about summary refs log tree commit diff
path: root/afl-dyninst.cc
diff options
context:
space:
mode:
Diffstat (limited to 'afl-dyninst.cc')
-rw-r--r--afl-dyninst.cc693
1 files changed, 693 insertions, 0 deletions
diff --git a/afl-dyninst.cc b/afl-dyninst.cc
new file mode 100644
index 0000000..cb580d0
--- /dev/null
+++ b/afl-dyninst.cc
@@ -0,0 +1,693 @@
+// Binary instrumentation tool
+//
+// SPDX-FileCopyrightText: 2016 Aleksandar Nikolic <anikolich@sourcefire.com>
+// SPDX-FileCopyrightText: 2018-2021 Marc "van Hauser" Heuse <vh@thc.org>
+// SPDX-License-Identifier: Apache-2.0
+//
+// SPDX-FileCopyrightText: 2024 Nguyễn Gia Phong <cnx@loang.net>
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+#include "afl-dyninst.h"
+
+// DyninstAPI includes
+#include "BPatch.h"
+#include "BPatch_flowGraph.h"
+#include "BPatch_point.h"
+
+#include <cstdlib>
+#include <fcntl.h>
+#include <getopt.h>
+#include <iostream>
+#include <sstream>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <string>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <vector>
+
+using namespace std;
+using namespace Dyninst;
+
+// cmd line options
+char *originalBinary;
+char *instrumentedBinary;
+char *entryPointName = NULL;
+int verbose = 0;
+
+Dyninst::Address entryPoint;
+set<string> todo;
+set<string> instrumentLibraries;
+set<string> runtimeLibraries;
+set<string> skipAddresses;
+set<string> onlyAddresses;
+set<unsigned long> exitAddresses;
+unsigned int bbMinSize = 10;
+int bbSkip = 0, performance = 1;
+bool skipMainModule = false, do_bb = true, dynfix = false;
+unsigned long int insertions = 0;
+uintptr_t mapaddr = 0;
+
+BPatch_function *save_rdi;
+BPatch_function *restore_rdi;
+
+const char *functions[] = {"main", "_main", "_initproc", "_init", "start", "_start", NULL};
+
+static const char *OPT_STR = "fi:o:l:e:E:vs:dr:m:S:I:Dx";
+static const char *USAGE = " -vxD -i <binary> -o <binary> -e <address> -E <address> -s <number> -S <funcname> -I <funcname> -m <size>\n \
+  -i: input binary \n \
+  -o: output binary\n \
+  -r: runtime library to instrument (path to, repeat for more than one)\n \
+  -e: entry point address to patch (required for stripped binaries)\n \
+  -E: exit point - force exit(0) at this address (repeat for more than one)\n \
+  -s: number of initial basic blocks to skip in binary\n \
+  -m: minimum size of a basic bock to instrument (default: 10)\n \
+  -I: only instrument this function and nothing else (repeat for more than one)\n \
+  -S: do not instrument this function (repeat for more than one)\n \
+  -D: instrument only a simple fork server and also forced exit functions\n \
+  -x: experimental performance mode (~25-50% speed improvement)\n \
+  -v: verbose output\n";
+
+bool parseOptions(int argc, char **argv) {
+  int c;
+
+  while ((c = getopt(argc, argv, OPT_STR)) != -1) {
+    switch ((char)c) {
+    case 'x':
+      performance++;
+      /*
+            if (performance == 3) {
+      #if ( __amd64__ || __x86_64__ )
+              fprintf(stderr, "Warning: performance level 3 is currently totally experimental\n");
+      #else
+              fprintf(stderr, "Warning: maximum performance level for non-intelx64 x86 is 2\n");
+              performance = 2;
+      #endif
+            } else*/
+      if (performance > 2) performance = 2;
+      break;
+    case 'I':
+      onlyAddresses.insert(optarg);
+      break;
+    case 'S':
+      skipAddresses.insert(optarg);
+      break;
+    case 'e':
+      if ((entryPoint = strtoul(optarg, NULL, 16)) < 0x1000)
+        entryPointName = optarg;
+      break;
+    case 'i':
+      originalBinary = optarg;
+      instrumentLibraries.insert(optarg);
+      break;
+    case 'o':
+      instrumentedBinary = optarg;
+      break;
+    case 'E':
+      exitAddresses.insert(strtoul(optarg, NULL, 16));
