From 574de9ff4cb2fdf2c28c32a3c2d7c5c773adb6ab Mon Sep 17 00:00:00 2001 From: hac425 Date: Sat, 9 Nov 2019 14:21:39 +0000 Subject: add basic supprt for qbdi_mode, test x86_64 Linux --- qbdi_mode/template.cpp | 214 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 214 insertions(+) create mode 100755 qbdi_mode/template.cpp (limited to 'qbdi_mode/template.cpp') diff --git a/qbdi_mode/template.cpp b/qbdi_mode/template.cpp new file mode 100755 index 00000000..6c118a12 --- /dev/null +++ b/qbdi_mode/template.cpp @@ -0,0 +1,214 @@ +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +#include +#include "../config.h" + +#include + +using namespace QBDI; + +typedef int (*target_func)(char *buf, int size); + +static const size_t STACK_SIZE = 0x100000; // 1MB +static const QBDI::rword FAKE_RET_ADDR = 0x40000; +target_func p_target_func = NULL; +rword module_base = 0; +rword module_end = 0; +static unsigned char + dummy[MAP_SIZE]; /* costs MAP_SIZE but saves a few instructions */ +unsigned char *afl_area_ptr = NULL; /* Exported for afl_gen_trace */ + +unsigned long afl_prev_loc = 0; + + +/* Set up SHM region and initialize other stuff. */ + +int afl_setup(void) { + char *id_str = getenv(SHM_ENV_VAR); + int shm_id; + if (id_str) { + shm_id = atoi(id_str); + afl_area_ptr = (unsigned char*)shmat(shm_id, NULL, 0); + if (afl_area_ptr == (void *)-1) + return 0; + memset(afl_area_ptr, 0, MAP_SIZE); + } + return 1; +} + + +/* Fork server logic, invoked once we hit _start. */ + +static void afl_forkserver() +{ + + static unsigned char tmp[4]; + pid_t child_pid; + + if (write(FORKSRV_FD + 1, tmp, 4) != 4) + return; + + while (1) + { + + int status; + u32 was_killed; + // wait for afl-fuzz + if (read(FORKSRV_FD, &was_killed, 4) != 4) + exit(2); + + + child_pid = fork(); + if (child_pid < 0) + exit(4); + + if (!child_pid) + { + // child return to execute code + close(FORKSRV_FD); + close(FORKSRV_FD + 1); + return; + } + + // write child pid to afl-fuzz + if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) + exit(5); + + // wait child stop + if (waitpid(child_pid, &status, 0) < 0) + exit(6); + + // send child stop status to afl-fuzz + if (write(FORKSRV_FD + 1, &status, 4) != 4) + exit(7); + } +} + +void afl_maybe_log(unsigned long cur_loc) { + if(afl_area_ptr == NULL){ + return; + } + unsigned long afl_idx = cur_loc ^ afl_prev_loc; + afl_area_ptr[afl_idx % MAP_SIZE]++; + afl_prev_loc = cur_loc >> 1; +} +char* read_file(char* path, unsigned long* length) { + FILE *pFile = fopen(path, "rb"); + char *pBuf; + fseek(pFile, 0, SEEK_END); + unsigned long len = ftell(pFile); + pBuf = (char*)malloc(len); + rewind(pFile); + fread(pBuf, 1, len, pFile); + fclose(pFile); + *length = len; + return pBuf; +} + +char FPATH[200]; + +QBDI_NOINLINE int fuzz_func() +{ + + if(afl_setup()){ + afl_forkserver(); + } + + unsigned long len = 0; + char* data = read_file(FPATH, &len); + + printf("In fuzz_func\n"); + p_target_func(data, len); + return 1; +} + + + + + + +static QBDI::VMAction bbcallback(QBDI::VMInstanceRef vm, const QBDI::VMState *state, QBDI::GPRState *gprState, QBDI::FPRState *fprState, void *data) { + // errno = SAVED_ERRNO; + + unsigned long pc = gprState->rip; + // printf("%p\n", pc); + if(pc >= module_base && pc <= module_end){ + unsigned long offset = pc - module_base; + printf("\toffset:%p\n", offset); + afl_maybe_log(offset); + } + return QBDI::VMAction::CONTINUE; +} + +int main(int argc, char **argv) +{ + + const char *lib_path; + lib_path = argv[1]; + // FPATH = argv[2]; + strcpy(FPATH, argv[2]); + void *handle = dlopen(lib_path, RTLD_LAZY); + + if (handle == nullptr) + { + perror("Cannot load library"); + exit(EXIT_FAILURE); + } + + const char *lib_name = lib_path; + if (strrchr(lib_name, '/') != nullptr) + lib_name = strrchr(lib_name, '/') + 1; + + // printf("library name:%s\n", lib_name); + + for (MemoryMap &map : getCurrentProcessMaps()) + { + // printf("module:%s\n", map.name.c_str()); + if ((map.permission & PF_EXEC) && strstr(map.name.c_str(), lib_name) != NULL) + { + module_base = map.range.start; + module_end = map.range.end; + } + } + + if (module_base == 0) + { + std::cerr << "Fail to find base address" << std::endl; + return -1; + } + // printf("module base:%p, module end:%p\n", module_base, module_end); + p_target_func = (target_func)dlsym(handle, "target_func"); + // p_target_func = (target_func)(module_base + 0x61a); + printf("p_target_func:%p\n", p_target_func); + + VM vm; + uint8_t *fakestack = nullptr; + + GPRState *state = vm.getGPRState(); + allocateVirtualStack(state, STACK_SIZE, &fakestack); + vm.addInstrumentedModuleFromAddr(module_base); + vm.addInstrumentedModuleFromAddr((rword)&main); + + + vm.addVMEventCB(BASIC_BLOCK_ENTRY, bbcallback, nullptr); + + + // QBDI::simulateCall(state, FAKE_RET_ADDR); + // vm.run((rword)&fuzz_func, (rword)FAKE_RET_ADDR); + + rword ret; + vm.call(&ret, (rword)&fuzz_func, {}); + + return 0; +} -- cgit v1.2.3 From ab8fb271f71c50f46fac86fb7ac09593542726b3 Mon Sep 17 00:00:00 2001 From: hac425 Date: Sat, 9 Nov 2019 15:18:24 +0000 Subject: add support for android x86, x86-64 in qbdi mode --- qbdi_mode/template.cpp | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'qbdi_mode/template.cpp') diff --git a/qbdi_mode/template.cpp b/qbdi_mode/template.cpp index 6c118a12..85b46d2f 100755 --- a/qbdi_mode/template.cpp +++ b/qbdi_mode/template.cpp @@ -10,10 +10,17 @@ #include #include +#ifdef __ANDROID__ +#include "../include/android-ashmem.h" +#endif +#include #include #include "../config.h" + + + #include using namespace QBDI; @@ -49,7 +56,6 @@ int afl_setup(void) { /* Fork server logic, invoked once we hit _start. */ - static void afl_forkserver() { @@ -141,8 +147,14 @@ QBDI_NOINLINE int fuzz_func() static QBDI::VMAction bbcallback(QBDI::VMInstanceRef vm, const QBDI::VMState *state, QBDI::GPRState *gprState, QBDI::FPRState *fprState, void *data) { // errno = SAVED_ERRNO; +#ifdef __x86_64__ unsigned long pc = gprState->rip; - // printf("%p\n", pc); +#elif defined(i386) + unsigned long pc = gprState->eip; +#elif defined(__arm__) + unsigned long pc = gprState->pc; +#endif + if(pc >= module_base && pc <= module_end){ unsigned long offset = pc - module_base; printf("\toffset:%p\n", offset); -- cgit v1.2.3 From c8c004d568f639b09a70deecce6c634ac45d4842 Mon Sep 17 00:00:00 2001 From: hac425 Date: Thu, 14 Nov 2019 14:30:29 +0000 Subject: modify build.sh and add document --- qbdi_mode/template.cpp | 90 ++++++++++++++++++++++++++------------------------ 