Winafl学习笔记
最近在跟师傅们学习Winafl,也去搜集了一些资料,有了一些自己的理解,就此记录一下。
Winafl是一个运行时插桩工具,可以提高crash的捕获率。
同时也有自己的遗传算法,可以根据代码覆盖程度进行Fuzz
下载winafl
https://github.com/ivanfratric/winafl
下载DynamoRio
https://github.com/DynamoRIO/dynamorio/wiki/Downloads
winafl包里包含源码和编译好的,可以直接使用编译好的,也可以自己去编译。
编译winafl的步骤
For a 32-bit build:
mkdir build32
cd build32
cmake .. -DDynamoRIO_DIR=..\path\to\DynamoRIO\cmake
cmake --build . --config Release
For a 64-bit build:
mkdir build64
cd build64
cmake -G"Visual Studio 10 Win64" .. -DDynamoRIO_DIR=..\path\to\DynamoRIO\cmake
cmake --build . --config Release
//DDynamoRIO_DIR是你下载的DynamoRio的路径
要运行winafl只需要winafl本体+DynamoRio,其中DynamoRio用于提供动态插桩的支持。
使用方式在github的说明中已经给出。注意的是要保证被fuzz程序的同目录下存在winafl.dll
对于程序的输入来说,需要在-i选项下给出输入的文件。并且要最后附加@@
如果要fuzz 64位程序,则winafl和DynamoRIO也要指定为64位的,反之亦然。
下面是对官方readme的部分翻译
4) Using WinAFL --------------- Note: If you are using pre-built binaries you'll need to download DynamoRIO release 6.1.1-3 from https://github.com/DynamoRIO/dynamorio/wiki/Downloads. If you built WinAFL from source, you can use whatever version of DynamoRIO you used to build WinAFL. The command line for afl-fuzz on Windows is different than on Linux. Instead of %s [ afl options ] -- [instrumentation options] -- it now looks like this afl-fuzz [afl options] -- [instrumentation options] -- target_cmd_line The followin afl-fuzz options are supported: -i dir - input directory with test cases -o dir - output directory for fuzzer findings -D dir - directory containing DynamoRIO binaries (drrun, drconfig) -t msec - timeout for each run -f file - location read by the fuzzed program -M \\ -S id - distributed mode -x dir - optional fuzzer dictionary Please refer to the original AFL documentation for more info on these flags. The following instrumentation options are used -covtype - the type of coverage being recorded. Supported options are bb (basic block, default) or edge. -coverage_module - module for which to record coverage. Multiple module flags are supported. -target_module - module which contains the target function to be fuzzed. Either -target_method or -target_offset need to be specified together with this option. -target_method - name of the method to fuzz in persistent mode. A symbol for the method needs to be exported for this to work. Otherwise use -target_offset instead. -target_offset - offset of the method to fuzz from the start of the module. -fuzz_iterations - Maximum nuber of iterations for the target function to run before restarting the target process. -nargs - Number of arguments the fuzzed method takes. This is used to save/restore the arguments between runs. -debug - Debug mode. Does not try to connect to the server. Outputs a log file containing loaded modules, opened files and coverage infrormation. -logdir - specifies in which directory the log file will be written (only to be used with -debug). In general, you should perform the following steps when fuzzing a new target: 0. Make sure your target is running correctly without instrumentations. 1. Open the target binary in WinDbg and locate the function you want to fuzz. Note the offset of the function from the start of the module. For example, if you want to fuzz the main function and happen to have symbols around, you can use the following windbg command: x test!main 2. Make sure that the target is running correctly under DynamoRIO. For this purpose you can use the standalone debug mode of WinAFL client which does not require connecting to afl-fuzz. Make sure you use the drrun.exe and winafl.dll version which corresponds to your target (32 vs. 64 bit). Example command line path\to\DynamoRIO\bin64\drrun.exe -c winafl.dll -debug -target_module test_gdiplus.exe -target_offset 0x1270 -fuzz_iterations 10 -nargs 2 -- test_gdiplus.exe input.bmp You should see the output corresponding to your target function being run 10 times after which the target executable will exit. A .log file should be created in the current directory. The log file contains useful information such as the files and modules loaded by the target as well as the dump of AFL coverage map. In the log you should see pre_fuzz_handler and post_fuzz_handler being run exactly 10 times as well as your input file being open in each iteration. Note the list of loaded modules for setting the -coverage_module flag. Note that you must use the same values for module names as seen in the log file (case sensitive). 3. Now you should be ready to fuzz the target. First, make sure that both afl-fuzz.exe and winafl.dll are in the current directory. As stated earlier, the command line for afl-fuzz on Windows is afl-fuzz [afl options] -- [instrumentation options] -- target_cmd_line Please refer above for the list of supported AFL and instrumentation options. In AFL options, you must specify the DynamoRIO binaries directory via the new -D option. You need to match the DynamoRIO and winafl.dll build (32 vs. 64 bit) to the target binary. -t (timeout) option is mandatory for winafl as execution time can vary significantly under instrumentation so it’s not a good idea to rely on the auto-determined values. You can use the same winafl options as in step 2 but remember to exclude the -debug flag and you'll probably want to increase the iteration count. Note that, unlike linux AFL, in WinAFL the default coverage mode is basic block. This is because in multithreaded (i.e. most real-world) applications every context switch would be interpreted as new coverage even when no new coverage actually occured. If you are confident that all your coverage modules execute only a single thread at a time you can change this by adding -covtype edge to your instrumentation flags. As in afl-fuzz on Linux you can replace the input file param of the target binary with @@ An example command line would look like afl-fuzz.exe -i in -o out -D C:\work\winafl\DynamoRIO\bin64 -t 20000 -- -coverage_module gdiplus.dll -coverage_module WindowsCodecs.dll -fuzz_iterations 5000 -target_module test_gdiplus.exe -target_offset 0x1270 -nargs 2 -- test_gdiplus.exe @@ That’s it. Happy fuzzing! Let me know if you find any bugs.
- -i 测试样本的输入目录
- -o fuzz结果的输出目录
- -D DynamoRIO所处的目录
- -t 每次的运行时间
- -f 被fuzz的进程要读取的文件
- -x 可选fuzzer目录
使用说明
- 首先找出要fuzz的函数基于模块的地址偏移
- 要保证程序可以正常的跑在DynamoRIO下面,可以通过WinAFL的独立调试模式来测试这一点。独立调试模式不会使用fuzz部分(使用-debug选项)
- 要想正常运行,必须要保证afl-fuzz.exe和winafl.dll在同一目录下
- afl-fuzz [afl options] -- [instrumentation options] -- target_cmd_line
- -D选项是必须启用的,用于指定DynamoRIO所处的目录
- -t选项也是必须启用的,由于不同的选项导致的执行效率不同。所以-t的时间应该灵活设置。
- 默认是支持多线程的程序记录的。如果是单线程程序可以使用-covtype edge选项
instrumentation options
- -covtype 设置记录方式,为多线程和单线程程序所使用。bb/edge
- -coverage_module 设置要记录的模块,支持多个模块的记录
- -target_module fuzz目标函数所处的模块,必须要设置-target_method或-target_offset
- -target_method 只有有符号表的情况下才能用的方法,根据符号名去搞
- -target_offset 要fuzz函数的相对模块头的偏移
- -fuzz_iterations 目标函数的最大迭代次数
- -nargs 被fuzz的函数有几个参数?
- -debug 不会连接fuzzer部分,只会输出一个日志文件。包含加载的模块、打开的文件和输出报告。
- -logdir 只在-debug下可用,输出的log文件的位置