LibAFL
Pthread introspection hook
see #68
Nice. Didn't know about this API. I would have done it using regular hooks, but this is better I think. Still needs to be wired up so that we start stalking on the new threads...
Uh. Now I see it is Apple-only. Maybe it is better to use regular hooks, which will be more portable?
Well there are basically two things we could do:
- use Frida Interceptor hooks. These work across threads, as they patch the function prologue. It's a bit of a hassle to make these work once a Stalker is active, and decreasing the trust level comes at a performance cost.
- use Frida Stalker to emit code on the pthread functions. However, that could end up being a chicken-and-egg problem, as the Stalker needs to be active on the thread that starts the new thread first. When attaching to a multithreaded target, this may be a problem.
I've tried to keep the external APIs of the module clean from any Apple pthread_introspection internals, so that it would be easy to make a drop-in replacement on other platforms.
I think the Frida Interceptor hooks are the way to go. I am using them successfully in ASAN. You can see what I did there. There is no need to decrease the trust level if you apply the hooks before you start stalking.
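What a prologue hook on pthread_create has to do to get a new thread "followed" before it runs any target code, as an added example that is not part of this PR or of libafl_frida: the hook captures the caller's start routine and argument, substitutes a trampoline as the thread entry point, and the trampoline runs the per-thread setup first. The `follow_current_thread` / `unfollow_current_thread` functions are assumed stand-ins for the fuzzer's per-thread Stalker setup and teardown, and `hooked_pthread_create` is assumed to be the function an Interceptor replacement would install over the real `pthread_create` (here it simply calls the real one; under Interceptor.replace it would call the original through the pointer the interceptor returns).

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Per-thread flag standing in for "the Stalker is following this thread".
 * Constructed for this example; a real harness would call into its own
 * per-thread instrumentation setup instead of flipping a bool. */
static _Thread_local bool g_thread_followed = false;

bool thread_is_followed(void) { return g_thread_followed; }

/* Assumed stand-ins for the per-thread setup/teardown the hook must run. */
static void follow_current_thread(void) { g_thread_followed = true; }
static void unfollow_current_thread(void) { g_thread_followed = false; }

/* What the caller originally asked pthread_create to run, captured by the hook. */
struct thread_start {
    void *(*start_routine)(void *);
    void *arg;
};

/* Trampoline: the first code the new thread executes. Runs the per-thread
 * setup, then the original routine, then tears the setup down again so the
 * thread exits with no instrumentation state left behind. */
static void *start_trampoline(void *raw) {
    struct thread_start *ts = raw;
    void *(*fn)(void *) = ts->start_routine;
    void *arg = ts->arg;
    free(ts);                      /* ownership ends once we have copied the fields */
    follow_current_thread();
    void *ret = fn(arg);
    unfollow_current_thread();
    return ret;
}

/* Assumed replacement for pthread_create. An Interceptor replacement would
 * call the original function here instead of pthread_create directly. */
int hooked_pthread_create(pthread_t *thread, const pthread_attr_t *attr,
                          void *(*start_routine)(void *), void *arg) {
    struct thread_start *ts = malloc(sizeof *ts);
    if (ts == NULL) return EAGAIN;
    ts->start_routine = start_routine;
    ts->arg = arg;
    int rc = pthread_create(thread, attr, start_trampoline, ts);
    if (rc != 0) free(ts);         /* thread never started, so the trampoline will not free it */
    return rc;
}

/* Worker for the demo: records whether it was already followed on entry. */
static void *worker(void *arg) {
    bool *seen = arg;
    *seen = thread_is_followed();
    return NULL;
}

/* Spawns one thread through the hook; true if the trampoline ran before the
 * worker's first instruction. */
bool spawn_followed_thread(void) {
    bool seen = false;
    pthread_t t;
    if (hooked_pthread_create(&t, NULL, worker, &seen) != 0) return false;
    pthread_join(t, NULL);
    return seen;
}

/* Spawns one thread past the hook; such a thread is never followed, which is
 * exactly the gap the hook exists to close. */
bool spawn_unhooked_thread(void) {
    bool seen = false;
    pthread_t t;
    if (pthread_create(&t, NULL, worker, &seen) != 0) return false;
    pthread_join(t, NULL);
    return seen;
}

int main(void) {
    printf("hooked thread followed:   %d\n", spawn_followed_thread());
    printf("unhooked thread followed: %d\n", spawn_unhooked_thread());
    printf("main thread followed:     %d\n", thread_is_followed());
    return 0;
}
```

The hook must be installed before the Stalker starts following the creating thread; once it is, every thread created afterwards enters through the trampoline, and the creating thread never has to be stalked for that to happen, which is the point made above about avoiding the chicken-and-egg ordering. Build with `-pthread` on toolchains whose libc does not already contain the pthread symbols.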
Why are those only aarch64 though?
Also, looking at different libcs and their pthread implementations, it isn't really clear to me where to hook for each of them, especially at places where the stack size and location are already known. I doubt function call hooks suffice there; ideally that would be the clone/clone3 syscall on Linux. But at least glibc's __clone_internal, which is called from pthread_create, doesn't seem to have symbols.
FRIDA-ASAN is only aarch64.
Why can we not hook pthread_create itself?
Hey @fabianfreyer, what's the state of this PR? libafl_frida is under refactor; you will get some conflicts once we merge the other PRs.
Instead of lazy_static, maybe take a look at https://crates.io/crates/static_init
Ping @fabianfreyer
What's the status @fabianfreyer
Continuing this in #891