
[-] PROGRAM ABORT : Error opening pidfile.txt

Open jplopezy opened this issue 6 years ago • 15 comments

Dear!

I was doing some tests with a command line to fuzz firefox.

I wanted to try it, and I also wanted to try brute-forcing the offset. The problem is that I tried with all of them and it always gives me the same error. Do you know why?

Error:

[-] PROGRAM ABORT : Error opening pidfile.txt Location : create_target_process(), c:\work\winafl\source\afl-fuzz.c:2361

Line :

afl-fuzz.exe -i in -o out -D C:\winafl-master\dyno\bin64 -t 100 -- -coverage_module mozglue.dll -coverage_module firefox.exe -fuzz_iterations 100 -target_module lgpllibs.dll -target_offset 0xB1D1 -nargs 2 -- C:\Program Files\Mozilla Firefox\firefox.exe @@

jplopezy avatar Dec 21 '18 04:12 jplopezy

First time I see this error, but in general, the pid file is created in https://github.com/googleprojectzero/winafl/blob/master/afl-fuzz.c#L2302 with -pidfile dynamorio flag. Perhaps instrumentation fails for some reason. These issues can be debugged by running the target in DynamoRIO directly (see the -debug mode in Readme). Looking at the command line, the most likely reason I can see for instrumentation failing is the target path containing spaces, and not being quoted. It should probably be "C:\Program Files\Mozilla Firefox\firefox.exe" instead of C:\Program Files\Mozilla Firefox\firefox.exe

Also, I would be really surprised if you could fuzz the whole of firefox (rather than a specific part) in this way, and also if you could brute-force a (meaningful) target_offset.

ifratric avatar Dec 21 '18 08:12 ifratric

I met the same issue. I solved this by opening "cmd.exe" as administrator.

xinali avatar Jan 03 '19 06:01 xinali

Hi, I also met the same issue. I just tested a very simple C program to make sure it works. The program simply reads from a file to check if it's 'bad!'. If so, it crashes. When I run WinAFL in static instrumentation mode -Y, it also shows the "All programs time out." issue.

Line: afl-fuzz.exe -i D:\Workspaces\winafl\testcase -o D:\Workspaces\winafl\findings -D D:\Software\DynamoRIO\bin64 -t 20000 -- -coverage_module testprog.exe -- D:\Workspaces\winafl\programs\testprog.exe @@

mengfei-ren avatar May 07 '19 03:05 mengfei-ren

I'm not sure if this is related to this issue but your command line seems to be missing some required instrumentation flags (such as target module/function, number of function arguments and number of iterations). You should always run the debug mode first (see https://github.com/googleprojectzero/winafl/blob/master/readme_dr.md) and only run afl-fuzz if the debug log looks good.

ifratric avatar May 07 '19 08:05 ifratric

@yuexizhumeng

The solution is to change D:\Workspaces\winafl\programs\testprog.exe to "D:\Workspaces\winafl\programs\testprog.exe", as @xinali says.

jplopezy avatar May 07 '19 12:05 jplopezy

I was receiving the same error. I was mistakenly using the DynamoRIO bin32 executable instead of bin64.

anshuman-goel avatar Jun 20 '19 17:06 anshuman-goel

The path string is the key. I also met this error.

MortalAndTry avatar Aug 27 '19 05:08 MortalAndTry

I have encountered the same problem. Have you solved this problem? The following are my command parameters and error message:

C:\Users\luna\Desktop\winafl-master\bin64>afl-fuzz.exe -i C:\Users\luna\Desktop\input -o C:\Users\luna\Desktop\out -D C:\Users\luna\Desktop\DynamoRIO-Windows-7.1.0-1\bin64 -t 20000 -- -coverage_module test.exe -coverage_module test.dll -fuzz_iterations 5000 -target_module test.exe -target_method wWinMain -nargs 2 -- E:\testforwinafl\test.exe @@
WinAFL 1.16b by <[email protected]>
Based on AFL 2.43b by <[email protected]>
[+] You have 1 CPU cores and 0 runnable tasks (utilization: 0%).
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'C:\Users\luna\Desktop\input'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...

[-] PROGRAM ABORT : Error opening pidfile.txt
         Location : create_target_process(), c:\work\winafl\source\afl-fuzz.c:2357

Below is the feedback from debugging mode. I did not see the relevant debugging file generated, unless I used it incorrectly.

C:\Users\luna\Desktop\winafl-master\bin64>C:\Users\luna\Desktop\DynamoRIO-Windows-7.1.0-1\bin64\drrun.exe -c winafl.dll -debug -coverage_module test.dll -target_module test.exe -target_offset 0x0 -fuzz_iterations 10 -nargs 2 -- "E:testforwinafl\test.exe @@"
 C:\Users\luna\Desktop\input\alphatrans.png
ERROR: Target process E:testforwinafl\test.exe is for the wrong architecture

I have tested the above methods. I have received the same results on both Windows 7 x86 and x64, and I started cmd.exe as Administrator.

Taolaw avatar Nov 11 '19 12:11 Taolaw

Hi Taolaw,

As @anshuman-goel mentioned earlier, and because I lost a few minutes trying to figure out what's wrong: you are using the wrong architecture for DynamoRIO. If it's x86, make sure you use bin32\drrun.exe and bin32\afl-fuzz.exe, and consequently if it's x64, use bin64\drrun.exe and bin64\afl-fuzz.exe.

From your command line above, it looks like you have compiled for x86 architecture.

Hope that helps, Symeon

symeonp avatar Nov 11 '19 14:11 symeonp

I am getting this same problem regardless of the combination of dynamoRIO and winafl that I use. I'm starting to wonder if the problem isn't deeper than that, but digging into the .c file doesn't illuminate the situation much.

Austin-Src avatar Feb 16 '20 04:02 Austin-Src

I had a similar problem (pidfile error) with a command of the form

afl-fuzz.exe … -- -coverage_module … -- path\to\app.exe someArg path\to\some\other\file @@

I had to wrap each whitespace-separated part after the second -- in quotes, like so:

afl-fuzz.exe … -- -coverage_module … -- "path\to\app.exe" "someArg" "path\to\some\other\file" @@

It took me a while to figure it out because someArg was a simple number like 1000, so I had not expected to have to wrap it in quotes.

debach avatar May 27 '20 08:05 debach
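As an added example (not code from WinAFL or from anyone in this thread), a small Python lint for the two mistakes raised repeatedly above: instrumentation flags missing between the two `--` separators, and a target path containing spaces left unquoted, which the shell splits into several argv tokens before afl-fuzz ever sees it. The sample argv is the Firefox command from the first post, constructed here as the shell would split it.

```python
from typing import Dict, List

# Instrumentation flags the thread names as required by the winafl.dll client;
# -target_method and -target_offset are alternatives, so they are checked apart.
REQUIRED_FLAGS = ("-coverage_module", "-target_module", "-nargs", "-fuzz_iterations")

def split_sections(argv: List[str]) -> Dict[str, List[str]]:
    """Split afl-fuzz argv at its two '--' separators:
    afl-fuzz options -- instrumentation options -- target command line."""
    parts: List[List[str]] = [[]]
    for tok in argv:
        if tok == "--" and len(parts) < 3:
            parts.append([])
        else:
            parts[-1].append(tok)
    if len(parts) != 3:
        raise ValueError("expected two '--' separators")
    return {"fuzzer": parts[0], "instr": parts[1], "target": parts[2]}

def lint(argv: List[str]) -> List[str]:
    """Return human-readable problems found in an afl-fuzz command line."""
    try:
        s = split_sections(argv)
    except ValueError as e:
        return [str(e)]
    problems = [f"missing instrumentation flag {f}" for f in REQUIRED_FLAGS
                if f not in s["instr"]]
    if "-target_method" not in s["instr"] and "-target_offset" not in s["instr"]:
        problems.append("need -target_method or -target_offset")
    if not s["target"]:
        problems.append("nothing after the second '--'")
    # An unquoted path such as C:\Program Files\...\firefox.exe reaches afl-fuzz
    # as several argv tokens, so the first target token is no longer an .exe path.
    elif not s["target"][0].lower().endswith(".exe"):
        problems.append(f"target path split by whitespace at {s['target'][0]!r}; "
                        "quote the path")
    return problems

# Constructed sample: the Firefox command from the first post, with the
# unquoted path split the way the shell splits it.
FIREFOX_ARGV = ["afl-fuzz.exe", "-i", "in", "-o", "out", "-D",
                r"C:\winafl-master\dyno\bin64", "-t", "100", "--",
                "-coverage_module", "mozglue.dll", "-coverage_module", "firefox.exe",
                "-fuzz_iterations", "100", "-target_module", "lgpllibs.dll",
                "-target_offset", "0xB1D1", "-nargs", "2", "--",
                r"C:\Program", r"Files\Mozilla", r"Firefox\firefox.exe", "@@"]

if __name__ == "__main__":
    for problem in lint(FIREFOX_ARGV):
        print(problem)
```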

I met a similar problem (pidfile opening error) when I tried to fuzz my application with the command below: afl-fuzz.exe -i in -o out -D "D:\winafl\DynamoRIO-Windows-8.0.0-1\bin64" -t 20000 -- -coverage_module "path\to*.dll" -coverage_module "path\to\myapp.exe" -fuzz_iterations 10 -target_module "path\to\myapp.exe" -target_offset 0x16e0 -nargs 2 -- "path\to\myapp.exe" "-i" @@

myapp.exe also has a parameter "-i" to run it.

Don't know why it does not work.

Hongyuan-Li avatar Feb 01 '21 08:02 Hongyuan-Li

how to get target_offset value

bheem1007 avatar Sep 15 '22 12:09 bheem1007

How to avoid "Error opening pidfile.txt"?

bheem1007 avatar Sep 15 '22 12:09 bheem1007

how to get target_offset value

Using a disassembler (Ghidra or IDA Pro). Find the target function and see what its address is. Then find the base address (most often it is 0x400000) and subtract it from the function address. This will be the target_offset.

seabasssec avatar Nov 11 '23 08:11 seabasssec
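As an added example (not part of WinAFL or of any comment above), a Python check for the architecture mismatch that anshuman-goel and symeonp diagnosed, together with the target_offset arithmetic seabasssec describes: it reads Machine and ImageBase from a PE header, says whether -D should point at bin32 or bin64, and subtracts ImageBase from a function address. fake_pe is a constructed header, not a real executable, so the script runs without a target binary.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

def pe_machine_and_base(data: bytes):
    """Read Machine from the COFF header and ImageBase from the optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: ImageBase is a DWORD at optional-header offset 28
        base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:  # PE32+: ImageBase is a QWORD at optional-header offset 24
        base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return machine, base

def required_bin_dir(machine: int) -> str:
    """x86 targets need bin32\\drrun.exe and bin32\\afl-fuzz.exe; x64 targets need bin64."""
    return {IMAGE_FILE_MACHINE_I386: "bin32", IMAGE_FILE_MACHINE_AMD64: "bin64"}[machine]

def check_arch(dynamorio_dir: str, target_image: bytes):
    """Return a problem description if -D points at the wrong DynamoRIO build, else None."""
    want = required_bin_dir(pe_machine_and_base(target_image)[0])
    got = dynamorio_dir.rstrip("\\/").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if got != want:
        return f"-D points at {got} but the target needs {want}\\drrun.exe and {want}\\afl-fuzz.exe"
    return None

def target_offset(function_va: int, image_base: int) -> int:
    """-target_offset = function address shown by the disassembler minus ImageBase."""
    return function_va - image_base

def fake_pe(machine: int, magic: int, image_base: int) -> bytes:
    """Constructed minimal MZ/PE header (not a runnable executable) for offline testing."""
    dos = bytearray(b"MZ") + bytes(0x3E)                      # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    opt = bytearray(0x70 if magic == 0x10B else 0x80)
    struct.pack_into("<H", opt, 0, magic)
    fmt, off = ("<I", 28) if magic == 0x10B else ("<Q", 24)
    struct.pack_into(fmt, opt, off, image_base)
    return bytes(dos) + coff + bytes(opt)
```

With a real binary, pass `open(path, "rb").read()` as target_image; the header parse only touches the first few hundred bytes.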