* WIP: windows frida
* frida-windows: fix hooks not present on windows
* windows: allow building using cargo xwin
* frida-windows: fmt
* frida-windows: cleanup and allow asan/drcov on windows
* frida-windows: fmt
* frida-windows: fix clippy
* frida-windows: handle unknown exceptions gracefully
* frida-windows: rework shadow mapping algo
* frida-windows: add hook functions
* frida-windows: hook functions; fix stack register
* minibsod: enable for windows
* check_shadow: fix edge cases
* asan_rt: rework and add hooks for windows
* inprocess: add minibsod on windows
* Fix warnings
* minibsod: disable test on windows
* WIP: HookRuntime
* Cleanup after merge
* Bump frida-gum version
* Fix conflict marker; update frida
* Make winsafe windows-specific
* Fmt
* Format
* Better detection of clang++ (using cc)
* Make AsanErrors crate public so we can use it in tests
* Add helper to get immediate of operand
* Use HookRuntime to hook asan functions
Tests now passing
* fmt
* Implement recursive jmp resolve
* Fix reversed logic
* windows_hooks: Don't die if functions are already replaced
* Allow utils to work on windows
* Enable allocator hooking on windows
* Warnings; add trace to free
* Make ASAN tests run windows (with cargo xwin compilation)
* Fmt
* clang-format
* clang-format
* Add more tests
* Fix partial range access bug in unpoisoning/shadow_check
* Merge main
* Fix check_shadow and implement unit tests
* Fix hooking and PC retrieval
* WIP: Working gdiplus fuzzing with frida-ASAN, no false positives
* LibAFL Frida asan_rt and hook_rt fixes for frida_windows (#2095)
* Introduce aarch64
* MacOS fix - MemoryAreas is broken on MacOS and just loops
* Introduce working aarch64 ASAN check
* Implement large blob
* Fix hook_rt for arm64
* Fix poison/unpoison
* Fix shadow check
* Update x86-64
* Fix aarch64 unused import
* Remove extraneous println statement
* merge main
* Fixes
* alloc: add tests, pass the tests
* HookRuntime before AsanRuntime, and don't Asan if Hooked
* hook_rt: Fixes
* Frida windows check shadow fix (#2159)
* Fix check_shadow and add additional tests
* add some additional documentation
* Revert to Interceptor based hooks
* fixes
* format
* Get rid of hook_rt; fixes
* clang-format
* clang-format
* Fix with_threshold
* fixes
* fix build.rs
* fmt
* Fix offset to RDI on stack
* Fix clippy
* Fix build.rs
* clippy
* hook MapViewOfFile
* fmt
* fix
* clippy
* clippy
* Missing brace
* fix
* Clippy
* format
* fix i64 cast
* clippy exclude
* too many lines
* Undo merge fails
* fmt
* move debug print
* Fix some frida things
* Remove unused frida_to_cs fn for aarch64
* name
* Don't touch libafl_qemu
---------
Co-authored-by: Dongjia "toka" Zhang <tokazerkje@outlook.com>
Co-authored-by: Sharad Khanna <sharad@mineo333.dev>
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: Dominik Maier <dmnk@google.com>
* First draft of Asan tests. As of now, unix-only. This is a WIP, as 1) destroying Gum causes a segmentation fault and thus a single test is supported by using a static Gum object. Ideally, this should be fixed and a new Gum instance would be created for each test. 2) 70 identical errors are reported by Asan instead of a single one. Apart from that, the draft fixes a number of errors found in Asan
* Fmt fixes
* PR comments addressed
* Not crashing upon Asan errors while testing
* More PR comments: removing env_logger, renaming harness to test_harness
* Revert "More PR comments: removing env_logger, renaming harness to test_harness"
This reverts commit 2d3494b3f56e0a5ef23566cb9a884e8c57867b57.
* More PR comments: removing env_logger, renaming harness to test_harness
* Checking for clang presence and failing the test if harness not found
* Fmt
* Running multiple Asan tests
* Cpp Fmt
* clang-format
* More clippy complaints and Apple compilation
* Last clippy complaints (ran scripts/clippy.sh)
* Fixing unused MacOS function
* Fixing unused MacOS imports
* Move from gothook to frida-based hooks
* Force link against libc++
* Clippy + cleanup prints
* exclude ranges
* Add back guard pages; Implement libc hooks
* Bump frida-rust version
* Add hooks for mmap/munmap, as per issue #105
* Refactor to get rid of global allocator singleton
* Cleanup imports; Fix free out-of-range; Move to fixed addresses for asan allocations
* use frida-rust from crates.io now that it has caught up
* cargo fmt
* Clippy fixes
* Better clippy fix
* More clippy fix
* Formatting
* Review changes
* frida_asan: Implemented initial asan runtime library
* frida_asan: Switch to hashbrown
* Implemented GOT-based hooking to isolate the hooking of the memory functions. Implemented initial ASAN instrumentation
* WIP: Shadowing all used memory. Currently tracking pages using a BTreeSet. Slow AF!
