angr / tracer

Utilities for generating dynamic traces
BSD 2-Clause "Simplified" License

shellphish-qemu-linux-x86_64 doesn't print any trace logs #75

Closed hooki closed 5 years ago

hooki commented 5 years ago

When running the example below, I found that the shellphish-qemu-linux-x86_64 doesn't print any trace logs.

[ buggy.c ]

#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
  char buffer[6] = {0};
  int i;
  int *null = 0;

  /* Read up to 6 bytes from stdin into the buffer. */
  read(0, buffer, 6);
  /* Deliberate bug: the exact input "7/42a8" dereferences a null pointer
     and crashes; any other input falls through to the message below. */
  if (buffer[0] == '7' && buffer[1] == '/' && buffer[2] == '4'
      && buffer[3] == '2' && buffer[4] == 'a' && buffer[5] == '8') {
    i = *null;
  }

  puts("No problem");
  return 0;
}

[ TEST ]

(angr) root@5c0d51f37484:~/driller# echo /42a8 | /root/.virtualenvs/angr/lib/python3.5/site-packages/shellphish_qemu/bin/shellphish-qemu-linux-x86_64 -C log1 -E LD_BIND_NOW=1 -D log2 ./buggy
No problem
(angr) root@5c0d51f37484:~/driller# ls
afl-2.52b  afl-latest.tgz  buggy  buggy.c  run_driller.py  workdir
hooki commented 5 years ago

The -d option does not seem to work.

[ TEST ]

# echo 7/47 | /root/.virtualenvs/angr/lib/python3.5/site-packages/shellphish_qemu/bin/shellphish-qemu-linux-x86_64 -C log1 -E LD_BIND_NOW=1 -d exec,nochain,page -D log2 --trace ./buggy
Log items (comma separated):
out_asm    show generated host assembly code for each compiled TB
in_asm     show target assembly code for each compiled TB
op         show micro ops for each compiled TB
op_opt     show micro ops (x86 only: before eflags optimization) and
after liveness analysis
int        show interrupts/exceptions in short format
exec       show trace before each executed TB (lots of logs)
cpu        show CPU state before block translation
mmu        log MMU-related activities
pcall      x86 only: show protected mode far calls/returns/exceptions
cpu_reset  show CPU state before CPU resets
ioport     show all i/o ports accesses
unimp      log unimplemented functionality
guest_errors log when the guest OS does something invalid (eg accessing a
non-existent register)
rhelmot commented 5 years ago

The shellphish-qemu from pypi is a little old. You should try using the one from https://github.com/angr/wheels. I’ll close this issue when I update it on pypi.

rhelmot commented 5 years ago

Updated.