googleprojectzero / winafl

A fork of AFL for fuzzing Windows binaries
Apache License 2.0

Out Of Memory - drrun.exe #355

Open David-Fadida opened 2 years ago

David-Fadida commented 2 years ago

When running drrun.exe with WinAFL DLL I get this error and no log file is generated:

Application C:\Storage\WinAFL\POC\WinAFL_POC.exe (2104). Out of memory. Program aborted. Source I, type 0x0000000000000001, code 0x00000000c000001c.

Need your help.

eranzim commented 2 years ago

Can you show the command line you used? Are you using the latest versions of everything (DynamoRIO, winafl)? What OS? Does running it without drrun.exe work, or also crash? Does your program use up a lot of memory? Did you enable PageHeap? Lastly - is there anything interesting in the event log (eventvwr.exe) about the crash?

David-Fadida commented 2 years ago

The command is:

C:\Storage\WinAFL\POC> ..\DynamoRIO\bin64\drrun.exe -msgbox_mask 0x0 -c ..\build64\bin\Release\winafl.dll -debug -target_module WinAFL_POC.exe -coverage_module SketchUpAPI.dll -target_method fuzz -fuzz_iterations 100 -nargs 2 -- WinAFL_POC.exe "Files\id_000082,src_000000,op_flip1,pos_179,+cov.jpg"

Yes I took the latest version of both tools.

I didn't try executing winafl.exe yet, I want to try the harness I wrote first.

The harness loads a simple DLL and uses an exported function as the target (the DLL is 64-bit, the OS is Win64); it is a very simple executable so I guess it is not consuming a lot of memory.

eranzim commented 2 years ago

I meant you should try running it directly without drrun OR winafl, i.e.: C:\Storage\WinAFL\POC> WinAFL_POC.exe "Files\id_000082,src_000000,op_flip1,pos_179,+cov.jpg". Does that work fine? Crash? You can also try echo %errorlevel% to see if it returned a success return code. eventvwr.exe's Application tab might also provide useful info and show if there was a crash and if so - why (and possibly the offending module, etc.).

Another attempt worth trying is to run it with drrun only, i.e.: C:\Storage\WinAFL\POC> ..\DynamoRIO\bin64\drrun.exe -- WinAFL_POC.exe "Files\id_000082,src_000000,op_flip1,pos_179,+cov.jpg"

Also, not sure if this is strictly necessary, but I had some trouble in the past with passing a path in the -c param - I now run it only from the folder containing winafl.dll, and specify -c winafl.dll. This could be due to something else I got wrong or just random voodoo, but worth a shot ¯\_(ツ)_/¯
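The layered check described above (harness alone, then under drrun alone, then drrun with the winafl client) written up as a PowerShell triage script. This is an added example, not part of the issue thread and not code from WinAFL or DynamoRIO; it reuses the paths, module names and command line posted in this issue and assumes it is run from C:\Storage\WinAFL\POC on a machine where the Application event log is readable. It records the exit code of each stage and pulls any "Application Error" crash records the Event Viewer would show, so the first failing layer is identified without reading the log by hand.

```powershell
# Added triage script (not from the issue, WinAFL or DynamoRIO). Paths and the
# client command line are the ones posted in the thread; run from C:\Storage\WinAFL\POC.
$Harness = '.\WinAFL_POC.exe'
$Drrun   = '..\DynamoRIO\bin64\drrun.exe'
$Client  = '..\build64\bin\Release\winafl.dll'
# Start-Process joins -ArgumentList with spaces and does not quote, so the seed
# path (which contains commas and a '+') is wrapped in quotes here.
$Seed    = '"Files\id_000082,src_000000,op_flip1,pos_179,+cov.jpg"'

# Each stage adds one layer; the first stage that fails localises the fault to the
# harness itself, to the DynamoRIO core, or to the winafl client.
$Stages = [ordered]@{
    'harness only'   = @($Harness, $Seed)
    'drrun only'     = @($Drrun, '--', $Harness, $Seed)
    'drrun + winafl' = @($Drrun, '-msgbox_mask', '0x0', '-c', $Client, '-debug',
                         '-target_module', 'WinAFL_POC.exe',
                         '-coverage_module', 'SketchUpAPI.dll',
                         '-target_method', 'fuzz', '-fuzz_iterations', '100',
                         '-nargs', '2', '--', $Harness, $Seed)
}

foreach ($name in $Stages.Keys) {
    $cmd   = $Stages[$name]
    $start = Get-Date

    # Run the child synchronously and capture its exit code (the %errorlevel%
    # check suggested in the thread). Negative NTSTATUS-style codes print as hex.
    $proc = Start-Process -FilePath $cmd[0] -ArgumentList $cmd[1..($cmd.Count - 1)] `
                          -NoNewWindow -Wait -PassThru
    $code = $proc.ExitCode

    # Crash records written by Windows Error Reporting since this stage started.
    # Get-WinEvent raises a non-terminating error when nothing matches; that is
    # the normal "no crash" case, so it is silenced.
    $crashes = @(Get-WinEvent -FilterHashtable @{
                    LogName = 'Application'; ProviderName = 'Application Error'; StartTime = $start
                } -ErrorAction SilentlyContinue |
                Where-Object { $_.Message -match 'WinAFL_POC\.exe' })

    '{0,-15} exit code 0x{1:X8}, crash events: {2}' -f $name, $code, $crashes.Count
    foreach ($ev in $crashes) {
        # Faulting application/module and exception code are the lines a
        # maintainer will ask for first.
        ($ev.Message -split "`r?`n" |
            Where-Object { $_ -match 'Faulting (application|module)|Exception code' }) -join '; '
    }

    if ($code -ne 0 -or $crashes.Count -gt 0) {
        "Stopping: first failing layer is '$name'."
        break
    }
}
```

If the "drrun only" stage is the first to fail, as it did later in this thread, the winafl client is not involved and the report belongs with DynamoRIO; if only the "drrun + winafl" stage fails, the -debug log written by winafl.dll is the next thing to read.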

David-Fadida commented 2 years ago

Thanks! I see an error using the Event Viewer.

David-Fadida commented 2 years ago

I solved the error in the harness, but I still get the same failure in drrun.exe.

eranzim commented 2 years ago

So this works without crash/error/failure/event log? C:\Storage\WinAFL\POC> WinAFL_POC.exe "Files\id_000082,src_000000,op_flip1,pos_179,+cov.jpg"

And what about this: C:\Storage\WinAFL\POC> ..\DynamoRIO\bin64\drrun.exe -- WinAFL_POC.exe "Files\id_000082,src_000000,op_flip1,pos_179,+cov.jpg"?

And the original command line shows the exact same error? Or did something change? Also, could you please share the contents of the event log that shows the crash?

David-Fadida commented 2 years ago

C:\Storage\WinAFL\POC> WinAFL_POC.exe "Files\id_000082,src_000000,op_flip1,pos_179,+cov.jpg" - works fine (the DLL function returns with no errors or crashes).

C:\Storage\WinAFL\POC> ..\DynamoRIO\bin64\drrun.exe -- WinAFL_POC.exe "Files\id_000082,src_000000,op_flip1,pos_179,+cov.jpg" - SAME error. (Out of memory. Program aborted. Source I, type 0x0000000000000001, code 0x00000000c000001c.)

And the original command line shows the exact same error? Or did something change? - SAME

Also, could you please share the contents of the event log that shows the crash? - the crash was irrelevant, bad use of the DLL exported function.

David-Fadida commented 2 years ago

I saw this answer for exactly the same problem:

It seems that your error is due to failure to reserve memory at init time. The code (0x00000000c000001c) is a bit weird though, but it seems to be for unreachable special heap and stack. Try using a lower init value for settings like vm_heap, stack_size and prof_pcs_heap_size (which uses special heap) at https://github.com/DynamoRIO/dynamorio/blob/89841a1463ee5348d34ed6d0b6bb296b868da630/core/optionsx.h#L1582.

It suggests changing some memory settings, which I didn't see any documentation about.

eranzim commented 2 years ago

Since ..\DynamoRIO\bin64\drrun.exe -- WinAFL_POC.exe doesn't work, unless you managed to fix it with the answer you found, I would advise asking in the DynamoRIO repo, because it seems the problem is reproduced without winafl.