Last active
November 14, 2019 19:39
-
-
Save andreafioraldi/24573aef54909c93797f1c63432fa2fa to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Compile with: | |
| * | |
| * gcc -static-libgcc -fPIC -shared -m64 -ffunction-sections -fdata-sections -Wall -Os -pipe -g3 afl_frida_gum_test.c -I . -o afl-frida-gum.so -L. -lfrida-gum -lresolv -ldl -lrt -lm -Wl,--gc-sections,-z,noexecstack -pthread | |
| */ | |
| #include "frida-gum.h" | |
| #include <fcntl.h> | |
| #include <unistd.h> | |
| typedef struct _ExampleListener ExampleListener; | |
| struct _ExampleListener | |
| { | |
| GObject parent; | |
| guint num_calls; | |
| }; | |
| GumInterceptor * interceptor; | |
| GumInvocationListener * listener; | |
| GumStalker * stalker; | |
| static void example_listener_iface_init (gpointer g_iface, gpointer iface_data); | |
| #define EXAMPLE_TYPE_LISTENER (example_listener_get_type ()) | |
| G_DECLARE_FINAL_TYPE (ExampleListener, example_listener, EXAMPLE, LISTENER, GObject) | |
| G_DEFINE_TYPE_EXTENDED (ExampleListener, | |
| example_listener, | |
| G_TYPE_OBJECT, | |
| 0, | |
| G_IMPLEMENT_INTERFACE (GUM_TYPE_INVOCATION_LISTENER, | |
| example_listener_iface_init)) | |
| void __attribute__((constructor)) afl_frida_init (void) { | |
| gum_init_embedded (); | |
| interceptor = gum_interceptor_obtain (); | |
| listener = g_object_new (EXAMPLE_TYPE_LISTENER, NULL); | |
| gum_interceptor_begin_transaction (interceptor); | |
| gum_interceptor_attach (interceptor, | |
| GSIZE_TO_POINTER (0x00000000004011ff), // adress of test.c main | |
| listener, | |
| NULL); | |
| gum_interceptor_end_transaction (interceptor); | |
| g_print("init\n"); | |
| } | |
| void __attribute__((destructor)) afl_frida_exit(void) { | |
| g_object_unref (listener); | |
| g_object_unref (interceptor); | |
| gum_deinit_embedded (); | |
| } | |
| static void afl_maybe_log (GumCpuContext * cpu_context, | |
| gpointer user_data); | |
| void | |
| transform (GumStalkerIterator * iterator, | |
| GumStalkerWriter * output, | |
| gpointer user_data) { | |
| const cs_insn * insn; | |
| gum_stalker_iterator_next (iterator, &insn); | |
| gum_stalker_iterator_put_callout (iterator, afl_maybe_log, | |
| user_data, NULL); | |
| do | |
| gum_stalker_iterator_keep (iterator); | |
| while (gum_stalker_iterator_next (iterator, &insn)); | |
| } | |
| #define MAP_SIZE 65536 | |
| char dummy[MAP_SIZE]; | |
| char* afl_area_ptr = dummy; | |
| static void | |
| afl_maybe_log (GumCpuContext * cpu_context, | |
| gpointer user_data) { | |
| static uintptr_t prev_loc; | |
| uintptr_t cur_loc = (uintptr_t) cpu_context->rip; | |
| cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); | |
| cur_loc &= MAP_SIZE - 1; | |
| afl_area_ptr[cur_loc ^ prev_loc]++; | |
| prev_loc = cur_loc >> 1; | |
| } | |
| static void | |
| example_listener_on_enter (GumInvocationListener * listener, | |
| GumInvocationContext * ic) | |
| { | |
| //ExampleListener * self = EXAMPLE_LISTENER (listener); | |
| g_print("on_enter\n"); | |
| gum_interceptor_detach (interceptor, listener); | |
| GumStalkerTransformer * transformer = gum_stalker_transformer_make_from_callback(transform, NULL, NULL); | |
| stalker = gum_stalker_new(); | |
| g_print("before follow\n"); | |
| gum_stalker_follow_me(stalker, transformer, NULL); // sink NULL is legal? | |
| g_print("never reached (segfault)"); | |
| return; | |
| } | |
| static void | |
| example_listener_on_leave (GumInvocationListener * listener, | |
| GumInvocationContext * ic) | |
| { | |
| } | |
| static void | |
| example_listener_class_init (ExampleListenerClass * klass) | |
| { | |
| (void) EXAMPLE_IS_LISTENER; | |
| (void) glib_autoptr_cleanup_ExampleListener; | |
| } | |
| static void | |
| example_listener_iface_init (gpointer g_iface, | |
| gpointer iface_data) | |
| { | |
| GumInvocationListenerInterface * iface = g_iface; | |
| iface->on_enter = example_listener_on_enter; | |
| iface->on_leave = example_listener_on_leave; | |
| } | |
| static void | |
| example_listener_init (ExampleListener * self) | |
| { | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| int target_func(char* buf, int size){ | |
| printf("buffer:%p, size:%p\n", buf, size); | |
| switch (buf[0]) | |
| { | |
| case 1: | |
| puts("222"); | |
| if(buf[1]=='\x44'){ | |
| puts("aaaaaaaaaaaaaaaaaaaaa"); | |
| *(char*)(0) = 1; | |
| } | |
| break; | |
| case '\xfe': | |
| // assert(0); | |
| if(buf[4]=='\xf0'){ | |
| puts("xxxiiii"); | |
| } | |
| break; | |
| case 0xff: | |
| if(buf[2]=='\xff'){ | |
| if(buf[1]=='\x44'){ | |
| *(char*)(0xdeadbeef) = 1; | |
| }else{ | |
| puts("kkkkkk"); | |
| } | |
| } | |
| puts("xxxx"); | |
| break; | |
| default: | |
| puts("xxxxxxx"); | |
| break; | |
| } | |
| return 1; | |
| } | |
| int main() { | |
| printf("main\n"); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Inject afl-frida-gum.so with LD_PRELOAD