+      break;
+    case 'r':
+      runtimeLibraries.insert(optarg);
+      break;
+    case 's':
+      bbSkip = atoi(optarg);
+      break;
+    case 'm':
+      bbMinSize = atoi(optarg);
+      break;
+    case 'D':
+      do_bb = false;
+      break;
+    case 'v':
+      verbose++;
+      break;
+    default:
+      cerr << "Usage: " << argv[0] << USAGE;
+      return false;
+    }
+  }
+
+  if (originalBinary == NULL) {
+    cerr << "Input binary is required!" << endl;
+    cerr << "Usage: " << argv[0] << USAGE;
+    return false;
+  }
+
+  if (instrumentedBinary == NULL) {
+    cerr << "Output binary is required!" << endl;
+    cerr << "Usage: " << argv[0] << USAGE;
+    return false;
+  }
+
+  return true;
+}
+
+BPatch_function *findFuncByName(BPatch_image *appImage, char *funcName) {
+  BPatch_Vector<BPatch_function *> funcs;
+
+  if (NULL == appImage->findFunction(funcName, funcs) || !funcs.size() || NULL == funcs[0]) {
+    cerr << "Failed to find " << funcName << " function." << endl;
+    return NULL;
+  }
+
+  return funcs[0];
+}
+
+// insert callback to initialization function in the instrumentation library
+// either at _init or at manualy specified entry point.
+bool insertCallToInit(BPatch_addressSpace *appBin, BPatch_function *instIncFunc, BPatch_module *module, BPatch_function *funcInit, bool install_hack) {
+  /* Find the instrumentation points */
+  vector<BPatch_point *> points;
+  vector<BPatch_point *> *funcEntry = funcInit->findPoint(BPatch_entry);
+  BPatch_image *appImage = appBin->getImage();
+  BPatchSnippetHandle *handle;
+
+  if (NULL == funcEntry) {
+    cerr << "Failed to find entry for function. " << endl;
+    return false;
+  }
+
+  // THIS BLOCK IS DISABLED - dyninst is too volatile for this to work reliably
+  // disabled because performance can not be greater than 2
+  if (performance >= 3 && install_hack == true) {
+    cout << "Inserting global variables" << endl;
+    // we set up a fake map so we do not have crashes if the the forkserver
+    // is not installed in _init but later for speed reasons.
+    // we could also check in the bb() code if map == 0 but that would
+    // cost precious instructions.
+    BPatch_variableExpr *fakemap = appBin->malloc(65536);
+    BPatch_constExpr fakemap_ptr(fakemap->getBaseAddr());
+    BPatch_variableExpr *map = appBin->malloc(*(appImage->findType("size_t")), "map");
+    BPatch_arithExpr initmap(BPatch_assign, *map, fakemap_ptr);
+
+    appBin->insertSnippet(initmap, *funcEntry, BPatch_firstSnippet);
+    BPatch_constExpr map_ptr(map->getBaseAddr());
+    BPatch_variableExpr *prev_id = appBin->malloc(*(appImage->findType("size_t")), "prev_id");
+    BPatch_arithExpr initprevid(BPatch_assign, *prev_id, BPatch_constExpr(0));
+
+    appBin->insertSnippet(initprevid, *funcEntry);
+    BPatch_Vector<BPatch_snippet *> instArgs;
+    cout << "Inserting init callback." << endl;
+    instArgs.push_back(&map_ptr);
+    BPatch_funcCallExpr instIncExpr(*instIncFunc, instArgs);
+
+    handle = appBin->insertSnippet(instIncExpr, *funcEntry, BPatch_callBefore, BPatch_lastSnippet);
+  } else {
+    BPatch_Vector<BPatch_snippet *> instArgs;
+    cout << "Inserting init callback." << endl;
+    BPatch_funcCallExpr instIncExpr(*instIncFunc, instArgs);
+
+    handle = appBin->insertSnippet(instIncExpr, *funcEntry, BPatch_callBefore, BPatch_lastSnippet);
+  }
+
+  if (!handle) {
+    cerr << "Failed to insert init callback." << endl;
+    return false;
+  }
+  return true;
+}
+
+// inserts a callback for each basic block assigning it an instrumentation
+// time 16bit random ID just as afl
+bool insertBBCallback(BPatch_addressSpace *appBin, BPatch_function *curFunc, char *funcName, BPatch_function *instBBIncFunc, int *bbIndex) {
+  BPatch_image *appImage = appBin->getImage();
