++, &buffer[i]); + FOKF("AFL - COMMANDLINE: argv[%d] = %s", idx++, &buffer[i]); } @@ -132,7 +131,7 @@ static void afl_print_cmdline(void) { for (idx = 0; idx < nargv; idx++) { - OKF("AFL - COMMANDLINE: argv[%d] = %s", idx, argv[idx]); + FOKF("AFL - COMMANDLINE: argv[%d] = %s", idx, argv[idx]); } @@ -148,7 +147,7 @@ static void afl_print_env(void) { if (fd < 0) { - WARNF("Failed to open /proc/self/cmdline, errno: (%d)", errno); + FWARNF("Failed to open /proc/self/cmdline, errno: (%d)", errno); return; } @@ -156,7 +155,7 @@ static void afl_print_env(void) { ssize_t bytes_read = read(fd, buffer, PROC_MAX - 1); if (bytes_read < 0) { - FATAL("Failed to read /proc/self/cmdline, errno: (%d)", errno); + FFATAL("Failed to read /proc/self/cmdline, errno: (%d)", errno); } @@ -166,7 +165,7 @@ static void afl_print_env(void) { if (i == 0 || buffer[i - 1] == '\0') { - OKF("AFL - ENVIRONMENT %3d: %s", idx++, &buffer[i]); + FOKF("AFL - ENVIRONMENT %3d: %s", idx++, &buffer[i]); } @@ -244,9 +243,9 @@ static void intercept_main(void) { static void intercept_main(void) { mach_port_t task = mach_task_self(); - OKF("Task Id: %u", task); + FOKF("Task Id: %u", task); GumAddress entry = gum_darwin_find_entrypoint(task); - OKF("Entry Point: 0x%016" G_GINT64_MODIFIER "x", entry); + FOKF("Entry Point: 0x%016" G_GINT64_MODIFIER "x", entry); void *main = GSIZE_TO_POINTER(entry); main_fn = main; intercept_hook(main, on_main, NULL); diff --git a/frida_mode/src/output.c b/frida_mode/src/output.c index e2b744e7..f570fe91 100644 --- a/frida_mode/src/output.c +++ b/frida_mode/src/output.c @@ -4,9 +4,8 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "output.h" +#include "util.h" char *output_stdout = NULL; char *output_stderr = NULL; @@ -19,18 +18,18 @@ static void output_redirect(int fd, char *filename) { path = g_canonicalize_filename(filename, g_get_current_dir()); - OKF("Redirect %d -> '%s'", fd, path); + FOKF("Redirect %d -> '%s'", fd, path); int output_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); g_free(path); - if (output_fd < 0) { FATAL("Failed to open fd(%d) error %d", fd, errno); } + if (output_fd < 0) { FFATAL("Failed to open fd(%d) error %d", fd, errno); } if (dup2(output_fd, fd) < 0) { - FATAL("Failed to set fd(%d) error %d", fd, errno); + FFATAL("Failed to set fd(%d) error %d", fd, errno); } @@ -47,8 +46,8 @@ void output_config(void) { void output_init(void) { - OKF("Output - StdOut: %s", output_stdout); - OKF("Output - StdErr: %s", output_stderr); + FOKF("Output - StdOut: %s", output_stdout); + FOKF("Output - StdErr: %s", output_stderr); output_redirect(STDOUT_FILENO, output_stdout); output_redirect(STDERR_FILENO, output_stderr); diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c index b2915a2f..e62f25d0 100644 --- a/frida_mode/src/persistent/persistent.c +++ b/frida_mode/src/persistent/persistent.c @@ -3,7 +3,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "entry.h" #include "persistent.h" @@ -31,7 +30,7 @@ void persistent_config(void) { if (persistent_count != 0 && persistent_start == 0) { - FATAL( + FFATAL( "AFL_FRIDA_PERSISTENT_ADDR must be specified if " "AFL_FRIDA_PERSISTENT_CNT is"); @@ -40,11 +39,11 @@ void persistent_config(void) { if (persistent_start != 0 && persistent_count == 0) persistent_count = 1000; if (persistent_start != 0 && !persistent_is_supported()) - FATAL("Persistent mode not supported on this architecture"); + FFATAL("Persistent mode not supported on this architecture"); if (persistent_ret != 0 && persistent_start == 0) { - FATAL( + FFATAL( "AFL_FRIDA_PERSISTENT_ADDR must be specified if " "AFL_FRIDA_PERSISTENT_RET is"); @@ -54,33 +53,33 @@ void persistent_config(void) { void *hook_obj = dlopen(hook_name, RTLD_NOW); if (hook_obj == NULL) - FATAL("Failed to load AFL_FRIDA_PERSISTENT_HOOK (%s)", hook_name); + FFATAL("Failed to load AFL_FRIDA_PERSISTENT_HOOK (%s)", hook_name); int (*afl_persistent_hook_init_ptr)(void) = dlsym(hook_obj, "afl_persistent_hook_init"); if (afl_persistent_hook_init_ptr == NULL) - FATAL("Failed to find afl_persistent_hook_init in %s", hook_name); + FFATAL("Failed to find afl_persistent_hook_init in %s", hook_name); if (afl_persistent_hook_init_ptr() == 0) - FATAL("afl_persistent_hook_init returned a failure"); + FFATAL("afl_persistent_hook_init returned a failure"); persistent_hook = (afl_persistent_hook_fn)dlsym(hook_obj, "afl_persistent_hook"); if (persistent_hook == NULL) - FATAL("Failed to find afl_persistent_hook in %s", hook_name); + FFATAL("Failed to find afl_persistent_hook in %s", hook_name); } void persistent_init(void) { - OKF("Instrumentation - persistent mode [%c] (0x%016" G_GINT64_MODIFIER "X)", - persistent_start == 0 ? ' ' : 'X', persistent_start); - OKF("Instrumentation - persistent count [%c] (%" G_GINT64_MODIFIER "d)", - persistent_start == 0 ? ' ' : 'X', persistent_count); - OKF("Instrumentation - hook [%s]", hook_name); + FOKF("Instrumentation - persistent mode [%c] (0x%016" G_GINT64_MODIFIER "X)", + persistent_start == 0 ? ' ' : 'X', persistent_start); + FOKF("Instrumentation - persistent count [%c] (%" G_GINT64_MODIFIER "d)", + persistent_start == 0 ? ' ' : 'X', persistent_count); + FOKF("Instrumentation - hook [%s]", hook_name); - OKF("Instrumentation - persistent ret [%c] (0x%016" G_GINT64_MODIFIER "X)", - persistent_ret == 0 ? ' ' : 'X', persistent_ret); + FOKF("Instrumentation - persistent ret [%c] (0x%016" G_GINT64_MODIFIER "X)", + persistent_ret == 0 ? ' ' : 'X', persistent_ret); if (persistent_hook != NULL) { __afl_sharedmem_fuzzing = 1; } @@ -88,7 +87,7 @@ void persistent_init(void) { void persistent_prologue(GumStalkerOutput *output) { - OKF("AFL_FRIDA_PERSISTENT_ADDR reached"); + FOKF("AFL_FRIDA_PERSISTENT_ADDR reached"); entry_compiled = TRUE; ranges_exclude(); stalker_trust(); @@ -98,7 +97,7 @@ void persistent_prologue(GumStalkerOutput *output) { void persistent_epilogue(GumStalkerOutput *output) { - OKF("AFL_FRIDA_PERSISTENT_RET reached"); + FOKF("AFL_FRIDA_PERSISTENT_RET reached"); persistent_epilogue_arch(output); } diff --git a/frida_mode/src/persistent/persistent_arm32.c b/frida_mode/src/persistent/persistent_arm32.c index 769f1505..b4e50897 100644 --- a/frida_mode/src/persistent/persistent_arm32.c +++ b/frida_mode/src/persistent/persistent_arm32.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "persistent.h" #include "util.h" @@ -64,14 +62,14 @@ gboolean persistent_is_supported(void) { void persistent_prologue_arch(GumStalkerOutput *output) { UNUSED_PARAMETER(output); - FATAL("Persistent mode not supported on this architecture"); + FFATAL("Persistent mode not supported on this architecture"); } void persistent_epilogue_arch(GumStalkerOutput *output) { UNUSED_PARAMETER(output); - FATAL("Persistent mode not supported on this architecture"); + FFATAL("Persistent mode not supported on this architecture"); } diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c index 3cd61cd5..c9159ca1 100644 --- a/frida_mode/src/persistent/persistent_arm64.c +++ b/frida_mode/src/persistent/persistent_arm64.c @@ -2,7 +2,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "instrument.h" #include "persistent.h" @@ -325,7 +324,7 @@ void persistent_prologue_arch(GumStalkerOutput *output) { gconstpointer loop = cw->code + 1; - OKF("Persistent loop reached"); + FOKF("Persistent loop reached"); instrument_persitent_save_regs(cw, &saved_regs); diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c index c0bd9a09..8cbde633 100644 --- a/frida_mode/src/persistent/persistent_x64.c +++ b/frida_mode/src/persistent/persistent_x64.c @@ -2,7 +2,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "instrument.h" #include "persistent.h" @@ -270,7 +269,7 @@ void persistent_prologue_arch(GumStalkerOutput *output) { gconstpointer loop = cw->code + 1; - OKF("Persistent loop reached"); + FOKF("Persistent loop reached"); /* Pop the return value */ gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, 8); diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c index b911676a..902274b3 100644 --- a/frida_mode/src/persistent/persistent_x86.c +++ b/frida_mode/src/persistent/persistent_x86.c @@ -1,7 +1,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "instrument.h" #include "persistent.h" @@ -210,7 +209,7 @@ void persistent_prologue_arch(GumStalkerOutput *output) { gconstpointer loop = cw->code + 1; - OKF("Persistent loop reached"); + FOKF("Persistent loop reached"); /* Pop the return value */ gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, 4); diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c index 1ddbd5ed..8c9ce94d 100644 --- a/frida_mode/src/prefetch.c +++ b/frida_mode/src/prefetch.c @@ -4,8 +4,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "entry.h" #include "intercept.h" #include "prefetch.h" @@ -122,7 +120,7 @@ static void prefetch_read_patches(void) { if (prefetch_data->backpatch_size - offset < size) { - FATAL("Incomplete backpatch entry"); + FFATAL("Incomplete backpatch entry"); } @@ -180,9 +178,9 @@ static void prefetch_hook_fork(void) { void prefetch_init(void) { - OKF("Instrumentation - prefetch [%c]", prefetch_enable ? 'X' : ' '); - OKF("Instrumentation - prefetch_backpatch [%c]", - prefetch_backpatch ? 'X' : ' '); + FOKF("Instrumentation - prefetch [%c]", prefetch_enable ? 'X' : ' '); + FOKF("Instrumentation - prefetch_backpatch [%c]", + prefetch_backpatch ? 'X' : ' '); if (!prefetch_enable) { return; } /* @@ -194,7 +192,7 @@ void prefetch_init(void) { shmget(IPC_PRIVATE, sizeof(prefetch_data_t), IPC_CREAT | IPC_EXCL | 0600); if (prefetch_shm_id < 0) { - FATAL("prefetch_shm_id < 0 - errno: %d\n", errno); + FFATAL("prefetch_shm_id < 0 - errno: %d\n", errno); } @@ -206,7 +204,7 @@ void prefetch_init(void) { */ if (shmctl(prefetch_shm_id, IPC_RMID, NULL) < 0) { - FATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); + FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); } diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c index 1b666fce..027417ee 100644 --- a/frida_mode/src/ranges.c +++ b/frida_mode/src/ranges.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "lib.h" #include "ranges.h" #include "stalker.h" @@ -37,8 +35,8 @@ static void convert_address_token(gchar *token, GumMemoryRange *range) { if (token_count != 2) { - FATAL("Invalid range (should have two addresses seperated by a '-'): %s\n", - token); + FFATAL("Invalid range (should have two addresses seperated by a '-'): %s\n", + token); } @@ -47,15 +45,15 @@ static void convert_address_token(gchar *token, GumMemoryRange *range) { if (!g_str_has_prefix(from_str, "0x")) { - FATAL("Invalid range: %s - Start address should have 0x prefix: %s\n", - token, from_str); + FFATAL("Invalid range: %s - Start address should have 0x prefix: %s\n", + token, from_str); } if (!g_str_has_prefix(to_str, "0x")) { - FATAL("Invalid range: %s - End address should have 0x prefix: %s\n", token, - to_str); + FFATAL("Invalid range: %s - End address should have 0x prefix: %s\n", token, + to_str); } @@ -66,8 +64,8 @@ static void convert_address_token(gchar *token, GumMemoryRange *range) { if (!g_ascii_isxdigit(*c)) { - FATAL("Invalid range: %s - Start address not formed of hex digits: %s\n", - token, from_str); + FFATAL("Invalid range: %s - Start address not formed of hex digits: %s\n", + token, from_str); } @@ -77,8 +75,8 @@ static void convert_address_token(gchar *token, GumMemoryRange *range) { if (!g_ascii_isxdigit(*c)) { - FATAL("Invalid range: %s - End address not formed of hex digits: %s\n", - token, to_str); + FFATAL("Invalid range: %s - End address not formed of hex digits: %s\n", + token, to_str); } @@ -87,24 +85,25 @@ static void convert_address_token(gchar *token, GumMemoryRange *range) { guint64 from = g_ascii_strtoull(from_str, NULL, 16); if (from == 0) { - FATAL("Invalid range: %s - Start failed hex conversion: %s\n", token, - from_str); + FFATAL("Invalid range: %s - Start failed hex conversion: %s\n", token, + from_str); } guint64 to = g_ascii_strtoull(to_str, NULL, 16); if (to == 0) { - FATAL("Invalid range: %s - End failed hex conversion: %s\n", token, to_str); + FFATAL("Invalid range: %s - End failed hex conversion: %s\n", token, + to_str); } if (from >= to) { - FATAL("Invalid range: %s - Start (0x%016" G_GINT64_MODIFIER - "x) must be less than end " - "(0x%016" G_GINT64_MODIFIER "x)\n", - token, from, to); + FFATAL("Invalid range: %s - Start (0x%016" G_GINT64_MODIFIER + "x) must be less than end " + "(0x%016" G_GINT64_MODIFIER "x)\n", + token, from, to); } @@ -123,10 +122,10 @@ static gboolean convert_name_token_for_module(const GumModuleDetails *details, if (!g_str_has_suffix(details->path, ctx->suffix)) { return true; }; - OKF("Found module - prefix: %s, 0x%016" G_GINT64_MODIFIER - "x-0x%016" G_GINT64_MODIFIER "x %s", - ctx->suffix, details->range->base_address, - details->range->base_address + details->range->size, details->path); + FOKF("Found module - prefix: %s, 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x %s", + ctx->suffix, details->range->base_address, + details->range->base_address + details->range->size, details->path); *ctx->range = *details->range; ctx->done = true; @@ -140,7 +139,7 @@ static void convert_name_token(gchar *token, GumMemoryRange *range) { convert_name_ctx_t ctx = {.suffix = suffix, .range = range, .done = false}; gum_process_enumerate_modules(convert_name_token_for_module, &ctx); - if (!ctx.done) { FATAL("Failed to resolve module: %s\n", token); } + if (!ctx.done) { FFATAL("Failed to resolve module: %s\n", token); } g_free(suffix); } @@ -159,9 +158,9 @@ static void convert_token(gchar *token, GumMemoryRange *range) { } - OKF("Converted token: %s -> 0x%016" G_GINT64_MODIFIER - "x-0x%016" G_GINT64_MODIFIER "x\n", - token, range->base_address, range->base_address + range->size); + FOKF("Converted token: %s -> 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x\n", + token, range->base_address, range->base_address + range->size); } @@ -179,24 +178,24 @@ static gboolean print_ranges_callback(const GumRangeDetails *details, if (details->file == NULL) { - OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER - "X %c%c%c", - details->range->base_address, - details->range->base_address + details->range->size, - details->protection & GUM_PAGE_READ ? 'R' : '-', - details->protection & GUM_PAGE_WRITE ? 'W' : '-', - details->protection & GUM_PAGE_EXECUTE ? 'X' : '-'); + FOKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER + "X %c%c%c", + details->range->base_address, + details->range->base_address + details->range->size, + details->protection & GUM_PAGE_READ ? 'R' : '-', + details->protection & GUM_PAGE_WRITE ? 'W' : '-', + details->protection & GUM_PAGE_EXECUTE ? 'X' : '-'); } else { - OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER - "X %c%c%c %s(0x%016" G_GINT64_MODIFIER "x)", - details->range->base_address, - details->range->base_address + details->range->size, - details->protection & GUM_PAGE_READ ? 'R' : '-', - details->protection & GUM_PAGE_WRITE ? 'W' : '-', - details->protection & GUM_PAGE_EXECUTE ? 'X' : '-', details->file->path, - details->file->offset); + FOKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER + "X %c%c%c %s(0x%016" G_GINT64_MODIFIER "x)", + details->range->base_address, + details->range->base_address + details->range->size, + details->protection & GUM_PAGE_READ ? 'R' : '-', + details->protection & GUM_PAGE_WRITE ? 'W' : '-', + details->protection & GUM_PAGE_EXECUTE ? 'X' : '-', + details->file->path, details->file->offset); } @@ -206,14 +205,14 @@ static gboolean print_ranges_callback(const GumRangeDetails *details, static void print_ranges(char *key, GArray *ranges) { - OKF("Range: %s Length: %d", key, ranges->len); + FOKF("Range: %s Length: %d", key, ranges->len); for (guint i = 0; i < ranges->len; i++) { GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i); GumAddress curr_limit = curr->base_address + curr->size; - OKF("Range: %s Idx: %3d - 0x%016" G_GINT64_MODIFIER - "x-0x%016" G_GINT64_MODIFIER "x", - key, i, curr->base_address, curr_limit); + FOKF("Range: %s Idx: %3d - 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x", + key, i, curr->base_address, curr_limit); } @@ -250,10 +249,10 @@ static void check_for_overlaps(GArray *array) { GumAddress curr_limit = curr->base_address + curr->size; if (prev_limit > curr->base_address) { - FATAL("OVerlapping ranges 0x%016" G_GINT64_MODIFIER - "x-0x%016" G_GINT64_MODIFIER "x 0x%016" G_GINT64_MODIFIER - "x-0x%016" G_GINT64_MODIFIER "x", - prev->base_address, prev_limit, curr->base_address, curr_limit); + FFATAL("OVerlapping ranges 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x 0x%016" G_GINT64_MODIFIER + "x-0x%016" G_GINT64_MODIFIER "x", + prev->base_address, prev_limit, curr->base_address, curr_limit); } @@ -577,13 +576,13 @@ void ranges_init(void) { GArray * step4; GArray * step5; - OKF("Ranges - Instrument jit [%c]", ranges_inst_jit ? 