No expected output when using standalone debug mode of WinAFL client


steppanovva

Jun 5, 2024, 12:19:40 PM
to DynamoRIO Users

Greetings,

Ran into a problem and unfortunately have no idea what the error is. Any help to resolve this issue would be greatly appreciated.

I am attaching test.cpp source code and afl.target.exe.22576.0000.proc log file. Found the required target_offset using WinDbg.

1. Description

  1. DynamoRIO version: DynamoRIO-Windows-10.0.0 (x64)
  2. System: Windows 10-2009 x64
  3. WinAFL version: 1.17 based on AFL 2.43b
  4. Application: simple program that reads a number from a file, creates an array with size equal to that number and prints it.
  5. Steps to reproduce:
    • Download and extract DynamoRIO
    • Compile target program: g++ test.cpp -o target
      g++ version is 12.2.0
    • Run command
      C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0\bin64\drrun.exe -c ..\winafl.dll -debug -target_module target.exe -target_offset 0x1a60 -fuzz_iterations 10 -nargs 2 -- target.exe .\input\1


2. Output

None

3. Expected output - 10 times text below (due to fuzz_iterations option = 10):

call target_function
File is open
File is closed
Size is read: 4
Array is filled
0 1 2 3
Array should be printed here
Array deleted

4. Log file output afl.target.exe.22576.0000.proc

Module loaded, dynamorio.dll
Module loaded, winafl.dll
Module loaded, drx.dll
Module loaded, drreg.dll
Module loaded, drmgr.dll
Module loaded, drwrap.dll
Module loaded, target.exe
Module loaded, libstdc++-6.dll
Module loaded, libgcc_s_seh-1.dll
Module loaded, libwinpthread-1.dll
Module loaded, KERNELBASE.dll
Module loaded, ucrtbase.dll
Module loaded, KERNEL32.dll
Module loaded, ntdll.dll
Module loaded, msvcrt.dll
Module loaded, RPCRT4.dll
Module loaded, bcrypt.dll
Module loaded, SECHOST.dll
Module loaded, ADVAPI32.dll
Module loaded, WTSAPI32.dll
Module loaded, siph64.dll
Module loaded, AppCore.dll
Module loaded, PluginAPI64.dll
Module loaded, SIHLib64.dll
In OpenFileW, reading \\.\{6BBFB4A2-B809-4194-8ED1-C0DA5D6B7429}
Module loaded, msvcp_win.dll
Module loaded, combase.dll
Module loaded, OLEAUT32.dll
Module loaded, WS2_32.dll
Module loaded, HdeSvc_p64.dll
Module loaded, WINSTA.dll
Module loaded, IPHLPAPI.DLL
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
Everything appears to be running normally.
Coverage map follows:

Handlers are called 10 times, but there is no console output and the coverage map is empty.

5. To be mentioned

5.1 Target is running correctly without instrumentation.

Command: target .\input\1

Output:

call target_function
File is open
File is closed
Size is read: 4
Array is filled
0 1 2 3
Array should be printed here
Array deleted

5.2 Target seems to be running correctly with command C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0\bin64\drrun.exe -debug -- target .\input\1

I see the expected output but have no idea what the "failed to suspend" threads mentioned at the end are.

Output:

<Starting application C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\app\target.exe (13780)>
<Running on newer-than-this-build "Microsoft Windows 10-2009 x64">
<Early threads found>
<Initial options = -no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<CURIOSITY : instr_get_opcode(instr_new) != instr_get_opcode(instr_old) in file D:\a\dynamorio\dynamorio\core\win32\callback.c line 2079
version 10.0.0, custom build
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<CURIOSITY : instr_new == instrlist_first(ilist) || instr_new == instr_get_next(instrlist_first(ilist)) in file D:\a\dynamorio\dynamorio\core\win32\callback.c line 2082
version 10.0.0, custom build
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<Cleaning hooked Nt wrapper @0x00007ffd16bf08d0 sysnum=0x1c2>
<curiosity: rex.w on OPSZ_6_irex10_short4!>
<spurious rep/repne prefix @0x00007ffd16bf1d4a (f3 0f c7 f9): >
<CURIOSITY : (thread_lookup(tid) != ((void *)0) || check_filter("win32.suspend.exe;runall.detach_test.exe;" "win32.threadinjection.exe", get_short_name(get_application_name()))) && "app suspending unknown thread" in file D:\a\dynamorio\dynamorio\core\win32\syscall.c line 3607
version 10.0.0, custom build
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0x000000c30a9fec29 0xf000007ffce2a5b4
C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0/lib64\debug\dynamorio.dll=0x0000000015000000>
call target_function
File is open
File is closed
Size is read: 4
Array is filled
0 1 2 3
Array should be printed here
Array deleted
<Stopping application C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\app\target.exe (13780)>
<Failed to suspend attached-but-never-scheduled thread 18160>
<Failed to suspend attached-but-never-scheduled thread 17500>
<Failed to suspend attached-but-never-scheduled thread 12648>

If needed, I will provide any more information.


afl.target.exe.22576.0000.proc.log
test.cpp

Kai Luk

Jun 5, 2024, 12:45:03 PM
to DynamoRIO Users
Is the target offset -target_offset 0x1a60 the absolute value, or the offset? Please refer to the following thread to determine if the target_offset is correct.

https://groups.google.com/g/dynamorio-users/c/QYDfwg3NqaM/m/FtCpvV6lAAAJ

Kai

Derek Bruening

Jun 5, 2024, 2:25:15 PM
to Kai Luk, DynamoRIO Users
Note that your command line passed `-debug` to winafl, *not* to DR, as you placed `-debug` after the `-c` parameter.  Try moving `-debug` to before `-c`: do you have console output now at least in the form of DR info and soft warnings?  Also note that past versions of Windows had complex console behavior in the "cmd" shell where it was quite difficult for DR or its clients to write to the console; but on Win10 that should not be an issue.  Even so, which console is this?  You can also try redirecting stdout and stderr to a file as a test to see whether direct on-screen console output is the problem: redirecting should always work regardless of which console or Windows version.


steppanovva

Jun 6, 2024, 3:52:59 AM
to DynamoRIO Users
Thanks for the answer, I have tried what you suggested.

1. Passing '-debug' before '-c'
When redirecting the output of the "original" command:
C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0\bin64\drrun.exe -c ..\winafl.dll -debug -target_module target.exe -target_offset 0x1a60 -fuzz_iterations 10 -nargs 2 -- target.exe .\input\1 2> errorfile
to errorfile, I still see nothing.
P.S. I still need the '-debug' option after '-c', otherwise the winafl client will try to connect to afl-fuzz, which expectedly results in an error.

But if I pass '-debug' before '-c' parameter,  there is output like this:
<Starting application C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\app\target.exe (21700)>

<Running on newer-than-this-build "Microsoft Windows 10-2009 x64">
<Early threads found>
<Initial options = -no_dynamic_options -client_lib 'C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\winafl.dll;0;"-debug" "-target_module" "target.exe" "-target_offset" "0x1a60" "-fuzz_iterations" "10" "-nargs" "2"' -client_lib64 'C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\winafl.dll;0;"-debug" "-target_module" "target.exe" "-target_offset" "0x1a60" "-fuzz_iterations" "10" "-nargs" "2"' -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >

<CURIOSITY : instr_get_opcode(instr_new) != instr_get_opcode(instr_old) in file D:\a\dynamorio\dynamorio\core\win32\callback.c line 2079
version 10.0.0, custom build
-no_dynamic_options -client_lib 'C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\winafl.dll;0;"-debug" "-target_module" "target.exe" "-target_offset" "0x1a60" "-fuzz_iterations" "10" "-nargs" "2"' -client_lib64 'C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\winafl.dll;0;"-debug" "-target

C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\winafl.dll=0x00007ff7158e0000
C:\Windows/system32/KERNEL32.dll=0x000001e560720000
C:\Windows/system32/KERNELBASE.dll=0x000001e5607e0000
C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0/ext\lib64\debug/drwrap.dll=0x00007ff715960000
C:\Users\stepanova.a>

<CURIOSITY : instr_new == instrlist_first(ilist) || instr_new == instr_get_next(instrlist_first(ilist)) in file D:\a\dynamorio\dynamorio\core\win32\callback.c line 2082
version 10.0.0, custom build
-no_dynamic_options -client_lib 'C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\winafl.dll;0;"-debug" "-target_module" "target.exe" "-target_offset" "0x1a60" "-fuzz_iterations" "10" "-nargs" "2"' -client_lib64 'C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\winafl.dll;0;"-debug" "-target

C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\winafl.dll=0x00007ff7158e0000
C:\Windows/system32/KERNEL32.dll=0x000001e560720000
C:\Windows/system32/KERNELBASE.dll=0x000001e5607e0000
C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0/ext\lib64\debug/drwrap.dll=0x00007ff715960000
C:\Users\stepanova.a>

<Cleaning hooked Nt wrapper @0x00007ffd16bf08d0 sysnum=0x1c2>
<curiosity: rex.w on OPSZ_6_irex10_short4!>
<spurious rep/repne prefix @0x00007ffd16bf1d4a (f3 0f c7 f9): >
<CURIOSITY : (thread_lookup(tid) != ((void *)0) || check_filter("win32.suspend.exe;runall.detach_test.exe;" "win32.threadinjection.exe", get_short_name(get_application_name()))) && "app suspending unknown thread" in file D:\a\dynamorio\dynamorio\core\win32\syscall.c line 3607
version 10.0.0, custom build
-no_dynamic_options -client_lib 'C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\winafl.dll;0;"-debug" "-target_module" "target.exe" "-target_offset" "0x1a60" "-fuzz_iterations" "10" "-nargs" "2"' -client_lib64 'C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\winafl.dll;0;"-debug" "-target
0x000000811d1fea39 0x0000007ffce2a5b4

C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0/lib64\debug\dynamorio.dll=0x0000000015000000
C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\winafl.dll=0x00007ff7158e0000
C:\Windows/system32/KERNEL32.dll=0x000001e560720000
C:\Windows/system32/KERNELBASE.dll=0x000001e5607e0000
C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0/ext\lib64\debug/drwrap.dll=0x00007ff715960000
C:\Users\stepanova.a>
<Stopping application C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\app\target.exe (21700)>
<memory leak: Client 6192 bytes not freed>
<memory leak: Client 93160 bytes not freed>
<memory leak: Client 99352 bytes not freed>

Maybe drrun crashes because it finds a "memory leak" somewhere?

P.P.S. I'm using win10 console.


2. Checking target_offset
I suppose target_offset should be correct: I used windbg to find it and followed the algorithm:
Command: lm m target
Output:
start             end               module name 
00007ff7`758b0000 00007ff7`758d5000 target

Base address is 00007ff7`758b0000

Then x target!*main*, output:
00007ff7`758b7010 target!__mingw_winmain_hInstance = 0x00000000`00000000 
00007ff7`758b7008 target!__mingw_winmain_lpCmdLine = 0x00000000`00000000 "" 
00007ff7`758b3000 target!__mingw_winmain_nShowCmd = 0xa 
00007ff7`758b7024 target!mainret = 0n0 
00007ff7`758b3024 target!__native_dllmain_reason = 0xffffffff 
00007ff7`758b30b8 target!__imp___getmainargs = 0x00007ff7`758b2ad0 
00007ff7`758b30b0 target!__imp___wgetmainargs = 0x00007ff7`758b2b40 
00007ff7`758b1180 target!__tmainCRTStartup (void) 
00007ff7`758b14d0 target!mainCRTStartup (void) 
00007ff7`758b1a60 target!__main (void) 
00007ff7`758b2b40 target!__wgetmainargs (int *, wchar_t ***, wchar_t ***, int, _startupinfo *) 
00007ff7`758b2ad0 target!__getmainargs (int *, char ***, char ***, int, _startupinfo *)

Interesting line is highlighted. Function address is 00007ff7`758b1a60
So, offset is 0x1a60

Also I've tried to disable inlining by adding  __declspec(noinline) into target_function:
int __declspec(noinline) target_function(const char* filename) {

Of course, the offset changed a bit, but the results are still the same.

Can you please tell me if there is a noob mistake I have made?



Wednesday, June 5, 2024 at 21:25:15 UTC+3, Derek Bruening:
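The offset computation walked through above (module base from `lm m`, symbol address from `x`, offset = address - base), as an added example that is not code from the thread or from WinAFL. It assumes WinDbg output in the two formats quoted in the post; the sample lines below are constructed, with a `target_function` entry added at the corrected offset from the later post.

```python
import re

# Constructed sample WinDbg output, modelled on the formats quoted in the thread.
LM_OUTPUT = """\
start             end               module name
00007ff7`758b0000 00007ff7`758d5000 target
"""
X_OUTPUT = """\
00007ff7`758b1180 target!__tmainCRTStartup (void)
00007ff7`758b14d0 target!mainCRTStartup (void)
00007ff7`758b1a60 target!__main (void)
00007ff7`758b1cf3 target!target_function (char *)
"""

def parse_addr(text):
    """WinDbg prints 64-bit addresses as hhhhhhhh`hhhhhhhh; drop the backtick."""
    return int(text.replace("`", ""), 16)

def module_range(lm_output, module):
    """Return (start, end) of `module` from `lm m <module>` output."""
    for line in lm_output.splitlines():
        m = re.match(r"^([0-9a-f`]+)\s+([0-9a-f`]+)\s+(\S+)\s*$", line)
        if m and m.group(3) == module:
            return parse_addr(m.group(1)), parse_addr(m.group(2))
    raise ValueError(f"module {module} not found in lm output")

def symbol_addresses(x_output):
    """Map 'module!symbol' -> address from `x module!pattern` output."""
    addrs = {}
    for line in x_output.splitlines():
        m = re.match(r"^([0-9a-f`]+)\s+(\S+!\S+)", line)
        if m:
            addrs[m.group(2)] = parse_addr(m.group(1))
    return addrs

def target_offset(lm_output, x_output, module, function):
    """Value for -target_offset: RVA of `function` relative to the module base.

    Pick the harness function itself (here target_function). On MinGW builds
    `__main` is libgcc's global-constructor runner, not user code, so hooking
    it loops on a function that prints nothing, as seen in the first post.
    The address is checked to fall inside the module's mapped range.
    """
    start, end = module_range(lm_output, module)
    addr = symbol_addresses(x_output).get(f"{module}!{function}")
    if addr is None:
        raise KeyError(f"{module}!{function} not listed; build with -g and rerun x")
    if not (start <= addr < end):
        raise ValueError("symbol address lies outside the module range")
    return addr - start

if __name__ == "__main__":
    print(hex(target_offset(LM_OUTPUT, X_OUTPUT, "target", "target_function")))
```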

steppanovva

Jun 6, 2024, 9:01:28 AM
to DynamoRIO Users

Tackled this problem (I used the previous binary compiled without -g flag, so apparently instruments were unable to locate main() correctly).

Now the output of
C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0\bin64\drrun.exe -c ..\winafl.dll -debug -target_module target.exe -target_offset 0x1cf3 -fuzz_iterations 10 -nargs 2 -- target.exe .\input\1.txt
is absolutely correct.

Ten times text below:

call target_function 
File is open 
File is closed 
Size is read: 4 
Array is filled 
0 1 2 3 
Array should be printed here 
Array deleted

But now, when I try to run afl-fuzz.exe with command:
..\afl-fuzz.exe -i .\input -o .\output -D C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0\bin64 -t 20000 -- -coverage_module target -target_module target -target_offset 0x1cf3 -fuzz_iterations 5000 -nargs 2 -- target.exe @@

I get an error:

[-] PROGRAM ABORT : Test case 'id_000000' results in a timeout Location : perform_dry_run(), C:\Users\stepanova.anna\dev\projects\winafl\afl-fuzz.c:3254
process 17260 is not running under DR
0 processes nudged
nudge operation failed, verify permissions and parameters.

What can be the point of DR not attaching to the process, as I can see? Maybe I have missed some crucial points?

Full output:

WinAFL 1.17 by <ifra...@google.com>
Based on AFL 2.43b by <lca...@google.com>
[+] You have 16 CPU cores with average utilization of 0%.
[+] Try parallel jobs - see afl_docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[+] Process affinity is set to 1.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning '.\input'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...

[-] The program took more than 20000 ms to process one of the initial test cases.
    In WinAFL, this error could also mean incorrect instrumentation params.
    Please make sure instrumentation runs correctly using the debug mode
    (see the README) before attempting to run afl-fuzz.

[-] PROGRAM ABORT : Test case 'id_000000' results in a timeout
         Location : perform_dry_run(), C:\Users\stepanova.anna\dev\projects\winafl\afl-fuzz.c:3254


C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\app>process 17260 is not running under DR
0 processes nudged
nudge operation failed, verify permissions and parameters.



Thursday, June 6, 2024 at 10:52:59 UTC+3, steppanovva:

Derek Bruening

Jun 7, 2024, 1:07:49 PM
to steppanovva, DynamoRIO Users
You're saying afl-fuzz launched a process under DR and then tried to nudge it, which failed with the error that the target process is not under DR?  I would try a nudge of a process under DR on this same platform without afl-fuzz in the picture and confirm that nudging works for this Windows version for a process you started.  If so you would then have to figure out how afl-fuzz's launch of the process and nudge invocation are different.
