googleprojectzero / winafl

A fork of AFL for fuzzing Windows binaries
Apache License 2.0
2.36k stars, 533 forks

Is dumb mode (-n) currently implemented? #438

Closed rxt30 closed 7 months ago

rxt30 commented 7 months ago

There is currently no clear indication if dumb mode is implemented and usable.

While https://github.com/googleprojectzero/winafl/issues/234 mentions that dumb mode is currently not implemented (as of March 2020), commit https://github.com/googleprojectzero/winafl/commit/3b18e9a4ba2d02e0c178c784194670ddbd2df4b9 in August 2020 actually added the dumb mode option in the Readme and in afl-fuzz.c.

However, invoking dumb mode with afl-fuzz.exe -i path\to\input -o path\to\output -D path\to\DynamoRIO -- -n -- path\to\target @@ throws an "Invalid option" assert failure.

If dumb mode is still not supported, the Readme should at least mention this or the option should be removed from the Readme.

ifratric commented 7 months ago

The dumb mode is (still) not supported by WinAFL. While some code for it exists as a leftover from the original afl-fuzz code, WinAFL currently does not support running without any instrumentation.

However, it might be possible to run in TinyInst mode and not set any -instrument_module options, which should behave more or less like a dumb mode. Perhaps that will work in combination with -n, but I have not tried this.

Also note that your command line above is incorrect in the sense that -n is an afl-fuzz flag, not an instrumentation flag, so it should come in front of the first --.

rxt30 commented 7 months ago

Alright, thanks for the update. I will try it with TinyInst and give some updates on this issue if it behaves like dumb mode.

rxt30 commented 7 months ago

Blackbox fuzzing works by using afl-fuzz.exe -y -i path\to\input -o path\to\output -timeout 2000 -n -- -- <target_filename> @@, no reverse engineering required.

However, one must be sure that the application exits with exitcode 0, or else winafl will fail.

It may also be noted that the fuzzing process is, as expected, really slow in comparison.

Should I put this info into the Readme or is this issue enough information?

ifratric commented 6 months ago

I don't know why exitcode 0 would be a requirement, AFAIK TinyInst is not providing the process exit code to WinAFL anywhere, https://github.com/googleprojectzero/winafl/blob/master/tinyinst_afl.cpp. It's returning whether the process crashed or hung, but that's different from the exit code.

> It may also be noted that the fuzzing process is, as expected, really slow in comparison.

With TinyInst it is still possible to use persistent mode (via -target_module ... -target_method ... -nargs ... -iterations ... -persist -loop flag combination) even if no modules are getting instrumented. This will significantly improve the fuzzing speed.

> Should I put this info into the Readme or is this issue enough information?

Yes, pull requests are very much appreciated :)
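Added example, not code from this thread or from the WinAFL project: a minimal native target shaped for the two points raised above, the exit-code concern in rxt30's comment and the TinyInst persistent-mode flags in ifratric's reply. The record format ("FUZZ" magic, one length byte, payload), the function name fuzz_one_file and the module name target.exe in the comment are all assumptions made for illustration; the WinAFL flags in the comment are the ones named in the thread, not a tested invocation. The parser contains a deliberate stack-buffer overflow so that a fuzzer has something to find; it is reached only when the length byte is larger than 15.

```c
/* Constructed WinAFL/TinyInst target (example, not WinAFL's own code).
 *
 * Assumed blackbox run (no -instrument_module, per the thread):
 *   afl-fuzz.exe -y -i in -o out -timeout 2000 -n -- -- target.exe @@
 * Assumed persistent run built from the flags ifratric listed:
 *   afl-fuzz.exe -y -i in -o out -n -- -target_module target.exe
 *     -target_method fuzz_one_file -nargs 1 -iterations 1000
 *     -persist -loop -- target.exe @@
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#define FUZZ_EXPORT __declspec(dllexport) /* keep the symbol visible for -target_method */
#else
#define FUZZ_EXPORT
#endif

#define MAX_INPUT 4096

/* Parse one record: 4-byte magic "FUZZ", 1-byte payload length, payload.
 * Returns the payload length on success, a negative code on a malformed record.
 * Deliberate bug: n is never checked against sizeof(tmp), so any record with a
 * length byte above 15 overflows the stack buffer. That is the crash the fuzzer
 * should report; malformed-but-safe records just return an error code. */
int parse_record(const uint8_t *buf, size_t len) {
    char tmp[16];
    if (len < 5)                      return -1; /* truncated header */
    if (memcmp(buf, "FUZZ", 4) != 0)  return -2; /* bad magic */
    uint8_t n = buf[4];
    if (len < 5u + n)                 return -3; /* payload shorter than declared */
    memcpy(tmp, buf + 5, n);                     /* overflow when n > 15 */
    tmp[n] = '\0';
    return (int)n;
}

/* Entry point for persistent mode: one argument (the input path), re-entered by
 * TinyInst for each iteration. Returns the parser result, or -100 if the file
 * cannot be opened. Hypothetical name; adjust -target_method to match. */
FUZZ_EXPORT int fuzz_one_file(const char *path) {
    static uint8_t buf[MAX_INPUT];
    FILE *f = fopen(path, "rb");
    if (!f) return -100;
    size_t len = fread(buf, 1, sizeof(buf), f);
    fclose(f);
    return parse_record(buf, len);
}

/* Stand-alone use: target.exe <file>. The process exits 0 even for malformed
 * input, so the only nonzero outcome is a genuine crash; this satisfies the
 * exit-code-0 observation in the thread without hiding real faults. */
int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input file>\n", argv[0]);
        return 0;
    }
    int r = fuzz_one_file(argv[1]);
    printf("parse_record returned %d\n", r);
    return 0;
}
```

Seeding the input directory with one well-formed record (for instance the bytes "FUZZ", 0x03, "abc") gives the mutator a valid shape to start from; without the magic prefix most mutations die at the -2 branch and never reach the memcpy.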