
"process dead" issue that does not occur with WinAFL or other fuzzers

Open hyjun0407 opened this issue 1 year ago • 9 comments

Hello, I'm trying to use Jackalope, and I have a 'process death' issue that doesn't happen with WinAFL or kAFL. The fuzzer should run on the assumption that the target is executed repeatedly within the function fuzzme(), but Jackalope does not loop and the process 'dies'. It actually crashes the target process (WerFault.exe appears) and the target process dies. What I suspect is that the DLLs I'm targeting for fuzzing generate C++ exceptions (CPPEH), which Jackalope does not seem to pass on to the original exception handler. I'm puzzled that this problem hasn't happened with DynamoRIO or on the host. What should I do in this case?

hyjun0407 · Feb 04 '24 09:02

I already tried with: -generate_unwind -patch_return_addresses

hyjun0407 · Feb 04 '24 09:02

Of course, after the target process dies, the program is started again, but the program I'm targeting should be loopable because the initial process initialization takes too long.

hyjun0407 · Feb 04 '24 09:02

Hi, could you share the output you're getting from Jackalope?

Does the test program work correctly for you: fuzzer.exe -in in -out out -t 1000 -delivery shmem -instrument_module test.exe -target_module test.exe -target_method fuzz -nargs 1 -iterations 10000 -persist -loop -cmp_coverage -- test.exe -m @@

ifratric · Feb 05 '24 08:02

YES. Everything works OK with other things (the original test.cpp), but my harness's DLL raises an exception (a C++ EH exception that, in a normal situation, would be handled by the program's handler). Instead it is handled by Jackalope and the program dies, so I can't loop. And I don't understand what you mean by "output from Jackalope".

hyjun0407 · Feb 05 '24 09:02

By "output from Jackalope", I mean what Jackalope prints. It's difficult to diagnose the issue without knowing more about your target, but if it was due to C++ exceptions, then -generate_unwind or -patch_return_addresses should have fixed it. One other thing you can try is -stack_offset 1024.

ifratric · Feb 05 '24 10:02
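A minimal reproducer for the scenario discussed in this thread, added here as an example; it is not code from the Jackalope project or from either participant. The target method throws and catches C++ exceptions on every iteration, with the throw happening in a frame below the target method so that unwinding has to pass back through instrumented code to reach the handler. The input format, the return codes and the binary name test_eh.exe are constructed for this example; the -m @@ argument convention is the one used by the test program command line above, so the same Jackalope command line applies once -instrument_module, -target_module and the trailing program name are changed to test_eh.exe. Whether exec/s stays above zero with this harness, with and without -generate_unwind or -patch_return_addresses, separates "exception unwinding under instrumentation" from something specific to the real target.

```cpp
// Added example, not Jackalope project code: persistent-loop harness whose
// target method raises and catches C++ exceptions on every iteration.
// Build (MSVC, assumed): cl /EHsc /Fe:test_eh.exe test_eh.cpp
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <vector>

// Constructed input format (not a real protocol): byte 0 selects a command,
// the rest is payload. Malformed input raises a C++ exception from this
// frame, one level *below* the target method, so the unwinder must walk back
// through instrumented frames to find the handler in fuzz_buffer().
static size_t parse_payload(const unsigned char *data, size_t size) {
    if (size == 0)
        throw std::invalid_argument("empty input");
    switch (data[0]) {
    case 'L':  // 'L' + one length byte + exactly that many payload bytes
        if (size < 2 || (size_t)data[1] != size - 2)
            throw std::length_error("length byte does not match payload");
        return (size_t)data[1];
    case 'S':  // 'S' + payload that must be printable ASCII
        for (size_t i = 1; i < size; i++)
            if (data[i] < 0x20 || data[i] > 0x7e)
                throw std::domain_error("non-printable byte in string");
        return size - 1;
    default:
        throw std::invalid_argument("unknown command byte");
    }
}

// Return codes so a caller can tell which path ran.
enum FuzzResult { HANDLED_OK = 0, HANDLED_EXCEPTION = 1, READ_ERROR = 2 };

// In-memory core of the target method. Every exception from the parser is
// caught here. Nothing may escape: an exception leaving the target method
// would unwind into the fuzzer's call frame where there is no C++ handler,
// end in std::terminate(), and look exactly like "the process died".
int fuzz_buffer(const unsigned char *data, size_t size) {
    try {
        size_t n = parse_payload(data, size);
        (void)n;  // a real harness would consume the parsed payload here
        return HANDLED_OK;
    } catch (const std::logic_error &) {  // base of the three types thrown above
        return HANDLED_EXCEPTION;
    } catch (...) {                       // last resort: never let the process die
        return HANDLED_EXCEPTION;
    }
}

// The function named with -target_method fuzz. extern "C" keeps the symbol
// unmangled so it can be referred to by its plain name.
extern "C" int fuzz(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f)
        return READ_ERROR;
    std::vector<unsigned char> buf(4096);
    size_t n = fread(buf.data(), 1, buf.size(), f);
    fclose(f);
    return fuzz_buffer(buf.data(), n);
}

// Stand-alone entry following the "-m <file>" convention of the test program.
int main(int argc, char **argv) {
    if (argc < 3 || strcmp(argv[1], "-m") != 0) {
        fprintf(stderr, "usage: %s -m <input file>\n", argv[0]);
        return 1;
    }
    int rc = fuzz(argv[2]);
    printf("fuzz() returned %d\n", rc);
    return 0;
}
```

Run natively first (test_eh.exe -m some_input) to confirm both the normal and the caught-exception paths return without WerFault appearing; only then point the fuzzer at it. If the harness loops under Jackalope but the real target does not, the difference lies in how the real DLL's exceptions are raised or handled rather than in C++ exception unwinding as such.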

Jackalope doesn't output any error messages. But exec/s is zero, and it only runs (the exec count increases) once every 10 seconds. (I can infer that it runs once and the process dies, because the first initialization takes about 10 seconds, and when I look at it in Process Explorer, it is actually dying.) I'll try the additional suggestions and let you know the results right away.

hyjun0407 · Feb 05 '24 10:02