
How to use AFL to record program trace?

Open Stab1el opened this issue 6 years ago • 2 comments

Hi, I have noticed your improvement to AFL and I am really interested in it. I want to use qemu user mode to record the program trace, which means the pc of each basic block. But I find that repeated blocks are not recorded by qemu, for example, if the executable path is a-b-c-a-b-d-a-b-e, the result I get could be a-b-c-d-e. Since qemu does not translate the translated chain, I cannot obtain the full path. And I think your instrumentation method may solve this problem. If I want to obtain the full execution order of translation blocks, could you offer me the location for instrumentation?

The sample target program I use is as follows.


#include <stdio.h>

/* Two different call targets so that the first and second half of the
 * loop below translate to different blocks. */
int func1(int a)
{
    printf("a is %d\n", a);
    return a;
}

int func2(int a)
{
    printf("b is %d\n", a);
    return a;
}

int main(void)
{
    int l, a;
    FILE *f = fopen("source.txt", "r");
    if (f == NULL) {
        perror("fopen");
        return 1;
    }
    /* The loop start index comes from the input file, so the number of
     * func1/func2 calls depends on the input. */
    if (fscanf(f, "%d", &a) != 1) {
        fprintf(stderr, "source.txt does not start with an integer\n");
        fclose(f);
        return 1;
    }
    fclose(f);
    for (l = a; l <= 10; l++) {
        if (l <= 5) {
            func1(a);
        } else {
            func2(a);
        }
    }
    return 0;
}

Stab1el avatar Jan 21 '19 08:01 Stab1el

I think the qemu_log piece of qemu-user can help: qemu-arm -d in_asm,nochain -L $(pwd) <Path_To_File>

You will end up with a trace like:


IN: 0xff774ff0: e8bd8070 pop {r4, r5, r6, pc}


IN: 0xff78c87c: e1a00004 mov r0, r4 0xff78c880: ebff2ec2 bl #0xff758390


IN: 0xff758390: e59fc048 ldr ip, [pc, #0x48] 0xff758394: ee1d3f70 mrc p15, #0, r3, c13, c0, #3 0xff758398: e59f1044 ldr r1, [pc, #0x44] 0xff75839c: e1a02000 mov r2, r0 0xff7583a0: e92d4080 push {r7, lr} 0xff7583a4: e1a00002 mov r0, r2 0xff7583a8: e3a070f8 mov r7, #0xf8 0xff7583ac: ef000000 svc #0

ChrisTheCoolHut avatar Jan 22 '19 00:01 ChrisTheCoolHut

I compile qemu for the x86_64 platform and I try your method with ./qemu-x86_64 -d in_asm,nochain hello, but the result still cannot record the repeated TBs. For example, the main function calls func2 5 times, but only the first time that TB is recorded. I try ./qemu-x86_64 -d in_asm hello, and there is no difference between these two output results.

 ----------------

IN: main
0x00000000004006d0:  mov    -0x10(%rbp),%eax
0x00000000004006d3:  mov    %eax,%edi
0x00000000004006d5:  callq  0x400651
---------------
IN: func2
0x0000000000400651:  push   %rbp
0x0000000000400652:  mov    %rsp,%rbp
0x0000000000400655:  sub    $0x10,%rsp
0x0000000000400659:  mov    %edi,-0x4(%rbp)
0x000000000040065c:  mov    -0x4(%rbp),%eax
0x000000000040065f:  mov    %eax,%esi
0x0000000000400661:  mov    $0x40077d,%edi
0x0000000000400666:  mov    $0x0,%eax
0x000000000040066b:  callq  0x400500

b is 3
----------------

IN: func2
0x0000000000400670:  mov    -0x4(%rbp),%eax
0x0000000000400673:  leaveq 
0x0000000000400674:  retq   

b is 3
b is 3
b is 3
b is 3
---------------

IN: main
0x00000000004006e4:  mov    $0x0,%eax
0x00000000004006e9:  leaveq 
0x00000000004006ea:  retq  

Stab1el avatar Jan 22 '19 08:01 Stab1el
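Added example, not code from this issue or from AFL/QEMU: a small Python parser for the in_asm log layout quoted in the two comments above. The in_asm lines are written when QEMU translates a block, so a block translated once and executed many times shows up once, which is exactly what the second comment observes; the helper counts translations per start pc to make that explicit, and SAMPLE_LOG is a constructed excerpt in the same layout as the traces in this thread.

```python
import re
from collections import Counter

# Constructed sample in the "-d in_asm" layout quoted in this issue: an x86_64 log
# with "IN: <symbol>" headers, plus one qemu-arm style block whose header line
# carries the first instruction directly after "IN:".
SAMPLE_LOG = """\
----------------
IN: main
0x00000000004006d0:  mov    -0x10(%rbp),%eax
0x00000000004006d3:  mov    %eax,%edi
0x00000000004006d5:  callq  0x400651
----------------
IN: func2
0x0000000000400651:  push   %rbp
0x0000000000400652:  mov    %rsp,%rbp
0x000000000040066b:  callq  0x400500
b is 3
----------------
IN: 0xff774ff0: e8bd8070 pop {r4, r5, r6, pc}
"""

# "IN: <symbol>" or "IN: <pc>: <first instruction>" (symbol may be empty).
HEADER = re.compile(r"^IN:\s*(?:(0x[0-9a-fA-F]+):\s*(.+)|(\S*))\s*$")
INSN = re.compile(r"^(0x[0-9a-fA-F]+):\s+(.*)$")

def parse_in_asm(log: str) -> list:
    """Split an in_asm log into translation blocks: {symbol, start, insns}."""
    blocks = []
    cur = None
    for raw in log.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"symbol": m.group(3) or "", "start": None, "insns": []}
            blocks.append(cur)
            if m.group(1):  # arm-style header already holds the first instruction
                cur["start"] = int(m.group(1), 16)
                cur["insns"].append(m.group(2).strip())
            continue
        m = INSN.match(line)
        if m and cur is not None:  # separators and program output are skipped
            if cur["start"] is None:
                cur["start"] = int(m.group(1), 16)
            cur["insns"].append(m.group(2).strip())
    return blocks

def translation_counts(blocks: list) -> Counter:
    """How often each start pc was *translated*; this is not an execution count."""
    return Counter(b["start"] for b in blocks if b["start"] is not None)
```

Every pc in the in_asm log maps to a count of 1 no matter how many times the block ran, so an execution-ordered trace needs an execution-time log (QEMU's -d exec) or the instrumentation asked about in the opening post.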