'X' : ' '); - OKF("Ranges - Instrument libraries [%c]", ranges_inst_libs ? 'X' : ' '); + FOKF("Ranges - Instrument jit [%c]", ranges_inst_jit ? 'X' : ' '); + FOKF("Ranges - Instrument libraries [%c]", ranges_inst_libs ? 'X' : ' '); print_ranges("AFL_FRIDA_INST_RANGES", include_ranges); print_ranges("AFL_FRIDA_EXCLUDE_RANGES", exclude_ranges); - OKF("Ranges - Instrument libraries [%c]", ranges_inst_libs ? 'X' : ' '); + FOKF("Ranges - Instrument libraries [%c]", ranges_inst_libs ? 'X' : ' '); print_ranges("AFL_FRIDA_INST_RANGES", include_ranges); print_ranges("AFL_FRIDA_EXCLUDE_RANGES", exclude_ranges); @@ -660,7 +659,7 @@ void ranges_exclude() { GumMemoryRange *r; GumStalker * stalker = stalker_get(); - OKF("Excluding ranges"); + FOKF("Excluding ranges"); for (guint i = 0; i < ranges->len; i++) { diff --git a/frida_mode/src/seccomp/seccomp.c b/frida_mode/src/seccomp/seccomp.c index 99111591..9d8fdd5d 100644 --- a/frida_mode/src/seccomp/seccomp.c +++ b/frida_mode/src/seccomp/seccomp.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "seccomp.h" #include "util.h" @@ -12,7 +10,7 @@ void seccomp_on_fork(void) { if (seccomp_filename == NULL) { return; } #ifdef __APPLE__ - FATAL("Seccomp not supported on OSX"); + FFATAL("Seccomp not supported on OSX"); #else seccomp_callback_parent(); #endif @@ -27,12 +25,12 @@ void seccomp_config(void) { void seccomp_init(void) { - OKF("Seccomp - file [%s]", seccomp_filename); + FOKF("Seccomp - file [%s]", seccomp_filename); if (seccomp_filename == NULL) { return; } #ifdef __APPLE__ - FATAL("Seccomp not supported on OSX"); + FFATAL("Seccomp not supported on OSX"); #else seccomp_callback_initialize(); #endif diff --git a/frida_mode/src/seccomp/seccomp_atomic.c b/frida_mode/src/seccomp/seccomp_atomic.c index c2042f97..18cb6724 100644 --- a/frida_mode/src/seccomp/seccomp_atomic.c +++ b/frida_mode/src/seccomp/seccomp_atomic.c @@ -3,13 +3,13 @@ #include #include - #include "debug.h" + #include "util.h" void seccomp_atomic_set(volatile bool *ptr, bool val) { if (!__sync_bool_compare_and_swap(ptr, !val, val)) { - FATAL("Failed to set event"); + FFATAL("Failed to set event"); } diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c index ac0fb8bb..f7aaf78b 100644 --- a/frida_mode/src/seccomp/seccomp_callback.c +++ b/frida_mode/src/seccomp/seccomp_callback.c @@ -6,8 +6,7 @@ #include #include "seccomp.h" - - #include "debug.h" + #include "util.h" static void seccomp_callback_filter(struct seccomp_notif * req, struct seccomp_notif_resp *resp, @@ -35,7 +34,7 @@ static void seccomp_callback_filter(struct seccomp_notif * req, #if !defined(__MUSL__) seccomp_print("FRAMES: (%u)\n", frames->len); char **syms = backtrace_symbols(frames->items, frames->len); - if (syms == NULL) { FATAL("Failed to get symbols"); } + if (syms == NULL) { FFATAL("Failed to get symbols"); } for (guint i = 0; i < frames->len; i++) { @@ -84,7 +83,7 @@ static void seccomp_callback_child(int signal_parent, void *ctx) { int sock_fd = *((int *)ctx); int fd = seccomp_socket_recv(sock_fd); - if (close(sock_fd) < 0) { FATAL("child - close"); } + if (close(sock_fd) < 0) { FFATAL("child - close"); } seccomp_event_signal(signal_parent); seccomp_filter_child_install(); @@ -101,18 +100,18 @@ void seccomp_callback_parent(void) { seccomp_socket_create(sock); seccomp_child_run(seccomp_callback_child, sock, &child, &child_fd); - if (dup2(child_fd, SECCOMP_PARENT_EVENT_FD) < 0) { FATAL("dup2"); } + if (dup2(child_fd, SECCOMP_PARENT_EVENT_FD) < 0) { FFATAL("dup2"); } - if (close(child_fd) < 0) { FATAL("seccomp_on_fork - close (1)"); } + if (close(child_fd) < 0) { FFATAL("seccomp_on_fork - close (1)"); } - if (close(sock[STDIN_FILENO]) < 0) { FATAL("grandparent - close (2)"); } + if (close(sock[STDIN_FILENO]) < 0) { FFATAL("grandparent - close (2)"); } int fd = seccomp_filter_install(child); seccomp_socket_send(sock[STDOUT_FILENO], fd); - if (close(sock[STDOUT_FILENO]) < 0) { FATAL("grandparent - close (3)"); } + if (close(sock[STDOUT_FILENO]) < 0) { FFATAL("grandparent - close (3)"); } - if (close(fd) < 0) { FATAL("grandparent - close (4)"); } + if (close(fd) < 0) { FFATAL("grandparent - close (4)"); } seccomp_child_wait(SECCOMP_PARENT_EVENT_FD); @@ -125,18 +124,18 @@ void seccomp_callback_initialize(void) { path = g_canonicalize_filename(seccomp_filename, g_get_current_dir()); - OKF("Seccomp - path [%s]", path); + FOKF("Seccomp - path [%s]", path); fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); if (dup2(fd, SECCOMP_OUTPUT_FILE_FD) < 0) { - FATAL("Failed to duplicate seccomp output file"); + FFATAL("Failed to duplicate seccomp output file"); } - if (close(fd) < 0) { FATAL("Failed to close seccomp output file fd"); } + if (close(fd) < 0) { FFATAL("Failed to close seccomp output file fd"); } g_free(path); diff --git a/frida_mode/src/seccomp/seccomp_child.c b/frida_mode/src/seccomp/seccomp_child.c index 43a79894..c02ef67c 100644 --- a/frida_mode/src/seccomp/seccomp_child.c +++ b/frida_mode/src/seccomp/seccomp_child.c @@ -10,9 +10,8 @@ #include #include - #include "debug.h" - #include "seccomp.h" + #include "util.h" #define SECCOMP_CHILD_STACK_SIZE (1UL << 20) @@ -51,11 +50,11 @@ void seccomp_child_run(seccomp_child_func_t child_func, void *ctx, pid_t *child, char *stack = (char *)mmap(NULL, SECCOMP_CHILD_STACK_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); - if (stack == MAP_FAILED) { FATAL("mmap"); } + if (stack == MAP_FAILED) { FFATAL("mmap"); } pid_t child_pid = clone(seccomp_child_func, &stack[SECCOMP_CHILD_STACK_SIZE], flags, child_ctx, NULL, NULL, NULL); - if (child_pid < 0) { FATAL("clone"); } + if (child_pid < 0) { FFATAL("clone"); } if (child != NULL) { *child = child_pid; } if (event_fd != NULL) { *event_fd = fd; } diff --git a/frida_mode/src/seccomp/seccomp_event.c b/frida_mode/src/seccomp/seccomp_event.c index e2f592ca..aca0967a 100644 --- a/frida_mode/src/seccomp/seccomp_event.c +++ b/frida_mode/src/seccomp/seccomp_event.c @@ -5,14 +5,13 @@ #include #include - #include "debug.h" - #include "seccomp.h" + #include "util.h" int seccomp_event_create(void) { int fd = syscall(SYS_eventfd, 0, 0); - if (fd < 0) { FATAL("seccomp_event_create"); } + if (fd < 0) { FFATAL("seccomp_event_create"); } return fd; } @@ -22,7 +21,7 @@ void seccomp_event_signal(int fd) { uint64_t val = 1; if (write(fd, &val, sizeof(uint64_t)) != sizeof(uint64_t)) { - FATAL("seccomp_event_signal"); + FFATAL("seccomp_event_signal"); } @@ -33,7 +32,7 @@ void seccomp_event_wait(int fd) { uint64_t val = 1; if (read(fd, &val, sizeof(uint64_t)) != sizeof(uint64_t)) { - FATAL("seccomp_event_wait"); + FFATAL("seccomp_event_wait"); } @@ -41,7 +40,7 @@ void seccomp_event_wait(int fd) { void seccomp_event_destroy(int fd) { - if (close(fd) < 0) { FATAL("seccomp_event_destroy"); } + if (close(fd) < 0) { FFATAL("seccomp_event_destroy"); } } diff --git a/frida_mode/src/seccomp/seccomp_filter.c b/frida_mode/src/seccomp/seccomp_filter.c index 0dcc4cbb..a7c0926c 100644 --- a/frida_mode/src/seccomp/seccomp_filter.c +++ b/frida_mode/src/seccomp/seccomp_filter.c @@ -17,8 +17,6 @@ #include #include - #include "debug.h" - #include "frida-gumjs.h" #include "seccomp.h" @@ -159,7 +157,7 @@ static void seccomp_filter_parent_handler(int sig, siginfo_t *info, if (syscall(SYS_tgkill, seccomp_filter_child, seccomp_filter_child, SIGUSR1) < 0) { - FATAL("kill"); + FFATAL("kill"); } @@ -172,7 +170,7 @@ void seccomp_filter_child_install(void) { const struct sigaction sa = {.sa_sigaction = seccomp_filter_child_handler, .sa_flags = SA_SIGINFO | SA_RESTART}; - if (sigaction(SIGUSR1, &sa, NULL) < 0) { FATAL("sigaction"); } + if (sigaction(SIGUSR1, &sa, NULL) < 0) { FFATAL("sigaction"); } } @@ -187,17 +185,17 @@ int seccomp_filter_install(pid_t child) { .len = sizeof(filter) / sizeof(struct sock_filter), .filter = filter}; - if (sigaction(SIGUSR1, &sa, NULL) < 0) { FATAL("sigaction"); } + if (sigaction(SIGUSR1, &sa, NULL) < 0) { FFATAL("sigaction"); } if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { - FATAL("PR_SET_NO_NEW_PRIVS %d", errno); + FFATAL("PR_SET_NO_NEW_PRIVS %d", errno); } int fd = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &filter_prog); - if (fd < 0) { FATAL("SYS_seccomp %d", fd); } + if (fd < 0) { FFATAL("SYS_seccomp %d", fd); } return fd; @@ -211,19 +209,19 @@ void seccomp_filter_run(int fd, seccomp_filter_callback_t callback) { if (syscall(SYS_seccomp, SECCOMP_GET_NOTIF_SIZES, 0, &sizes) == -1) { - FATAL("seccomp-SECCOMP_GET_NOTIF_SIZES"); + FFATAL("seccomp-SECCOMP_GET_NOTIF_SIZES"); } if (sizes.seccomp_notif != sizeof(struct seccomp_notif)) { - FATAL("size - seccomp_notif"); + FFATAL("size - seccomp_notif"); } if (sizes.seccomp_notif_resp != sizeof(struct seccomp_notif_resp)) { - FATAL("size - seccomp_notif"); + FFATAL("size - seccomp_notif"); } @@ -237,7 +235,7 @@ void seccomp_filter_run(int fd, seccomp_filter_callback_t callback) { if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0) { if (errno == EINTR) { continue; } - FATAL("SECCOMP_IOCTL_NOTIF_RECV: %d\n", fd); + FFATAL("SECCOMP_IOCTL_NOTIF_RECV: %d\n", fd); } @@ -247,14 +245,14 @@ void seccomp_filter_run(int fd, seccomp_filter_callback_t callback) { } else { - if (kill(req->pid, SIGUSR1) < 0) { FATAL("kill"); } + if (kill(req->pid, SIGUSR1) < 0) { FFATAL("kill"); } } if (ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0) { if (errno == ENOENT) { continue; } - OKF("SECCOMP_IOCTL_NOTIF_SEND"); + FOKF("SECCOMP_IOCTL_NOTIF_SEND"); continue; } diff --git a/frida_mode/src/seccomp/seccomp_socket.c b/frida_mode/src/seccomp/seccomp_socket.c index ef937420..a01e88ee 100644 --- a/frida_mode/src/seccomp/seccomp_socket.c +++ b/frida_mode/src/seccomp/seccomp_socket.c @@ -5,9 +5,8 @@ #include #include - #include "debug.h" - #include "seccomp.h" + #include "util.h" union cmsg { @@ -21,31 +20,31 @@ void seccomp_socket_create(int *sock) { int tmp_sock[2] = {-1, -1}; if (socketpair(AF_UNIX, SOCK_STREAM, 0, tmp_sock) < 0) { - FATAL("socketpair"); + FFATAL("socketpair"); } if (dup2(tmp_sock[STDIN_FILENO], SECCOMP_SOCKET_RECV_FD) < 0) { - FATAL("seccomp_socket_create - dup2 (1)"); + FFATAL("seccomp_socket_create - dup2 (1)"); } if (dup2(tmp_sock[STDOUT_FILENO], SECCOMP_SOCKET_SEND_FD) < 0) { - FATAL("seccomp_socket_create - dup2 (1)"); + FFATAL("seccomp_socket_create - dup2 (1)"); } if (close(tmp_sock[STDIN_FILENO]) < 0) { - FATAL("seccomp_socket_create - close (1)"); + FFATAL("seccomp_socket_create - close (1)"); } if (close(tmp_sock[STDOUT_FILENO]) < 0) { - FATAL("seccomp_socket_create - close (2)"); + FFATAL("seccomp_socket_create - close (2)"); } @@ -76,7 +75,7 @@ void seccomp_socket_send(int sockfd, int fd) { memcpy(CMSG_DATA(&control_msg.hdr), &fd, sizeof(int)); - if (sendmsg(sockfd, &message, 0) == -1) { FATAL("sendmsg"); } + if (sendmsg(sockfd, &message, 0) == -1) { FFATAL("sendmsg"); } } @@ -95,23 +94,23 @@ int seccomp_socket_recv(int sockfd) { int fd; - if (recvmsg(sockfd, &message, 0) < 0) { FATAL("recvmsg"); } + if (recvmsg(sockfd, &message, 0) < 0) { FFATAL("recvmsg"); } if (control_msg.hdr.cmsg_len != CMSG_LEN(sizeof(int))) { - FATAL("control_msg.hdr.cmsg_len"); + FFATAL("control_msg.hdr.cmsg_len"); } if (control_msg.hdr.cmsg_level != SOL_SOCKET) { - FATAL("control_msg.hdr.cmsg_level"); + FFATAL("control_msg.hdr.cmsg_level"); } if (control_msg.hdr.cmsg_type != SCM_RIGHTS) { - FATAL("control_msg.hdr.cmsg_type"); + FFATAL("control_msg.hdr.cmsg_type"); } diff --git a/frida_mode/src/seccomp/seccomp_syscall.c b/frida_mode/src/seccomp/seccomp_syscall.c index 8335b93c..2eac1af3 100644 --- a/frida_mode/src/seccomp/seccomp_syscall.c +++ b/frida_mode/src/seccomp/seccomp_syscall.c @@ -3,9 +3,8 @@ #include #include - #include "debug.h" - #include "seccomp.h" + #include "util.h" typedef struct { @@ -324,10 +323,10 @@ static syscall_entry_t seccomp_syscall_table[] = { char *seccomp_syscall_lookup(int id) { - if (id < 0) { FATAL("Invalid id: %d", id); } + if (id < 0) { FFATAL("Invalid id: %d", id); } if ((uint32_t)id >= sizeof(seccomp_syscall_table) / sizeof(syscall_entry_t)) { - FATAL("Invalid id: %d", id); + FFATAL("Invalid id: %d", id); } diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c index 6ba41bc6..35a9d856 100644 --- a/frida_mode/src/stalker.c +++ b/frida_mode/src/stalker.c @@ -1,4 +1,3 @@ -#include "debug.h" #include "instrument.h" #include "prefetch.h" @@ -57,7 +56,7 @@ static void gum_afl_stalker_observer_init(GumAflStalkerObserver *self) { void stalker_config(void) { - if (!gum_stalker_is_supported()) { FATAL("Failed to initialize embedded"); } + if (!gum_stalker_is_supported()) { FFATAL("Failed to initialize embedded"); } backpatch_enable = (getenv("AFL_FRIDA_INST_NO_BACKPATCH") == NULL); @@ -90,14 +89,14 @@ static gboolean stalker_exclude_self(const GumRangeDetails *details, void stalker_init(void) { - OKF("Instrumentation - backpatch [%c]", backpatch_enable ? 'X' : ' '); + FOKF("Instrumentation - backpatch [%c]", backpatch_enable ? 'X' : ' '); - OKF("Stalker - ic_entries [%u]", stalker_ic_entries); + FOKF("Stalker - ic_entries [%u]", stalker_ic_entries); #if !(defined(__x86_64__) || defined(__i386__)) if (stalker_ic_entries != 0) { - FATAL("AFL_FRIDA_STALKER_IC_ENTRIES not supported"); + FFATAL("AFL_FRIDA_STALKER_IC_ENTRIES not supported"); } @@ -112,7 +111,7 @@ void stalker_init(void) { stalker = gum_stalker_new(); #endif - if (stalker == NULL) { FATAL("Failed to initialize stalker"); } + if (stalker == NULL) { FFATAL("Failed to initialize stalker"); } gum_stalker_set_trust_threshold(stalker, -1); @@ -123,7 +122,7 @@ void stalker_init(void) { GumStalker *stalker_get(void) { - if (stalker == NULL) { FATAL("Stalker uninitialized"); } + if (stalker == NULL) { FFATAL("Stalker uninitialized"); } return stalker; } @@ -145,7 +144,7 @@ void stalker_trust(void) { GumStalkerObserver *stalker_get_observer(void) { - if (observer == NULL) { FATAL("Stalker not yet initialized"); } + if (observer == NULL) { FFATAL("Stalker not yet initialized"); } return GUM_STALKER_OBSERVER(observer); } diff --git a/frida_mode/src/stats/stats.c b/frida_mode/src/stats/stats.c index 7972b881..a61834d6 100644 --- a/frida_mode/src/stats/stats.c +++ b/frida_mode/src/stats/stats.c @@ -8,7 +8,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "util.h" #include "entry.h" @@ -330,12 +329,12 @@ void stats_config(void) { void stats_init(void) { - OKF("Stats - file [%s]", stats_filename); - OKF("Stats - interval [%" G_GINT64_MODIFIER "u]", stats_interval); + FOKF("Stats - file [%s]", stats_filename); + FOKF("Stats - interval [%" G_GINT64_MODIFIER "u]", stats_interval); if (stats_interval != 0 && stats_filename == NULL) { - FATAL( + FFATAL( "AFL_FRIDA_STATS_FILE must be specified if " "AFL_FRIDA_STATS_INTERVAL is"); @@ -348,18 +347,18 @@ void stats_init(void) { char *path = g_canonicalize_filename(stats_filename, g_get_current_dir()); - OKF("Stats - path [%s]", path); + FOKF("Stats - path [%s]", path); stats_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); - if (stats_fd < 0) { FATAL("Failed to open stats file '%s'", path); } + if (stats_fd < 0) { FFATAL("Failed to open stats file '%s'", path); } g_free(path); int shm_id = shmget(IPC_PRIVATE, sizeof(stats_data_t), IPC_CREAT | IPC_EXCL | 0600); - if (shm_id < 0) { FATAL("shm_id < 0 - errno: %d\n", errno); } + if (shm_id < 0) { FFATAL("shm_id < 0 - errno: %d\n", errno); } stats_data = shmat(shm_id, NULL, 0); g_assert(stats_data != MAP_FAILED); @@ -372,7 +371,7 @@ void stats_init(void) { */ if (shmctl(shm_id, IPC_RMID, NULL) < 0) { - FATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); + FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); } diff --git a/frida_mode/src/stats/stats_arm32.c b/frida_mode/src/stats/stats_arm32.c index 5860d33b..bd652aa3 100644 --- a/frida_mode/src/stats/stats_arm32.c +++ b/frida_mode/src/stats/stats_arm32.