1 file changed, 46 insertions(+), 44 deletions(-) (limited to 'qbdi_mode/template.cpp') diff --git a/qbdi_mode/template.cpp b/qbdi_mode/template.cpp index 85b46d2f..f0b0c601 100755 --- a/qbdi_mode/template.cpp +++ b/qbdi_mode/template.cpp @@ -18,9 +18,6 @@ #include #include "../config.h" - - - #include using namespace QBDI; @@ -33,20 +30,21 @@ target_func p_target_func = NULL; rword module_base = 0; rword module_end = 0; static unsigned char - dummy[MAP_SIZE]; /* costs MAP_SIZE but saves a few instructions */ -unsigned char *afl_area_ptr = NULL; /* Exported for afl_gen_trace */ + dummy[MAP_SIZE]; /* costs MAP_SIZE but saves a few instructions */ +unsigned char *afl_area_ptr = NULL; /* Exported for afl_gen_trace */ unsigned long afl_prev_loc = 0; - /* Set up SHM region and initialize other stuff. */ -int afl_setup(void) { +int afl_setup(void) +{ char *id_str = getenv(SHM_ENV_VAR); int shm_id; - if (id_str) { + if (id_str) + { shm_id = atoi(id_str); - afl_area_ptr = (unsigned char*)shmat(shm_id, NULL, 0); + afl_area_ptr = (unsigned char *)shmat(shm_id, NULL, 0); if (afl_area_ptr == (void *)-1) return 0; memset(afl_area_ptr, 0, MAP_SIZE); @@ -54,7 +52,6 @@ int afl_setup(void) { return 1; } - /* Fork server logic, invoked once we hit _start. */ static void afl_forkserver() { @@ -74,7 +71,6 @@ static void afl_forkserver() if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2); - child_pid = fork(); if (child_pid < 0) exit(4); @@ -101,25 +97,28 @@ static void afl_forkserver() } } -void afl_maybe_log(unsigned long cur_loc) { - if(afl_area_ptr == NULL){ - return; - } - unsigned long afl_idx = cur_loc ^ afl_prev_loc; - afl_area_ptr[afl_idx % MAP_SIZE]++; - afl_prev_loc = cur_loc >> 1; +void afl_maybe_log(unsigned long cur_loc) +{ + if (afl_area_ptr == NULL) + { + return; + } + unsigned long afl_idx = cur_loc ^ afl_prev_loc; + afl_area_ptr[afl_idx % MAP_SIZE]++; + afl_prev_loc = cur_loc >> 1; } -char* read_file(char* path, unsigned long* length) { - FILE *pFile = fopen(path, "rb"); - char *pBuf; - fseek(pFile, 0, SEEK_END); - unsigned long len = ftell(pFile); - pBuf = (char*)malloc(len); - rewind(pFile); - fread(pBuf, 1, len, pFile); - fclose(pFile); - *length = len; - return pBuf; +char *read_file(char *path, unsigned long *length) +{ + FILE *pFile = fopen(path, "rb"); + char *pBuf; + fseek(pFile, 0, SEEK_END); + unsigned long len = ftell(pFile); + pBuf = (char *)malloc(len); + rewind(pFile); + fread(pBuf, 1, len, pFile); + fclose(pFile); + *length = len; + return pBuf; } char FPATH[200]; @@ -127,24 +126,21 @@ char FPATH[200]; QBDI_NOINLINE int fuzz_func() { - if(afl_setup()){ + if (afl_setup()) + { afl_forkserver(); } unsigned long len = 0; - char* data = read_file(FPATH, &len); + char *data = read_file(FPATH, &len); printf("In fuzz_func\n"); p_target_func(data, len); return 1; } - - - - - -static QBDI::VMAction bbcallback(QBDI::VMInstanceRef vm, const QBDI::VMState *state, QBDI::GPRState *gprState, QBDI::FPRState *fprState, void *data) { +static QBDI::VMAction bbcallback(QBDI::VMInstanceRef vm, const QBDI::VMState *state, QBDI::GPRState *gprState, QBDI::FPRState *fprState, void *data) +{ // errno = SAVED_ERRNO; #ifdef __x86_64__ @@ -154,9 +150,11 @@ static QBDI::VMAction