googleprojectzero / winafl

A fork of AFL for fuzzing Windows binaries
Apache License 2.0

ASSERT FAILURE: winafl\winafl.c:969: (0) (invalid option) #366

Closed donghyunlee00 closed 2 years ago

donghyunlee00 commented 2 years ago

Background

After reading this article, I tried to fuzz the UNACEV2.DLL of WinRAR 3.20.

I created a test harness for UNACEV2.DLL as below.

WinRARHarness.cpp

#include <Windows.h>
#include <cstdio>
#include <iostream>
#include "STRUCS.H"
#include "CALLBACK.H"
#include "UNACEFNC.H"
#include "ACEFNC.H"

// Function pointer types for the two UNACEV2.DLL exports resolved in main().
typedef int (*ACEInitDll_t)(pACEExtractStruc);
typedef int (*ACEExtract_t)(LPSTR, pACEExtractStruc);
ACEInitDll_t ACEInitDll_handle;
ACEExtract_t ACEExtract_handle;

// Target function for winafl (-target_method fuzzme). It is exported and
// marked noinline so the DynamoRIO client can find it and hook its entry/return.
extern "C" __declspec(dllexport) __declspec(noinline) void fuzzme(char* path)
{
    printf("%s\n", path);
}

int main(int argc, char** argv)
{
    if (argc < 2)
    {
        printf("Usage: %s <input file>\n", argv[0]);
        return 1;
    }

    // Let the loader find UNACEV2.DLL in the WinRAR Formats directory.
    SetDllDirectoryA("C:\\Program Files (x86)\\WinRAR\\Formats\\");
    HMODULE UNACEV2_dll_handle = LoadLibraryA("UNACEV2.DLL");
    if (UNACEV2_dll_handle == NULL)
    {
        printf("Failed to load UNACEV2.DLL\n");
        return 1;
    }

    ACEInitDll_handle = (ACEInitDll_t)(GetProcAddress(UNACEV2_dll_handle, "ACEInitDll"));
    if (ACEInitDll_handle == NULL) {
        printf("Failed to get address for ACEInitDll\n");
        return 1;
    }

    ACEExtract_handle = (ACEExtract_t)(GetProcAddress(UNACEV2_dll_handle, "ACEExtract"));
    if (ACEExtract_handle == NULL) {
        printf("Failed to get address for ACEExtract\n");
        return 1;
    }

    // argv[1] is the input file path (afl-fuzz substitutes it for "@@").
    fuzzme(argv[1]);
    return 0;
}

When I tested it with drrun.exe, it seemed to work well.

C:\Users\donghyunlee00\Desktop\DynamoRIO-Windows-9.0.19012\bin32\drrun.exe -c "C:\Users\donghyunlee00\Desktop\winafl\build32\bin\Release\winafl.dll" -debug -target_module WinRARHarness.exe -coverage_module "C:\Program Files (x86)\WinRAR\Formats\UNACEV2.DLL" -target_method fuzzme -fuzz_iterations 10 -nargs 1 -- "C:\Users\donghyunlee00\source\repos\WinRARHarness\Debug\WinRARHarness.exe" "C:\Users\donghyunlee00\Desktop\in\test.ace"


Problem

When I run afl-fuzz.exe, the following error message appears and fuzzing does not proceed.

.\afl-fuzz.exe -i C:\Users\donghyunlee00\Desktop\in -o C:\Users\donghyunlee00\Desktop\out -t 10000 -D C:\Users\donghyunlee00\Desktop\DynamoRIO-Windows-9.0.19012\bin32 -- -fuzz_iterations 5000 -coverage_module "C:\Program Files (x86)\WinRAR\Formats\UNACEV2.DLL" -target_module WinRARHarness.exe -target_method fuzzme -nargs 1 -- "C:\Users\donghyunlee00\source\repos\WinRARHarness\Debug\WinRARHarness.exe" "@@"


Version

ifratric commented 2 years ago

In -coverage_module, you should just put the name of the DLL, not the full path. Not sure if that's the only error though.

donghyunlee00 commented 2 years ago

It works with this command, thanks!!

.\afl-fuzz.exe -i C:\Users\donghyunlee00\Desktop\in -o C:\Users\donghyunlee00\Desktop\out -t 10000 -D C:\Users\donghyunlee00\Desktop\DynamoRIO-Windows-9.0.19012\bin32 -- -fuzz_iterations 5000 -coverage_module WinRARHarness.exe -coverage_module UNACEV2.DLL -target_module WinRARHarness.exe -target_method fuzzme -nargs 1 -- "C:\Users\donghyunlee00\source\repos\WinRARHarness\Debug\WinRARHarness.exe" "@@"
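The fix in this thread comes down to one rule: the winafl options after the first `--` (-coverage_module, -target_module) take a bare module name, not a path. The following helper, added here as an example and not part of winafl or the poster's harness, splits an afl-fuzz command line into its three sections at the `--` separators, flags module options given as paths, and rewrites them to the basename, which is the form the working command above uses. The argv lists are constructed from the commands in this thread.

```python
import ntpath

# winafl options whose value must be a module name (per the maintainer's reply).
MODULE_OPTIONS = {"-coverage_module", "-target_module"}


def split_sections(argv):
    """Split argv at the first two '--': afl-fuzz opts, winafl opts, target cmd."""
    sections = [[]]
    for tok in argv:
        if tok == "--" and len(sections) < 3:
            sections.append([])
        else:
            sections[-1].append(tok)
    while len(sections) < 3:
        sections.append([])
    return sections[0], sections[1], sections[2]


def fix_module_options(winafl_opts):
    """Return (rewritten winafl options, list of problems found).

    A -coverage_module / -target_module value that is a path is replaced by its
    basename; repeated options (e.g. two -coverage_module) are preserved in order.
    """
    fixed, problems = [], []
    i = 0
    while i < len(winafl_opts):
        tok = winafl_opts[i]
        if tok in MODULE_OPTIONS and i + 1 < len(winafl_opts):
            value = winafl_opts[i + 1]
            # ntpath handles both '\\' and '/' separators and drive letters on any host.
            base = ntpath.basename(value)
            if base != value:
                problems.append(f"{tok} expects a module name, got a path: {value}")
            fixed.extend([tok, base])
            i += 2
        else:
            fixed.append(tok)
            i += 1
    return fixed, problems


def check_command(argv):
    """Validate a full afl-fuzz argv; return (corrected argv, problems)."""
    afl, winafl, target = split_sections(argv)
    fixed_winafl, problems = fix_module_options(winafl)
    return afl + ["--"] + fixed_winafl + ["--"] + target, problems


# Constructed from the failing and working commands in this issue (paths shortened).
BAD_ARGV = ["afl-fuzz.exe", "-i", "in", "-o", "out", "-t", "10000", "-D", "DynamoRIO\\bin32",
            "--", "-fuzz_iterations", "5000",
            "-coverage_module", "C:\\Program Files (x86)\\WinRAR\\Formats\\UNACEV2.DLL",
            "-target_module", "WinRARHarness.exe", "-target_method", "fuzzme", "-nargs", "1",
            "--", "WinRARHarness.exe", "@@"]
GOOD_ARGV = ["afl-fuzz.exe", "-i", "in", "-o", "out", "-t", "10000", "-D", "DynamoRIO\\bin32",
             "--", "-fuzz_iterations", "5000",
             "-coverage_module", "WinRARHarness.exe", "-coverage_module", "UNACEV2.DLL",
             "-target_module", "WinRARHarness.exe", "-target_method", "fuzzme", "-nargs", "1",
             "--", "WinRARHarness.exe", "@@"]
```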