sslab-gatech / winnie
Winnie is an end-to-end system that makes fuzzing Windows applications easy
License: MIT License
While running the gen_csrss_offsets.py script, I am running into a KeyError for RtlpEnvironLookupTable. I'm not sure why I get this error since the PDBs from the Microsoft server were downloaded correctly.
My configuration is:
Python version - 2.7.18 - 64 bit
Windows Build version - 21343.1000
Hi
Thanks a lot for your source code, really good project
It can beat dynamorio and ...
but when will the harness generator be released?
I'm new to fuzzing and was trying to understand how your fuzzer works. When I try to fuzz 7z (trying to recreate one of the applications mentioned in the paper), I get this error. Can you help me with it?
Also, what did you put in the in folder? I tried using a location and a file I know exists; should I be doing something else?
Hello stong, I found that the std io stream does not work in the harness (the forkserver's child process); I don't know if it is my fault.
Given the module chain AFL<->Forkserver<->Harness, the std io stream works on the AFL console and the Forkserver console, but after the FreeConsole();AllocConsole(); instructions in fork.cpp, nothing appears in the new console, no matter whether it is the printf("I'm the child\n"); in function fork or the printf() in function fuzz_me.
If I can't see anything printed, it's difficult to debug the harness. So how do I get the right output and input FILE descriptors in the harness's console? Or is it only my fault?
Thank you. Hope to get your hint.
---- ADD ----
Sorry to disturb, It's actually my fault. lol
There is an argument -sample in synthesizer.py. If this argument is not included, the encoding below will result in a NoneType judgment and processing will stop when running synthesizer.py (this).
winnie/harnessgen/synthesizer.py
Lines 115 to 117 in b046bce
Lines 650 to 652 in b046bce
I'm trying to fuzz open source JSON parser jq, and the fuzzer will run without crashing, but I get no coverage (new paths). Upon further inspection, I noticed that running a debug build with -debug produces different behavior - the fuzzer crashes shortly after starting, and produces this output:
Forkserver loaded - forkserver mode
Forkserver PID: 6400
afl_pipe: \\.\pipe\afl-forkserver-6400
Timeout: 100000ms
Minidumps (WER): enabled
Processor affinity: 0x600000001 (2027918607 cores)
Will look for minidumps in C:\Users\Leo\AppData\Local\CrashDumps
Loading harness: jq\jq_harness.dll
Waiting for the harness...
Target address: 0x0046BBA0 | Iter address: 0x0046BBA0
Early hooking critical functions...
inlinehook 1
inlinehook 2
will copy 191119464782102528 bytes
stolenCount = 191119482006470180
inlinehook 3
Intercepted call to NtProtectVirtualMemory(FFFFFFFF, 02A6FB00, 00000005, 00000020, 02A6FBF0)
inlinehook done
inlinehook 1
Intercepted call to NtProtectVirtualMemory(FFFFFFFF, 02A6FB00, 00000005, 00000040, 02A6FC2C)
Intercepted call to NtProtectVirtualMemory(FFFFFFFF, 02A6FB00, 00000005, 00000040, 02A6FBF0)
inlinehook 2
will copy 191119464782102528 bytes
stolenCount = 191119482006470180
inlinehook 3
Intercepted call to NtProtectVirtualMemory(FFFFFFFF, 02A6FB00, 00000005, 00000040, 02A6FC2C)
Intercepted call to NtProtectVirtualMemory(FFFFFFFF, 02A6FB00, 00000005, 00000020, 02A6FBF0)
inlinehook done
-> OK!
Connecting to AFL and returning control to main binary!
WOW!!! GUARD_PAGE!!! ExceptionAddress=0046BBA0 ExceptionInformation=0046BBA0
unpacked?
