
DynamoRIO possible incompatibility

Open MakotoE opened this issue 1 month ago • 3 comments

I tried to compile winafl, but it failed, and I think it is due to incompatibility with DynamoRIO.

PS C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64> cmake -G"Visual Studio 17 2022" -A x64 .. -DDynamoRIO_DIR=C:\Users\MakotoEmura\Documents\fuzz-test\DynamoRIO-Windows-11.90.20395\cmake -DUSE_COLOR=1
CMake Deprecation Warning at CMakeLists.txt:1 (cmake_minimum_required):
  Compatibility with CMake < 3.5 will be removed from a future version of
  CMake.

  Update the VERSION argument <min> value or use a ...<max> suffix to tell
  CMake that the project does not need compatibility with older versions.


-- Selecting Windows SDK version 10.0.26100.0 to target Windows 6.2.9200.
-- The C compiler identification is MSVC 19.44.35220.0
-- The CXX compiler identification is MSVC 19.44.35220.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: C:/Program Files/Microsoft Visual Studio/2022/Community/VC/Tools/MSVC/14.44.35207/bin/Hostx64/x64/cl.exe - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: C:/Program Files/Microsoft Visual Studio/2022/Community/VC/Tools/MSVC/14.44.35207/bin/Hostx64/x64/cl.exe - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done (3.5s)
-- Generating done (0.0s)
-- Build files have been written to: C:/Users/MakotoEmura/Documents/fuzz-test/winafl/build64
PS C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64> cmake --build . --config Release
MSBuild version 17.14.23+b0019275e for .NET Framework

  1>Checking Build System
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  afl-analyze.c
  afl-analyze.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\afl-analyze.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  afl-fuzz.c
  afl-fuzz.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\afl-fuzz.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  afl-showmap.c
  afl-showmap.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\afl-showmap.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  afl-tmin.c
C:\Users\MakotoEmura\Documents\fuzz-test\winafl\afl-tmin.c(493,23): warning C4090: '=': different 'const' qualifiers [C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\afl-tmin.vcxproj]
  afl-tmin.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\afl-tmin.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  custom_net_fuzzer.c
     Creating library C:/Users/MakotoEmura/Documents/fuzz-test/winafl/build64/Release/custom_net_fuzzer.lib and object C:/Users/MakotoEmura/Documents/fuzz-test/winafl/build64/Release/custom_net_fuzzer.exp
  custom_net_fuzzer.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\custom_net_fuzzer.dll
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  custom_winafl_server.c
     Creating library C:/Users/MakotoEmura/Documents/fuzz-test/winafl/build64/Release/custom_winafl_server.lib and object C:/Users/MakotoEmura/Documents/fuzz-test/winafl/build64/Release/custom_winafl_server.exp
  custom_winafl_server.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\custom_winafl_server.dll
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  test.cpp
  test.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\test.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  gdiplus.cpp
  test_gdiplus.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\test_gdiplus.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  test_netmode.cpp
  test_netmode.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\test_netmode.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  test_simple_winsock_client.cpp
  test_servermode.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\test_servermode.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  winafl.c
C:\Users\MakotoEmura\Documents\fuzz-test\winafl\winafl.c(641,21): warning C4311: 'type cast': pointer truncation from 'void *' to 'DWORD' [C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\winafl.vcxproj]
C:\Users\MakotoEmura\Documents\fuzz-test\winafl\winafl.c(642,18): warning C4312: 'type cast': conversion from 'DWORD' to 'void *' of greater size [C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\winafl.vcxproj]
C:\Users\MakotoEmura\Documents\fuzz-test\winafl\winafl.c(648,21): warning C4311: 'type cast': pointer truncation from 'void *' to 'DWORD' [C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\winafl.vcxproj]
C:\Users\MakotoEmura\Documents\fuzz-test\winafl\winafl.c(1000,5): warning C4013: 'DO_NOT_USE_exit_event_USE_drmgr_events_instead' undefined; assuming extern returning int [C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\winafl.vcxproj]
  modules.c
  Generating Code...
     Creating library C:/Users/MakotoEmura/Documents/fuzz-test/winafl/build64/Release/winafl.lib and object C:/Users/MakotoEmura/Documents/fuzz-test/winafl/build64/Release/winafl.exp
winafl.obj : error LNK2019: unresolved external symbol DO_NOT_USE_exit_event_USE_drmgr_events_instead referenced in function dr_client_main [C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\winafl.vcxproj]
C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\winafl.dll : fatal error LNK1120: 1 unresolved externals [C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\winafl.vcxproj]

Here is where DO_NOT_USE_exit_event_USE_drmgr_events_instead is defined. Without knowing how exactly their source code works, my best guess is that dr_unregister_exit_event has been deprecated and it can't be used.

winafl commit: 92311a1df0a8f73d5e5b84a9f3953f281bf4c641
DynamoRIO version: 11.90.20395

Here is winafl.c(1000)

MakotoE avatar Nov 12 '25 00:11 MakotoE

Does it work if you replace dr_register_exit_event with drmgr_register_exit_event here: https://github.com/googleprojectzero/winafl/blob/master/winafl.c#L1000

ifratric avatar Nov 12 '25 08:11 ifratric
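The two posts above identify the cause (newer DynamoRIO headers poison `dr_register_exit_event` so that any remaining use fails at link time with the `DO_NOT_USE_exit_event_USE_drmgr_events_instead` symbol) and the fix (call the drmgr variant instead). The script below is an added example for this thread, not code from WinAFL or DynamoRIO: it finds the deprecated exit-event calls in a client source, rewrites them to the drmgr names, reports each change with its line number, and warns if drmgr functions are used without a visible `drmgr_init()` call. It assumes the replacement names `drmgr_register_exit_event` / `drmgr_unregister_exit_event` and that drmgr must be initialised before its events are registered; `SAMPLE_CLIENT` is a constructed stand-in for a client file, not the thread's winafl.c.

```python
"""Migrate a DynamoRIO client source from the core-API exit-event calls
(dr_register_exit_event / dr_unregister_exit_event) to their drmgr
equivalents, reporting each change and checking that drmgr is initialised.

Constructed example for this thread; not code from WinAFL or DynamoRIO.
Assumptions: the replacement names drmgr_register_exit_event and
drmgr_unregister_exit_event, and that drmgr_init() must be called before
any drmgr_* API is used (re-check against your DynamoRIO release)."""
import re
import sys
from typing import Dict, List, Tuple

# Deprecated core-API name -> drmgr replacement (assumed, see module docstring).
EXIT_EVENT_RENAMES: Dict[str, str] = {
    "dr_register_exit_event": "drmgr_register_exit_event",
    "dr_unregister_exit_event": "drmgr_unregister_exit_event",
}

# Match only a call to the exact deprecated identifier: the negative lookbehind
# stops a longer identifier ending in the same text from being rewritten.
_DEPRECATED_CALL = re.compile(
    r"(?<![A-Za-z0-9_])(dr_(?:un)?register_exit_event)\s*\("
)

Change = Tuple[int, str, str]  # (line number, old name, new name)


def migrate_exit_events(source: str) -> Tuple[str, List[Change]]:
    """Rewrite deprecated exit-event calls; return new source and the changes."""
    changes: List[Change] = []
    rewritten: List[str] = []
    for lineno, line in enumerate(source.splitlines(keepends=True), start=1):
        def _replace(match):
            old = match.group(1)
            new = EXIT_EVENT_RENAMES[old]
            changes.append((lineno, old, new))
            return new + "("
        rewritten.append(_DEPRECATED_CALL.sub(_replace, line))
    return "".join(rewritten), changes


def check_drmgr_init(source: str) -> List[str]:
    """Return warnings for drmgr_* usage without a visible drmgr_init() call."""
    warnings: List[str] = []
    uses_drmgr = re.search(r"\bdrmgr_\w+\s*\(", source) is not None
    has_init = re.search(r"\bdrmgr_init\s*\(", source) is not None
    if uses_drmgr and not has_init:
        warnings.append("drmgr_* API used but no drmgr_init() call found")
    return warnings


# Constructed sample client, modelled on the shape of a dr_client_main that
# still uses the deprecated call (not WinAFL's actual winafl.c).
SAMPLE_CLIENT = """\
#include "dr_api.h"
#include "drmgr.h"

static void event_exit(void) { }

DR_EXPORT void dr_client_main(client_id_t id, int argc, const char *argv[])
{
    drmgr_init();
    dr_register_exit_event(event_exit);    /* poisoned in newer DynamoRIO */
    drmgr_register_exit_event(event_exit); /* already migrated, untouched */
}
"""


def migrate_file(path: str, write: bool = False) -> List[Change]:
    """Migrate one file on disk; only rewrite it when write=True."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated, changes = migrate_exit_events(original)
    for warning in check_drmgr_init(updated):
        print(f"{path}: warning: {warning}")
    for lineno, old, new in changes:
        print(f"{path}:{lineno}: {old} -> {new}")
    if write and changes:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    return changes


if __name__ == "__main__":
    # Usage: python migrate_exit_events.py [--write] winafl.c [more.c ...]
    args = sys.argv[1:]
    do_write = "--write" in args
    for file_path in (a for a in args if a != "--write"):
        migrate_file(file_path, write=do_write)
```

Run it without `--write` first to see the report; on the constructed sample it flags only line 9 and leaves the already-migrated call on line 10 alone. Rebuilding after the rewrite should clear both the C4013 warning and the LNK2019 error shown in the log above, since the poisoned name is no longer referenced.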

Thank you, this replacement fixed the compilation issue. I was able to run drrun.exe -debug with no issue. (It outputs "Everything appears to be running normally.") However, doing the following results in an error:

. "C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\afl-fuzz.exe" `
	-i input `
	-o output `
	-t 1000 `
	-D "C:\Users\MakotoEmura\Documents\fuzz-test\DynamoRIO-Windows-11.90.20418\bin64" `
	-w "C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\winafl.dll" `
	-M fuzz00 `
	-- `
	-target_module eesimdFuzz.exe `
	-target_method Fuzz `
	-nargs 1 `
	-coverage_module eesimdFuzz.exe `
	-fuzz_iterations 1000000 `
	-- '..\x64\Release\eesimdFuzz.exe' `@`@

[+] You have 32 CPU cores with average utilization of 3%.
[+] Try parallel jobs - see afl_docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[+] Process affinity is set to 1.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'input'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...

[-] PROGRAM ABORT : Unexpected result from pipe! expected 'P', instead received 'C'

         Location : run_target(), C:\Users\MakotoEmura\Documents\fuzz-test\winafl\afl-fuzz.c:2920

I'm not sure if this is related to the original issue. I wanted to put that here just in case it is related.

MakotoE avatar Dec 05 '25 03:12 MakotoE

You are most likely encountering a known issue with DynamoRIO instrumentation on Windows 11 after 24H2, see https://github.com/DynamoRIO/dynamorio/issues/7487. Unfortunately little can be done on the WinAFL end until either the DynamoRIO issue is fixed or another workaround is found.

In the meantime, you can use TinyInst instrumentation instead, see https://github.com/googleprojectzero/winafl/blob/master/readme_tinyinst.md for more info. It should work on Windows 11. Note that some flags are slightly different than in DynamoRIO mode.

ifratric avatar Dec 05 '25 16:12 ifratric

You can try this fix https://github.com/DynamoRIO/dynamorio/commit/7241a60cf919f9c9f443fac449e7789107c8b7e2 from @x9090; I've tested it and it works in my environment.

4B5F5F4B avatar Dec 13 '25 09:12 4B5F5F4B