bbcallback(QBDI::VMInstanceRef vm, const QBDI::VMState *st #elif defined(__arm__) unsigned long pc = gprState->pc; #endif - - if(pc >= module_base && pc <= module_end){ - unsigned long offset = pc - module_base; + + // just log the module path + if (pc >= module_base && pc <= module_end) + { + unsigned long offset = pc - module_base; printf("\toffset:%p\n", offset); afl_maybe_log(offset); } @@ -166,6 +164,12 @@ static QBDI::VMAction bbcallback(QBDI::VMInstanceRef vm, const QBDI::VMState *st int main(int argc, char **argv) { + if (argc < 3) + { + puts("usage: ./loader library_path input_file_path"); + exit(0); + } + const char *lib_path; lib_path = argv[1]; // FPATH = argv[2]; @@ -183,9 +187,9 @@ int main(int argc, char **argv) lib_name = strrchr(lib_name, '/') + 1; // printf("library name:%s\n", lib_name); - + // load library module address for log path for (MemoryMap &map : getCurrentProcessMaps()) - { + { // printf("module:%s\n", map.name.c_str()); if ((map.permission & PF_EXEC) && strstr(map.name.c_str(), lib_name) != NULL) { @@ -212,10 +216,8 @@ int main(int argc, char **argv) vm.addInstrumentedModuleFromAddr(module_base); vm.addInstrumentedModuleFromAddr((rword)&main); - vm.addVMEventCB(BASIC_BLOCK_ENTRY, bbcallback, nullptr); - // QBDI::simulateCall(state, FAKE_RET_ADDR); // vm.run((rword)&fuzz_func, (rword)FAKE_RET_ADDR); -- cgit v1.2.3 From 0071e537f3aa1ccb6dbc38a2e88bd53595021775 Mon Sep 17 00:00:00 2001 From: hac425 Date: Thu, 14 Nov 2019 14:38:04 +0000 Subject: format code for demo-so.c and template.cpp --- qbdi_mode/template.cpp | 325 +++++++++++++++++++++++++------------------------ 1 file changed, 166 insertions(+), 159 deletions(-) (limited to 'qbdi_mode/template.cpp') diff --git a/qbdi_mode/template.cpp b/qbdi_mode/template.cpp index f0b0c601..601860d2 100755 --- a/qbdi_mode/template.cpp +++ b/qbdi_mode/template.cpp @@ -24,205 +24,212 @@ using namespace QBDI; typedef int (*target_func)(char *buf, int size); -static const size_t STACK_SIZE = 0x100000; // 1MB +static const size_t STACK_SIZE = 0x100000; // 1MB static const QBDI::rword FAKE_RET_ADDR = 0x40000; -target_func p_target_func = NULL; -rword module_base = 0; -rword module_end = 0; +target_func p_target_func = NULL; +rword module_base = 0; +rword module_end = 0; static unsigned char - dummy[MAP_SIZE]; /* costs MAP_SIZE but saves a few instructions */ -unsigned char *afl_area_ptr = NULL; /* Exported for afl_gen_trace */ + dummy[MAP_SIZE]; /* costs MAP_SIZE but saves a few instructions */ +unsigned char *afl_area_ptr = NULL; /* Exported for afl_gen_trace */ unsigned long afl_prev_loc = 0; /* Set up SHM region and initialize other stuff. */ -int afl_setup(void) -{ - char *id_str = getenv(SHM_ENV_VAR); - int shm_id; - if (id_str) - { - shm_id = atoi(id_str); - afl_area_ptr = (unsigned char *)shmat(shm_id, NULL, 0); - if (afl_area_ptr == (void *)-1) - return 0; - memset(afl_area_ptr, 0, MAP_SIZE); - } - return 1; +int afl_setup(void) { + + char *id_str = getenv(SHM_ENV_VAR); + int shm_id; + if (id_str) { + + shm_id = atoi(id_str); + afl_area_ptr = (unsigned char *)shmat(shm_id, NULL, 0); + if (afl_area_ptr == (void *)-1) return 0; + memset(afl_area_ptr, 0, MAP_SIZE); + + } + + return 1; + } /* Fork server logic, invoked once we