
hang while dry run

Open jhjeong92 opened this issue 6 years ago • 7 comments

afl-fuzz.exe -i in -o out -D C:\work\winafl\DynamoRIO\bin64 -t 20000 -- -coverage_module gdiplus.dll -coverage_module WindowsCodecs.dll -fuzz_iterations 5000 -target_module test_gdiplus.exe -target_offset 0x1270 -nargs 2 -- test_gdiplus.exe @@

I followed the above command, but it seems to hang. It just hangs after the following log.

[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'input'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...

Specifically, it hangs in ConnectNamedPipe (afl-fuzz.c:2138). I checked that drrun alone works well, but it seems there's some problem connecting the pipe to DR. Any help would be appreciated.

jhjeong92 (Mar 20 '18 07:03)

Could you share more details? OS version? DynamoRIO version? and if possible share your main binary too.

yoava333 (Mar 20 '18 14:03)

OS: Windows 10 Pro, version 1709 (build 16299.309)
DynamoRIO: 6.2.0-2
Binary: test_gdiplus (the prebuilt one from bin64/test_gdiplus)
Attached: test_gdiplus.txt (can't attach the binary directly, so I just changed the extension to txt)

I also found that the prebuilt afl-fuzz (under bin64/) works well, but when I build afl-fuzz myself, it doesn't work.

jhjeong92 (Mar 21 '18 00:03)

Might be that the target offset got changed when you recompiled test_gdiplus.exe. Try it against the prebuilt test_gdiplus.exe from bin64/.

ivanfratric (Mar 21 '18 10:03)

@jhjeong92 Did you manage to run WinAFL?

yoava333 (Mar 24 '18 19:03)

Sorry to revive an issue, but I encountered the exact same problem again on Windows 10. The following is my setup and what I've tried:

Windows 10 Home x64 v1903 Build 10.0.18362.267
Visual Studio 2019 Community
SDK -> 10.0.18362.0

WinAFL Version: 1.16b
DynamoRIO Version: 7.91.18109-0 and 7.1.0-1

Compilation of my own version of WinAFL using DynamoRIO version 7.91.18109-0 works fine; however, when running it using the settings mentioned above I am also running into the same error:

C:\Users\tekwizz123\Downloads\winafl\build64\bin\Release>afl-fuzz.exe -i in -o out -D "C:\Users\tekwizz123\Downloads\DynamoRIO-Windows-7.91.18109-0\bin64" -t 20000 -- -coverage_module gdiplus.dll -coverage_module WindowsCodecs.dll -fuzz_iterations 5000 -debug -target_module test_gdiplus.exe -target_offset 0x16e0 -nargs 2 -- test gdiplus.exe @@
WinAFL 1.16b by <[email protected]>
Based on AFL 2.43b by <[email protected]>
[+] You have 8 CPU cores and 0 runnable tasks (utilization: 0%).
[+] Try parallel jobs - see docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[+] Process affinity is set to 1.

[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'in'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...

[-] The program took more than 20000 ms to process one of the initial test cases.
    Usually, the right thing to do is to relax the -t option - or to delete it
    altogether and allow the fuzzer to auto-calibrate. That said, if you know
    what you are doing and want to simply skip the unruly test cases, append
    '+' at the end of the value passed to -t ('-t 20000+').

[-] PROGRAM ABORT : Test case 'id_000000' results in a timeout
         Location : perform_dry_run(), C:\Users\tekwizz123\Downloads\winafl\afl-fuzz.c:2972


C:\Users\tekwizz123\Downloads\winafl\build64\bin\Release>

Tried going back to simple tests too but no luck:

C:\Users\tekwizz123\Downloads\winafl\build64\bin\Release>C:\Users\tekwizz123\Downloads\DynamoRIO-Windows-7.91.18109-0\bin64\drrun.exe -c winafl.dll -debug -target_module test_gdiplus.exe -target_offset 0x16e0 -fuzz_iterations 10 -nargs 2 -- test_gdiplus.exe "C:\Users\tekwizz123\Downloads\LAND.bmp"

C:\Users\tekwizz123\Downloads\winafl\build64\bin\Release>

Same with prebuilt versions:

C:\Users\tekwizz123\Downloads\winafl\bin64>C:\Users\tekwizz123\Downloads\DynamoRIO-Windows-7.1.0-1\bin64\drrun.exe -c winafl.dll -debug -target_module test_gdiplus.exe -target_offset 0x16e0 -fuzz_iterations 10 -nargs 2 -- test_gdiplus.exe "C:\Users\tekwizz123\Downloads\LAND.bmp"

C:\Users\tekwizz123\Downloads\winafl\bin64>

Note that, as expected, trying to run the precompiled versions with something other than DynamoRIO 7.1.0-1 doesn't work, and trying to run the versions I compiled with anything other than DynamoRIO version 7.91.18109-0 won't work either. Both cases result in DynamoRIO throwing an incompatible API error, so at least I know that part is working as expected.

tekwizz123 (Aug 03 '19 07:08)

I'm seeing the exact same behavior. Loading up the afl-fuzz binary in Visual Studio and putting in a breakpoint (needed to generate /ZI PDBs too), I think it's hanging in OverlappedConnectNamedPipe, specifically on

WaitForSingleObject(overlapped->hEvent, INFINITE)

tjrileywisc (May 04 '20 02:05)

I missed the note about Windows versions on this page when downloading DynamoRIO. After rebuilding with the 8.0.0-1 source on Win 10 1909, I can now run the test_gdiplus example.

tjrileywisc (May 05 '20 02:05)