DynamoRIO - using drrun.exe with -fuzz_iterations 10 ran only once #319

Closed
ditah22 opened this issue May 5, 2021 · 2 comments
Comments


ditah22 commented May 5, 2021

Hi,
During the last week I started to set up and experiment with WinAFL. I started with syzygy static instrumentation but I failed to use instrument.exe (WinAfl instrument.exe ERRORS #193), so I moved to DynamoRIO.

I've created a 32-bit build (I tried both Debug and Release) with DynamoRIO-Windows-8.0.18747 using this set of commands:

mkdir build32
cd build32
cmake -G"Visual Studio 16 2019" -A Win32 .. -DDynamoRIO_DIR=C:\Users\ditah\winafl_tests\DynamoRIO-Windows-8.0.18747\cmake
cmake --build . --config Debug

(I didn't use -DUSE_DRSYMS=1 because I encountered this as well; my Windows version is 1909.)

Then I created in.txt with the single line "test" inside winafl\build32\bin\Debug.
I downloaded WinDbg to extract the offset of the main function (x test!main) in build32\bin\Debug\test.exe and ran the command below from the directory winafl\build32\bin\Debug:

C:\Users\ditah\winafl_tests\DynamoRIO-Windows-8.0.18747\bin32\drrun.exe -c winafl.dll -debug -target_module test.exe -target_offset 0x00ed1670 -fuzz_iterations 10 -nargs 2 -- test.exe in.txt

which printed this only once (I was expecting it to run 10 times):

in.txt
!!!!!!!!!!OK!!!!!!!!!!
Error reading file

This is the log file afl.test.exe.24412.0000.proc.log that was created:

Module loaded, test.exe
Module loaded, dynamorio.dll
Module loaded, winafl.dll
Module loaded, VCRUNTIME140.dll
Module loaded, drwrap.dll
Module loaded, drmgr.dll
Module loaded, drreg.dll
Module loaded, drx.dll
Module loaded, ucrtbase.dll
Module loaded, KERNELBASE.dll
Module loaded, KERNEL32.dll
Module loaded, ntdll.dll
Module loaded, msvcrt.dll
Module loaded, bcryptPrimitives.dll
Module loaded, CRYPTBASE.dll
Module loaded, SECHOST.dll
Module loaded, SspiCli.dll
Module loaded, RPCRT4.dll
Module loaded, AppCore.dll
WARNING: Target function was never called. Incorrect target_offset?

I did this after the fuzzing of test.exe failed:

afl-fuzz.exe -i in -o out -D "C:\Users\ditah\winafl_tests\DynamoRIO-Windows-8.0.18747\bin32" -t 20000 -- -fuzz_iterations 5000 -target_module test.exe -target_offset 0x00ed1670 -nargs 2 -- test.exe @@
WinAFL 1.16b by <ifratric@google.com>
Based on AFL 2.43b by <lcamtuf@google.com>
[+] You have 8 CPU cores and 0 runnable tasks (utilization: 0%).
[+] Try parallel jobs - see afl_docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[+] Process affinity is set to 1.

[*] Setting up output directories...
[*] Scanning 'in'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...

[-] The program took more than 20000 ms to process one of the initial test cases.
    In WinAFL, this error could also mean incorrect instrumentation params.
    Please make sure instrumentation runs correctly using the debug mode
    (see the README) before attempting to run afl-fuzz.

[-] PROGRAM ABORT : Test case 'id_000000' results in a timeout
         Location : perform_dry_run(), C:\Users\ditah\winafl_tests\winafl\afl-fuzz.c:3018


C:\Users\ditah\winafl_tests\winafl\build32\bin\Debug>0 processes nudged
nudge operation failed, verify permissions and parameters.

I'm not sure what I have done incorrectly, please advise.

Thanks,
Dor

ifratric (Collaborator) commented May 5, 2021

As the log says, looks like target_offset is incorrect. Note that offset should be the offset in memory from the start of the module. The address you provided, -target_offset 0x00ed1670 looks like an absolute address rather than the relative offset.

ditah22 (Author) commented May 9, 2021

Thank you, I missed the fact that it should be an offset from the module address.
I succeeded in fuzzing test_gdiplus.exe using this command:

afl-fuzz.exe -i .\in_bmp -o .\out2 -D "C:\Users\ditah\winafl_tests\DynamoRIO-Windows-8.0.18747\bin32" -t 20000 -- -coverage_module gdiplus.dll -coverage_module WindowsCodecs.dll -fuzz_iterations 5000 -target_module test_gdiplus.exe -target_offset 0x16c0 -nargs 2 -- test_gdiplus.exe @@

and test.exe also worked (I needed to add -coverage_module test.exe):

afl-fuzz.exe -i .\in -o .\out -D "C:\Users\ditah\winafl_tests\DynamoRIO-Windows-8.0.18747\bin32" -t 20000 -- -coverage_module test.exe -fuzz_iterations 5000 -target_module test.exe -target_offset 0x1670 -nargs 2 -- test.exe @@

Thanks again!

@ditah22 ditah22 closed this as completed May 9, 2021
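The fix in the thread above is the arithmetic ifratric describes: -target_offset is the distance from the start of the module in memory, not the absolute address WinDbg prints for x test!main. The script below is an added example (it is not part of winafl and was not posted in this issue) that takes the output of WinDbg's lm and x commands, checks that the symbol address actually falls inside the module's address range, and turns it into the relative offset plus the drrun command line. The lm and x output is constructed: the symbol address 0x00ed1670 is the one from the issue, while the module base 0x00ed0000 is an assumption chosen because it reproduces the 0x1670 used in the final working command.

```python
"""Derive a WinAFL -target_offset from WinDbg output (added example, not winafl code).

The offset is module-relative, so it stays valid when ASLR moves the module
between the debugger session and the fuzzing run; an absolute address does
not, which is why winafl reports "Target function was never called".
"""
import re

# Constructed WinDbg output. "lm m test" lists start/end/module; "x test!main"
# lists address/symbol. The test base 0x00ed0000 is assumed (not from the issue).
LM_OUTPUT = """start    end        module name
00ed0000 00ed7000   test       (deferred)
75a10000 75b00000   KERNEL32   (deferred)
"""
X_OUTPUT = """00ed1670          test!main (int, char **)
"""

# 32-bit WinDbg addresses are 8 hex digits; 64-bit ones are two groups split by a backtick.
ADDR = r"[0-9a-fA-F]{8}(?:`[0-9a-fA-F]{8})?"
LM_LINE = re.compile(rf"^\s*({ADDR})\s+({ADDR})\s+(\S+)", re.MULTILINE)
X_LINE = re.compile(rf"^\s*({ADDR})\s+(\S+!\S+)", re.MULTILINE)


def parse_addr(text):
    """Parse a WinDbg address, dropping the backtick 64-bit output carries."""
    return int(text.replace("`", ""), 16)


def parse_lm(text):
    """Map lower-cased module name -> (start, end) from `lm` output; header lines don't match."""
    return {m.group(3).lower(): (parse_addr(m.group(1)), parse_addr(m.group(2)))
            for m in LM_LINE.finditer(text)}


def parse_x(text):
    """Map `module!symbol` -> absolute address from `x` output."""
    return {m.group(2): parse_addr(m.group(1)) for m in X_LINE.finditer(text)}


def target_offset(abs_addr, module_range):
    """Module-relative offset; refuse an address outside the module (wrong module or stale base)."""
    start, end = module_range
    if not start <= abs_addr < end:
        raise ValueError(f"0x{abs_addr:08x} is not inside module range 0x{start:08x}-0x{end:08x}")
    return abs_addr - start


def resolve_target(symbol, lm_text, x_text):
    """Return (module, offset) for a `module!symbol` seen in WinDbg."""
    module = symbol.split("!", 1)[0].lower()
    modules, symbols = parse_lm(lm_text), parse_x(x_text)
    if module not in modules:
        raise KeyError(f"module {module!r} not in lm output")
    if symbol not in symbols:
        raise KeyError(f"symbol {symbol!r} not in x output")
    return module, target_offset(symbols[symbol], modules[module])


def drrun_cmdline(drrun, module_file, offset, fuzz_iterations, nargs, target_argv, coverage_modules=()):
    """Build the drrun debug-mode argv winafl's README describes, with the relative offset."""
    args = [drrun, "-c", "winafl.dll", "-debug"]
    for cov in coverage_modules:
        args += ["-coverage_module", cov]
    args += ["-target_module", module_file, "-target_offset", f"0x{offset:x}",
             "-fuzz_iterations", str(fuzz_iterations), "-nargs", str(nargs), "--", *target_argv]
    return args


if __name__ == "__main__":
    module, offset = resolve_target("test!main", LM_OUTPUT, X_OUTPUT)
    # drrun path is a placeholder; substitute your DynamoRIO bin32 directory.
    print(" ".join(drrun_cmdline(r"C:\DynamoRIO\bin32\drrun.exe", "test.exe", offset,
                                 10, 2, ["test.exe", "in.txt"], coverage_modules=["test.exe"])))
```

The range check is the part worth keeping: the address from the issue, 0x00ed1670, lies inside the assumed test range and yields 0x1670, but the same address checked against KERNEL32's range raises, which is the "Incorrect target_offset?" warning caught before a run instead of after. If the target function is exported, winafl's -target_method option takes the function name and avoids the offset arithmetic entirely.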