Greetings,
I ran into a problem and unfortunately have no idea what the error is. Any help to resolve this issue would be greatly appreciated.
I am attaching the test.cpp source code and the afl.target.exe.22576.0000.proc log file. I found the required target_offset using WinDbg.
1. Description
2. Output
None
3. Expected output - 10 times the text below (due to the fuzz_iterations option = 10):
call target_function
File is open
File is closed
Size is read: 4
Array is filled
0 1 2 3
Array should be printed here
Array deleted
4. Log file output afl.target.exe.22576.0000.proc
Module loaded, dynamorio.dll
Module loaded, winafl.dll
Module loaded, drx.dll
Module loaded, drreg.dll
Module loaded, drmgr.dll
Module loaded, drwrap.dll
Module loaded, target.exe
Module loaded, libstdc++-6.dll
Module loaded, libgcc_s_seh-1.dll
Module loaded, libwinpthread-1.dll
Module loaded, KERNELBASE.dll
Module loaded, ucrtbase.dll
Module loaded, KERNEL32.dll
Module loaded, ntdll.dll
Module loaded, msvcrt.dll
Module loaded, RPCRT4.dll
Module loaded, bcrypt.dll
Module loaded, SECHOST.dll
Module loaded, ADVAPI32.dll
Module loaded, WTSAPI32.dll
Module loaded, siph64.dll
Module loaded, AppCore.dll
Module loaded, PluginAPI64.dll
Module loaded, SIHLib64.dll
In OpenFileW, reading \\.\{6BBFB4A2-B809-4194-8ED1-C0DA5D6B7429}
Module loaded, msvcp_win.dll
Module loaded, combase.dll
Module loaded, OLEAUT32.dll
Module loaded, WS2_32.dll
Module loaded, HdeSvc_p64.dll
Module loaded, WINSTA.dll
Module loaded, IPHLPAPI.DLL
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
In pre_fuzz_handler
In post_fuzz_handler
Everything appears to be running normally.
Coverage map follows:
The handlers are called 10 times, but there is no console output and the coverage map is empty.
5. To be mentioned
5.1 The target runs correctly without instrumentation.
Command: target .\input\1
Output:
call target_function
File is open
File is closed
Size is read: 4
Array is filled
0 1 2 3
Array should be printed here
Array deleted
5.2 The target seems to run correctly with the command C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0\bin64\drrun.exe -debug -- target .\input\1
I see the expected output but have no idea what the "failed to suspend" threads mentioned at the end are.
Output:
<Starting application C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\app\target.exe (13780)>
<Running on newer-than-this-build "Microsoft Windows 10-2009 x64">
<Early threads found>
<Initial options = -no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<CURIOSITY : instr_get_opcode(instr_new) != instr_get_opcode(instr_old) in file D:\a\dynamorio\dynamorio\core\win32\callback.c line 2079
version 10.0.0, custom build
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<CURIOSITY : instr_new == instrlist_first(ilist) || instr_new == instr_get_next(instrlist_first(ilist)) in file D:\a\dynamorio\dynamorio\core\win32\callback.c line 2082
version 10.0.0, custom build
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<Cleaning hooked Nt wrapper @0x00007ffd16bf08d0 sysnum=0x1c2>
<curiosity: rex.w on OPSZ_6_irex10_short4!>
<spurious rep/repne prefix @0x00007ffd16bf1d4a (f3 0f c7 f9): >
<CURIOSITY : (thread_lookup(tid) != ((void *)0) || check_filter("win32.suspend.exe;runall.detach_test.exe;" "win32.threadinjection.exe", get_short_name(get_application_name()))) && "app suspending unknown thread" in file D:\a\dynamorio\dynamorio\core\win32\syscall.c line 3607
version 10.0.0, custom build
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0x000000c30a9fec29 0xf000007ffce2a5b4
C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0/lib64\debug\dynamorio.dll=0x0000000015000000>
call target_function
File is open
File is closed
Size is read: 4
Array is filled
0 1 2 3
Array should be printed here
Array deleted
<Stopping application C:\Users\stepanova.anna\dev\projects\winafl\build64\bin\Release\app\target.exe (13780)>
<Failed to suspend attached-but-never-scheduled thread 18160>
<Failed to suspend attached-but-never-scheduled thread 17500>
<Failed to suspend attached-but-never-scheduled thread 12648>
If needed, I will provide more information.
--
You received this message because you are subscribed to the Google Groups "DynamoRIO Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dynamorio-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dynamorio-users/d68ab6a2-2b5d-47a4-b6d3-5263b8bd497cn%40googlegroups.com.
I tackled this problem (I had used the previous binary, compiled without the -g flag, so apparently the instrumentation was unable to locate main() correctly).
Now the output of
C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0\bin64\drrun.exe -c ..\winafl.dll -debug -target_module target.exe -target_offset 0x1cf3 -fuzz_iterations 10 -nargs 2 -- target.exe .\input\1.txt
is absolutely correct.
Ten times the text below:
But now, when I try to run afl-fuzz.exe with command:
..\afl-fuzz.exe -i .\input -o .\output -D C:\Users\stepanova.anna\dev\projects\winafl\DynamoRIO-Windows-10.0.0\bin64 -t 20000 -- -coverage_module target -target_module target -target_offset 0x1cf3 -fuzz_iterations 5000 -nargs 2 -- target.exe @@
I get an error:
What can be the reason for DR not attaching to the process, as far as I can see? Maybe I have missed some crucial points?
Full output:
To view this discussion on the web visit https://groups.google.com/d/msgid/dynamorio-users/104ff674-c3b7-4259-ad66-39e704c08f17n%40googlegroups.com.
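The thread never shows test.cpp itself, so here is an added example (not the poster's code and not part of WinAFL) of a target with the shape a WinAFL target_function needs for the per-iteration output above to appear: the function opens, reads, allocates, prints and frees everything itself, so re-entering it fuzz_iterations times from one process starts each run clean, and it is marked noinline with an unmangled name so it keeps a stable entry point whose RVA is the target_offset. The input format (one decimal integer N, the array holding 0..N-1) and the size cap are assumptions chosen to reproduce the "Size is read: 4" / "0 1 2 3" output for a file containing "4"; the cap is a practitioner's addition so that a fuzzer-supplied huge size fails fast instead of hanging every iteration.

```cpp
// Added example of a WinAFL-style target; not the thread's test.cpp.
// Assumed input: the file holds one decimal integer N; the target allocates
// N elements, fills element i with i and prints them.
#include <cstdlib>
#include <fstream>
#include <iostream>
#include <iterator>
#include <string>
#include <vector>

#if defined(_MSC_VER)
#define TARGET_NOINLINE __declspec(noinline)
#else
#define TARGET_NOINLINE __attribute__((noinline))
#endif

// Upper bound on the element count (our addition): without it a fuzzer-supplied
// size such as "99999999999" turns each iteration into an allocation failure
// or a timeout instead of exercising the parser.
static const long kMaxElements = 1L << 20;

// Parses the integer header from the raw file contents.
// Returns the element count, or -1 for an empty, non-numeric, negative or
// oversized value.
long parse_size(const std::string &text) {
    if (text.empty()) return -1;
    char *end = nullptr;
    long value = std::strtol(text.c_str(), &end, 10);
    if (end == text.c_str()) return -1;            // no digits at all
    if (value < 0 || value > kMaxElements) return -1;
    return value;
}

// The fuzzing entry point. noinline + extern "C" keeps one unmangled entry
// point: target_offset is this function's RVA in the exact binary being
// fuzzed and must be re-derived after every rebuild (different flags move it).
// Open, read, allocate and free all happen inside, so calling it
// fuzz_iterations times in one process leaves no state behind.
extern "C" TARGET_NOINLINE long target_function(const char *path) {
    std::cout << "call target_function\n";
    std::ifstream in(path);
    if (!in) return -1;
    std::cout << "File is open\n";
    std::string text((std::istreambuf_iterator<char>(in)),
                     std::istreambuf_iterator<char>());
    in.close();
    std::cout << "File is closed\n";

    long size = parse_size(text);
    if (size < 0) return -1;
    std::cout << "Size is read: " << size << "\n";

    std::vector<long> arr(static_cast<size_t>(size));   // RAII: freed on return
    for (long i = 0; i < size; ++i) arr[static_cast<size_t>(i)] = i;
    std::cout << "Array is filled\n";
    for (long i = 0; i < size; ++i)
        std::cout << arr[static_cast<size_t>(i)] << (i + 1 < size ? " " : "");
    std::cout << "\nArray deleted\n";
    return size;
}

// Writes a seed file (used to build the initial corpus for the example).
bool write_input(const char *path, const char *contents) {
    std::ofstream out(path, std::ios::binary);
    if (!out) return false;
    out << contents;
    return static_cast<bool>(out);
}

// Mirrors the -fuzz_iterations loop: the same input run repeatedly from one
// process. Returns the last result, or -2 if runs disagree (state leaked
// between iterations).
long run_iterations(const char *path, int iterations) {
    long last = -1;
    for (int i = 0; i < iterations; ++i) {
        long r = target_function(path);
        if (i > 0 && r != last) return -2;
        last = r;
    }
    return last;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        std::cerr << "usage: target <input-file>\n";
        return 2;
    }
    return run_iterations(argv[1], 10) < 0 ? 1 : 0;
}
```

Built this way, the entry point to hand to -target_offset is the RVA of target_function in the binary actually being run under drrun; rebuilding with different optimisation or debug flags (the -g mismatch mentioned above) changes that RVA, so the offset has to be looked up again from the new image before fuzzing.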