SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

format libafl_frida

Browse Source
This commit is contained in:
Andrea Fioraldi 2021-04-30 15:50:11 +02:00
parent 22b72bac66
commit 9ee427a1fa
2 changed files with 55 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
libafl_frida/src/asan_rt.rs
View File

@ -24,7 +24,7 @@ use color_backtrace::{default_output_stream, BacktracePrinter, Verbosity};
use dynasmrt::{dynasm, DynasmApi, DynasmLabelApi}; use dynasmrt::{dynasm, DynasmApi, DynasmLabelApi};
#[cfg(unix)] #[cfg(unix)]
use gothook::GotHookLibrary; use gothook::GotHookLibrary;
use libc::{_SC_PAGESIZE, getrlimit64, rlimit64, sysconf}; use libc::{getrlimit64, rlimit64, sysconf, _SC_PAGESIZE};
use rangemap::RangeSet; use rangemap::RangeSet;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use std::{ use std::{
@ -90,7 +90,10 @@ impl Allocator {
addr as *mut c_void, addr as *mut c_void,
page_size, page_size,
ProtFlags::PROT_READ | ProtFlags::PROT_WRITE, ProtFlags::PROT_READ | ProtFlags::PROT_WRITE,
MapFlags::MAP_PRIVATE | MapFlags::MAP_ANONYMOUS | MapFlags::MAP_FIXED | MapFlags::MAP_NORESERVE, MapFlags::MAP_PRIVATE
| MapFlags::MAP_ANONYMOUS
| MapFlags::MAP_FIXED
| MapFlags::MAP_NORESERVE,
-1, -1,
0, 0,
) )
@ -110,7 +113,10 @@ impl Allocator {
addr as *mut c_void, addr as *mut c_void,
addr + addr, addr + addr,
ProtFlags::PROT_READ | ProtFlags::PROT_WRITE, ProtFlags::PROT_READ | ProtFlags::PROT_WRITE,
MapFlags::MAP_ANONYMOUS | MapFlags::MAP_FIXED | MapFlags::MAP_PRIVATE | MapFlags::MAP_NORESERVE, MapFlags::MAP_ANONYMOUS
| MapFlags::MAP_FIXED
| MapFlags::MAP_PRIVATE
| MapFlags::MAP_NORESERVE,
-1, -1,
0, 0,
) )
@ -161,7 +167,8 @@ impl Allocator {
let mut current_size = size; let mut current_size = size;
while current_size <= self.largest_allocation { while current_size <= self.largest_allocation {
if self.allocation_queue.contains_key(&current_size) { if self.allocation_queue.contains_key(&current_size) {
if let Some(metadata) = self.allocation_queue.entry(current_size).or_default().pop() { if let Some(metadata) = self.allocation_queue.entry(current_size).or_default().pop()
{
return Some(metadata); return Some(metadata);
} }
} }
@ -184,8 +191,7 @@ impl Allocator {
} }
let rounded_up_size = self.round_up_to_page(size); let rounded_up_size = self.round_up_to_page(size);
let metadata = if let Some(mut metadata) = self.find_smallest_fit(rounded_up_size) let metadata = if let Some(mut metadata) = self.find_smallest_fit(rounded_up_size) {
{
//println!("reusing allocation at {:x}, (actual mapping starts at {:x}) size {:x}", metadata.address, metadata.address - self.page_size, size); //println!("reusing allocation at {:x}, (actual mapping starts at {:x}) size {:x}", metadata.address, metadata.address - self.page_size, size);
metadata.is_malloc_zero = is_malloc_zero; metadata.is_malloc_zero = is_malloc_zero;
metadata.size = size; metadata.size = size;
@ -214,11 +220,7 @@ impl Allocator {
} }
}; };
self.map_shadow_for_region( self.map_shadow_for_region(mapping, mapping + rounded_up_size, false);
mapping,
mapping + rounded_up_size,
false,
);
let mut metadata = AllocationMetadata { let mut metadata = AllocationMetadata {
address: mapping, address: mapping,
@ -803,8 +805,11 @@ impl AsanRuntime {
let stack_address = &stack_var as *const _ as *const c_void as usize; let stack_address = &stack_var as *const _ as *const c_void as usize;
let (start, end, _, _) = find_mapping_for_address(stack_address).unwrap(); let (start, end, _, _) = find_mapping_for_address(stack_address).unwrap();
let mut stack_rlimit = rlimit64 { rlim_cur: 0, rlim_max: 0 }; let mut stack_rlimit = rlimit64 {
assert!(unsafe { getrlimit64(3, &mut stack_rlimit as *mut rlimit64 ) } == 0); rlim_cur: 0,
rlim_max: 0,
};
assert!(unsafe { getrlimit64(3, &mut stack_rlimit as *mut rlimit64) } == 0);
println!("stack_rlimit: {:?}", stack_rlimit); println!("stack_rlimit: {:?}", stack_rlimit);
@ -816,7 +821,10 @@ impl AsanRuntime {
max_start as *mut c_void, max_start as *mut c_void,
start - max_start, start - max_start,
ProtFlags::PROT_READ | ProtFlags::PROT_WRITE, ProtFlags::PROT_READ | ProtFlags::PROT_WRITE,
MapFlags::MAP_ANONYMOUS | MapFlags::MAP_FIXED | MapFlags::MAP_PRIVATE | MapFlags::MAP_STACK, MapFlags::MAP_ANONYMOUS
| MapFlags::MAP_FIXED
| MapFlags::MAP_PRIVATE
| MapFlags::MAP_STACK,
-1, -1,
0, 0,
) )

