From 23e477caa76a0fd56e61419c9c3cee84a7881438 Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 11 Oct 2022 18:15:51 +0100 Subject: Updates following FRIDA API changes --- frida_mode/src/js/js.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/js/js.c b/frida_mode/src/js/js.c index 6bc31864..52b88d96 100644 --- a/frida_mode/src/js/js.c +++ b/frida_mode/src/js/js.c @@ -18,14 +18,10 @@ static GumScriptScheduler *scheduler; static GMainContext *context; static GMainLoop *main_loop; -static void js_msg(GumScript *script, const gchar *message, GBytes *data, - gpointer user_data) { - - UNUSED_PARAMETER(script); +static void js_msg(const gchar *message, GBytes *data, gpointer user_data) { UNUSED_PARAMETER(data); UNUSED_PARAMETER(user_data); FOKF("%s", message); - } void js_config(void) { @@ -124,8 +120,8 @@ void js_start(void) { main_loop = g_main_loop_new(context, true); g_main_context_push_thread_default(context); - gum_script_backend_create(backend, "example", source, cancellable, create_cb, - &error); + gum_script_backend_create(backend, "example", source, NULL, cancellable, + create_cb, &error); while (g_main_context_pending(context)) g_main_context_iteration(context, FALSE); -- cgit v1.2.3 From 4bb4d6ebfdbbdc1ceb6ebf66474180a5e9020ed3 Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 11 Oct 2022 18:15:51 +0100 Subject: ARM branch suppression --- frida_mode/src/instrument/instrument_arm32.c | 63 +++++++++++++++++++++++++--- 1 file changed, 58 insertions(+), 5 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index f2e825ee..5b6ddf09 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -1,6 +1,7 @@ #include "frida-gumjs.h" #include "instrument.h" +#include "stalker.h" #include "util.h" #if defined(__arm__) 
@@ -10,6 +11,7 @@ gboolean instrument_cache_enabled = FALSE; gsize instrument_cache_size = 0; +static GHashTable *coverage_blocks = NULL; extern __thread guint64 instrument_previous_pc; @@ -22,8 +24,25 @@ typedef struct { // shared_mem[cur_location ^ prev_location]++; // prev_location = cur_location >> 1; - /* We can remove this branch when we add support for branch suppression */ - uint32_t b_code; /* b imm */ + // str r0, [sp, #-128] ; 0xffffff80 + // str r1, [sp, #-132] ; 0xffffff7c + // ldr r0, [pc, #-20] ; 0xf691b29c + // ldrh r1, [r0] + // movw r0, #33222 ; 0x81c6 + // eor r0, r0, r1 + // ldr r1, [pc, #-40] ; 0xf691b298 + // add r1, r1, r0 + // ldrb r0, [r1] + // add r0, r0, #1 + // add r0, r0, r0, lsr #8 + // strb r0, [r1] + // movw r0, #49379 ; 0xc0e3 + // ldr r1, [pc, #-64] ; 0xf691b29c + // strh r0, [r1] + // ldr r1, [sp, #-132] ; 0xffffff7c + // ldr r0, [sp, #-128] ; 0xffffff80 + + uint32_t b_code; /* b imm */ uint8_t *shared_mem; uint64_t *prev_location; 
@@ -115,15 +134,45 @@ gboolean instrument_is_coverage_optimize_supported(void) { } -static void patch_t3_insn(uint32_t *insn, uint16_t val) { +static void instrument_coverage_switch(GumStalkerObserver *self, + gpointer from_address, + gpointer start_address, + const cs_insn * from_insn, + gpointer * target) { + UNUSED_PARAMETER(self); + UNUSED_PARAMETER(from_address); + UNUSED_PARAMETER(start_address); + UNUSED_PARAMETER(from_insn); + + if (!g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target))) { + return; + } + + *target += G_STRUCT_OFFSET(afl_log_code_asm_t, str_r0_sp_rz); +} +static void instrument_coverage_suppress_init(void) { + static gboolean initialized = false; + if (initialized) { return; } + initialized = true; + + GumStalkerObserver * observer = stalker_get_observer(); + GumStalkerObserverInterface *iface = GUM_STALKER_OBSERVER_GET_IFACE(observer); + iface->switch_callback = instrument_coverage_switch; + + coverage_blocks = g_hash_table_new(g_direct_hash, g_direct_equal); + if (coverage_blocks == NULL) { + FATAL("Failed to g_hash_table_new, errno: %d", errno); + } +} + +static void patch_t3_insn(uint32_t *insn, uint16_t val) { uint32_t orig = GUINT32_FROM_LE(*insn); uint32_t imm12 = (val & 0xfff); uint32_t imm4 = (val >> 12); orig |= imm12; orig |= (imm4 << 16); *insn = GUINT32_TO_LE(orig); - } void instrument_coverage_optimize(const cs_insn *instr, @@ -137,12 +186,16 @@ void instrument_coverage_optimize(const cs_insn *instr, gsize area_offset_ror; GumAddress code_addr = 0; - // gum_arm64_writer_put_brk_imm(cw, 0x0); + instrument_coverage_suppress_init(); code_addr = cw->pc; block_start = GSIZE_TO_POINTER(GUM_ADDRESS(cw->code)); + if (!g_hash_table_add(coverage_blocks, block_start)) { + FATAL("Failed - g_hash_table_add"); + } + code.code = template; g_assert(PAGE_ALIGNED(__afl_area_ptr)); -- cgit v1.2.3 From fac6491ad0bbaee078352990eeb708d82aa412e3 Mon Sep 17 00:00:00 2001 
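Review bot: In the `instrument_coverage_optimize` hunk, `if (!g_hash_table_add(coverage_blocks, block_start)) { FATAL("Failed - g_hash_table_add"); }` treats FALSE as a failure, but `g_hash_table_add` returns FALSE only when the key was already present, so a block compiled a second time at the same code address aborts the fuzzing run with a message that names the wrong cause; either tolerate the duplicate or say what happened, e.g. `FATAL("Coverage block already registered at %p", block_start);`. In `instrument_coverage_suppress_init`, `g_hash_table_new` aborts internally on allocation failure rather than returning NULL, so the `errno` printed by that FATAL is never meaningful and the NULL check can go. `iface->switch_callback = instrument_coverage_switch;` silently replaces whatever callback the observer already held; a one-line comment stating that this module owns the observer's switch callback (or a `g_assert(iface->switch_callback == NULL);` before the assignment) would make that contract explicit. The same FALSE-as-failure pattern recurs in the arm64, x64 and x86 hunks of the later 'Add support for disabling branch suppression' commit.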
From: Your Name Date: Tue, 11 Oct 2022 18:15:51 +0100 Subject: Bump FRIDA version --- frida_mode/src/ctx/ctx_arm32.c | 2 ++ frida_mode/src/instrument/instrument_arm32.c | 9 +++------ frida_mode/src/instrument/instrument_arm64.c | 29 ++++++++++++++++++++++++---- frida_mode/src/prefetch.c | 1 - frida_mode/src/stats/stats_arm32.c | 1 + 5 files changed, 31 insertions(+), 11 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/ctx/ctx_arm32.c b/frida_mode/src/ctx/ctx_arm32.c index 28fc706b..0e5b25a4 100644 --- a/frida_mode/src/ctx/ctx_arm32.c +++ b/frida_mode/src/ctx/ctx_arm32.c @@ -7,6 +7,8 @@ gsize ctx_read_reg(GumArmCpuContext *ctx, arm_reg reg) { + UNUSED_PARAMETER(ctx); + UNUSED_PARAMETER(reg); FFATAL("ctx_read_reg unimplemented for this architecture"); } diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index 5b6ddf09..44e37e11 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -137,8 +137,8 @@ gboolean instrument_is_coverage_optimize_supported(void) { static void instrument_coverage_switch(GumStalkerObserver *self, gpointer from_address, gpointer start_address, - const cs_insn * from_insn, - gpointer * target) { + void *from_insn, + gpointer *target) { UNUSED_PARAMETER(self); UNUSED_PARAMETER(from_address); UNUSED_PARAMETER(start_address); @@ -148,7 +148,7 @@ static void instrument_coverage_switch(GumStalkerObserver *self, return; } - *target += G_STRUCT_OFFSET(afl_log_code_asm_t, str_r0_sp_rz); + *target = (guint8 *)*target + G_STRUCT_OFFSET(afl_log_code_asm_t, str_r0_sp_rz); } static void instrument_coverage_suppress_init(void) { 
@@ -184,12 +184,9 @@ void instrument_coverage_optimize(const cs_insn *instr, guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); gsize map_size_pow2; gsize area_offset_ror; - GumAddress code_addr = 0; instrument_coverage_suppress_init(); - code_addr = cw->pc; - block_start = GSIZE_TO_POINTER(GUM_ADDRESS(cw->code)); if (!g_hash_table_add(coverage_blocks, block_start)) { diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 87811b38..fe70a8bb 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -156,26 +156,47 @@ static gboolean instrument_is_deterministic(const cs_insn *from_insn) { } +cs_insn * +instrument_disassemble (gconstpointer address) +{ + csh capstone; + cs_insn * insn = NULL; + + cs_open (CS_ARCH_ARM64, GUM_DEFAULT_CS_ENDIAN, &capstone); + cs_option (capstone, CS_OPT_DETAIL, CS_OPT_ON); + + cs_disasm (capstone, address, 16, GPOINTER_TO_SIZE (address), 1, &insn); + + cs_close (&capstone); + + return insn; +} + static void instrument_coverage_switch(GumStalkerObserver *self, gpointer from_address, gpointer start_address, - const cs_insn *from_insn, + void *from_insn, gpointer *target) { UNUSED_PARAMETER(self); UNUSED_PARAMETER(from_address); UNUSED_PARAMETER(start_address); + cs_insn * insn = NULL; + gboolean deterministic = FALSE; gsize fixup_offset; if (!g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target)) && - !g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target + 4))) { + !g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER((guint8 *)*target + 4))) { return; } - if (instrument_is_deterministic(from_insn)) { return; } + insn = instrument_disassemble (from_insn); + deterministic = instrument_is_deterministic(insn); + cs_free (insn, 1); + if (deterministic) { return; } /* * Since each block is prefixed with a restoration prologue, we need to be 
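Review bot: `instrument_disassemble` in the instrument_arm64.c hunk checks none of the capstone results: if `cs_open` fails, `capstone` is passed uninitialized to `cs_option` and `cs_disasm`, and if `cs_disasm` returns 0 the function returns NULL, which `instrument_coverage_switch` then hands to `instrument_is_deterministic` and to `cs_free(insn, 1)`, which dereferences its argument. Guard both ends, `if (cs_open(CS_ARCH_ARM64, GUM_DEFAULT_CS_ENDIAN, &capstone) != CS_ERR_OK) { return NULL; }` plus a check that `cs_disasm` returned 1, and in the caller `if (insn == NULL) { return; }` before the `cs_free`. Opening and closing a capstone handle on every block switch also sits on the hot path; a handle created once per thread would avoid it, presumably worth measuring. The function has external linkage with no visible prototype, so `static` (or a declaration in instrument.h) would keep `-Wmissing-prototypes` quiet. The identical helpers added to instrument_x64.c and instrument_x86.c in the 'Fixes for x64' commit share all of this.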
@@ -208,7 +229,7 @@ static void instrument_coverage_switch(GumStalkerObserver *self, */ fixup_offset = GUM_RESTORATION_PROLOG_SIZE + G_STRUCT_OFFSET(afl_log_code_asm_t, restoration_prolog); - *target += fixup_offset; + *target = (guint8 *)*target + fixup_offset; } diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c index 905e0ae9..f093cd53 100644 --- a/frida_mode/src/prefetch.c +++ b/frida_mode/src/prefetch.c @@ -29,7 +29,6 @@ gboolean prefetch_enable = TRUE; gboolean prefetch_backpatch = TRUE; static prefetch_data_t *prefetch_data = NULL; -static int prefetch_shm_id = -1; static GHashTable *cant_prefetch = NULL; diff --git a/frida_mode/src/stats/stats_arm32.c b/frida_mode/src/stats/stats_arm32.c index bd652aa3..6c72a476 100644 --- a/frida_mode/src/stats/stats_arm32.c +++ b/frida_mode/src/stats/stats_arm32.c @@ -13,6 +13,7 @@ void starts_arch_init(void) { void stats_write_arch(stats_data_t *data) { + UNUSED_PARAMETER(data); FFATAL("Stats not supported on this architecture"); } -- cgit v1.2.3 From 7461c52278ff3a96ebc4d71d369d3a8b24fd19b1 Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 11 Oct 2022 18:15:51 +0100 Subject: Fixes for x64 --- frida_mode/src/instrument/instrument_arm32.c | 28 ++++++++++++++------ frida_mode/src/instrument/instrument_arm64.c | 34 ++++++++++++------------ frida_mode/src/instrument/instrument_x64.c | 39 ++++++++++++++++++++++++---- frida_mode/src/instrument/instrument_x86.c | 39 ++++++++++++++++++++++++---- frida_mode/src/js/js.c | 2 ++ 5 files changed, 107 insertions(+), 35 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index 44e37e11..cb2a322b 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c 
@@ -9,8 +9,8 @@ #define PAGE_MASK (~(GUM_ADDRESS(0xfff))) #define PAGE_ALIGNED(x) ((GUM_ADDRESS(x) & PAGE_MASK) == GUM_ADDRESS(x)) -gboolean instrument_cache_enabled = FALSE; -gsize instrument_cache_size = 0; +gboolean instrument_cache_enabled = FALSE; +gsize instrument_cache_size = 0; static GHashTable *coverage_blocks = NULL; extern __thread guint64 instrument_previous_pc; @@ -42,7 +42,7 @@ typedef struct { // ldr r1, [sp, #-132] ; 0xffffff7c // ldr r0, [sp, #-128] ; 0xffffff80 - uint32_t b_code; /* b imm */ + uint32_t b_code; /* b imm */ uint8_t *shared_mem; uint64_t *prev_location; 
@@ -136,43 +136,53 @@ gboolean instrument_is_coverage_optimize_supported(void) { static void instrument_coverage_switch(GumStalkerObserver *self, gpointer from_address, - gpointer start_address, - void *from_insn, - gpointer *target) { + gpointer start_address, void *from_insn, + gpointer *target) { + UNUSED_PARAMETER(self); UNUSED_PARAMETER(from_address); UNUSED_PARAMETER(start_address); UNUSED_PARAMETER(from_insn); if (!g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target))) { + return; + } - *target = (guint8 *)*target + G_STRUCT_OFFSET(afl_log_code_asm_t, str_r0_sp_rz); + *target = + (guint8 *)*target + G_STRUCT_OFFSET(afl_log_code_asm_t, str_r0_sp_rz); + } static void instrument_coverage_suppress_init(void) { + static gboolean initialized = false; if (initialized) { return; } initialized = true; - GumStalkerObserver * observer = stalker_get_observer(); + GumStalkerObserver *observer = stalker_get_observer(); GumStalkerObserverInterface *iface = GUM_STALKER_OBSERVER_GET_IFACE(observer); iface->switch_callback = instrument_coverage_switch; coverage_blocks = g_hash_table_new(g_direct_hash, g_direct_equal); if (coverage_blocks == NULL) { + FATAL("Failed to g_hash_table_new, errno: %d", errno); + } + } static void patch_t3_insn(uint32_t *insn, uint16_t val) { + uint32_t orig = GUINT32_FROM_LE(*insn); uint32_t imm12 = (val & 0xfff); uint32_t imm4 = (val >> 12); orig |= imm12; orig |= (imm4 << 16); *insn = GUINT32_TO_LE(orig); + } void instrument_coverage_optimize(const cs_insn *instr, @@ -190,7 +200,9 @@ void instrument_coverage_optimize(const cs_insn *instr, block_start = GSIZE_TO_POINTER(GUM_ADDRESS(cw->code)); if (!g_hash_table_add(coverage_blocks, block_start)) { + FATAL("Failed - g_hash_table_add"); + } code.code = template; diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index fe70a8bb..c7584a87 100644 --- a/frida_mode/src/instrument/instrument_arm64.c 
+++ b/frida_mode/src/instrument/instrument_arm64.c @@ -156,46 +156,46 @@ static gboolean instrument_is_deterministic(const cs_insn *from_insn) { } -cs_insn * -instrument_disassemble (gconstpointer address) -{ - csh capstone; - cs_insn * insn = NULL; +cs_insn *instrument_disassemble(gconstpointer address) { - cs_open (CS_ARCH_ARM64, GUM_DEFAULT_CS_ENDIAN, &capstone); - cs_option (capstone, CS_OPT_DETAIL, CS_OPT_ON); + csh capstone; + cs_insn *insn = NULL; - cs_disasm (capstone, address, 16, GPOINTER_TO_SIZE (address), 1, &insn); + cs_open(CS_ARCH_ARM64, GUM_DEFAULT_CS_ENDIAN, &capstone); + cs_option(capstone, CS_OPT_DETAIL, CS_OPT_ON); - cs_close (&capstone); + cs_disasm(capstone, address, 16, GPOINTER_TO_SIZE(address), 1, &insn); + + cs_close(&capstone); return insn; + } static void instrument_coverage_switch(GumStalkerObserver *self, gpointer from_address, - gpointer start_address, - void *from_insn, - gpointer *target) { + gpointer start_address, void *from_insn, + gpointer *target) { UNUSED_PARAMETER(self); UNUSED_PARAMETER(from_address); UNUSED_PARAMETER(start_address); - cs_insn * insn = NULL; + cs_insn *insn = NULL; gboolean deterministic = FALSE; - gsize fixup_offset; + gsize fixup_offset; if (!g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target)) && - !g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER((guint8 *)*target + 4))) { + !g_hash_table_contains(coverage_blocks, + GSIZE_TO_POINTER((guint8 *)*target + 4))) { return; } - insn = instrument_disassemble (from_insn); + insn = instrument_disassemble(from_insn); deterministic = instrument_is_deterministic(insn); - cs_free (insn, 1); + cs_free(insn, 1); if (deterministic) { return; } /* diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 13ced4a3..f7b7d6c5 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c 
@@ -171,11 +171,11 @@ void instrument_coverage_optimize_init(void) { } -static void instrument_coverage_switch(GumStalkerObserver *self, - gpointer from_address, - gpointer start_address, - const cs_insn *from_insn, - gpointer *target) { +static void instrument_coverage_switch_insn(GumStalkerObserver *self, + gpointer from_address, + gpointer start_address, + const cs_insn *from_insn, + gpointer *target) { UNUSED_PARAMETER(self); UNUSED_PARAMETER(from_address); @@ -224,6 +224,35 @@ static void instrument_coverage_switch(GumStalkerObserver *self, } +cs_insn *instrument_disassemble(gconstpointer address) { + + csh capstone; + cs_insn *insn = NULL; + + cs_open(CS_ARCH_X86, GUM_CPU_MODE, &capstone); + cs_option(capstone, CS_OPT_DETAIL, CS_OPT_ON); + + cs_disasm(capstone, address, 16, GPOINTER_TO_SIZE(address), 1, &insn); + + cs_close(&capstone); + + return insn; + +} + +static void instrument_coverage_switch(GumStalkerObserver *self, + gpointer from_address, + gpointer start_address, void *from_insn, + gpointer *target) { + + if (from_insn == NULL) { return; } + cs_insn *insn = instrument_disassemble(from_insn); + instrument_coverage_switch_insn(self, from_address, start_address, insn, + target); + cs_free(insn, 1); + +} + static void instrument_coverage_suppress_init(void) { static gboolean initialized = false; diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index eabd5be4..f15893cb 100644 --- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c 
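Review bot: The new `instrument_coverage_switch` wrapper in instrument_x64.c returns early on `from_insn == NULL` but not when `instrument_disassemble` yields NULL; that NULL then reaches `instrument_coverage_switch_insn` (whose body lies outside this hunk) and `cs_free(insn, 1)`, which dereferences it. Add `if (insn == NULL) { return; }` directly after the `instrument_disassemble` call; the same applies to the copy in instrument_x86.c on the next physical line. Both files now carry byte-identical `instrument_disassemble` and wrapper definitions with external linkage; a single `static` definition in a shared unit, or at least a prototype in a header, would stop the two copies from drifting apart. A comment on the wrapper such as `/* FRIDA now passes the branch's address instead of a cs_insn; disassemble it on demand. */` would explain why the extra layer exists, assuming that is the reason for the split.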
@@ -83,11 +83,11 @@ gboolean instrument_is_coverage_optimize_supported(void) { } -static void instrument_coverage_switch(GumStalkerObserver *self, - gpointer from_address, - gpointer start_address, - const cs_insn *from_insn, - gpointer *target) { +static void instrument_coverage_switch_insn(GumStalkerObserver *self, + gpointer from_address, + gpointer start_address, + const cs_insn *from_insn, + gpointer *target) { UNUSED_PARAMETER(self); UNUSED_PARAMETER(from_address); @@ -130,6 +130,35 @@ static void instrument_coverage_switch(GumStalkerObserver *self, } +cs_insn *instrument_disassemble(gconstpointer address) { + + csh capstone; + cs_insn *insn = NULL; + + cs_open(CS_ARCH_X86, GUM_CPU_MODE, &capstone); + cs_option(capstone, CS_OPT_DETAIL, CS_OPT_ON); + + cs_disasm(capstone, address, 16, GPOINTER_TO_SIZE(address), 1, &insn); + + cs_close(&capstone); + + return insn; + +} + +static void instrument_coverage_switch(GumStalkerObserver *self, + gpointer from_address, + gpointer start_address, void *from_insn, + gpointer *target) { + + if (from_insn == NULL) { return; } + cs_insn *insn = instrument_disassemble(from_insn); + instrument_coverage_switch_insn(self, from_address, start_address, insn, + target); + cs_free(insn, 1); + +} + static void instrument_coverage_suppress_init(void) { static gboolean initialized = false; diff --git a/frida_mode/src/js/js.c b/frida_mode/src/js/js.c index 52b88d96..25187694 100644 --- a/frida_mode/src/js/js.c +++ b/frida_mode/src/js/js.c @@ -19,9 +19,11 @@ static GMainContext *context; static GMainLoop *main_loop; static void js_msg(const gchar *message, GBytes *data, gpointer user_data) { + UNUSED_PARAMETER(data); UNUSED_PARAMETER(user_data); FOKF("%s", message); + } void js_config(void) { -- cgit v1.2.3 From ad6a4cf1c2b7089179c77544b9749e72a2dd6d0f Mon Sep 17 00:00:00 2001 
From: Your Name Date: Fri, 18 Nov 2022 08:11:26 +0000 Subject: Fix cmplog block ID generation to use hashes rather than bit-shifts --- frida_mode/src/cmplog/cmplog_arm64.c | 5 +---- frida_mode/src/cmplog/cmplog_x64.c | 5 +---- frida_mode/src/cmplog/cmplog_x86.c | 5 +---- 3 files changed, 3 insertions(+), 12 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/cmplog/cmplog_arm64.c b/frida_mode/src/cmplog/cmplog_arm64.c index 5792cbfa..095dc242 100644 --- a/frida_mode/src/cmplog/cmplog_arm64.c +++ b/frida_mode/src/cmplog/cmplog_arm64.c @@ -204,10 +204,7 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1, gsize address = context->pc; - register uintptr_t k = (uintptr_t)address; - - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + register uintptr_t k = instrument_get_offset_hash(GUM_ADDRESS(address)); if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) __afl_cmp_map->headers[k].hits = 0; diff --git a/frida_mode/src/cmplog/cmplog_x64.c b/frida_mode/src/cmplog/cmplog_x64.c index 17912648..ce6b8681 100644 --- a/frida_mode/src/cmplog/cmplog_x64.c +++ b/frida_mode/src/cmplog/cmplog_x64.c @@ -188,10 +188,7 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1, gsize address = ctx_read_reg(context, X86_REG_RIP); - register uintptr_t k = (uintptr_t)address; - - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 7; + register uintptr_t k = instrument_get_offset_hash(GUM_ADDRESS(address)); if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) __afl_cmp_map->headers[k].hits = 0; diff --git a/frida_mode/src/cmplog/cmplog_x86.c b/frida_mode/src/cmplog/cmplog_x86.c index a3a02457..fa06d611 100644 --- a/frida_mode/src/cmplog/cmplog_x86.c +++ b/frida_mode/src/cmplog/cmplog_x86.c 
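Review bot: Removing `k &= CMP_MAP_W - 1` in both cmplog hunks leaves `k` bounded only by whatever `instrument_get_offset_hash` returns, and `k` is then used directly as an index into `__afl_cmp_map->headers[]`; unless that hash is already masked to `CMP_MAP_W` (its definition is not in this diff), a coverage map larger than the cmp map would write past the end of the shared-memory cmp map. Keeping the mask on the new line, `register uintptr_t k = instrument_get_offset_hash(GUM_ADDRESS(address)) & (CMP_MAP_W - 1);`, costs nothing and keeps the bound next to the code that relies on it. The instrument_x86.c hunk on the next physical line has the same shape. `register` is a leftover from the removed lines and has no effect on current compilers; dropping it is optional.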
@@ -193,10 +193,7 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1, gsize address = ctx_read_reg(context, X86_REG_EIP); - register uintptr_t k = (uintptr_t)address; - - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + register uintptr_t k = instrument_get_offset_hash(GUM_ADDRESS(address)); if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) __afl_cmp_map->headers[k].hits = 0; -- cgit v1.2.3 From 9734d0b3c09b3d604941d43fd96454100349d8b1 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 23 Nov 2022 18:18:26 +0000 Subject: Fixes to make things easier to build for ARM --- frida_mode/src/instrument/instrument_arm32.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index cb2a322b..84dbb3be 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -273,7 +273,15 @@ void instrument_flush(GumStalkerOutput *output) { gpointer instrument_cur(GumStalkerOutput *output) { - return gum_arm_writer_cur(output->writer.arm); + gpointer curr = NULL; + + if (output->encoding == GUM_INSTRUCTION_SPECIAL) { + curr = gum_thumb_writer_cur(output->writer.thumb); + } else { + curr = gum_arm_writer_cur(output->writer.arm); + } + + return curr; } -- cgit v1.2.3 From 0885dda767ec29330c57c88f3102d5ee565b645d Mon Sep 17 00:00:00 2001 From: Your Date: Thu, 1 Dec 2022 18:17:21 +0000 Subject: Fix branch suppression for ARM64 --- frida_mode/src/instrument/instrument_arm64.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index c7584a87..39e32b12 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c 
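Review bot: The `instrument_cur` hunk in instrument_arm32.c selects `gum_thumb_writer_cur` on `GUM_INSTRUCTION_SPECIAL` without saying why; a comment such as `/* Stalker reports Thumb output as GUM_INSTRUCTION_SPECIAL on ARM */` (if that is indeed what the encoding value means here) would keep the next reader from treating it as a magic case. `instrument_flush`, just above this hunk, presumably chooses a writer the same way; if it still uses only `output->writer.arm`, it flushes the wrong writer for Thumb blocks, which is worth confirming since its body is outside the hunk.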
@@ -196,7 +196,7 @@ static void instrument_coverage_switch(GumStalkerObserver *self, insn = instrument_disassemble(from_insn); deterministic = instrument_is_deterministic(insn); cs_free(insn, 1); - if (deterministic) { return; } + if (!deterministic) { return; } /* * Since each block is prefixed with a restoration prologue, we need to be -- cgit v1.2.3 From e26c173041b185d7ea37aa923cca3ec4aed51b1b Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 13 Dec 2022 09:13:52 +0100 Subject: code format --- frida_mode/src/instrument/instrument_arm32.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index 84dbb3be..51f78a35 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -276,9 +276,13 @@ gpointer instrument_cur(GumStalkerOutput *output) { gpointer curr = NULL; if (output->encoding == GUM_INSTRUCTION_SPECIAL) { + curr = gum_thumb_writer_cur(output->writer.thumb); + } else { + curr = gum_arm_writer_cur(output->writer.arm); + } return curr; -- cgit v1.2.3 From 31727f36a8438cc3274b9a87c5ceab420ddf34e5 Mon Sep 17 00:00:00 2001 From: Your Date: Tue, 31 Jan 2023 06:23:00 +0000 Subject: Changes to revert broken branch suppression fix --- frida_mode/src/instrument/instrument_arm64.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 39e32b12..77aa8c1d 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c 
@@ -196,7 +196,15 @@ static void instrument_coverage_switch(GumStalkerObserver *self, insn = instrument_disassemble(from_insn); deterministic = instrument_is_deterministic(insn); cs_free(insn, 1); - if (!deterministic) { return; } + + /* + * If the branch is deterministic, then we should start execution at the + * begining of the block. From here, we will branch and skip the coverage + * code and jump right to the target code of the instrumented block. + * Otherwise, if the branch is non-deterministic, then we need to branch + * part way into the block to where the coverage instrumentation starts. + */ + if (deterministic) { return; } /* * Since each block is prefixed with a restoration prologue, we need to be -- cgit v1.2.3 From 0d55feb11db1f79ee92db5f44ed04277388c933d Mon Sep 17 00:00:00 2001 From: Your Date: Tue, 31 Jan 2023 06:49:32 +0000 Subject: Add support for disabling branch suppression --- frida_mode/src/instrument/instrument.c | 5 +++++ frida_mode/src/instrument/instrument_arm64.c | 22 ++++++++++++++++++---- frida_mode/src/instrument/instrument_x64.c | 10 +++++++--- frida_mode/src/instrument/instrument_x86.c | 12 ++++++++---- frida_mode/src/js/api.js | 7 +++++++ frida_mode/src/js/js_api.c | 7 +++++++ 6 files changed, 52 insertions(+), 11 deletions(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index e1e4ac22..a6aac666 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -27,6 +27,7 @@ gboolean instrument_optimize = false; gboolean instrument_unique = false; guint64 instrument_hash_zero = 0; guint64 instrument_hash_seed = 0; +gboolean instrument_suppress = false; gboolean instrument_use_fixed_seed = FALSE; guint64 instrument_fixed_seed = 0; 
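Review bot: The comment added above `if (deterministic) { return; }` in the instrument_arm64.c hunk misspells 'beginning' as 'begining'. Since this hunk reverses the `if (!deterministic)` test introduced two commits earlier, one more sentence in that comment on why the inverted form was wrong would keep the next person from flipping it back; the enclosing function continues beyond the hunk.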
@@ -290,6 +291,7 @@ void instrument_config(void) { (getenv("AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE")); instrument_coverage_insn = (getenv("AFL_FRIDA_INST_INSN") != NULL); instrument_regs_filename = getenv("AFL_FRIDA_INST_REGS_FILE"); + instrument_suppress = (getenv("AFL_FRIDA_INST_NO_SUPPRESS") == NULL); instrument_debug_config(); instrument_coverage_config(); @@ -321,6 +323,9 @@ void instrument_init(void) { FOKF(cBLU "Instrumentation" cRST " - " cGRN "instructions:" cYEL " [%c]", instrument_coverage_insn ? 'X' : ' '); + FOKF(cBLU "Instrumentation" cRST " - " cGRN "suppression:" cYEL " [%c]", + instrument_suppress ? 'X' : ' '); + if (instrument_tracing && instrument_optimize) { WARNF("AFL_FRIDA_INST_TRACE implies AFL_FRIDA_INST_NO_OPTIMIZE"); diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 77aa8c1d..4372861d 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -313,7 +313,7 @@ void instrument_coverage_optimize(const cs_insn *instr, // gum_arm64_writer_put_brk_imm(cw, 0x0); - instrument_coverage_suppress_init(); + if (instrument_suppress) { instrument_coverage_suppress_init(); } code_addr = cw->pc; @@ -333,9 +333,13 @@ void instrument_coverage_optimize(const cs_insn *instr, block_start = GSIZE_TO_POINTER(GUM_ADDRESS(cw->code) - GUM_RESTORATION_PROLOG_SIZE); - if (!g_hash_table_add(coverage_blocks, block_start)) { + if (instrument_suppress) { - FATAL("Failed - g_hash_table_add"); + if (!g_hash_table_add(coverage_blocks, block_start)) { + + FATAL("Failed - g_hash_table_add"); + + } } 
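Review bot: `instrument_suppress = (getenv("AFL_FRIDA_INST_NO_SUPPRESS") == NULL);` in `instrument_config` assigns unconditionally, so the `js_api_set_instrument_suppress_disable` setter added in the same commit only sticks if it runs after `instrument_config()`; the neighbouring options follow the same pattern, so this is presumably the intended order, but a comment next to the declaration in instrument.c, `/* default on; cleared by AFL_FRIDA_INST_NO_SUPPRESS or by the JS API, both applied after config */`, would record the dependency. The flag is named positively while the environment variable is negative, so the inverted `getenv` test deserves a short comment too. In the instrument_arm64.c hunks the init and `g_hash_table_add` calls are now gated on `instrument_suppress`; the enclosing `instrument_coverage_optimize` is cut by the hunks, so whether `block_start` is still needed when suppression is off cannot be judged from here.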
@@ -371,7 +375,17 @@ void instrument_coverage_optimize(const cs_insn *instr, code.code.mov_x1_curr_loc_shr_1 |= (area_offset_ror << 5); - gum_arm64_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code)); + if (instrument_suppress) { + + gum_arm64_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code)); + + } else { + + size_t offset = offsetof(afl_log_code, code.stp_x0_x1); + gum_arm64_writer_put_bytes(cw, &code.bytes[offset], + sizeof(afl_log_code) - offset); + + } } diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index f7b7d6c5..8338f8e7 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -380,11 +380,15 @@ void instrument_coverage_optimize(const cs_insn *instr, } - instrument_coverage_suppress_init(); + if (instrument_suppress) { - if (!g_hash_table_add(coverage_blocks, GSIZE_TO_POINTER(cw->code))) { + instrument_coverage_suppress_init(); - FATAL("Failed - g_hash_table_add"); + if (!g_hash_table_add(coverage_blocks, GSIZE_TO_POINTER(cw->code))) { + + FATAL("Failed - g_hash_table_add"); + + } } diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index f15893cb..4667ea29 100644 --- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c @@ -203,13 +203,17 @@ void instrument_coverage_optimize(const cs_insn *instr, code.code = template; - instrument_coverage_suppress_init(); + if (instrument_suppress) { - // gum_x86_writer_put_breakpoint(cw); + instrument_coverage_suppress_init(); - if (!g_hash_table_add(coverage_blocks, GSIZE_TO_POINTER(cw->code))) { + // gum_x86_writer_put_breakpoint(cw); - FATAL("Failed - g_hash_table_add"); + if (!g_hash_table_add(coverage_blocks, GSIZE_TO_POINTER(cw->code))) { + + FATAL("Failed - g_hash_table_add"); + + } } diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js index fce7a5d7..f9ea1ffb 100644 --- a/frida_mode/src/js/api.js 
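Review bot: The instrument_x86.c hunk moves the commented-out `// gum_x86_writer_put_breakpoint(cw);` into the new `if (instrument_suppress)` block instead of dropping it; dead debug code inside a freshly written branch reads as if it were part of the feature, so delete it or turn it into a documented debug switch. In the instrument_arm64.c hunk, the non-suppressed path emits the template from `offsetof(afl_log_code, code.stp_x0_x1)` onward while `code_addr = cw->pc` was captured earlier in the function (outside the hunk); if any field of `code` is patched relative to `code_addr` assuming the full template starts there, those fixups will be off by `offset` once the prologue is skipped — worth confirming, since the patching code is not in this diff.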
+++ b/frida_mode/src/js/api.js @@ -170,6 +170,12 @@ class Afl { static setInstrumentSeed(seed) { Afl.jsApiSetInstrumentSeed(seed); } + /* + * See `AFL_FRIDA_INST_NO_SUPPRESS` + */ + static setInstrumentSuppressDisable() { + Afl.jsApiSetInstrumentSuppressDisable(); + } /** * See `AFL_FRIDA_INST_TRACE_UNIQUE`. */ @@ -339,6 +345,7 @@ Afl.jsApiSetInstrumentLibraries = Afl.jsApiGetFunction("js_api_set_instrument_li Afl.jsApiSetInstrumentNoOptimize = Afl.jsApiGetFunction("js_api_set_instrument_no_optimize", "void", []); Afl.jsApiSetInstrumentRegsFile = Afl.jsApiGetFunction("js_api_set_instrument_regs_file", "void", ["pointer"]); Afl.jsApiSetInstrumentSeed = Afl.jsApiGetFunction("js_api_set_instrument_seed", "void", ["uint64"]); +Afl.jsApiSetInstrumentSuppressDisable = Afl.jsApiGetFunction("js_api_set_instrument_suppress_disable", "void", []); Afl.jsApiSetInstrumentTrace = Afl.jsApiGetFunction("js_api_set_instrument_trace", "void", []); Afl.jsApiSetInstrumentTraceUnique = Afl.jsApiGetFunction("js_api_set_instrument_trace_unique", "void", []); Afl.jsApiSetInstrumentUnstableCoverageFile = Afl.jsApiGetFunction("js_api_set_instrument_unstable_coverage_file", "void", ["pointer"]); diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index 01bba4ff..2e996c1c 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -289,6 +289,13 @@ __attribute__((visibility("default"))) void js_api_set_instrument_cache_size( } +__attribute__((visibility("default"))) void +js_api_set_instrument_suppress_disable(void) { + + instrument_suppress = false; + +} + __attribute__((visibility("default"))) void js_api_set_js_main_hook( const js_main_hook_t hook) { -- cgit v1.2.3
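Review bot: The new `setInstrumentSuppressDisable` in api.js is documented with a plain `/*` comment and no trailing period, while every neighbouring method uses a `/** ... */` doc comment ending in a period; make it `/** See AFL_FRIDA_INST_NO_SUPPRESS. */` in the same shape as the comment on `setInstrumentTraceUnique` directly below it. The js_api.c hunk assigns `instrument_suppress = false;` and therefore relies on an `extern gboolean instrument_suppress;` declaration being visible from instrument.h, which this diff does not show; if that declaration was not added, the file will not build.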