
Post-Fuzz Handler was Never Reached

Open MrSynAckSter-zz opened this issue 5 years ago • 4 comments

I am trying to run the Dynamorio test as suggested by https://github.com/googleprojectzero/winafl/blob/master/readme_dr.md

I use an invocation similar to:

"C:\Users\John\Downloads\DynamoRIO-Windows-7.1.0-1\DynamoRIO-Windows-7.1.0-1\bin64\drrun.exe" -c winafl.dll -debug -target_module myexe.exe  -target_offset 0xAADC -fuzz_iterations 10 -nargs 2 -- "C:\Program Files\myexe\myexe.exe" -f "C:\Users\John\Documents\fuzzing\testcases\testcase.case"

My intention is to do mutational fuzzing on the input. I don't want to give it a big list of targeted functions, so I gave it the address of main. In my case, I found main with IDA Pro, and confirmed that the address was consistent with what a debugger was giving me.

However, it only runs the function once and gives me the following output:

In pre_fuzz_handler
In pre_fuzz_handler
In OpenFileW, reading C:\Users\John\fuzzing\testcases\testcase.case
In pre_fuzz_handler
WARNING: Post-fuzz handler was never reached. Did the target function return normally?
Coverage map follows:

With an empty coverage map. Is this because I am trying to use dynamorio on main? How do I fix this? How do I debug this?

The documentation I linked to suggests that fuzzing main is appropriate for my use case. Is there something you could suggest trying to get this working?

Edit: Also I should add that the target binary doesn't have symbols.

MrSynAckSter-zz avatar Jun 02 '19 21:06 MrSynAckSter-zz

It looks like your main function didn't return correctly.

MortalAndTry avatar Jun 03 '19 00:06 MortalAndTry

Symbols do not affect fuzzing.

MortalAndTry avatar Jun 03 '19 00:06 MortalAndTry

Does that mean that the main function legitimately is incompatible with Dynamorio? What would cause this issue from a source perspective? How would I go on fuzzing main with winafl if this is happening?

MrSynAckSter-zz avatar Jun 03 '19 15:06 MrSynAckSter-zz

One thing that would cause this is the target function "returning" via exit() or similar (instead of return). Or another function within the binary terminating the process before the main function returns cleanly. Possibly you can get around this by selecting a function deeper into the binary. Pretty difficult to tell anything more without knowing the specifics of your target.

ifratric avatar Jun 03 '19 15:06 ifratric
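As an added illustration of the return-vs-exit distinction ifratric describes (example code written for this thread, not from the winafl project or from the reporter's target): main() below leaves through exit(), so a -target_offset pointing at it never gives the post-fuzz handler a return to hook, while process_buffer() and process_file() return normally and are the kind of deeper functions to select instead. The file format, function names and the 4096-byte read limit are all constructed for the example.

```c
/* Added example (not from the winafl project): a target laid out so that
 * main() "returns" via exit(), which is why WinAFL's post-fuzz handler
 * never fires when -target_offset points at main, while process_buffer()
 * returns normally and is the kind of deeper function to select instead. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a small constructed format: 4-byte magic "CASE", one length byte,
 * then that many payload bytes. Returns the payload length on success and
 * -1 on any malformed input. It always returns; it never calls exit(). */
int process_buffer(const uint8_t *buf, size_t len) {
    if (len < 5 || memcmp(buf, "CASE", 4) != 0) {
        return -1;                  /* too short or wrong magic */
    }
    size_t payload = buf[4];
    if (len - 5 < payload) {
        return -1;                  /* truncated payload: reject, never read past buf */
    }
    return (int)payload;
}

/* Read the file given by -f and hand it to process_buffer(). Also returns
 * normally, so it is a usable -target_offset candidate as well. */
int process_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    uint8_t buf[4096];              /* constructed cap for the example */
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return process_buffer(buf, n);
}

int main(int argc, char **argv) {
    if (argc < 3 || strcmp(argv[1], "-f") != 0) {
        fprintf(stderr, "usage: %s -f <file>\n", argv[0]);
        exit(2);                    /* main terminates the process: nothing to hook */
    }
    int rc = process_file(argv[2]);
    printf("result: %d\n", rc);
    exit(rc < 0 ? 1 : 0);           /* same here: main never executes a return */
}
```

Pointing -target_offset at the offset of process_file or process_buffer instead of main gives WinAFL a function that enters and returns on every iteration, which is what the pre_fuzz/post_fuzz handler pair needs.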