googleprojectzero / winafl

A fork of AFL for fuzzing Windows binaries
Apache License 2.0

option -A (attach) is not working #348

Closed kismp123 closed 2 years ago

kismp123 commented 2 years ago

I'm trying to use the -A option (attach); however, somewhere the function "destroy_target_process" is called and it changes the attach pid:

  if (drattach) {
    // reset the attach pid for next round
    drattachpid = 0;
  }

As a result, the code below ran with child_pid == 0:

  child_handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, child_pid);

Log is here:

WinAFL 1.16b by <ifratric@google.com>
Based on AFL 2.43b by <lcamtuf@google.com>
Loading custom winAFL server library
dll_init is defined.
dll_run_ptr is defined.
dll_run_target isn't defined.
dll_write_to_testcase isn't defined.
dll_mutate_testcase isn't defined.
dll_trim_testcase isn't defined.
dll_mutate_testcase_with_energy isn't defined.
Sucessfully loaded and initalized
[+] You have 8 CPU cores with average utilization of 3%.
[+] Try parallel jobs - see afl_docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[+] Process affinity is set to 1.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'in'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...
Ready to begin fuzzing. Target IP= 127.0.0.1, target port = 39721

[-] PROGRAM ABORT : OpenProcess failed, GLE=87.

         Location : create_target_process(), C:\Users\-\Downloads\winafl\afl-fuzz.c:2557

Here are my commands:

set AFL_CUSTOM_DLL_ARGS=-p 39721 -a 127.0.0.1 -w 1000

afl-fuzz.exe -A KCaseLib.exe -l custom_net_fuzzer.dll -i in -o out -D C:\Users\-\Downloads\DynamoRIO-Windows-8.0.0-1\bin32 -t 100+ -- -coverage_module KcaseCms.dll -coverage_module KcaseCommon.dll -coverage_module KcaseCrypto.dll -fuzz_iterations 5000 -target_module KCaseLib.exe -target_offset 0x22620 -persistence_mode in_app -- "C:\Program Files (x86)\Ksign\KCase\KCaseLib.exe"

Can anyone give me an example of how to use attach?

ifratric commented 2 years ago

@OrBenPorath would appreciate if you could take a look.

OrBenPorath commented 2 years ago

When using the attach option, the target is not started, nor is it restarted when it is terminated (which is the expected behaviour in several cases), so one needs to start it externally whenever it is down.

It seems that find_attach_pid did not find a process with this module. The check in module_loaded_to_pid is a case sensitive comparison between the supplied module name, and the name returned from Module32First/Module32Next.

@kismp123 Can you verify that the target process is up when trying to attach, and that the module is loaded with the expected name and case, using Module32First/Module32Next?

In any case, it would probably be best to explicitly throw an error if we do not find a target process, and change the module name comparison to be case insensitive.
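
A way to check both points above (is the target up, and is the module loaded under the expected name), as an added example that is not WinAFL's own code: a Toolhelp32 walk over all running processes that compares each module's base name case-insensitively, which is also the comparison change suggested above. The function names `find_pid_with_module` and `module_name_equal_nocase` are my own, not WinAFL's; the Windows-specific enumeration is guarded by `_WIN32`, so only the comparison helper compiles on other platforms. Build it without UNICODE defined (it uses the ANSI PROCESSENTRY32/MODULEENTRY32 structures) and, when run as a 64-bit process against a 32-bit target, TH32CS_SNAPMODULE32 is needed to see the target's modules.

```c
/* Added example (not WinAFL code): find the first PID that has a given
   module loaded, comparing module base names case-insensitively. */
#include <stdio.h>
#include <ctype.h>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif

/* Return the base name of a path, so a full path and a bare file name can
   be compared ("C:\x\KCaseLib.exe" vs "kcaselib.exe"). Portable helper. */
static const char *basename_of(const char *path) {
    const char *p = path, *last = path;
    for (; *p; p++)
        if (*p == '\\' || *p == '/')
            last = p + 1;
    return last;
}

/* Case-insensitive comparison of two module names (hypothetical name).
   Returns 1 when the base names match, 0 otherwise. */
int module_name_equal_nocase(const char *a, const char *b) {
    const char *x = basename_of(a), *y = basename_of(b);
    for (;; x++, y++) {
        int cx = tolower((unsigned char)*x);
        int cy = tolower((unsigned char)*y);
        if (cx != cy) return 0;
        if (cx == 0) return 1;   /* both strings ended together */
    }
}

#ifdef _WIN32
/* Walk every process, then every module of that process, and return the
   first PID in which module_name is loaded; 0 if none (hypothetical name). */
unsigned long find_pid_with_module(const char *module_name) {
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;

    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);
    unsigned long found = 0;

    if (Process32First(snap, &pe)) {
        do {
            /* SNAPMODULE32 lets a 64-bit caller see a 32-bit target's modules.
               Processes we cannot open (e.g. protected ones) are skipped. */
            HANDLE ms = CreateToolhelp32Snapshot(
                TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pe.th32ProcessID);
            if (ms == INVALID_HANDLE_VALUE) continue;

            MODULEENTRY32 me;
            me.dwSize = sizeof(me);
            if (Module32First(ms, &me)) {
                do {
                    if (module_name_equal_nocase(me.szModule, module_name)) {
                        found = pe.th32ProcessID;
                        break;
                    }
                } while (Module32Next(ms, &me));
            }
            CloseHandle(ms);
            if (found) break;
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return found;
}

/* Usage: find_module.exe KCaseLib.exe */
int main(int argc, char **argv) {
    const char *mod = argc > 1 ? argv[1] : "KCaseLib.exe";
    unsigned long pid = find_pid_with_module(mod);
    if (pid)
        printf("%s is loaded in pid %lu\n", mod, pid);
    else
        printf("no running process has %s loaded\n", mod);
    return pid ? 0 : 1;
}
#endif
```

If this prints a PID while afl-fuzz still fails to attach, the name lookup is not the problem and the drrun attach step itself should be checked next. Opening a module snapshot of a process running at a higher integrity level fails, so run this with at least the privileges the target has.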

kismp123 commented 2 years ago

I added some prints in the function "create_target_process" to verify drattachpid:

  FUZZ_LOG("drattachpid = %d\n", drattachpid);          // <-- added
  if(!OverlappedConnectNamedPipe(pipe_handle, &pipe_overlapped)) {
      FATAL("ConnectNamedPipe failed, GLE=%d.\n", GetLastError());
  }
  FUZZ_LOG("drattachpid = %d\n", drattachpid);          // <-- added
  watchdog_enabled = 0;

  if (drattach) {
    child_pid = drattachpid;
    FUZZ_LOG("attach pid -> %d\n", child_pid);          // <-- added
    CloseHandle(child_handle);
    child_handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, child_pid);
    if (child_handle == NULL)
    {
      FATAL("OpenProcess failed, GLE=%d.\n", GetLastError());
    }

    CloseHandle(child_thread_handle);
    child_thread_handle = NULL;
  }

Log is here:

drattachpid = 20380
called destroy_target_process()
drattachpid = 0
attach pid -> 0

After "destroy_target_process" is called, the process is still running. The module name was found and drattachpid had the pid until "OverlappedConnectNamedPipe" was called.

OrBenPorath commented 2 years ago

Great, so we are finding the target properly.

The only reason I can see for this flow:

  drattachpid = 20380
  called destroy_target_process()
  drattachpid = 0
  attach pid -> 0

is that the watchdog times out before the target connects to the pipe. There are two possible reasons for it from the drrun.exe side:

  1. attach takes too long.
  2. attach fails.

accordingly, I would suggest:

  1. increase the timeout (I doubt it will solve the issue, but worth the shot).
  2. run the actual drrun.exe command line from cmd, and see if there are any errors. One possible error is not enough permissions to open the target process with PROCESS_ALL_ACCESS.

kismp123 commented 2 years ago

I logged again:

[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'in'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...
Ready to begin fuzzing. Target IP= 127.0.0.1, target port = 39721
C:\Users\-\Downloads\DynamoRIO-Windows-8.0.0-1\bin32\drrun.exe -attach 7804 -no_follow_children -c winafl.dll -coverage_module KcaseCms.dll -coverage_module KcaseCommon.dll -coverage_module KcaseCrypto.dll -fuzz_iterations 5000 -target_module KCaseLib.exe -target_offset 0x22620 -persistence_mode in_app -fuzzer_id 75028911141b71ef
drattachpid = 7804
drattachpid = 7804
destory_target_process()
drattachpid = 0
attach pid -> 0

I got C:\Users\-\Downloads\DynamoRIO-Windows-8.0.0-1\bin32\drrun.exe -attach 7804 -no_follow_children -c winafl.dll -coverage_module KcaseCms.dll -coverage_module KcaseCommon.dll -coverage_module KcaseCrypto.dll -fuzz_iterations 5000 -target_module KCaseLib.exe -target_offset 0x22620 -persistence_mode in_app -fuzzer_id 75028911141b71ef

and I ran this command:

C:\Users\-\Downloads\winafl\build32\bin\Release>C:\Users\-\Downloads\DynamoRIO-Windows-8.0.0-1\bin32\drrun.exe -attach 7804 -no_follow_children -c winafl.dll -coverage_module KcaseCms.dll -coverage_module KcaseCommon.dll -coverage_module KcaseCrypto.dll -fuzz_iterations 5000 -target_module KCaseLib.exe -target_offset 0x22620 -persistence_mode in_app -fuzzer_id 75028911141b71ef
ERROR: no app specified

USAGE: drrun [options] <app and args to run>
   or: drrun [options] -- <app and args to run>
   or: drrun [options] [DR options] -- <app and args to run>
   or: drrun [options] [DR options] -c <client> [client options] -- <app and args to run>
   or: drrun [options] [DR options] -t <tool> [tool options] -- <app and args to run>
       available tools include: drcachesim, drcov, drcpusim, drmemory, drmemory_light, handle_leaks, drstrace
Run with -help to see drrun option list

OrBenPorath commented 2 years ago

In that case, I think the error is much simpler: DynamoRIO 8.0.0 does not support attach. Try to run it with the latest DR release.

Also, the bitness of drrun and the target must be the same. Is the target also 32 bit?

The minimal required DR version should probably be documented (maybe after v9 is released, the documentation should just require v9).

kismp123 commented 2 years ago

Yes, the target is 32-bit. https://github.com/DynamoRIO/dynamorio/releases

[*] Attempting dry run with 'id_000000'...
Ready to begin fuzzing. Target IP= 127.0.0.1, target port = 39721
C:\Users\-\Downloads\DynamoRIO-Windows-8.0.18962\bin32\drrun.exe -attach 14476 -no_follow_children -c winafl.dll -coverage_module KcaseCms.dll -coverage_module KcaseCommon.dll -coverage_module KcaseCrypto.dll -fuzz_iterations 5000 -target_module KCaseLib.exe -target_offset 0x22620 -persistence_mode in_app -fuzzer_id 2e1468b9d16ccc82
drattachpid = 14476
drattachpid = 14476
destory_target_process()0 processes nudged
nudge operation failed, verify permissions and parameters.
drattachpid = 0
attach pid -> 0

[-] PROGRAM ABORT : OpenProcess failed, GLE=87.

         Location : create_target_process(), C:\Users\-\Downloads\winafl\afl-fuzz.c:2557

The 8.0.18962 drrun works for attaching, but I get the same error.

OrBenPorath commented 2 years ago

Yes, DR v9 is not out yet, but latest minor version should have attach functionality.

Same error in afl-fuzz? What about the drrun command? Same error?

kismp123 commented 2 years ago

Same error in afl-fuzz.

When I run the drrun command, there is no output. However, when I sent a packet I got this message:

---------------------------
WinAFL Notice: C:\Program Files (x86)\KSIGN\KCase\KCaseLib.exe(6180)
---------------------------
ASSERT FAILURE: C:\Users\-\Downloads\winafl\winafl.c:486: false (unrecognized command received over pipe:)
---------------------------
OK
---------------------------
OrBenPorath commented 2 years ago

So it seems that attach succeeds now (as winafl.dll was loaded to the target). You can verify the target is running under DR using drview.exe.

Can you try to use a significantly larger timeout value, and print the time/tickcount as well?

kismp123 commented 2 years ago

I think it works; I need to change my test cases haha, ty :D

[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...
Ready to begin fuzzing. Target IP= 127.0.0.1, target port = 39721
destory_target_process()C:\Users\-\Downloads\DynamoRIO-Windows-8.0.18962\bin32\drrun.exe -attach 17792 -no_follow_children -c winafl.dll -coverage_module KcaseCms.dll -coverage_module KcaseCommon.dll -coverage_module KcaseCrypto.dll -fuzz_iterations 5000 -target_module KCaseLib.exe -target_offset 0x22620 -persistence_mode in_app -fuzzer_id 6c710d71529e45f9
drattachpid = 17792
drattachpid = 17792
drattachpid = 17792
attach pid -> 17792
destory_target_process()1 processes nudged
[!] WARNING: Test case results in a timeout (skipping)
[*] Attempting dry run with 'id_000001'...
destory_target_process()C:\Users\-\Downloads\DynamoRIO-Windows-8.0.18962\bin32\drrun.exe -attach 0 -no_follow_children -c winafl.dll -coverage_module KcaseCms.dll -coverage_module KcaseCommon.dll -coverage_module KcaseCrypto.dll -fuzz_iterations 5000 -target_module KCaseLib.exe -target_offset 0x22620 -persistence_mode in_app -fuzzer_id 6c710d71529e45f9
drattachpid = 0
drattachpid = 0
destory_target_process()drattachpid = 0
attach pid -> 0

[-] PROGRAM ABORT : OpenProcess failed, GLE=87.

         Location : create_target_process(), C:\Users\-\Downloads\winafl\afl-fuzz.c:2557