Intercepted call to NtProtectVirtualMemory(FFFFFFFF, 0087F6C4, 00000001, 00000040, 0087F7F0)
Intercepted call to NtProtectVirtualMemory(FFFFFFFF, 0087F6C4, 00000001, 00000020, 0087F7B4)
WOW!!! Early breakpoint!!! 0046BBA0
Reached our target address breakpoint
Intercepted call to NtProtectVirtualMemory(FFFFFFFF, 0087F6C4, 00000001, 00000040, 0087F7F0)
Intercepted call to NtProtectVirtualMemory(FFFFFFFF, 0087F6C4, 00000001, 00000020, 0087F7B4)
Intercepted call to NtProtectVirtualMemory(FFFFFFFF, 0087F5D0, 00000005, 00000040, 0087F6FC)
Intercepted call to NtProtectVirtualMemory(FFFFFFFF, 0087F5D0, 00000005, 00000020, 0087F6C0)
Target hook reached!
Unhooking early critical functions...
Intercepted call to NtProtectVirtualMemory(FFFFFFFF, 0087EBE0, 00000005, 00000040, 0087ED0C)
inlineunhook done
inlineunhook done
-> OK!
Installing 12003 breakpoints, this might take a while.....
Installed 12003 breakpoints
Okay, spinning up the forkserver now.
TRACE: Fuzzer asked me to create new child
Child pid: 2068
TRACE: Fuzzer asked me to resume the child
Unexpected suspend count 2: 997
Press enter to exit
It looks like something is causing the value of stolenCount to be incorrect. I've attached the binary, harness, input, and basic block list. This bug also appears to happen with two other binaries (smpdf and IrFanView - I can provide harnesses and bbfiles for those too if needed).
jq.zip
The command line I'm using is:
afl-fuzz.exe -d -i jq\in -o ..\results\jq\winnie -t 100000 -I 100000 -- -bbfile jq\bblist_jq.bb -- -harness jq\jq_harness.dll -debug -- jq\jq.exe . @@
PS D:\2022\final\Winnie\winnie\harnessgen\lib\pin> .\pin.exe -t D:\2022\final\Winnie\winnie\harnessgen\lib\pin\source\tools\Tracer\Release\Tracer.dll -logdir "cor1_1" -trace_mode "all" -only_to_target "toy_example.exe" -only_to_lib "example_library.dll" -- D:\2022\final\Winnie\winnie\samples\toy_example\Release\toy_example.exe input.txt
example_library loaded at 545F0000
msg:hello world
Error 1
Result: 0
Is this the final version of the code? I took a rough look at the code and didn't find where some functions are implemented, such as
And I don't understand how the LCA results are used to guide the generation of the harness, and how to pass the seed when the APIs parameters do not contain the sample name. Maybe some complete examples would be very helpful :)
By the way, although "WINNIE's harness generator focuses testing shared libraries", many of the 59 harnesses target the executable. I am very interested in how to apply harnessgen to the main executable.
You should use pip2.7.exe install construct pefile==2018.8.8. Otherwise the following error happens:
ERROR: Command errored out with exit status 1:
command: 'c:\python27\python.exe' -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'c:\\users\\synsyn\\appdata\\local\\temp\\pip-install-n0hm2c\\pefile\\setup.py'"'"'; __file__='"'"'c:\\users\\synsyn\\appdata\\local\\temp\\pip-install-n0hm2c\\pefile\\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base 'c:\users\synsyn\appdata\local\temp\pip-pip-egg-info-ieylya'
cwd: c:\users\synsyn\appdata\local\temp\pip-install-n0hm2c\pefile\
Complete output (12 lines):
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "c:\users\synsyn\appdata\local\temp\pip-install-n0hm2c\pefile\setup.py", line 86, in <module>
long_description = "\n".join(_read_doc().split('\n')),
File "c:\users\synsyn\appdata\local\temp\pip-install-n0hm2c\pefile\setup.py", line 30, in _read_doc
tree = ast.parse(f.read())
File "c:\python27\lib\ast.py", line 37, in parse
return compile(source, filename, mode, PyCF_ONLY_AST)
File "<unknown>", line 3789
f'Export directory contains more than 10 repeated entries '
^
SyntaxError: invalid syntax
----------------------------------------
ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
Hello,
there is a suggestion to add some modern emulators Unicorn 2.0 and Bochs Emulator. A couple of examples of available projects can be found here:
https://github.com/nccgroup/TriforceAFL
https://github.com/tigerpuma/Afl_unicorn
https://github.com/AFLplusplus/AFLplusplus
Thanks!
