Allow the FridaInProcessExecutor to attach Stalker on specific thread (#1256)

* feat: support specify thread id for frida stalker * fix: thread_id type * fix: use official repo for frida-gum * Merged * Added back missing bolts --------- Co-authored-by: Dominik Maier <domenukk@gmail.com>
2023-08-18 01:47:07 +08:00 · 2023-08-18 01:47:07 +08:00 · 0eceafe0c5
commit 0eceafe0c5
parent 35fa881ff0
2 changed files with 43 additions and 9 deletions
--- a/libafl_frida/Cargo.toml
+++ b/libafl_frida/Cargo.toml
@ -9,7 +9,13 @@ readme = "../README.md"
 license = "MIT OR Apache-2.0"
 keywords = ["fuzzing", "frida", "instrumentation"]
 edition = "2021"
-categories = ["development-tools::testing", "emulators", "embedded", "os", "no-std"]
+categories = [
+    "development-tools::testing",
+    "emulators",
+    "embedded",
+    "os",
+    "no-std"
+]

 [features]
 default = ["serdeany_autoreg"]
@ -20,22 +26,45 @@ serdeany_autoreg = ["libafl_bolts/serdeany_autoreg"]
 cc = { version = "1.0", features = ["parallel"] }

 [dependencies]
-libafl = { path = "../libafl", default-features = false, version = "0.10.1", features = ["std", "derive", "frida_cli"] }
-libafl_bolts = { path = "../libafl_bolts", version = "0.10.1", default-features = false, features = ["std", "derive", "frida_cli"] }
-libafl_targets = { path = "../libafl_targets", version = "0.10.1", features = ["std", "sancov_cmplog"] }
+libafl = { path = "../libafl", default-features = false, version = "0.10.1", features = [
+    "std",
+    "derive",
+    "frida_cli",
+] }
+libafl_bolts = { path = "../libafl_bolts", version = "0.10.1", default-features = false, features = [
+    "std",
+    "derive",
+    "frida_cli"
+] }
+libafl_targets = { path = "../libafl_targets", version = "0.10.1", features = [
+    "std",
+    "sancov_cmplog",
+] }

 nix = "0.26"
 libc = "0.2"
 hashbrown = "0.14"
 rangemap = "1.3"
-frida-gum-sys = { version = "0.8.1", features = [ "auto-download", "event-sink", "invocation-listener"] }
-frida-gum = { version = "0.13.2", features = [ "auto-download", "event-sink", "invocation-listener", "module-names"] }
+frida-gum-sys = { version = "0.8.1", features = [
+    "auto-download",
+    "event-sink",
+    "invocation-listener",
+] }
+frida-gum = { version = "0.13.2", features = [
+    "auto-download",
+    "event-sink",
+    "invocation-listener",
+    "module-names",
+] }
 dynasmrt = "2"
 capstone = "0.11.0"
-color-backtrace ={ version = "0.5", features = [ "resolve-modules" ] }
+color-backtrace = { version = "0.5", features = ["resolve-modules"] }
 termcolor = "1.1.3"
 serde = "1.0"
-backtrace = { version = "0.3", default-features = false, features = ["std", "serde"] }
+backtrace = { version = "0.3", default-features = false, features = [
+    "std",
+    "serde",
+] }
 num-traits = "0.2"
 ahash = "0.8"
 paste = "1.0"
--- a/libafl_frida/src/executor.rs
+++ b/libafl_frida/src/executor.rs
@ -34,6 +34,8 @@ where
    'a: 'b,
 {
    base: InProcessExecutor<'a, H, OT, S>,
+    // thread_id for the Stalker
+    thread_id: usize,
    /// Frida's dynamic rewriting engine
    stalker: Stalker<'a>,
    /// User provided callback for instrumentation
@ -85,7 +87,8 @@ where
            } else {
                self.followed = true;
                let transformer = self.helper.transformer();
-                self.stalker.follow_me::<NoneEventSink>(transformer, None);
+                self.stalker
+                    .follow::<NoneEventSink>(self.thread_id, transformer, None);
            }
        }
        let res = self.base.run_target(fuzzer, state, mgr, input);
@ -154,6 +157,7 @@ where
    pub fn new(
        gum: &'a Gum,
        base: InProcessExecutor<'a, H, OT, S>,
+        thread_id: usize,
        helper: &'c mut FridaInstrumentationHelper<'b, RT>,
    ) -> Self {
        let mut stalker = Stalker::new(gum);
@ -187,6 +191,7 @@ where

        Self {
            base,
+            thread_id,
            stalker,
            helper,
            followed: false,