使用winafl的post_library

2021-06-22

有时候程序对文件的格式要求比较高，比如png的头部，这时候目标程序会因为格式不对而不会对我们变异的输入进行处理，这时候可以使用post_library来解决这个问题

编写post_library

直接修改官方给的例子一般就足够了：

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Header that must be present at the beginning of every test case: */

#define HEADER "MAGIC_HEADER"

/* The actual postprocessor routine called by afl-fuzz: */
#ifdef __cplusplus
extern "C" {
#endif
#ifdef _MSC_VER
    __declspec(dllexport)
#endif
    const unsigned char* afl_postprocess(const unsigned char* in_buf,
                                         unsigned int* len) {

      static unsigned char* saved_buf;
      unsigned char* new_buf;

      /* Skip execution altogether for buffers shorter than 6 bytes (just to
         show how it's done). We can trust *len to be sane. */

      if (*len < strlen(HEADER)) return NULL;

      /* Do nothing for buffers that already start with the expected header. */

      if (!memcmp(in_buf, HEADER, strlen(HEADER))) return in_buf;

      /* Allocate memory for new buffer, reusing previous allocation if
         possible. */

      new_buf = realloc(saved_buf, *len);

      /* If we're out of memory, the most graceful thing to do is to return the
         original buffer and give up on modifying it. Let AFL handle OOM on its
         own later on. */

      if (!new_buf) return in_buf;
      saved_buf = new_buf;

      /* Copy the original data to the new location. */

      memcpy(new_buf, in_buf, *len);

      /* Insert the new header. */

      memcpy(new_buf, HEADER, strlen(HEADER));

      /* Return modified buffer. No need to update *len in this particular case,
         as we're not changing it. */

      return new_buf;

    }
#ifdef __cplusplus
}
#endif

这里是把头部改成MAGIC_HEADER

编译

和编译afl-fuzz一样，在afl_post_library里创建一个build目录，cd进去

cmake .. -A Win32 # 指定生成win32版本的
cmake –build . # 编译dll

默认生成的是Debug目录，我们的dll也在Debug目录里：

PS G:\winafl\afl_post_library\build_post\Debug> dir


    目录: G:\winafl\afl_post_library\build_post\Debug


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          2021/7/6     17:42         827392 post_library.dll
-a----          2021/7/6     17:42            761 post_library.exp
-a----          2021/7/6     17:42        2753984 post_library.ilk
-a----          2021/7/6     17:42           1872 post_library.lib
-a----          2021/7/6     17:42        6713344 post_library.pdb

使用

在fuzz的时候，设置下环境变量就行：set AFL_POST_LIBRARY=G:\winafl\afl_post_library\build_post\Debug\post_library.dll

效果如下：

$ xxd .cur_input
00000000: 4d41 4749 435f 4845 4144 4552 4948 4452  MAGIC_HEADERIHDR
00000010: 0000 0020 0000 0020 0803 0000 0044 a48a  ... ... .....D..
00000020: c600 0000 1974 4558 7453 6f66 7477 6172  .....tEXtSoftwar
00000030: 6500 2964 6f62 6520 496d 6167 6552 6561  e.)dobe ImageRea
00000040: 6479 71c9 653c 0000 000f 504c 5445 66cc  dyq.e<....PLTEf.
00000050: ccff ffff 0000 0033 9966 99ff cc3e 4caf  .......3.f...>L.
00000060: 1500 0000 6149 4441 5478 dadc 9331 0ec0  ....aIDATx...1..
00000070: 200c 0393 98ff bfb9 3414 09d4 3a61 61a0   .......4...:aa.
00000080: 37b0 f824 0b0b 4413 44d5 026e c10a 47cc  7..$..D.D..n..G.
00000090: 05a1 e0a7 826f 1708 cfba 54a8 2130 1a6f  .....o....T.!0.o
000000a0: 01f0 9356 b43c 107a 4d20 4cf9 b730 e444  ...V.<.zM L..0.D
000000b0: 4896 4422 4c43 eea9 38f6 c9d5 9b51 6ce5  H.D"LC..8....Ql.
000000c0: f326 5c02 0c00 d266 0335 b0d7 cb9a 0000  .&\....f.5......
000000d0: 0000 4945 4e44 ae42 6082                 ..IEND.B`.

可以看到输入的开头变成了我们的MAGIC_HEADER

参考链接

官方文档：https://github.com/googleprojectzero/winafl/blob/master/afl_post_library/post_library.c