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "stats.h" #include "util.h" @@ -9,13 +7,13 @@ void starts_arch_init(void) { - FATAL("Stats not supported on this architecture"); + FFATAL("Stats not supported on this architecture"); } void stats_write_arch(stats_data_t *data) { - FATAL("Stats not supported on this architecture"); + FFATAL("Stats not supported on this architecture"); } @@ -23,7 +21,7 @@ void stats_collect_arch(const cs_insn *instr, gboolean begin) { UNUSED_PARAMETER(instr); UNUSED_PARAMETER(begin); - FATAL("Stats not supported on this architecture"); + FFATAL("Stats not supported on this architecture"); } diff --git a/frida_mode/src/stats/stats_arm64.c b/frida_mode/src/stats/stats_arm64.c index 54b3faf1..313ab47a 100644 --- a/frida_mode/src/stats/stats_arm64.c +++ b/frida_mode/src/stats/stats_arm64.c @@ -3,8 +3,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "ranges.h" #include "stats.h" #include "util.h" @@ -48,7 +46,7 @@ void starts_arch_init(void) { int shm_id = shmget(IPC_PRIVATE, sizeof(stats_data_arch_t), IPC_CREAT | IPC_EXCL | 0600); - if (shm_id < 0) { FATAL("shm_id < 0 - errno: %d\n", errno); } + if (shm_id < 0) { FFATAL("shm_id < 0 - errno: %d\n", errno); } stats_data_arch = shmat(shm_id, NULL, 0); g_assert(stats_data_arch != MAP_FAILED); @@ -58,7 +56,7 @@ void starts_arch_init(void) { */ if (shmctl(shm_id, IPC_RMID, NULL) < 0) { - FATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); + FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); } diff --git a/frida_mode/src/stats/stats_x86_64.c b/frida_mode/src/stats/stats_x86_64.c index ab914951..0bfe3baa 100644 --- a/frida_mode/src/stats/stats_x86_64.c +++ b/frida_mode/src/stats/stats_x86_64.c @@ -3,8 +3,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "ranges.h" #include "stats.h" #include "util.h" @@ -50,7 +48,7 @@ void starts_arch_init(void) { int shm_id = shmget(IPC_PRIVATE, sizeof(stats_data_arch_t), IPC_CREAT | IPC_EXCL | 0600); - if (shm_id < 0) { FATAL("shm_id < 0 - errno: %d\n", errno); } + if (shm_id < 0) { FFATAL("shm_id < 0 - errno: %d\n", errno); } stats_data_arch = shmat(shm_id, NULL, 0); g_assert(stats_data_arch != MAP_FAILED); @@ -60,7 +58,7 @@ void starts_arch_init(void) { */ if (shmctl(shm_id, IPC_RMID, NULL) < 0) { - FATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); + FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno); } @@ -255,8 +253,8 @@ static x86_op_type stats_get_operand_type(const cs_insn *instr) { if (x86->op_count != 1) { - FATAL("Unexpected operand count (%d): %s %s\n", x86->op_count, - instr->mnemonic, instr->op_str); + FFATAL("Unexpected operand count (%d): %s %s\n", x86->op_count, + instr->mnemonic, instr->op_str); } @@ -295,7 +293,7 @@ static void stats_collect_call_arch(const cs_insn *instr) { stats_data_arch->num_call_mem++; break; default: - FATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str); + FFATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str); } @@ -316,7 +314,7 @@ static void stats_collect_jump_arch(const cs_insn *instr) { stats_data_arch->num_jmp_mem++; break; default: - FATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str); + FFATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str); } @@ -337,7 +335,7 @@ static void stats_collect_jump_cond_arch(const cs_insn *instr) { stats_data_arch->num_jmp_cond_mem++; break; default: - FATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str); + FFATAL("Invalid operand type: %s %s\n", instr->mnemonic, instr->op_str); } diff --git a/frida_mode/src/util.c b/frida_mode/src/util.c index 09e8a58b..2b0f7be6 100644 --- a/frida_mode/src/util.c +++ b/frida_mode/src/util.c @@ -1,7 +1,5 @@ #include "util.h" -#include "debug.h" - guint64 util_read_address(char *key) { char *value_str = getenv(key); @@ -66,3 +64,19 @@ guint64 util_read_num(char *key) { } +gboolean util_output_enabled(void) { + + static gboolean initialized = FALSE; + static gboolean enabled = TRUE; + + if (!initialized) { + + initialized = TRUE; + if (getenv("AFL_DEBUG_CHILD") == NULL) { enabled = FALSE; } + + } + + return enabled; + +} + -- cgit 1.4.1 From 7e1dba2e6b00f620d6ec3f1c2a75e69dcc7a82e5 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 10 Nov 2021 18:05:29 +0000 Subject: Fix block ID handling --- frida_mode/include/util.h | 2 ++ frida_mode/src/instrument/instrument.c | 12 +++++++----- frida_mode/src/instrument/instrument_x64.c | 7 ++++--- frida_mode/src/util.c | 21 +++++++++++++++++++++ 4 files changed, 34 insertions(+), 8 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/include/util.h b/frida_mode/include/util.h index 77fbda94..77491ea8 100644 --- a/frida_mode/include/util.h +++ b/frida_mode/include/util.h @@ -12,6 +12,8 @@ guint64 util_read_address(char *key); guint64 util_read_num(char *key); gboolean util_output_enabled(void); +gsize util_rotate(gsize val, gsize shift, gsize size); +gsize util_log2(gsize val); #define FOKF(x...) \ do { \ diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 0262e461..d5823654 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -68,7 +68,8 @@ guint64 instrument_get_offset_hash(GumAddress current_rip) { guint64 area_offset = hash64((unsigned char *)¤t_rip, sizeof(GumAddress), instrument_hash_seed); - return area_offset &= MAP_SIZE - 1; + gsize map_size_pow2 = util_log2(__afl_map_size); + return area_offset &= ((1 << map_size_pow2) - 1); } @@ -134,8 +135,8 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context, previous_rip = current_rip; previous_end = current_end; - instrument_previous_pc = ((current_pc & (MAP_SIZE - 1) >> 1)) | - ((current_pc & 0x1) << (MAP_SIZE_POW2 - 1)); + gsize map_size_pow2 = util_log2(__afl_map_size); + instrument_previous_pc = util_rotate(current_pc, 1, map_size_pow2); } @@ -303,7 +304,8 @@ void instrument_init(void) { if (instrument_unique) { - int shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600); + int shm_id = + shmget(IPC_PRIVATE, __afl_map_size, IPC_CREAT | IPC_EXCL | 0600); if (shm_id < 0) { FATAL("shm_id < 0 - errno: %d\n", errno); } edges_notified = shmat(shm_id, NULL, 0); @@ -320,7 +322,7 @@ void instrument_init(void) { } /* Clear it, not sure it's necessary, just seems like good practice */ - memset(edges_notified, '\0', MAP_SIZE); + memset(edges_notified, '\0', __afl_map_size); } diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index e2cbb804..7273119b 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -351,7 +351,8 @@ void instrument_coverage_optimize(const cs_insn * instr, afl_log_code code = {0}; GumX86Writer *cw = output->writer.x86; guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); - guint64 area_offset_ror; + gsize map_size_pow2; + gsize area_offset_ror; GumAddress code_addr = 0; instrument_coverage_suppress_init(); @@ -370,8 +371,8 @@ void instrument_coverage_optimize(const cs_insn * instr, offsetof(afl_log_code, code.mov_eax_curr_loc_shr_1) + sizeof(code.code.mov_eax_curr_loc_shr_1) - sizeof(guint32); - area_offset_ror = ((area_offset & (MAP_SIZE - 1) >> 1)) | - ((area_offset & 0x1) << (MAP_SIZE_POW2 - 1)); + map_size_pow2 = util_log2(__afl_map_size); + area_offset_ror = util_rotate(area_offset, 1, map_size_pow2); *((guint32 *)&code.bytes[curr_loc_shr_1_offset]) = (guint32)(area_offset_ror); diff --git a/frida_mode/src/util.c b/frida_mode/src/util.c index 2b0f7be6..d84b7065 100644 --- a/frida_mode/src/util.c +++ b/frida_mode/src/util.c @@ -80,3 +80,24 @@ gboolean util_output_enabled(void) { } +gsize util_rotate(gsize val, gsize shift, gsize size) { + + if (shift == 0) { return val; } + gsize result = ((val >> shift) | (val << (size - shift))); + result = result & ((1 << size) - 1); + return result; + +} + +gsize util_log2(gsize val) { + + for (gsize i = 0; i < 64; i++) { + + if (((gsize)1 << i) == val) { return i; } + + } + + FFATAL("Not a power of two"); + +} + -- cgit 1.4.1 From 62a7ed635efb61d0a1eb4092e89c61529b6222b7 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 10 Nov 2021 18:05:29 +0000 Subject: Minor change to inline assembly --- frida_mode/src/instrument/instrument_x64.c | 69 +++++++++++++++++------------- 1 file changed, 40 insertions(+), 29 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 7273119b..c474d034 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -52,42 +52,49 @@ typedef struct { // shared_mem[cur_location ^ prev_location]++; // prev_location = cur_location >> 1; - // 0x7ffff6cbca41: lea rsp,[rsp-0x80] + // 0x7ffff6cbb9b6: lea rsp,[rsp-0x80] // - // 0x7ffff6cbca46: push rax - // 0x7ffff6cbca47: lahf - // 0x7ffff6cbca48: push rax + // 0x7ffff6cbb9bb: push rax + // 0x7ffff6cbb9bc: lahf + // 0x7ffff6cbb9bd: push rax + // 0x7ffff6cbb9be: push rbx // - // 0x7ffff6cbca49: mov eax,DWORD PTR [rip+0x33bcf1] - // 0x7ffff6cbca4f: xor eax,0x3f77 - // 0x7ffff6cbca54: add eax,0x10000 - // 0x7ffff6cbca59: add BYTE PTR [rax],0x1 - // 0x7ffff6cbca5c: adc BYTE PTR [rax],0x0 + // 0x7ffff6cbb9bf: mov eax,DWORD PTR [rip+0x33bd7b] + // 0x7ffff6cbb9c5: xor eax,0x3f77 + // 0x7ffff6cbb9ca: add eax,0x10000 + // 0x7ffff6cbb9cf: mov bl,BYTE PTR [rax] + // 0x7ffff6cbb9d1: add bl,0x1 + // 0x7ffff6cbb9d4: adc bl,0x0 + // 0x7ffff6cbb9d7: mov BYTE PTR [rax],bl // - // 0x7ffff6cbca5f: mov eax,0xbf77 - // 0x7ffff6cbca64: mov DWORD PTR [rip+0x33bcd6],eax + // 0x7ffff6cbb9d9: mov DWORD PTR [rip+0x33bd5d],0x9fbb // - // 0x7ffff6cbca6a: pop rax - // 0x7ffff6cbca6b: sahf - // 0x7ffff6cbca6c: pop rax + // 0x7ffff6cbb9e3: pop rbx + // 0x7ffff6cbb9e4: pop rax + // 0x7ffff6cbb9e5: sahf + // 0x7ffff6cbb9e6: pop rax // - // 0x7ffff6cbca6d: lea rsp,[rsp+0x80] + // 0x7ffff6cbb9e7: lea rsp,[rsp+0x80] uint8_t lea_rsp_rsp_sub_rz[5]; uint8_t push_rax; uint8_t lahf; uint8_t push_rax2; + uint8_t push_rbx; uint8_t mov_eax_prev_loc[6]; uint8_t xor_eax_curr_loc[5]; uint8_t add_eax_afl_area[5]; - uint8_t add_rax_1[3]; - uint8_t adc_rax_0[3]; - uint8_t mov_eax_curr_loc_shr_1[5]; - uint8_t mov_eax_prev_loc_curr_loc[6]; + uint8_t mov_rbx_ptr_rax[2]; + uint8_t add_bl_1[3]; + uint8_t adc_bl_0[3]; + uint8_t mov_ptr_rax_rbx[2]; + uint8_t mov_prev_loc_curr_loc_shr1[10]; + + uint8_t pop_rbx; uint8_t pop_rax2; uint8_t sahf; uint8_t pop_rax; @@ -112,17 +119,20 @@ static const afl_log_code_asm_t template = .push_rax = 0x50, .lahf = 0x9f, .push_rax2 = 0x50, + .push_rbx = 0x53, .mov_eax_prev_loc = {0x8b, 0x05}, .xor_eax_curr_loc = {0x35}, .add_eax_afl_area = {0x05}, - .add_rax_1 = {0x80, 0x00, 0x01}, - .adc_rax_0 = {0x80, 0x10, 0x00}, + .mov_rbx_ptr_rax = {0x8a, 0x18}, + .add_bl_1 = {0x80, 0xc3, 0x01}, + .adc_bl_0 = {0x80, 0xd3, 0x00}, + .mov_ptr_rax_rbx = {0x88, 0x18}, - .mov_eax_curr_loc_shr_1 = {0xb8}, - .mov_eax_prev_loc_curr_loc = {0x89, 0x05}, + .mov_prev_loc_curr_loc_shr1 = {0xc7, 0x05}, + .pop_rbx = 0x5b, .pop_rax2 = 0x58, .sahf = 0x9e, .pop_rax = 0x58, @@ -368,8 +378,8 @@ void instrument_coverage_optimize(const cs_insn * instr, code.code = template; gssize curr_loc_shr_1_offset = - offsetof(afl_log_code, code.mov_eax_curr_loc_shr_1) + - sizeof(code.code.mov_eax_curr_loc_shr_1) - sizeof(guint32); + offsetof(afl_log_code, code.mov_prev_loc_curr_loc_shr1) + + sizeof(code.code.mov_prev_loc_curr_loc_shr1) - sizeof(guint32); map_size_pow2 = util_log2(__afl_map_size); area_offset_ror = util_rotate(area_offset, 1, map_size_pow2); @@ -378,11 +388,12 @@ void instrument_coverage_optimize(const cs_insn * instr, gssize prev_loc_value = GPOINTER_TO_SIZE(&instrument_previous_pc) - - (code_addr + offsetof(afl_log_code, code.mov_eax_prev_loc_curr_loc) + - sizeof(code.code.mov_eax_prev_loc_curr_loc)); + (code_addr + offsetof(afl_log_code, code.mov_prev_loc_curr_loc_shr1) + + sizeof(code.code.mov_prev_loc_curr_loc_shr1)); gssize prev_loc_value_offset = - offsetof(afl_log_code, code.mov_eax_prev_loc_curr_loc) + - sizeof(code.code.mov_eax_prev_loc_curr_loc) - sizeof(gint); + offsetof(afl_log_code, code.mov_prev_loc_curr_loc_shr1) + + sizeof(code.code.mov_prev_loc_curr_loc_shr1) - sizeof(gint) - + sizeof(guint32); if (!instrument_coverage_in_range(prev_loc_value)) { FATAL("Patch out of range (current_pc_value1): 0x%016lX", prev_loc_value); -- cgit 1.4.1 From a15b5ef458f5265082db59c636ca2c3c4954020f Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 11 Nov 2021 18:32:35 +0000 Subject: Changes to fix use of unstable coverage --- frida_mode/src/entry.c | 2 +- frida_mode/src/instrument/instrument_coverage.c | 56 +++++++++++++------------ frida_mode/test/unstable/GNUmakefile | 14 ++++++- 3 files changed, 43 insertions(+), 29 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index a36daf88..562e74eb 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -36,7 +36,7 @@ static void entry_launch(void) { } -#if defined(__linux__) && !defined(__ANDROID__) +#if defined(__linux__) && defined(PR_SET_PTRACER) && !defined(__ANDROID__) void entry_on_fork(void) { if (traceable) { diff --git a/frida_mode/src/instrument/instrument_coverage.c b/frida_mode/src/instrument/instrument_coverage.c index 95a24808..c1984eb2 100644 --- a/frida_mode/src/instrument/instrument_coverage.c +++ b/frida_mode/src/instrument/instrument_coverage.c @@ -237,7 +237,7 @@ static void instrument_coverage_mark(void *key, void *value, void *user_data) { } -static void coverage_write(void *data, size_t size) { +static void coverage_write(int fd, void *data, size_t size) { ssize_t written; size_t remain = size; @@ -245,7 +245,7 @@ static void coverage_write(void *data, size_t size) { for (char *cursor = (char *)data; remain > 0; remain -= written, cursor += written) { - written = write(normal_coverage_fd, cursor, remain); + written = write(fd, cursor, remain); if (written < 0) { @@ -257,7 +257,7 @@ static void coverage_write(void *data, size_t size) { } -static void coverage_format(char *format, ...) { +static void coverage_format(int fd, char *format, ...) { va_list ap; char buffer[4096] = {0}; @@ -272,11 +272,11 @@ static void coverage_format(char *format, ...) { len = strnlen(buffer, sizeof(buffer)); - coverage_write(buffer, len); + coverage_write(fd, buffer, len); } -static void coverage_write_modules(GArray *coverage_modules) { +static void coverage_write_modules(int fd, GArray *coverage_modules) { guint emitted = 0; for (guint i = 0; i < coverage_modules->len; i++) { @@ -285,16 +285,16 @@ static void coverage_write_modules(GArray *coverage_modules) { &g_array_index(coverage_modules, coverage_range_t, i); if (module->count == 0) continue; - coverage_format("%3u, ", emitted); - coverage_format("%016" G_GINT64_MODIFIER "X, ", module->base_address); - coverage_format("%016" G_GINT64_MODIFIER "X, ", module->limit); + coverage_format(fd, "%3u, ", emitted); + coverage_format(fd, "%016" G_GINT64_MODIFIER "X, ", module->base_address); + coverage_format(fd, "%016" G_GINT64_MODIFIER "X, ", module->limit); /* entry */ - coverage_format("%016" G_GINT64_MODIFIER "X, ", 0); + coverage_format(fd, "%016" G_GINT64_MODIFIER "X, ", 0); /* checksum */ - coverage_format("%016" G_GINT64_MODIFIER "X, ", 0); + coverage_format(fd, "%016" G_GINT64_MODIFIER "X, ", 0); /* timestamp */ - coverage_format("%08" G_GINT32_MODIFIER "X, ", 0); - coverage_format("%s\n", module->path); + coverage_format(fd, "%08" G_GINT32_MODIFIER "X, ", 0); + coverage_format(fd, "%s\n", module->path); emitted++; } @@ -304,7 +304,7 @@ static void coverage_write_modules(GArray *coverage_modules) { static void coverage_write_events(void *key, void *value, void *user_data) { UNUSED_PARAMETER(key); - UNUSED_PARAMETER(user_data); + int fd = *((int *)user_data); normal_coverage_data_t *val = (normal_coverage_data_t *)value; if (val->module == NULL) { return; } @@ -317,20 +317,20 @@ static void coverage_write_events(void *key, void *value, void *user_data) { }; - coverage_write(&evt, sizeof(coverage_event_t)); + coverage_write(fd, &evt, sizeof(coverage_event_t)); } -static void coverage_write_header(guint coverage_marked_modules) { +static void coverage_write_header(int fd, guint coverage_marked_modules) { char version[] = "DRCOV VERSION: 2\n"; char flavour[] = "DRCOV FLAVOR: frida\n"; char columns[] = "Columns: id, base, end, entry, checksum, timestamp, path\n"; - coverage_write(version, sizeof(version) - 1); - coverage_write(flavour, sizeof(flavour) - 1); - coverage_format("Module Table: version 2, count %u\n", + coverage_write(fd, version, sizeof(version) - 1); + coverage_write(fd, flavour, sizeof(flavour) - 1); + coverage_format(fd, "Module Table: version 2, count %u\n", coverage_marked_modules); - coverage_write(columns, sizeof(columns) - 1); + coverage_write(fd, columns, sizeof(columns) - 1); } @@ -412,10 +412,11 @@ static void instrument_coverage_normal_run() { instrument_coverage_print("Coverage - Marked Modules: %u\n", coverage_marked_modules); - coverage_write_header(coverage_marked_modules); - coverage_write_modules(coverage_modules); - coverage_format("BB