+  BPatch_flowGraph *appCFG = curFunc->getCFG();
+  unsigned short randID;
+
+  if (!appCFG) {
+    cerr << "Failed to find CFG for function " << funcName << endl;
+    return false;
+  }
+
+  BPatch_Set<BPatch_basicBlock *> allBlocks;
+  if (!appCFG->getAllBasicBlocks(allBlocks)) {
+    cerr << "Failed to find basic blocks for function " << funcName << endl;
+    return false;
+  } else if (allBlocks.size() == 0) {
+    cerr << "No basic blocks for function " << funcName << endl;
+    return false;
+  }
+
+  BPatch_Set<BPatch_basicBlock *>::iterator iter;
+  for (iter = allBlocks.begin(); iter != allBlocks.end(); iter++) {
+    if (*bbIndex < bbSkip || (*iter)->size() < bbMinSize) { // skip over first bbSkip bbs or below minimum size
+      (*bbIndex)++;
+      continue;
+    }
+
+    BPatch_point *bbEntry = (*iter)->findEntryPoint();
+
+    if (performance >= 1) {
+      if ((*iter)->isEntryBlock() == false) {
+        bool good = false;
+
+        BPatch_Vector<BPatch_basicBlock *> sources;
+        (*iter)->getSources(sources);
+        for (unsigned int i = 0; i < sources.size() && good == false; i++) {
+          BPatch_Vector<BPatch_basicBlock *> targets;
+          sources[i]->getTargets(targets);
+          if (targets.size() > 1)
+            good = true;
+        }
+        if (good == false)
+          continue;
+      }
+    }
+
+    unsigned long address = (*iter)->getStartAddress();
+
+    randID = rand() % USHRT_MAX;
+    if (verbose >= 1) {
+      cout << "Instrumenting Basic Block 0x" << hex << address << " of " << funcName << " with size " << dec << (*iter)->size() << " with random id " << randID << "/0x" << hex << randID << endl;
+    }
+
+    if (NULL == bbEntry) {
+      // warn the user, but continue
+      cerr << "Failed to find entry for basic block at 0x" << hex << address << endl;
+      (*bbIndex)++;
+      continue;
+    }
+
+    BPatchSnippetHandle *handle;
+
+    // level 3 is disabled
+    if (performance >= 3) {
+      // these are dummy instructions we overwrite later
+      BPatch_variableExpr *pid = appImage->findVariable("prev_id");
+      BPatch_arithExpr new_prev_id(BPatch_assign, *pid, BPatch_arithExpr(BPatch_divide, BPatch_constExpr(8), BPatch_constExpr(2)));
+
+      handle = appBin->insertSnippet(new_prev_id, *bbEntry, BPatch_lastSnippet);
+      BPatch_variableExpr *map = appImage->findVariable("map");
+      BPatch_variableExpr *pid2 = appImage->findVariable("prev_id");
+      BPatch_arithExpr map_idx(BPatch_arithExpr(BPatch_plus, *map, BPatch_arithExpr(BPatch_divide, *pid2, BPatch_constExpr(2))));
+
+      if (mapaddr == 0) {
+        printf("Map for AFL is installed at: %p\n", (void *)map->getBaseAddr());
+        mapaddr = (uintptr_t)map->getBaseAddr();
+      }
+      handle = appBin->insertSnippet(map_idx, *bbEntry, BPatch_firstSnippet);
+    } else {
+      BPatch_Vector<BPatch_snippet *> instArgs1;
+      BPatch_Vector<BPatch_snippet *> instArgs;
+      BPatch_constExpr bbId(randID);
+
+      instArgs.push_back(&bbId);
+      BPatch_funcCallExpr instIncExpr(*instBBIncFunc, instArgs);
+
+
+      handle = appBin->insertSnippet(instIncExpr, *bbEntry, BPatch_callBefore);
+    }
+
+    if (!handle) {
+      // warn the user, but continue to next bb
+      cerr << "Failed to insert instrumention in basic block at 0x" << hex << address << endl;
+      (*bbIndex)++;
+      continue;
+    } else
+      insertions++;
+
+    (*bbIndex)++;
+  }
+
+  return true;
+}
+
+int main(int argc, char **argv) {
+  char *func2patch = NULL;
+  int loop;
+
+  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0 || strncmp(argv[1], "--h", 3) == 0) {
+    cout << "Usage: " << argv[0] << USAGE;
+    return false;
+  }
+
+  if (!parseOptions(argc, argv)) {
+    return EXIT_FAILURE;
+  }
+
