flac binary instrumentation problem #77
Comments
Hi, thanks for the detailed report. Could you first check if any of the following flags make a difference (I suggest trying them separately, not all together):
Thanks for your response. I've tested these flags and found that using
Please see https://github.com/googleprojectzero/TinyInst?tab=readme-ov-file#return-address-patching for more details. Your case is unusual in the sense that, most of the time, when return addresses are an issue, it's because of C++ exceptions, but in that case Are you using a 32- or 64-bit build of flac? You could try switching to the other build to potentially avoid
I am using a 32-bit build of flac. Additionally, this issue (it runs normally using DynamoRIO) also occurred when I fuzzed jp2klib.dll. I used these three flags, but the problem is still there. A detailed description follows. I have now bundled the harness program, DLL file, and test cases for both flac and jp2k in the reply.
For the flac issue:
That is reading the return address from the stack and doing stuff with it, so in this case using For jp2klib.dll, I haven't looked into that yet, but note that I can't run your binaries. Can you provide me with the source code for your harness?
And I believe I know what the issue with jp2klib.dll is: The harness uses Microsoft Detours, which is another instrumentation/hooking library. TinyInst does not support running alongside other instrumentation/hooking libraries, however TinyInst has its own Hook API (see https://github.com/googleprojectzero/TinyInst/blob/master/hook.md) that you could potentially use instead, which will avoid incompatibilities. Specifically, in this case:
With the latest TinyInst commit and using this harness from https://github.com/ronwai/jp2k_fuzz it seems to work, at least on a simple example, but only if target_method gets called after all the DetourAttach/DetourTransactionCommit calls as explained above. Example command line:
For the jp2klib.dll issue, I believe the reason for the issue is Detours. But I rebuilt the harness (also from https://github.com/ronwai/jp2k_fuzz) and winafl (with the latest TinyInst commit), both using a 32-bit build. In this case, I still encountered the crash issue as follows.
Probably the TinyInst version that WinAFL uses needs to be updated. The version you are running does not include the patch from yesterday (the latest version doesn't print the "Relative jump to a differen module in bb" warnings, see 2d9472e
WinAFL just got updated with the latest TinyInst
Description: When I use the following command to perform DynamoRIO instrumentation, everything works fine, but when using TinyInst as the instrumentation mode, there is a crash issue (no crash occurs when executing the seed directly). All information is listed below.
Env:
Command:
litecov.exe -instrument_module flac.exe -target_module flac.exe -target_offset 0xdf70 -nargs 3 -iterations 1 -persist -loop -trace_debug_events -- flac.exe in\sample.flac --force
Output: