From 94466556172b90040f6bed5004498b7d64ec759f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 4 Jan 2019 11:08:27 +0100 Subject: dyninst 10 support --- CHANGES | 2 ++ Makefile | 25 ++++++++++++++++--------- README.txt | 37 ++++++++++++++++++++----------------- 3 files changed, 38 insertions(+), 26 deletions(-) diff --git a/CHANGES b/CHANGES index 16cbeb2..a5f8e47 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,8 @@ Changelog ========= https://github.com/vanhauser-thc/afl-dyninst + - updated the README for guidance to build against dyninst version 10 + - added support for dyninst version 10 - added -x performance optimization options, before this afl-dyninst was meh, now it is OK. It supports 3 levels: -x (+45%, -xx additional +45%, -xxx additional ~3% but so far only on intel x64) diff --git a/Makefile b/Makefile index 8ed2c0b..9b42d96 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,16 @@ -# path to dyninst binaries +# EDIT: path to dyninst binaries DYNINST_ROOT = /usr/local +# EDIT: you must set this to your dyninst build directory if you build with v10 +DYNINST_BUILD = /path/to/dyninst/build + +# better dont touch these +DYNINST9=-lcommon -liberty +DYNINST10=-I$(DYNINST_BUILD)/tbb/src/TBB/src/include -lboost_system -L$(DYNINST_BUILD)/tbb/lib -ltbb -Wl,-rpath $(DYNINST_BUILD)/tbb/lib + +# EDIT: set this to either DYNINST9 or DYNINST10 depending on what you installed +DYNINST_OPT = $(DYNINST9) + # path to afl src AFL_ROOT = ./afl @@ -17,17 +27,14 @@ LIBFLAGS = -fpic -shared CC = gcc CFLAGS = -Wall -pedantic -g -std=gnu99 - all: afl-dyninst libAflDyninst.so -# afl-dyninst2 -afl-dyninst: afl-dyninst.o +afl-dyninst: afl-dyninst.o $(CXX) $(CXXFLAGS) -L$(DYNINST_ROOT)/lib \ -L$(DEPS_ROOT)/lib \ -o afl-dyninst afl-dyninst.o \ - -lcommon \ - -liberty \ - -ldyninstAPI + $(DYNINST_OPT) \ + -ldyninstAPI afl-dyninst2: afl-dyninst2.o $(CXX) $(CXXFLAGS) -L$(DYNINST_ROOT)/lib \ @@ -41,10 +48,10 @@ libAflDyninst.so: libAflDyninst.cpp $(CXX) $(CXXFLAGS) $(LIBFLAGS) -I$(AFL_ROOT) -I$(DEPS_ROOT)/include libAflDyninst.cpp -o libAflDyninst.so afl-dyninst.o: afl-dyninst.cpp - $(CXX) $(CXXFLAGS) -I$(DEPS_ROOT)/include -I$(DYNINST_ROOT)/include -c afl-dyninst.cpp + $(CXX) $(CXXFLAGS) $(DYNINST_OPT) -I$(DEPS_ROOT)/include -I$(DYNINST_ROOT)/include -c afl-dyninst.cpp afl-dyninst2.o: afl-dyninst2.cpp - $(CXX) $(CXXFLAGS) -I$(DEPS_ROOT)/include -I$(DYNINST_ROOT)/include -c afl-dyninst2.cpp + $(CXX) $(CXXFLAGS) $(DYNINST_OPT) -I$(DEPS_ROOT)/include -I$(DYNINST_ROOT)/include -c afl-dyninst2.cpp clean: rm -f afl-dyninst *.so *.o diff --git a/README.txt b/README.txt index 7b7868c..801f678 100644 --- a/README.txt +++ b/README.txt @@ -1,4 +1,4 @@ -American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries +# American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries The tool has two parts. The instrumentation tool and the instrumentation library. Instrumentation library has an initialization callback and basic @@ -9,8 +9,22 @@ inserting callbacks for each basic block and an initialization callback either at _init or at specified entry point. -Commandline options -------------------- +## Building / Compiling + +0. Clone, compile and install dyninst: https://github.com/dyninst/dyninst/ + +Note that you can also use dyninst 9.3.2, its actually less hassle, but has less platform support. And different bugs :) + +1. Edit the Makefile and set DYNINST_ROOT and AFL_ROOT to appropriate paths. + +if you installed dyninst 10.x or from github you also have to set DYNINST_BUILD set DYNINST_OPT to $(DYNINST10) + +2. make + +3. make install + + +## Commandline options Usage: ./afl-dyninst-dfvD -i -o -l -e
-E
-s -S -m -i: input binary @@ -88,17 +102,7 @@ level 3 (-xxx) gives only a very small additional speed and works differently, this is a good idea when you run into dyninst bugs. -Compiling: ----------- - -0. Clone, compile and install dyninst: https://github.com/dyninst/dyninst/ -1. Edit the Makefile and set DYNINST_ROOT and AFL_ROOT to appropriate paths. -2. make -3. make install - - -Example of running the tool ---------------------------- +## Example of running the tool Dyninst requires DYNINSTAPI_RT_LIB environment variable to point to the location of libdyninstAPI_RT.so. @@ -111,13 +115,12 @@ Inserting init callback. Saving the instrumented binary to ./rar_ins... All done! Happy fuzzing! -Here we are instrumenting the rar binary with entrypoint at 0x4034c0 +Here we are instrumenting the rar binary with entrypoint at 0x4034c0 (manualy found address of main), skipping the first 100 basic blocks and outputing to rar_ins. -Running AFL on instrumented binary ----------------------------------- +## Running AFL on instrumented binary NOTE: The instrumentation library "libDyninst.so" must be available in the current working directory or LD_LIBRARY_PATH as that is where the instrumented binary will be looking for it. -- cgit 1.4.1