Regards
hi thanks for sharing this cooool fuzzer.
by the way, i got an error while running toy_example.
Winnie 1.00 -- Forkserver-based Windows fuzzer
Based on WinAFL 1.16b and AFL 2.43b
[+] You have 8 CPU cores and 1 runnable tasks (utilization: 13%).
[+] Try parallel jobs - see docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'in'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Using fullspeed (fault-based) instrumentation.
[*] Attempting dry run with 'id_000000'...
[*] Debug mode enabled
cmd: toy_example.exe out\.cur_input
PEB=0x00000000002FD000, Base address=0x0000000140000000
Binname: toy_example.exe, OEP: 000000000000100F
Entrypoint = 000000014000100F
Entrypoint trap hit, injecting the dll now!
PID is 1520
Pipe name: \\.\pipe\afl-forkserver-1520
Injecting E:\winnie\run\forkserver.dll
TRACE: LoadLibraryA = 0x00007FFE18BDEB60
Forkserver dll injected, base address = 00007FFDDB420000
fuzzer_settings offset = 002a7190, call_target offset = 000bc6ec
fuzzer_settings = 00007FFDDB6C7190, forkserver_state = 00007FFDDB6C73C0, call target = 00007FFDDB4DC6EC
Found module: [example_library.dll]
Total: 262, visited; 0
Connecting to forkserver...
Connected to forkserver
Ok, the forkserver is ready. Resuming the main thread now.
Entrypoint: 000000014000100F | OEP stolen bytes: e9 b8
VirtualProtectEx : temporarily removed guard page on entrypoint
[!] WARNING: Lost connection to the forkserver (broken pipe), failed to read forkserver result
[-] PROGRAM ABORT : Unable to execute target application ('toy_example.exe')
Location : perform_dry_run(), E:\winnie\afl-fuzz\afl-fuzz.c:2663
NULL
The harness example included in the README is as follows:
#include <stdio.h>
...
typedef int (__stdcall *IDP_Init_func_t)(int);
typedef int (__stdcall *IDP_GetPlugInInfo_func_t)(int);
...
void fuzz_me(char* filename){
IDP_Init_func_t IDP_Init_func;
IDP_GetPlugInInfo_func_t IDP_GetPlugInInfo_func;
...
/* Harness function #0 */
int* c0_a0 = (int*) calloc (4096, sizeof(int));
LOAD_FUNC(dlllib, IDP_Init);
int IDP_Init_ret = IDP_Init_func(&c0_a0);
dbg_printf("IDP_Init, ret = %d\n", IDP_Init_ret);
/* Harness function #1 */
int* c1_a0 = (int*) calloc (4096, sizeof(int));
LOAD_FUNC(dlllib, IDP_GetPlugInInfo);
int IDP_GetPlugInInfo_ret = IDP_GetPlugInInfo_func(&c1_a0);
dbg_printf("IDP_GetPlugInInfo, ret = %d\n", IDP_GetPlugInInfo_ret);
...
/* Harness function #66 */
int* c66_a0 = (int*) calloc (4096, sizeof(int));
LOAD_FUNC(dlllib, IDP_CloseImage);
int IDP_CloseImage_ret = IDP_CloseImage_func(&c66_a0);
dbg_printf("IDP_CloseImage, ret = %d\n", IDP_CloseImage_ret);
}
int main(int argc, char ** argv)
{
if (argc < 2) {
printf("Usage %s: <input file>\n", argv[0]);
printf(" e.g., harness.exe input\n");
exit(1);
}
dlllib = LoadLibraryA("%s");
if (dlllib == NULL){
dbg_printf("failed to load library, gle = %d\n", GetLastError());
exit(1);
}
char * filename = argv[1];
fuzz_me(filename);
return 0;
}
Questions:
1. The LoadLibraryA call does not accept any DLL name as input. Then how would the corresponding library be loaded?
2. The filename passed to the fuzz_me method is never read. Then how would it feed input to the API calls? The broader question is how the input read from the file flows to the APIs.