46
libafl_frida/src/helper.rs
View File

@ -9,7 +9,10 @@ use libafl::utils::find_mapping_for_path;
use libafl_targets::drcov::{DrCovBasicBlock, DrCovWriter}; use libafl_targets::drcov::{DrCovBasicBlock, DrCovWriter};
#[cfg(target_arch = "aarch64")] #[cfg(target_arch = "aarch64")]
use capstone::arch::{arm64::{Arm64OperandType, Arm64Extender, Arm64Shift}, ArchOperand::Arm64Operand}; use capstone::arch::{
arm64::{Arm64Extender, Arm64OperandType, Arm64Shift},
ArchOperand::Arm64Operand,
};
use capstone::{ use capstone::{
arch::{self, BuildsCapstone}, arch::{self, BuildsCapstone},
Capstone, Insn, Capstone, Insn,
@ -88,10 +91,7 @@ impl<'a> FridaHelper<'a> for FridaInstrumentationHelper<'a> {
let mut hasher = AHasher::new_with_keys(0, 0); let mut hasher = AHasher::new_with_keys(0, 0);
hasher.write(input.target_bytes().as_slice()); hasher.write(input.target_bytes().as_slice());
let filename = format!( let filename = format!("./coverage/{:016x}.drcov", hasher.finish(),);
"./coverage/{:016x}.drcov",
hasher.finish(),
);
DrCovWriter::new(&filename, &self.ranges, &mut self.drcov_basic_blocks).write(); DrCovWriter::new(&filename, &self.ranges, &mut self.drcov_basic_blocks).write();
} }
@ -221,10 +221,14 @@ impl<'a> FridaInstrumentationHelper<'a> {
if options.stalker_enabled() { if options.stalker_enabled() {
for (id, module_name) in modules_to_instrument.iter().enumerate() { for (id, module_name) in modules_to_instrument.iter().enumerate() {
let (lib_start, lib_end) = find_mapping_for_path(module_name.to_str().unwrap()); let (lib_start, lib_end) = find_mapping_for_path(module_name.to_str().unwrap());
println!("including range {:x}-{:x} for {:?}", lib_start, lib_end, module_name); println!(
helper "including range {:x}-{:x} for {:?}",
.ranges lib_start, lib_end, module_name
.insert(lib_start..lib_end, (id as u16, module_name.to_str().unwrap())); );
helper.ranges.insert(
lib_start..lib_end,
(id as u16, module_name.to_str().unwrap()),
);
} }
if helper.options.drcov_enabled() { if helper.options.drcov_enabled() {
@ -401,14 +405,18 @@ impl<'a> FridaInstrumentationHelper<'a> {
if extender_encoding != -1 && shift_amount < 0b1000 { if extender_encoding != -1 && shift_amount < 0b1000 {
// emit add extended register: https://developer.arm.com/documentation/ddi0602/latest/Base-Instructions/ADD--extended-register---Add--extended-register-- // emit add extended register: https://developer.arm.com/documentation/ddi0602/latest/Base-Instructions/ADD--extended-register---Add--extended-register--
writer.put_bytes(&(0x8b210000 | ((extender_encoding as u32) << 13) | (shift_amount << 10)).to_le_bytes()); writer.put_bytes(
&(0x8b210000 | ((extender_encoding as u32) << 13) | (shift_amount << 10))
.to_le_bytes(),
);
} else if shift_encoding != -1 { } else if shift_encoding != -1 {
writer.put_bytes(&(0x8b010000 | ((shift_encoding as u32) << 22) | (shift_amount << 10)).to_le_bytes()); writer.put_bytes(
&(0x8b010000 | ((shift_encoding as u32) << 22) | (shift_amount << 10))
.to_le_bytes(),
);
} else { } else {
panic!("extender: {:?}, shift: {:?}", extender, shift); panic!("extender: {:?}, shift: {:?}", extender, shift);
} }
}; };
} }
@ -554,7 +562,17 @@ impl<'a> FridaInstrumentationHelper<'a> {
&self, &self,
_address: u64, _address: u64,
instr: &Insn, instr: &Insn,
) -> Result<(capstone::RegId, capstone::RegId, i32, u32, Arm64Shift, Arm64Extender), ()> { ) -> Result<
(
capstone::RegId,
capstone::RegId,
i32,
u32,
Arm64Shift,
Arm64Extender,
),
(),
> {
// We have to ignore these instructions. Simulating them with their side effects is // We have to ignore these instructions. Simulating them with their side effects is
// complex, to say the least. // complex, to say the least.
match instr.mnemonic().unwrap() { match instr.mnemonic().unwrap() {