+  BPatch bpatch;
+
+  if (performance >= 2) {
+    bpatch.setSaveFPR(false);
+    bpatch.setTrampRecursive(true);
+  }
+
+  const char *dyninstapi_rt_lib_old = getenv("DYNINSTAPI_RT_LIB");
+  if (setenv("DYNINSTAPI_RT_LIB", dyninstapi_rt_lib, true) != 0) {
+    cerr << "Failed to set DYNINSTAPI_RT_LIB\n"; // TODO: explain
+    return EXIT_FAILURE;
+  }
+  BPatch_addressSpace *appBin = bpatch.openBinary(originalBinary, instrumentLibraries.size() != 1);
+  if (dyninstapi_rt_lib_old == NULL)
+    unsetenv("DYNINSTAPI_RT_LIB");
+  else
+    setenv("DYNINSTAPI_RT_LIB", dyninstapi_rt_lib_old, true);
+  if (appBin == NULL) {
+    cerr << "Failed to open binary" << endl;
+    return EXIT_FAILURE;
+  }
+
+  BPatch_image *appImage = appBin->getImage();
+
+  // get and iterate over all modules, instrumenting only the default and manually specified ones
+  vector<BPatch_module *> *modules = appImage->getModules();
+  vector<BPatch_module *>::iterator moduleIter;
+  vector<BPatch_function *> *funcsInModule;
+  BPatch_module *defaultModule = NULL, *firstModule = NULL;
+  string defaultModuleName;
+
+  // look for _init
+  if (defaultModuleName.empty()) {
+    for (loop = 0; functions[loop] != NULL && func2patch == NULL; loop++) {
+      for (moduleIter = modules->begin(); moduleIter != modules->end(); ++moduleIter) {
+        vector<BPatch_function *>::iterator funcsIterator;
+        char moduleName[1024];
+
+        if (firstModule == NULL)
+          firstModule = (*moduleIter);
+        (*moduleIter)->getName(moduleName, 1024);
+        funcsInModule = (*moduleIter)->getProcedures();
+        if (verbose >= 2)
+          cout << "Looking for init function " << functions[loop] << " in " << moduleName << endl;
+        for (funcsIterator = funcsInModule->begin(); funcsIterator != funcsInModule->end(); ++funcsIterator) {
+          char funcName[1024];
+
+          (*funcsIterator)->getName(funcName, 1024);
+          if (verbose >= 3 && loop == 0)
+            printf("module: %s function: %s\n", moduleName, funcName);
+          if (string(funcName) == string(functions[loop])) {
+            func2patch = (char *)functions[loop];
+            defaultModuleName = string(moduleName);
+            defaultModule = (*moduleIter);
+            if (verbose >= 1) {
+              cout << "Found " << func2patch << " in " << moduleName << endl;
+            }
+            break;
+          }
+        }
+        if (!defaultModuleName.empty())
+          break;
+      }
+      if (func2patch != NULL)
+        break;
+    }
+  }
+  // last resort, by name of the binary
+  if (defaultModuleName.empty())
+    defaultModuleName = string(originalBinary).substr(string(originalBinary).find_last_of("\\/") + 1);
+  if (defaultModule == NULL)
+    defaultModule = firstModule;
+
+  if (!appBin->loadLibrary(afl_dyninst_lib)) {
+    cerr << "Failed to open instrumentation library " << afl_dyninst_lib << endl;
+    cerr << "It needs to be located in the current working directory." << endl;
+    return EXIT_FAILURE;
+  }
+
+  /* Find code coverage functions in the instrumentation library */
+  BPatch_function *initAflForkServer;
+
+  BPatch_function *bbCallback = findFuncByName(appImage, (char *)"bbCallback");
+  BPatch_function *forceCleanExit = findFuncByName(appImage, (char *)"forceCleanExit");
+
+  if (do_bb == true) {
+    if (performance >= 3)
+      initAflForkServer = findFuncByName(appImage, (char *)"initAflForkServerVar");
+    else
+      initAflForkServer = findFuncByName(appImage, (char *)"initAflForkServer");
+  } else
+    initAflForkServer = findFuncByName(appImage, (char *)"initOnlyAflForkServer");
+
+  if (!initAflForkServer || !bbCallback || !forceCleanExit) {
+    cerr << "Instrumentation library lacks callbacks!" << endl;
+    return EXIT_FAILURE;
+  }
+