3. The IDP_Init method accepts an int argument. However, a pointer to an integer array was passed during invocation. Is that intended?
4. afl-fuzz expects a DLL as harness (-harness harness.dll), while the example above is likely to generate a standalone executable that does not even conform to the harness API. Can you explain?
When calling the serialize method, each function is decided to be either stdcall or cdecl as the calling convention.
I think there is fastcall, for example, other than stdcall and cdecl, but what is the intention?
winnie/harnessgen/util/ida_func_type.py
Line 20 in b046bce
Thanks
Is there anybody who can point me to how to correctly use the IDAPython script scripts/ida_basic_blocks.py or the scripts for Ghidra to generate the basicblocks.bb file? Or give me a sample of what is inside a basic blocks file?
Hello, stong.
Thank you for your sharing.
In your paper, you said you enumerate all relevant handles and manually mark them inheritable. And in your code, there is function MarkAllHandles(). But there seems to be no function called MarkAllHandles() to mark all relevant handles inheritable.
On the other hand, in function NtCreateUserProcess, there is a flag PROCESS_CREATE_FLAGS_INHERIT_HANDLES. Can I regard that this flag will make the child process inherit handles automatically?
While using "Harness Generator", the synthesizer.py script needs a START_FUNCTION parameter. Where do I find this function? Is it generated automatically or does it need manual effort?
Hello, since I am new to fuzzing, can you give me more details about harness generation? And I don't know how I can get the harness.dll?
(afl-fuzz -i in -o out -t 1000 -I 1000 -- -bbfile basicblocks.bb -- -harness harness.dll -no_minidumps -- toy_example.exe @@)
Thank you very much!
Hi, i want to use winnie but i have to fuzz my own application (C#)
CMD Used: afl-fuzz -i in -o out -t 1000 -I 1000 -- -bbfile basicblocks.bb -- -harness harness.dll -no_minidumps -- E2E ATM Applications Launcher.exe @@
-debug option returns:
Microsoft Windows [Version 10.0.19045.3324]
(c) Microsoft Corporation. All rights reserved.
C:\Users\shehroz.munir\Desktop\Testing\winnie-master\x64\Release>afl-fuzz -i in -o out -t 1000 -I 1000 -- -bbfile basicblocks.bb -- -harness harness.dll -no_minidumps -- E2E ATM Applications Launcher.exe @@
Winnie 1.00 -- Forkserver-based Windows fuzzer
Based on WinAFL 1.16b and AFL 2.43b
[+] You have 8 CPU cores and 1 runnable tasks (utilization: 12%).
[+] Try parallel jobs - see docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #7.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'in'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Using fullspeed (fault-based) instrumentation.
[*] Attempting dry run with 'id_000000'...
[-] PROGRAM ABORT : Invalid handle when map PE file
Location : map_pe_file(), C:\Users\shehroz.munir\Desktop\Testing\winnie-master\afl-fuzz\process.c:162
I have been able to generate a harness for the samples\toy_example, which looks similar to the harness in the example. However, in addition to the issues pointed out in #56, the generated harness is not compilable, and does not quite make sense (to me). The relevant part of the code is as follows:
typedef __int64 (__cdecl *test_func_t)(void *);
void fuzz_me(char* filename){
test_func_t test_func;
/* Harness function #0 */
void c0_a0 = 0x4424b0;
LOAD_FUNC(dlllib, test);
__int64 test_ret = test_func(&c0_a0);
dbg_printf("test, ret = %d\n", test_ret);
}
It is apparent from the signature that the test method accepts a void pointer, which should point to a valid/allocated/initialized buffer (bag of bytes). During invocation, the harness tries to set c0_a0 to the integer 0x4424b0, which the compiler refuses to compile. I can cast (hand-fix) it as follows: void* c0_a0 = (void*) 0x4424b0;, which shuts up the compiler. However, in that case, we end up passing an uninitialized pointer, which, I believe, is not what we would like to do. Any insights would be appreciated.
