format libafl_frida

This commit is contained in:
Andrea Fioraldi 2021-04-30 15:50:11 +02:00
parent 22b72bac66
commit 9ee427a1fa
2 changed files with 55 additions and 29 deletions


@ -24,7 +24,7 @@ use color_backtrace::{default_output_stream, BacktracePrinter, Verbosity};
use dynasmrt::{dynasm, DynasmApi, DynasmLabelApi};
#[cfg(unix)]
use gothook::GotHookLibrary;
use libc::{_SC_PAGESIZE, getrlimit64, rlimit64, sysconf};
use libc::{getrlimit64, rlimit64, sysconf, _SC_PAGESIZE};
use rangemap::RangeSet;
use serde::{Deserialize, Serialize};
use std::{
@ -90,7 +90,10 @@ impl Allocator {
addr as *mut c_void,
page_size,
ProtFlags::PROT_READ | ProtFlags::PROT_WRITE,
MapFlags::MAP_PRIVATE | MapFlags::MAP_ANONYMOUS | MapFlags::MAP_FIXED | MapFlags::MAP_NORESERVE,
MapFlags::MAP_PRIVATE
| MapFlags::MAP_ANONYMOUS
| MapFlags::MAP_FIXED
| MapFlags::MAP_NORESERVE,
-1,
0,
)
@ -110,7 +113,10 @@ impl Allocator {
addr as *mut c_void,
addr + addr,
ProtFlags::PROT_READ | ProtFlags::PROT_WRITE,
MapFlags::MAP_ANONYMOUS | MapFlags::MAP_FIXED | MapFlags::MAP_PRIVATE | MapFlags::MAP_NORESERVE,
MapFlags::MAP_ANONYMOUS
| MapFlags::MAP_FIXED
| MapFlags::MAP_PRIVATE
| MapFlags::MAP_NORESERVE,
-1,
0,
)
@ -161,7 +167,8 @@ impl Allocator {
let mut current_size = size;
while current_size <= self.largest_allocation {
if self.allocation_queue.contains_key(&current_size) {
if let Some(metadata) = self.allocation_queue.entry(current_size).or_default().pop() {
if let Some(metadata) = self.allocation_queue.entry(current_size).or_default().pop()
{
return Some(metadata);
}
}
@ -184,8 +191,7 @@ impl Allocator {
}
let rounded_up_size = self.round_up_to_page(size);
let metadata = if let Some(mut metadata) = self.find_smallest_fit(rounded_up_size)
{
let metadata = if let Some(mut metadata) = self.find_smallest_fit(rounded_up_size) {
//println!("reusing allocation at {:x}, (actual mapping starts at {:x}) size {:x}", metadata.address, metadata.address - self.page_size, size);
metadata.is_malloc_zero = is_malloc_zero;
metadata.size = size;
@ -214,11 +220,7 @@ impl Allocator {
}
};
self.map_shadow_for_region(
mapping,
mapping + rounded_up_size,
false,
);
self.map_shadow_for_region(mapping, mapping + rounded_up_size, false);
let mut metadata = AllocationMetadata {
address: mapping,
@ -803,8 +805,11 @@ impl AsanRuntime {
let stack_address = &stack_var as *const _ as *const c_void as usize;
let (start, end, _, _) = find_mapping_for_address(stack_address).unwrap();
let mut stack_rlimit = rlimit64 { rlim_cur: 0, rlim_max: 0 };
assert!(unsafe { getrlimit64(3, &mut stack_rlimit as *mut rlimit64 ) } == 0);
let mut stack_rlimit = rlimit64 {
rlim_cur: 0,
rlim_max: 0,
};
assert!(unsafe { getrlimit64(3, &mut stack_rlimit as *mut rlimit64) } == 0);
println!("stack_rlimit: {:?}", stack_rlimit);
@ -816,7 +821,10 @@ impl AsanRuntime {
max_start as *mut c_void,
start - max_start,
ProtFlags::PROT_READ | ProtFlags::PROT_WRITE,
MapFlags::MAP_ANONYMOUS | MapFlags::MAP_FIXED | MapFlags::MAP_PRIVATE | MapFlags::MAP_STACK,
MapFlags::MAP_ANONYMOUS
| MapFlags::MAP_FIXED
| MapFlags::MAP_PRIVATE
| MapFlags::MAP_STACK,
-1,
0,
)
@ -831,7 +839,7 @@ impl AsanRuntime {
let tls_address = unsafe { get_tls_ptr() } as usize;
// we need to mask off the highest byte, due to 'High Byte Ignore"
#[cfg(target_os = "android")]
let tls_address = tls_address & 0xffffffffffffff;
let tls_address = tls_address & 0xffffffffffffff;
let (start, end, _, _) = find_mapping_for_address(tls_address).unwrap();
(start, end)


