Windows frida support

fuzzers/frida_gdiplus/Cargo.toml

@@ -32,3 +32,4 @@ libafl_targets = { path = "../../libafl_targets", features = ["sancov_cmplog"] }
 libloading = "0.7"
 mimalloc = { version = "*", default-features = false }
 color-backtrace = "0.5"
+env_logger = "0.10.0"

fuzzers/frida_gdiplus/cargo/.config

@@ -0,0 +1,2 @@
+[build]
+target = "x86_64-pc-windows-msvc"

fuzzers/frida_gdiplus/src/fuzzer.rs

@@ -6,7 +6,9 @@
 //! going to make it compilable only for Windows, don't forget to modify the
 //! `scripts/test_all_fuzzers.sh` to opt-out this fuzzer from that test.
 
+#[cfg(unix)]
 use mimalloc::MiMalloc;
+#[cfg(unix)]
 #[global_allocator]
 static GLOBAL: MiMalloc = MiMalloc;
 
@@ -17,8 +19,8 @@ use libafl::{
     corpus::{CachedOnDiskCorpus, Corpus, OnDiskCorpus},
     events::{launcher::Launcher, llmp::LlmpRestartingEventManager, EventConfig},
     executors::{inprocess::InProcessExecutor, ExitKind, ShadowExecutor},
-    feedback_or, feedback_or_fast,
-    feedbacks::{CrashFeedback, MaxMapFeedback, TimeFeedback, TimeoutFeedback},
+    feedback_and_fast, feedback_or, feedback_or_fast,
+    feedbacks::{ConstFeedback, CrashFeedback, MaxMapFeedback, TimeFeedback, TimeoutFeedback},
     fuzzer::{Fuzzer, StdFuzzer},
     inputs::{BytesInput, HasTargetBytes},
     monitors::MultiMonitor,
@@ -32,8 +34,6 @@ use libafl::{
     state::{HasCorpus, HasMetadata, StdState},
     Error,
 };
-#[cfg(unix)]
-use libafl::{feedback_and_fast, feedbacks::ConstFeedback};
 use libafl_bolts::{
     cli::{parse_args, FuzzerOptions},
     current_nanos,
@@ -42,11 +42,11 @@ use libafl_bolts::{
     tuples::{tuple_list, Merge},
     AsSlice,
 };
-#[cfg(unix)]
-use libafl_frida::asan::asan_rt::AsanRuntime;
-#[cfg(unix)]
-use libafl_frida::asan::errors::{AsanErrorsFeedback, AsanErrorsObserver, ASAN_ERRORS};
 use libafl_frida::{
+    asan::{
+        asan_rt::AsanRuntime,
+        errors::{AsanErrorsFeedback, AsanErrorsObserver, ASAN_ERRORS},
+    },
     cmplog_rt::CmpLogRuntime,
     coverage_rt::{CoverageRuntime, MAP_SIZE},
     executor::FridaInProcessExecutor,
@@ -56,6 +56,7 @@ use libafl_targets::cmplog::CmpLogObserver;
 
 /// The main fn, usually parsing parameters, and starting the fuzzer
 pub fn main() {
+    env_logger::init();
     color_backtrace::install();
 
     let options = parse_args();
@@ -98,16 +99,11 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
                 let gum = Gum::obtain();
 
                 let coverage = CoverageRuntime::new();
-                #[cfg(unix)]
                 let asan = AsanRuntime::new(&options);
 
-                #[cfg(unix)]
                 let mut frida_helper =
                     FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage, asan));
-                #[cfg(windows)]
-                let mut frida_helper =
-                    FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage));
-
+                //
                 // Create an observation channel using the coverage map
                 let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr(
                     "edges",
@@ -128,15 +124,12 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
                 );
 
                 // Feedbacks to recognize an input as solution
-                #[cfg(unix)]
                 let mut objective = feedback_or_fast!(
                     CrashFeedback::new(),
                     TimeoutFeedback::new(),
                     // true enables the AsanErrorFeedback
                     feedback_and_fast!(ConstFeedback::from(true), AsanErrorsFeedback::new())
                 );
-                #[cfg(windows)]
-                let mut objective = feedback_or_fast!(CrashFeedback::new(), TimeoutFeedback::new());
 
                 // If not restarting, create a State from scratch
                 let mut state = state.unwrap_or_else(|| {
@@ -176,14 +169,11 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
                 // A fuzzer with feedbacks and a corpus scheduler
                 let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
 