hit _start. */ -static void afl_forkserver() -{ - - static unsigned char tmp[4]; - pid_t child_pid; - - if (write(FORKSRV_FD + 1, tmp, 4) != 4) - return; - - while (1) - { - - int status; - u32 was_killed; - // wait for afl-fuzz - if (read(FORKSRV_FD, &was_killed, 4) != 4) - exit(2); - - child_pid = fork(); - if (child_pid < 0) - exit(4); - - if (!child_pid) - { - // child return to execute code - close(FORKSRV_FD); - close(FORKSRV_FD + 1); - return; - } - - // write child pid to afl-fuzz - if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) - exit(5); - - // wait child stop - if (waitpid(child_pid, &status, 0) < 0) - exit(6); - - // send child stop status to afl-fuzz - if (write(FORKSRV_FD + 1, &status, 4) != 4) - exit(7); +static void afl_forkserver() { + + static unsigned char tmp[4]; + pid_t child_pid; + + if (write(FORKSRV_FD + 1, tmp, 4) != 4) return; + + while (1) { + + int status; + u32 was_killed; + // wait for afl-fuzz + if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2); + + child_pid = fork(); + if (child_pid < 0) exit(4); + + if (!child_pid) { + + // child return to execute code + close(FORKSRV_FD); + close(FORKSRV_FD + 1); + return; + } + + // write child pid to afl-fuzz + if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(5); + + // wait child stop + if (waitpid(child_pid, &status, 0) < 0) exit(6); + + // send child stop status to afl-fuzz + if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7); + + } + } -void afl_maybe_log(unsigned long cur_loc) -{ - if (afl_area_ptr == NULL) - { - return; - } - unsigned long afl_idx = cur_loc ^ afl_prev_loc; - afl_area_ptr[afl_idx % MAP_SIZE]++; - afl_prev_loc = cur_loc >> 1; +void afl_maybe_log(unsigned long cur_loc) { + + if (afl_area_ptr == NULL) { return; } + unsigned long afl_idx = cur_loc ^ afl_prev_loc; + afl_area_ptr[afl_idx % MAP_SIZE]++; + afl_prev_loc = cur_loc >> 1; + } -char *read_file(char *path, unsigned long *length) -{ - FILE *pFile = fopen(path, "rb"); - char *pBuf; - fseek(pFile, 0, SEEK_END); - unsigned long len = ftell(pFile); - pBuf = (char *)malloc(len); - rewind(pFile); - fread(pBuf, 1, len, pFile); - fclose(pFile); - *length = len; - return pBuf; + +char *read_file(char *path, unsigned long *length) { + + FILE *pFile = fopen(path, "rb"); + char *pBuf; + fseek(pFile, 0, SEEK_END); + unsigned long len = ftell(pFile); + pBuf = (char *)malloc(len); + rewind(pFile); + fread(pBuf, 1, len, pFile); + fclose(pFile); + *length = len; + return pBuf; + } char FPATH[200]; -QBDI_NOINLINE int fuzz_func() -{ +QBDI_NOINLINE int fuzz_func() { - if (afl_setup()) - { - afl_forkserver(); - } + if (afl_setup()) { afl_forkserver(); } - unsigned long len = 0; - char *data = read_file(FPATH, &len); + unsigned long len = 0; + char * data = read_file(FPATH, &len); + + printf("In fuzz_func\n"); + p_target_func(data, len); + return 1; - printf("In fuzz_func\n"); - p_target_func(data, len); - return 1; } -static QBDI::VMAction bbcallback(QBDI::VMInstanceRef vm, const QBDI::VMState *state, QBDI::GPRState *gprState, QBDI::FPRState *fprState, void *data) -{ - // errno = SAVED_ERRNO; +static QBDI::VMAction bbcallback(QBDI::VMInstanceRef vm, + const QBDI::VMState *state, + QBDI::GPRState * gprState, + QBDI::FPRState *fprState, void *data) { + + // errno = SAVED_ERRNO; #ifdef __x86_64__ - unsigned long pc = gprState->rip; + unsigned long pc = gprState->rip; #elif defined(i386) - unsigned long pc = gprState->eip; + unsigned long pc = gprState->eip; #elif defined(__arm__) - unsigned long pc = gprState->pc; + unsigned long pc = gprState->pc; #endif - - // just log the module path - if (pc >= module_base && pc <= module_end) - { - unsigned long offset = pc - module_base; - printf("\toffset:%p\n", offset); - afl_maybe_log(offset); - } - return QBDI::VMAction::CONTINUE; + + // just log the module path + if (pc >= module_base && pc <= module_end) { + + unsigned long offset = pc - module_base; + printf("\toffset:%p\n", offset); + afl_maybe_log(offset); + + } + + return QBDI::VMAction::CONTINUE; + } -int main(int argc, char **argv) -{ +int main(int argc, char **argv) { - if (argc < 3) - { - puts("usage: ./loader library_path input_file_path"); - exit(0); - } + if (argc < 3) { - const char *lib_path; - lib_path = argv[1]; - // FPATH = argv[2]; - strcpy(FPATH, argv[2]); - void *handle = dlopen(lib_path, RTLD_LAZY); + puts("usage: ./loader library_path input_file_path"); + exit(0); - if (handle == nullptr) - { - perror("Cannot load library"); - exit(EXIT_FAILURE); - } + } - const char *lib_name = lib_path; - if (strrchr(lib_name, '/') != nullptr) - lib_name = strrchr(lib_name, '/') + 1; - - // printf("library name:%s\n", lib_name); - // load library module address for log path - for (MemoryMap &map : getCurrentProcessMaps()) - { - // printf("module:%s\n", map.name.c_str()); - if ((map.permission & PF_EXEC) && strstr(map.name.c_str(), lib_name) != NULL) - { - module_base = map.range.start; - module_end = map.range.end; - } - } + const char *lib_path; + lib_path = argv[1]; + // FPATH = argv[2]; + strcpy(FPATH, argv[2]); + void *handle = dlopen(lib_path, RTLD_LAZY); + + if (handle == nullptr) { + + perror("Cannot load library"); + exit(EXIT_FAILURE); + + } + + const char *lib_name = lib_path; + if (strrchr(lib_name, '/') != nullptr) lib_name = strrchr(lib_name, '/') + 1; + + // printf("library name:%s\n", lib_name); + // load library module address for log path + for (MemoryMap &map : getCurrentProcessMaps()) { + + // printf("module:%s\n", map.name.c_str()); + if ((map.permission & PF_EXEC) && + strstr(map.name.c_str(), lib_name) != NULL) { + + module_base = map.range.start; + module_end = map.range.end; - if (module_base == 0) - { - std::cerr << "Fail to find base address" << std::endl; - return -1; } - // printf("module base:%p, module end:%p\n", module_base, module_end); - p_target_func = (target_func)dlsym(handle, "target_func"); - // p_target_func = (target_func)(module_base + 0x61a); - printf("p_target_func:%p\n", p_target_func); - VM vm; - uint8_t *fakestack = nullptr; + } + + if (module_base == 0) { - GPRState *state = vm.getGPRState(); - allocateVirtualStack(state, STACK_SIZE, &fakestack); - vm.addInstrumentedModuleFromAddr(module_base); - vm.addInstrumentedModuleFromAddr((rword)&main); + std::cerr << "Fail to find base address" << std::endl; + return -1; - vm.addVMEventCB(BASIC_BLOCK_ENTRY, bbcallback, nullptr); + } - // QBDI::simulateCall(state, FAKE_RET_ADDR); - // vm.run((rword)&fuzz_func, (rword)FAKE_RET_ADDR); + // printf("module