
drrun gets exception c0000005

Open freetom opened this issue 5 years ago • 2 comments

Hey,

I built DynamoRIO checking out the latest source and then built winafl by pointing at the previous. However when I try to TCP fuzz a binary with this command line:

"..\Downloads\winafl\build32\bin\Release\afl-fuzz.exe" -i .\input -o .\output -t 25000 -D "..\Downloads\dynamorio\build\bin32" -l "..\Downloads\winafl\build32\bin\Release\custom_net_fuzzer.dll" --  -target_module binary.exe -coverage_module binary.exe -target_offset 0x004204e0 -fuzz_iterations 10 -nargs 1 -- "C:\binary.exe"

I get a connection error:

[-] PROGRAM ABORT : connect() failed with error code : 10061
         Location : send_data_tcp(), c:\users\name\downloads\winafl\custom_net_fuzzer.c:66

So to troubleshoot I run drrun in debug mode:

"..\Downloads\dynamorio\build\bin32\drrun.exe" -c winafl.dll -debug -target_module binary.exe -coverage_module binary.exe -target_offset 0x004204e0 -fuzz_iterations 10 -nargs 1 -- "C:\binary.exe"

But the program doesn't run. The afl.binary.exe.0xxxx.0000.proc.log log says:

[...]
Exception caught: c0000005
crashed
WARNING: Target function was never called. Incorrect target_offset?
Coverage map follows:
[...]

Windows version: 10.0.18363

Any idea what could be causing the access violation?

freetom, May 06 '20 09:05

Maybe the argument -target_offset 0x004204e0 is not correct. The loading base of the binary is normally 0x400000, so the argument -target_offset should be 0x000204e0. You can try -target_offset 0x0204e0.

datadancer, Aug 20 '20 07:08
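One way to derive the module-relative value from a disassembler's absolute address, as an added example that is not part of this thread or of WinAFL: it reads the preferred ImageBase from the PE optional header instead of assuming 0x400000, and the PE header bytes it runs on are constructed inline (a header stub only, not a runnable binary).

```python
import struct

def read_image_base(pe_bytes: bytes) -> int:
    """Return ImageBase from the optional header (PE32 or PE32+)."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20            # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    if magic == 0x10B:                 # PE32: 32-bit ImageBase at offset 28
        return struct.unpack_from("<I", pe_bytes, opt + 28)[0]
    if magic == 0x20B:                 # PE32+: 64-bit ImageBase at offset 24
        return struct.unpack_from("<Q", pe_bytes, opt + 24)[0]
    raise ValueError(f"unknown optional header magic 0x{magic:x}")

def target_offset(pe_bytes: bytes, absolute_va: int) -> int:
    """Absolute VA as shown by a disassembler -> value for -target_offset.

    The result is relative to the module base, so it stays valid even when
    ASLR loads the module somewhere other than its preferred ImageBase.
    """
    base = read_image_base(pe_bytes)
    if absolute_va < base:
        raise ValueError(f"0x{absolute_va:x} is below image base 0x{base:x}")
    return absolute_va - base

def build_sample_pe(image_base: int, pe32plus: bool = False) -> bytes:
    """Constructed header stub for demonstration: MZ + e_lfanew + PE + COFF + optional."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = b"\0" * 20                  # COFF file header fields are not needed here
    if pe32plus:
        opt = bytearray(112)
        struct.pack_into("<H", opt, 0, 0x20B)
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        opt = bytearray(96)
        struct.pack_into("<H", opt, 0, 0x10B)
        struct.pack_into("<I", opt, 28, image_base)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    sample = build_sample_pe(0x400000)                       # 32-bit, base 0x400000
    print(f"-target_offset 0x{target_offset(sample, 0x004204E0):08x}")   # 0x000204e0
```

Against a real target, read the file bytes with open(path, "rb") in place of build_sample_pe.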

Possibly related to: https://github.com/DynamoRIO/dynamorio/issues/5198

eranzim, Nov 11 '21 11:11