winafl
winafl copied to clipboard
googleprojectzero
IPT Tracing Error
I compiled my WinAFL binaries using the intel PT flag and im trying to use the example in the docs but I cannot seem to get it to work, I keep getting:
C:\WinAFL\winafl\build64\bin\Release>afl-fuzz.exe -i ..\..\..\testcases\others\elf -o ..\..\out -P -t 20000 -- -coverage_module test_gdiplus.exe -target_module test_gdiplus.exe -target_method main -nargs 2 -- test_gdiplus.exe @@
WinAFL 1.16b by <[email protected]>
Based on AFL 2.43b by <[email protected]>
IPT service enebled
[+] You have 8 CPU cores and 0 runnable tasks (utilization: 0%).
[+] Try parallel jobs - see docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[+] Process affinity is set to 1.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning '..\..\..\testcases\others\elf'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...
[-] PROGRAM ABORT : ipt tracing error
Location : run_target_pt(), c:\winafl\winafl\winaflpt.c:1455
Which Windows version, which CPU and are you running inside a VM?
btw, what is architecturally preventing it from running inside of a VM?
I had to resort to using Intel PT because apparently dynamoRIO doesn’t work on 16Gbs of RAM. I guess even that’s not enough. But now PT doesn’t even work. I’m so lost on how some folks get AFL to work
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 9, GenuineIntel
Processor Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz, 2901 Mhz, 4 Core(s), 8 Logical Processors
Dynamo rio works fine on 16gb ram. Why it’s not working for you?
On Sat, 18 Apr 2020 at 11:49 PM, ryancor [email protected] wrote:
PROCESSOR_ARCHITECTURE=AMD64 PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 9, GenuineIntel
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/googleprojectzero/winafl/issues/244#issuecomment-615919095, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFL3IMETRD7ZQLJMGR2HRBTRNHVKRANCNFSM4MLC5QPQ .
-- -Hardik Shah
I’m using the exact example command using gdi_plus.exe as the Target binary. I’m constantly getting either “Test case timed out” even using the -t (+) option or I’m getting “Program out of memory”.
Regarding Intel PT:
Intel PT support in WinAFL is based on https://github.com/ionescu007/winipt, can you compile that and check if it works for you? You didn't write which version of Windows 10 you were using, note that Intel PT driver is only present on 1809 and up.
@expend20 I can only tell you that the VM software must explicitly support Intel PT, but don't know the low level details, which I assume is what you're interested in, sorry!
Regarding DR:
"Test case timed out" can mean different things in WinAFL if the setup is incorrect, this is why you should always run the debug mode as described in https://github.com/googleprojectzero/winafl/blob/master/readme_dr.md and check your debug log before trying to run a fuzzing session. 16gb should definitely not be a problem for test_gdiplus.exe.
PT: And can you also check if the WinAFL precompiled binaries work for you? I didn't compile it anew, but I just confirmed that precompiled binaries still work correctly on 1909.
C:\WinAFL\winafl\build64\bin\Release>afl-fuzz.exe -i ..\..\..\testcases\images\gif -o out -D C:\WinAFL\DynamoRIO\bin64 -t 20000 -- -coverage_module gdiplus.dll -coverage_module WindowsCodecs.dll -fuzz_iterations 5000 -target_module test_gdiplus.exe -target_method main -nargs 2 -- test_gdiplus.exe @@
WinAFL 1.16b by <[email protected]>
Based on AFL 2.43b by <[email protected]>
[+] You have 8 CPU cores and 0 runnable tasks (utilization: 0%).
[+] Try parallel jobs - see docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[+] Process affinity is set to 1.
[*] Setting up output directories...
[*] Scanning '..\..\..\testcases\images\gif'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...
[-] The program took more than 20000 ms to process one of the initial test cases.
Usually, the right thing to do is to relax the -t option - or to delete it
altogether and allow the fuzzer to auto-calibrate. That said, if you know
what you are doing and want to simply skip the unruly test cases, append
'+' at the end of the value passed to -t ('-t 20000+').
[-] PROGRAM ABORT : Test case 'id_000000' results in a timeout @ifratric
Location : perform_dry_run(), c:\winafl\winafl\afl-fuzz.c:3005
Dynamo does not work for me and I built AFL with the version I have. Now I will attempt to show my use of Dr.Run using the debug flag
C:\WinAFL\winafl\build64\bin\Release>C:\WinAFL\DynamoRIO\bin64\drrun.exe -c winafl.dll -debug -target_module test_gdiplus.exe -target_method main -fuzz_iterations 10 -nargs 2 -- test_gdiplus.exe ..\..\..\testcases\images\gif\not_kitty.gif
<Out of memory. Program aborted.>
Here is my windows build information Version 1803 (OS Build 17134.1246)
Hmm well the Windows version explains why Intel PT isn't working, but this is the first time I'm seeing an out-of-memory error on a small example like that. Which DR version are you using? You can also try to disable any antivirus/antimalware software you are running as it can interfere with DR.
I'm currently updating my Windows OS build to 1903, so I will check back on that once that is done. I have disabled all my AV's, how do i check which DR version I have?
Update on Intel PT, its running now fine on windows build 1903, but still can't get dynamo to work properly
You should use DynamoRio 8.0 if you have Windows 10 1809 and newer (as you have after update). Precompiled binaries seem to have DynamoRio release 7.1.0-1 (according to the readme_dr.md).
Have you tried to download DynamoRio 8.0 from Download page and compile WinAFL with it?
