Sentinel-One / peafl64

Static Binary Instrumentation tool for Windows x64 executables
GNU Affero General Public License v3.0

When I try to fuzz clfs, peafl64 errors out #9

Closed zhefox closed 3 months ago

zhefox commented 3 months ago

```
C:\Users\user\Desktop\fuzz\peafl64>python .\pe_afl.py -l 1 -nt "C:\Windows\System32\ntoskrnl.exe" demo\clfs.sys demo\clfs.sys.dump.json
[] Kernel-mode driver is being instrumented
[] Preparing new sections
[] Added section .text^
[] Added section PAGE^
[] Added section fothk^
[] Added section INIT^
[] Added section .cov
[] Expanding relative jumps
[] Expanded 5675 of 17283 branches
[] Building address map
[] Updating relative instructions
[] Updating relocations...
Traceback (most recent call last):
  File "C:\Users\user\Desktop\fuzz\peafl64\pe_afl.py", line 137, in <module>
    main()
  File "C:\Users\user\Desktop\fuzz\peafl64\pe_afl.py", line 133, in main
    instrument.run(ida, args, shellcode_for_addr)
  File "C:\Users\user\Desktop\fuzz\peafl64\instrument.py", line 1377, in run
    cut_size, append = process_pe(ida, args, injections_dict)
  File "C:\Users\user\Desktop\fuzz\peafl64\instrument.py", line 1186, in process_pe
    updated_dynamic_relocs = get_updated_dynamic_relocs()
  File "C:\Users\user\Desktop\fuzz\peafl64\instrument.py", line 314, in get_updated_dynamic_relocs
    drt = IMAGE_DYNAMIC_RELOCATION_TABLE.from_pe(pe)
  File "C:\Users\user\Desktop\fuzz\peafl64\drt.py", line 54, in from_pe
    reloc = IMAGE_DYNAMIC_RELOCATION.from_bytes(dynamic_reloc_data[idx:])
  File "C:\Users\user\Desktop\fuzz\peafl64\drt.py", line 110, in from_bytes
    reloc = IMAGE_BASE_RELOCATION.from_bytes(reloc_data[idx:])
  File "C:\Users\user\Desktop\fuzz\peafl64\drt.py", line 155, in from_bytes
    struct.unpack('<' + 'H' * base_reloc.num_of_type_offsets,
struct.error: unpack requires a buffer of 51512 byte
```

zhefox commented 3 months ago

```
C:\Users\user\Desktop\fuzz\peafl64>python .\pe_afl.py -l 1 -nt "C:\Windows\System32\ntoskrnl.exe" demo\clfs.sys demo\clfs.sys.dump.json
[] Kernel-mode driver is being instrumented
[] Preparing new sections
[] Added section .text^
[] Added section PAGE^
[] Added section fothk^
[] Added section INIT^
[] Added section .cov
[] Expanding relative jumps
[] Expanded 5675 of 17283 branches
[] Building address map
[] Updating relative instructions
[] Updating relocations...
Number of type offsets: 52
Number of type offsets: 56
Number of type offsets: 30
Number of type offsets: 26
Number of type offsets: 54
Number of type offsets: 28
Number of type offsets: 26
Number of type offsets: 70
Number of type offsets: 38
Number of type offsets: 72
Number of type offsets: 6
Number of type offsets: 2
Number of type offsets: 60
Number of type offsets: 72
Number of type offsets: 30
Number of type offsets: 36
Number of type offsets: 42
Number of type offsets: 14
Number of type offsets: 32
Number of type offsets: 36
Number of type offsets: 58
Number of type offsets: 42
Number of type offsets: 38
Number of type offsets: 58
Number of type offsets: 80
Number of type offsets: 38
Number of type offsets: 34
Number of type offsets: 42
Number of type offsets: 18
Number of type offsets: 30
Number of type offsets: 18
Number of type offsets: 50
Number of type offsets: 50
Number of type offsets: 70
Number of type offsets: 60
Number of type offsets: 74
Number of type offsets: 30
Number of type offsets: 46
Number of type offsets: 46
Number of type offsets: 38
Number of type offsets: 38
Number of type offsets: 88
Number of type offsets: 46
Number of type offsets: 54
Number of type offsets: 44
Number of type offsets: 48
Number of type offsets: 38
Number of type offsets: 108
Number of type offsets: 92
Number of type offsets: 104
Number of type offsets: 60
Number of type offsets: 54
Number of type offsets: 10
Number of type offsets: 32
Number of type offsets: 64
Number of type offsets: 82
Number of type offsets: 68
Number of type offsets: 122
Number of type offsets: 64
Number of type offsets: 70
Number of type offsets: 54
Number of type offsets: 42
Number of type offsets: 50
Number of type offsets: 36
Number of type offsets: 32
Number of type offsets: 26
Number of type offsets: 26
Number of type offsets: 42
Number of type offsets: 56
Number of type offsets: 58
Number of type offsets: 32
Number of type offsets: 24
Number of type offsets: 20
Number of type offsets: 26
Number of type offsets: 40
Number of type offsets: 40
Number of type offsets: 34
Number of type offsets: 32
Number of type offsets: 68
Number of type offsets: 74
Number of type offsets: 40
Number of type offsets: 4
Buffer length: 11616 bytes
Number of type offsets: 8
Number of type offsets: 22
Number of type offsets: 6
Number of type offsets: 12
Number of type offsets: 10
Number of type offsets: 18
Number of type offsets: 12
Number of type offsets: 10
Number of type offsets: 16
Number of type offsets: 30
Number of type offsets: 12
Number of type offsets: 6
Number of type offsets: 18
Number of type offsets: 18
Number of type offsets: 16
Number of type offsets: 38
Number of type offsets: 32
Number of type offsets: 8
Number of type offsets: 10
Number of type offsets: 4
Number of type offsets: 10
Number of type offsets: 18
Number of type offsets: 4
Number of type offsets: 18
Number of type offsets: 4
Number of type offsets: 14
Number of type offsets: 6
Number of type offsets: 2
Number of type offsets: 10
Number of type offsets: 20
Number of type offsets: 4
Number of type offsets: 2
Number of type offsets: 4
Number of type offsets: 12
Number of type offsets: 6
Number of type offsets: 12
Number of type offsets: 6
Number of type offsets: 12
Number of type offsets: 6
Number of type offsets: 8
Number of type offsets: 2
Number of type offsets: 6
Number of type offsets: 14
Number of type offsets: 28
Number of type offsets: 18
Number of type offsets: 22
Number of type offsets: 6
Number of type offsets: 22
Number of type offsets: 18
Number of type offsets: 4
Number of type offsets: 8
Number of type offsets: 6
Number of type offsets: 8
Number of type offsets: 16
Number of type offsets: 4
Number of type offsets: 6
Number of type offsets: 12
Number of type offsets: 12
Number of type offsets: 6
Number of type offsets: 12
Number of type offsets: 28
Number of type offsets: 30
Number of type offsets: 24
Number of type offsets: 18
Number of type offsets: 20
Number of type offsets: 24
Number of type offsets: 14
Number of type offsets: 18
Number of type offsets: 2
Number of type offsets: 16
Number of type offsets: 6
Number of type offsets: 12
Number of type offsets: 14
Number of type offsets: 14
Number of type offsets: 24
Number of type offsets: 6
Number of type offsets: 22
Buffer length: 11616 bytes
Number of type offsets: 25756
Traceback (most recent call last):
  File "C:\Users\user\Desktop\fuzz\peafl64\pe_afl.py", line 137, in <module>
    main()
  File "C:\Users\user\Desktop\fuzz\peafl64\pe_afl.py", line 133, in main
    instrument.run(ida, args, shellcode_for_addr)
  File "C:\Users\user\Desktop\fuzz\peafl64\instrument.py", line 1377, in run
    cut_size, append = process_pe(ida, args, injections_dict)
  File "C:\Users\user\Desktop\fuzz\peafl64\instrument.py", line 1186, in process_pe
    updated_dynamic_relocs = get_updated_dynamic_relocs()
  File "C:\Users\user\Desktop\fuzz\peafl64\instrument.py", line 314, in get_updated_dynamic_relocs
    drt = IMAGE_DYNAMIC_RELOCATION_TABLE.from_pe(pe)
  File "C:\Users\user\Desktop\fuzz\peafl64\drt.py", line 54, in from_pe
    reloc = IMAGE_DYNAMIC_RELOCATION.from_bytes(dynamic_reloc_data[idx:])
  File "C:\Users\user\Desktop\fuzz\peafl64\drt.py", line 111, in from_bytes
    reloc = IMAGE_BASE_RELOCATION.from_bytes(reloc_data[idx:])
  File "C:\Users\user\Desktop\fuzz\peafl64\drt.py", line 159, in from_bytes
    struct.unpack('<' + 'H' * base_reloc.num_of_type_offsets,
struct.error: unpack requires a buffer of 51512 bytes
```

Kristal-g commented 3 months ago

Hi, I see it failed inside the Dynamic Value Relocation Table parsing stage. The usage of DVRT is expanded from time to time by Microsoft, for example for their new function override feature. So it's either that, or that there's a bug in the code (sounds probable).

If you can share the file with me (here or by a direct message) I would be able to help debug the issue. Otherwise, you can try adding this between lines 108 and 109:

```python
# Skip body parsing for dynamic relocations whose symbol is 1, 2, 6 or 7
# (7 is the function override table); return the header entry as-is.
if dynamic_reloc.symbol in (1, 2, 6, 7):
    return dynamic_reloc
```
zhefox commented 3 months ago

I added the patch code you gave; it is correct, and now I have successfully fixed the problem.

Kristal-g commented 3 months ago

Unfortunately, if that worked it probably means you have the function override feature in the binary and that could break the instrumentation (it will cause the OS to use uninstrumented functions and then it'll crash).

peafl64 should edit the function override blocks as well to point to the instrumented functions.
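To make the two points in this thread concrete (the DVRT parse failing on an entry whose body is not a plain base-relocation list, and the function override blocks needing to survive parsing so the instrumenter can rewrite them later), here is an added example of a bounds-checked Dynamic Value Relocation Table parser. It is not peafl64's code, nor a patch for drt.py. It assumes the winnt.h layout for a version 1 table with 64-bit entries (an 8-byte table header of Version/Size, then entries of an 8-byte Symbol and a 4-byte BaseRelocSize followed by BaseRelocSize bytes of IMAGE_BASE_RELOCATION blocks); the set of symbols treated as opaque is taken from the patch above rather than verified against every Windows build; all names (`parse_dvrt`, `DvrtError`, `make_sample_table`) and the sample bytes are constructed for the example.

```python
import struct
from dataclasses import dataclass, field

# Symbol 7 is the function override table named in this thread. The full set of
# symbols skipped here ({1, 2, 6, 7}) follows the patch posted above and is an
# assumption of this example, not a verified list of every non-base-reloc format.
IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE = 7
OPAQUE_SYMBOLS = {1, 2, 6, IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE}


class DvrtError(ValueError):
    """Raised for a malformed or unexpected table instead of a bare struct.error."""


@dataclass
class BaseRelocBlock:
    page_rva: int
    entries: list  # (high 4 bits, low 12-bit page offset) per WORD


@dataclass
class DynamicReloc:
    symbol: int
    payload: bytes                               # raw BaseRelocSize bytes, kept for later editing
    blocks: list = field(default_factory=list)   # parsed only for non-opaque symbols


def parse_base_reloc_blocks(buf: bytes) -> list:
    """Walk IMAGE_BASE_RELOCATION blocks, validating SizeOfBlock before unpacking."""
    blocks, idx = [], 0
    while idx < len(buf):
        if len(buf) - idx < 8:
            raise DvrtError(f"truncated block header at offset {idx}")
        page_rva, size_of_block = struct.unpack_from("<II", buf, idx)
        remaining = len(buf) - idx
        # This is the check whose absence turns a format mismatch into a struct.error:
        # never derive a WORD count from SizeOfBlock without checking it fits.
        if size_of_block < 8 or size_of_block > remaining or size_of_block % 2:
            raise DvrtError(f"bad SizeOfBlock {size_of_block} at offset {idx} "
                            f"({remaining} bytes remain)")
        count = (size_of_block - 8) // 2
        words = struct.unpack_from(f"<{count}H", buf, idx + 8)
        blocks.append(BaseRelocBlock(page_rva, [(w >> 12, w & 0xFFF) for w in words]))
        idx += size_of_block
    return blocks


def parse_dvrt(data: bytes) -> list:
    """Parse a version 1 IMAGE_DYNAMIC_RELOCATION_TABLE with 64-bit entries."""
    if len(data) < 8:
        raise DvrtError("table too short for header")
    version, size = struct.unpack_from("<II", data, 0)
    if version != 1:
        raise DvrtError(f"unsupported DVRT version {version}")
    if size > len(data) - 8:
        raise DvrtError("DVRT Size exceeds the directory")
    relocs, idx, end = [], 8, 8 + size
    while idx < end:
        if end - idx < 12:
            raise DvrtError(f"truncated IMAGE_DYNAMIC_RELOCATION at offset {idx}")
        symbol, base_reloc_size = struct.unpack_from("<QI", data, idx)
        idx += 12
        if base_reloc_size > end - idx:
            raise DvrtError(f"BaseRelocSize {base_reloc_size} overruns table at offset {idx}")
        reloc = DynamicReloc(symbol, data[idx:idx + base_reloc_size])
        # Opaque entries are skipped by size, not returned early, so the rest of the
        # table still parses and the payload stays available for later rewriting.
        if symbol not in OPAQUE_SYMBOLS:
            reloc.blocks = parse_base_reloc_blocks(reloc.payload)
        relocs.append(reloc)
        idx += base_reloc_size
    return relocs


def make_sample_table() -> bytes:
    """Constructed sample: one ordinary entry, then a function override entry whose
    body, read as a base-reloc block, would claim a 51520-byte block."""
    plain = struct.pack("<II", 0x1000, 12) + struct.pack("<HH", 0x1010, 0x1020)
    override = struct.pack("<II", 0x2000, 51520) + b"\x00" * 8
    entries = (struct.pack("<QI", 4, len(plain)) + plain +
               struct.pack("<QI", IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE, len(override)) + override)
    return struct.pack("<II", 1, len(entries)) + entries


if __name__ == "__main__":
    for r in parse_dvrt(make_sample_table()):
        print(f"symbol={r.symbol} payload={len(r.payload)} bytes blocks={len(r.blocks)}")
```

Running it parses both entries: the ordinary one yields a block at RVA 0x1000 with two offsets, while the override entry is carried through as 16 raw bytes; feeding that same payload to `parse_base_reloc_blocks` raises `DvrtError` with the offending size, which is the diagnostic you want instead of the `struct.error` in the traceback above.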

zhefox commented 3 months ago

This is a really bad question, very sad.

Kristal-g commented 3 months ago

@zhefox I opened a PR that fixes it. You can try it while I work on merging it

zhefox commented 3 months ago

Thank you, I'll try it.

zhefox commented 3 months ago

I think this problem has been solved, you are awesome!