googleprojectzero / winafl

A fork of AFL for fuzzing Windows binaries
Apache License 2.0

The application crashes when I try to make sure that the target is working correctly under DynamoRIO with -c WinAFL.dll client module. #209

Open JeySamir opened 4 years ago

JeySamir commented 4 years ago

Hello. The application crashes when I try to make sure that the target is working correctly under DynamoRIO with -c WinAFL.dll client module. I try this: D:/.../DynamoRIO-Windows-7.91.18151-0/bin64/drrun.exe -c winafl.dll -debug -target_module UnityPlayer.dll -target_offset 0x87DB90 -coverage_module UnityPlayer.dll -fuzz_iterations 10 -nargs 1 -- SCPSL.exe -batchmode -nographics

By running the same thing and connecting the debugger to the application, I get an exception in different places where there is an attempt to write some data to a segment that does not have write permissions: 00007FF7752195D0 movaps xmmword ptr [**rcx**-10h], xmm0 <==== Exception here

WINDBG>r
rax=00000203b256ec20 rbx=00000203b50bc020 **rcx=00000203b256ec30**
rdx=0000000002fc5470 rsi=0000000000000000 rdi=00000203b256ec20
rip=00007ff7752195d0 rsp=00000021b34fea38 rbp=00000203b551c110
 r8=0000000000000474  r9=0000000000000008 r10=00000203b5534090
r11=00000203b256ec20 r12=00000203af8e2d20 r13=00000203b4f288a8
r14=0000000000000000 r15=00000203b046dbf0
iopl=0         nv up ei pl nz na pe cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010203
00007ff7`752195d0 0f2941f0        movaps  xmmword ptr [rcx-10h],xmm0 ds:00000203`b256ec20=00000000000000000000000000000000

Address 0x203B256EC30 belongs to a segment with a base address of 0x203b2560000, which doesn't have write permission.

   BaseAddress      EndAddress+1        RegionSize     Type       State                 Protect             Usage
--------------------------------------------------------------------------------------------------------------------------
...
+      203`b2560000      203`b2570000        0`00010000 MEM_PRIVATE MEM_COMMIT  PAGE_EXECUTE_READ                  <unknown>  [UH..H..PH.u.H...]  <=========== Address 0x203B256EC30 belongs to this segment, which doesn't have write permission.
+      203`b2570000      203`b25b0000        0`00040000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unknown>  [H...............]
...

As a result, I get exception code c0000005 (ACCESS VIOLATION).

afl.SCPSL.exe.17084.0000.proc.log

Module loaded, dynamorio.dll
Module loaded, UnityPlayer.dll
Module loaded, winafl.dll
Module loaded, drx.dll
Module loaded, drreg.dll
Module loaded, drmgr.dll
Module loaded, drwrap.dll
Module loaded, SCPSL.exe
Module loaded, AcGenral.dll
Module loaded, OPENGL32.dll
Module loaded, GLU32.dll
Module loaded, WINHTTP.dll
Module loaded, WindowsCodecs.dll
Module loaded, VERSION.dll
Module loaded, MPR.dll
Module loaded, WINMMBASE.dll
Module loaded, WINMM.dll
Module loaded, apphelp.dll
Module loaded, HID.DLL
Module loaded, dxcore.dll
Module loaded, SspiCli.dll
Module loaded, USERENV.dll
Module loaded, UMPDC.dll
Module loaded, POWRPROF.dll
Module loaded, AppCore.dll
Module loaded, MSASN1.dll
Module loaded, profapi.dll
Module loaded, bcrypt.dll
Module loaded, Windows.Storage.dll
Module loaded, ucrtbase.dll
Module loaded, CRYPT32.dll
Module loaded, CRYPTSP.dll
Module loaded, CFGMGR32.dll
Module loaded, msvcp_win.dll
Module loaded, win32u.dll
Module loaded, bcryptPrimitives.dll
Module loaded, gdi32full.dll
Module loaded, KERNELBASE.dll
Module loaded, SECHOST.dll
Module loaded, KERNEL32.dll
Module loaded, WS2_32.dll
Module loaded, ADVAPI32.dll
Module loaded, IMM32.dll
Module loaded, combase.dll
Module loaded, msvcrt.dll
Module loaded, OLEAUT32.dll
Module loaded, RPCRT4.dll
Module loaded, SHLWAPI.dll
Module loaded, SHELL32.dll
Module loaded, SETUPAPI.dll
Module loaded, GDI32.dll
Module loaded, SHCORE.dll
Module loaded, USER32.dll
Module loaded, ole32.dll
Module loaded, ntdll.dll
Instrumenting UnityPlayer.dll with the 'bb' mode
Module loaded, UxTheme.dll
In OpenFileW, reading D:/Steam/steamapps/common/SCP Secret Laboratory/SCPSL_Data/boot.config
In OpenFileW, reading D:\Steam\steamapps\common\SCP Secret Laboratory\SCPSL_Data\app.info
Module loaded, MSWSOCK.dll
Module loaded, PSAPI.DLL
Module loaded, CRYPTBASE.dll
Module loaded, mono-2.0-bdwgc.dll
In OpenFileW, reading D:\Steam\steamapps\common\SCP Secret Laboratory\SCPSL_Data\Managed\mscorlib.dll
In OpenFileW, reading D:\Steam\steamapps\common\SCP Secret Laboratory\SCPSL_Data\Managed\mscorlib.dll.dll.la
In OpenFileW, reading D:\Steam\steamapps\common\SCP Secret Laboratory\SCPSL_Data\Managed/mono/aot-cache/amd64/mscorlib.dll.dll.la
In OpenFileW, reading D:\Steam\steamapps\common\SCP Secret Laboratory\SCPSL_Data\Managed\mscorlib.dll.config
In OpenFileW, reading D:\Steam\steamapps\common\SCP Secret Laboratory\MonoBleedingEdge\etc\mono\assemblies\mscorlib\mscorlib.config
In OpenFileW, reading C:\Users\User0\.mono\assemblies\mscorlib\mscorlib.config
In OpenFileW, reading D:\Steam\steamapps\common\SCP Secret Laboratory\MonoBleedingEdge\etc\mono\config
In OpenFileW, reading D:\Steam\steamapps\common\SCP Secret Laboratory\SCPSL_Data\globalgamemanagers
Module loaded, AudioPluginDissonance.dll
Module loaded, MSCTF.dll
In OpenFileW, reading C:\Users\User0\AppData\LocalLow\Hubert Moszka\SCPSL\output_log.txt
In OpenFileW, reading C:\Users\User0\AppData\LocalLow\Hubert Moszka\SCPSL\output_log.txt
In OpenFileW, reading D:\Steam\steamapps\common\SCP Secret Laboratory\SCPSL_Data\Resources\unity default resources
Module loaded, CLBCatQ.DLL
Module loaded, DEVOBJ.dll
Module loaded, MMDevAPI.DLL
Module loaded, WinTypes.dll
Module loaded, AudioSes.DLL
Module loaded, ResourcePolicyClient.dll
Module loaded, AVRT.dll
In OpenFileW, reading D:\Steam\steamapps\common\SCP Secret Laboratory\SCPSL_Data\Managed\UnityEngine.dll
...
Module loaded, discord-rpc.dll
In OpenFileW, reading \\?\pipe\discord-ipc-0
In OpenFileW, reading \\?\pipe\discord-ipc-1
In OpenFileW, reading \\?\pipe\discord-ipc-2
In OpenFileW, reading \\?\pipe\discord-ipc-3
In OpenFileW, reading \\?\pipe\discord-ipc-4
In OpenFileW, reading \\?\pipe\discord-ipc-5
In OpenFileW, reading \\?\pipe\discord-ipc-6
In OpenFileW, reading \\?\pipe\discord-ipc-7
In OpenFileW, reading \\?\pipe\discord-ipc-8
In OpenFileW, reading \\?\pipe\discord-ipc-9
In OpenFileW, reading D:\Steam\steamapps\common\SCP Secret Laboratory\SCPSL_Data\Managed\advapi32.dll.la
In OpenFileW, reading D:\Steam\steamapps\common\SCP Secret Laboratory\SCPSL_Data\Managed\advapi32.dll.la
In OpenFileW, reading \\?\pipe\discord-ipc-0
In OpenFileW, reading \\?\pipe\discord-ipc-1
In OpenFileW, reading \\?\pipe\discord-ipc-2
In OpenFileW, reading \\?\pipe\discord-ipc-3
In OpenFileW, reading \\?\pipe\discord-ipc-4
In OpenFileW, reading \\?\pipe\discord-ipc-5
In OpenFileW, reading \\?\pipe\discord-ipc-6
In OpenFileW, reading \\?\pipe\discord-ipc-7
In OpenFileW, reading \\?\pipe\discord-ipc-8
In OpenFileW, reading \\?\pipe\discord-ipc-9
Exception caught: c0000005
crashed
WARNING: Target function was never called. Incorrect target_offset?
Coverage map follows:

I don't get any crash when I try this: D:/0my/src/DynamoRIO-Windows-7.91.18151-0/bin64/drrun.exe -- SCPSL.exe -batchmode -nographics

Not sure if the problem is WinAFL, DynamoRIO or something else.

Versions:

Windows 10 Pro version 10.0.18362 build 18362
DynamoRIO-Windows-7.91.18151-0
MSVC 10.0.18362.0
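The check the report above performs by hand (find the `!address` region that contains the faulting store and see whether its protection allows writes) can be scripted over the debugger output. The following is an added example, not code from the issue or from the WinAFL project; the two region lines are constructed from the table quoted in the post, and the parser only handles the column layout shown there. It also goes slightly beyond the single case in the post by checking every byte of a multi-byte store, so a 16-byte `movaps` that straddles an executable-read page and a read-write page, or runs past the end of a mapping, is flagged as well.

```python
import re

# Constructed sample in the layout of WinDbg's `!address` output, taken from the
# two region lines quoted in the issue: base, end+1, size, type, state, protection.
SAMPLE_ADDRESS_OUTPUT = """\
   BaseAddress      EndAddress+1        RegionSize     Type       State                 Protect             Usage
--------------------------------------------------------------------------------------------------------------------------
+      203`b2560000      203`b2570000        0`00010000 MEM_PRIVATE MEM_COMMIT  PAGE_EXECUTE_READ                  <unknown>  [UH..H..PH.u.H...]
+      203`b2570000      203`b25b0000        0`00040000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unknown>  [H...............]
"""

# Page protections whose pages accept stores. PAGE_GUARD / PAGE_NOACCESS are
# modifiers that veto writes regardless of the base protection.
WRITABLE_PROTECTIONS = {
    "PAGE_READWRITE", "PAGE_WRITECOPY",
    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY",
}

# One region row: optional '+', three backtick-separated hex columns, type, state,
# then one or more PAGE_* flags joined by '|'. Header, separator and '...' rows
# do not match and are skipped.
REGION_RE = re.compile(
    r"^\+?\s*([0-9a-f`]+)\s+([0-9a-f`]+)\s+([0-9a-f`]+)\s+"
    r"(MEM_\w+)\s+(MEM_\w+)\s+(PAGE_\w+(?:\s*\|\s*PAGE_\w+)*)",
    re.IGNORECASE,
)


def parse_regions(text):
    """Parse `!address`-style rows into dicts with integer base/end and flags."""
    regions = []
    for line in text.splitlines():
        m = REGION_RE.match(line)
        if not m:
            continue
        regions.append({
            "base": int(m.group(1).replace("`", ""), 16),
            "end": int(m.group(2).replace("`", ""), 16),   # EndAddress+1, exclusive
            "type": m.group(4).upper(),
            "state": m.group(5).upper(),
            "protect": {p.strip().upper() for p in m.group(6).split("|")},
        })
    return regions


def find_region(regions, addr):
    """Return the region containing addr, or None if addr is unmapped."""
    for r in regions:
        if r["base"] <= addr < r["end"]:
            return r
    return None


def is_writable(region):
    """True if the region is committed and its protection permits stores."""
    if region is None or region["state"] != "MEM_COMMIT":
        return False
    if region["protect"] & {"PAGE_GUARD", "PAGE_NOACCESS"}:
        return False
    return bool(region["protect"] & WRITABLE_PROTECTIONS)


def store_is_allowed(regions, addr, size=1):
    """True only if every byte of [addr, addr+size) lies in a writable region.

    Covers the straddling case (a store crossing into a non-writable or
    unmapped neighbour) by requiring the writable regions to cover all bytes.
    """
    lo, hi = addr, addr + size
    covered = 0
    for r in regions:
        if r["end"] <= lo or r["base"] >= hi:
            continue                      # no overlap with the store
        if not is_writable(r):
            return False
        covered += min(r["end"], hi) - max(r["base"], lo)
    return covered == size


if __name__ == "__main__":
    regions = parse_regions(SAMPLE_ADDRESS_OUTPUT)
    # The faulting instruction from the post: movaps [rcx-10h], xmm0 with
    # rcx = 0x203b256ec30, i.e. a 16-byte store to 0x203b256ec20.
    target = 0x203B256EC30 - 0x10
    r = find_region(regions, target)
    print(f"store to {target:#x} lands in region {r['base']:#x}-{r['end']:#x} "
          f"({'|'.join(sorted(r['protect']))}); allowed={store_is_allowed(regions, target, 16)}")
```

The output names the region and its protection for the address in the report, which is the same conclusion the post reaches by reading the table; the same function applied to any other `!address` dump and faulting address tells you in one call whether the access violation is explained by page protection or needs a different explanation (such as an unmapped address or a guard page).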

BiTOk commented 4 years ago

I had the same problem with another application. This is due to this line in afl client: https://github.com/googleprojectzero/winafl/blob/a3200244a03cbcf9cd696bf9fbacb2c0c4953313/winafl.c#L230. Try to comment it out and rebuild winafl. By now I don't understand why this line is here.