Table: %u bbs\n", ctx.count); - g_hash_table_foreach(coverage_hash, coverage_write_events, NULL); + coverage_write_header(normal_coverage_fd, coverage_marked_modules); + coverage_write_modules(normal_coverage_fd, coverage_modules); + coverage_format(normal_coverage_fd, "BB Table: %u bbs\n", ctx.count); + g_hash_table_foreach(coverage_hash, coverage_write_events, + &normal_coverage_fd); g_hash_table_unref(coverage_hash); @@ -636,10 +637,11 @@ static void instrument_coverage_unstable_run(void) { instrument_coverage_print("Coverage - Marked Modules: %u\n", coverage_marked_modules); - coverage_write_header(coverage_marked_modules); - coverage_write_modules(coverage_modules); - coverage_format("BB Table: %u bbs\n", ctx.count); - g_hash_table_foreach(unstable_blocks, coverage_write_events, NULL); + coverage_write_header(unstable_coverage_fd, coverage_marked_modules); + coverage_write_modules(unstable_coverage_fd, coverage_modules); + coverage_format(unstable_coverage_fd, "BB Table: %u bbs\n", ctx.count); + g_hash_table_foreach(unstable_blocks, coverage_write_events, + &unstable_coverage_fd); g_hash_table_unref(unstable_blocks); g_array_free(unstable_edge_ids, TRUE); diff --git a/frida_mode/test/unstable/GNUmakefile b/frida_mode/test/unstable/GNUmakefile index 0ccc5fb1..54bbe662 100644 --- a/frida_mode/test/unstable/GNUmakefile +++ b/frida_mode/test/unstable/GNUmakefile @@ -86,11 +86,23 @@ frida: $(UNSTABLE_BIN) $(UNSTABLE_DATA_FILE) $(UNSTABLE_BIN) @@ frida_coverage: $(UNSTABLE_BIN) $(UNSTABLE_DATA_FILE) - AFL_DEBUG=1 \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_FRIDA_OUTPUT_STDOUT=/tmp/stdout.txt \ AFL_FRIDA_OUTPUT_STDERR=/tmp/stderr.txt \ AFL_FRIDA_INST_COVERAGE_FILE=/tmp/coverage.dat \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(UNSTABLE_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -- \ + $(UNSTABLE_BIN) @@ + +frida_unstable: $(UNSTABLE_BIN) $(UNSTABLE_DATA_FILE) + AFL_DEBUG=1 \ + AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ + AFL_FRIDA_OUTPUT_STDOUT=/tmp/stdout.txt \ + AFL_FRIDA_OUTPUT_STDERR=/tmp/stderr.txt \ AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE=/tmp/unstable.dat \ $(ROOT)afl-fuzz \ -D \ -- cgit 1.4.1 From b033a2d98b2597bb3f61277bec8f1b04d701f251 Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 11 Nov 2021 18:32:35 +0000 Subject: Fix to handling of persistent mode using JS --- frida_mode/src/js/js_api.c | 8 ++++++++ frida_mode/test/png/persistent/hook/GNUmakefile | 1 + 2 files changed, 9 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index 570da335..c1f092c9 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -47,6 +47,14 @@ __attribute__((visibility("default"))) void js_api_set_persistent_address( persistent_start = GPOINTER_TO_SIZE(address); + if (getenv("__AFL_PERSISTENT") == NULL) { + + FATAL( + "You must set __AFL_PERSISTENT manually if using persistent mode " + "configured using JS"); + + } + } __attribute__((visibility("default"))) void js_api_set_persistent_return( diff --git a/frida_mode/test/png/persistent/hook/GNUmakefile b/frida_mode/test/png/persistent/hook/GNUmakefile index 5010662b..23aa94d0 100644 --- a/frida_mode/test/png/persistent/hook/GNUmakefile +++ b/frida_mode/test/png/persistent/hook/GNUmakefile @@ -144,6 +144,7 @@ frida_entry_slow: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $ frida_js_load: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR) AFL_PRELOAD=$(AFL_PRELOAD) \ + __AFL_PERSISTENT=1 \ AFL_FRIDA_JS_SCRIPT=load.js \ $(ROOT)afl-fuzz \ -D \ -- cgit 1.4.1 From e1d3fe30dec150aa7111cb623a7362a8026963a8 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 15 Nov 2021 17:14:04 +0000 Subject: Changes to allow configuration of stalker adjacent blocks --- frida_mode/README.md | 5 +++++ frida_mode/frida.map | 1 + frida_mode/include/stalker.h | 1 + frida_mode/src/js/api.js | 7 +++++++ frida_mode/src/js/js_api.c | 8 ++++++++ frida_mode/src/stalker.c | 18 +++++++++++++++--- frida_mode/ts/lib/afl.ts | 12 ++++++++++++ include/envs.h | 2 ++ 8 files changed, 51 insertions(+), 3 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/README.md b/frida_mode/README.md index 8211224d..a75324d5 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -215,6 +215,11 @@ gdb \ ``` * `AFL_FRIDA_SECCOMP_FILE` - Write a log of any syscalls made by the target to the specified file. +* `AFL_FRIDA_STALKER_ADJACENT_BLOCKS` - Configure the number of adjacent blocks + to fetch when generating instrumented code. By fetching blocks in the same + order they appear in the original program, rather than the order of execution + should help reduce locallity and adjacency. This includes allowing us to vector + between adjancent blocks using a NOP slide rather than an immediate branch. * `AFL_FRIDA_STALKER_IC_ENTRIES` - Configure the number of inline cache entries stored along-side branch instructions which provide a cache to avoid having to call back into FRIDA to find the next block. Default is 32. diff --git a/frida_mode/frida.map b/frida_mode/frida.map index 7be41aa0..61eb19ee 100644 --- a/frida_mode/frida.map +++ b/frida_mode/frida.map @@ -29,6 +29,7 @@ js_api_set_prefetch_disable; js_api_set_seccomp_file; js_api_set_stalker_callback; + js_api_set_stalker_adjacent_blocks; js_api_set_stalker_ic_entries; js_api_set_stats_file; js_api_set_stats_interval; diff --git a/frida_mode/include/stalker.h b/frida_mode/include/stalker.h index 8a111b90..666787e9 100644 --- a/frida_mode/include/stalker.h +++ b/frida_mode/include/stalker.h @@ -5,6 +5,7 @@ extern guint stalker_ic_entries; extern gboolean backpatch_enable; +extern guint stalker_adjacent_blocks; void stalker_config(void); void stalker_init(void); diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js index 5db62389..8e810d09 100644 --- a/frida_mode/src/js/api.js +++ b/frida_mode/src/js/api.js @@ -205,6 +205,12 @@ class Afl { const buf = Memory.allocUtf8String(file); Afl.jsApiSetSeccompFile(buf); } + /** + * See `AFL_FRIDA_STALKER_ADJACENT_BLOCKS`. + */ + static setStalkerAdjacentBlocks(val) { + Afl.jsApiSetStalkerAdjacentBlocks(val); + } /* * Set a function to be called for each instruction which is instrumented * by AFL FRIDA mode. @@ -294,6 +300,7 @@ Afl.jsApiSetPrefetchBackpatchDisable = Afl.jsApiGetFunction("js_api_set_prefetch Afl.jsApiSetPrefetchDisable = Afl.jsApiGetFunction("js_api_set_prefetch_disable", "void", []); Afl.jsApiSetSeccompFile = Afl.jsApiGetFunction("js_api_set_seccomp_file", "void", ["pointer"]); Afl.jsApiSetStalkerCallback = Afl.jsApiGetFunction("js_api_set_stalker_callback", "void", ["pointer"]); +Afl.jsApiSetStalkerAdjacentBlocks = Afl.jsApiGetFunction("js_api_set_stalker_adjacent_blocks", "void", ["uint32"]); Afl.jsApiSetStalkerIcEntries = Afl.jsApiGetFunction("js_api_set_stalker_ic_entries", "void", ["uint32"]); Afl.jsApiSetStatsFile = Afl.jsApiGetFunction("js_api_set_stats_file", "void", ["pointer"]); Afl.jsApiSetStatsInterval = Afl.jsApiGetFunction("js_api_set_stats_interval", "void", ["uint64"]); diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index c1f092c9..8e0a549c 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -250,3 +250,11 @@ __attribute__((visibility("default"))) void js_api_set_backpatch_disable(void) { } + +__attribute__((visibility("default"))) void js_api_set_stalker_adjacent_blocks( + guint val) { + + stalker_adjacent_blocks = val; + +} + diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c index 35a9d856..65ed5d50 100644 --- a/frida_mode/src/stalker.c +++ b/frida_mode/src/stalker.c @@ -7,6 +7,7 @@ guint stalker_ic_entries = 0; gboolean backpatch_enable = TRUE; +guint stalker_adjacent_blocks = 0; static GumStalker *stalker = NULL; @@ -60,7 +61,9 @@ void stalker_config(void) { backpatch_enable = (getenv("AFL_FRIDA_INST_NO_BACKPATCH") == NULL); - stalker_ic_entries = util_read_num("AFL_FRIDA_STALKER_IC_ENTRIES"); + stalker_ic_entries = util_read_num("AFL_FRIDA_STALKER_ADJACENT_BLOCKS"); + + stalker_adjacent_blocks = util_read_num("AFL_FRIDA_STALKER_IC_ENTRIES"); observer = g_object_new(GUM_TYPE_AFL_STALKER_OBSERVER, NULL); @@ -92,6 +95,7 @@ void stalker_init(void) { FOKF("Instrumentation - backpatch [%c]", backpatch_enable ? 'X' : ' '); FOKF("Stalker - ic_entries [%u]", stalker_ic_entries); + FOKF("Stalker - adjacent_blocks [%u]", stalker_adjacent_blocks); #if !(defined(__x86_64__) || defined(__i386__)) if (stalker_ic_entries != 0) { @@ -100,13 +104,21 @@ void stalker_init(void) { } + if (stalker_adjacent_blocks != 0) { + + FFATAL("AFL_FRIDA_STALKER_ADJACENT_BLOCKS not supported"); + + } + #endif if (stalker_ic_entries == 0) { stalker_ic_entries = 32; } + if (stalker_adjacent_blocks == 0) { stalker_adjacent_blocks = 32; } + #if defined(__x86_64__) || defined(__i386__) - stalker = - g_object_new(GUM_TYPE_STALKER, "ic-entries", stalker_ic_entries, NULL); + stalker = g_object_new(GUM_TYPE_STALKER, "ic-entries", stalker_ic_entries, + "adjacent-blocks", stalker_adjacent_blocks, NULL); #else stalker = gum_stalker_new(); #endif diff --git a/frida_mode/ts/lib/afl.ts b/frida_mode/ts/lib/afl.ts index 3639d670..e20ad3ec 100644 --- a/frida_mode/ts/lib/afl.ts +++ b/frida_mode/ts/lib/afl.ts @@ -241,6 +241,13 @@ class Afl { Afl.jsApiSetSeccompFile(buf); } + /** + * See `AFL_FRIDA_STALKER_ADJACENT_BLOCKS`. + */ + public static setStalkerAdjacentBlocks(val: number): void { + Afl.jsApiSetStalkerAdjacentBlocks(val); + } + /* * Set a function to be called for each instruction which is instrumented * by AFL FRIDA mode. @@ -425,6 +432,11 @@ class Afl { "void", ["pointer"]); + private static readonly jsApiSetStalkerAdjacentBlocks = Afl.jsApiGetFunction( + "js_api_set_stalker_adjacent_blocks", + "void", + ["uint32"]); + private static readonly jsApiSetStalkerIcEntries = Afl.jsApiGetFunction( "js_api_set_stalker_ic_entries", "void", diff --git a/include/envs.h b/include/envs.h index 0ba79092..a3ba5e88 100644 --- a/include/envs.h +++ b/include/envs.h @@ -76,6 +76,8 @@ static char *afl_environment_variables[] = { "AFL_FRIDA_PERSISTENT_DEBUG", "AFL_FRIDA_PERSISTENT_HOOK", "AFL_FRIDA_PERSISTENT_RET", + "AFL_FRIDA_STALKER_IC_ENTRIES", + "AFL_FRIDA_STALKER_ADJACENT_BLOCKS", "AFL_FRIDA_STATS_FILE", "AFL_FRIDA_STATS_INTERVAL", "AFL_FRIDA_TRACEABLE", -- cgit 1.4.1 From f719b426e38af9f73442606cd22071722435f560 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 15 Nov 2021 17:14:04 +0000 Subject: Further optimization to coverage code --- frida_mode/src/instrument/instrument_x64.c | 99 +++++++++++++----------------- frida_mode/src/js/js_api.c | 1 - 2 files changed, 41 insertions(+), 59 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index c474d034..c271adc1 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -52,54 +52,41 @@ typedef struct { // shared_mem[cur_location ^ prev_location]++; // prev_location = cur_location >> 1; - // 0x7ffff6cbb9b6: lea rsp,[rsp-0x80] - // - // 0x7ffff6cbb9bb: push rax - // 0x7ffff6cbb9bc: lahf - // 0x7ffff6cbb9bd: push rax - // 0x7ffff6cbb9be: push rbx - // - // 0x7ffff6cbb9bf: mov eax,DWORD PTR [rip+0x33bd7b] - // 0x7ffff6cbb9c5: xor eax,0x3f77 - // 0x7ffff6cbb9ca: add eax,0x10000 - // 0x7ffff6cbb9cf: mov bl,BYTE PTR [rax] - // 0x7ffff6cbb9d1: add bl,0x1 - // 0x7ffff6cbb9d4: adc bl,0x0 - // 0x7ffff6cbb9d7: mov BYTE PTR [rax],bl - // - // 0x7ffff6cbb9d9: mov DWORD PTR [rip+0x33bd5d],0x9fbb - // - // 0x7ffff6cbb9e3: pop rbx - // 0x7ffff6cbb9e4: pop rax - // 0x7ffff6cbb9e5: sahf - // 0x7ffff6cbb9e6: pop rax - // - // 0x7ffff6cbb9e7: lea rsp,[rsp+0x80] - - uint8_t lea_rsp_rsp_sub_rz[5]; - - uint8_t push_rax; + // mov QWORD PTR [rsp-0x80],rax + // lahf + // mov QWORD PTR [rsp-0x88],rax + // mov QWORD PTR [rsp-0x90],rbx + // mov eax,DWORD PTR [rip+0x333d5a] # 0x7ffff6ff2740 + // mov DWORD PTR [rip+0x333d3c],0x9fbb # 0x7ffff6ff2740 + // xor eax,0x103f77 + // mov bl,BYTE PTR [rax] + // add bl,0x1 + // adc bl,0x0 + // mov BYTE PTR [rax],bl + // mov rbx,QWORD PTR [rsp-0x90] + // mov rax,QWORD PTR [rsp-0x88] + // sahf + // mov rax,QWORD PTR [rsp-0x80] + + uint8_t mov_rax_rsp_80[5]; uint8_t lahf; - uint8_t push_rax2; - uint8_t push_rbx; + uint8_t mov_rax_rsp_88[8]; + uint8_t mov_rbx_rsp_90[8]; uint8_t mov_eax_prev_loc[6]; + uint8_t mov_prev_loc_curr_loc_shr1[10]; + uint8_t xor_eax_curr_loc[5]; - uint8_t add_eax_afl_area[5]; uint8_t mov_rbx_ptr_rax[2]; uint8_t add_bl_1[3]; uint8_t adc_bl_0[3]; uint8_t mov_ptr_rax_rbx[2]; - uint8_t mov_prev_loc_curr_loc_shr1[10]; - - uint8_t pop_rbx; - uint8_t pop_rax2; + uint8_t mov_rsp_90_rbx[8]; + uint8_t mov_rsp_88_rax[8]; uint8_t sahf; - uint8_t pop_rax; - - uint8_t lsa_rsp_rsp_add_rz[8]; + uint8_t mov_rsp_80_rax[5]; } afl_log_code_asm_t; @@ -115,29 +102,24 @@ typedef union { static const afl_log_code_asm_t template = { - .lea_rsp_rsp_sub_rz = {0x48, 0x8D, 0x64, 0x24, 0x80}, - .push_rax = 0x50, + .mov_rax_rsp_80 = {0x48, 0x89, 0x44, 0x24, 0x80}, .lahf = 0x9f, - .push_rax2 = 0x50, - .push_rbx = 0x53, + .mov_rax_rsp_88 = {0x48, 0x89, 0x84, 0x24, 0x78, 0xFF, 0xFF, 0xFF}, + .mov_rbx_rsp_90 = {0x48, 0x89, 0x9C, 0x24, 0x70, 0xFF, 0xFF, 0xFF}, .mov_eax_prev_loc = {0x8b, 0x05}, - .xor_eax_curr_loc = {0x35}, + .mov_prev_loc_curr_loc_shr1 = {0xc7, 0x05}, - .add_eax_afl_area = {0x05}, + .xor_eax_curr_loc = {0x35}, .mov_rbx_ptr_rax = {0x8a, 0x18}, .add_bl_1 = {0x80, 0xc3, 0x01}, .adc_bl_0 = {0x80, 0xd3, 0x00}, .mov_ptr_rax_rbx = {0x88, 0x18}, - .mov_prev_loc_curr_loc_shr1 = {0xc7, 0x05}, - - .pop_rbx = 0x5b, - .pop_rax2 = 0x58, + .mov_rsp_90_rbx = {0x48, 0x8B, 0x9C, 0x24, 0x70, 0xFF, 0xFF, 0xFF}, + .mov_rsp_88_rax = {0x48, 0x8B, 0x84, 0x24, 0x78, 0xFF, 0xFF, 0xFF}, .sahf = 0x9e, - .pop_rax = 0x58, - - .lsa_rsp_rsp_add_rz = {0x48, 0x8D, 0xA4, 0x24, 0x80, 0x00, 0x00, 0x00}, + .mov_rsp_80_rax = {0x48, 0x8B, 0x44, 0x24, 0x80}, } @@ -162,7 +144,13 @@ static gboolean instrument_coverage_find_low(const GumRangeDetails *details, } - last_limit = details->range->base_address + details->range->size; + /* + * Align our buffer on a 64k boundary so that the low 16-bits of the address + * are zero, then we can just XOR the base address in, when we XOR with the + * current block ID. + */ + last_limit = GUM_ALIGN_SIZE( + details->range->base_address + details->range->size, (64ULL << 10)); return TRUE; } @@ -421,13 +409,8 @@ void instrument_coverage_optimize(const cs_insn * instr, sizeof(code.code.xor_eax_curr_loc) - sizeof(guint32); - *((guint32 *)&code.bytes[xor_curr_loc_offset]) = (guint32)(area_offset); - - gssize lea_rax_offset = offsetof(afl_log_code, code.add_eax_afl_area) + - sizeof(code.code.add_eax_afl_area) - sizeof(guint32); - - *((guint32 *)&code.bytes[lea_rax_offset]) = - (guint32)GPOINTER_TO_SIZE(__afl_area_ptr); + *((guint32 *)&code.bytes[xor_curr_loc_offset]) = + (guint32)(GPOINTER_TO_SIZE(__afl_area_ptr) | area_offset); gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code)); diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index 8e0a549c..102423d9 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -250,7 +250,6 @@ __attribute__((visibility("default"))) void js_api_set_backpatch_disable(void) { } - __attribute__((visibility("default"))) void js_api_set_stalker_adjacent_blocks( guint val) { -- cgit 1.4.1 From 75145658585705445998aac89d92f517a943eb6c Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 17 Nov 2021 20:27:45 +0000 Subject: Fix sorting of ranges --- frida_mode/src/cmplog/cmplog.c | 18 ++++++++++++++++-- frida_mode/src/ranges.c | 20 +++++++++++++++++--- 2 files changed, 33 insertions(+), 5 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/cmplog/cmplog.c b/frida_mode/src/cmplog/cmplog.c index 81e1a4b0..443baa1d 100644 --- a/frida_mode/src/cmplog/cmplog.c +++ b/frida_mode/src/cmplog/cmplog.c @@ -33,8 +33,22 @@ static gboolean cmplog_range(const GumRangeDetails *details, static gint cmplog_sort(gconstpointer a, gconstpointer b) { - return ((GumMemoryRange *)b)->base_address - - ((GumMemoryRange *)a)->base_address; + GumMemoryRange *ra = (GumMemoryRange *)a; + GumMemoryRange *rb = (GumMemoryRange *)b; + + if (ra->base_address < rb->base_address) { + + return -1; + + } else if (ra->base_address > rb->base_address) { + + return 1; + + } else { + + return 0; + + } } diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c index 027417ee..9844c74c 100644 --- a/frida_mode/src/ranges.c +++ b/frida_mode/src/ranges.c @@ -166,8 +166,22 @@ static void convert_token(gchar *token, GumMemoryRange *range) { gint range_sort(gconstpointer a, gconstpointer b) { - return ((GumMemoryRange *)a)->base_address - - ((GumMemoryRange *)b)->base_address; + GumMemoryRange *ra = (GumMemoryRange *)a; + GumMemoryRange *rb = (GumMemoryRange *)b; + + if (ra->base_address < rb->base_address) { + + return -1; + + } else if (ra->base_address > rb->base_address) { + + return 1; + + } else { + + return 0; + + } } @@ -249,7 +263,7 @@ static void check_for_overlaps(GArray *array) { GumAddress curr_limit = curr->base_address + curr->size; if (prev_limit > curr->base_address) { - FFATAL("OVerlapping ranges 0x%016" G_GINT64_MODIFIER + FFATAL("Overlapping ranges 0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER "x 0x%016" G_GINT64_MODIFIER "x-0x%016" G_GINT64_MODIFIER "x", prev->base_address, prev_limit, curr->base_address, curr_limit); -- cgit 1.4.1 From 67a6481b36a1fc9c846c8974fac6202bf7a27568 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 17 Nov 2021 20:27:45 +0000 Subject: Fixes to exclude ASAN DSO --- frida_mode/include/asan.h | 1 + frida_mode/src/asan/asan.c | 32 ++++++++++++++++++++++++++++++++ frida_mode/src/asan/asan_arm64.c | 2 ++ frida_mode/src/asan/asan_x64.c | 2 ++ frida_mode/src/asan/asan_x86.c | 2 ++ 5 files changed, 39 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/include/asan.h b/frida_mode/include/asan.h index 67d33591..6745eb02 100644 --- a/frida_mode/include/asan.h +++ b/frida_mode/include/asan.h @@ -9,6 +9,7 @@ void asan_config(void); void asan_init(void); void asan_arch_init(void); void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator); +void asan_exclude_module_by_symbol(gchar *symbol_name); #endif diff --git a/frida_mode/src/asan/asan.c b/frida_mode/src/asan/asan.c index d649bd76..fae1d655 100644 --- a/frida_mode/src/asan/asan.c +++ b/frida_mode/src/asan/asan.c @@ -1,6 +1,7 @@ #include "frida-gumjs.h" #include "asan.h" +#include "ranges.h" #include "util.h" static gboolean asan_enabled = FALSE; @@ -32,3 +33,34 @@ void asan_init(void) { } +gboolean asan_exclude_range(const GumRangeDetails *details, + gpointer user_data) { + + UNUSED_PARAMETER(user_data); + + FOKF("Exclude ASAN: 0x%016lx-0x%016lx", details->range->base_address, + details->range->base_address + details->range->size); + + ranges_add_exclude((GumMemoryRange *)details->range); + +} + +static gboolean asan_exclude_module(const GumModuleDetails *details, + gpointer user_data) { + + gchar * symbol_name = (gchar *)user_data; + GumAddress address; + + address = gum_module_find_export_by_name(details->name, symbol_name); + if (address == 0) { return TRUE; } + + gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, asan_exclude_range, NULL); + +} + +void asan_exclude_module_by_symbol(gchar *symbol_name) { + + gum_process_enumerate_modules(asan_exclude_module, "__asan_loadN"); + +} + diff --git a/frida_mode/src/asan/asan_arm64.c b/frida_mode/src/asan/asan_arm64.c index 88c76535..b2adfa52 100644 --- a/frida_mode/src/asan/asan_arm64.c +++ b/frida_mode/src/asan/asan_arm64.c @@ -88,6 +88,8 @@ void asan_arch_init(void) { } + asan_exclude_module_by_symbol("__asan_loadN"); + } #endif diff --git a/frida_mode/src/asan/asan_x64.c b/frida_mode/src/asan/asan_x64.c index c7b70967..a287ea34 100644 --- a/frida_mode/src/asan/asan_x64.c +++ b/frida_mode/src/asan/asan_x64.c @@ -85,6 +85,8 @@ void asan_arch_init(void) { } + asan_exclude_module_by_symbol("__asan_loadN"); + } #endif diff --git a/frida_mode/src/asan/asan_x86.c b/frida_mode/src/asan/asan_x86.c index afc89936..331d026b 100644 --- a/frida_mode/src/asan/asan_x86.c +++ b/frida_mode/src/asan/asan_x86.c @@ -85,6 +85,8 @@ void asan_arch_init(void) { } + asan_exclude_module_by_symbol("__asan_loadN"); + } #endif -- cgit 1.4.1 From 43458f7e8b4963f2c3fbade69379c2d2e0654989 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 17 Nov 2021 20:27:45 +0000 Subject: Disable fetching adjacent blocks when coverage is enabled --- frida_mode/src/stalker.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c index 65ed5d50..b4dd5a47 100644 --- a/frida_mode/src/stalker.c +++ b/frida_mode/src/stalker.c @@ -111,10 +111,23 @@ void stalker_init(void) { } #endif - if (stalker_ic_entries == 0) { stalker_ic_entries = 32; } - if (stalker_adjacent_blocks == 0) { stalker_adjacent_blocks = 32; } + if (instrument_coverage_filename == NULL) { + + if (stalker_adjacent_blocks == 0) { stalker_adjacent_blocks = 32; } + + } else { + + if (stalker_adjacent_blocks != 0) { + + FFATAL( + "AFL_FRIDA_STALKER_ADJACENT_BLOCKS and AFL_FRIDA_INST_COVERAGE_FILE " + "are incompatible"); + + } + + } #if defined(__x86_64__) || defined(__i386__) stalker = g_object_new(GUM_TYPE_STALKER, "ic-entries", stalker_ic_entries, -- cgit 1.4.1 From e88509ac224e21738063c25a86e32f57e655f2dd Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 17 Nov 2021 20:27:45 +0000 Subject: Add __afl_set_persistent_mode --- frida_mode/src/js/js_api.c | 12 +++++------- frida_mode/test/png/persistent/hook/GNUmakefile | 1 - instrumentation/afl-compiler-rt.o.c | 9 +++++++-- 3 files changed, 12 insertions(+), 10 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index 102423d9..4221fb80 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -11,6 +11,10 @@ #include "stats.h" #include "util.h" +typedef uint8_t u8; + +extern void __afl_set_persistent_mode(u8 mode); + __attribute__((visibility("default"))) void js_api_done() { js_done = TRUE; @@ -47,13 +51,7 @@ __attribute__((visibility("default"))) void js_api_set_persistent_address( persistent_start = GPOINTER_TO_SIZE(address); - if (getenv("__AFL_PERSISTENT") == NULL) { - - FATAL( - "You must set __AFL_PERSISTENT manually if using persistent mode " - "configured using JS"); - - } + __afl_set_persistent_mode(1); } diff --git a/frida_mode/test/png/persistent/hook/GNUmakefile b/frida_mode/test/png/persistent/hook/GNUmakefile index 23aa94d0..5010662b 100644 --- a/frida_mode/test/png/persistent/hook/GNUmakefile +++ b/frida_mode/test/png/persistent/hook/GNUmakefile @@ -144,7 +144,6 @@ frida_entry_slow: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $ frida_js_load: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR) AFL_PRELOAD=$(AFL_PRELOAD) \ - __AFL_PERSISTENT=1 \ AFL_FRIDA_JS_SCRIPT=load.js \ $(ROOT)afl-fuzz \ -D \ diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 759c813a..3489c7f8 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -1904,8 +1904,7 @@ void __cmplog_rtn_hook_n(u8 *ptr1, u8 *ptr2, u64 len) { if (unlikely(!len)) return; int l = MIN(31, len); - if ((l = area_is_valid(ptr1, l)) <= 0 || - (l = area_is_valid(ptr2, l)) <= 0) + if ((l = area_is_valid(ptr1, l)) <= 0 || (l = area_is_valid(ptr2, l)) <= 0) return; // fprintf(stderr, "RTN2 %u\n", l); @@ -2247,5 +2246,11 @@ void __afl_coverage_interesting(u8 val, u32 id) { } +void __afl_set_persistent_mode(u8 mode) { + + is_persistent = mode; + +} + #undef write_error -- cgit 1.4.1 From af02fa1670db6d19feaf0a3e54d9d8013ad3312f Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 18 Nov 2021 17:08:39 +0000 Subject: Improve JS bindings for hooking functions --- frida_mode/Scripting.md | 333 ++++++++++++++++++++++++++++------------- frida_mode/frida.map | 1 + frida_mode/include/js.h | 3 + frida_mode/src/js/api.js | 10 +- frida_mode/src/js/js.c | 3 +- frida_mode/src/js/js_api.c | 7 + frida_mode/src/main.c | 20 ++- frida_mode/test/js/GNUmakefile | 12 ++ frida_mode/test/js/main.js | 44 ++++++ frida_mode/ts/lib/afl.ts | 23 ++- 10 files changed, 337 insertions(+), 119 deletions(-) create mode 100644 frida_mode/test/js/main.js (limited to 'frida_mode/src') diff --git a/frida_mode/Scripting.md b/frida_mode/Scripting.md index 691b03d1..2ee0c858 100644 --- a/frida_mode/Scripting.md +++ b/frida_mode/Scripting.md @@ -246,7 +246,7 @@ FRIDA mode supports the replacement of any function, with an implementation generated by CModule. This allows for a bespoke harness to be written as follows: -``` +```js const slow = DebugSymbol.fromName('slow').address; Afl.print(`slow: ${slow}`); @@ -281,13 +281,90 @@ Afl.done(); Here, we replace the function `slow` with our own code. This code is then selected as the entry point as well as the persistent loop address. -**WARNING** There are two key limitations in replacing a function in this way: -- The function which is to be replaced must not be `main` this is because this -is the point at which FRIDA mode is initialized and at the point the the JS has -been run, the start of the `main` function has already been instrumented and -cached. -- The replacement function must not call itself. e.g. in this example we -couldn't replace `LLVMFuzzerTestOneInput` and call itself. +## Replacing LLVMFuzzerTestOneInput +The function `LLVMFuzzerTestOneInput` can be replaced just like any other. Also +any replaced function can also call itself. In the example below, we replace +`LLVMFuzzerTestOneInput` with `My_LLVMFuzzerTestOneInput` which ignores the +parameters `buf` and `len` and then calls the original `LLVMFuzzerTestOneInput` +with the paramaters `__afl_fuzz_ptr` and `__afl_fuzz_len`. This allows us to +carry out in-memory fuzzing without the need for any hook function. It should be +noted that the replacement function and the original can *NOT* share the same +name, since otherwise the `C` code in the `CModule` will not compile due to a +symbol name collision. + +```js +const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; +Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`); + +const cm = new CModule(` + + extern unsigned char * __afl_fuzz_ptr; + extern unsigned int * __afl_fuzz_len; + extern void LLVMFuzzerTestOneInput(char *buf, int len); + + void My_LLVMFuzzerTestOneInput(char *buf, int len) { + + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + + } + `, + { + LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput, + __afl_fuzz_ptr: Afl.getAflFuzzPtr(), + __afl_fuzz_len: Afl.getAflFuzzLen() + }); + +Afl.setEntryPoint(cm.My_LLVMFuzzerTestOneInput); +Afl.setPersistentAddress(cm.My_LLVMFuzzerTestOneInput); +Afl.setInMemoryFuzzing(); +Interceptor.replace(LLVMFuzzerTestOneInput, cm.My_LLVMFuzzerTestOneInput); +``` + +## Hooking `main` +Lastly, it should be noted that using FRIDA mode's scripting support to hook +the `main` function is a special case. This is because the `main` function is +already hooked by the FRIDA mode engine itself and hence the function `main` (or +at least the first basic block already been compiled by Stalker ready for +execution). Hence any attempt to use `Interceptor.replace` like in the example +above will not work. Instead the JS bindings provide a function `setJsMainHook` +for just this scenario as demonstrated in the example below. + +```js +const main = DebugSymbol.fromName('main').address; +Afl.print(`main: ${main}`); + +const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; +Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`); + +const cm = new CModule(` + + extern unsigned char * __afl_fuzz_ptr; + extern unsigned int * __afl_fuzz_len; + extern void LLVMFuzzerTestOneInput(char *buf, int len); + + int main(int argc, char **argv) { + + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + + } + `, + { + LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput, + __afl_fuzz_ptr: Afl.getAflFuzzPtr(), + __afl_fuzz_len: Afl.getAflFuzzLen() + }); + +Afl.setEntryPoint(cm.main); +Afl.setPersistentAddress(cm.main); +Afl.setInMemoryFuzzing(); +Afl.setJsMainHook(cm.main); +``` +## Library Fuzzing + +It doesn't take too much imagination to see that the above example can be +extended to use FRIDA's `Module.load` API so that the replaced `main` function +can then call an arbitrary function. In this way, if we have a library which we +wish to fuzz rather than an execuatble, then a surrogate executable can be used. # Patching Consider the [following](test/js/test2.c) test code... @@ -620,41 +697,31 @@ value of the `-t` flag passed to `afl-fuzz`. # API ```js class Afl { - - /** - * Field containing the `Module` object for `afl-frida-trace.so` (the FRIDA mode - * implementation). - */ - public static module: Module = Process.getModuleByName("afl-frida-trace.so"); - /** * This is equivalent to setting a value in `AFL_FRIDA_EXCLUDE_RANGES`, * it takes as arguments a `NativePointer` and a `number`. It can be * called multiple times to exclude several ranges. */ - public static addExcludedRange(addressess: NativePointer, size: number): void { - Afl.jsApiAddExcludeRange(addressess, size); + static addExcludedRange(addressess, size) { + Afl.jsApiAddExcludeRange(addressess, size); } - /** * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`, * it takes as arguments a `NativePointer` and a `number`. It can be * called multiple times to include several ranges. */ - public static addIncludedRange(addressess: NativePointer, size: number): void { - Afl.jsApiAddIncludeRange(addressess, size); + static addIncludedRange(addressess, size) { + Afl.jsApiAddIncludeRange(addressess, size); } - /** * This must always be called at the end of your script. This lets * FRIDA mode know that your configuration is finished and that * execution has reached the end of your script. Failure to call * this will result in a fatal error. */ - public static done(): void { - Afl.jsApiDone(); + static done() { + Afl.jsApiDone(); } - /** * This function can be called within your script to cause FRIDA * mode to trigger a fatal error. This is useful if for example you @@ -662,49 +729,48 @@ class Afl { * stop. The user will need to enable `AFL_DEBUG_CHILD=1` to view * this error message. */ - public static error(msg: string): void { - const buf = Memory.allocUtf8String(msg); - Afl.jsApiError(buf); + static error(msg) { + const buf = Memory.allocUtf8String(msg); + Afl.jsApiError(buf); } - /** * Function used to provide access to `__afl_fuzz_ptr`, which contains the length of * fuzzing data when using in-memory test case fuzzing. */ - public static getAflFuzzLen(): NativePointer { - - return Afl.jsApiGetSymbol("__afl_fuzz_len"); + static getAflFuzzLen() { + return Afl.jsApiGetSymbol("__afl_fuzz_len"); } - /** * Function used to provide access to `__afl_fuzz_ptr`, which contains the fuzzing * data when using in-memory test case fuzzing. */ - public static getAflFuzzPtr(): NativePointer { - - return Afl.jsApiGetSymbol("__afl_fuzz_ptr"); + static getAflFuzzPtr() { + return Afl.jsApiGetSymbol("__afl_fuzz_ptr"); } - /** * Print a message to the STDOUT. This should be preferred to * FRIDA's `console.log` since FRIDA will queue it's log messages. * If `console.log` is used in a callback in particular, then there * may no longer be a thread running to service this queue. */ - public static print(msg: string): void { - const STDOUT_FILENO = 2; - const log = `${msg}\n`; - const buf = Memory.allocUtf8String(log); - Afl.jsApiWrite(STDOUT_FILENO, buf, log.length); + static print(msg) { + const STDOUT_FILENO = 2; + const log = `${msg}\n`; + const buf = Memory.allocUtf8String(log); + Afl.jsApiWrite(STDOUT_FILENO, buf, log.length); + } + /** + * See `AFL_FRIDA_INST_NO_BACKPATCH`. + */ + static setBackpatchDisable() { + Afl.jsApiSetBackpatchDisable(); } - /** * See `AFL_FRIDA_DEBUG_MAPS`. */ - public static setDebugMaps(): void { - Afl.jsApiSetDebugMaps(); + static setDebugMaps() { + Afl.jsApiSetDebugMaps(); } - /** * This has the same effect as setting `AFL_ENTRYPOINT`, but has the * convenience of allowing you to use FRIDAs APIs to determine the @@ -713,143 +779,198 @@ class Afl { * function should be called with a `NativePointer` as its * argument. */ - public static setEntryPoint(address: NativePointer): void { - Afl.jsApiSetEntryPoint(address); + static setEntryPoint(address) { + Afl.jsApiSetEntryPoint(address); } - /** * Function used to enable in-memory test cases for fuzzing. */ - public static setInMemoryFuzzing(): void { - Afl.jsApiAflSharedMemFuzzing.writeInt(1); + static setInMemoryFuzzing() { + Afl.jsApiAflSharedMemFuzzing.writeInt(1); + } + /** + * See `AFL_FRIDA_INST_COVERAGE_FILE`. This function takes a single `string` + * as an argument. + */ + static setInstrumentCoverageFile(file) { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetInstrumentCoverageFile(buf); } - /** * See `AFL_FRIDA_INST_DEBUG_FILE`. This function takes a single `string` as * an argument. */ - public static setInstrumentDebugFile(file: string): void { - const buf = Memory.allocUtf8String(file); - Afl.jsApiSetInstrumentDebugFile(buf); + static setInstrumentDebugFile(file) { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetInstrumentDebugFile(buf); } - /** * See `AFL_FRIDA_INST_TRACE`. */ - public static setInstrumentEnableTracing(): void { - Afl.jsApiSetInstrumentTrace(); + static setInstrumentEnableTracing() { + Afl.jsApiSetInstrumentTrace(); + } + /** + * See `AFL_FRIDA_INST_JIT`. + */ + static setInstrumentJit() { + Afl.jsApiSetInstrumentJit(); } - /** * See `AFL_INST_LIBS`. */ - public static setInstrumentLibraries(): void { - Afl.jsApiSetInstrumentLibraries(); + static setInstrumentLibraries() { + Afl.jsApiSetInstrumentLibraries(); } - /** * See `AFL_FRIDA_INST_NO_OPTIMIZE` */ - public static setInstrumentNoOptimize(): void { - Afl.jsApiSetInstrumentNoOptimize(); + static setInstrumentNoOptimize() { + Afl.jsApiSetInstrumentNoOptimize(); + } + /* + * See `AFL_FRIDA_INST_SEED` + */ + static setInstrumentSeed(seed) { + Afl.jsApiSetInstrumentSeed(seed); } - /** * See `AFL_FRIDA_INST_TRACE_UNIQUE`. */ - public static setInstrumentTracingUnique(): void { - Afl.jsApiSetInstrumentTraceUnique(); + static setInstrumentTracingUnique() { + Afl.jsApiSetInstrumentTraceUnique(); + } + /** + * See `AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE`. This function takes a single + * `string` as an argument. + */ + static setInstrumentUnstableCoverageFile(file) { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetInstrumentUnstableCoverageFile(buf); + } + /* + * Set a callback to be called in place of the usual `main` function. This see + * `Scripting.md` for details. + */ + static setJsMainHook(address) { + Afl.jsApiSetJsMainHook(address); } - /** * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a * `NativePointer` should be provided as it's argument. */ - public static setPersistentAddress(address: NativePointer): void { - Afl.jsApiSetPersistentAddress(address); + static setPersistentAddress(address) { + Afl.jsApiSetPersistentAddress(address); } - /** * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a * `number` should be provided as it's argument. */ - public static setPersistentCount(count: number): void { - Afl.jsApiSetPersistentCount(count); + static setPersistentCount(count) { + Afl.jsApiSetPersistentCount(count); } - /** * See `AFL_FRIDA_PERSISTENT_DEBUG`. */ - public static setPersistentDebug(): void { - Afl.jsApiSetPersistentDebug(); + static setPersistentDebug() { + Afl.jsApiSetPersistentDebug(); } - /** * See `AFL_FRIDA_PERSISTENT_ADDR`. This function takes a NativePointer as an * argument. See above for examples of use. */ - public static setPersistentHook(address: NativePointer): void { - Afl.jsApiSetPersistentHook(address); + static setPersistentHook(address) { + Afl.jsApiSetPersistentHook(address); } - /** * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a * `NativePointer` should be provided as it's argument. */ - public static setPersistentReturn(address: NativePointer): void { - Afl.jsApiSetPersistentReturn(address); + static setPersistentReturn(address) { + Afl.jsApiSetPersistentReturn(address); + } + /** + * See `AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH`. + */ + static setPrefetchBackpatchDisable() { + Afl.jsApiSetPrefetchBackpatchDisable(); } - /** * See `AFL_FRIDA_INST_NO_PREFETCH`. */ - public static setPrefetchDisable(): void { - Afl.jsApiSetPrefetchDisable(); + static setPrefetchDisable() { + Afl.jsApiSetPrefetchDisable(); + } + /** + * See `AFL_FRIDA_SECCOMP_FILE`. This function takes a single `string` as + * an argument. + */ + static setSeccompFile(file) { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetSeccompFile(buf); + } + /** + * See `AFL_FRIDA_STALKER_ADJACENT_BLOCKS`. + */ + static setStalkerAdjacentBlocks(val) { + Afl.jsApiSetStalkerAdjacentBlocks(val); } - /* - * Set a function to be called for each instruction which is instrumented - * by AFL FRIDA mode. + * Set a function to be called for each instruction which is instrumented + * by AFL FRIDA mode. + */ + static setStalkerCallback(callback) { + Afl.jsApiSetStalkerCallback(callback); + } + /** + * See `AFL_FRIDA_STALKER_IC_ENTRIES`. */ - public static setStalkerCallback(callback: NativePointer): void { - Afl.jsApiSetStalkerCallback(callback); + static setStalkerIcEntries(val) { + Afl.jsApiSetStalkerIcEntries(val); } - /** * See `AFL_FRIDA_STATS_FILE`. This function takes a single `string` as * an argument. */ - public static setStatsFile(file: string): void { - const buf = Memory.allocUtf8String(file); - Afl.jsApiSetStatsFile(buf); + static setStatsFile(file) { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetStatsFile(buf); } - /** * See `AFL_FRIDA_STATS_INTERVAL`. This function takes a `number` as an * argument */ - public static setStatsInterval(interval: number): void { - Afl.jsApiSetStatsInterval(interval); + static setStatsInterval(interval) { + Afl.jsApiSetStatsInterval(interval); } - /** * See `AFL_FRIDA_OUTPUT_STDERR`. This function takes a single `string` as * an argument. */ - public static setStdErr(file: string): void { - const buf = Memory.allocUtf8String(file); - Afl.jsApiSetStdErr(buf); + static setStdErr(file) { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetStdErr(buf); } - /** * See `AFL_FRIDA_OUTPUT_STDOUT`. This function takes a single `string` as * an argument. */ - public static setStdOut(file: string): void { - const buf = Memory.allocUtf8String(file); - Afl.jsApiSetStdOut(buf); + static setStdOut(file) { + const buf = Memory.allocUtf8String(file); + Afl.jsApiSetStdOut(buf); + } + /** + * See `AFL_FRIDA_TRACEABLE`. + */ + static setTraceable() { + Afl.jsApiSetTraceable(); + } + static jsApiGetFunction(name, retType, argTypes) { + const addr = Afl.module.getExportByName(name); + return new NativeFunction(addr, retType, argTypes); + } + static jsApiGetSymbol(name) { + return Afl.module.getExportByName(name); } - } - ``` diff --git a/frida_mode/frida.map b/frida_mode/frida.map index 61eb19ee..5276db91 100644 --- a/frida_mode/frida.map +++ b/frida_mode/frida.map @@ -20,6 +20,7 @@ js_api_set_instrument_trace; js_api_set_instrument_trace_unique; js_api_set_instrument_unstable_coverage_file; + js_api_set_js_main_hook; js_api_set_persistent_address; js_api_set_persistent_count; js_api_set_persistent_debug; diff --git a/frida_mode/include/js.h b/frida_mode/include/js.h index a5ecb712..39aa0573 100644 --- a/frida_mode/include/js.h +++ b/frida_mode/include/js.h @@ -7,11 +7,14 @@ typedef gboolean (*js_api_stalker_callback_t)(const cs_insn *insn, gboolean begin, gboolean excluded, GumStalkerOutput *output); +typedef int (*js_main_hook_t)(int argc, char **argv, char **envp); + extern unsigned char api_js[]; extern unsigned int api_js_len; extern gboolean js_done; extern js_api_stalker_callback_t js_user_callback; +extern js_main_hook_t js_main_hook; /* Frida Mode */ diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js index 8e810d09..215fbdaf 100644 --- a/frida_mode/src/js/api.js +++ b/frida_mode/src/js/api.js @@ -151,6 +151,13 @@ class Afl { const buf = Memory.allocUtf8String(file); Afl.jsApiSetInstrumentUnstableCoverageFile(buf); } + /* + * Set a callback to be called in place of the usual `main` function. This see + * `Scripting.md` for details. + */ + static setJsMainHook(address) { + Afl.jsApiSetJsMainHook(address); + } /** * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a * `NativePointer` should be provided as it's argument. @@ -291,6 +298,7 @@ Afl.jsApiSetInstrumentSeed = Afl.jsApiGetFunction("js_api_set_instrument_seed", Afl.jsApiSetInstrumentTrace = Afl.jsApiGetFunction("js_api_set_instrument_trace", "void", []); Afl.jsApiSetInstrumentTraceUnique = Afl.jsApiGetFunction("js_api_set_instrument_trace_unique", "void", []); Afl.jsApiSetInstrumentUnstableCoverageFile = Afl.jsApiGetFunction("js_api_set_instrument_unstable_coverage_file", "void", ["pointer"]); +Afl.jsApiSetJsMainHook = Afl.jsApiGetFunction("js_api_set_js_main_hook", "void", ["pointer"]); Afl.jsApiSetPersistentAddress = Afl.jsApiGetFunction("js_api_set_persistent_address", "void", ["pointer"]); Afl.jsApiSetPersistentCount = Afl.jsApiGetFunction("js_api_set_persistent_count", "void", ["uint64"]); Afl.jsApiSetPersistentDebug = Afl.jsApiGetFunction("js_api_set_persistent_debug", "void", []); @@ -299,8 +307,8 @@ Afl.jsApiSetPersistentReturn = Afl.jsApiGetFunction("js_api_set_persistent_retur Afl.jsApiSetPrefetchBackpatchDisable = Afl.jsApiGetFunction("js_api_set_prefetch_backpatch_disable", "void", []); Afl.jsApiSetPrefetchDisable = Afl.jsApiGetFunction("js_api_set_prefetch_disable", "void", []); Afl.jsApiSetSeccompFile = Afl.jsApiGetFunction("js_api_set_seccomp_file", "void", ["pointer"]); -Afl.jsApiSetStalkerCallback = Afl.jsApiGetFunction("js_api_set_stalker_callback", "void", ["pointer"]); Afl.jsApiSetStalkerAdjacentBlocks = Afl.jsApiGetFunction("js_api_set_stalker_adjacent_blocks", "void", ["uint32"]); +Afl.jsApiSetStalkerCallback = Afl.jsApiGetFunction("js_api_set_stalker_callback", "void", ["pointer"]); Afl.jsApiSetStalkerIcEntries = Afl.jsApiGetFunction("js_api_set_stalker_ic_entries", "void", ["uint32"]); Afl.jsApiSetStatsFile = Afl.jsApiGetFunction("js_api_set_stats_file", "void", ["pointer"]); Afl.jsApiSetStatsInterval = Afl.jsApiGetFunction("js_api_set_stats_interval", "void", ["uint64"]); diff --git a/frida_mode/src/js/js.c b/frida_mode/src/js/js.c index 37cd377b..5f477388 100644 --- a/frida_mode/src/js/js.c +++ b/frida_mode/src/js/js.c @@ -3,10 +3,11 @@ #include "js.h" #include "util.h" -static char * js_script = NULL; gboolean js_done = FALSE; js_api_stalker_callback_t js_user_callback = NULL; +js_main_hook_t js_main_hook = NULL; +static char * js_script = NULL; static gchar * filename = "afl.js"; static gchar * contents; static GumScriptBackend * backend; diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index 4221fb80..5021b531 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -255,3 +255,10 @@ __attribute__((visibility("default"))) void js_api_set_stalker_adjacent_blocks( } +__attribute__((visibility("default"))) void js_api_set_js_main_hook( + const js_main_hook_t hook) { + + js_main_hook = hook; + +} + diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index cb88eabe..913e3a46 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -36,13 +36,13 @@ extern mach_port_t mach_task_self(); extern GumAddress gum_darwin_find_entrypoint(mach_port_t task); #else -extern int __libc_start_main(int *(main)(int, char **, char **), int argc, +extern int __libc_start_main(int (*main)(int, char **, char **), int argc, char **ubp_av, void (*init)(void), void (*fini)(void), void (*rtld_fini)(void), void(*stack_end)); #endif -typedef int *(*main_fn_t)(int argc, char **argv, char **envp); +typedef int (*main_fn_t)(int argc, char **argv, char **envp); static main_fn_t main_fn = NULL; @@ -217,7 +217,7 @@ __attribute__((visibility("default"))) void afl_frida_start(void) { } -static int *on_main(int argc, char **argv, char **envp) { +static int on_main(int argc, char **argv, char **envp) { on_main_os(argc, argv, envp); @@ -225,12 +225,20 @@ static int *on_main(int argc, char **argv, char **envp) { afl_frida_start(); - return main_fn(argc, argv, envp); + if (js_main_hook != NULL) { + + return js_main_hook(argc, argv, envp); + + } else { + + return main_fn(argc, argv, envp); + + } } #if defined(EMBEDDED) -extern int *main(int argc, char **argv, char **envp); +extern int main(int argc, char **argv, char **envp); static void intercept_main(void) { @@ -253,7 +261,7 @@ static void intercept_main(void) { } #else -static int on_libc_start_main(int *(main)(int, char **, char **), int argc, +static int on_libc_start_main(int (*main)(int, char **, char **), int argc, char **ubp_av, void (*init)(void), void (*fini)(void), void (*rtld_fini)(void), void(*stack_end)) { diff --git a/frida_mode/test/js/GNUmakefile b/frida_mode/test/js/GNUmakefile index ccd990c0..c702ad98 100644 --- a/frida_mode/test/js/GNUmakefile +++ b/frida_mode/test/js/GNUmakefile @@ -47,6 +47,18 @@ $(AFLPP_DRIVER_DUMMY_INPUT): | $(BUILD_DIR) clean: rm -rf $(BUILD_DIR) +frida_js_main: $(TESTINSTBIN) $(TEST_DATA_FILE) $(AFLPP_DRIVER_DUMMY_INPUT) + AFL_PRELOAD=$(AFL_PRELOAD) \ + AFL_FRIDA_JS_SCRIPT=main.js \ + $(ROOT)afl-fuzz \ + -D \ + -O \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -t 10000+ \ + -- \ + $(TESTINSTBIN) $(AFLPP_DRIVER_DUMMY_INPUT) + frida_js_fuzz: $(TESTINSTBIN) $(TEST_DATA_FILE) $(AFLPP_DRIVER_DUMMY_INPUT) AFL_PRELOAD=$(AFL_PRELOAD) \ AFL_FRIDA_JS_SCRIPT=fuzz.js \ diff --git a/frida_mode/test/js/main.js b/frida_mode/test/js/main.js new file mode 100644 index 00000000..06306fc4 --- /dev/null +++ b/frida_mode/test/js/main.js @@ -0,0 +1,44 @@ +Afl.print('******************'); +Afl.print('* AFL FRIDA MODE *'); +Afl.print('******************'); +Afl.print(''); + +Afl.print(`PID: ${Process.id}`); + +const name = Process.enumerateModules()[0].name; +Afl.print(`Name: ${name}`); + +new ModuleMap().values().forEach(m => { + Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); +}); + +const main = DebugSymbol.fromName('main').address; +Afl.print(`main: ${main}`); + +const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; +Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`); + +const cm = new CModule(` + + extern unsigned char * __afl_fuzz_ptr; + extern unsigned int * __afl_fuzz_len; + extern void LLVMFuzzerTestOneInput(char *buf, int len); + + int main(int argc, char **argv) { + + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); + + } + `, + { + LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput, + __afl_fuzz_ptr: Afl.getAflFuzzPtr(), + __afl_fuzz_len: Afl.getAflFuzzLen() + }); + +Afl.setEntryPoint(cm.main); +Afl.setPersistentAddress(cm.main); +Afl.setInMemoryFuzzing(); +Afl.setJsMainHook(cm.main); +Afl.print("done"); +Afl.done(); diff --git a/frida_mode/ts/lib/afl.ts b/frida_mode/ts/lib/afl.ts index e20ad3ec..0473cbf6 100644 --- a/frida_mode/ts/lib/afl.ts +++ b/frida_mode/ts/lib/afl.ts @@ -179,6 +179,14 @@ class Afl { Afl.jsApiSetInstrumentUnstableCoverageFile(buf); } + /* + * Set a callback to be called in place of the usual `main` function. This see + * `Scripting.md` for details. + */ + public static setJsMainHook(address: NativePointer): void { + Afl.jsApiSetJsMainHook(address); + } + /** * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a * `NativePointer` should be provided as it's argument. @@ -387,6 +395,11 @@ class Afl { "void", ["pointer"]); + private static readonly jsApiSetJsMainHook = Afl.jsApiGetFunction( + "js_api_set_js_main_hook", + "void", + ["pointer"]); + private static readonly jsApiSetPersistentAddress = Afl.jsApiGetFunction( "js_api_set_persistent_address", "void", @@ -427,16 +440,16 @@ class Afl { "void", ["pointer"]); - private static readonly jsApiSetStalkerCallback = Afl.jsApiGetFunction( - "js_api_set_stalker_callback", - "void", - ["pointer"]); - private static readonly jsApiSetStalkerAdjacentBlocks = Afl.jsApiGetFunction( "js_api_set_stalker_adjacent_blocks", "void", ["uint32"]); + private static readonly jsApiSetStalkerCallback = Afl.jsApiGetFunction( + "js_api_set_stalker_callback", + "void", + ["pointer"]); + private static readonly jsApiSetStalkerIcEntries = Afl.jsApiGetFunction( "js_api_set_stalker_ic_entries", "void", -- cgit 1.4.1 From b0f7691c2986eb3bcfc5a7c42fc4a4f022dfe961 Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 18 Nov 2021 17:08:39 +0000 Subject: Fix ASAN DSO exclusion --- frida_mode/src/asan/asan.c | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/asan/asan.c b/frida_mode/src/asan/asan.c index fae1d655..f095fb46 100644 --- a/frida_mode/src/asan/asan.c +++ b/frida_mode/src/asan/asan.c @@ -33,18 +33,6 @@ void asan_init(void) { } -gboolean asan_exclude_range(const GumRangeDetails *details, - gpointer user_data) { - - UNUSED_PARAMETER(user_data); - - FOKF("Exclude ASAN: 0x%016lx-0x%016lx", details->range->base_address, - details->range->base_address + details->range->size); - - ranges_add_exclude((GumMemoryRange *)details->range); - -} - static gboolean asan_exclude_module(const GumModuleDetails *details, gpointer user_data) { @@ -54,7 +42,8 @@ static gboolean asan_exclude_module(const GumModuleDetails *details, address = gum_module_find_export_by_name(details->name, symbol_name); if (address == 0) { return TRUE; } - gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, asan_exclude_range, NULL); + ranges_add_exclude((GumMemoryRange *)details->range); + return FALSE; } -- cgit 1.4.1 From 8c9ce591e5aaaf2ce16322f6dd873bb0a2969a8c Mon Sep 17 00:00:00 2001 From: Your Name Date: Fri, 19 Nov 2021 18:06:15 +0000 Subject: Shift saved values down the stack by 8 bytes --- frida_mode/src/instrument/instrument_x64.