-                #[cfg(unix)]
                 let observers = tuple_list!(
                     edges_observer,
                     time_observer,
                     AsanErrorsObserver::new(&ASAN_ERRORS)
                 );
-                #[cfg(windows)]
-                let observers = tuple_list!(edges_observer, time_observer);
 
                 // Create the executor for an in-process function with just one observer for edge coverage
                 let mut executor = FridaInProcessExecutor::new(
@@ -243,14 +233,11 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
                     TimeFeedback::with_observer(&time_observer)
                 );
 
-                #[cfg(unix)]
                 let mut objective = feedback_or_fast!(
                     CrashFeedback::new(),
                     TimeoutFeedback::new(),
                     feedback_and_fast!(ConstFeedback::from(false), AsanErrorsFeedback::new())
                 );
-                #[cfg(windows)]
-                let mut objective = feedback_or_fast!(CrashFeedback::new(), TimeoutFeedback::new());
 
                 // If not restarting, create a State from scratch
                 let mut state = state.unwrap_or_else(|| {
@@ -291,14 +278,11 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
                 // A fuzzer with feedbacks and a corpus scheduler
                 let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
 
-                #[cfg(unix)]
                 let observers = tuple_list!(
                     edges_observer,
                     time_observer,
                     AsanErrorsObserver::new(&ASAN_ERRORS)
                 );
-                #[cfg(windows)]
-                let observers = tuple_list!(edges_observer, time_observer,);
 
                 // Create the executor for an in-process function with just one observer for edge coverage
                 let mut executor = FridaInProcessExecutor::new(
@@ -373,14 +357,11 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
                     TimeFeedback::with_observer(&time_observer)
                 );
 
-                #[cfg(unix)]
                 let mut objective = feedback_or_fast!(
                     CrashFeedback::new(),
                     TimeoutFeedback::new(),
                     feedback_and_fast!(ConstFeedback::from(false), AsanErrorsFeedback::new())
                 );
-                #[cfg(windows)]
-                let mut objective = feedback_or_fast!(CrashFeedback::new(), TimeoutFeedback::new());
 
                 // If not restarting, create a State from scratch
                 let mut state = state.unwrap_or_else(|| {
@@ -421,14 +402,11 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
                 // A fuzzer with feedbacks and a corpus scheduler
                 let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
 
-                #[cfg(unix)]
                 let observers = tuple_list!(
                     edges_observer,
                     time_observer,
                     AsanErrorsObserver::new(&ASAN_ERRORS)
                 );
-                #[cfg(windows)]
-                let observers = tuple_list!(edges_observer, time_observer,);
 
                 // Create the executor for an in-process function with just one observer for edge coverage
                 let mut executor = FridaInProcessExecutor::new(

fuzzers/frida_libpng/Cargo.toml

@@ -26,11 +26,17 @@ reqwest = { version = "0.11.4", features = ["blocking"] }
 
 
 [dependencies]
-libafl = { path = "../../libafl/", features = [ "std", "llmp_compression", "llmp_bind_public", "frida_cli" ] } #,  "llmp_small_maps", "llmp_debug"]}
+libafl = { path = "../../libafl/", features = [ "std", "llmp_compression",
+    "llmp_bind_public", "frida_cli", "errors_backtrace" ] } #,  "llmp_small_maps", "llmp_debug"]}
 libafl_bolts = { path = "../../libafl_bolts/" }
 frida-gum = { version = "0.13.2", features = [ "auto-download", "event-sink", "invocation-listener"] }
 libafl_frida = { path = "../../libafl_frida", features = ["cmplog"] }
 libafl_targets = { path = "../../libafl_targets", features = ["sancov_cmplog"] }
 libloading = "0.7"
 mimalloc = { version = "*", default-features = false }
 color-backtrace = "0.5"
+<<<<<<< Updated upstream
+=======
+log = "0.4.20"
+>>>>>>> Stashed changes
+env_logger = "0.10.0"

fuzzers/frida_libpng/harness.cc

@@ -88,7 +88,7 @@ static char *allocation = NULL;
 __attribute__((noinline)) void func3(char *alloc) {
 // printf("func3\n");
 #ifdef _WIN32
-  if (rand() == 0) {
+  if ((rand() % 2) == 0) {
     alloc[0x1ff] = 0xde;
     printf("alloc[0x200]: %d\n", alloc[0x200]);
   }

fuzzers/frida_libpng/src/fuzzer.rs

@@ -51,7 +51,9 @@ use libafl_targets::cmplog::CmpLogObserver;
 