I'm trying to use harnessgen. But if I use pin.exe with the "all" option it can't make a memdump even with Administrator permission. Do you know the general reason for this problem?
Hey guys, looking for help with the harness generator. I was able to get pin.exe to do all the tracing and give dumps, but when I go to run synthesizer.py I get the below. The example doc shows that -s requires a start function parameter, but both memory addresses and function names seem to fail. One address I gave it moved execution to a different spot (second trace) but that also failed. Any idea if it's a code problem or a user error?
Command Line is: python .\synthesizer.py harness -t C:\Users\Guardian\Downloads\pin-3.13-98189-g60a6ef199-msvc-windows\cor1_1\drltrace.25380.log -d C:\Users\Guardian\Downloads\pin-3.13-98189-g60a6ef199-msvc-windows\cor1_1\memdump
Traceback (most recent call last):
File "C:\Users\Guardian\winnie\harnessgen\synthesizer.py", line 147, in <module>
main()
File "C:\Users\Guardian\winnie\harnessgen\synthesizer.py", line 135, in main
syn = SingleSynthesizer(args.trace_file, args.dump_dir,
File "C:\Users\Guardian\winnie\harnessgen\common.py", line 480, in __init__
self.defined_types, self.defined_funcs = self.typedef()
File "C:\Users\Guardian\winnie\harnessgen\common.py", line 513, in typedef
assert mod
AssertionError
Traceback (most recent call last):
File "C:\Users\Guardian\winnie\harnessgen\synthesizer.py", line 147, in <module>
main()
File "C:\Users\Guardian\winnie\harnessgen\synthesizer.py", line 135, in main
syn = SingleSynthesizer(args.trace_file, args.dump_dir,
File "C:\Users\Guardian\winnie\harnessgen\common.py", line 474, in __init__
self.start_cid, self.trace_tid = ret_start_point(self.trace_pn, self.start_func.encode())
File "C:\Users\Guardian\winnie\harnessgen\common.py", line 37, in ret_start_point
raise Exception("Cannot find the starting function from the trace file")
Exception: Cannot find the starting function from the trace file
first, thank you for your hard work for making this tool! it will help a lot and save a lot of time for others :)
second, i'm a newbie in fuzzing and i would like to learn more to use winnie. i did read the walkthrough and papers but i'm having trouble compiling the project from the sources.
is it possible to give the steps on how to do it? because it's my first time using visual studio so i'm not used to it and i'm doing my best to learn.
again thank you for the hard work! and i hope to see videos in the future for this tool :)
I am trying to figure out why my target program crashes when running with winnie. I would like to debug winnie using visual studio but it fails to inject the forkserver dll when doing so. I set afl-fuzz as the startup project.
Not sure if related but FindModule in process.c does not seem to receive a valid process handle.
BOOL ok = GetProcessImageFileNameA(hProcess, processName, 256);
fprintf(stderr, "%s", processName);
I added this piece of code in FindModule and it works fine when running afl-fuzz, but not under a debugger.
Any advice on how to debug winnie?
Or on how to debug a target process that crashes only under winnie?
Hi, i want to use winnie but i have an error following the walkthrough for the toy_example sample.
CMD Used: afl-fuzz -i in -o out -t 1000 -I 1000 -- -bbfile basicblocks.bb -- -harness harness.dll -no_minidumps -debug -- toy_example.exe @@
-debug option returns:
Winnie 1.00 -- Forkserver-based Windows fuzzer
Based on WinAFL 1.16b and AFL 2.43b
[+] You have 4 CPU cores and 2 runnable tasks (utilization: 50%).
[+] Try parallel jobs - see docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'in'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Using fullspeed (fault-based) instrumentation.
[*] Attempting dry run with 'id_000000'...