+  int bbIndex = 0;
+
+  // if an entrypoint was set then find function, else find _init
+  BPatch_function *funcToPatch = NULL;
+
+  if (entryPoint == 0 && entryPointName == NULL) {
+    if (func2patch == NULL) {
+      cerr << "Couldn't locate _init, specify entry point manually with -e 0xaddr" << endl;
+      return EXIT_FAILURE;
+    }
+    BPatch_Vector<BPatch_function *> funcs;
+    defaultModule->findFunction(func2patch, funcs);
+    if (!funcs.size()) {
+      cerr << "Couldn't locate _init, specify entry point manually with -e 0xaddr" << endl;
+      return EXIT_FAILURE;
+    }
+    // there should really be only one
+    funcToPatch = funcs[0];
+  } else {
+    if (entryPointName != NULL) {
+      for (moduleIter = modules->begin(); moduleIter != modules->end() && funcToPatch == 0; ++moduleIter) {
+        BPatch_Vector<BPatch_function *> funcs;
+        (*moduleIter)->findFunction(entryPointName, funcs);
+        if (funcs.size() > 0) {
+          char moduleName[1024];
+
+          funcToPatch = funcs[0];
+          defaultModule = (*moduleIter);
+          defaultModule->getName(moduleName, 1024);
+          defaultModuleName = string(moduleName);
+          printf("Found entypoint %s in module %s\n", entryPointName, moduleName);
+          break;
+        }
+      }
+    }
+    if (!funcToPatch) {
+      if (verbose > 1)
+        printf("Looking for entrypoint %p\n", (char *)entryPoint);
+      funcToPatch = defaultModule->findFunctionByEntry(entryPoint);
+      if (!funcToPatch && defaultModule != firstModule) {
+        funcToPatch = firstModule->findFunctionByEntry(entryPoint);
+        if (funcToPatch)
+          defaultModule = firstModule;
+      }
+      if (!funcToPatch) { // ok lets go hardcore ...
+        if (verbose > 1)
+          printf("OK we did not find the entrypoint so far, lets dig deeper ...\n");
+        for (moduleIter = modules->begin(); moduleIter != modules->end() && funcToPatch != NULL; ++moduleIter) {
+          vector<BPatch_function *>::iterator funcsIterator;
+          funcToPatch = (*moduleIter)->findFunctionByEntry(entryPoint);
+          if (funcToPatch)
+            defaultModule = (*moduleIter);
+        }
+      }
+      if (funcToPatch && verbose >= 1) {
+        char moduleName[1024];
+
+        defaultModule->getName(moduleName, 1024);
+        defaultModuleName = string(moduleName);
+        printf("Found entypoint %p in module %s\n", (void *)entryPoint, moduleName);
+      }
+    }
+  }
+  if (!funcToPatch) {
+    cerr << "Couldn't locate function at given entry point. " << endl;
+    cerr << "Try: readelf -ls " << originalBinary << " | egrep 'Entry|FUNC.*GLOBAL.*DEFAULT' | egrep -v '@|UND'" << endl;
+    return EXIT_FAILURE;
+  }
+  if (!insertCallToInit(appBin, initAflForkServer, defaultModule, funcToPatch, true)) {
+    cerr << "Could not insert init callback at given entry point." << endl;
+    return EXIT_FAILURE;
+  }
+
+  for (moduleIter = modules->begin(); moduleIter != modules->end(); ++moduleIter) {
+    char moduleName[1024];
+
+    (*moduleIter)->getName(moduleName, 1024);
+    if ((*moduleIter)->isSharedLib()) {
+      if (instrumentLibraries.find(moduleName) == instrumentLibraries.end() && string(moduleName).find(".so") != string::npos) {
+        cout << "Skipping library: " << moduleName << endl;
+        continue;
+      }
+    }
+
+    if (string(moduleName).find(defaultModuleName) != string::npos) {
+      if (skipMainModule)
+        continue;
+    }
+
+    if (do_bb == true) {
+      cout << "Instrumenting module: " << moduleName << endl;
+      vector<BPatch_function *> *allFunctions = (*moduleIter)->getProcedures();
+      vector<BPatch_function *>::iterator funcIter;
+      // iterate over all functions in the module
