winafl icon indicating copy to clipboard operation
winafl copied to clipboard
verified publisher icon googleprojectzero

Persistent mode fuzzing with Intel-PT coverage

Open Lopierdis opened this issue 4 years ago • 3 comments

Hello,

I tried creating a project to fuzz in persistent mode (in_app persistent mode) using intel-pt for coverage.

It seems like this is not supported, I added while (__afl_persistent_loop()) to my harness and things seem to go astray.

Here some some details and examples:

This is an example for an harness:

#include "winafl/afl-staticinstr.h"
#include <stdio.h>
#include "Windows.h"

#pragma comment(lib, "user32.lib")

void write_to_log(const char *format, ...)
{
    va_list argptr;
    va_start(argptr, format);
    char output[0x100];
    HANDLE hFile = CreateFile("output.txt", FILE_APPEND_DATA, 0x0, NULL,
                              OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);

    DWORD dwBytesWritten = 0;
    vsprintf(output, format, argptr);
    WriteFile(hFile, output, strlen(output), &dwBytesWritten, NULL);
    CloseHandle(hFile);
    va_end(argptr);
}

typedef struct PACKET_INFO
{
    int a;
    int b;
    int c;
} PACKET_INFO;

void process_packet(PACKET_INFO *packet_info)
{
    write_to_log("Processing packet\n");
    return;
}

void main()
{
    PACKET_INFO packet_info;
    char input[sizeof(packet_info)];

    write_to_log("Harness started\n");
    while (__afl_persistent_loop())
    {
        scanf("%s", input);
        write_to_log("Recevied input: %s\n", input);
        process_packet(&packet_info);
    }
    write_to_log("Harness exiting\n");
}

And this is how I run the fuzzer: afl-fuzz.exe -t 1000+ -i testcases -o findings -P -persistence_mode in_app -- -covtype bb -coverage_module harness.exe -target_module harness.exe -target_method process_packet -fuzz_iterations 10 -- harness.exe I've also tried like this: afl-fuzz.exe -t 1000+ -i testcases -o findings -P -persistence_mode in_app -- -covtype bb -coverage_module harness.exe -target_module harness.exe -target_method main -fuzz_iterations 10 -- harness.exe

I see 2 things happening:

  1. The fuzzer yells cant't sync (The typo is in the fuzzer intself BTW)
  2. The harness is constantly starting and exiting, only receiving input once every 10 iterations.

Lopierdis avatar Mar 15 '21 15:03 Lopierdis

in_app persistent mode is currently not supported with the Intel-PT coverage

ifratric avatar Mar 15 '21 15:03 ifratric

in_app persistent mode is currently not supported with the Intel-PT coverage

So my only options for in app persistent mode coverage guided fuzzing would be with either syzygy or DR?

Lopierdis avatar Mar 15 '21 19:03 Lopierdis

Well, you could also add the support for in app persistent mode in winaflpt.c :-)

ifratric avatar Mar 16 '21 11:03 ifratric