googleprojectzero / winafl

A fork of AFL for fuzzing Windows binaries
Apache License 2.0

"Everything appears to be running normally" in afl-fuzz debug mode but fails to fuzz #282

Open 5n1p3r0010 opened 3 years ago

5n1p3r0010 commented 3 years ago

Hi,

I'm currently fuzzing the Windows icm module with WinAFL, with the following command line:

```
afl-fuzz.exe -M fuzzer01 -t 2000+ -D .\DynamoRIO-Windows-8.0.0-1\bin64\ -i .\icm -o Z:\R\Temp\icm -- -coverage_module icm32.dll -target_module icm.exe -target_method fuzzme -nargs 1 -- icm.exe @@
```

DynamoRIO version: 8.0.0-1, OS version: Windows 10 20H2 19042.685. icm.exe is the harness app that opens the icm file and translates it, written as follows:

```cpp
#include <windows.h>

// Exported target method; WinAFL locates it by name via -target_method fuzzme
extern "C" __declspec(dllexport) int fuzzme(wchar_t* file);

int wmain(int argc, wchar_t* argv[]) {
    if (argc < 2) return 1;
    // Pre-load the modules that icm32.dll resolves functions from
    LoadLibraryA("MSCTF.dll");
    LoadLibraryA("sechost.dll");
    fuzzme(argv[1]);
    return 0;
}

extern "C" __declspec(dllexport) int fuzzme(wchar_t* file) {
    /* do something with the file and return */
    return 0;
}
```

I manually load MSCTF.dll and sechost.dll here since Windows seems to get icm32.dll's function addresses from these two modules; if I don't do so, the debug log looks like the following:

```
Instrumenting ICM32.dll with the 'bb' mode
In pre_fuzz_handler
In post_fuzz_handler
Module loaded, MSCTF.dll
Module loaded, sechost.dll
Everything appears to be running normally.
```

I suspect that we can't load other modules while DynamoRIO is instrumenting, so I load them beforehand manually, but it still doesn't work normally.

When running in WinAFL debug mode like the following:

```
afl-fuzz.exe -M fuzzer01 -t 2000+ -D .\DynamoRIO-Windows-8.0.0-1\bin64\ -m 1024 -i .\icm -o Z:\R\Temp\icm -- -debug -coverage_module icm32.dll -target_module icm.exe -target_method fuzzme -nargs 1 -- icm.exe @@
```

I get the following log:

```
Module loaded, ICM32.dll
Instrumenting ICM32.dll with the 'bb' mode
In post_fuzz_handler
In pre_fuzz_handler
Everything appears to be running normally.
```

But when we fuzz it with administrator privileges like the following:

```
afl-fuzz.exe -M fuzzer01 -t 2000+ -D .\DynamoRIO-Windows-8.0.0-1\bin64\ -i .\icm -o Z:\R\Temp\icm -- -coverage_module icm32.dll -target_module icm.exe -target_method fuzzme -nargs 1 -- icm.exe @@
```

winafl just shows the following log:

```
[*] Setting up output directories...
[+] Output directory exists, will attempt session resume.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'R:\Temp\GdipConvertToEmfPlus\fuzzer01_resume'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...
成功: 已终止 PID 为 32048 的进程。
1 processes nudged
成功: 已终止 PID 为 29272 的进程。
1 processes nudged
成功: 已终止 PID 为 32372 的进程。
1 processes nudged
```

I just can't figure out what went wrong with this issue; I'd appreciate it if you could offer some help. Thanks.
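As an added example (not the reporter's harness and not WinAFL's own code), this is the shape a `-target_method fuzzme -nargs 1` harness needs: one exported function that takes the `@@` path, opens the file, releases the handle before returning, and returns normally on every input so WinAFL can loop it. It uses narrow strings and `fopen` so it also builds outside Windows; the ICC header check (128-byte header, "acsp" at offset 36) is a stand-in for the real icm32.dll processing, and the result codes and sample buffers are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Exported so WinAFL finds it by name (-target_method fuzzme);
   a no-op when this example is built outside Windows. */
#ifdef _WIN32
#define FUZZ_EXPORT __declspec(dllexport)
#else
#define FUZZ_EXPORT
#endif

/* Stand-in for the real icm32.dll call: ICC profiles have a 128-byte
   header with a big-endian size in bytes 0-3 and "acsp" at offset 36.
   Result codes are hypothetical. */
int parse_icc_header(const uint8_t *buf, size_t len, uint32_t *size_out) {
    if (len < 128) return -1;                        /* truncated header */
    if (memcmp(buf + 36, "acsp", 4) != 0) return -2; /* wrong signature */
    uint32_t size = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                    ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (size > len) return -3;                       /* size exceeds data */
    if (size_out) *size_out = size;
    return 0;
}

/* Target method: WinAFL calls it once per iteration with the path it put
   in place of @@. Close the file before returning so the next iteration
   can overwrite it; never exit() or leak the handle. */
FUZZ_EXPORT int fuzzme(const char *path) {
    uint8_t buf[4096];
    FILE *f = fopen(path, "rb");
    if (!f) return -4;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return parse_icc_header(buf, n, NULL);
}

/* Constructed in-memory samples (not real .icm files) so the example runs
   offline; returns 1 when all three cases behave as expected. */
int check_constructed_samples(void) {
    uint8_t good[128] = {0}, bad[128] = {0}, tiny[16] = {0};
    uint32_t sz = 0;
    good[3] = 128;                                   /* size = 128 */
    memcpy(good + 36, "acsp", 4);
    memcpy(bad + 36, "xxxx", 4);
    return parse_icc_header(good, sizeof good, &sz) == 0 && sz == 128
        && parse_icc_header(bad, sizeof bad, NULL) == -2
        && parse_icc_header(tiny, sizeof tiny, NULL) == -1;
}

int main(int argc, char **argv) {
    return argc < 2 ? 1 : fuzzme(argv[1]);           /* argv[1] is @@ */
}
```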

ifratric commented 3 years ago

Two thoughts here:

5n1p3r0010 commented 3 years ago

So happy that my worshiper replies to me personally. It still can't work when setting -fuzz_iterations, and for the test usage there is actually only one corpus file in the input directory. If you are interested in fixing this, I'd like to send the harness code by email.

However, the very same harness code works fine with the newly released Jackalope; maybe it's time to try that tool.

Thanks for the excellent project Winafl and Jackalope.

ifratric commented 3 years ago

If it works in Jackalope, then perhaps it's an issue with DynamoRIO, you could try getting a more recent DR version from https://github.com/DynamoRIO/dynamorio/releases and rebuild WinAFL with it.