+      for (funcIter = allFunctions->begin(); funcIter != allFunctions->end(); ++funcIter) {
+        BPatch_function *curFunc = *funcIter;
+        char funcName[1024];
+        int do_patch = 1;
+
+        curFunc->getName(funcName, 1024);
+        if (string(funcName) == string("_init") || string(funcName) == string("__libc_csu_init") || string(funcName) == string("_start")) {
+          if (verbose)
+            cout << "Skipping instrumenting function " << funcName << endl;
+          continue; // here's a bug on hlt // XXX: check what happens if removed
+        }
+        if (!skipAddresses.empty()) {
+          set<string>::iterator saiter;
+          for (saiter = skipAddresses.begin(); saiter != skipAddresses.end() && do_patch == 1; saiter++)
+            if (*saiter == string(funcName))
+              do_patch = 0;
+          if (do_patch == 0) {
+            cout << "Skipping instrumenting function " << funcName << endl;
+            continue;
+          }
+        }
+        if (!onlyAddresses.empty()) {
+          do_patch = 0;
+          set<string>::iterator saiter;
+          for (saiter = onlyAddresses.begin(); saiter != onlyAddresses.end() && do_patch == 1; saiter++)
+            if (*saiter == string(funcName))
+              do_patch = 1;
+          if (do_patch == 0) {
+            cout << "Skipping instrumenting function " << funcName << endl;
+            continue;
+          }
+        }
+        insertBBCallback(appBin, curFunc, funcName, bbCallback, &bbIndex);
+      }
+    }
+  }
+
+  if (!exitAddresses.empty()) {
+    cout << "Instrumenting forced exit addresses." << endl;
+    set<unsigned long>::iterator uliter;
+
+    for (uliter = exitAddresses.begin(); uliter != exitAddresses.end(); uliter++) {
+      if (*uliter > 0 && (signed long)*uliter != -1) {
+        funcToPatch = defaultModule->findFunctionByEntry(*uliter);
+        if (!funcToPatch) {
+          cerr << "Could not find enty point 0x" << hex << *uliter << " (continuing)" << endl;
+        } else {
+          if (!insertCallToInit(appBin, forceCleanExit, defaultModule, funcToPatch, false))
+            cerr << "Could not insert force clean exit callback at 0x" << hex << *uliter << " (continuing)" << endl;
+        }
+      }
+    }
+  }
+
+  cout << "Saving the instrumented binary to " << instrumentedBinary << " ..." << endl;
+  // Output the instrumented binary
+  BPatch_binaryEdit *appBinr = dynamic_cast<BPatch_binaryEdit *>(appBin);
+
+  if (!appBinr->writeFile(instrumentedBinary)) {
+    cerr << "Failed to write output file: " << instrumentedBinary << endl;
+    return EXIT_FAILURE;
+  }
+  todo.insert(instrumentedBinary);
+
+  if (!runtimeLibraries.empty()) {
+    cout << "Instrumenting runtime libraries." << endl;
+    set<string>::iterator rtLibIter;
+    for (rtLibIter = runtimeLibraries.begin(); rtLibIter != runtimeLibraries.end(); rtLibIter++) {
+      BPatch_addressSpace *libBin = bpatch.openBinary((*rtLibIter).c_str(), false);
+
+      if (libBin == NULL) {
+        cerr << "Failed to open binary " << *rtLibIter << endl;
+        return EXIT_FAILURE;
+      }
+      BPatch_image *libImg = libBin->getImage();
+
+      vector<BPatch_module *> *modules = libImg->getModules();
+      moduleIter = modules->begin();
+      for (; moduleIter != modules->end(); ++moduleIter) {
+        char moduleName[1024];
+
+        (*moduleIter)->getName(moduleName, 1024);
+        cout << "Instrumenting module: " << moduleName << endl;
+        vector<BPatch_function *> *allFunctions = (*moduleIter)->getProcedures();
+        vector<BPatch_function *>::iterator funcIter;
+        // iterate over all functions in the module
+        for (funcIter = allFunctions->begin(); funcIter != allFunctions->end(); ++funcIter) {
+          BPatch_function *curFunc = *funcIter;
+          char funcName[1024];
