googleprojectzero / winafl

A fork of AFL for fuzzing Windows binaries
Apache License 2.0

Persistent mode fuzzing with Intel-PT coverage #299

Open Lopierdis opened 3 years ago

Lopierdis commented 3 years ago

Hello,

I tried creating a project to fuzz in persistent mode (in_app persistent mode) using intel-pt for coverage.

It seems like this is not supported, I added while (__afl_persistent_loop()) to my harness and things seem to go astray.

Here are some details and examples:

This is an example of a harness:

#include "winafl/afl-staticinstr.h"
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <windows.h>

#pragma comment(lib, "user32.lib")

/* Append a formatted message to output.txt (used to trace the harness lifecycle). */
void write_to_log(const char *format, ...)
{
    va_list argptr;
    char output[0x100];
    DWORD dwBytesWritten = 0;
    HANDLE hFile = CreateFile("output.txt", FILE_APPEND_DATA, 0x0, NULL,
                              OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return;

    va_start(argptr, format);
    /* vsnprintf is bounded, so a long message cannot overflow output[] */
    vsnprintf(output, sizeof(output), format, argptr);
    va_end(argptr);

    WriteFile(hFile, output, (DWORD)strlen(output), &dwBytesWritten, NULL);
    CloseHandle(hFile);
}

typedef struct PACKET_INFO
{
    int a;
    int b;
    int c;
} PACKET_INFO;

/* Target function, the one passed to -target_method. packet_info is not
   filled from the input in this toy harness. */
void process_packet(PACKET_INFO *packet_info)
{
    write_to_log("Processing packet\n");
}

int main(void)
{
    PACKET_INFO packet_info;
    char input[sizeof(packet_info)];

    write_to_log("Harness started\n");
    /* in_app persistent mode: the loop body runs -fuzz_iterations times per process */
    while (__afl_persistent_loop())
    {
        /* bounded read: scanf("%s") without a width could overflow input[] */
        if (fgets(input, sizeof(input), stdin) == NULL)
            break;
        write_to_log("Received input: %s\n", input);
        process_packet(&packet_info);
    }
    write_to_log("Harness exiting\n");
    return 0;
}

And this is how I run the fuzzer:

afl-fuzz.exe -t 1000+ -i testcases -o findings -P -persistence_mode in_app -- -covtype bb -coverage_module harness.exe -target_module harness.exe -target_method process_packet -fuzz_iterations 10 -- harness.exe

I've also tried like this:

afl-fuzz.exe -t 1000+ -i testcases -o findings -P -persistence_mode in_app -- -covtype bb -coverage_module harness.exe -target_module harness.exe -target_method main -fuzz_iterations 10 -- harness.exe

I see 2 things happening:

  1. The fuzzer yells "cant't sync" (the typo is in the fuzzer itself, BTW)
  2. The harness is constantly starting and exiting, only receiving input once every 10 iterations.

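The harness in the post reads each test case with scanf("%s") into a buffer sized to the struct, so a test case longer than the struct overflows the buffer and a shorter one leaves the struct partly uninitialised. The following is an added example, not code from the issue or from winafl, of the per-iteration body a persistent-mode harness would run: a binary-safe bounded read and a length-checked parse into the same PACKET_INFO layout. The winafl loop is left out so it compiles anywhere; in the real harness, read_testcase and run_one_input (both hypothetical names) would be called inside while (__afl_persistent_loop()).

```c
#include <stdio.h>
#include <string.h>

/* Same layout as the PACKET_INFO struct in the harness above. */
typedef struct PACKET_INFO {
    int a;
    int b;
    int c;
} PACKET_INFO;

/* Upper bound on one test case; the fuzzer may hand us anything up to this size. */
#define MAX_INPUT 0x100

/* Copy one test case into a PACKET_INFO.
   Returns 0 on success, -1 if the test case is too short to hold the struct.
   (Hypothetical helper, not part of winafl or of the harness in the issue.) */
int parse_packet(const unsigned char *buf, size_t len, PACKET_INFO *out)
{
    if (buf == NULL || out == NULL || len < sizeof(PACKET_INFO))
        return -1;
    /* memcpy rather than a pointer cast: buf need not be aligned for int. */
    memcpy(out, buf, sizeof(PACKET_INFO));
    return 0;
}

/* Read one raw test case from a stream, at most cap bytes.
   Binary-safe: unlike scanf("%s") it does not stop at whitespace or NUL,
   and it can never write past cap bytes. Returns the number of bytes read. */
size_t read_testcase(FILE *in, unsigned char *buf, size_t cap)
{
    return fread(buf, 1, cap, in);
}

/* One fuzz iteration. Returns 1 if the packet was accepted and would be
   handed to process_packet, 0 if the test case was rejected as too short. */
int run_one_input(const unsigned char *buf, size_t len)
{
    PACKET_INFO pkt;
    if (parse_packet(buf, len, &pkt) != 0)
        return 0;   /* short input: reject instead of reading uninitialised fields */
    /* process_packet(&pkt) would be called here in the real harness */
    return 1;
}

int main(void)
{
    unsigned char buf[MAX_INPUT];
    size_t n = read_testcase(stdin, buf, sizeof(buf));
    return run_one_input(buf, n) ? 0 : 1;
}
```

Fed a file as stdin, the program exits 0 when the test case is at least sizeof(PACKET_INFO) bytes and 1 otherwise; in the persistent harness the same two calls replace the scanf line, so each of the -fuzz_iterations iterations consumes exactly one bounded test case.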
ifratric commented 3 years ago

in_app persistent mode is currently not supported with the Intel-PT coverage

Lopierdis commented 3 years ago

in_app persistent mode is currently not supported with the Intel-PT coverage

So my only options for in app persistent mode coverage guided fuzzing would be with either syzygy or DR?

ifratric commented 3 years ago

Well, you could also add the support for in app persistent mode in winaflpt.c :-)