[*] Debug mode enabled
cmd: toy_example.exe out\.cur_input
PEB=0x000000000021D000, Base address=0x0000000000030000
Binname: toy_example.exe, OEP: 0000000000001435
Entrypoint = 0000000000031435
[-] PROGRAM ABORT : Entrypoint trap trimed out: the forkserver injection failed, or the target process never reached its entrypoint.
Location : spawn_child_with_injection(), D:\WORK\codes\winnie\afl-fuzz\forkserver.c:448
BB File generated with IDA Pro 7.5 using the script provided
Compilation of Winnie and the toy example:
Windows 10 19044.1526
CSRSS Offsets generated successfully
Used Visual Studio 2019
Used SDK 10.0.22000
Used MSVC v142
No errors during compilation
I've tried to disable windows binary protections from settings but nothing.
Thanks and Regards!
The project is amazing!
Are there any examples from HarnessGen?
For those of you using Windows 11, it seems that @khang06 has a fork where he's added support for Windows 11.
https://github.com/khang06/winnie
Note that this is a separate fork, which Jinho and I (the original authors) do not maintain, but I'm putting it here in case anyone finds it helpful. Also note that I haven't tested his fork at all.
I currently do not have a Windows 11 machine to test on, but should there be enough interest in this, (or if a PR is submitted), I'll set one up and review.
Hello,
I'm trying to get your project working with full-speed instrumentation, but I don't have an IDA license, so I wrote my own script using the Ghidra API to generate a list of basic blocks. I believe my script works correctly (I can see in a debugger that the 0xCCs appear to be in the right places while the fuzzer is running), but for some reason I'm not getting any crashes or new paths after following the directions for toy_example.exe. My script, toy_example binary, and script output are attached. I would be interested to see what output the original IDA script produces for my binary.
ghidra_bb_example.zip
Hi
I tried to run one-trace against toy_example.exe.
(In the following script, absolute paths were used in practice.)
ref. https://github.com/sslab-gatech/winnie/tree/master/harnessgen#one-trace
$ pin.exe -t \path\to\tools\Tracer\x64\Debug\Tracer.dll -logfile "\path\to\cor1_1" -trace_mode "all" -only_to_target "\path\to\toy_example.exe " -only_to_lib "\path\to\example_library.dll " -- path\to\toy_example.exe "test.txt"
example_library loaded at 00007FFE21880000
msg:Hello, World!
Error 1
Result: 0
The contents of the test.txt are as follows:
Hello, World!
In this case, this script doesn't emit a memdump, so I made an empty memdump file.
$ touch memdump
The contents of the drltrace.PID.log are as follows:
CHECKING MODULE...
TARGET MODULE START ADDR:0x140000000
TARGET MODULE END ADDR: 0x14000f000 ? ??:0
==
Module Table: version 4, count 14
0 , 0 , 0x40000000, 0x4000f000, 0x80001145, 0000000000000000, 0x00000000, 0x00000000, C:\path\to\winnie\harnessgen\lib\pin\toy_example.exe
1 , 1 , 0x2d5f0000, 0x2d8b8000, 0x5abf0710, 0000000000000000, 0x00000000, 0x00000000, C:\Windows\System32\KERNELBASE.dll
2 , 2 , 0x2f980000, 0x2fa3e000, 0x5f3170d0, 0000000000000000, 0x00000000, 0x00000000, C:\Windows\System32\KERNEL32.DLL
3 , 3 , 0x2fc30000, 0x2fe25000, 0x2fc30000, 0000000000000000, 0x00000000, 0x00000000, C:\Windows\SYSTEM32\ntdll.dll
4 , 4 , 0x2d8c0000, 0x2d9c0000, 0x5b196110, 0000000000000000, 0x00000000, 0x00000000, C:\Windows\System32\ucrtbase.dll