+          int do_patch = 1;
+
+          curFunc->getName(funcName, 1024);
+          if (string(funcName) == string("_init") || string(funcName) == string("__libc_csu_init") || string(funcName) == string("_start"))
+            continue;
+          if (!skipAddresses.empty()) {
+            set<string>::iterator saiter;
+            for (saiter = skipAddresses.begin(); saiter != skipAddresses.end() && do_patch == 1; saiter++)
+              if (*saiter == string(funcName))
+                do_patch = 0;
+            if (do_patch == 0) {
+              cout << "Skipping instrumenting function " << funcName << endl;
+              continue;
+            }
+          }
+
+          insertBBCallback(libBin, curFunc, funcName, bbCallback, &bbIndex);
+        }
+      }
+      appBinr = dynamic_cast<BPatch_binaryEdit *>(libBin);
+      if (!appBinr->writeFile((*rtLibIter + ".ins").c_str())) {
+        cerr << "Failed to write output file: " << (*rtLibIter + ".ins").c_str() << endl;
+        return EXIT_FAILURE;
+      } else {
+        cout << "Saved the instrumented library to " << (*rtLibIter + ".ins").c_str() << "." << endl;
+        todo.insert(*rtLibIter + ".ins");
+      }
+    }
+  }
+
+  printf("Did a total of %lu basic block insertions\n", insertions);
+
+  if (performance >= 3) {
+    int fd;
+    struct stat st;
+    uint64_t i, found = 0;
+    unsigned char *ptr;
+
+    unsigned char snip1[] = {0x00, 0x00, 0x71, 0x00, 0x00, 0x00, 0x00, 0x00};
+    unsigned char snip2[] = {0x08, 0x00, 0x71, 0x00, 0x00, 0x00, 0x00, 0x00};
+    unsigned char fullsnip[] = {0x53, 0x50, 0x41, 0x52, 0x48, 0xBB, 0x00, 0x00, 0x71, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x03, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x49, 0xBA, 0x08, 0x00, 0x71, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x41, 0x8b, 0x1a, 0x66, 0x81, 0xf3, 0x99, 0x99, 0x48, 0x0f, 0xb7, 0xdb, 0x80, 0x04, 0x18, 0x01, 0x66, 0x41, 0x8b, 0x1a, 0x66, 0xd1, 0xfb, 0x66, 0x41, 0x89, 0x1a, 0x41, 0x5a, 0x58, 0x5b, 0x90, 0x90, 0x90, 0x90};
+    memcpy(snip1, (char *)&mapaddr, sizeof(mapaddr));
+    memcpy(fullsnip + 6, (char *)&mapaddr, sizeof(mapaddr));
+    mapaddr += sizeof(mapaddr);
+    memcpy(snip2, (char *)&mapaddr, sizeof(mapaddr));
+    memcpy(fullsnip + 24, (char *)&mapaddr, sizeof(mapaddr));
+    set<string>::iterator fn;
+    for (fn = todo.begin(); fn != todo.end(); fn++) {
+      cout << "Reinstrumenting " << *fn << " ..." << endl;
+      if ((fd = open((const char *)(fn->c_str()), O_RDWR)) == -1 || fstat(fd, &st) != 0) {
+        cerr << "Error: file is gone: " << *fn << endl;
+        exit(-1);
+      }
+      if ((size_t)st.st_size < (size_t)sizeof(fullsnip)) {
+        cerr << "Error: somethings horrible wrong here with " << *fn << " ..." << endl;
+        continue;
+      }
+      ptr = (unsigned char *)mmap(NULL, st.st_size, PROT_WRITE | PROT_READ, MAP_SHARED, fd, 0);
+      for (i = 2; i < (size_t)st.st_size - (size_t)sizeof(fullsnip); i++) {
+        if (memcmp(ptr + i, snip1, sizeof(snip1)) == 0 && memcmp(ptr + i + sizeof(snip1) + 4, snip2, sizeof(snip2)) == 0) {
+          found++;
+          fullsnip[0x27] = rand() % 256;
+          fullsnip[0x28] = rand() % 256;
+          memcpy(ptr + i - 2, fullsnip, sizeof(fullsnip));
+        }
+      }
+      // printf("found %lu entries, snipsize %u\n", found, (unsigned int)sizeof(fullsnip));
+      munmap((void *)ptr, st.st_size);
+      close(fd);
+    }
+    if (found == insertions) {
+      printf("SUCCESS! Performance level 3 succeeded :)\n");
+    } else {
+      fprintf(stderr, "Error: can not complete performance level 3, could not find all insertions (%lu of %lu).\n", found, insertions);
+      exit(-1);
+    }
+  }
+
+  cout << "All done! Happy fuzzing!" << endl;
+  return EXIT_SUCCESS;
+}