From f68b9f5110f75068b65be35bd73d458f048f3fa1 Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Sat, 23 Oct 2021 20:09:36 +0100 Subject: frida mode display command line on mac --- frida_mode/src/main.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c index c0de9c6b..c8183d8f 100644 --- a/frida_mode/src/main.c +++ b/frida_mode/src/main.c @@ -6,6 +6,7 @@ #ifdef __APPLE__ #include #include + #include #else #include #include @@ -90,6 +91,7 @@ static void embedded_init(void) { static void afl_print_cmdline(void) { +#if defined(__linux__) char * buffer = g_malloc0(PROC_MAX); gchar *fname = g_strdup_printf("/proc/%d/cmdline", getppid()); int fd = open(fname, O_RDONLY); @@ -123,6 +125,17 @@ static void afl_print_cmdline(void) { close(fd); g_free(fname); g_free(buffer); +#elif defined(__APPLE__) + int idx; + char **argv = *_NSGetArgv(); + int nargv = *_NSGetArgc(); + + for (idx = 0; idx < nargv; idx ++) { + + OKF("AFL - COMMANDLINE: argv[%d] = %s", idx, argv[idx]); + + } +#endif } -- cgit 1.4.1 From 85ca0df98988cdb235e1d0cb9b156affc5afc80e Mon Sep 17 00:00:00 2001 From: David Carlier Date: Mon, 25 Oct 2021 06:53:45 +0100 Subject: frida mode musl build fix --- frida_mode/GNUmakefile | 3 +++ frida_mode/src/seccomp/seccomp_callback.c | 4 ++++ 2 files changed, 7 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index ed35c9f6..b5fee7a6 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -78,6 +78,9 @@ endif ifeq "$(shell uname)" "Linux" OS:=linux + ifneq "$(findstring musl, $(shell ldd --version 2>&1 | head -n 1))" "" + CFLAGS+= -D__MUSL__ + endif endif ifneq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" "" diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c index a88196ac..bc488489 100644 --- a/frida_mode/src/seccomp/seccomp_callback.c 
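Review bot: The new `__APPLE__` branch of afl_print_cmdline reports a different process than the Linux branch: the Linux code opens `/proc/<getppid()>/cmdline`, i.e. the parent (normally afl-fuzz), whereas `_NSGetArgv()`/`_NSGetArgc()` describe the current, instrumented process, so the `AFL - COMMANDLINE` lines mean different things on the two platforms. If the parent's command line is what is wanted on macOS it would need a sysctl-based lookup keyed on `getppid()`; if printing our own argv is acceptable, a comment above the `#elif` should say so, e.g. `/* macOS has no /proc: this prints the target's own argv, not afl-fuzz's */`. Minor style: `idx ++` should be `idx++` to match the surrounding code. The Linux half of the function lies in the preceding hunk.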
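Review bot: `CFLAGS+= -D__MUSL__` defines a macro in the namespace reserved for the compiler and C library (any identifier starting with two underscores), so a toolchain is free to predefine, redefine or reject it; a project-prefixed name such as `-DAFL_FRIDA_MUSL`, with the `#if !defined(__MUSL__)` guards in seccomp_callback.c and seccomp_filter.c renamed to match, avoids that. The detection also queries the host's `ldd` rather than the libc that `$(CC)` targets, so a cross or chroot build can set the flag for the wrong libc; a comment such as `# musl detection uses the host ldd; override CFLAGS when cross-compiling` would make that limitation visible to the next person who hits it.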
+++ b/frida_mode/src/seccomp/seccomp_callback.c @@ -1,6 +1,8 @@ #if defined(__linux__) && !defined(__ANDROID__) +#if !defined(__MUSL__) #include +#endif #include #include "seccomp.h" @@ -29,6 +31,7 @@ static void seccomp_callback_filter(struct seccomp_notif * req, req->data.args[0], req->data.args[1], req->data.args[2], req->data.args[3], req->data.args[4], req->data.args[5]); +#if !defined(__MUSL__) seccomp_print("FRAMES: (%u)\n", frames->len); char **syms = backtrace_symbols(frames->items, frames->len); if (syms == NULL) { FATAL("Failed to get symbols"); } @@ -49,6 +52,7 @@ static void seccomp_callback_filter(struct seccomp_notif * req, } free(syms); +#endif resp->error = 0; resp->val = 0; -- cgit 1.4.1 From 7407e2fb11675261173c625c3010ce9571a7d6f6 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Mon, 25 Oct 2021 09:37:51 +0100 Subject: frida mode musl further changes display stack trace --- frida_mode/src/seccomp/seccomp_callback.c | 16 ++++++++++++++++ frida_mode/src/seccomp/seccomp_filter.c | 2 ++ 2 files changed, 18 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c index bc488489..4232d842 100644 --- a/frida_mode/src/seccomp/seccomp_callback.c +++ b/frida_mode/src/seccomp/seccomp_callback.c @@ -52,6 +52,22 @@ static void seccomp_callback_filter(struct seccomp_notif * req, } free(syms); +#else + void **syms = (void **)__builtin_frame_address(0); + void *framep = __builtin_frame_address(1); + int i = 0; + + syms = framep; + while (syms) { + + framep = *syms; + syms = framep; + + if (!syms) break; + + seccomp_print("\%3d. %s\n", i ++, (char *)framep); + + } #endif resp->error = 0; diff --git a/frida_mode/src/seccomp/seccomp_filter.c b/frida_mode/src/seccomp/seccomp_filter.c index 8d56c367..7ee5ead1 100644 --- a/frida_mode/src/seccomp/seccomp_filter.c +++ b/frida_mode/src/seccomp/seccomp_filter.c 
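Review bot: The musl fallback in seccomp_callback_filter prints raw stack memory as text: each `framep` is a saved frame-pointer value read out of the previous frame, yet it is passed to `seccomp_print` as `%s`, so the loop dereferences that stack address as a NUL-terminated string instead of printing an address or symbol. Nothing bounds the walk or checks that the chain keeps moving up the stack, and GCC documents `__builtin_frame_address` with a non-zero level as unpredictable, so a frame compiled without a frame pointer (the default at -O2 on x86-64) turns this into a wild read inside a seccomp notification handler; `"\%3d"` is also an unknown escape sequence that most compilers warn about. At minimum print return addresses with `%p`, bound the iteration count, and stop when the next frame pointer does not move up the stack, roughly as below; the function starts and ends outside this hunk.
```c
#else
  /* musl has no backtrace_symbols(): walk saved frame pointers instead.
   * Only meaningful when the target keeps frame pointers; the fp[1]
   * return-address layout is assumed for x86-64/aarch64. */
  void **fp = __builtin_frame_address(0);
  int    i = 0;
  while (fp != NULL && i < 64) {
    void  *ret = fp[1];
    void **next = (void **)fp[0];
    if (ret == NULL) break;
    seccomp_print("%3d. %p\n", i++, ret);
    if (next <= fp) break;   /* chain must move up the stack */
    fp = next;
  }
#endif
```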
@@ -2,7 +2,9 @@ #include #include +#if !defined(__MUSL__) #include +#endif #include #include #include -- cgit 1.4.1 From f14b3bd9de4570a30c0f89bac2879ee3a7cfbcae Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 26 Oct 2021 18:48:13 +0100 Subject: Fix issues with Yama restrictions in FRIDA mode --- frida_mode/README.md | 6 ++++++ frida_mode/frida.map | 1 + frida_mode/include/entry.h | 3 +++ frida_mode/src/entry.c | 32 ++++++++++++++++++++++++++++++++ frida_mode/src/js/api.js | 7 +++++++ frida_mode/src/js/js_api.c | 6 ++++++ frida_mode/ts/lib/afl.ts | 12 ++++++++++++ include/envs.h | 1 + 8 files changed, 68 insertions(+) (limited to 'frida_mode/src') diff --git a/frida_mode/README.md b/frida_mode/README.md index df40c771..bb194080 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -288,6 +288,12 @@ ucomisd 2 ( 0.86%) * `AFL_FRIDA_STATS_INTERVAL` - The maximum frequency to output statistics information. Stats will be written whenever they are updated if the given interval has elapsed since last time they were written. +* `AFL_FRIDA_TRACEABLE` - Set the child process to be traceable by any process +to aid debugging and overcome the restrictions imposed by YAMA. Supported on +Linux only. Permits a non-root user to use `gcore` or similar to collect a core +dump of the instrumented target. Note that in order to capture the core dump you +must set a sufficient timeout (using `-t`) to avoid `afl-fuzz` killing the +process whilst it is being dumped. ## FASAN - Frida Address Sanitizer Mode Frida mode also supports FASAN. The design of this is actually quite simple and diff --git a/frida_mode/frida.map b/frida_mode/frida.map index 0fc48aa6..e2ae87a7 100644 --- a/frida_mode/frida.map +++ b/frida_mode/frida.map @@ -33,6 +33,7 @@ js_api_set_stats_interval; js_api_set_stderr; js_api_set_stdout; + js_api_set_traceable; local: *; diff --git a/frida_mode/include/entry.h b/frida_mode/include/entry.h index 3f0a4ecc..edc41467 100644 --- a/frida_mode/include/entry.h 
+++ b/frida_mode/include/entry.h @@ -4,6 +4,7 @@ #include "frida-gumjs.h" extern guint64 entry_point; +extern gboolean traceable; extern gboolean entry_compiled; extern gboolean entry_run; @@ -15,5 +16,7 @@ void entry_start(void); void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output); +void entry_on_fork(void); + #endif diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index 186ddd3a..0ce2f3c3 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -1,5 +1,9 @@ #include +#if defined(__linux__) && !defined(__ANDROID__) + #include +#endif + #include "frida-gumjs.h" #include "debug.h" @@ -16,6 +20,7 @@ extern void __afl_manual_init(); guint64 entry_point = 0; +gboolean traceable = FALSE; gboolean entry_compiled = FALSE; gboolean entry_run = FALSE; @@ -26,21 +31,48 @@ static void entry_launch(void) { /* Child here */ entry_run = TRUE; + entry_on_fork(); instrument_on_fork(); seccomp_on_fork(); stats_on_fork(); } +#if defined(__linux__) && !defined(__ANDROID__) +void entry_on_fork(void) { + + if (traceable) { + + if (prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY) < 0) { + + FATAL("Failed to PR_SET_PTRACER"); + + } + + } + +} + +#else +void entry_on_fork(void) { + + if (set_dumpable) { WARNF("AFL_FRIDA_TRACEABLE unsupported"); } + +} + +#endif + void entry_config(void) { entry_point = util_read_address("AFL_ENTRYPOINT"); + if (getenv("AFL_FRIDA_TRACEABLE") != NULL) { traceable = TRUE; } } void entry_init(void) { OKF("entry_point: 0x%016" G_GINT64_MODIFIER "X", entry_point); + OKF("dumpable: [%c]", traceable ? 'X' : ' '); if (dlopen(NULL, RTLD_NOW) == NULL) { FATAL("Failed to dlopen: %d", errno); } diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js index 40bb4a16..6f9f05d8 100644 --- a/frida_mode/src/js/api.js +++ b/frida_mode/src/js/api.js 
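Review bot: The startup log line `OKF("dumpable: [%c]", traceable ? 'X' : ' ')` mislabels the option: `PR_SET_PTRACER` changes which process may ptrace the child, not its dumpable flag, so it should read `OKF("traceable: [%c]", traceable ? 'X' : ' ')`. Because `PR_SET_PTRACER_ANY` deliberately switches off Yama's ptrace_scope=1 protection for the fuzzed child (any process that passes the usual uid/capability checks may then attach), the Linux `entry_on_fork` deserves a comment making the trade-off explicit, e.g. `/* AFL_FRIDA_TRACEABLE only: lets any process permitted by the normal ptrace checks attach despite Yama; never enable by default. */`. It is also worth noting in that comment that a child which has become non-dumpable (for instance after a credential change) still cannot be cored with `gcore` by this setting alone, since only the ptracer, not `PR_SET_DUMPABLE`, is adjusted. The hunk begins inside entry_launch, whose head lies outside it.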
@@ -243,6 +243,12 @@ class Afl { const buf = Memory.allocUtf8String(file); Afl.jsApiSetStdOut(buf); } + /** + * See `AFL_FRIDA_TRACEABLE`. + */ + static setTraceable() { + Afl.jsApiSetTraceable(); + } static jsApiGetFunction(name, retType, argTypes) { const addr = Afl.module.getExportByName(name); return new NativeFunction(addr, retType, argTypes); @@ -286,6 +292,7 @@ Afl.jsApiSetStatsFile = Afl.jsApiGetFunction("js_api_set_stats_file", "void", [" Afl.jsApiSetStatsInterval = Afl.jsApiGetFunction("js_api_set_stats_interval", "void", ["uint64"]); Afl.jsApiSetStdErr = Afl.jsApiGetFunction("js_api_set_stderr", "void", ["pointer"]); Afl.jsApiSetStdOut = Afl.jsApiGetFunction("js_api_set_stdout", "void", ["pointer"]); +Afl.jsApiSetTraceable = Afl.jsApiGetFunction("js_api_set_traceable", "void", []); Afl.jsApiWrite = new NativeFunction( /* tslint:disable-next-line:no-null-keyword */ Module.getExportByName(null, "write"), "int", ["int", "pointer", "int"]); diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c index 9dba79aa..f3d81a32 100644 --- a/frida_mode/src/js/js_api.c +++ b/frida_mode/src/js/js_api.c @@ -231,3 +231,9 @@ __attribute__((visibility("default"))) void js_api_set_stalker_ic_entries( } +__attribute__((visibility("default"))) void js_api_set_traceable(void) { + + traceable = TRUE; + +} + diff --git a/frida_mode/ts/lib/afl.ts b/frida_mode/ts/lib/afl.ts index 8a1ebf1b..538d9b70 100644 --- a/frida_mode/ts/lib/afl.ts +++ b/frida_mode/ts/lib/afl.ts @@ -284,6 +284,13 @@ class Afl { Afl.jsApiSetStdOut(buf); } + /** + * See `AFL_FRIDA_TRACEABLE`. + */ + public static setTraceable(): void { + Afl.jsApiSetTraceable(); + } + private static readonly jsApiAddExcludeRange = Afl.jsApiGetFunction( "js_api_add_exclude_range", "void", 
@@ -431,6 +438,11 @@ class Afl { "void", ["pointer"]); + private static readonly jsApiSetTraceable = Afl.jsApiGetFunction( + "js_api_set_traceable", + "void", + []); + private static readonly jsApiWrite = new NativeFunction( /* tslint:disable-next-line:no-null-keyword */ Module.getExportByName(null, "write"), diff --git a/include/envs.h b/include/envs.h index e3957147..61267a0d 100644 --- a/include/envs.h +++ b/include/envs.h @@ -76,6 +76,7 @@ static char *afl_environment_variables[] = { "AFL_FRIDA_PERSISTENT_RET", "AFL_FRIDA_STATS_FILE", "AFL_FRIDA_STATS_INTERVAL", + "AFL_FRIDA_TRACEABLE", "AFL_FUZZER_ARGS", // oss-fuzz "AFL_GDB", "AFL_GCC_ALLOWLIST", -- cgit 1.4.1 From d85f5d4d62d2ca986b077aef06e8cb32148d9361 Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Tue, 26 Oct 2021 22:30:44 +0100 Subject: frida mode macOs build fix proposal --- frida_mode/src/entry.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'frida_mode/src') diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c index 0ce2f3c3..c51e202f 100644 --- a/frida_mode/src/entry.c +++ b/frida_mode/src/entry.c @@ -56,7 +56,7 @@ void entry_on_fork(void) { #else void entry_on_fork(void) { - if (set_dumpable) { WARNF("AFL_FRIDA_TRACEABLE unsupported"); } + if (traceable) { WARNF("AFL_FRIDA_TRACEABLE unsupported"); } } -- cgit 1.4.1
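Review bot: The non-Linux stub of entry_on_fork raises the `AFL_FRIDA_TRACEABLE unsupported` warning from the per-fork path: entry_launch calls `entry_on_fork()` in the child (`/* Child here */`), so if a fork happens for every fuzzing iteration the same WARNF is emitted for each child instead of once. Moving the check to `entry_config` or `entry_init`, where the option is parsed and logged, would warn a single time, and the stub could then shrink to `void entry_on_fork(void) {}`. Both function bodies are only partially visible in this hunk.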