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index c271adc1..f0bce7e2 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -68,10 +68,10 @@ typedef struct { // sahf // mov rax,QWORD PTR [rsp-0x80] - uint8_t mov_rax_rsp_80[5]; - uint8_t lahf; uint8_t mov_rax_rsp_88[8]; - uint8_t mov_rbx_rsp_90[8]; + uint8_t lahf; + uint8_t mov_rax_rsp_90[8]; + uint8_t mov_rbx_rsp_98[8]; uint8_t mov_eax_prev_loc[6]; uint8_t mov_prev_loc_curr_loc_shr1[10]; @@ -83,10 +83,10 @@ typedef struct { uint8_t adc_bl_0[3]; uint8_t mov_ptr_rax_rbx[2]; - uint8_t mov_rsp_90_rbx[8]; - uint8_t mov_rsp_88_rax[8]; + uint8_t mov_rsp_98_rbx[8]; + uint8_t mov_rsp_90_rax[8]; uint8_t sahf; - uint8_t mov_rsp_80_rax[5]; + uint8_t mov_rsp_88_rax[8]; } afl_log_code_asm_t; @@ -102,10 +102,10 @@ typedef union { static const afl_log_code_asm_t template = { - .mov_rax_rsp_80 = {0x48, 0x89, 0x44, 0x24, 0x80}, - .lahf = 0x9f, .mov_rax_rsp_88 = {0x48, 0x89, 0x84, 0x24, 0x78, 0xFF, 0xFF, 0xFF}, - .mov_rbx_rsp_90 = {0x48, 0x89, 0x9C, 0x24, 0x70, 0xFF, 0xFF, 0xFF}, + .lahf = 0x9f, + .mov_rax_rsp_90 = {0x48, 0x89, 0x84, 0x24, 0x70, 0xFF, 0xFF, 0xFF}, + .mov_rbx_rsp_98 = {0x48, 0x89, 0x9C, 0x24, 0x68, 0xFF, 0xFF, 0xFF}, .mov_eax_prev_loc = {0x8b, 0x05}, .mov_prev_loc_curr_loc_shr1 = {0xc7, 0x05}, @@ -116,10 +116,10 @@ static const afl_log_code_asm_t template = .adc_bl_0 = {0x80, 0xd3, 0x00}, .mov_ptr_rax_rbx = {0x88, 0x18}, - .mov_rsp_90_rbx = {0x48, 0x8B, 0x9C, 0x24, 0x70, 0xFF, 0xFF, 0xFF}, - .mov_rsp_88_rax = {0x48, 0x8B, 0x84, 0x24, 0x78, 0xFF, 0xFF, 0xFF}, + .mov_rsp_98_rbx = {0x48, 0x8B, 0x9C, 0x24, 0x68, 0xFF, 0xFF, 0xFF}, + .mov_rsp_90_rax = {0x48, 0x8B, 0x84, 0x24, 0x70, 0xFF, 0xFF, 0xFF}, .sahf = 0x9e, - .mov_rsp_80_rax = {0x48, 0x8B, 0x44, 0x24, 0x80}, + .mov_rsp_88_rax = {0x48, 0x8B, 0x84, 0x24, 0x78, 0xFF, 0xFF, 0xFF}, } -- cgit 1.4.1 From 4a2d944df3a3c3f00f46dd1a2f62cb7d977b28a0 Mon Sep 17 00:00:00 2001 From: Your Name Date: Fri, 19 Nov 2021 18:06:15 +0000 Subject: Compilation warning fixes --- frida_mode/src/ctx/ctx_arm32.c | 1 + frida_mode/src/ctx/ctx_arm64.c | 1 + frida_mode/src/ctx/ctx_x86.c | 1 + frida_mode/src/persistent/persistent_x86.c | 1 + 4 files changed, 4 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/src/ctx/ctx_arm32.c b/frida_mode/src/ctx/ctx_arm32.c index 049b5548..28fc706b 100644 --- a/frida_mode/src/ctx/ctx_arm32.c +++ b/frida_mode/src/ctx/ctx_arm32.c @@ -1,6 +1,7 @@ #include "frida-gumjs.h" #include "ctx.h" +#include "util.h" #if defined(__arm__) diff --git a/frida_mode/src/ctx/ctx_arm64.c b/frida_mode/src/ctx/ctx_arm64.c index 01f321e3..63b6cf09 100644 --- a/frida_mode/src/ctx/ctx_arm64.c +++ b/frida_mode/src/ctx/ctx_arm64.c @@ -1,6 +1,7 @@ #include "frida-gumjs.h" #include "ctx.h" +#include "util.h" #if defined(__aarch64__) diff --git a/frida_mode/src/ctx/ctx_x86.c b/frida_mode/src/ctx/ctx_x86.c index abfeafc8..438e1fde 100644 --- a/frida_mode/src/ctx/ctx_x86.c +++ b/frida_mode/src/ctx/ctx_x86.c @@ -1,6 +1,7 @@ #include "frida-gumjs.h" #include "ctx.h" +#include "util.h" #if defined(__i386__) diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c index 902274b3..5425b01b 100644 --- a/frida_mode/src/persistent/persistent_x86.c +++ b/frida_mode/src/persistent/persistent_x86.c @@ -4,6 +4,7 @@ #include "instrument.h" #include "persistent.h" +#include "util.h" #if defined(__i386__) -- cgit 1.4.1 From d61a4def5e73d7e552d929652a237bd124861c77 Mon Sep 17 00:00:00 2001 From: Your Name Date: Fri, 19 Nov 2021 18:06:15 +0000 Subject: Minor ASAN fix (again) --- frida_mode/src/asan/asan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/asan/asan.c b/frida_mode/src/asan/asan.c index f095fb46..884bec53 100644 --- a/frida_mode/src/asan/asan.c +++ b/frida_mode/src/asan/asan.c @@ -49,7 +49,7 @@ static gboolean asan_exclude_module(const GumModuleDetails *details, void asan_exclude_module_by_symbol(gchar *symbol_name) { - gum_process_enumerate_modules(asan_exclude_module, "__asan_loadN"); + gum_process_enumerate_modules(asan_exclude_module, symbol_name); } -- cgit 1.4.1 From 0aae4589eee4319f36efae8c3b28a397ce21eb25 Mon Sep 17 00:00:00 2001 From: Your Name Date: Fri, 19 Nov 2021 18:06:15 +0000 Subject: Optimize assembly for x86 --- frida_mode/src/instrument/instrument_x86.c | 137 ++++++++++++++++++++--------- 1 file changed, 93 insertions(+), 44 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index 79664afa..c2f36995 100644 --- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c @@ -5,79 +5,128 @@ #if defined(__i386__) -static GumAddress current_log_impl = GUM_ADDRESS(0); + #pragma pack(push, 1) +typedef struct { -static void instrument_coverage_function(GumX86Writer *cw) { + // cur_location = (block_address >> 4) ^ (block_address << 8); + // shared_mem[cur_location ^ prev_location]++; + // prev_location = cur_location >> 1; - gum_x86_writer_put_pushfx(cw); - gum_x86_writer_put_push_reg(cw, GUM_REG_ECX); - gum_x86_writer_put_push_reg(cw, GUM_REG_EDX); + uint8_t mov_eax_esp_4[4]; + uint8_t lahf; + uint8_t mov_eax_esp_8[4]; + uint8_t mov_ebx_esp_c[4]; - gum_x86_writer_put_mov_reg_address(cw, GUM_REG_ECX, - GUM_ADDRESS(&instrument_previous_pc)); - gum_x86_writer_put_mov_reg_reg_ptr(cw, GUM_REG_EDX, GUM_REG_ECX); - gum_x86_writer_put_xor_reg_reg(cw, GUM_REG_EDX, GUM_REG_EDI); + uint8_t mov_eax_prev_loc[5]; + uint8_t mov_prev_loc_curr_loc_shr1[10]; - gum_x86_writer_put_add_reg_imm(cw, GUM_REG_EDX, GUM_ADDRESS(__afl_area_ptr)); + uint8_t xor_eax_curr_loc[5]; + uint8_t add_eax_area_ptr[5]; - /* add byte ptr [edx], 1 */ - uint8_t add_byte_ptr_edx_1[] = {0x80, 0x02, 0x01}; - gum_x86_writer_put_bytes(cw, add_byte_ptr_edx_1, sizeof(add_byte_ptr_edx_1)); + uint8_t mov_ebx_ptr_eax[2]; + uint8_t add_bl_1[3]; + uint8_t adc_bl_0[3]; + uint8_t mov_ptr_eax_ebx[2]; - /* adc byte ptr [edx], 0 */ - uint8_t adc_byte_ptr_edx_0[] = {0x80, 0x12, 0x00}; - gum_x86_writer_put_bytes(cw, adc_byte_ptr_edx_0, sizeof(adc_byte_ptr_edx_0)); + uint8_t mov_esp_c_ebx[4]; + uint8_t mov_esp_8_eax[4]; + uint8_t sahf; + uint8_t mov_esp_4_eax[4]; - uint8_t ror_di_1[] = {0x66, 0xd1, 0xcf}; - gum_x86_writer_put_bytes(cw, ror_di_1, sizeof(ror_di_1)); - gum_x86_writer_put_mov_reg_ptr_reg(cw, GUM_REG_ECX, GUM_REG_EDI); +} afl_log_code_asm_t; - gum_x86_writer_put_pop_reg(cw, GUM_REG_EDX); - gum_x86_writer_put_pop_reg(cw, GUM_REG_ECX); - gum_x86_writer_put_popfx(cw); - gum_x86_writer_put_ret(cw); + #pragma pack(pop) -} +typedef union { -gboolean instrument_is_coverage_optimize_supported(void) { + afl_log_code_asm_t code; + uint8_t bytes[0]; - return true; +} afl_log_code; -} +static const afl_log_code_asm_t template = + { -static void instrument_coverate_write_function(GumStalkerOutput *output) { + .mov_eax_esp_4 = {0x89, 0x44, 0x24, 0xFC}, + .lahf = 0x9f, + .mov_eax_esp_8 = {0x89, 0x44, 0x24, 0xF8}, + .mov_ebx_esp_c = {0x89, 0x5C, 0x24, 0xF4}, - GumX86Writer *cw = output->writer.x86; + .mov_eax_prev_loc = {0xA1}, + .mov_prev_loc_curr_loc_shr1 = {0xc7, 0x05}, - if (current_log_impl == 0 || - !gum_x86_writer_can_branch_directly_between(cw->pc, current_log_impl) || - !gum_x86_writer_can_branch_directly_between(cw->pc + 128, - current_log_impl)) { + .xor_eax_curr_loc = {0x35}, + .add_eax_area_ptr = {0x05}, + .mov_ebx_ptr_eax = {0x8a, 0x18}, + .add_bl_1 = {0x80, 0xc3, 0x01}, + .adc_bl_0 = {0x80, 0xd3, 0x00}, + .mov_ptr_eax_ebx = {0x88, 0x18}, - gconstpointer after_log_impl = cw->code + 1; + .mov_esp_c_ebx = {0x8B, 0x5C, 0x24, 0xF4}, + .mov_esp_8_eax = {0x8B, 0x44, 0x24, 0xF8}, + .sahf = 0x9e, + .mov_esp_4_eax = {0x8B, 0x44, 0x24, 0xFC}, - gum_x86_writer_put_jmp_near_label(cw, after_log_impl); +} - current_log_impl = cw->pc; - instrument_coverage_function(cw); +; - gum_x86_writer_put_label(cw, after_log_impl); +gboolean instrument_is_coverage_optimize_supported(void) { - } + return true; } void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output) { + afl_log_code code = {0}; GumX86Writer *cw = output->writer.x86; guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); - instrument_coverate_write_function(output); + gsize map_size_pow2; + gsize area_offset_ror; + + code.code = template; + + // gum_x86_writer_put_breakpoint(cw); + + gssize prev_loc_value_offset2 = + offsetof(afl_log_code, code.mov_eax_prev_loc) + + sizeof(code.code.mov_eax_prev_loc) - sizeof(gint); + + *((gint *)&code.bytes[prev_loc_value_offset2]) = + (gint)GPOINTER_TO_SIZE(&instrument_previous_pc); + + gssize curr_loc_shr_1_offset = + offsetof(afl_log_code, code.mov_prev_loc_curr_loc_shr1) + + sizeof(code.code.mov_prev_loc_curr_loc_shr1) - sizeof(guint32); + + map_size_pow2 = util_log2(__afl_map_size); + area_offset_ror = util_rotate(area_offset, 1, map_size_pow2); + + *((guint32 *)&code.bytes[curr_loc_shr_1_offset]) = (guint32)(area_offset_ror); + + gssize prev_loc_value_offset = + offsetof(afl_log_code, code.mov_prev_loc_curr_loc_shr1) + + sizeof(code.code.mov_prev_loc_curr_loc_shr1) - sizeof(gint) - + sizeof(guint32); + + *((gint *)&code.bytes[prev_loc_value_offset]) = + (gint)GPOINTER_TO_SIZE(&instrument_previous_pc); + + gssize xor_curr_loc_offset = offsetof(afl_log_code, code.xor_eax_curr_loc) + + sizeof(code.code.xor_eax_curr_loc) - + sizeof(guint32); + + *((guint32 *)&code.bytes[xor_curr_loc_offset]) = (guint32)area_offset; + + gssize add_area_ptr_offset = offsetof(afl_log_code, code.add_eax_area_ptr) + + sizeof(code.code.add_eax_area_ptr) - + sizeof(guint32); + + *((guint32 *)&code.bytes[add_area_ptr_offset]) = (guint32)__afl_area_ptr; - gum_x86_writer_put_push_reg(cw, GUM_REG_EDI); - gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EDI, area_offset); - gum_x86_writer_put_call_address(cw, current_log_impl); - gum_x86_writer_put_pop_reg(cw, GUM_REG_EDI); + gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code)); } -- cgit 1.4.1 From f85edd9181a8e022b775e5ac9073fb59a23b544c Mon Sep 17 00:00:00 2001 From: Your Name Date: Fri, 19 Nov 2021 18:06:15 +0000 Subject: Changes to skip coverage code on deterministic branches on x86 --- frida_mode/src/instrument/instrument_x86.c | 75 ++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index c2f36995..ad837e2d 100644 --- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c @@ -1,10 +1,13 @@ #include "frida-gumjs.h" #include "instrument.h" +#include "stalker.h" #include "util.h" #if defined(__i386__) +static GHashTable *coverage_blocks = NULL; + #pragma pack(push, 1) typedef struct { @@ -77,6 +80,70 @@ gboolean instrument_is_coverage_optimize_supported(void) { } +static void instrument_coverage_switch(GumStalkerObserver *self, + gpointer start_address, + const cs_insn * from_insn, + gpointer * target) { + + UNUSED_PARAMETER(self); + UNUSED_PARAMETER(start_address); + + cs_x86 * x86; + cs_x86_op *op; + if (from_insn == NULL) { return; } + + x86 = &from_insn->detail->x86; + op = x86->operands; + + if (!g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target))) { + + return; + + } + + switch (from_insn->id) { + + case X86_INS_CALL: + case X86_INS_JMP: + if (x86->op_count != 1) { + + FATAL("Unexpected operand count: %d", x86->op_count); + + } + + if (op[0].type != X86_OP_IMM) { return; } + + break; + case X86_INS_RET: + break; + default: + return; + + } + + *target = (guint8 *)*target + sizeof(afl_log_code); + +} + +static void instrument_coverage_suppress_init(void) { + + static gboolean initialized = false; + if (initialized) { return; } + initialized = true; + + GumStalkerObserver * observer = stalker_get_observer(); + GumStalkerObserverInterface *iface = GUM_STALKER_OBSERVER_GET_IFACE(observer); + iface->switch_callback = instrument_coverage_switch; + + coverage_blocks = g_hash_table_new(g_direct_hash, g_direct_equal); + if (coverage_blocks == NULL) { + + FATAL("Failed to g_hash_table_new, errno: %d", errno); + + } + +} + void instrument_coverage_optimize(const cs_insn * instr, GumStalkerOutput *output) { @@ -88,8 +155,16 @@ void instrument_coverage_optimize(const cs_insn * instr, code.code = template; + instrument_coverage_suppress_init(); + // gum_x86_writer_put_breakpoint(cw); + if (!g_hash_table_add(coverage_blocks, GSIZE_TO_POINTER(cw->code))) { + + FATAL("Failed - g_hash_table_add"); + + } + gssize prev_loc_value_offset2 = offsetof(afl_log_code, code.mov_eax_prev_loc) + sizeof(code.code.mov_eax_prev_loc) - sizeof(gint); -- cgit 1.4.1 From eb7db334a5feeaac9502bd2df5dd885d9d752f5b Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 19 Nov 2021 21:21:13 +0100 Subject: Fix compilation on RaspberryPi 32-bit (please review) --- frida_mode/src/instrument/instrument_x64.c | 2 +- frida_mode/src/seccomp/seccomp_filter.c | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index f0bce7e2..41162f2a 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -5,7 +5,7 @@ #if defined(__linux__) #if !defined(__ANDROID__) - #include + #include #include #else #include diff --git a/frida_mode/src/seccomp/seccomp_filter.c b/frida_mode/src/seccomp/seccomp_filter.c index a7c0926c..5aee398f 100644 --- a/frida_mode/src/seccomp/seccomp_filter.c +++ b/frida_mode/src/seccomp/seccomp_filter.c @@ -72,7 +72,13 @@ static struct sock_filter filter[] = { /* Allow us to make anonymous maps */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, nr))), +#ifdef __NR_mmap BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mmap, 0, 3), +#else +# ifdef __NR_mmap2 + BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mmap2, 0, 3), +# endif +#endif BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, args[4]))), BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, -1, 0, 1), -- cgit 1.4.1 From 3d18243fd7d20bb1926396ec5c05df74fcd2dd95 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 19 Nov 2021 22:11:24 +0100 Subject: Fix compilation error under RaspberryPi 64-Bit Manjaro Linux (no SYS_eventfd available here) --- frida_mode/src/seccomp/seccomp_event.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/src/seccomp/seccomp_event.c b/frida_mode/src/seccomp/seccomp_event.c index aca0967a..0907eff8 100644 --- a/frida_mode/src/seccomp/seccomp_event.c +++ b/frida_mode/src/seccomp/seccomp_event.c @@ -10,7 +10,13 @@ int seccomp_event_create(void) { +#ifdef SYS_eventfd int fd = syscall(SYS_eventfd, 0, 0); +#else +# ifdef SYS_eventfd2 + int fd = syscall(SYS_eventfd2, 0, 0); +# endif +#endif if (fd < 0) { FFATAL("seccomp_event_create"); } return fd; -- cgit 1.4.1 From af2fcbc1d402c6e29e4a82af64b6cff9a6558459 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 29 Nov 2021 17:38:06 +0000 Subject: Fix transposed configuration options --- frida_mode/src/stalker.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c index b4dd5a47..4ef52ee9 100644 --- a/frida_mode/src/stalker.c +++ b/frida_mode/src/stalker.c @@ -61,9 +61,9 @@ void stalker_config(void) { backpatch_enable = (getenv("AFL_FRIDA_INST_NO_BACKPATCH") == NULL); - stalker_ic_entries = util_read_num("AFL_FRIDA_STALKER_ADJACENT_BLOCKS"); + stalker_adjacent_blocks = util_read_num("AFL_FRIDA_STALKER_ADJACENT_BLOCKS"); - stalker_adjacent_blocks = util_read_num("AFL_FRIDA_STALKER_IC_ENTRIES"); + stalker_ic_entries = util_read_num("AFL_FRIDA_STALKER_IC_ENTRIES"); observer = g_object_new(GUM_TYPE_AFL_STALKER_OBSERVER, NULL); -- cgit 1.4.1 From 2cdd75a27493618d0e2a37a6af3623ee191ce5d7 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 29 Nov 2021 17:38:06 +0000 Subject: Fix some minor formatting --- frida_mode/src/seccomp/seccomp_event.c | 10 +++++----- frida_mode/src/seccomp/seccomp_filter.c | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/seccomp/seccomp_event.c b/frida_mode/src/seccomp/seccomp_event.c index 0907eff8..e6585f1d 100644 --- a/frida_mode/src/seccomp/seccomp_event.c +++ b/frida_mode/src/seccomp/seccomp_event.c @@ -10,13 +10,13 @@ int seccomp_event_create(void) { -#ifdef SYS_eventfd + #ifdef SYS_eventfd int fd = syscall(SYS_eventfd, 0, 0); -#else -# ifdef SYS_eventfd2 + #else + #ifdef SYS_eventfd2 int fd = syscall(SYS_eventfd2, 0, 0); -# endif -#endif + #endif + #endif if (fd < 0) { FFATAL("seccomp_event_create"); } return fd; diff --git a/frida_mode/src/seccomp/seccomp_filter.c b/frida_mode/src/seccomp/seccomp_filter.c index 5aee398f..1d050303 100644 --- a/frida_mode/src/seccomp/seccomp_filter.c +++ b/frida_mode/src/seccomp/seccomp_filter.c @@ -72,13 +72,13 @@ static struct sock_filter filter[] = { /* Allow us to make anonymous maps */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, nr))), -#ifdef __NR_mmap + #ifdef __NR_mmap BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mmap, 0, 3), -#else -# ifdef __NR_mmap2 + #else + #ifdef __NR_mmap2 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mmap2, 0, 3), -# endif -#endif + #endif + #endif BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, args[4]))), BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, -1, 0, 1), -- cgit 1.4.1 From b0c51964b7f1ca57455268ab3c65117526ba9742 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 29 Nov 2021 17:38:06 +0000 Subject: Add support for parsing zero as a configuration setting --- frida_mode/include/util.h | 3 +-- frida_mode/src/util.c | 26 +++++++++++++++++++++++--- 2 files changed, 24 insertions(+), 5 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/include/util.h b/frida_mode/include/util.h index 77491ea8..bcbdde26 100644 --- a/frida_mode/include/util.h +++ b/frida_mode/include/util.h @@ -8,8 +8,7 @@ #define UNUSED_PARAMETER(x) (void)(x) #define IGNORED_RETURN(x) (void)!