@ -9,7 +9,10 @@ use libafl::utils::find_mapping_for_path;
use libafl_targets::drcov::{DrCovBasicBlock, DrCovWriter};
#[cfg(target_arch = "aarch64")]
use capstone::arch::{arm64::{Arm64OperandType, Arm64Extender, Arm64Shift}, ArchOperand::Arm64Operand};
use capstone::arch::{
arm64::{Arm64Extender, Arm64OperandType, Arm64Shift},
ArchOperand::Arm64Operand,
};
use capstone::{
arch::{self, BuildsCapstone},
Capstone, Insn,
@ -88,10 +91,7 @@ impl<'a> FridaHelper<'a> for FridaInstrumentationHelper<'a> {
let mut hasher = AHasher::new_with_keys(0, 0);
hasher.write(input.target_bytes().as_slice());
let filename = format!(
"./coverage/{:016x}.drcov",
hasher.finish(),
);
let filename = format!("./coverage/{:016x}.drcov", hasher.finish(),);
DrCovWriter::new(&filename, &self.ranges, &mut self.drcov_basic_blocks).write();
}
@ -221,10 +221,14 @@ impl<'a> FridaInstrumentationHelper<'a> {
if options.stalker_enabled() {
for (id, module_name) in modules_to_instrument.iter().enumerate() {
let (lib_start, lib_end) = find_mapping_for_path(module_name.to_str().unwrap());
println!("including range {:x}-{:x} for {:?}", lib_start, lib_end, module_name);
helper
.ranges
.insert(lib_start..lib_end, (id as u16, module_name.to_str().unwrap()));
println!(
"including range {:x}-{:x} for {:?}",
lib_start, lib_end, module_name
);
helper.ranges.insert(
lib_start..lib_end,
(id as u16, module_name.to_str().unwrap()),
);
}
if helper.options.drcov_enabled() {
@ -401,14 +405,18 @@ impl<'a> FridaInstrumentationHelper<'a> {
if extender_encoding != -1 && shift_amount < 0b1000 {
// emit add extended register: https://developer.arm.com/documentation/ddi0602/latest/Base-Instructions/ADD--extended-register---Add--extended-register--
writer.put_bytes(&(0x8b210000 | ((extender_encoding as u32) << 13) | (shift_amount << 10)).to_le_bytes());
writer.put_bytes(
&(0x8b210000 | ((extender_encoding as u32) << 13) | (shift_amount << 10))
.to_le_bytes(),
);
} else if shift_encoding != -1 {
writer.put_bytes(&(0x8b010000 | ((shift_encoding as u32) << 22) | (shift_amount << 10)).to_le_bytes());
writer.put_bytes(
&(0x8b010000 | ((shift_encoding as u32) << 22) | (shift_amount << 10))
.to_le_bytes(),
);
} else {
panic!("extender: {:?}, shift: {:?}", extender, shift);
}
};
}
@ -554,7 +562,17 @@ impl<'a> FridaInstrumentationHelper<'a> {
&self,
_address: u64,
instr: &Insn,
) -> Result<(capstone::RegId, capstone::RegId, i32, u32, Arm64Shift, Arm64Extender), ()> {
) -> Result<
(
capstone::RegId,
capstone::RegId,
i32,
u32,
Arm64Shift,
Arm64Extender,
),
(),
> {
// We have to ignore these instructions. Simulating them with their side effects is
// complex, to say the least.
match instr.mnemonic().unwrap() {