From 17bb51756faeaeda6fb17d63ede0a1a9d8ae4b5c Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Sun, 22 Sep 2019 19:38:53 +0200
Subject: persistent qemu retaddr offset
---
 qemu_mode/patches/afl-qemu-common.h | 1 +
 qemu_mode/patches/afl-qemu-cpu-inl.h | 4 ++++
 qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 2 +-
 3 files changed, 6 insertions(+), 1 deletion(-)
(limited to 'qemu_mode')
diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h
index 2b7bd51c..e435c62f 100644
--- a/qemu_mode/patches/afl-qemu-common.h
+++ b/qemu_mode/patches/afl-qemu-common.h
@@ -61,6 +61,7 @@ extern target_long persistent_stack_offset;
 extern unsigned char persistent_first_pass;
 extern unsigned char persistent_save_gpr;
 extern target_ulong persistent_saved_gpr[CPU_NB_REGS];
+extern int persisent_retaddr_offset;
 extern __thread abi_ulong afl_prev_loc;
diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h
index ee7d12e0..cfea04d6 100644
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-inl.h
@@ -90,6 +90,7 @@ target_long persistent_stack_offset;
 unsigned char persistent_first_pass;
 unsigned char persistent_save_gpr;
 target_ulong persistent_saved_gpr[CPU_NB_REGS];
+int persisent_retaddr_offset;
 /* Instrumentation ratio: */
@@ -218,6 +219,9 @@ static void afl_setup(void) {
 if (getenv("AFL_QEMU_PERSISTENT_GPR")) persistent_save_gpr = 1;
+
+ if (getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET"))
+ persisent_retaddr_offset = strtoll(getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET"), NULL, 16);
 if (getenv("AFL_QEMU_PERSISTENT_CNT"))
 afl_persistent_cnt = strtoll(getenv("AFL_QEMU_PERSISTENT_CNT"), NULL, 16);
diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
index 48b11c64..126cf255 100644
--- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
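Review bot: The identifier introduced by the added `extern int persisent_retaddr_offset;` is misspelled (`persisent` for `persistent`), and the same spelling is repeated in the definition and at the use site in the other two files of this commit. Since the name is brand new here it is cheap to rename it to `persistent_retaddr_offset` in all three places so it lines up with the neighbouring `persistent_*` declarations; once it ships inside the QEMU patch set the typo becomes part of the interface between the patched files. The declaration would also benefit from a one-line comment stating what the value means, e.g. `/* byte offset from ESP of the return-address slot at AFL_QEMU_PERSISTENT_ADDR; hex env AFL_QEMU_PERSISTENT_RETADDR_OFFSET, default 0 */`.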
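Review bot: The added `persisent_retaddr_offset = strtoll(getenv(...), NULL, 16);` silently truncates a `long long` into an `int` and, with a NULL end pointer, accepts anything: `8h`, an empty string or a trailing typo all parse without complaint, and the result then becomes a raw displacement for a store into the guest stack in the translate patch of this same commit. Because a wrong offset corrupts the target's frame at run time rather than failing at startup, I would parse with an end pointer and reject unparsable input or anything outside `int` range before assigning, using whatever fatal-error path afl_setup already has (the sketch below needs `<limits.h>`). The line mirrors the existing AFL_QEMU_PERSISTENT_CNT parsing, which has the same gap and could get the same treatment. afl_setup begins before this hunk and continues after it.
```c
  if (getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET")) {

    char *end;
    long long off = strtoll(getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET"), &end, 16);
    /* reject trailing garbage and values that do not fit the int added to ESP */
    if (*end || off < INT_MIN || off > INT_MAX) {
      fprintf(stderr, "[AFL] ERROR: invalid AFL_QEMU_PERSISTENT_RETADDR_OFFSET\n");
      exit(1);
    }
    persisent_retaddr_offset = (int)off;

  }
  /* … unchanged: AFL_QEMU_PERSISTENT_CNT parsing … */
```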
@@ -195,7 +195,7 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2,
 if (afl_persistent_ret_addr == 0) { \
 \
 TCGv_ptr paddr = tcg_const_ptr(afl_persistent_addr); \
- tcg_gen_st_tl(paddr, cpu_regs[R_ESP], 0); \
+ tcg_gen_st_tl(paddr, cpu_regs[R_ESP], persisent_retaddr_offset); \
 \
 } \
 tcg_gen_afl_call0(&afl_persistent_loop); \
-- cgit 1.4.1
From ff1f6af7e900ab4d76c91b9f2f4a60da259cd91d Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Sun, 22 Sep 2019 20:01:44 +0200
Subject: wine mode && fix llvm makefile
---
 Makefile | 3 ++-
 afl-wine-trace | 12 +++++++++---
 llvm_mode/Makefile | 2 +-
 qemu_mode/build_qemu_support.sh | 2 ++
 qemu_mode/libcompcov/compcovtest | Bin 8624 -> 0 bytes
 qemu_mode/unsigaction/Makefile | 34 ++++++++++++++++++++++++++++++++++
 qemu_mode/unsigaction/README.md | 7 +++++++
 qemu_mode/unsigaction/unsigaction.c | 3 +++
 8 files changed, 58 insertions(+), 5 deletions(-)
 delete mode 100755 qemu_mode/libcompcov/compcovtest
 create mode 100644 qemu_mode/unsigaction/Makefile
 create mode 100644 qemu_mode/unsigaction/README.md
 create mode 100644 qemu_mode/unsigaction/unsigaction.c
(limited to 'qemu_mode')
diff --git a/Makefile b/Makefile
index a6154561..42c6d737 100644
--- a/Makefile
+++ b/Makefile
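Review bot: The new displacement in `tcg_gen_st_tl(paddr, cpu_regs[R_ESP], persisent_retaddr_offset);` turns an operator-supplied hex string into an unchecked offset for a store into the guest stack, and nothing in this commit validates it, so a typo in the environment corrupts the target's frame silently instead of failing at startup; the check belongs on the parsing side in afl_setup. The slot semantics are also undocumented at the point of use: the store runs only when `afl_persistent_ret_addr == 0`, and it writes the persistent start address where, presumably, the call's return address sits, so a comment such as `/* ret-addr slot is at ESP + AFL_QEMU_PERSISTENT_RETADDR_OFFSET (0: plain call, retaddr on top of stack) */` would save the next reader a trip to the README. The identifier spelling `persisent` is a typo inherited from the declaration. The macro body this sits in begins and ends outside the hunk.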
@@ -228,11 +228,12 @@ all_done: test_build
 .NOTPARALLEL: clean
 clean:
- rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so unicorn_mode/24f55a7973278f20f0de21b904851d99d4716263.tar.gz *.8
+ rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so unicorn_mode/24f55a7973278f20f0de21b904851d99d4716263.tar.gz *.8
 rm -rf out_dir qemu_mode/qemu-3.1.1 unicorn_mode/unicorn
 $(MAKE) -C llvm_mode clean
 $(MAKE) -C libdislocator clean
 $(MAKE) -C libtokencap clean
+ $(MAKE) -C qemu_mode/unsigaction clean
 $(MAKE) -C qemu_mode/libcompcov clean
 distrib: all
diff --git a/afl-wine-trace b/afl-wine-trace
index fa552051..f8284d7e 100755
--- a/afl-wine-trace
+++ b/afl-wine-trace
@@ -18,13 +18,19 @@ os.environ["WINELOADERNOEXEC"] = "1"
 pe = pefile.PE(sys.argv[1])
-os.environ["AFL_ENTRYPOINT"] = "0x%x" % (pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.AddressOfEntryPoint)
+if "AFL_ENTRYPOINT" not in os.environ:
+ os.environ["AFL_ENTRYPOINT"] = "0x%x" % (pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.AddressOfEntryPoint)
 if not os.getenv("AFL_INST_LIBS"):
 if "AFL_CODE_START" not in os.environ:
 os.environ["AFL_CODE_START"] = "0x%x" % (pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.BaseOfCode)
 if "AFL_CODE_END" not in os.environ:
 os.environ["AFL_CODE_END"] = "0x%x" % (pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.BaseOfCode + pe.OPTIONAL_HEADER.SizeOfCode)
+if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"] or pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_IA64"]:
+ os.environ["LD_PRELOAD"] = os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction64.so")
+else:
+ os.environ["LD_PRELOAD"] = os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction32.so")
+
 if os.getenv("WINECOV_QEMU_PATH"):
 qemu_path = os.getenv("WINECOV_QEMU_PATH")
 elif os.path.exists(os.path.join(my_dir, "afl-qemu-trace")):
@@ -36,7 +42,7 @@ else:
 elif pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_I386"]:
 qemu_path += "i386"
 else:
- print ("[afl-wine-trace] unsupported architecture\n")
+ print ("[wine-cov] unsuppoted architecture\n")
 exit(1)
 qemu_path = shutil.which(qemu_path)
@@ -49,7 +55,7 @@ else:
 elif pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_I386"]:
 pass
 else:
- print ("[wine-cov] unsuppoted architecture\n")
+ print ("[afl-wine-trace] unsopported architecture\n")
 exit(1)
 os.execve(qemu_path, [qemu_path, wine_path] + sys.argv[1:], os.environ)
diff --git a/llvm_mode/Makefile b/llvm_mode/Makefile
index 2d35505e..96aba898 100644
--- a/llvm_mode/Makefile
+++ b/llvm_mode/Makefile
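Review bot: The added `os.environ["LD_PRELOAD"] = ...` lines put the preload into the environment of the process this script execve's at the bottom, which is the native afl-qemu-trace binary, not only the emulated Wine process; unless that QEMU build is static, the host loader will pull unsigaction into QEMU itself, and in the `else` branch the 32-bit object cannot even be loaded by a 64-bit qemu-i386 (the loader reports a wrong ELF class and carries on). The assignment also discards any LD_PRELOAD the user already exported, which AFL++ documents as the way to bring libcompcov in. If the guest is the intended target, QEMU-user's guest-environment knob is the cleaner channel, e.g. `os.environ["QEMU_SET_ENV"] = "LD_PRELOAD=" + os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction64.so")` (and the 32-bit twin), leaving the host environment untouched; if the host really is meant to get it as well, append to the existing value with a `:` separator rather than overwrite. A one-line comment saying why sigaction is neutered for Wine targets would help, since the intent is not visible from this script.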
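Review bot: The replacement message on the `+` line of the second hunk, `[wine-cov] unsuppoted architecture`, swaps in an old tool name with a typo while the `-` line it replaces was already correct, and the third hunk does the inverse and introduces `unsopported`. Both branches should print the same, correctly spelled diagnostic, `print("[afl-wine-trace] unsupported architecture", file=sys.stderr)`; the trailing `\n` inside the string only doubles print's own newline, and since the script exits with status 1 right after, stderr is where the message belongs.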
@@ -83,7 +83,7 @@ CXX = $(LLVM_BINDIR)/clang++
 ifeq "$(shell test -e $(CC) || echo 1 )" "1"
 # llvm-config --bindir is not providing a valid path, so ...
- ifeq "$(shell test -e "$(BIN_DIR)/clang" && echo 1)" "1"
+ ifeq "$(shell test -e '$(BIN_DIR)/clang' && echo 1)" "1"
 # we found one in the local install directory, lets use these
 CC = $(BIN_DIR)/clang
 CXX = $(BIN_DIR)/clang++
diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh
index 0ca3f494..02379eb2 100755
--- a/qemu_mode/build_qemu_support.sh
+++ b/qemu_mode/build_qemu_support.sh
@@ -212,6 +212,8 @@ fi
 echo "[+] Building libcompcov ..."
 make -C libcompcov
+echo "[+] Building unsigaction ..."
+make -C unsigaction
 echo "[+] libcompcov ready"
 echo "[+] All done for qemu_mode, enjoy!"
diff --git a/qemu_mode/libcompcov/compcovtest b/qemu_mode/libcompcov/compcovtest
deleted file mode 100755
index 0bb68d60..00000000
Binary files a/qemu_mode/libcompcov/compcovtest and /dev/null differ
diff --git a/qemu_mode/unsigaction/Makefile b/qemu_mode/unsigaction/Makefile
new file mode 100644
index 00000000..9aa96330
--- /dev/null
+++ b/qemu_mode/unsigaction/Makefile
@@ -0,0 +1,34 @@
+#
+# american fuzzy lop - unsigaction
+# --------------------------------
+#
+# Written by Andrea Fioraldi
+#
+# Copyright 2019 Andrea Fioraldi. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+
+ifndef AFL_NO_X86
+
+all: lib_i386 lib_amd64
+
+lib_i386:
+ $(CC) -m32 -fPIC -shared unsigaction.c -o unsigaction32.so
+
+lib_amd64:
+ $(CC) -fPIC -shared unsigaction.c -o unsigaction64.so
+
+clean:
+ rm -f unsigaction32.so unsigaction64.so
+
+else
+
+all:
+ @echo "[!] Note: skipping compilation of unsigaction (AFL_NO_X86 set)."
+
+endif
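Review bot: The one-character fix on the `+` line deserves a why-comment, because the next person to touch it is likely to "normalise" the quotes back: GNU make locates the closing `"` of the first `ifeq` operand before it evaluates `$(shell ...)`, so the nested `"$(BIN_DIR)/clang"` presumably ended the operand early and the comparison never saw the shell's output. Suggested line above it: `# single quotes on purpose: a nested " would end the ifeq string before $(shell) runs`. The enclosing `ifeq` chain continues past the hunk.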
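Review bot: The added `make -C unsigaction` is neither checked for failure nor placed after the libcompcov status line, so a failed build (its `-m32` target needs 32-bit crt and libc, which many hosts do not have) still ends with `[+] All done for qemu_mode, enjoy!`, and afl-wine-trace later preloads a .so that does not exist. I would move the two new lines below `echo "[+] libcompcov ready"`, fail the script on error with `make -C unsigaction || exit 1`, and add `echo "[+] unsigaction ready"` so the log stays symmetric; the pre-existing `make -C libcompcov` line has the same gap and could be fixed in the same way.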
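Review bot: `all: lib_i386 lib_amd64` makes the 32-bit build mandatory, so on a host without 32-bit multilib the whole target fails and the 64-bit library, which afl-wine-trace needs for the AMD64 case, is never produced. Ordering `lib_amd64` first and letting `lib_i386` fail soft with a note (the existing `AFL_NO_X86` branch already shows the pattern for a skipped build), or gating it on a quick `-m32` probe, would keep the common case working. The recipes also pass neither `$(CFLAGS)` nor `-Wall -Wextra`, so the stub's unused parameters and any future mistakes compile silently; a short comment on why two copies of the library exist (one per guest bitness for LD_PRELOAD) would help too.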
diff --git a/qemu_mode/unsigaction/README.md b/qemu_mode/unsigaction/README.md
new file mode 100644
index 00000000..0f3707fd
--- /dev/null
+++ b/qemu_mode/unsigaction/README.md
@@ -0,0 +1,7 @@
+# unsigation
+
+This library disable sigaction when preloaded.
+
+Mainly needed by Wine mode but can be used as a separate tool.
+
+A similar solution can be found in is [preeny](https://github.com/zardus/preeny).
diff --git a/qemu_mode/unsigaction/unsigaction.c b/qemu_mode/unsigaction/unsigaction.c
new file mode 100644
index 00000000..004084f9
--- /dev/null
+++ b/qemu_mode/unsigaction/unsigaction.c
@@ -0,0 +1,3 @@
+int sigaction(int signum, void *act, void *oldact) {
+ return 0;
+}
-- cgit 1.4.1
From 897fb9c2e407304f4015482f4fb27896b6fbe0b7 Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Sun, 22 Sep 2019 20:24:13 +0200
Subject: binary readme
---
 README.md | 2 ++
 qemu_mode/README.md | 63 ++++++++++++++++++++++++++++++++++++-----------------
 2 files changed, 45 insertions(+), 20 deletions(-)
(limited to 'qemu_mode')
diff --git a/README.md b/README.md
index b1a04611..71c626fe 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,8 @@
 * NeverZero patch for afl-gcc, llvm_mode, qemu_mode and unicorn_mode which prevents a wrapping map value to zero, increases coverage
 * Persistent mode and deferred forkserver for qemu_mode
+
+ * Win32 PE binary-only fuzzing with QEMU and Wine
 A more thorough list is available in the PATCHES file.
diff --git a/qemu_mode/README.md b/qemu_mode/README.md
index 54fbf874..7bce2a05 100644
--- a/qemu_mode/README.md
+++ b/qemu_mode/README.md
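Review bot: The interposed `sigaction` returns success without touching `oldact`, so any caller that queries or saves the current disposition (`sigaction(sig, NULL, &old)`, or a save-then-restore around a critical section) reads whatever uninitialized bytes were in `old` and may later feed them back as a handler; zeroing `oldact` when it is non-NULL makes the stub safe for that idiom. The prototype also declares `void *` parameters where libc has `const struct sigaction *` and `struct sigaction *`; using the real signature, with `<signal.h>` and `<string.h>` included, avoids a conflicting declaration the moment the file grows an include. A header comment should state the intent and the limits of the approach: as far as I can tell, the point is to keep the preloading process from installing its own handlers (Wine mode relies on it), and the stub does not cover glibc's `signal()`, which I believe goes through an internal alias rather than this symbol, nor direct `rt_sigaction` syscalls.
```c
/* LD_PRELOAD stub: swallow every sigaction() so the preloading process
 * cannot install its own signal handlers (Wine mode relies on this; see
 * README.md). Not covered: glibc's signal() and raw rt_sigaction syscalls. */
int sigaction(int signum, const struct sigaction *act,
              struct sigaction *oldact) {

  (void)signum;
  (void)act;
  /* callers that query or save the old disposition must not read garbage */
  if (oldact) memset(oldact, 0, sizeof *oldact);
  return 0;

}
```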
@@ -44,25 +44,19 @@ Note: if you want the QEMU helper to be installed on your system for all users, you need to build it before issuing 'make install' in the parent directory. -## 3) Options +## 3) Bonus feature #1: deferred initialization -There is ./libcompcov/ which implements laf-intel (splitting memcmp, -strncmp, etc. to make these conditions easier solvable by afl-fuzz). -Highly recommended. +As for LLVM mode (referes to its README for mode details) QEMU mode support +the deferred initialization. -The option that enables QEMU CompareCoverage is AFL_COMPCOV_LEVEL. -AFL_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate -values / read-only memory. AFL_COMPCOV_LEVEL=2 instruments all -comparison instructions and memory comparison functions when libcompcov -is preloaded. Comparison instructions are currently instrumented only -on the x86 and x86_64 targets. - -Another option is the environment variable AFL_ENTRYPOINT which allows -move the forkserver to a different part, e.g. just before the file is +This can be enabled setting the environment variable AFL_ENTRYPOINT which allows +to move the forkserver to a different part, e.g. just before the file is opened (e.g. way after command line parsing and config file loading, etc) which can be a huge speed improvement. Note that the specified address must be an address of a basic block. +## 4) Bonus feature #2: persistent mode + QEMU mode support also persistent mode for x86 and x86_64 targets. The environment variable to enable it is AFL_QEMU_PERSISTENT_ADDR=`start addr`. In this variable you must specify the address of the function that 
@@ -78,11 +72,40 @@ Note that the format of the addresses in such variables is hex. Note that the base address of PIE binaries in QEMU user is 0x4000000000. -Warning: in x86_64 parameters are passed via registers and so the target -function of persistent mode cannot make use of arguments. An option to restore -the state of each GPR each iteration of the loop is planned. +With the env variable AFL_QEMU_PERSISTENT_GPR you can tell QEMU to save the original +value of general purpose registers and restore them ech cycle. +This allow to use as persistent loop functions that make use of arguments on +x86_64. + +With AFL_QEMU_PERSISTENT_RETADDR_OFFSET you can specify the offset from the stack pointer in which +QEME can find the return address when `start addr` is hitted. + +Use this mode with caution, problably will not work at first shot. + +## 5) Bonus feature #3: CompareCoverage + +CompareCoverage is a sub-instrumentation with effects similar to laf-intel. + +The option that enables QEMU CompareCoverage is AFL_COMPCOV_LEVEL. +There is also ./libcompcov/ which implements CompareCoverage for *cmp functions +(splitting memcmp, strncmp, etc. to make these conditions easier solvable by afl-fuzz). +AFL_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate +values / read-only memory. AFL_COMPCOV_LEVEL=2 instruments all +comparison instructions and memory comparison functions when libcompcov +is preloaded. Comparison instructions are currently instrumented only +on the x86 and x86_64 targets. + +Highly recommended. + +## 6) Bonus feature #3: Wine mode + +AFL++ QEMU can use Wine to fuzz WIn32 PE binaries. Use the -W flag of afl-fuzz. + +Note that some binaries require user interaction with GUI and must be patched. + +For examples look [here](https://github.com/andreafioraldi/WineAFLplusplusDEMO). -## 4) Notes on linking +## 7) Notes on linking The feature is supported only on Linux. 
Supporting BSD may amount to porting the changes made to linux-user/elfload.c and applying them to @@ -103,7 +126,7 @@ practice, this means two things: Setting AFL_INST_LIBS=1 can be used to circumvent the .text detection logic and instrument every basic block encountered. -## 5) Benchmarking +## 8) Benchmarking If you want to compare the performance of the QEMU instrumentation with that of afl-gcc compiled code against the same target, you need to build the @@ -118,7 +141,7 @@ Comparative measurements of execution speed or instrumentation coverage will be fairly meaningless if the optimization levels or instrumentation scopes don't match. -## 6) Gotchas, feedback, bugs +## 9) Gotchas, feedback, bugs If you need to fix up checksums or do other cleanup on mutated test cases, see experimental/post_library/ for a viable solution. @@ -139,7 +162,7 @@ with -march=core2, can help. Beyond that, this is an early-stage mechanism, so fields reports are welcome. You can send them to . -## 7) Alternatives: static rewriting +## 10) Alternatives: static rewriting Statically rewriting binaries just once, instead of attempting to translate them at run time, can be a faster alternative. That said, static rewriting is -- cgit 1.4.1 From 74ef58e310d8f24596380fdb906b9fec41a7446a Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Sun, 22 Sep 2019 21:51:11 +0200 Subject: readme binary only --- qemu_mode/README.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'qemu_mode') diff --git a/qemu_mode/README.md b/qemu_mode/README.md index 7bce2a05..b994e4c6 100644 --- a/qemu_mode/README.md +++ b/qemu_mode/README.md 
@@ -19,7 +19,7 @@ Andrea Fioraldi. Special thanks to abiondo that re-enabled TCG chaining. ## 2) How to use -The feature is implemented with a patch to QEMU 3.1.0. The simplest way +The feature is implemented with a patch to QEMU 3.1.1. The simplest way to build it is to run ./build_qemu_support.sh. The script will download, configure, and compile the QEMU binary for you. @@ -72,13 +72,14 @@ Note that the format of the addresses in such variables is hex. Note that the base address of PIE binaries in QEMU user is 0x4000000000. -With the env variable AFL_QEMU_PERSISTENT_GPR you can tell QEMU to save the original -value of general purpose registers and restore them ech cycle. +With the env variable AFL_QEMU_PERSISTENT_GPR you can tell QEMU to save the +original value of general purpose registers and restore them ech cycle. This allow to use as persistent loop functions that make use of arguments on x86_64. -With AFL_QEMU_PERSISTENT_RETADDR_OFFSET you can specify the offset from the stack pointer in which -QEME can find the return address when `start addr` is hitted. +With AFL_QEMU_PERSISTENT_RETADDR_OFFSET you can specify the offset from the +stack pointer in which QEME can find the return address when `start addr` is +hitted. Use this mode with caution, problably will not work at first shot. @@ -88,7 +89,8 @@ CompareCoverage is a sub-instrumentation with effects similar to laf-intel. The option that enables QEMU CompareCoverage is AFL_COMPCOV_LEVEL. There is also ./libcompcov/ which implements CompareCoverage for *cmp functions -(splitting memcmp, strncmp, etc. to make these conditions easier solvable by afl-fuzz). +(splitting memcmp, strncmp, etc. to make these conditions easier solvable by +afl-fuzz). AFL_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate values / read-only memory. AFL_COMPCOV_LEVEL=2 instruments all comparison instructions and memory comparison functions when libcompcov -- cgit 1.4.1