base:%p, module end:%p\n", module_base, module_end); + p_target_func = (target_func)dlsym(handle, "target_func"); + // p_target_func = (target_func)(module_base + 0x61a); + printf("p_target_func:%p\n", p_target_func); - rword ret; - vm.call(&ret, (rword)&fuzz_func, {}); + VM vm; + uint8_t *fakestack = nullptr; + + GPRState *state = vm.getGPRState(); + allocateVirtualStack(state, STACK_SIZE, &fakestack); + vm.addInstrumentedModuleFromAddr(module_base); + vm.addInstrumentedModuleFromAddr((rword)&main); + + vm.addVMEventCB(BASIC_BLOCK_ENTRY, bbcallback, nullptr); + + // QBDI::simulateCall(state, FAKE_RET_ADDR); + // vm.run((rword)&fuzz_func, (rword)FAKE_RET_ADDR); + + rword ret; + vm.call(&ret, (rword)&fuzz_func, {}); + + return 0; - return 0; } + -- cgit v1.2.3 From 7e022a09ccd88cf91cfafbc3d61cdb93b961bbe7 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Sun, 17 Nov 2019 11:39:21 +0100 Subject: adjust qbdi mode --- qbdi_mode/template.cpp | 48 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 32 insertions(+), 16 deletions(-) (limited to 'qbdi_mode/template.cpp') diff --git a/qbdi_mode/template.cpp b/qbdi_mode/template.cpp index 601860d2..18766d31 100755 --- a/qbdi_mode/template.cpp +++ b/qbdi_mode/template.cpp @@ -20,6 +20,20 @@ #include +/* NeverZero */ + +#if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO) +#define INC_AFL_AREA(loc) \ + asm volatile( \ + "incb (%0, %1, 1)\n" \ + "adcb $0, (%0, %1, 1)\n" \ + : /* no out */ \ + : "r"(afl_area_ptr), "r"(loc) \ + : "memory", "eax") +#else +#define INC_AFL_AREA(loc) afl_area_ptr[loc]++ +#endif + using namespace QBDI; typedef int (*target_func)(char *buf, int size); @@ -35,6 +49,8 @@ unsigned char *afl_area_ptr = NULL; /* Exported for afl_gen_trace */ unsigned long afl_prev_loc = 0; +char input_pathname[PATH_MAX]; + /* Set up SHM region and initialize other stuff. */ int afl_setup(void) { @@ -98,36 +114,37 @@ void afl_maybe_log(unsigned long cur_loc) { if (afl_area_ptr == NULL) { return; } unsigned long afl_idx = cur_loc ^ afl_prev_loc; - afl_area_ptr[afl_idx % MAP_SIZE]++; + afl_idx &= MAP_SIZE -1; + INC_AFL_AREA(afl_idx); afl_prev_loc = cur_loc >> 1; } char *read_file(char *path, unsigned long *length) { - FILE *pFile = fopen(path, "rb"); - char *pBuf; - fseek(pFile, 0, SEEK_END); - unsigned long len = ftell(pFile); - pBuf = (char *)malloc(len); - rewind(pFile); - fread(pBuf, 1, len, pFile); - fclose(pFile); + unsigned long len; + char * buf; + + FILE *fp = fopen(path, "rb"); + fseek(fp, 0, SEEK_END); + len = ftell(fp); + buf = (char *)malloc(len); + rewind(fp); + fread(buf, 1, len, fp); + fclose(fp); *length = len; - return pBuf; + return buf; } -char FPATH[200]; - QBDI_NOINLINE int fuzz_func() { if (afl_setup()) { afl_forkserver(); } unsigned long len = 0; - char * data = read_file(FPATH, &len); + char * data = read_file(input_pathname, &len); - printf("In fuzz_func\n"); + // printf("In fuzz_func\n"); p_target_func(data, len); return 1; @@ -172,8 +189,7 @@ int main(int argc, char **argv) { const char *lib_path; lib_path = argv[1]; - // FPATH = argv[2]; - strcpy(FPATH, argv[2]); + strcpy(input_pathname, argv[2]); void *handle = dlopen(lib_path, RTLD_LAZY); if (handle == nullptr) { -- cgit v1.2.3