 /// The main fn, usually parsing parameters, and starting the fuzzer
 pub fn main() {
+    env_logger::init();
     color_backtrace::install();
+    log::info!("hello!");
 
     let options = parse_args();
 
@@ -98,7 +100,7 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
 
                 #[cfg(unix)]
                 let mut frida_helper =
-                    FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage, asan));
+                    FridaInstrumentationHelper::new(&gum, options, tuple_list!(asan, coverage));
                 #[cfg(windows)]
                 let mut frida_helper =
                     FridaInstrumentationHelper::new(&gum, &options, tuple_list!(coverage));

libafl/src/executors/inprocess.rs

@@ -385,8 +385,8 @@ impl InProcessHandlers {
     {
         unsafe {
             let data = &mut GLOBAL_STATE;
-            #[cfg(feature = "std")]
-            windows_exception_handler::setup_panic_hook::<E, EM, OF, Z>();
+            //#[cfg(feature = "std")]
+            //windows_exception_handler::setup_panic_hook::<E, EM, OF, Z>();
             setup_exception_handler(data)?;
             compiler_fence(Ordering::SeqCst);
 
@@ -1029,7 +1029,7 @@ pub mod windows_exception_handler {
         sync::atomic::{compiler_fence, Ordering},
     };
     #[cfg(feature = "std")]
-    use std::panic;
+    use std::{io::Write, panic};
 
     use libafl_bolts::os::windows_exceptions::{
         ExceptionCode, Handler, CRASH_EXCEPTIONS, EXCEPTION_HANDLERS_SIZE, EXCEPTION_POINTERS,
@@ -1261,6 +1261,17 @@ pub mod windows_exception_handler {
             let exception_list = data.exceptions();
             if exception_list.contains(&code) {
                 log::error!("Crashed with {code}");
+                #[cfg(all(feature = "std"))]
+                {
+                    let mut bsod = Vec::new();
+                    {
+                        let mut writer = std::io::BufWriter::new(&mut bsod);
+                        libafl_bolts::minibsod::generate_minibsod(&mut writer, exception_pointers)
+                            .unwrap();
+                        writer.flush().unwrap();
+                    }
+                    log::error!("{}", std::str::from_utf8(&bsod).unwrap());
+                }
             } else {
                 // log::trace!("Exception code received, but {code} is not in CRASH_EXCEPTIONS");
                 is_crash = false;

libafl_bolts/src/lib.rs

@@ -119,7 +119,7 @@ pub mod fs;
 #[cfg(feature = "alloc")]
 pub mod llmp;
 pub mod math;
-#[cfg(all(feature = "std", unix))]
+#[cfg(feature = "std")]
 pub mod minibsod;
 pub mod os;
 #[cfg(feature = "alloc")]

libafl_bolts/src/minibsod.rs

@@ -7,8 +7,12 @@ use std::io::{BufWriter, Write};
 #[cfg(any(target_os = "solaris", target_os = "illumos"))]
 use std::process::Command;
 
+#[cfg(unix)]
 use libc::siginfo_t;
+#[cfg(windows)]
+use windows::Win32::System::Diagnostics::Debug::{CONTEXT, EXCEPTION_POINTERS};
 
+#[cfg(unix)]
 use crate::os::unix_signals::{ucontext_t, Signal};
 
 /// Write the content of all important registers
@@ -353,7 +357,7 @@ pub fn dump_registers<W: Write>(
     write!(writer, "cs : {:#016x}, ", ucontext.sc_cs)?;
     Ok(())
 }
-///
+
 /// Write the content of all important registers
 #[cfg(all(
     any(target_os = "solaris", target_os = "illumos"),
@@ -393,6 +397,35 @@ pub fn dump_registers<W: Write>(
     Ok(())
 }
 
