class Afl { /** * Field containing the `Module` object for `afl-frida-trace.so` (the FRIDA mode * implementation). */ public static module: Module = Process.getModuleByName("afl-frida-trace.so"); /** * This is equivalent to setting a value in `AFL_FRIDA_EXCLUDE_RANGES`, * it takes as arguments a `NativePointer` and a `number`. It can be * called multiple times to exclude several ranges. */ public static addExcludedRange(addressess: NativePointer, size: number): void { Afl.jsApiAddExcludeRange(addressess, size); } /** * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`, * it takes as arguments a `NativePointer` and a `number`. It can be * called multiple times to include several ranges. */ public static addIncludedRange(addressess: NativePointer, size: number): void { Afl.jsApiAddIncludeRange(addressess, size); } /** * This must always be called at the end of your script. This lets * FRIDA mode know that your configuration is finished and that * execution has reached the end of your script. Failure to call * this will result in a fatal error. */ public static done(): void { Afl.jsApiDone(); } /** * This function can be called within your script to cause FRIDA * mode to trigger a fatal error. This is useful if for example you * discover a problem you weren't expecting and want everything to * stop. The user will need to enable `AFL_DEBUG_CHILD=1` to view * this error message. */ public static error(msg: string): void { const buf = Memory.allocUtf8String(msg); Afl.jsApiError(buf); } /** * Function used to provide access to `__afl_fuzz_ptr`, which contains the length of * fuzzing data when using in-memory test case fuzzing. */ public static getAflFuzzLen(): NativePointer { return Afl.jsApiGetSymbol("__afl_fuzz_len"); } /** * Function used to provide access to `__afl_fuzz_ptr`, which contains the fuzzing * data when using in-memory test case fuzzing. */ public static getAflFuzzPtr(): NativePointer { return Afl.jsApiGetSymbol("__afl_fuzz_ptr"); } /** * Print a message to the STDOUT. This should be preferred to * FRIDA's `console.log` since FRIDA will queue it's log messages. * If `console.log` is used in a callback in particular, then there * may no longer be a thread running to service this queue. */ public static print(msg: string): void { const STDOUT_FILENO = 2; const log = `${msg}\n`; const buf = Memory.allocUtf8String(log); Afl.jsApiWrite(STDOUT_FILENO, buf, log.length); } /** * See `AFL_FRIDA_STALKER_NO_BACKPATCH`. */ public static setBackpatchDisable(): void { Afl.jsApiSetBackpatchDisable(); } /** * See `AFL_FRIDA_INST_NO_CACHE`. */ public static setCacheDisable(): void { Afl.jsApiSetCacheDisable(); } /** * See `AFL_FRIDA_DEBUG_MAPS`. */ public static setDebugMaps(): void { Afl.jsApiSetDebugMaps(); } /** * This has the same effect as setting `AFL_ENTRYPOINT`, but has the * convenience of allowing you to use FRIDAs APIs to determine the * address you would like to configure, rather than having to grep * the output of `readelf` or something similarly ugly. This * function should be called with a `NativePointer` as its * argument. */ public static setEntryPoint(address: NativePointer): void { Afl.jsApiSetEntryPoint(address); } /** * Function used to enable in-memory test cases for fuzzing. */ public static setInMemoryFuzzing(): void { Afl.jsApiAflSharedMemFuzzing.writeInt(1); } /** * See `AFL_FRIDA_INST_CACHE_SIZE`. This function takes a single `number` * as an argument. */ public static setInstrumentCacheSize(size: number): void { Afl.jsApiSetInstrumentCacheSize(size); } /** * See `AFL_FRIDA_INST_COVERAGE_ABSOLUTE`. */ public static setInstrumentCoverageAbsolute(): void { Afl.jsApiSetInstrumentCoverageAbsolute(); } /** * See `AFL_FRIDA_INST_COVERAGE_FILE`. This function takes a single `string` * as an argument. */ public static setInstrumentCoverageFile(file: string): void { const buf = Memory.allocUtf8String(file); Afl.jsApiSetInstrumentCoverageFile(buf); } /** * See `AFL_FRIDA_INST_DEBUG_FILE`. This function takes a single `string` as * an argument. */ public static setInstrumentDebugFile(file: string): void { const buf = Memory.allocUtf8String(file); Afl.jsApiSetInstrumentDebugFile(buf); } /** * See `AFL_FRIDA_INST_TRACE`. */ public static setInstrumentEnableTracing(): void { Afl.jsApiSetInstrumentTrace(); } /** * See `AFL_FRIDA_INST_INSN` */ public static setInstrumentInstructions(): void { Afl.jsApiSetInstrumentInstructions(); } /** * See `AFL_FRIDA_INST_JIT`. */ public static setInstrumentJit(): void { Afl.jsApiSetInstrumentJit(); } /** * See `AFL_INST_LIBS`. */ public static setInstrumentLibraries(): void { Afl.jsApiSetInstrumentLibraries(); } /** * See `AFL_FRIDA_INST_NO_OPTIMIZE` */ public static setInstrumentNoOptimize(): void { Afl.jsApiSetInstrumentNoOptimize(); } /** * See `AFL_FRIDA_INST_REGS_FILE`. This function takes a single `string` as * an argument. */ public static setInstrumentRegsFile(file: string): void { const buf = Memory.allocUtf8String(file); Afl.jsApiSetInstrumentRegsFile(buf); } /* * See `AFL_FRIDA_INST_SEED` */ public static setInstrumentSeed(seed: NativePointer): void { Afl.jsApiSetInstrumentSeed(seed); } /** * See `AFL_FRIDA_INST_TRACE_UNIQUE`. */ public static setInstrumentTracingUnique(): void { Afl.jsApiSetInstrumentTraceUnique(); } /** * See `AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE`. This function takes a single * `string` as an argument. */ public static setInstrumentUnstableCoverageFile(file: string): void { const buf = Memory.allocUtf8String(file); Afl.jsApiSetInstrumentUnstableCoverageFile(buf); } /* * Set a callback to be called in place of the usual `main` function. This see * `Scripting.md` for details. */ public static setJsMainHook(address: NativePointer): void { Afl.jsApiSetJsMainHook(address); } /** * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a * `NativePointer` should be provided as it's argument. */ public static setPersistentAddress(address: NativePointer): void { Afl.jsApiSetPersistentAddress(address); } /** * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a * `number` should be provided as it's argument. */ public static setPersistentCount(count: number): void { Afl.jsApiSetPersistentCount(count); } /** * See `AFL_FRIDA_PERSISTENT_DEBUG`. */ public static setPersistentDebug(): void { Afl.jsApiSetPersistentDebug(); } /** * See `AFL_FRIDA_PERSISTENT_ADDR`. This function takes a NativePointer as an * argument. See above for examples of use. */ public static setPersistentHook(address: NativePointer): void { Afl.jsApiSetPersistentHook(address); } /** * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a * `NativePointer` should be provided as it's argument. */ public static setPersistentReturn(address: NativePointer): void { Afl.jsApiSetPersistentReturn(address); } /** * See `AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH`. */ public static setPrefetchBackpatchDisable(): void { Afl.jsApiSetPrefetchBackpatchDisable(); } /** * See `AFL_FRIDA_INST_NO_PREFETCH`. */ public static setPrefetchDisable(): void { Afl.jsApiSetPrefetchDisable(); } /** * See `AFL_FRIDA_SECCOMP_FILE`. This function takes a single `string` as * an argument. */ public static setSeccompFile(file: string): void { const buf = Memory.allocUtf8String(file); Afl.jsApiSetSeccompFile(buf); } /** * See `AFL_FRIDA_STALKER_ADJACENT_BLOCKS`. */ public static setStalkerAdjacentBlocks(val: number): void { Afl.jsApiSetStalkerAdjacentBlocks(val); } /* * Set a function to be called for each instruction which is instrumented * by AFL FRIDA mode. */ public static setStalkerCallback(callback: NativePointer): void { Afl.jsApiSetStalkerCallback(callback); } /** * See `AFL_FRIDA_STALKER_IC_ENTRIES`. */ public static setStalkerIcEntries(val: number): void { Afl.jsApiSetStalkerIcEntries(val); } /** * See `AFL_FRIDA_STATS_FILE`. This function takes a single `string` as * an argument. */ public static setStatsFile(file: string): void { const buf = Memory.allocUtf8String(file); Afl.jsApiSetStatsFile(buf); } /** * See `AFL_FRIDA_STATS_INTERVAL`. This function takes a `number` as an * argument */ public static setStatsInterval(interval: number): void { Afl.jsApiSetStatsInterval(interval); } /** * See `AFL_FRIDA_OUTPUT_STDERR`. This function takes a single `string` as * an argument. */ public static setStdErr(file: string): void { const buf = Memory.allocUtf8String(file); Afl.jsApiSetStdErr(buf); } /** * See `AFL_FRIDA_OUTPUT_STDOUT`. This function takes a single `string` as * an argument. */ public static setStdOut(file: string): void { const buf = Memory.allocUtf8String(file); Afl.jsApiSetStdOut(buf); } /** * See `AFL_FRIDA_TRACEABLE`. */ public static setTraceable(): void { Afl.jsApiSetTraceable(); } /** * See `AFL_FRIDA_VERBOSE` */ public static setVerbose(): void { Afl.jsApiSetVerbose(); } private static readonly jsApiAddExcludeRange = Afl.jsApiGetFunction( "js_api_add_exclude_range", "void", ["pointer", "size_t"]); private static readonly jsApiAddIncludeRange = Afl.jsApiGetFunction( "js_api_add_include_range", "void", ["pointer", "size_t"]); private static readonly jsApiAflSharedMemFuzzing = Afl.jsApiGetSymbol("__afl_sharedmem_fuzzing"); private static readonly jsApiDone = Afl.jsApiGetFunction( "js_api_done", "void", []); private static readonly jsApiError = Afl.jsApiGetFunction( "js_api_error", "void", ["pointer"]); private static readonly jsApiSetBackpatchDisable = Afl.jsApiGetFunction( "js_api_set_backpatch_disable", "void", []); private static readonly jsApiSetCacheDisable = Afl.jsApiGetFunction( "js_api_set_cache_disable", "void", []); private static readonly jsApiSetDebugMaps = Afl.jsApiGetFunction( "js_api_set_debug_maps", "void", []); private static readonly jsApiSetEntryPoint = Afl.jsApiGetFunction( "js_api_set_entrypoint", "void", ["pointer"]); private static readonly jsApiSetInstrumentCacheSize = Afl.jsApiGetFunction( "js_api_set_instrument_cache_size", "void", ["size_t"]); private static readonly jsApiSetInstrumentCoverageAbsolute = Afl.jsApiGetFunction( "js_api_set_instrument_coverage_absolute", "void", [] ); private static readonly jsApiSetInstrumentCoverageFile = Afl.jsApiGetFunction( "js_api_set_instrument_coverage_file", "void", ["pointer"]); private static readonly jsApiSetInstrumentDebugFile = Afl.jsApiGetFunction( "js_api_set_instrument_debug_file", "void", ["pointer"]); private static readonly jsApiSetInstrumentInstructions = Afl.jsApiGetFunction( "js_api_set_instrument_instructions", "void", []); private static readonly jsApiSetInstrumentJit = Afl.jsApiGetFunction( "js_api_set_instrument_jit", "void", []); private static readonly