* Add SigTrap to unix_signals and inprocess
* Working frida-asan, almost no speed degradation.
Currently the shadow check is reversed, so it checks only that the shadow is not 0.
We need to implement sub-8-byte checking.
* Format
* Cleanup and formatting
* Sub-qword and 16-byte checks implemented; Fixed unaligned access to QWORD
* Pass the ucontext_t to signal handlers. Initial regdump on crash
* Fix typo
* Make the context argument a mut ref
* Add missing files; Implement initial reporting
* Refactor out gothook; Move safety checkers to dynasm
* Get rid of const assembly blobs no longer needed
* Move to a handler function instead of using SIGTRAP.
This bloats the transformed code, but doesn't seem to have a major impact on performance.
Also, implemented pretty backtraces and assembly output.
* Formatting
* Get rid of all the pinning crap I wasted my day on, We don't need it
* windows fixes
* ashmem
* ashmem_service: server side ready
* ashmem_service: client side ready. Ready for integration
* ashmem_service: changes to UnixShMem to make it 'threadable'
* ashmem_service: format
* ashmem_service: Undo changes to UnixShMem, make the thread own the AshmemService instead; Fix protocol bug
* ashmem_service: working ashmem service. Fix merge issues
* use the newly released capstone 0.8.0; Fix a nasty bug where the afl_area and pc_pointer were reversed. Changed Vectors to Boxed [u8]
* Implement type detection for reporting; Implement double-free/unallocated free checking
* fmt
* Cleanup code a little
* frida-asan: This is an omnibus commit. Should probably have been a bunch of small commits, but I don't have the time/patience.
- Implemented DrCov support in order to debug a failing harness. This is actually
generic and should be moved out of libafl_frida.
- Implemented LIBAFL_FRIDA_OPTIONS env var to pass options to the frida helper,
to dynamically enable/disable asan and drcov.
- Implemented memory reuse - after each test case the used pages are recycled and
can be reused in the next test case.
- Implemented and tested vectorized instruction instrumentation.
- Implemented not instrumenting atomic load/store instructions. The cost of
trying to emulate their behaviour is too high at the moment.
- Implemented probing of shadow bit to determine the best match for the current
system.
- Implemented shadow memory pre-mapping where it is available. We probe for this
too.
- Implemented ability to specify a list of modules to instrument on the command
line. This allows fine-grained control of which modules are instrumented for
coverage/asan/drcov.
- Implemented unpoisoning of the Input target_bytes in a pre_exec hook.
- Added support for zero-sized allocations. We return 0x10 bytes at the moment.
- Added all known operator new/delete functions to hooks.
- Added workaround for frida_gum_allocate_near bug.
- Cleaned up reporting, added reporting for different error types.
* frida-asan: Implement leak detection
* Fix merge issues
* Rebased on dev to get llmp/shmem changes; Clippy fixes
* Add FridaOptions struct
* Add the Custom ExitKind; Get rid of Clone/PartialEq on ExitKind
* Make it possible to recover from an ASAN error
* Add SIGTRAP to crashing signals
* Add back (conditional) crashing on Asan errors.
* Fix too-large immediates in add instruction
* Implement RcShMemProvider, finally fix the EOP bug
* Clear ASAN_ERRORS before each test
* Fix warnings; Fix review issues
* Cleanup prints
* Add timeout to Frida mode
* Make allocation-/free-site backtraces optional
* CPU Context and backtrace (on android/aarch64 atm) on crash
* Make stalker conditional
* Add metadata to solution, and write metadata files
* Add addresses to backtrace; Add reporting of ASAN stack errors; Fix ASAN reporting bugs
* Remove meaningless backtrace on crash
* Fix the x0, x1 load in report
* use upstream color-backtrace
* use __builtin_thread_pointer instead of custom asm
* Don't unwrap ASAN_ERRORS if it isn't some
* Fix bug where we weren't clearing the drcov basicblocks after each run
* Fix bug where we were dropping an ashmem too soon
* Fix OwnedPtr instead of CPtr
* Fix gettls for all archs
* cfg guards for target arch, disabling Frida-ASAN/-DrCov if not on aarch64
* Cargo fmt
* Only panic in options when asan/drcov are turned on; Merge fixes
* gothook only supported on unix
* Fix gettls on msvc
* Another attempt to fix MSVC gettls
* Fix backtrace use
* nostd fixes; warning fixes
* formatting
* Migrate FridaEdgeCoverageHelper into libafl_frida, and rename to FridaInstrumentationHelper
* Clean up uses
* Move DrCovWriter to libafl_targets
* Refactor DrCovWriter to get a vec of DrCovBasicBlocks; formatting
* Update to newer backtrace which supports android with gimli
* windows fixes
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: andreafioraldi <andreafioraldi@gmail.com>