+/// Write the content of all important registers
+#[cfg(windows)]
+#[allow(clippy::similar_names)]
+pub fn dump_registers<W: Write>(
+    writer: &mut BufWriter<W>,
+    context: &CONTEXT,
+) -> Result<(), std::io::Error> {
+    write!(writer, "r8 : {:#016x}, ", context.R8)?;
+    write!(writer, "r9 : {:#016x}, ", context.R9)?;
+    write!(writer, "r10: {:#016x}, ", context.R10)?;
+    writeln!(writer, "r11: {:#016x}, ", context.R11)?;
+    write!(writer, "r12: {:#016x}, ", context.R12)?;
+    write!(writer, "r13: {:#016x}, ", context.R13)?;
+    write!(writer, "r14: {:#016x}, ", context.R14)?;
+    writeln!(writer, "r15: {:#016x}, ", context.R15)?;
+    write!(writer, "rdi: {:#016x}, ", context.Rdi)?;
+    write!(writer, "rsi: {:#016x}, ", context.Rsi)?;
+    write!(writer, "rbp: {:#016x}, ", context.Rbp)?;
+    writeln!(writer, "rbx: {:#016x}, ", context.Rbx)?;
+    write!(writer, "rdx: {:#016x}, ", context.Rdx)?;
+    write!(writer, "rax: {:#016x}, ", context.Rax)?;
+    write!(writer, "rcx: {:#016x}, ", context.Rcx)?;
+    writeln!(writer, "rsp: {:#016x}, ", context.Rsp)?;
+    write!(writer, "rip: {:#016x}, ", context.Rip)?;
+    writeln!(writer, "efl: {:#016x}, ", context.EFlags)?;
+
+    Ok(())
+}
+
 #[allow(clippy::unnecessary_wraps)]
 #[cfg(not(any(
     target_vendor = "apple",
@@ -402,6 +435,7 @@ pub fn dump_registers<W: Write>(
     target_os = "dragonfly",
     target_os = "netbsd",
     target_os = "openbsd",
+    windows,
     any(target_os = "solaris", target_os = "illumos"),
 )))]
 fn dump_registers<W: Write>(
@@ -615,6 +649,7 @@ fn write_crash<W: Write>(
     target_os = "dragonfly",
     target_os = "openbsd",
     target_os = "netbsd",
+    windows,
     any(target_os = "solaris", target_os = "illumos"),
 )))]
 fn write_crash<W: Write>(
@@ -628,6 +663,33 @@ fn write_crash<W: Write>(
     Ok(())
 }
 
+#[cfg(windows)]
+fn write_crash<W: Write>(
+    writer: &mut BufWriter<W>,
+    exception_pointers: *mut EXCEPTION_POINTERS,
+) -> Result<(), std::io::Error> {
+    // TODO add fault addr for other platforms.
+    unsafe {
+        writeln!(
+            writer,
+            "Received exception {:0x} at address {:x}",
+            (*exception_pointers)
+                .ExceptionRecord
+                .as_mut()
+                .unwrap()
+                .ExceptionCode
+                .0,
+            (*exception_pointers)
+                .ExceptionRecord
+                .as_mut()
+                .unwrap()
+                .ExceptionAddress as usize
+        )
+    }?;
+
+    Ok(())
+}
+
 #[cfg(any(target_os = "linux", target_os = "android"))]
 fn write_minibsod<W: Write>(writer: &mut BufWriter<W>) -> Result<(), std::io::Error> {
     match std::fs::read_to_string("/proc/self/maps") {
@@ -853,6 +915,26 @@ pub fn generate_minibsod<W: Write>(
     write_minibsod(writer)
 }
 
+/// Generates a mini-BSOD given an EXCEPTION_POINTERS structure.
+#[cfg(windows)]
+#[allow(clippy::non_ascii_literal, clippy::too_many_lines)]
+pub fn generate_minibsod<W: Write>(
+    writer: &mut BufWriter<W>,
+    exception_pointers: *mut EXCEPTION_POINTERS,
+) -> Result<(), std::io::Error> {
+    writeln!(writer, "{:━^100}", " CRASH ")?;
+    write_crash(writer, exception_pointers)?;
+    writeln!(writer, "{:━^100}", " REGISTERS ")?;
+    dump_registers(writer, unsafe {
+        (*exception_pointers).ContextRecord.as_mut().unwrap()
+    })?;
+    writeln!(writer, "{:━^100}", " BACKTRACE ")?;
+    writeln!(writer, "{:?}", backtrace::Backtrace::new())?;
+    writeln!(writer, "{:━^100}", " MAPS ")?;
+    write_minibsod(writer)
+}
+
+#[cfg(unix)]
 #[cfg(test)]
 mod tests {