(x) -guint64 util_read_address(char *key); - +guint64 util_read_address(char *key); guint64 util_read_num(char *key); gboolean util_output_enabled(void); gsize util_rotate(gsize val, gsize shift, gsize size); diff --git a/frida_mode/src/util.c b/frida_mode/src/util.c index d84b7065..c9ef0edc 100644 --- a/frida_mode/src/util.c +++ b/frida_mode/src/util.c @@ -3,6 +3,7 @@ guint64 util_read_address(char *key) { char *value_str = getenv(key); + char *end_ptr; if (value_str == NULL) { return 0; } @@ -25,8 +26,17 @@ guint64 util_read_address(char *key) { } - guint64 value = g_ascii_strtoull(value_str2, NULL, 16); - if (value == 0) { + errno = 0; + + guint64 value = g_ascii_strtoull(value_str2, &end_ptr, 16); + + if (errno != 0) { + + FATAL("Error (%d) during conversion: %s", errno, value_str); + + } + + if (value == 0 && end_ptr == value_str2) { FATAL("Invalid address failed hex conversion: %s=%s\n", key, value_str2); @@ -39,6 +49,7 @@ guint64 util_read_address(char *key) { guint64 util_read_num(char *key) { char *value_str = getenv(key); + char *end_ptr; if (value_str == NULL) { return 0; } @@ -53,8 +64,17 @@ guint64 util_read_num(char *key) { } + errno = 0; + guint64 value = g_ascii_strtoull(value_str, NULL, 10); - if (value == 0) { + + if (errno != 0) { + + FATAL("Error (%d) during conversion: %s", errno, value_str); + + } + + if (value == 0 && end_ptr == value_str) { FATAL("Invalid address failed numeric conversion: %s=%s\n", key, value_str); -- cgit 1.4.1 From b48999f7c9e66e81899f8f5486c0931968bf3c77 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 29 Nov 2021 17:38:06 +0000 Subject: Changes to support defaults for configuration options --- frida_mode/include/util.h | 4 ++-- frida_mode/src/entry.c | 2 +- frida_mode/src/instrument/instrument.c | 2 +- frida_mode/src/persistent/persistent.c | 6 +++--- frida_mode/src/stalker.c | 22 +++++++++++----------- frida_mode/src/stats/stats.c | 6 +++--- frida_mode/src/util.c | 8 ++++---- 7 files changed, 25 insertions(+), 25 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/include/util.h b/frida_mode/include/util.h index bcbdde26..4dc05f20 100644 --- a/frida_mode/include/util.h +++ b/frida_mode/include/util.h @@ -8,8 +8,8 @@ #define UNUSED_PARAMETER(x) (void)(x) #define IGNORED_RETURN(x) (void)!(x) -guint64 util_read_address(char *key); -guint64 util_read_num(char *key); +guint64 util_read_address(char *key, guint64 default_value); +guint64 util_read_num(char *key, guint64 default_value); gboolean util_output_enabled(void); gsize util_rotate(gsize val, gsize shift, gsize size); gsize util_log2(gsize val); diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index 562e74eb..de645fdb 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -62,7 +62,7 @@ void entry_on_fork(void) { void entry_config(void) { - entry_point = util_read_address("AFL_ENTRYPOINT"); + entry_point = util_read_address("AFL_ENTRYPOINT", 0); if (getenv("AFL_FRIDA_TRACEABLE") != NULL) { traceable = TRUE; } } diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index d5823654..414dc84c 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -246,7 +246,7 @@ void instrument_config(void) { instrument_tracing = (getenv("AFL_FRIDA_INST_TRACE") != NULL); instrument_unique = (getenv("AFL_FRIDA_INST_TRACE_UNIQUE") != NULL); instrument_use_fixed_seed = (getenv("AFL_FRIDA_INST_SEED") != NULL); - instrument_fixed_seed = util_read_num("AFL_FRIDA_INST_SEED"); + instrument_fixed_seed = util_read_num("AFL_FRIDA_INST_SEED", 0); instrument_coverage_unstable_filename = (getenv("AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE")); diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c index e62f25d0..817d9925 100644 --- a/frida_mode/src/persistent/persistent.c +++ b/frida_mode/src/persistent/persistent.c @@ -22,9 +22,9 @@ gboolean persistent_debug = FALSE; void persistent_config(void) { hook_name = getenv("AFL_FRIDA_PERSISTENT_HOOK"); - persistent_start = util_read_address("AFL_FRIDA_PERSISTENT_ADDR"); - persistent_count = util_read_num("AFL_FRIDA_PERSISTENT_CNT"); - persistent_ret = util_read_address("AFL_FRIDA_PERSISTENT_RET"); + persistent_start = util_read_address("AFL_FRIDA_PERSISTENT_ADDR", 0); + persistent_count = util_read_num("AFL_FRIDA_PERSISTENT_CNT", 0); + persistent_ret = util_read_address("AFL_FRIDA_PERSISTENT_RET", 0); if (getenv("AFL_FRIDA_PERSISTENT_DEBUG") != NULL) { persistent_debug = TRUE; } diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c index 4ef52ee9..caa16b3f 100644 --- a/frida_mode/src/stalker.c +++ b/frida_mode/src/stalker.c @@ -61,9 +61,10 @@ void stalker_config(void) { backpatch_enable = (getenv("AFL_FRIDA_INST_NO_BACKPATCH") == NULL); - stalker_adjacent_blocks = util_read_num("AFL_FRIDA_STALKER_ADJACENT_BLOCKS"); + stalker_ic_entries = util_read_num("AFL_FRIDA_STALKER_IC_ENTRIES", 32); - stalker_ic_entries = util_read_num("AFL_FRIDA_STALKER_IC_ENTRIES"); + stalker_adjacent_blocks = + util_read_num("AFL_FRIDA_STALKER_ADJACENT_BLOCKS", 32); observer = g_object_new(GUM_TYPE_AFL_STALKER_OBSERVER, NULL); @@ -98,33 +99,32 @@ void stalker_init(void) { FOKF("Stalker - adjacent_blocks [%u]", stalker_adjacent_blocks); #if !(defined(__x86_64__) || defined(__i386__)) - if (stalker_ic_entries != 0) { + if (getenv("AFL_FRIDA_STALKER_IC_ENTRIES") != NULL) { FFATAL("AFL_FRIDA_STALKER_IC_ENTRIES not supported"); } - if (stalker_adjacent_blocks != 0) { + if (getenv("AFL_FRIDA_STALKER_ADJACENT_BLOCKS") != NULL) { FFATAL("AFL_FRIDA_STALKER_ADJACENT_BLOCKS not supported"); } #endif - if (stalker_ic_entries == 0) { stalker_ic_entries = 32; } - if (instrument_coverage_filename == NULL) { + if (instrument_coverage_filename != NULL) { - if (stalker_adjacent_blocks == 0) { stalker_adjacent_blocks = 32; } - - } else { - - if (stalker_adjacent_blocks != 0) { + if (getenv("AFL_FRIDA_STALKER_ADJACENT_BLOCKS") != NULL) { FFATAL( "AFL_FRIDA_STALKER_ADJACENT_BLOCKS and AFL_FRIDA_INST_COVERAGE_FILE " "are incompatible"); + } else { + + stalker_adjacent_blocks = 0; + } } diff --git a/frida_mode/src/stats/stats.c b/frida_mode/src/stats/stats.c index a61834d6..83ecf89a 100644 --- a/frida_mode/src/stats/stats.c +++ b/frida_mode/src/stats/stats.c @@ -323,7 +323,7 @@ static void stats_observer_init(GumStalkerObserver *observer) { void stats_config(void) { stats_filename = getenv("AFL_FRIDA_STATS_FILE"); - stats_interval = util_read_num("AFL_FRIDA_STATS_INTERVAL"); + stats_interval = util_read_num("AFL_FRIDA_STATS_INTERVAL", 10); } @@ -332,7 +332,8 @@ void stats_init(void) { FOKF("Stats - file [%s]", stats_filename); FOKF("Stats - interval [%" G_GINT64_MODIFIER "u]", stats_interval); - if (stats_interval != 0 && stats_filename == NULL) { + if (getenv("AFL_FRIDA_STATS_INTERVAL") != NULL && + getenv("AFL_FRIDA_STATS_FILE") == NULL) { FFATAL( "AFL_FRIDA_STATS_FILE must be specified if " @@ -340,7 +341,6 @@ void stats_init(void) { } - if (stats_interval == 0) { stats_interval = 10; } stats_interval_us = stats_interval * MICRO_TO_SEC; if (stats_filename == NULL) { return; } diff --git a/frida_mode/src/util.c b/frida_mode/src/util.c index c9ef0edc..6f52b6cb 100644 --- a/frida_mode/src/util.c +++ b/frida_mode/src/util.c @@ -1,11 +1,11 @@ #include "util.h" -guint64 util_read_address(char *key) { +guint64 util_read_address(char *key, guint64 default_value) { char *value_str = getenv(key); char *end_ptr; - if (value_str == NULL) { return 0; } + if (value_str == NULL) { return default_value; } if (!g_str_has_prefix(value_str, "0x")) { @@ -46,12 +46,12 @@ guint64 util_read_address(char *key) { } -guint64 util_read_num(char *key) { +guint64 util_read_num(char *key, guint64 default_value) { char *value_str = getenv(key); char *end_ptr; - if (value_str == NULL) { return 0; } + if (value_str == NULL) { return default_value; } for (char *c = value_str; *c != '\0'; c++) { -- cgit 1.4.1 From 0fbaaa4b32c803972fb2343188e6f0f9c1f7dc76 Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 2 Dec 2021 17:23:07 +0000 Subject: Fixes for arm32 --- frida_mode/GNUmakefile | 26 ++++++++++++++++++-------- frida_mode/include/instrument.h | 3 ++- frida_mode/src/instrument/instrument.c | 15 ++++++++++++++- frida_mode/src/instrument/instrument_arm32.c | 10 +++++++++- frida_mode/src/instrument/instrument_debug.c | 20 +++++++++++++++----- frida_mode/src/main.c | 8 ++++++-- 6 files changed, 64 insertions(+), 18 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index 52439979..2186517e 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -45,6 +45,11 @@ FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/ FRIDA_TRACE:=$(BUILD_DIR)afl-frida-trace.so FRIDA_TRACE_EMBEDDED:=$(BUILD_DIR)afl-frida-trace-embedded +TARGET_CC?=$(CC) +TARGET_CXX?=$(CXX) +HOST_CC?=$(CC) +HOST_CXX?=$(CXX) + ifndef ARCH ARCH=$(shell uname -m) @@ -99,6 +104,11 @@ ifneq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" "" endif endif +ifeq "$(ARCH)" "armhf" + TARGET_CC:=arm-linux-gnueabihf-gcc + TARGET_CXX:=arm-linux-gnueabihf-g++ +endif + ifndef OS $(error "Operating system unsupported") endif @@ -188,7 +198,7 @@ $(GUM_DEVIT_HEADER): $(GUM_DEVKIT_TARBALL) ############################## AFL ############################################# $(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC) - $(CC) \ + $(TARGET_CC) \ $(CFLAGS) \ $(AFL_CFLAGS) \ -I $(ROOT) \ @@ -197,7 +207,7 @@ $(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC) -c $< $(AFL_PERFORMANCE_OBJ): $(AFL_PERFORMANCE_SRC) - $(CC) \ + $(TARGET_CC) \ $(CFLAGS) \ $(AFL_CFLAGS) \ -I $(ROOT) \ @@ -208,13 +218,13 @@ $(AFL_PERFORMANCE_OBJ): $(AFL_PERFORMANCE_SRC) ############################### JS ############################################# $(BIN2C): $(BIN2C_SRC) - $(CC) -D_GNU_SOURCE -o $@ $< + $(HOST_CC) -D_GNU_SOURCE -o $@ $< $(JS_SRC): $(JS) $(BIN2C)| $(BUILD_DIR) cd $(JS_DIR) && $(BIN2C) api_js $(JS) $@ $(JS_OBJ): $(JS_SRC) GNUmakefile - $(CC) \ + $(TARGET_CC) \ $(CFLAGS) \ -I $(ROOT)include \ -I $(FRIDA_BUILD_DIR) \ @@ -226,7 +236,7 @@ $(JS_OBJ): $(JS_SRC) GNUmakefile define BUILD_SOURCE $(2): $(1) $(INCLUDES) GNUmakefile | $(OBJ_DIR) - $(CC) \ + $(TARGET_CC) \ $(CFLAGS) \ -I $(ROOT)include \ -I $(FRIDA_BUILD_DIR) \ @@ -240,7 +250,7 @@ $(foreach src,$(SOURCES),$(eval $(call BUILD_SOURCE,$(src),$(OBJ_DIR)$(notdir $( ######################## AFL-FRIDA-TRACE ####################################### $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL_COMPILER_RT_OBJ) $(AFL_PERFORMANCE_OBJ) GNUmakefile | $(BUILD_DIR) - $(CXX) \ + $(TARGET_CXX) \ $(OBJS) \ $(JS_OBJ) \ $(GUM_DEVIT_LIBRARY) \ @@ -255,10 +265,10 @@ $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL ############################# HOOK ############################################# $(AFLPP_FRIDA_DRIVER_HOOK_OBJ): $(AFLPP_FRIDA_DRIVER_HOOK_SRC) $(GUM_DEVIT_HEADER) | $(BUILD_DIR) - $(CC) $(CFLAGS) $(LDFLAGS) -I $(FRIDA_BUILD_DIR) $< -o $@ + $(TARGET_CC) $(CFLAGS) $(LDFLAGS) -I $(FRIDA_BUILD_DIR) $< -o $@ $(AFLPP_QEMU_DRIVER_HOOK_OBJ): $(AFLPP_QEMU_DRIVER_HOOK_SRC) | $(BUILD_DIR) - $(CC) $(CFLAGS) $(LDFLAGS) $< -o $@ + $(TARGET_CC) $(CFLAGS) $(LDFLAGS) $< -o $@ hook: $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h index cac5ee93..a5d52616 100644 --- a/frida_mode/include/instrument.h +++ b/frida_mode/include/instrument.h @@ -36,7 +36,8 @@ void instrument_coverage_optimize(const cs_insn * instr, void instrument_debug_config(void); void instrument_debug_init(void); void instrument_debug_start(uint64_t address, GumStalkerOutput *output); -void instrument_debug_instruction(uint64_t address, uint16_t size); +void instrument_debug_instruction(uint64_t address, uint16_t size, + GumStalkerOutput *output); void instrument_debug_end(GumStalkerOutput *output); void instrument_flush(GumStalkerOutput *output); gpointer instrument_cur(GumStalkerOutput *output); diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 414dc84c..8ee21f5b 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -193,7 +193,20 @@ static void instrument_basic_block(GumStalkerIterator *iterator, instrument_debug_start(instr->address, output); instrument_coverage_start(instr->address); +#if defined(__arm__) + if (output->encoding == GUM_INSTRUCTION_SPECIAL) { + + prefetch_write(GSIZE_TO_POINTER(instr->address + 1)); + + } else { + + prefetch_write(GSIZE_TO_POINTER(instr->address)); + + } + +#else prefetch_write(GSIZE_TO_POINTER(instr->address)); +#endif if (likely(!excluded)) { @@ -213,7 +226,7 @@ static void instrument_basic_block(GumStalkerIterator *iterator, } - instrument_debug_instruction(instr->address, instr->size); + instrument_debug_instruction(instr->address, instr->size, output); if (likely(!excluded)) { diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index fa8b0bd2..16e8eaab 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -28,7 +28,15 @@ void instrument_coverage_optimize_init(void) { void instrument_flush(GumStalkerOutput *output) { - gum_arm_writer_flush(output->writer.arm); + if (output->encoding == GUM_INSTRUCTION_SPECIAL) { + + gum_thumb_writer_flush(output->writer.thumb); + + } else { + + gum_arm_writer_flush(output->writer.arm); + + } } diff --git a/frida_mode/src/instrument/instrument_debug.c b/frida_mode/src/instrument/instrument_debug.c index a175b585..9c95857f 100644 --- a/frida_mode/src/instrument/instrument_debug.c +++ b/frida_mode/src/instrument/instrument_debug.c @@ -32,18 +32,27 @@ static void instrument_debug(char *format, ...) { } -static void instrument_disasm(guint8 *start, guint8 *end) { +static void instrument_disasm(guint8 *start, guint8 *end, + GumStalkerOutput *output) { csh capstone; cs_err err; + cs_mode mode; uint16_t size; cs_insn *insn; size_t count = 0; size_t i; uint16_t len; + mode = GUM_DEFAULT_CS_MODE | GUM_DEFAULT_CS_ENDIAN; + +#if defined(__arm__) + if (output->encoding == GUM_INSTRUCTION_SPECIAL) { mode |= CS_MODE_THUMB; } +#endif + err = cs_open(GUM_DEFAULT_CS_ARCH, - GUM_DEFAULT_CS_MODE | GUM_DEFAULT_CS_ENDIAN, &capstone); + CS_MODE_THUMB | GUM_DEFAULT_CS_MODE | GUM_DEFAULT_CS_ENDIAN, + &capstone); g_assert(err == CS_ERR_OK); size = GPOINTER_TO_SIZE(end) - GPOINTER_TO_SIZE(start); @@ -121,11 +130,12 @@ void instrument_debug_start(uint64_t address, GumStalkerOutput *output) { } -void instrument_debug_instruction(uint64_t address, uint16_t size) { +void instrument_debug_instruction(uint64_t address, uint16_t size, + GumStalkerOutput *output) { if (likely(debugging_fd < 0)) { return; } uint8_t *start = (uint8_t *)GSIZE_TO_POINTER(address); - instrument_disasm(start, start + size); + instrument_disasm(start, start + size, output); } @@ -136,7 +146,7 @@ void instrument_debug_end(GumStalkerOutput *output) { instrument_debug("\nGenerated block %p-%p\n", instrument_gen_start, instrument_gen_end); - instrument_disasm(instrument_gen_start, instrument_gen_end); + instrument_disasm(instrument_gen_start, instrument_gen_end, output); } diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index 913e3a46..1be63bc4 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -219,6 +219,8 @@ __attribute__((visibility("default"))) void afl_frida_start(void) { static int on_main(int argc, char **argv, char **envp) { + int ret; + on_main_os(argc, argv, envp); intercept_unhook_self(); @@ -227,14 +229,16 @@ static int on_main(int argc, char **argv, char **envp) { if (js_main_hook != NULL) { - return js_main_hook(argc, argv, envp); + ret = js_main_hook(argc, argv, envp); } else { - return main_fn(argc, argv, envp); + ret = main_fn(argc, argv, envp); } + return ret; + } #if defined(EMBEDDED) -- cgit 1.4.1