AFLplusplus / LibAFL

Advanced Fuzzing Library - Slot your Fuzzer together in Rust! Scales across cores and machines. For Windows, Android, MacOS, Linux, no_std, ...

libafl-frida stalker miss many blocks? #795

Closed icepng closed 1 year ago

icepng commented 1 year ago

I tried to fuzz an Android library based on libafl-frida. I wrote a harness library which uses dlopen to load the target library.

When fuzzing, I used frida to hook one of the functions in the target library, and it was hit. However, when I print all block addresses in the stalker transformer, the addresses in that function are not found.

I tried to use the JavaScript interface of the stalker based on frida-server, and everything seemed good. I guessed it's a problem of frida-gum for Rust. Has anyone encountered the same problem?

s1341 commented 1 year ago

Did you specify that the target library be instrumented using the ‘-l’ flag?

icepng commented 1 year ago

I use the -l flag. I found some functions in the target library were hit.

tokatoka commented 1 year ago

Do you have a minimal PoC so that we can reproduce?

icepng commented 1 year ago

I tested it on a Samsung phone; the target library needed some libs from the Samsung phone. And I found it's not a problem of LibAFL. The problem is the implementation of the frida stalker exclude function (frida-gum). I didn't know the reason why the stalker exclude fails on my target, and I solved it by commenting it out, and this problem also exists in AFL++ frida mode.

tokatoka commented 1 year ago

Thanks for the info, so you mean these lines?

        for range in ranges.gaps(&(0..usize::MAX)) {
            println!("excluding range: {:x}-{:x}", range.start, range.end);
            stalker.exclude(&MemoryRange::new(
                NativePointer(range.start as *mut c_void),
                range.end - range.start,
            ));
        }

icepng commented 1 year ago

Thanks for the info, so you mean these lines?

        for range in ranges.gaps(&(0..usize::MAX)) {
            println!("excluding range: {:x}-{:x}", range.start, range.end);
            stalker.exclude(&MemoryRange::new(
                NativePointer(range.start as *mut c_void),
                range.end - range.start,
            ));
        }

Sure, I commented out stalker.exclude.

tokatoka commented 1 year ago

So it's not our issue, then I'll close this.

s1341 commented 1 year ago

This is the result of leaving out some -l arguments. There must be a clear line of execution from every function you want stalked back to the entry point. This is because of how frida-stalker works.
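As an added example (written for this page, not code from the LibAFL project or from anyone in this thread), here is a small Rust model of the gap-based exclusion in the snippet quoted above, combined with the "clear line of execution" point s1341 makes. It computes the gaps between the ranges listed with -l, exactly as `ranges.gaps(&(0..usize::MAX))` does, and then walks a constructed call chain from the entry point to find the first frame that lands in an excluded gap. The module names and addresses are constructed placeholders, and the chain walk is a simplified assumption about stalker behaviour (execution entering an excluded range is no longer followed), not frida-gum's real implementation.

```rust
use std::ops::Range;

/// Normalise instrumented ranges: sort by start and merge overlaps so that the
/// gap computation below only has to deal with disjoint, ordered intervals.
fn merge_ranges(mut ranges: Vec<Range<usize>>) -> Vec<Range<usize>> {
    ranges.sort_by_key(|r| r.start);
    let mut merged: Vec<Range<usize>> = Vec::new();
    for r in ranges {
        if let Some(last) = merged.last_mut() {
            if r.start <= last.end {
                last.end = last.end.max(r.end);
                continue;
            }
        }
        merged.push(r);
    }
    merged
}

/// Stand-in for `ranges.gaps(&bounds)` from the quoted snippet: every interval
/// inside `bounds` that is NOT covered by an instrumented (-l) range. These are
/// the intervals that get passed to `stalker.exclude`.
fn gaps(ranges: &[Range<usize>], bounds: Range<usize>) -> Vec<Range<usize>> {
    let merged = merge_ranges(ranges.to_vec());
    let mut out = Vec::new();
    let mut cursor = bounds.start;
    for r in &merged {
        if r.start > cursor {
            out.push(cursor..r.start.min(bounds.end));
        }
        cursor = cursor.max(r.end);
        if cursor >= bounds.end {
            break;
        }
    }
    if cursor < bounds.end {
        out.push(cursor..bounds.end);
    }
    out
}

/// True when `addr` falls inside one of the excluded gaps.
fn is_excluded(addr: usize, excluded: &[Range<usize>]) -> bool {
    excluded.iter().any(|r| r.contains(&addr))
}

/// Simplified model (assumption, not frida-gum's actual logic): walk the call
/// chain from the entry point and report the first frame inside an excluded gap.
/// From that frame on, execution is no longer followed, so later frames are not
/// stalked even if their own module was listed with -l.
fn first_unstalked_frame(
    chain: &[(&'static str, usize)],
    excluded: &[Range<usize>],
) -> Option<&'static str> {
    chain
        .iter()
        .find(|(_, addr)| is_excluded(*addr, excluded))
        .map(|(name, _)| *name)
}

fn main() {
    // Constructed sample: the harness and the target library were passed with -l,
    // but a helper library that sits between them on the call path was not.
    let instrumented: Vec<Range<usize>> = vec![0x1000..0x2000, 0x5000..0x6000];
    let excluded = gaps(&instrumented, 0..usize::MAX);
    for r in &excluded {
        println!("excluding range: {:x}-{:x}", r.start, r.end);
    }
    // Constructed call chain: harness entry -> helper library -> target function.
    let chain = [("harness", 0x1100usize), ("libhelper", 0x3200), ("libtarget", 0x5100)];
    match first_unstalked_frame(&chain, &excluded) {
        Some(name) => println!("execution enters an excluded range in {}; later frames are not stalked", name),
        None => println!("the whole call chain is stalked"),
    }
}
```

Running it prints the three excluded gaps and reports that `libhelper` is the first frame in an excluded range; adding the helper library's range to the instrumented list (the equivalent of one more -l argument) makes the whole chain stalked, which is the fix s1341 describes rather than commenting out the exclusion.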