
Why do test cases time out?

Open Radon10043 opened this issue 5 years ago • 9 comments

I used the instrument.exe in the bin32 folder to generate p1.instr.exe and p1.instr.exe.pdb for the program Project1.exe I wrote, and then used afl-fuzz.exe to fuzz p1.instr.exe, but it told me that all test cases time out. How to solve this?

Radon10043 avatar Aug 05 '20 04:08 Radon10043

me too

ambitihyun avatar Aug 13 '20 11:08 ambitihyun

I want to fuzz the sample executable test_gdiplus.exe. I confirmed that it runs in debug mode as well, but I get a "Test case results in a timeout" message. The log looks like this:

D:\myProject\07_Fuzzing\winafl-master\build32_4\bin\Release>D:\myProject\07_Fuzzing\DynamoRIO-Windows-8.0.0-1\bin32\drrun.exe -c winafl.dll -debug -target_module test_gdiplus.exe -target_offset 0x2000 -- test_gdiplus.exe
Usage: test_gdiplus.exe

D:\myProject\07_Fuzzing\winafl-master\build32_4\bin\Release>D:\myProject\07_Fuzzing\DynamoRIO-Windows-8.0.0-1\bin32\drrun.exe -c winafl.dll -debug -target_module test_gdiplus.exe -target_offset 0x2000 -- test_gdiplus.exe in\not_kitty.bmp

D:\myProject\07_Fuzzing\winafl-master\build32_4\bin\Release>afl-fuzz.exe -i in -o out -t 10000+ -D "D:\myProject\07_Fuzzing\DynamoRIO-Windows-8.0.0-1\bin32" -- -target_module test_gdiplus.exe -target_offset 0x2000 -- test_gdiplus.exe @@
WinAFL 1.16b by [email protected]
Based on AFL 2.43b by [email protected]
[+] You have 6 CPU cores and 0 runnable tasks (utilization: 0%).
[+] Try parallel jobs - see docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[+] Process affinity is set to 1.

[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'in'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...
[!] WARNING: Test case results in a timeout (skipping)

[-] PROGRAM ABORT : All test cases time out, giving up!
         Location : perform_dry_run(), D:\myProject\07_Fuzzing\winafl-master\afl-fuzz.c:3103

0 processes nudged nudge operation failed, verify permissions and parameters.

ambitihyun avatar Aug 18 '20 10:08 ambitihyun

Have you tried fuzzing under the Debug folder instead of the Release?

Radon10043 avatar Aug 19 '20 03:08 Radon10043

Me too. I encountered the same time out problem.

I have read https://github.com/googleprojectzero/winafl/blob/master/README.md and https://github.com/googleprojectzero/winafl/blob/master/readme_dr.md.

Here are my steps:

D:\WinAFL\winafl\newbuild32\bin\Debug>D:\WinAFL\dynamorio\build32\bin32\drrun.exe -c winafl.dll -debug -coverage_module test_gdiplus.exe -target_module test_gdiplus.exe -target_offset 0x2095 -fuzz_iterations 10 -nargs 2 -debug -- test_gdiplus.exe in\fuzz.bmp

A log generated:

Module loaded, test_gdiplus.exe
Module loaded, dynamorio.dll
Module loaded, drwrap.dll
Module loaded, drmgr.dll
Module loaded, drreg.dll
Module loaded, drx.dll
Module loaded, winafl.dll
Module loaded, VCRUNTIME140.dll
Module loaded, gdiplus.dll
Module loaded, CRYPTBASE.dll
Module loaded, SspiCli.dll
Module loaded, GDI32.dll
Module loaded, RPCRT4.dll
Module loaded, SECHOST.dll
Module loaded, USER32.dll
Module loaded, gdi32full.dll
Module loaded, IMM32.dll
Module loaded, KERNELBASE.dll
Module loaded, bcryptPrimitives.dll
Module loaded, combase.dll
Module loaded, win32u.dll
Module loaded, KERNEL32.dll
Module loaded, ucrtbase.dll
Module loaded, msvcrt.dll
Module loaded, msvcp_win.dll
Module loaded, ntdll.dll
Instrumenting test_gdiplus.exe with the 'bb' mode
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
Everything appears to be running normally.
Coverage map follows:

And then I tried afl-fuzz.exe:

D:\WinAFL\winafl\newbuild32\bin\Debug>afl-fuzz.exe -i in -o out2 -t 2000+ -D D:\WinAFL\dynamorio\build32\bin32 --  -coverage_module test_gdiplus.exe -target_module test_gdiplus.exe -target_offset 0x2095 -fuzz_iterations 10 -debug -- test_gdiplus.exe @@
WinAFL 1.16b by <[email protected]>
Based on AFL 2.43b by <[email protected]>
[+] You have 8 CPU cores and 0 runnable tasks (utilization: 0%).
[+] Try parallel jobs - see docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #6.
[+] Process affinity is set to 40.

[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'in'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...
[!] WARNING: Test case results in a timeout (skipping)

[-] PROGRAM ABORT : All test cases time out, giving up!
         Location : perform_dry_run(), D:\WinAFL\winafl\afl-fuzz.c:3111

Also a log generated:

Module loaded, test_gdiplus.exe
Module loaded, dynamorio.dll
Module loaded, drwrap.dll
Module loaded, drmgr.dll
Module loaded, drreg.dll
Module loaded, drx.dll
Module loaded, winafl.dll
Module loaded, VCRUNTIME140.dll
Module loaded, gdiplus.dll
Module loaded, CRYPTBASE.dll
Module loaded, SspiCli.dll
Module loaded, GDI32.dll
Module loaded, RPCRT4.dll
Module loaded, SECHOST.dll
Module loaded, USER32.dll
Module loaded, gdi32full.dll
Module loaded, IMM32.dll
Module loaded, KERNELBASE.dll
Module loaded, bcryptPrimitives.dll
Module loaded, combase.dll
Module loaded, win32u.dll
Module loaded, KERNEL32.dll
Module loaded, ucrtbase.dll
Module loaded, msvcrt.dll
Module loaded, msvcp_win.dll
Module loaded, ntdll.dll
Instrumenting test_gdiplus.exe with the 'bb' mode
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
Everything appears to be running normally.
Coverage map follows:

So drrun.exe reports it running normally, but afl-fuzz.exe reports a timeout. Can you help me? Thanks a lot.

datadancer avatar Aug 19 '20 09:08 datadancer

Same error in the Debug folder.

ambitihyun avatar Aug 19 '20 09:08 ambitihyun

Have you solved this problem? @ambitihyun

datadancer avatar Aug 20 '20 07:08 datadancer

I can fuzz test_gdiplus.exe through DynamoRIO and winafl normally on my computer. I have succeeded under both Windows 10 and Windows 7; the steps are as follows:

  1. First, enter the winafl folder and execute the following commands. You need to modify the third command according to your Visual Studio version, and the fourth command ends with "Debug", not the "Release" mentioned in the official document.
mkdir build64
cd build64
cmake -G"Visual Studio 16 2019" .. -DDynamoRIO_DIR=C:\Users\Radon\Desktop\FuzzTools\DynamoRIO\cmake -DINTELPT=1
cmake --build . --config Debug
  2. Then you will find that the Debug folder is newly generated under winafl\build64\bin, and there are test_gdiplus.exe, test_gdiplus.ilk and test_gdiplus.pdb under the Debug folder.

  3. Then execute the following command in the Debug folder. You need to open test_gdiplus.exe with IDA to view the value of main and ImageBase, so as to determine the value after target_offset. After the command is executed, a log file will be generated, and it ends with "Everything appears to be running normally."
C:\Users\Radon\Desktop\FuzzTools\DynamoRIO\bin64\drrun.exe -c winafl.dll -debug -target_module test_gdiplus.exe -target_offset 0x16C0 -fuzz_iterations 10 -nargs 2 -- test_gdiplus.exe input.bmp

  4. Finally, create a folder called "in" under the Debug folder, put a test case in it, and execute the following command to perform fuzzing. I put a txt file in the "in" folder.
afl-fuzz.exe -i in -o out -D C:\Users\Radon\Desktop\FuzzTools\DynamoRIO\bin64 -t 20000 -- -coverage_module gdiplus.dll -coverage_module WindowsCodecs.dll -fuzz_iterations 5000 -target_module test_gdiplus.exe -target_offset 0x16C0 -nargs 2 -- test_gdiplus.exe @@

Now I want to know how to use instrument.exe in the winafl\bin32 folder to instrument test_static.exe. :(

Radon10043 avatar Aug 20 '20 09:08 Radon10043

@datadancer I haven't solved it yet.

@Radon10043 I tried the procedure you described, but it didn't work. I have tried building in both 32-bit and 64-bit environments. My procedure is as follows:

-- 32 bit build --

mkdir build32
cd build32
cmake -G"Visual Studio 15 2017" .. -DDynamoRIO_DIR=D:\myProject\07_Fuzzing\DynamoRIO-Windows-8.0.0-1\cmake -DINTELPT=1
cmake --build . --config Debug

Go into the created Debug folder.

D:\myProject\07_Fuzzing\DynamoRIO-Windows-8.0.0-1\bin32\drrun.exe -c winafl.dll -debug -target_module test_gdiplus.exe -target_offset 0x8000 -fuzz_iterations 10 -nargs 2 -- test_gdiplus.exe in\not_kitty.bmp
afl-fuzz.exe -i in -o out -P -D D:\myProject\07_Fuzzing\DynamoRIO-Windows-8.0.0-1\bin32 -t 20000+ -- -coverage_module gdiplus.dll -coverage_module WindowsCodecs.dll -fuzz_iterations 5000 -target_module test_gdiplus.exe -target_offset 0x8000 -nargs 2 -- test_gdiplus.exe @@

As a result, "Test case results in a timeout (skipping)" occurred.

-- 64 bit build --

mkdir build64
cd build64
cmake -G"Visual Studio 15 2017 Win64" .. -DDynamoRIO_DIR=D:\myProject\07_Fuzzing\DynamoRIO-Windows-8.0.0-1\cmake -DINTELPT=1
cmake --build . --config Debug

Go into the created Debug folder.

D:\myProject\07_Fuzzing\DynamoRIO-Windows-8.0.0-1\bin64\drrun.exe -c winafl.dll -debug -target_module test_gdiplus.exe -target_offset 0xB000 -fuzz_iterations 10 -nargs 2 -- test_gdiplus.exe input.bmp

As a result, invalid memory access (0xFFFFFFFFFFFFFFFF) occurred.

The same result occurs even if the -DINTELPT=1 option is removed. I'm using the Windows 10 2016 LTSB version and I'm trying it on a desktop PC, not a Virtual Machine. Thank you for helping me.

ambitihyun avatar Aug 21 '20 10:08 ambitihyun

@Radon10043 Thanks to your detailed steps, I can fuzz test_gdiplus.exe now.

@ambitihyun I think the most likely problem is that you set wrong arguments. Please check the arguments -target_offset 0x8000 and -target_offset 0xB000. They seem too large.

datadancer avatar Aug 21 '20 14:08 datadancer
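As an added example (not from this thread or the winafl project): the -target_offset value Radon10043 reads from IDA is the RVA of main, i.e. its address minus ImageBase, and the "too large" offsets datadancer points at would fail a simple check that the RVA lands inside an executable section of the PE. The script below parses the PE headers itself, so it needs no third-party module; the PE bytes are a constructed header-only sample and the main address 0x4016C0 is an assumed IDA value.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics flag

def parse_pe(data):
    """Return (ImageBase, [(name, rva, size, flags), ...]) from raw PE32/PE32+ bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: 4-byte ImageBase at optional-header offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:  # PE32+: 8-byte ImageBase at offset 24 (no BaseOfData)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsec):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, vsize, va, rawsize, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), flags))
    return image_base, sections

def target_offset(image_base, sections, func_va):
    """RVA for -target_offset: the function's address in IDA minus ImageBase, sanity-checked."""
    rva = func_va - image_base
    for name, va, size, flags in sections:
        if va <= rva < va + size:
            if not flags & IMAGE_SCN_MEM_EXECUTE:
                raise ValueError("0x%x lies in non-executable section %s" % (rva, name))
            return rva
    raise ValueError("0x%x lies outside every section (too large, or wrong ImageBase?)" % rva)

def build_sample_pe32(image_base=0x400000):
    """Constructed sample: a header-only PE32 with .text and .data, not a real executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x1000, 0x1000, 0, 0x1000, 0x1000, 0x2000, image_base)
    opt += b"\0" * (224 - len(opt))                                 # pad to SizeOfOptionalHeader
    def sec(name, va, size, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, 0, 0, 0, 0, 0, flags)
    secs = sec(b".text", 0x1000, 0x1000, 0x60000020) + sec(b".data", 0x2000, 0x1000, 0xC0000040)
    return dos + b"PE\0\0" + coff + opt + secs

if __name__ == "__main__":
    base, secs = parse_pe(build_sample_pe32())  # for a real target: parse_pe(open(path, "rb").read())
    print("-target_offset 0x%X" % target_offset(base, secs, 0x4016C0))  # assumed IDA address of main
```

Feed it the real test_gdiplus.exe bytes and the address IDA shows for main to get the value for -target_offset; an offset that lands in .data or outside every section is a sign the ImageBase or build configuration does not match the binary being fuzzed.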