-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | afl-dyninst.cpp | 223 | ||||
-rw-r--r-- | libAflDyninst.cpp | 39 |
3 files changed, 124 insertions, 140 deletions
diff --git a/README.md b/README.md index 0c36f77..82ede34 100644 --- a/README.md +++ b/README.md @@ -73,7 +73,7 @@ Usage: afl-dyninst -dfvxD -i binary -o binary -l library -e address -E address -E: exit point - force exit(0) at this address (repeat for more than one) -s: number of initial basic blocks to skip in binary -m: minimum size of a basic bock to instrument (default: 10) - -f: try to fix a dyninst bug that leads to crashes (loss of 20%% performance) + -f: try to fix a dyninst bug that leads to crashes (loss of 20%% performance, only required for dyninst9) -I: only instrument this function and nothing else (repeat for more than one) -S: do not instrument this function (repeat for more than one) -D: instrument only a simple fork server and also forced exit functions diff --git a/afl-dyninst.cpp b/afl-dyninst.cpp index 157de21..d736ad7 100644 --- a/afl-dyninst.cpp +++ b/afl-dyninst.cpp 
@@ -1,46 +1,46 @@ +#include <climits> +#include <cstdlib> +#include <fcntl.h> +#include <getopt.h> +#include <iostream> +#include <sstream> +#include <stdint.h> #include <stdio.h> #include <stdlib.h> -#include <stdint.h> -#include <getopt.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <fcntl.h> -#include <unistd.h> #include <string.h> +#include <string> #include <sys/mman.h> -#include <cstdlib> -#include <iostream> +#include <sys/stat.h> +#include <sys/types.h> +#include <unistd.h> #include <vector> -#include <string> -#include <sstream> -#include <climits> // DyninstAPI includes #include "BPatch.h" +#include "BPatch_addressSpace.h" #include "BPatch_binaryEdit.h" #include "BPatch_flowGraph.h" #include "BPatch_function.h" #include "BPatch_point.h" -#include "BPatch_addressSpace.h" #include "BPatch_process.h" -#include "dyninstversion.h" // if this include errors, compile and install https://github.com/dyninst/dyninst +#include "dyninstversion.h" // if this include errors, compile and install https://github.com/dyninst/dyninst using namespace std; using namespace Dyninst; -//cmd line options +// cmd line options char *originalBinary; char *instrumentedBinary; char *entryPointName = NULL; int verbose = 0; Dyninst::Address entryPoint; -set < string > todo; -set < string > instrumentLibraries; -set < string > runtimeLibraries; -set < string > skipAddresses; -set < string > onlyAddresses; -set < unsigned long > exitAddresses; +set<string> todo; +set<string> instrumentLibraries; +set<string> runtimeLibraries; +set<string> skipAddresses; +set<string> onlyAddresses; +set<unsigned long> exitAddresses; unsigned int bbMinSize = 10; int bbSkip = 0, performance = 0; bool skipMainModule = false, do_bb = true, dynfix = false; 
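Review bot: The reordered include list still has no `<set>`, while the globals at the end of this hunk declare `set<string> todo;`, `set<string> instrumentLibraries;` and `set<unsigned long> exitAddresses;`, so the name only resolves through whatever `<string>`, `<vector>` or the BPatch headers happen to pull in transitively. Add `#include <set>` next to `#include <sstream>` so the file includes what it uses and a DyninstAPI header cleanup cannot break the build. The sorted order this commit introduces makes that omission easy to spot, which is the one benefit of the reshuffle.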
@@ -50,7 +50,7 @@ uintptr_t mapaddr = 0; BPatch_function *save_rdi; BPatch_function *restore_rdi; -const char *functions[] = { "main", "_main", "_initproc", "_init", "start", "_start", NULL }; +const char *functions[] = {"main", "_main", "_initproc", "_init", "start", "_start", NULL}; const char *instLibrary = "libAflDyninst.so"; @@ -65,7 +65,7 @@ static const char *USAGE = " -dfvxD -i <binary> -o <binary> -l <library> -e <add -E: exit point - force exit(0) at this address (repeat for more than one)\n \ -s: number of initial basic blocks to skip in binary\n \ -m: minimum size of a basic bock to instrument (default: 10)\n \ - -f: try to fix a dyninst bug that leads to crashes (loss of 20%% performance)\n \ + -f: fix a dyninst bug that leads to crashes (performance loss, only dyninst9)\n \ -I: only instrument this function and nothing else (repeat for more than one)\n \ -S: do not instrument this function (repeat for more than one)\n \ -D: instrument only a simple fork server and also forced exit functions\n \ @@ -78,18 +78,19 @@ bool parseOptions(int argc, char **argv) { int c; while ((c = getopt(argc, argv, OPT_STR)) != -1) { - switch ((char) c) { + switch ((char)c) { case 'x': performance++; -/* - if (performance == 3) { -#if ( __amd64__ || __x86_64__ ) - fprintf(stderr, "Warning: performance level 3 is currently totally experimental\n"); -#else - fprintf(stderr, "Warning: maximum performance level for non-intelx64 x86 is 2\n"); - performance = 2; -#endif - } else*/ if (performance > 2) { + /* + if (performance == 3) { + #if ( __amd64__ || __x86_64__ ) + fprintf(stderr, "Warning: performance level 3 is currently totally experimental\n"); + #else + fprintf(stderr, "Warning: maximum performance level for non-intelx64 x86 is 2\n"); + performance = 2; + #endif + } else*/ + if (performance > 2) { fprintf(stderr, "Warning: maximum performance level is 2\n"); performance = 2; } 
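Review bot: parseOptions still clamps `-x` at two (`if (performance > 2) { ... performance = 2; }`), yet later hunks in this same file pick `initAflForkServerVar` and run the raw-byte re-instrumentation pass under `performance >= 3`, so those paths are unreachable from the command line unless `performance` is raised somewhere I cannot see. Either restore a guarded level-3 path as the commented-out block describes, or tell the user in the usage string, e.g. `-x: performance level 0-2 (level 3 is disabled in this build)`. Re-indenting the dead `/* if (performance == 3) ... */` block instead of deleting it keeps that ambiguity alive; if level 3 is meant to stay reachable for developers, a short comment above the clamp saying how should replace the commented-out code.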
@@ -172,11 +173,10 @@ bool parseOptions(int argc, char **argv) { return true; } -BPatch_function *findFuncByName(BPatch_image * appImage, char *funcName) { - BPatch_Vector < BPatch_function * >funcs; +BPatch_function *findFuncByName(BPatch_image *appImage, char *funcName) { + BPatch_Vector<BPatch_function *> funcs; - if (NULL == appImage->findFunction(funcName, funcs) || !funcs.size() - || NULL == funcs[0]) { + if (NULL == appImage->findFunction(funcName, funcs) || !funcs.size() || NULL == funcs[0]) { cerr << "Failed to find " << funcName << " function." << endl; return NULL; } @@ -186,10 +186,10 @@ BPatch_function *findFuncByName(BPatch_image * appImage, char *funcName) { // insert callback to initialization function in the instrumentation library // either at _init or at manualy specified entry point. -bool insertCallToInit(BPatch_addressSpace * appBin, BPatch_function * instIncFunc, BPatch_module * module, BPatch_function * funcInit, bool install_hack) { +bool insertCallToInit(BPatch_addressSpace *appBin, BPatch_function *instIncFunc, BPatch_module *module, BPatch_function *funcInit, bool install_hack) { /* Find the instrumentation points */ - vector < BPatch_point * >points; - vector < BPatch_point * >*funcEntry = funcInit->findPoint(BPatch_entry); + vector<BPatch_point *> points; + vector<BPatch_point *> *funcEntry = funcInit->findPoint(BPatch_entry); BPatch_image *appImage = appBin->getImage(); BPatchSnippetHandle *handle; 
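Review bot: findFuncByName takes `char *funcName` although it only forwards the name to `appImage->findFunction` and streams it to cerr, which is why every call site later in the diff casts string literals with `(char *)"save_rdi"` and main stores `func2patch = (char *)functions[loop]`. Declaring it `BPatch_function *findFuncByName(BPatch_image *appImage, const char *funcName)` removes those casts and documents that the callee does not write the name; this assumes BPatch_image::findFunction accepts a `const char *`, which current Dyninst headers do. The insertCallToInit hunk that follows starts on this line and continues past it.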
@@ -215,14 +215,14 @@ bool insertCallToInit(BPatch_addressSpace * appBin, BPatch_function * instIncFun BPatch_arithExpr initprevid(BPatch_assign, *prev_id, BPatch_constExpr(0)); appBin->insertSnippet(initprevid, *funcEntry); - BPatch_Vector < BPatch_snippet * >instArgs; + BPatch_Vector<BPatch_snippet *> instArgs; cout << "Inserting init callback." << endl; instArgs.push_back(&map_ptr); BPatch_funcCallExpr instIncExpr(*instIncFunc, instArgs); handle = appBin->insertSnippet(instIncExpr, *funcEntry, BPatch_callBefore, BPatch_lastSnippet); } else { - BPatch_Vector < BPatch_snippet * >instArgs; + BPatch_Vector<BPatch_snippet *> instArgs; cout << "Inserting init callback." << endl; BPatch_funcCallExpr instIncExpr(*instIncFunc, instArgs); @@ -238,7 +238,7 @@ bool insertCallToInit(BPatch_addressSpace * appBin, BPatch_function * instIncFun // inserts a callback for each basic block assigning it an instrumentation // time 16bit random ID just as afl -bool insertBBCallback(BPatch_addressSpace * appBin, BPatch_function * curFunc, char *funcName, BPatch_function * instBBIncFunc, int *bbIndex) { +bool insertBBCallback(BPatch_addressSpace *appBin, BPatch_function *curFunc, char *funcName, BPatch_function *instBBIncFunc, int *bbIndex) { BPatch_image *appImage = appBin->getImage(); BPatch_flowGraph *appCFG = curFunc->getCFG(); unsigned short randID; @@ -248,7 +248,7 @@ bool insertBBCallback(BPatch_addressSpace * appBin, BPatch_function * curFunc, c return false; } - BPatch_Set < BPatch_basicBlock * >allBlocks; + BPatch_Set<BPatch_basicBlock *> allBlocks; if (!appCFG->getAllBasicBlocks(allBlocks)) { cerr << "Failed to find basic blocks for function " << funcName << endl; return false; 
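Review bot: In the insertCallToInit hunk, `handle = appBin->insertSnippet(instIncExpr, *funcEntry, BPatch_callBefore, BPatch_lastSnippet);` is the call that installs the fork-server initialisation callback, and the hunk does not show whether `handle` is tested afterwards; if it is not, a failed insertion produces a binary that is written out successfully but never starts the fork server. Checking the return right after each of the two insertSnippet calls, `if (!handle) { cerr << "Failed to insert init callback" << endl; return false; }`, turns that into a visible error. insertCallToInit begins before and ends after this hunk.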
@@ -257,9 +257,9 @@ bool insertBBCallback(BPatch_addressSpace * appBin, BPatch_function * curFunc, c return false; } - BPatch_Set < BPatch_basicBlock * >::iterator iter; + BPatch_Set<BPatch_basicBlock *>::iterator iter; for (iter = allBlocks.begin(); iter != allBlocks.end(); iter++) { - if (*bbIndex < bbSkip || (*iter)->size() < bbMinSize) { // skip over first bbSkip bbs or below minimum size + if (*bbIndex < bbSkip || (*iter)->size() < bbMinSize) { // skip over first bbSkip bbs or below minimum size (*bbIndex)++; continue; } @@ -270,10 +270,10 @@ bool insertBBCallback(BPatch_addressSpace * appBin, BPatch_function * curFunc, c if ((*iter)->isEntryBlock() == false) { bool good = false; - BPatch_Vector < BPatch_basicBlock * >sources; + BPatch_Vector<BPatch_basicBlock *> sources; (*iter)->getSources(sources); for (unsigned int i = 0; i < sources.size() && good == false; i++) { - BPatch_Vector < BPatch_basicBlock * >targets; + BPatch_Vector<BPatch_basicBlock *> targets; sources[i]->getTargets(targets); if (targets.size() > 1) good = true; @@ -287,8 +287,7 @@ bool insertBBCallback(BPatch_addressSpace * appBin, BPatch_function * curFunc, c randID = rand() % USHRT_MAX; if (verbose >= 1) { - cout << "Instrumenting Basic Block 0x" << hex << address << " of " << funcName << " with size " << dec << (*iter)->size() << " with random id " << randID << "/0x" << hex << - randID << endl; + cout << "Instrumenting Basic Block 0x" << hex << address << " of " << funcName << " with size " << dec << (*iter)->size() << " with random id " << randID << "/0x" << hex << randID << endl; } if (NULL == bbEntry) { 
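Review bot: `randID = rand() % USHRT_MAX;` draws the per-block id modulo 65535 rather than 65536, so id 0xffff can never be assigned, and no `srand` is visible in the diff, so I cannot tell whether the sequence is meant to be reproducible across runs or not. If it is, say so where the id is drawn, e.g. `// rand() is deliberately unseeded so repeated runs of the tool produce identical binaries`; if it is not, seed once in main. In either case `rand() & 0xffff` (or `% (USHRT_MAX + 1)`) covers the whole 16-bit range the `unsigned short randID` can hold.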
@@ -311,13 +310,13 @@ bool insertBBCallback(BPatch_addressSpace * appBin, BPatch_function * curFunc, c BPatch_arithExpr map_idx(BPatch_arithExpr(BPatch_plus, *map, BPatch_arithExpr(BPatch_divide, *pid2, BPatch_constExpr(2)))); if (mapaddr == 0) { - printf("Map for AFL is installed at: %p\n", (void *) map->getBaseAddr()); - mapaddr = (uintptr_t) map->getBaseAddr(); + printf("Map for AFL is installed at: %p\n", (void *)map->getBaseAddr()); + mapaddr = (uintptr_t)map->getBaseAddr(); } handle = appBin->insertSnippet(map_idx, *bbEntry, BPatch_firstSnippet); } else { - BPatch_Vector < BPatch_snippet * >instArgs1; - BPatch_Vector < BPatch_snippet * >instArgs; + BPatch_Vector<BPatch_snippet *> instArgs1; + BPatch_Vector<BPatch_snippet *> instArgs; BPatch_constExpr bbId(randID); instArgs.push_back(&bbId); @@ -349,7 +348,7 @@ bool insertBBCallback(BPatch_addressSpace * appBin, BPatch_function * curFunc, c int main(int argc, char **argv) { char *func2patch = NULL; int loop; - + cout << "afl-dyninst (c) 2017-2020 by Aleksandar Nikolic and Marc Heuse [https://github.com/vanhauser-thc/afl-dyninst] Apache 2.0 License" << endl; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0 || strncmp(argv[1], "--h", 3) == 0) { @@ -362,8 +361,7 @@ int main(int argc, char **argv) { } #if (__amd64__ || __x86_64__) if (do_bb == true) { - if (DYNINST_MAJOR_VERSION < 9 || (DYNINST_MAJOR_VERSION == 9 && DYNINST_MINOR_VERSION < 3) - || (DYNINST_MAJOR_VERSION == 9 && DYNINST_MINOR_VERSION == 3 && DYNINST_PATCH_VERSION <= 2)) { + if (DYNINST_MAJOR_VERSION < 9 || (DYNINST_MAJOR_VERSION == 9 && DYNINST_MINOR_VERSION < 3) || (DYNINST_MAJOR_VERSION == 9 && DYNINST_MINOR_VERSION == 3 && DYNINST_PATCH_VERSION <= 2)) { if (dynfix == false) fprintf(stderr, "Warning: your dyninst version does not include a critical fix, you should use the -f option!\n"); } else { 
@@ -389,10 +387,10 @@ int main(int argc, char **argv) { BPatch_image *appImage = appBin->getImage(); - //get and iterate over all modules, instrumenting only the default and manually specified ones - vector < BPatch_module * >*modules = appImage->getModules(); - vector < BPatch_module * >::iterator moduleIter; - vector < BPatch_function * >*funcsInModule; + // get and iterate over all modules, instrumenting only the default and manually specified ones + vector<BPatch_module *> *modules = appImage->getModules(); + vector<BPatch_module *>::iterator moduleIter; + vector<BPatch_function *> *funcsInModule; BPatch_module *defaultModule = NULL, *firstModule = NULL; string defaultModuleName; @@ -400,7 +398,7 @@ int main(int argc, char **argv) { if (defaultModuleName.empty()) { for (loop = 0; functions[loop] != NULL && func2patch == NULL; loop++) { for (moduleIter = modules->begin(); moduleIter != modules->end(); ++moduleIter) { - vector < BPatch_function * >::iterator funcsIterator; + vector<BPatch_function *>::iterator funcsIterator; char moduleName[1024]; if (firstModule == NULL) @@ -416,7 +414,7 @@ int main(int argc, char **argv) { if (verbose >= 3 && loop == 0) printf("module: %s function: %s\n", moduleName, funcName); if (string(funcName) == string(functions[loop])) { - func2patch = (char *) functions[loop]; + func2patch = (char *)functions[loop]; defaultModuleName = string(moduleName); defaultModule = (*moduleIter); if (verbose >= 1) { 
@@ -447,18 +445,18 @@ int main(int argc, char **argv) { /* Find code coverage functions in the instrumentation library */ BPatch_function *initAflForkServer; - save_rdi = findFuncByName(appImage, (char *) "save_rdi"); - restore_rdi = findFuncByName(appImage, (char *) "restore_rdi"); - BPatch_function *bbCallback = findFuncByName(appImage, (char *) "bbCallback"); - BPatch_function *forceCleanExit = findFuncByName(appImage, (char *) "forceCleanExit"); + save_rdi = findFuncByName(appImage, (char *)"save_rdi"); + restore_rdi = findFuncByName(appImage, (char *)"restore_rdi"); + BPatch_function *bbCallback = findFuncByName(appImage, (char *)"bbCallback"); + BPatch_function *forceCleanExit = findFuncByName(appImage, (char *)"forceCleanExit"); if (do_bb == true) { if (performance >= 3) - initAflForkServer = findFuncByName(appImage, (char *) "initAflForkServerVar"); + initAflForkServer = findFuncByName(appImage, (char *)"initAflForkServerVar"); else - initAflForkServer = findFuncByName(appImage, (char *) "initAflForkServer"); + initAflForkServer = findFuncByName(appImage, (char *)"initAflForkServer"); } else - initAflForkServer = findFuncByName(appImage, (char *) "initOnlyAflForkServer"); + initAflForkServer = findFuncByName(appImage, (char *)"initOnlyAflForkServer"); if (!initAflForkServer || !bbCallback || !save_rdi || !restore_rdi || !forceCleanExit) { cerr << "Instrumentation library lacks callbacks!" << endl; @@ -475,7 +473,7 @@ int main(int argc, char **argv) { cerr << "Couldn't locate _init, specify entry point manually with -e 0xaddr" << endl; return EXIT_FAILURE; } - BPatch_Vector < BPatch_function * >funcs; + BPatch_Vector<BPatch_function *> funcs; defaultModule->findFunction(func2patch, funcs); if (!funcs.size()) { cerr << "Couldn't locate _init, specify entry point manually with -e 0xaddr" << endl; 
@@ -486,7 +484,7 @@ int main(int argc, char **argv) { } else { if (entryPointName != NULL) { for (moduleIter = modules->begin(); moduleIter != modules->end() && funcToPatch == 0; ++moduleIter) { - BPatch_Vector < BPatch_function * >funcs; + BPatch_Vector<BPatch_function *> funcs; (*moduleIter)->findFunction(entryPointName, funcs); if (funcs.size() > 0) { char moduleName[1024]; @@ -502,18 +500,18 @@ int main(int argc, char **argv) { } if (!funcToPatch) { if (verbose > 1) - printf("Looking for entrypoint %p\n", (char *) entryPoint); + printf("Looking for entrypoint %p\n", (char *)entryPoint); funcToPatch = defaultModule->findFunctionByEntry(entryPoint); if (!funcToPatch && defaultModule != firstModule) { funcToPatch = firstModule->findFunctionByEntry(entryPoint); if (funcToPatch) defaultModule = firstModule; } - if (!funcToPatch) { // ok lets go hardcore ... + if (!funcToPatch) { // ok lets go hardcore ... if (verbose > 1) printf("OK we did not find the entrypoint so far, lets dig deeper ...\n"); for (moduleIter = modules->begin(); moduleIter != modules->end() && funcToPatch != NULL; ++moduleIter) { - vector < BPatch_function * >::iterator funcsIterator; + vector<BPatch_function *>::iterator funcsIterator; funcToPatch = (*moduleIter)->findFunctionByEntry(entryPoint); if (funcToPatch) defaultModule = (*moduleIter); @@ -524,7 +522,7 @@ int main(int argc, char **argv) { defaultModule->getName(moduleName, 1024); defaultModuleName = string(moduleName); - printf("Found entypoint %p in module %s\n", (void *) entryPoint, moduleName); + printf("Found entypoint %p in module %s\n", (void *)entryPoint, moduleName); } } } 
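Review bot: The fallback search in the `// ok lets go hardcore ...` branch never runs: the branch is entered only when `funcToPatch` is NULL, but its loop condition is `moduleIter != modules->end() && funcToPatch != NULL`, which is false on the very first test, so "lets dig deeper" scans no module and an entry point outside defaultModule/firstModule is reported as not found. The condition should read `funcToPatch == NULL` so the loop stops once some module resolves the address; the unused `vector<BPatch_function *>::iterator funcsIterator;` declared inside that loop can go at the same time. The `printf("Found entypoint ...")` in the next hunk would then actually be reachable for those binaries.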
@@ -543,9 +541,7 @@ int main(int argc, char **argv) { (*moduleIter)->getName(moduleName, 1024); if ((*moduleIter)->isSharedLib()) { - if (instrumentLibraries.find(moduleName) == instrumentLibraries.end() - && string(moduleName).find(".so") != string::npos - ) { + if (instrumentLibraries.find(moduleName) == instrumentLibraries.end() && string(moduleName).find(".so") != string::npos) { cout << "Skipping library: " << moduleName << endl; continue; } @@ -558,8 +554,8 @@ int main(int argc, char **argv) { if (do_bb == true) { cout << "Instrumenting module: " << moduleName << endl; - vector < BPatch_function * >*allFunctions = (*moduleIter)->getProcedures(); - vector < BPatch_function * >::iterator funcIter; + vector<BPatch_function *> *allFunctions = (*moduleIter)->getProcedures(); + vector<BPatch_function *>::iterator funcIter; // iterate over all functions in the module for (funcIter = allFunctions->begin(); funcIter != allFunctions->end(); ++funcIter) { BPatch_function *curFunc = *funcIter; @@ -570,10 +566,10 @@ int main(int argc, char **argv) { if (string(funcName) == string("_init") || string(funcName) == string("__libc_csu_init") || string(funcName) == string("_start")) { if (verbose) cout << "Skipping instrumenting function " << funcName << endl; - continue; // here's a bug on hlt // XXX: check what happens if removed + continue; // here's a bug on hlt // XXX: check what happens if removed } if (!skipAddresses.empty()) { - set < string >::iterator saiter; + set<string>::iterator saiter; for (saiter = skipAddresses.begin(); saiter != skipAddresses.end() && do_patch == 1; saiter++) if (*saiter == string(funcName)) do_patch = 0; @@ -584,7 +580,7 @@ int main(int argc, char **argv) { } if (!onlyAddresses.empty()) { do_patch = 0; - set < string >::iterator saiter; + set<string>::iterator saiter; for (saiter = onlyAddresses.begin(); saiter != onlyAddresses.end() && do_patch == 1; saiter++) if (*saiter == string(funcName)) do_patch = 1; 
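Review bot: The `-I` filter in the `if (!onlyAddresses.empty())` block cannot select anything: `do_patch` is set to 0 and the loop that would set it back to 1 is guarded by `saiter != onlyAddresses.end() && do_patch == 1`, so it exits immediately and every function is skipped. Change the guard to `do_patch == 0`, or better replace the loop with `do_patch = onlyAddresses.count(string(funcName)) ? 1 : 0;`; the skipAddresses loop above it can be written the same way, `if (skipAddresses.count(string(funcName))) do_patch = 0;`. This hunk ends inside the per-function loop, so the later use of do_patch is not visible here.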
@@ -600,10 +596,10 @@ int main(int argc, char **argv) { if (!exitAddresses.empty()) { cout << "Instrumenting forced exit addresses." << endl; - set < unsigned long >::iterator uliter; + set<unsigned long>::iterator uliter; for (uliter = exitAddresses.begin(); uliter != exitAddresses.end(); uliter++) { - if (*uliter > 0 && (signed long) *uliter != -1) { + if (*uliter > 0 && (signed long)*uliter != -1) { funcToPatch = defaultModule->findFunctionByEntry(*uliter); if (!funcToPatch) { cerr << "Could not find enty point 0x" << hex << *uliter << " (continuing)" << endl; @@ -617,17 +613,17 @@ int main(int argc, char **argv) { cout << "Saving the instrumented binary to " << instrumentedBinary << " ..." << endl; // Output the instrumented binary - BPatch_binaryEdit *appBinr = dynamic_cast < BPatch_binaryEdit * >(appBin); + BPatch_binaryEdit *appBinr = dynamic_cast<BPatch_binaryEdit *>(appBin); if (!appBinr->writeFile(instrumentedBinary)) { cerr << "Failed to write output file: " << instrumentedBinary << endl; return EXIT_FAILURE; } todo.insert(instrumentedBinary); - + if (!runtimeLibraries.empty()) { cout << "Instrumenting runtime libraries." << endl; - set < string >::iterator rtLibIter; + set<string>::iterator rtLibIter; for (rtLibIter = runtimeLibraries.begin(); rtLibIter != runtimeLibraries.end(); rtLibIter++) { BPatch_addressSpace *libBin = bpatch.openBinary((*rtLibIter).c_str(), false); 
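Review bot: `BPatch_binaryEdit *appBinr = dynamic_cast<BPatch_binaryEdit *>(appBin);` is dereferenced on the next line (`appBinr->writeFile(instrumentedBinary)`) without a null check; appBin presumably comes from openBinary outside this hunk, so the cast should succeed, but a dynamic_cast whose result is never tested is only a slower static_cast. Either check it, `if (!appBinr) { cerr << "Address space is not a binary edit" << endl; return EXIT_FAILURE; }`, or use `static_cast` with a one-line comment stating why the type is known. The same unchecked cast recurs for `libBin` in the runtime-library loop of the following hunk.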
@@ -637,15 +633,15 @@ int main(int argc, char **argv) { } BPatch_image *libImg = libBin->getImage(); - vector < BPatch_module * >*modules = libImg->getModules(); + vector<BPatch_module *> *modules = libImg->getModules(); moduleIter = modules->begin(); for (; moduleIter != modules->end(); ++moduleIter) { char moduleName[1024]; (*moduleIter)->getName(moduleName, 1024); cout << "Instrumenting module: " << moduleName << endl; - vector < BPatch_function * >*allFunctions = (*moduleIter)->getProcedures(); - vector < BPatch_function * >::iterator funcIter; + vector<BPatch_function *> *allFunctions = (*moduleIter)->getProcedures(); + vector<BPatch_function *>::iterator funcIter; // iterate over all functions in the module for (funcIter = allFunctions->begin(); funcIter != allFunctions->end(); ++funcIter) { BPatch_function *curFunc = *funcIter; @@ -656,7 +652,7 @@ int main(int argc, char **argv) { if (string(funcName) == string("_init") || string(funcName) == string("__libc_csu_init") || string(funcName) == string("_start")) continue; if (!skipAddresses.empty()) { - set < string >::iterator saiter; + set<string>::iterator saiter; for (saiter = skipAddresses.begin(); saiter != skipAddresses.end() && do_patch == 1; saiter++) if (*saiter == string(funcName)) do_patch = 0; @@ -669,7 +665,7 @@ int main(int argc, char **argv) { insertBBCallback(libBin, curFunc, funcName, bbCallback, &bbIndex); } } - appBinr = dynamic_cast < BPatch_binaryEdit * >(libBin); + appBinr = dynamic_cast<BPatch_binaryEdit *>(libBin); if (!appBinr->writeFile((*rtLibIter + ".ins").c_str())) { cerr << "Failed to write output file: " << (*rtLibIter + ".ins").c_str() << endl; return EXIT_FAILURE; 
@@ -679,45 +675,36 @@ int main(int argc, char **argv) { } } } - + printf("Did a total of %lu basic block insertions\n", insertions); - + if (performance >= 3) { int fd; struct stat st; uint64_t i, found = 0; unsigned char *ptr; - unsigned char snip1[] = { - 0x00, 0x00, 0x71, 0x00, 0x00, 0x00, 0x00, 0x00 - }; - unsigned char snip2[] = { - 0x08, 0x00, 0x71, 0x00, 0x00, 0x00, 0x00, 0x00 - }; - unsigned char fullsnip[] = { - 0x53, 0x50, 0x41, 0x52, 0x48, 0xBB, 0x00, 0x00, 0x71, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x03, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x49, 0xBA, 0x08, 0x00, 0x71, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x66, 0x41, 0x8b, 0x1a, 0x66, 0x81, 0xf3, 0x99, 0x99, 0x48, 0x0f, 0xb7, 0xdb, 0x80, 0x04, 0x18, 0x01, 0x66, 0x41, 0x8b, 0x1a, 0x66, 0xd1, 0xfb, - 0x66, 0x41, 0x89, 0x1a, - 0x41, 0x5a, 0x58, 0x5b, 0x90, 0x90, 0x90, 0x90 - }; - memcpy(snip1, (char *) &mapaddr, sizeof(mapaddr)); - memcpy(fullsnip + 6, (char *) &mapaddr, sizeof(mapaddr)); + unsigned char snip1[] = {0x00, 0x00, 0x71, 0x00, 0x00, 0x00, 0x00, 0x00}; + unsigned char snip2[] = {0x08, 0x00, 0x71, 0x00, 0x00, 0x00, 0x00, 0x00}; + unsigned char fullsnip[] = {0x53, 0x50, 0x41, 0x52, 0x48, 0xBB, 0x00, 0x00, 0x71, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x03, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x49, 0xBA, 0x08, 0x00, 0x71, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x41, 0x8b, 0x1a, 0x66, 0x81, 0xf3, 0x99, 0x99, 0x48, 0x0f, 0xb7, 0xdb, 0x80, 0x04, 0x18, 0x01, 0x66, 0x41, 0x8b, 0x1a, 0x66, 0xd1, 0xfb, 0x66, 0x41, 0x89, 0x1a, 0x41, 0x5a, 0x58, 0x5b, 0x90, 0x90, 0x90, 0x90}; + memcpy(snip1, (char *)&mapaddr, sizeof(mapaddr)); + memcpy(fullsnip + 6, (char *)&mapaddr, sizeof(mapaddr)); mapaddr += sizeof(mapaddr); - memcpy(snip2, (char *) &mapaddr, sizeof(mapaddr)); - memcpy(fullsnip + 24, (char *) &mapaddr, sizeof(mapaddr)); - set < string >::iterator fn; + memcpy(snip2, (char *)&mapaddr, sizeof(mapaddr)); + memcpy(fullsnip + 24, (char *)&mapaddr, sizeof(mapaddr)); + set<string>::iterator fn; for (fn = todo.begin(); fn 
!= todo.end(); fn++) { cout << "Reinstrumenting " << *fn << " ..." << endl; - if ((fd = open((const char *) (fn->c_str()), O_RDWR)) == -1 || fstat(fd, &st) != 0) { + if ((fd = open((const char *)(fn->c_str()), O_RDWR)) == -1 || fstat(fd, &st) != 0) { cerr << "Error: file is gone: " << *fn << endl; exit(-1); } - if ((size_t) st.st_size < (size_t) sizeof(fullsnip)) { + if ((size_t)st.st_size < (size_t)sizeof(fullsnip)) { cerr << "Error: somethings horrible wrong here with " << *fn << " ..." << endl; continue; } - ptr = (unsigned char *) mmap(NULL, st.st_size, PROT_WRITE | PROT_READ, MAP_SHARED, fd, 0); - for (i = 2; i < (size_t) st.st_size - (size_t) sizeof(fullsnip); i++) { + ptr = (unsigned char *)mmap(NULL, st.st_size, PROT_WRITE | PROT_READ, MAP_SHARED, fd, 0); + for (i = 2; i < (size_t)st.st_size - (size_t)sizeof(fullsnip); i++) { if (memcmp(ptr + i, snip1, sizeof(snip1)) == 0 && memcmp(ptr + i + sizeof(snip1) + 4, snip2, sizeof(snip2)) == 0) { found++; fullsnip[0x27] = rand() % 256; @@ -725,8 +712,8 @@ int main(int argc, char **argv) { memcpy(ptr + i - 2, fullsnip, sizeof(fullsnip)); } } - //printf("found %lu entries, snipsize %u\n", found, (unsigned int)sizeof(fullsnip)); - munmap((void *) ptr, st.st_size); + // printf("found %lu entries, snipsize %u\n", found, (unsigned int)sizeof(fullsnip)); + munmap((void *)ptr, st.st_size); close(fd); } if (found == insertions) { diff --git a/libAflDyninst.cpp b/libAflDyninst.cpp index fb0ba9c..e7c2a0f 100644 --- a/libAflDyninst.cpp +++ b/libAflDyninst.cpp 
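Review bot: In the `performance >= 3` rewrite pass, `ptr = (unsigned char *)mmap(NULL, st.st_size, PROT_WRITE | PROT_READ, MAP_SHARED, fd, 0);` is never compared with MAP_FAILED, so a mapping that fails (read-only output file, ENOMEM, a file on a filesystem without shared writable mappings) sends the following memcmp/memcpy loop through an invalid pointer instead of reporting an error; add `if (ptr == MAP_FAILED) { cerr << "Error: mmap failed for " << *fn << endl; close(fd); continue; }` directly after it. The size check just above also leaks `fd` on its `continue` path, which the same close-before-continue fixes. The search itself is a raw scan for the two 8-byte map addresses anywhere in the file from offset 2, and a false match overwrites sizeof(fullsnip) bytes of unrelated content; a false match on a 64-bit address is unlikely, but the `found == insertions` comparison after the loop is the only guard and deserves a comment saying that is what it is for.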
@@ -1,16 +1,16 @@ -#include <cstdlib> +#include "config.h" +#include <algorithm> #include <cstdio> -#include <iostream> +#include <cstdlib> #include <cstring> -#include <vector> -#include <algorithm> -#include "config.h" -#include <sys/types.h> +#include <fcntl.h> +#include <iostream> #include <sys/shm.h> -#include <unistd.h> -#include <sys/wait.h> #include <sys/stat.h> -#include <fcntl.h> +#include <sys/types.h> +#include <sys/wait.h> +#include <unistd.h> +#include <vector> using namespace std; @@ -23,16 +23,16 @@ static unsigned short int prev_id = 0; static bool forkserver_installed = false; #if (__amd64__ || __x86_64__) static long saved_di; -register long rdi asm("di"); // the warning is fine - we need the warning because of a bug in dyninst +register long rdi asm("di"); // the warning is fine - we need the warning because of a bug in dyninst9 #endif -#define PRINT_ERROR(string) (void)(write(2, string, strlen(string))+1) // the (...+1) weirdness is so we do not get an ignoring return value warning +#define PRINT_ERROR(string) (void)(write(2, string, strlen(string)) + 1) // the (...+1) weirdness is so we do not get an ignoring return value warning void initAflForkServer() { if (forkserver_installed == true) return; forkserver_installed = true; - + // we can not use fprint* stdout/stderr functions here, it fucks up some programs char *shm_env_var = getenv(SHM_ENV_VAR); @@ -41,8 +41,8 @@ void initAflForkServer() { return; } shm_id = atoi(shm_env_var); - trace_bits = (u8 *) shmat(shm_id, NULL, 0); - if (trace_bits == (u8 *) - 1) { + trace_bits = (u8 *)shmat(shm_id, NULL, 0); + if (trace_bits == (u8 *)-1) { PRINT_ERROR("Error: shmat\n"); return; } @@ -89,9 +89,7 @@ void bbCallback(unsigned short id) { prev_id = id >> 1; } -void forceCleanExit() { - exit(0); -} +void forceCleanExit() { exit(0); } void save_rdi() { #if __amd64__ || __x86_64__ 
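Review bot: `shm_id = atoi(shm_env_var);` in initAflForkServer turns any non-numeric or partially numeric value into 0 or a truncated id without complaint, after which `shmat` either fails or attaches to an unrelated segment; since this environment variable is the one piece of external input the runtime library consumes, parse it with `strtol`, reject trailing characters and negative values, and PRINT_ERROR before calling shmat. The failure path a few lines down also returns with `trace_bits` still equal to `(u8 *)-1` and `forkserver_installed` already true; unless bbCallback (its start is outside this hunk) checks for that value, setting `trace_bits = NULL;` before the `return` keeps later callbacks from writing through a bogus pointer. The same atoi appears again in initAflForkServerVar in the next hunk.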
@@ -147,14 +145,13 @@ void initOnlyAflForkServer() { } } - void initAflForkServerVar(u8 *map) { // we can not use fprint* stdout/stderr functions here, it fucks up some programs if (forkserver_installed == true) return; forkserver_installed = true; - u8 **ptr = (u8**) map; + u8 **ptr = (u8 **)map; char *shm_env_var = getenv(SHM_ENV_VAR); if (!shm_env_var) { char buf[256]; @@ -165,8 +162,8 @@ void initAflForkServerVar(u8 *map) { } shm_id = atoi(shm_env_var); - *ptr = (u8*)shmat(shm_id, NULL, 0); - if ((u8*)*ptr == (u8 *) - 1) { + *ptr = (u8 *)shmat(shm_id, NULL, 0); + if ((u8 *)*ptr == (u8 *)-1) { PRINT_ERROR("Error: shmat\n"); return; } |
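Review bot: On shmat failure initAflForkServerVar returns with `*ptr == (u8 *)-1`, but the inline probe afl-dyninst patches in for this mode (the `fullsnip` bytes `48 8b 03 / 48 85 c0 / 74 28`, i.e. load the stored pointer, test for zero, skip) only treats a zero pointer as "no map", so every instrumented block would then execute `add byte [rax+rbx], 1` against address -1 plus the block index and crash instead of running uninstrumented. Reset the slot before bailing out: `*ptr = NULL;` ahead of `PRINT_ERROR("Error: shmat\n"); return;`. This assumes the slot starts out zero, which is what the zero test in the probe already relies on; whether the BPatch `map_idx` snippet used at lower performance levels guards the pointer at all is not visible from this file.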