//===- afl_driver.cpp - a glue between AFL and libFuzzer --------*- C++ -* ===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//===----------------------------------------------------------------------===//
/* This file allows to fuzz libFuzzer-style target functions
(LLVMFuzzerTestOneInput) with AFL using AFL's persistent (in-process) mode.
// -----------------------------------------------------
// Common definitions outside Ghidra
// -----------------------------------------------------
// Integer aliases as used by Ghidra's decompiler output, re-declared so the
// decompiled code compiles in a plain C translation unit.
// NOTE(review): `ulong` follows the host's `long` width (64-bit on LP64, 32-bit
// elsewhere); confirm it matches the architecture the code was decompiled from.
typedef unsigned char byte;
typedef long long longlong;
typedef unsigned char uchar;
typedef unsigned int uint;
typedef unsigned long ulong;
// frida-fuzzer harness setup: `target_module` names the library whose PLT is
// hooked (see the comment below).
var fuzz = require("./frida-fuzzer/fuzz");
fuzz.target_module = "libxml2.so.2";
/* Load libdislocator and hook the PLT of the target module. DO NOT hook the
symbols in libc otherwise Frida itself will use the dislocator malloc
and freeze your machine (probably there are memory leaks in the runtime) */
// Allocator symbol names referenced by the PLT hooking described above.
var subs = ["malloc", "calloc", "realloc", "free", "memalign", "posix_memalign"];
// NOTE(review): absolute, machine-specific path to the libdislocator build;
// Module.load fails when the library cannot be loaded, so adjust it per host.
var disloc = Module.load("/home/andrea/AFLplusplus/libdislocator.so");
___ ____ ______ __
/ | / __ \/ ___/ | / /
/ /| |/ / / /\__ \| | / /
/ ___ / /_/ /___/ /| |/ /
/_/__||||||_//____/ |___/__ _____ __ _ __
/ ____/ /_ ___ _____/ /_/ ___// /_ (_) /_
/ / / __ \/ _ \/ ___/ __/\__ \/ __ \/ / __/
/ /___/ / / / __/ /__/ /_ ___/ / / / / / /_
\____/_/ /_/\___/\___/\__//____/_/ /_/_/\__/
// Stalker tuning: a very large event queue and a long drain interval reduce how
// often coverage events are flushed; trustThreshold = 0 trusts compiled blocks
// immediately instead of re-verifying them (see Frida's Stalker docs for the
// exact units of queueDrainInterval).
var STALKER_QUEUE_CAP = 100000000;
var STALKER_QUEUE_DRAIN_INT = 1000*1000;
Stalker.trustThreshold = 0;
Stalker.queueCapacity = STALKER_QUEUE_CAP;
Stalker.queueDrainInterval = STALKER_QUEUE_DRAIN_INT;
// Function under test. NOTE(review): Module.findExportByName returns null when
// the export is absent; a null check before TARGET_FUNCTION is used is advisable
// so a missing export fails early with a clear message.
var TARGET_MODULE = "libnative-lib.so";
var TARGET_FUNCTION = Module.findExportByName(TARGET_MODULE, "target_func");
/*
* Compile with:
*
* gcc -static-libgcc -fPIC -shared -m64 -ffunction-sections -fdata-sections -Wall -Os -pipe -g3 afl_frida_gum_test.c -I . -o afl-frida-gum.so -L. -lfrida-gum -lresolv -ldl -lrt -lm -Wl,--gc-sections,-z,noexecstack -pthread
*/
#include "frida-gum.h"
#include <fcntl.h>
#include <unistd.h>
function startAFLFollow() {
Stalker.follow(Process.getCurrentThreadId(), {
events: {
call: false,
ret: false,
exec: false,
block: false,
compile: true
},
andreafioraldi / neg_syscall_feedback.diff
Last active October 23, 2019 19:07
An example of a domain-specific custom coverage for AFL++ QEMU mode. This patch provides feedback to the fuzzer when the return value of a syscall is negative (i.e. an error occurred).
diff --git a/linux-user/i386/cpu_loop.c b/linux-user/i386/cpu_loop.c
index 51cfa006..510e4cbf 100644
--- a/linux-user/i386/cpu_loop.c
+++ b/linux-user/i386/cpu_loop.c
@@ -80,6 +80,8 @@ static void set_idt(int n, unsigned int dpl)
}
#endif
+#include "../patches/afl-qemu-common.h"
+
andreafioraldi / neg_int_feedback.diff
Last active October 23, 2019 19:05
An example of a domain-specific custom coverage for AFL++ QEMU mode. This patch hooks function calls and gives feedback to the fuzzer if an argument of the function (the first 4 are considered in this naive example) is not a pointer and is a negative integer (either a 32-bit or a 64-bit negative).
diff --git a/accel/tcg/tcg-runtime.c b/accel/tcg/tcg-runtime.c
index d0d44844..d10d51ce 100644
--- a/accel/tcg/tcg-runtime.c
+++ b/accel/tcg/tcg-runtime.c
@@ -167,3 +167,29 @@ void HELPER(exit_atomic)(CPUArchState *env)
{
cpu_loop_exit_atomic(ENV_GET_CPU(env), GETPC());
}
+
+
This:
/* Builds a shell pipeline from `inFile` and runs it through system().
 * Two hazards are visible here: `inFile` is interpolated unescaped into the
 * command line, so if it can be influenced by an untrusted party any shell
 * metacharacters in it are interpreted by the shell; and sprintf() is unbounded,
 * so an `inFile` longer than `cmd` can hold overruns the buffer (its size is not
 * visible in this excerpt). A fork/execv with a fixed argv (no shell), or at
 * minimum snprintf() plus strict validation of `inFile`, avoids both. */
if (*cmd && *inFile) {
sprintf(cmd,
"strings %s | grep '^[0-9a-fA-F]*$' | awk '{ if (length($1) == 72) print; }'",
inFile);
system(cmd);
/* The pipeline's exit status is discarded; exit(0) reports success regardless. */
exit(0);
}