5 , 5 , 0x204b0000, 0x204cb000, 0x4096fe30, 0000000000000000, 0x00000000, 0x00000000, C:\Windows\SYSTEM32\VCRUNTIME140.dll
6 , 6 , 0x00000000, 0x00085000, 0x0003f6bc, 0000000000000000, 0x00000000, 0x00000000, C:\vendor\conemu-maximus5\ConEmu\ConEmuHk64.dll
7 , 7 , 0x2e7b0000, 0x2e950000, 0x5cf77f30, 0000000000000000, 0x00000000, 0x00000000, C:\Windows\System32\USER32.dll
8 , 8 , 0x2d9c0000, 0x2d9e2000, 0x2d9c0000, 0000000000000000, 0x00000000, 0x00000000, C:\Windows\System32\win32u.dll
9 , 9 , 0x2f950000, 0x2f97b000, 0x5f2a48d0, 0000000000000000, 0x00000000, 0x00000000, C:\Windows\System32\GDI32.dll
10 , 10 , 0x2da90000, 0x2db9d000, 0x5b550af0, 0000000000000000, 0x00000000, 0x00000000, C:\Windows\System32\gdi32full.dll
11 , 11 , 0x2d9f0000, 0x2da8d000, 0x5b3f5390, 0000000000000000, 0x00000000, 0x00000000, C:\Windows\System32\msvcp_win.dll
12 , 12 , 0x2f1e0000, 0x2f210000, 0x5e3c14d0, 0000000000000000, 0x00000000, 0x00000000, C:\Windows\System32\IMM32.DLL
13 , 13 , 0x21880000, 0x21888000, 0x43101540, 0000000000000000, 0x00000000, 0x00000000, C:\path\to\winnie\harnessgen\lib\pin\example_library.dll
The following is the result of running synthesizer.py against "C:\Windows\System32\KERNELBASE.dll".
$ python3 synthesizer.py harness -t drltrace.PID.log -d memdump -s "C:\Windows\System32\KERNELBASE.dll"
Traceback (most recent call last):
File "C:\path\to\winnie\harnessgen\synthesizer.py", line 147, in <module>
main()
File "C:\path\to\winnie\harnessgen\synthesizer.py", line 135, in main
syn = SingleSynthesizer(args.trace_file, args.dump_dir,
File "C:\path\to\winnie\harnessgen\common.py", line 472, in __init__
self.start_cid, self.trace_tid = ret_start_point(self.trace_pn, self.start_func.encode())
File "C:\path\to\winnie\harnessgen\common.py", line 33, in ret_start_point
cid = int(line.split(b"CALLID[")[1].split(b"]")[0])
IndexError: list index out of range
exit status 1
Lines 23 to 37 in b046bce
The ret_start_point method should return cid and tid, but where are the cid and tid in this drltrace.PID.log?
1 , 1 , 0x2d5f0000, 0x2d8b8000, 0x5abf0710, 0000000000000000, 0x00000000, 0x00000000, C:\Windows\System32\KERNELBASE.dll
If there is any incorrect use of the above, please let us know.
Thanks.
synthesizer.py is unable to find START_FUNCTION in the generated trace file. What is the best possible solution, and where could the error in the implementation be?
First of all: awesome project!
I just hacked a PDF library with 280k BPs into the harness. It seems to work; I get increasing coverage for the fuzz cases. But every time after around 260-280 executions the pipe crashes at Line 637 in 8d71e91. GetLastError() returns 0x06, which indicates that the handle to the named pipe is no longer valid.
Output with -debug for the afl-fuzz process during init:
[*] Attempting dry run with 'id_000002'...
[*] Debug mode enabled
cmd: toy_example.exe C:\Users\localadmin\Downloads\winnie\Win32\Release\current.pdf
PEB=0x003AD000, Base address=0x00400000
Binname: toy_example.exe, OEP: 00001428
Entrypoint = 00401428
Entrypoint trap hit, injecting the dll now!
PID is 4716
Pipe name: \\.\pipe\afl-forkserver-4716
Injecting c:\Users\localadmin\Downloads\winnie\Win32\Release\forkserver.dll
Forkserver dll injected, base address = 6E680000
fuzzer_settings offset = 00047ca0, call_target offset = 00003520
fuzzer_settings = 6E6C7CA0, forkserver_state = 6E6C7C9C, call target = 6E683520
Found module: [pdf2dl.dll]
Total: 282460, visited; 12371
Connecting to forkserver...