jsApiSetInstrumentLibraries = Afl.jsApiGetFunction( "js_api_set_instrument_libraries", "void", []); private static readonly jsApiSetInstrumentNoOptimize = Afl.jsApiGetFunction( "js_api_set_instrument_no_optimize", "void", []); private static readonly jsApiSetInstrumentRegsFile = Afl.jsApiGetFunction( "js_api_set_instrument_regs_file", "void", ["pointer"]); private static readonly jsApiSetInstrumentSeed = Afl.jsApiGetFunction( "js_api_set_instrument_seed", "void", ["uint64"]); private static readonly jsApiSetInstrumentTrace = Afl.jsApiGetFunction( "js_api_set_instrument_trace", "void", []); private static readonly jsApiSetInstrumentTraceUnique = Afl.jsApiGetFunction( "js_api_set_instrument_trace_unique", "void", []); private static readonly jsApiSetInstrumentUnstableCoverageFile = Afl.jsApiGetFunction( "js_api_set_instrument_unstable_coverage_file", "void", ["pointer"]); private static readonly jsApiSetJsMainHook = Afl.jsApiGetFunction( "js_api_set_js_main_hook", "void", ["pointer"]); private static readonly jsApiSetPersistentAddress = Afl.jsApiGetFunction( "js_api_set_persistent_address", "void", ["pointer"]); private static readonly jsApiSetPersistentCount = Afl.jsApiGetFunction( "js_api_set_persistent_count", "void", ["uint64"]); private static readonly jsApiSetPersistentDebug = Afl.jsApiGetFunction( "js_api_set_persistent_debug", "void", []); private static readonly jsApiSetPersistentHook = Afl.jsApiGetFunction( "js_api_set_persistent_hook", "void", ["pointer"]); private static readonly jsApiSetPersistentReturn = Afl.jsApiGetFunction( "js_api_set_persistent_return", "void", ["pointer"]); private static readonly jsApiSetPrefetchBackpatchDisable = Afl.jsApiGetFunction( "js_api_set_prefetch_backpatch_disable", "void", []); private static readonly jsApiSetPrefetchDisable = Afl.jsApiGetFunction( "js_api_set_prefetch_disable", "void", []); private static readonly jsApiSetSeccompFile = Afl.jsApiGetFunction( "js_api_set_seccomp_file", "void", ["pointer"]); private static readonly jsApiSetStalkerAdjacentBlocks = Afl.jsApiGetFunction( "js_api_set_stalker_adjacent_blocks", "void", ["uint32"]); private static readonly jsApiSetStalkerCallback = Afl.jsApiGetFunction( "js_api_set_stalker_callback", "void", ["pointer"]); private static readonly jsApiSetStalkerIcEntries = Afl.jsApiGetFunction( "js_api_set_stalker_ic_entries", "void", ["uint32"]); private static readonly jsApiSetStatsFile = Afl.jsApiGetFunction( "js_api_set_stats_file", "void", ["pointer"]); private static readonly jsApiSetStatsInterval = Afl.jsApiGetFunction( "js_api_set_stats_interval", "void", ["uint64"]); private static readonly jsApiSetStdErr = Afl.jsApiGetFunction( "js_api_set_stderr", "void", ["pointer"]); private static readonly jsApiSetStdOut = Afl.jsApiGetFunction( "js_api_set_stdout", "void", ["pointer"]); private static readonly jsApiSetTraceable = Afl.jsApiGetFunction( "js_api_set_traceable", "void", []); private static readonly jsApiSetVerbose = Afl.jsApiGetFunction( "js_api_set_verbose", "void", []); private static readonly jsApiWrite = new NativeFunction( /* tslint:disable-next-line:no-null-keyword */ Module.getExportByName(null, "write"), "int", ["int", "pointer", "int"]); private static jsApiGetFunction(name: string, retType: NativeType, argTypes: NativeType[]): NativeFunction { const addr: NativePointer = Afl.module.getExportByName(name); return new NativeFunction(addr, retType, argTypes); } private static jsApiGetSymbol(name: string): NativePointer { return Afl.module.getExportByName(name); } } export { Afl };