1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
|
#include <unistd.h>
#include "frida-gum.h"
#include "config.h"
#include "debug.h"
#include "asan.h"
#include "entry.h"
#include "frida_cmplog.h"
#include "instrument.h"
#include "persistent.h"
#include "prefetch.h"
#include "ranges.h"
#include "stalker.h"
#include "util.h"
static gboolean tracing = false;
static gboolean optimize = false;
static GumStalkerTransformer *transformer = NULL;
__thread uint64_t previous_pc = 0;
__attribute__((hot)) static void on_basic_block(GumCpuContext *context,
gpointer user_data) {
UNUSED_PARAMETER(context);
/*
* This function is performance critical as it is called to instrument every
* basic block. By moving our print buffer to a global, we avoid it affecting
* the critical path with additional stack adjustments if tracing is not
* enabled. If tracing is enabled, then we're printing a load of diagnostic
* information so this overhead is unlikely to be noticeable.
*/
static char buffer[200];
int len;
GumAddress current_pc = GUM_ADDRESS(user_data);
uint8_t * cursor;
uint64_t value;
if (unlikely(tracing)) {
/* Avoid any functions which may cause an allocation since the target app
* may already be running inside malloc and it isn't designed to be
* re-entrant on a single thread */
len = snprintf(buffer, sizeof(buffer),
"current_pc: 0x%016" G_GINT64_MODIFIER
"x, previous_pc: 0x%016" G_GINT64_MODIFIER "x\n",
current_pc, previous_pc);
IGNORED_RERURN(write(STDOUT_FILENO, buffer, len + 1));
}
current_pc = (current_pc >> 4) ^ (current_pc << 8);
current_pc &= MAP_SIZE - 1;
cursor = &__afl_area_ptr[current_pc ^ previous_pc];
value = *cursor;
if (value == 0xff) {
value = 1;
} else {
value++;
}
*cursor = value;
previous_pc = current_pc >> 1;
}
static void instr_basic_block(GumStalkerIterator *iterator,
GumStalkerOutput *output, gpointer user_data) {
UNUSED_PARAMETER(user_data);
const cs_insn *instr;
gboolean begin = TRUE;
while (gum_stalker_iterator_next(iterator, &instr)) {
if (instr->address == entry_start) { entry_prologue(iterator, output); }
if (instr->address == persistent_start) { persistent_prologue(output); }
if (begin) {
prefetch_write(GSIZE_TO_POINTER(instr->address));
if (!range_is_excluded(GSIZE_TO_POINTER(instr->address))) {
if (optimize) {
instrument_coverage_optimize(instr, output);
} else {
gum_stalker_iterator_put_callout(
iterator, on_basic_block, GSIZE_TO_POINTER(instr->address), NULL);
}
}
begin = FALSE;
}
if (!range_is_excluded(GSIZE_TO_POINTER(instr->address))) {
asan_instrument(instr, iterator);
cmplog_instrument(instr, iterator);
}
gum_stalker_iterator_keep(iterator);
}
}
void instrument_init(void) {
optimize = (getenv("AFL_FRIDA_INST_NO_OPTIMIZE") == NULL);
tracing = (getenv("AFL_FRIDA_INST_TRACE") != NULL);
if (!instrument_is_coverage_optimize_supported()) optimize = false;
OKF("Instrumentation - optimize [%c]", optimize ? 'X' : ' ');
OKF("Instrumentation - tracing [%c]", tracing ? 'X' : ' ');
if (tracing && optimize) {
FATAL("AFL_FRIDA_INST_OPTIMIZE and AFL_FRIDA_INST_TRACE are incompatible");
}
if (__afl_map_size != 0x10000) {
FATAL("Bad map size: 0x%08x", __afl_map_size);
}
transformer =
gum_stalker_transformer_make_from_callback(instr_basic_block, NULL, NULL);
asan_init();
cmplog_init();
}
GumStalkerTransformer *instrument_get_transformer(void) {
if (transformer == NULL) { FATAL("Instrumentation not initialized"); }
return transformer;
}
|