Connected to forkserver
Ok, the forkserver is ready. Resuming the main thread now.
Entrypoint: 00401428 | OEP stolen bytes: e8 c4
VirtualProtectEx : temporarily removed guard page on entrypoint
Child result 0
len = 16388, map size = 533, exec speed = 10719841 us
[+] All test cases processed.
Output with AFL_SAME_CONSOLE set:
Winnie 1.00 (WinAFL 1.16b, AFL 2.43b) (toy_example.exe)
+- process timing -------------------------------------+- overall results ----+
| run time : 0 days, 0 hrs, 2 min, 33 sec | cycles done : 0 |
| last new path : none seen yet | total paths : 3 |
| last uniq crash : none seen yet | uniq crashes : 0 |
| last uniq hang : none seen yet | uniq hangs : 0 |
+- cycle progress --------------------+- map coverage -+----------------------+
| now processing : 0 (0.00%) | map density : 2.21% / 2.53% |
| paths timed out : 0 (0.00%) | count coverage : 16689/282460 bbs hit |
+- stage progress --------------------+ findings in depth --------------------+
| now trying : trim 64\64 | favored paths : 3 (100.00%) |
| stage execs : 44/244 (18.03%) | new edges on : 3 (100.00%) |
| total execs : 276 | total crashes : 0 (0 unique) |
| exec speed : 11.81/sec (zzzz...) | total tmouts : 0 (0 unique) |
+- fuzzing strategy yields -----------+---------------+- path geometry -------+
| bit flips : 0/0, 0/0, 0/0 | levels : 1 |
| byte flips : 0/0, 0/0, 0/0 | pending : 3 |
| arithmetics : 0/0, 0/0, 0/0 | pend fav : 3 |
| known ints : 0/0, 0/0, 0/0 | own finds : 0 |
| dictionary : 0/0, 0/0, 0/0 | imported : n/a |
| havoc : 0/0, 0/0 | stability : 100.00% |
| trim : n/a, n/a +-----------------------+
Child pid: 10044--------------------------------------+ [cpu: 66%]
Child result: 1
Child fate: 1
Child pid: 4372
Child result: 1
Child fate: 1
Child pid: 10132
Child result: 1
Child fate: 1
Child pid: 10124
Child result: 1
Child fate: 1
Child pid: 2340
Child result: 1
Child fate: 1
Child pid: 10148
Child result: 1
Child fate: 1
Child pid: 10184
Child result: 1
Child fate: 1
Child pid: 10172
Child has new coverage: 5d1517ee
* pdf2dl.dll+001117EE
Child has new coverage: 5d151803
* pdf2dl.dll+00111803
Child has new coverage: 5d151805
* pdf2dl.dll+00111805
Child has new coverage: 5d15181c
* pdf2dl.dll+0011181C
Child has new coverage: 5d1b813f
* pdf2dl.dll+0017813F
Child has new coverage: 5d1b6a1a
* pdf2dl.dll+00176A1A
Child result: 1
Child fate: 1
[!] WARNING: Broken forkserver pipe, WriteFile. nWritten: 0 sizeof(forkserverRequest): 8 LastError: 6
[-] PROGRAM ABORT : Unable to execute target application
Location : fuzz_one(), c:\Users\localadmin\Downloads\winnie\afl-fuzz\afl-fuzz.c:4857
Any idea how to debug this issue further?
EDIT: Command line in case it helps:
afl-fuzz -f C:\Users\localadmin\Downloads\winnie\Win32\Release\current.pdf -i inpdf -o out -t 1000 -I 100000 -- -bbfile basicblocks_pdf2dl.bb -- -harness harness.dll -debug -- toy_example.exe @@
when your source code will be released?
I am looking forward to see your winnie fuzzer in detail.
Thanks.