
fpicker

fpicker is a Frida-based fuzzing suite that offers a variety of fuzzing modes for in-process fuzzing, such as an AFL++ mode or a passive tracing mode. It should run on all platforms that are supported by Frida.

Some background information and the thoughts and ideas behind fpicker can be found in a blogpost I wrote.

fpicker is based on previous efforts on ToothPicker, which was developed during my master's thesis. Most of fpicker was developed during working hours at my employer (ERNW).

Requirements and Installation

Required for running fpicker:

  • frida-compile to compile the harness script into one JS file

  • The frida-core-devkit for the respective platform found at Frida releases on GitHub.

    • Depending on the platform you want to target, store the library as libfrida-core-ios.a, libfrida-core-macos.a, or libfrida-core-linux.a.
    • The same goes for the header file (frida-core.h): store it as frida-core-ios.h, frida-core-macos.h, or frida-core-linux.h, matching the library.
    • The Makefile was built this way so you can build for different targets on the same host (usually for building on macOS, where you can compile for both iOS and macOS). There is probably a better way to do this.

    For example, run the following commands:

    cd fpicker
    wget https://github.com/frida/frida/releases/download/[yourversion]/frida-core-devkit-[yourversion]-[youros]-[yourarch].tar.xz
    mkdir frida-devkit
    tar -xJf frida-core-devkit-*.tar.xz -C frida-devkit
    cp frida-devkit/libfrida-core.a libfrida-core-[youros].a
    cp frida-devkit/frida-core.h frida-core-[youros].h
    

    Afterwards, make fpicker-[youros] should succeed.

Required only when running in AFL++ mode:

  • AFL++
    • on macOS:
      • Compile with CFLAGS="-DUSEMMAP=1".
    • on iOS:
      • Apply the aflpp-ios.patch. This changes the mode of the shared memory and the output file to 666 instead of 600. fpicker needs to run as root on iOS; a target that does not run as root could otherwise not read and write the shared memory.
      • Compile with CFLAGS="-DUSEMMAP=1".

Building and Running

fpicker can be built for macOS, iOS or Linux. The Makefile currently only supports building for iOS on macOS, but it should be possible to build fpicker with an iOS toolchain on Linux as well.

Depending on the desired target run:

make fpicker-macos
make fpicker-ios
make fpicker-linux

to build fpicker.

Once fpicker is built, the fuzzing harness needs to be built next.

See the examples folder for different sample fuzzing cases. The general approach is as follows:

  • Create a custom harness for the target (e.g. examples/test/test.js); see Creating a Fuzzing Harness below for details.
  • Compile the custom harness using frida-compile: frida-compile test.js -o harness.js

Now fpicker can start fuzzing. The exact command highly depends on the configuration and setup. In the following, a few example cases are given. These mostly correspond to the examples in the examples folder.

  • Run fpicker as AFL++ proxy attaching to a target process, fuzzing a specific function in-process:
afl-fuzz -i examples/test-network/in -o ./examples/test-network/out -- \
    ./fpicker --fuzzer-mode afl -e attach -p test-network -f ./examples/test-network/harness.js
  • Run fpicker in standalone active mode attaching to a server and running a client program to send the fuzzing input:
./fpicker --fuzzer-mode active -e attach -p server-process -f harness.js --input-mode cmd \
    --command "./client-send @@" -i indir -o outdir
  • Run fpicker in standalone active mode attaching to a server, fuzzing in-process with a custom mutator command:
./fpicker --fuzzer-mode active --communication-mode shm -e attach -p server-process -f harness.js \
    -i indir -o outdir --standalone-mutator cmd --mutator-command "radamsa"
  • Run fpicker in passive mode attaching to a server, collecting coverage and payloads:
./fpicker --fuzzer-mode passive --communication-mode send -e attach -p server-process -o outdir -f harness.js
  • Run fpicker in standalone active mode attaching to a running process on a remote device, fuzzing in-process with a custom mutator command:
./fpicker --fuzzer-mode active -e attach -p test -D remote -o examples/test/out/ -i examples/test/in/ \
    -f fuzzer-agent.js --standalone-mutator cmd --mutator-command "radamsa"

Creating a Fuzzing Harness

Each target requires its own fuzzing harness. The most important part of this harness is the entry function for Frida's Stalker, which determines at which point instrumentation starts. In in-process mode this is simple: it is usually the function that the harness calls on each fuzzing iteration, although any other function can be chosen.

A minimalist harness implementation (in command mode) could be this:

// Import the fuzzer base class
const Fuzzer = require("harness/fuzzer.js");

// The custom fuzzer needs to subclass the Fuzzer class to work properly
class TestFuzzer extends Fuzzer.Fuzzer {
    constructor() {
        // The constructor needs to specify the address of the targeted function and a NativeFunction
        // object that can later be called by the fuzzer.
        // Module.getExportByName(null, ...) searches the exports of every loaded module.
        const FUZZ_FUNCTION_ADDR = Module.getExportByName(null, "FUZZ_FUNCTION");
        const FUZZ_FUNCTION = new NativeFunction(
            FUZZ_FUNCTION_ADDR,
            "void", ["pointer", "int64"]);

        super("test", FUZZ_FUNCTION_ADDR, FUZZ_FUNCTION);
    }
}

const f = new TestFuzzer();
exports.fuzzer = f;

This harness configures the instrumentation to follow the function FUZZ_FUNCTION: instrumentation starts when this function is entered and stops when it returns. Choose this function carefully. Stalking is expensive, and the more (potentially irrelevant) code of the process is instrumented, the slower the fuzzer gets, so this is a trade-off between speed and intended coverage. Additionally, the fuzzer currently only supports functions that are entered once per fuzzing iteration; if the function is called more than once during one fuzz case, the coverage information may become unreliable.

When in-process input mode is used, the harness needs one more method: fuzz. It is called on each iteration with two parameters, a pointer to the payload buffer and the length of that buffer. Our exemplary target function takes exactly these two parameters, so we can pass through what the fuzz method receives:

fuzz(payload, len) {
    // target_function is the NativeFunction handed to the base class constructor
    this.target_function(payload, parseInt(len));
}

In passive mode, a callback needs to be specified that extracts the required data. The fuzzer expects to receive a payload buffer and its length; how these are obtained depends on the target function that is traced. In the following example, we again have a function with two parameters, a pointer to a buffer and its length. The args parameter holds all arguments of the target function as NativePointers, so the length (the second argument in our case) is args[1]. We then read the buffer as Uint8Array and send it back to the fuzzer using the sendPassiveCorpus method.

passiveCallback(args) {
    // args[1] is the length argument; convert the NativePointer to a number
    const len = args[1].toInt32();
    const data = new Uint8Array(args[0].readByteArray(len));

    // this encodes the data and sends it back to the fuzzer
    this.sendPassiveCorpus(data, len);
}

In case the target needs some sort of preparation before the fuzzer can start, fpicker provides a prepare method that is called during the initialization of the fuzzer. Preparation could be the establishment of state, e.g., by instantiating an object. Such a preparation function could look like the following:

prepare() {
  // the object can be attached to the fuzzer instance so that it can be used within the
  // fuzz() method later on.
  this.required_object = call_native_function_that_creates_object();
}

Modes and Configuration

fpicker offers a large set of modes and configurations that are explained in the following. Most of these modes can be combined in different ways. At the end of this section is a table that shows which options can be combined and what their implementation status is.

Fuzzer Mode

Fpicker has three different fuzzing modes: AFL++ Mode, Standalone Active Mode and Standalone Passive Mode:

  • AFL++ Mode: In AFL++ mode, fpicker acts as a proxy between AFL++ and the target process. Using Frida's instrumentation capabilities, AFL's coverage bitmap is populated while the target is fuzzed with input data generated by AFL++.

  • Standalone Active Mode: In standalone active mode, the fuzzer uses Frida's Stalker call summaries to gather coverage in form of basic blocks that are executed during an iteration. This is nothing new and has been implemented in various forms before. However, in combination with some of the other fuzzer settings this can have various benefits. It is also a good alternative if AFL++ is not applicable or desired in a given environment or case.

  • Standalone Passive Mode: Passive mode is less of a fuzzer and more of a tracer. Essentially, it does the same as standalone active mode, but it does not send its own inputs. It just attaches to a certain function and collects coverage. Once new coverage is observed, both the coverage and the input are stored.
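
The AFL++ mode above relies on the proxy populating AFL's edge bitmap from the blocks Frida observes, and the stability issue reported further down this page (reset prev_loc to zero for every fuzz attempt) is a property of exactly that bookkeeping. The following is an added example, not fpicker's own code: a minimal C model of the AFL-style edge bitmap, with MAP_SIZE and a block-id function chosen so the indices can be checked by hand (a real proxy hashes the block address). cov_stability_check replays one constructed trace twice, once with the per-case reset and once without, and returns how many bitmap entries differ between the two runs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not fpicker's code: a hand-traceable model of how an
 * AFL-style proxy turns a stream of executed basic blocks into the shared
 * coverage bitmap, and why prev_loc has to be reset before every fuzz case.
 * MAP_SIZE and block_id() are simplifications chosen for this demo. */

#define MAP_SIZE (1u << 16)

struct cov_state {
    uint8_t  map[MAP_SIZE];  /* the edge bitmap AFL++ reads after each case */
    uint32_t prev_loc;       /* id of the previous block, shifted right by one */
};

/* Constructed trace (not from a real target): three block addresses. */
static const uintptr_t demo_trace[] = { 0x10000, 0x10020, 0x10050 };
static const size_t demo_trace_len = sizeof demo_trace / sizeof demo_trace[0];

/* Map a block address to a bitmap index. A real proxy hashes the address;
 * a plain shift is used here so the indices can be followed by hand. */
static uint32_t block_id(uintptr_t addr)
{
    return (uint32_t)(addr >> 4) & (MAP_SIZE - 1);
}

/* Call this at the start of every fuzz case. Skipping it makes the first
 * edge of a case depend on the last block of the previous case. */
void cov_reset_case(struct cov_state *st)
{
    st->prev_loc = 0;
}

/* Coverage callback: record the edge (previous block -> this block). */
void cov_log_block(struct cov_state *st, uintptr_t addr)
{
    uint32_t cur = block_id(addr);
    st->map[cur ^ st->prev_loc]++;
    st->prev_loc = cur >> 1;   /* the shift keeps A->B and B->A distinct */
}

/* Execute one case: clear the map (as AFL++ does before each run) and log
 * every block in the trace. reset_prev_loc selects the correct behaviour. */
void cov_run_case(struct cov_state *st, const uintptr_t *trace, size_t n,
                  int reset_prev_loc)
{
    memset(st->map, 0, sizeof st->map);
    if (reset_prev_loc)
        cov_reset_case(st);
    for (size_t i = 0; i < n; i++)
        cov_log_block(st, trace[i]);
}

/* Number of distinct edges hit by one case run with a correct reset. */
size_t cov_edges_for_trace(const uintptr_t *trace, size_t n)
{
    static struct cov_state st;
    size_t hit = 0;
    memset(&st, 0, sizeof st);
    cov_run_case(&st, trace, n, 1);
    for (size_t i = 0; i < MAP_SIZE; i++)
        if (st.map[i])
            hit++;
    return hit;
}

/* Replay the same trace twice, as AFL++'s calibration does, and return how
 * many bitmap entries differ between the two runs. 0 means a stable case. */
size_t cov_stability_check(const uintptr_t *trace, size_t n, int reset_prev_loc)
{
    static struct cov_state st;
    static uint8_t first[MAP_SIZE];
    size_t diff = 0;
    memset(&st, 0, sizeof st);
    cov_run_case(&st, trace, n, reset_prev_loc);
    memcpy(first, st.map, MAP_SIZE);
    cov_run_case(&st, trace, n, reset_prev_loc);
    for (size_t i = 0; i < MAP_SIZE; i++)
        if (first[i] != st.map[i])
            diff++;
    return diff;
}

int main(void)
{
    printf("edges hit:                  %zu\n",
           cov_edges_for_trace(demo_trace, demo_trace_len));
    printf("unstable entries, reset:    %zu\n",
           cov_stability_check(demo_trace, demo_trace_len, 1));
    printf("unstable entries, no reset: %zu\n",
           cov_stability_check(demo_trace, demo_trace_len, 0));
    return 0;
}
```

Without the reset, the first edge of the second run is computed against the last block of the previous run, so replaying an identical input changes two bitmap entries and AFL++ would count the case as unstable or as a spurious new path; with the reset the two runs agree.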

Input Mode

While fpicker is largely designed as an in-process fuzzer, it also supports fuzzing via an external command. For this fpicker offers two input modes.

  • Input Mode In-Process: In in-process input mode, the harness directly calls a specified function in the target process. The fuzzer sends the payload to the harness and the harness prepares the payload in such a way that it can call the targeted function.

  • Input Mode CMD: In command input mode, the payload is handed to an external command. This is useful if preparing the parameters or other state for a direct call of the target function is too complex, e.g. when a client program can be supplied with a payload that then triggers the target function. Coverage collection still needs to be attached to a specific function in the target.

Communication Mode

Communication mode determines how the injected harness communicates with the fuzzer. This largely depends on the target application. Frida offers an API to send and receive messages from the injected agent script. This type of communication is quite costly; one of the factors is that every message needs to be encoded in JSON, so sending binary data is not straightforward. Therefore, fpicker offers a second communication mode over shared memory. This only works if shared memory can be established between the fuzzer and the target application, which means it cannot be used when the target is attached to the fuzzer host via USB. In CMD input mode, the communication mode only refers to how the coverage information is communicated back to the fuzzer, not how the payload is sent, as that is deferred to the external command.

  • Communication Mode Send: In send communication mode the payload is sent using Frida's RPC mechanism, which lets the fuzzer execute a JavaScript function within the injected harness script. This function can then do all the necessary preparations to call the target function. Once the target function returns, coverage collection stops and the harness signals the fuzzer that the iteration is finished by sending the coverage information back with Frida's send API.

  • Communication Mode SHM: In SHM communication mode the fuzzer and the harness script communicate via shared memory and semaphores. A buffer in shared memory is used to send the payload and to receive the coverage information; instead of sending and receiving messages, the two components wait on and post to a semaphore. Depending on the system and the target, this brings considerable performance gains, especially because the binary payload is written to memory once and does not have to be encoded, decoded or copied into other memory locations. Unfortunately, this mode sometimes leads to low stability when running with AFL++. Not sure why, yet.

Exec Mode

Exec mode can be either spawn or attach: fpicker can either attach to a running process or spawn the process itself. One major difference between the two modes is that, should the target crash in attach mode, fpicker will not try to respawn it.

Standalone Mutator

In standalone mode fpicker offers three different input mutation strategies. Nicely put, input mutation certainly has lots of room for improvement.

  • Standalone Mutator NULL: This mutator does not mutate the payload and just returns a copy of the same payload. Mostly for testing purposes. Otherwise not really useful.

  • Standalone Mutator Rand: A very bad random mutator. All it does is randomly replace values at random locations in the original payload. It does not change the payload length.

  • Standalone Mutator Custom: This mutator can call an external command to mutate payloads. It writes the payload to the command's stdin and reads the mutated payload from its stdout. Due to its shallow implementation it has quite a performance impact.
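
As an added example (not fpicker's code; the xorshift PRNG, the n_replace parameter, the use of /bin/sh and the sample payload are assumptions made here), the following C program implements the two mutators above that do real work: a same-length random replacement and an external command mutator that writes the payload to the command's stdin and reads the result from its stdout, with the deadlock caveat for large payloads called out in the code.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not fpicker's code: stand-alone versions of the "rand" and
 * "custom" (external command) standalone mutators. PRNG, n_replace, the
 * /bin/sh invocation and the sample payload are choices made for this demo. */

/* Constructed sample payload; not taken from any real target. */
static const uint8_t sample_payload[] = "GET /index.html HTTP/1.0\r\n\r\n";
#define SAMPLE_LEN (sizeof(sample_payload) - 1)

/* Output buffer shared by the demo below and its checks. */
uint8_t scratch_out[256];

/* xorshift32: deterministic, so a run can be reproduced from its seed. */
static uint32_t rng_next(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *s = x;
}

/* "Rand" mutator: overwrite n_replace bytes at random offsets with random
 * values. The length never changes. Returns the output length (== len). */
size_t mutate_rand(const uint8_t *in, size_t len, uint8_t *out,
                   size_t n_replace, uint32_t seed)
{
    uint32_t st = seed ? seed : 1;   /* xorshift must not start at zero */
    memcpy(out, in, len);
    if (len == 0)
        return 0;
    for (size_t i = 0; i < n_replace; i++) {
        size_t pos = rng_next(&st) % len;
        out[pos] = (uint8_t)rng_next(&st);
    }
    return len;
}

/* "Custom" mutator: run cmd via /bin/sh, feed it the payload on stdin and
 * collect the mutated payload from stdout (the interface radamsa offers).
 * Returns the number of bytes produced, or -1 if the command failed.
 * The whole payload is written before anything is read; with a command that
 * streams output while it reads, payloads larger than the pipe buffer would
 * need a separate writer thread or poll(2) to avoid a deadlock. */
ssize_t mutate_cmd(const char *cmd, const uint8_t *in, size_t len,
                   uint8_t *out, size_t out_cap)
{
    int to_child[2], from_child[2];
    if (pipe(to_child) < 0 || pipe(from_child) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        dup2(to_child[0], STDIN_FILENO);
        dup2(from_child[1], STDOUT_FILENO);
        close(to_child[0]); close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(to_child[0]);
    close(from_child[1]);

    /* A command that exits early closes our write end; take EPIPE as an
     * error return instead of letting SIGPIPE kill the fuzzer. */
    signal(SIGPIPE, SIG_IGN);
    size_t off = 0;
    while (off < len) {
        ssize_t w = write(to_child[1], in + off, len - off);
        if (w <= 0)
            break;
        off += (size_t)w;
    }
    close(to_child[1]);   /* EOF tells the command the payload is complete */

    size_t got = 0;
    while (got < out_cap) {
        ssize_t r = read(from_child[0], out + got, out_cap - got);
        if (r <= 0)
            break;
        got += (size_t)r;
    }
    close(from_child[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (off != len || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (ssize_t)got;
}

/* Count positions at which two equal-length buffers differ. */
size_t diff_bytes(const uint8_t *a, const uint8_t *b, size_t len)
{
    size_t d = 0;
    for (size_t i = 0; i < len; i++)
        if (a[i] != b[i])
            d++;
    return d;
}

int main(void)
{
    size_t n = mutate_rand(sample_payload, SAMPLE_LEN, scratch_out, 4, 0xC0FFEE);
    printf("rand: %zu bytes, %zu changed\n", n,
           diff_bytes(sample_payload, scratch_out, n));

    ssize_t m = mutate_cmd("tr a-z A-Z", sample_payload, SAMPLE_LEN,
                           scratch_out, sizeof scratch_out);
    if (m < 0)
        return 1;
    printf("cmd:  %.*s", (int)m, (const char *)scratch_out);
    return 0;
}
```

mutate_cmd forks and execs the command once per iteration, which is the cost the text refers to; a non-zero exit status or a command that stops reading early is reported as a failed mutation rather than fed to the target as an empty payload.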

USB devices

Using the -D usb device option, Frida will pick the first local USB device, e.g. an iPhone or Android phone.

Network devices

With option -D remote it is possible to fuzz a process running on a network device. For this, the remote device must be running frida-server. As a sample configuration, use SSH with port forwarding to bind the frida-server default listening port 27042 on the remote device to a socket on the local client.

ssh -N [user]@[device] -L 127.0.0.1:27042:127.0.0.1:27042

On an iPhone, one can also use iproxy to forward the port from a USB connection. This might be especially useful if running Frida on a non-standard port on a non-jailbroken device with the Frida gadget. When working with the Frida gadget, the only available process will have the name Gadget, regardless of the target app name.

iproxy 27042 27042

Then use frida-ps to validate the configuration by listing processes on the remote device:

frida-ps -R

Contributors

jiska2342, ttdennis

fpicker's Issues

multiple definition of `verbose'

returnzero@returnzero-virtual-machine:~/Fuzz/fpicker-aflpp-android/fpicker$ make fpicker-linux
cc -fPIC -m64 -ffunction-sections -fdata-sections -Wall -Wno-format -Os -pipe -g3 fpicker.c fp_communication.c fp_standalone_mode.c fp_afl_mode.c -o fpicker -L. -lfrida-core-linux -ldl -lm -lresolv -lrt -Wl,--export-dynamic -Wl,--gc-sections,-z,noexecstack -pthread
In file included from /usr/include/string.h:535,
from frida-core-linux.h:9315,
from fpicker.h:2,
from fp_communication.c:1:
In function ‘strncpy’,
inlined from ‘create_communication_map’ at fp_communication.c:257:5:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:95:10: warning: ‘__builtin_strncpy’ output truncated before terminating nul copying 12 bytes from a string of the same length [-Wstringop-truncation]
95 | return __builtin___strncpy_chk (__dest, __src, __len,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
96 | __glibc_objsize (__dest));
| ~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/bin/ld: /tmp/cc49uJGR.o:/home/returnzero/Fuzz/fpicker-aflpp-android/fpicker/fpicker.h:245: multiple definition of `verbose'; /tmp/ccBjYP55.o:/home/returnzero/Fuzz/fpicker-aflpp-android/fpicker/fpicker.h:245: first defined here
/usr/bin/ld: /tmp/ccfmi0ID.o:/home/returnzero/Fuzz/fpicker-aflpp-android/fpicker/fpicker.h:245: multiple definition of `verbose'; /tmp/ccBjYP55.o:/home/returnzero/Fuzz/fpicker-aflpp-android/fpicker/fpicker.h:245: first defined here
/usr/bin/ld: /tmp/cc4RMsRp.o:/home/returnzero/Fuzz/fpicker-aflpp-android/fpicker/fpicker.h:245: multiple definition of `verbose'; /tmp/ccBjYP55.o:/home/returnzero/Fuzz/fpicker-aflpp-android/fpicker/fpicker.h:245: first defined here
collect2: error: ld returned 1 exit status
make: *** [Makefile:11: fpicker-linux] Error 1

building fpicker for linux

Hi,

I'm trying to build fpicker for linux x64. I've downloaded frida-core-devkit-15.1.28-linux-x86_64 and renamed the library and the header file to frida-core-linux.a and frida-core-linux.h.

When I'm running make fpicker-linux I'm getting an error:


➜ make fpicker-linux  
cc -fPIC -m64 -ffunction-sections -fdata-sections -Wall -Wno-format -Os -pipe -g3 fpicker.c fp_communication.c fp_standalone_mode.c fp_afl_mode.c -o fpicker -L. -lfrida-core-linux.a -ldl -lm -lresolv -lrt -Wl,--export-dynamic -Wl,--gc-sections,-z,noexecstack -pthread
In file included from /usr/include/string.h:495,
                 from frida-core-linux.h:22131,
                 from fpicker.h:2,
                 from fp_communication.c:1:
In function ‘strncpy’,
    inlined from ‘create_communication_map’ at fp_communication.c:248:5:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: ‘__builtin_strncpy’ output truncated before terminating nul copying 12 bytes from a string of the same length [-Wstringop-truncation]
  106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/bin/ld: cannot find -lfrida-core-linux.a
collect2: error: ld returned 1 exit status
make: *** [Makefile:11: fpicker-linux] Error 1

Errors and exceptions with more and bigger file in seeds

Somehow when I run the fuzzer with one file in seed (input directory) with this size

-rw-r--r-- 1 root root 1267 Apr 28 13:42 small_movie.mp4

It works rather smoothly:

      __       _      _                     
      / _|     (_)    | |                    
     | |_ _ __  _  ___| | _____ _ __         
     |  _| '_ \| |/ __| |/ / _ \ '__|      
     | | | |_) | | (__|   <  __/ |           
     |_| | .__/|_|\___|_|\_\___|_|        
         | |                                 
         |_|        Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -

Running fpicker using the following configuration:
- fuzzer-mode: 			FUZZER_MODE_STANDALONE_ACTIVE
- coverage_mode: 		COVERAGE_MODE_STALKER_SUMMARY
- standalone_mutator: 		STANDALONE_MUTATOR_NULL
- communication_mode: 		COMMUNICATION_MODE_SEND
- input_mode: 			INPUT_MODE_IN_PROCESS
- exec_mode: 			EXEC_MODE_ATTACH
- device_type: 			DEVICE_REMOTE
- process_name: 		stagefright
- command: 			(null)
- fuzzer_timeout: 		500
- fuzzer_sleep: 		100
- verbose: 			false
- agent_script: 		fuzzer-agent.js
- corpus_dir: 			examples/test/in/
- out_dir: 			examples/test/out/
- metrics: enabled

[*] Found 3 Frida devices.
[*] Found desired Frida device: Local Socket(1)
[*] Trying to attach to process stagefright
[!] Unable to find stagefright PID, retrying.
[!] Unable to find stagefright PID, retrying.
[*] Found process stagefright with PID 6721
[*] Attached to process stagefright on frida device Local Socket
[*] Agent script created
[*] Agent script loaded
[*] Slept a bit to give the agent script some time.
[*] MODULE=/data/local/tmp/stagefright, start=0x5dd6381f8000, end=0x5dd638228000
[*] Harness preparation done
[*] Fuzzer is ready.
[*] Getting corpus coverage (small_movie.mp4)
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for payload small_movie.mp4 (probably due to crash)
[*] Using 1 input files covering a total of 0 basic blocks
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610172] [BBs=0] [seed=0] [fc=1] [fcps=1] [cur_loop=81031] [mut_avg=2] [cov_avg=158824] [corpus=1]
[!] New coverage found, nice!
[*] Added new file small_movie.mp4 to corpus
[t=1619610172] [BBs=1567] [seed=1] [fc=3] [fcps=3] [cur_loop=108254] [mut_avg=2] [cov_avg=86993] [corpus=2]
[t=1619610172] [BBs=1567] [seed=2] [fc=5] [fcps=5] [cur_loop=143084] [mut_avg=2] [cov_avg=79711] [corpus=2]
[t=1619610173] [BBs=1567] [seed=3] [fc=7] [fcps=7] [cur_loop=133520] [mut_avg=2] [cov_avg=68858] [corpus=2]
[t=1619610173] [BBs=1567] [seed=4] [fc=9] [fcps=9] [cur_loop=140593] [mut_avg=2] [cov_avg=68610] [corpus=2]
[t=1619610173] [BBs=1567] [seed=5] [fc=11] [fcps=11] [cur_loop=122006] [mut_avg=2] [cov_avg=59444] [corpus=2]
[t=1619610173] [BBs=1567] [seed=6] [fc=13] [fcps=13] [cur_loop=134830] [mut_avg=3] [cov_avg=60178] [corpus=2]
[t=1619610173] [BBs=1567] [seed=7] [fc=15] [fcps=15] [cur_loop=134421] [mut_avg=2] [cov_avg=60759] [corpus=2]
[t=1619610173] [BBs=1567] [seed=8] [fc=17] [fcps=17] [cur_loop=121575] [mut_avg=2] [cov_avg=57927] [corpus=2]
[t=1619610173] [BBs=1567] [seed=9] [fc=19] [fcps=19] [cur_loop=127596] [mut_avg=2] [cov_avg=58070] [corpus=2]
[t=1619610173] [BBs=1567] [seed=10] [fc=21] [fcps=21] [cur_loop=137293] [mut_avg=2] [cov_avg=58728] [corpus=2]
[t=1619610174] [BBs=1567] [seed=11] [fc=23] [fcps=23] [cur_loop=134883] [mut_avg=2] [cov_avg=57410] [corpus=2]
[t=1619610174] [BBs=1567] [seed=12] [fc=25] [fcps=25] [cur_loop=142315] [mut_avg=2] [cov_avg=58299] [corpus=2]
[t=1619610174] [BBs=1567] [seed=13] [fc=27] [fcps=27] [cur_loop=121059] [mut_avg=2] [cov_avg=58060] [corpus=2]
[t=1619610174] [BBs=1567] [seed=14] [fc=29] [fcps=29] [cur_loop=130966] [mut_avg=2] [cov_avg=58199] [corpus=2]
[t=1619610174] [BBs=1567] [seed=15] [fc=31] [fcps=15] [cur_loop=109512] [mut_avg=2] [cov_avg=57834] [corpus=2]
[t=1619610174] [BBs=1567] [seed=16] [fc=33] [fcps=16] [cur_loop=136583] [mut_avg=2] [cov_avg=58313] [corpus=2]
[t=1619610174] [BBs=1567] [seed=17] [fc=35] [fcps=17] [cur_loop=125231] [mut_avg=2] [cov_avg=58416] [corpus=2]
[t=1619610174] [BBs=1567] [seed=18] [fc=37] [fcps=18] [cur_loop=121583] [mut_avg=2] [cov_avg=58386] [corpus=2]
[t=1619610175] [BBs=1567] [seed=19] [fc=39] [fcps=19] [cur_loop=131471] [mut_avg=3] [cov_avg=57334] [corpus=2]
[t=1619610175] [BBs=1567] [seed=20] [fc=41] [fcps=20] [cur_loop=125470] [mut_avg=3] [cov_avg=57349] [corpus=2]
[t=1619610175] [BBs=1567] [seed=21] [fc=43] [fcps=21] [cur_loop=133559] [mut_avg=3] [cov_avg=57482] [corpus=2]
[t=1619610175] [BBs=1567] [seed=22] [fc=45] [fcps=22] [cur_loop=116070] [mut_avg=2] [cov_avg=57400] [corpus=2]
[t=1619610175] [BBs=1567] [seed=23] [fc=47] [fcps=15] [cur_loop=134269] [mut_avg=2] [cov_avg=57699] [corpus=2]
[t=1619610175] [BBs=1567] [seed=24] [fc=49] [fcps=16] [cur_loop=140688] [mut_avg=2] [cov_avg=57972] [corpus=2]
[t=1619610175] [BBs=1567] [seed=25] [fc=51] [fcps=17] [cur_loop=125048] [mut_avg=2] [cov_avg=57277] [corpus=2]
[t=1619610175] [BBs=1567] [seed=26] [fc=53] [fcps=17] [cur_loop=107827] [mut_avg=2] [cov_avg=57008] [corpus=2]
[t=1619610176] [BBs=1567] [seed=27] [fc=55] [fcps=18] [cur_loop=129959] [mut_avg=2] [cov_avg=57212] [corpus=2]

With more files or bigger file, it fuzzes I see it in the process output but get those:

       __       _      _                     
      / _|     (_)    | |                    
     | |_ _ __  _  ___| | _____ _ __         
     |  _| '_ \| |/ __| |/ / _ \ '__|      
     | | | |_) | | (__|   <  __/ |           
     |_| | .__/|_|\___|_|\_\___|_|        
         | |                                 
         |_|        Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -

Running fpicker using the following configuration:
- fuzzer-mode: 			FUZZER_MODE_STANDALONE_ACTIVE
- coverage_mode: 		COVERAGE_MODE_STALKER_SUMMARY
- standalone_mutator: 		STANDALONE_MUTATOR_NULL
- communication_mode: 		COMMUNICATION_MODE_SEND
- input_mode: 			INPUT_MODE_IN_PROCESS
- exec_mode: 			EXEC_MODE_ATTACH
- device_type: 			DEVICE_REMOTE
- process_name: 		stagefright
- command: 			(null)
- fuzzer_timeout: 		500
- fuzzer_sleep: 		100
- verbose: 			false
- agent_script: 		fuzzer-agent.js
- corpus_dir: 			examples/test/in/
- out_dir: 			examples/test/out/
- metrics: enabled

[*] Found 3 Frida devices.
[*] Found desired Frida device: Local Socket(1)
[*] Trying to attach to process stagefright
[*] Found process stagefright with PID 6721
[*] Attached to process stagefright on frida device Local Socket
[*] Agent script created
[*] Agent script loaded
[*] Slept a bit to give the agent script some time.
[*] MODULE=/data/local/tmp/stagefright, start=0x5dd6381f8000, end=0x5dd638228000
[*] Harness preparation done
[*] Fuzzer is ready.
[*] Getting corpus coverage (hevc-crash-poc.mp4)
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n    at <input>:1\n    at parse (native)\n    at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for payload hevc-crash-poc.mp4 (probably due to crash)
[*] Getting corpus coverage (small_movie.mp4)
[->] error_send_message: {"type":"send","payload":["frida:rpc",2,"error","access violation accessing 0x0","Error","Error: access violation accessing 0x0\n    at fuzz (test-fuzzer.js:38)\n    at fuzzInternal (../../harness/fuzzer.js:273)\n    at fuzz (../../harness/fuzzer.js:103)\n    at apply (native)\n    at <anonymous> (frida/runtime/message-dispatcher.js:13)\n    at c (frida/runtime/message-dispatcher.js:23)",{"message":"access violation accessing 0x0","type":"access-violation","address":"0x0","memory":{"operation":"execute","address":"0x0"},"context":{"pc":"0x0","sp":"0x7baf5aafc780","rax":"0x7baf4514b4de","rcx":"0x0","rdx":"0x2","rbx":"0x7bafdf5c12c8","rsp":"0x7baf5aafc780","rbp":"0x0","rsi":"0x1","rdi":"0x0","r8":"0x7baf1a067a10","r9":"0x0","r10":"0x18b813780000000","r11":"0x246","r12":"0x7bafdf7253a0","r13":"0x1","r14":"0x7baf5aafca90","r15":"0x2","rip":"0x0"},"nativeContext":"0x0","fileName":"test-fuzzer.js","lineNumber":38}]}
[!] Error getting coverage for payload small_movie.mp4 (probably due to crash)
[*] Using 2 input files covering a total of 0 basic blocks
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n    at <input>:1\n    at parse (native)\n    at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610851] [BBs=0] [seed=0] [fc=2] [fcps=2] [cur_loop=125670] [mut_avg=5] [cov_avg=103289] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n    at <input>:1\n    at parse (native)\n    at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610851] [BBs=0] [seed=1] [fc=4] [fcps=4] [cur_loop=129653] [mut_avg=4] [cov_avg=82736] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n    at <input>:1\n    at parse (native)\n    at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610851] [BBs=0] [seed=2] [fc=6] [fcps=6] [cur_loop=135099] [mut_avg=3] [cov_avg=75664] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n    at <input>:1\n    at parse (native)\n    at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610851] [BBs=0] [seed=3] [fc=8] [fcps=8] [cur_loop=135543] [mut_avg=3] [cov_avg=72405] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n    at <input>:1\n    at parse (native)\n    at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610851] [BBs=0] [seed=4] [fc=10] [fcps=10] [cur_loop=136007] [mut_avg=4] [cov_avg=70405] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n    at <input>:1\n    at parse (native)\n    at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610852] [BBs=0] [seed=5] [fc=12] [fcps=12] [cur_loop=131615] [mut_avg=4] [cov_avg=68903] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n    at <input>:1\n    at parse (native)\n    at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610852] [BBs=0] [seed=6] [fc=14] [fcps=14] [cur_loop=135562] [mut_avg=3] [cov_avg=68022] [corpus=2]

Any ideas how to debug/fix it?

Thanks,

stability issue

ensure that you reset prev_loc to zero for every fuzz attempt, as otherwise the first edge ID calculated is always different, resulting in "new paths" being found that are not.

Building and running on Android

Hello,

currently I am trying to get fpicker to run on Android devices.
I already tried to do it like in issues #19 and #5, but did not succeed.
As this is not featured in the docs yet, I wanted to (1) ask about some help on building and running it and (2) use this issue as a base to update the docs for running fpicker on Android devices.

First, I wanted to ask, which frida-core-devkit to download. Is frida-core-devkit-16.0.2-android-arm64.tar.xz the right one? Or can I use
frida-core-devkit-16.0.2-linux-arm64.tar.xz as well?

I tried both of them and added the header file and the library as frida-core-linux.h and libfrida-core-linux.a to the fpicker root.
After that, I simply tried to run make fpicker-linux.
Unfortunately, with both of them I ran into the following error:
cannot find -lfrida-core-linux: No such file or directory
As I am not really fluent in C, I am not sure whether this error is trivial or I am missing something.

I would be really thankful for any input and would like to update the README with detailed instructions for running on Android, as this seems to be a frequently asked request (at least as seen in #5).

Error while cross compiling for Android

I'm getting this error while cross compiling fpicker for Android (x86_64 CPU architecture):

ld: error: unable to find library -lresolv
ld: error: unable to find library -lrt
clang-12: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [Makefile:11: fpicker-linux] Error 1

I tested with NDK r22 and r23 but I get the same error.

Fields explanation

Can you briefly explain what the fields mean?

[t=1619610289] [BBs=1567] [seed=795] [fc=1591] [fcps=13] [cur_loop=105957] [mut_avg=2] [cov_avg=59723] [corpus=2]

Also, what should a "healthy" fuzzing output look like?

I assume the corpus should be increasing, etc.?

Thanks,

fpicker -> emulated android

What could be the cause of a segmentation fault at the target process search stage? Frida can attach to this process in the emulator without faults (frida_device_enumerate_processes_sync() returns NULL).

Fuzzing in AFL++ mode on an iOS device

I have succeeded on macOS; what should I do to fuzz on an iOS device?
Should I rewrite test-fuzzer.js?
Where should I put fpicker, afl-fuzz and harness.js?

FPicker with AFL++ v4.20/Frida v16.2.1

Hello,
I have built Frida, AFL++ and FPicker on a custom Linux target.
Frida JS injection/tracing seems to work, FPicker in standalone mode works (attach/in-process, shm or send).
I am trying the AFL FPicker mode and it appears to fail:

[*] Spinning up the fork server...
[!] WARNING: Old fork server model is used by the target, this still works though.
[+] All right - old fork server is up.
[*] Extended forkserver functions received (00000000).
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:001.bin'...
[D] DEBUG: calibration stage 1/7

[-] PROGRAM ABORT : No instrumentation detected
         Location : perform_dry_run(), src/afl-fuzz-init.c:1238

Quick question: would you know if the AFL++ and FPicker versions I am running are compatible?
Looking through the AFL++ afl-proxy.c example, it looks like (assuming NOT USEMMAP) AFL++ expects the proxy to

__afl_area_ptr = shmat(shm_id, 0, 0);

and write the coverage to __afl_area_ptr, and I understand that in FPicker this is done in harness/fuzzer.js. But it doesn't seem to work.
I don't mind trying to figure out how to get it to work, but I figured I would ask first what you think about this.

Thanks!

Using the CFLAGS="-DUSEMMAP=1" parameter to compile afl++ seems to cause an error

Hello, I encountered a link error with 3.14a on MacOS.

Compiler Environment:

  1. MacOS Big Sur 11.3.1
  2. llvm 12
  3. python3.9

Environment variable:

export LDFLAGS="-L/usr/local/opt/llvm/lib -Wl,-rpath,/usr/local/opt/llvm/lib"
export PATH="/usr/local/opt/llvm/bin:$PATH"
export CPPFLAGS="-I/usr/local/opt/llvm/include"

If I execute the make distrib command, it compiles normally.
If I execute the CFLAGS="-DUSEMMAP=1" make distrib command when compiling afl++, the compilation passes, but the link step reports an error:

[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; ASAN_OPTIONS=detect_leaks=0 AFL_QUIET=1 AFL_PATH=. AFL_LLVM_LAF_ALL=1 ./afl-cc -DUSEMMAP=1 -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wpointer-arith -I include/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -Wall -g -Wno-cast-qual -Wno-variadic-macros -Wno-pointer-sign -I ./include/ -I ./instrumentation/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DLLVM_BINDIR=\"/usr/local/Cellar/llvm/12.0.0_1/bin\" -DVERSION=\"++3.14a\" -DLLVM_LIBDIR=\"/usr/local/Cellar/llvm/12.0.0_1/lib\" -DLLVM_VERSION=\"12.0.0\" -Wno-deprecated -DAFL_CLANG_FLTO=\"-flto=full\" -DAFL_REAL_LD=\"/usr/local/Cellar/llvm/12.0.0_1/bin/ld.lld\" -DAFL_CLANG_LDPATH=\"\" -DAFL_CLANG_FUSELD=\"1\" -DCLANG_BIN=\"/usr/local/Cellar/llvm/12.0.0_1/bin/clang\" -DCLANGPP_BIN=\"/usr/local/Cellar/llvm/12.0.0_1/bin/clang++\" -DUSE_BINDIR=1 -Wno-unused-function -fdebug-prefix-map="/Users/cqy/AFLplusplus=llvm_mode" -I/usr/local/opt/llvm/include ./test-instr.c -o test-instr -L/usr/local/opt/llvm/lib -Wl,-rpath,/usr/local/opt/llvm/lib
ld: library not found for -lrt
clang-12: error: linker command failed with exit code 1 (use -v to see invocation)
make[1]: *** [test_build] Error 1
make: [llvm] Error 2 (ignored)
/Library/Developer/CommandLineTools/usr/bin/make -f GNUmakefile.gcc_plugin
[+] shmat seems to be working.
[*] Checking for working 'gcc'...
[*] Checking for gcc plugin development header files...
[-] Oops, can't find gcc header files. Be sure to install 'gcc-X-plugin-dev'.
make[1]: *** [test_deps] Error 1
make: [gcc_plugin] Error 2 (ignored)
[*] Testing the CC wrapper afl-cc and its instrumentation output...
afl-cc ++3.14a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: LLVM-PCGUARD
SanitizerCoveragePCGUARD++3.14a
[+] Instrumented 11 locations with no collisions (non-hardened mode).
ld: library not found for -lrt
clang-12: error: linker command failed with exit code 1 (use -v to see invocation)
Oops, afl-cc failed
make: *** [test_build] Error 1

I want to ask, have you encountered this situation?

Failed the examples/test on macOS while using AFL++ mode as README.md requires.

These are my commands:

➜  test git:(main) ✗ AFL_DEBUG=1 afl-fuzz -i ./in -o ./out -m none -- ../../fpicker -m afl -u shm -e attach -p test -f harness.js -v
[+] Enabled environment variable AFL_DEBUG with value 1
[+] Enabled environment variable AFL_DEBUG with value 1
afl-fuzz++4.09a based on afl by Michal Zalewski and a large online community
[+] AFL++ is maintained by Marc "van Hauser" Heuse, Dominik Maier, Andrea Fioraldi and Heiko "hexcoder" Eißfeldt
[+] AFL++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: AFL++ >= v3 has changed defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking CPU scaling governor...
[+] You have 12 CPU cores and 3 runnable tasks (utilization: 25%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/fuzzing_in_depth.md#c-using-multiple-cores
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning './in'...
[+] Loaded a total of 6 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[*] Extended forkserver functions received (00000000).
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:0'...
1
4
[D] DEBUG: calibration stage 1/7
5
6
7
8
7
AAAAA
../../fpicker

[-] Oops, the program crashed with one of the test cases provided. There are
    several possible explanations:

    - The test case causes known crashes under normal working conditions. If
      so, please remove it. The fuzzer should be seeded with interesting
      inputs - but not ones that cause an outright crash.

    - In QEMU persistent mode the selected address(es) for the loop are not
      properly cleaning up variables and memory. Try adding
      AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.

    - On MacOS X, the semantics of fork() syscalls are non-standard and may
      break afl-fuzz performance optimizations when running platform-specific
      targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.

    - Least likely, there is a horrible bug in the fuzzer. If other options
      fail, poke the Awesome Fuzzing Discord for troubleshooting tips.
[!] WARNING: Test case 'id:000000,time:0,execs:0,orig:0' results in a crash, skipping

and the syslogs are:

17:19:15.804460+0800	fpicker	[JS]: [*] afl_area_ptr: 0x0
17:19:15.804554+0800	fpicker	[JS]: [*] commap: 0x103f79000
17:19:15.804807+0800	fpicker	[JS]: [*] commap_id: /fp_comm_shm_10492_1804289383
17:19:15.805056+0800	fpicker	[JS]: [*] base: 0x1027ab000
17:19:15.805157+0800	fpicker	[JS]: [*] iteration_sem: 0x4
17:19:15.805352+0800	fpicker	[JS]: [*] exec_sem: 0x4
17:19:15.805589+0800	fpicker	[JS]: [*] Not excluding test from stalker
17:19:15.805721+0800	fpicker	[JS]: [*] Setting up interceptor
17:19:15.806433+0800	fpicker	[JS]: {"type":"send","payload":{"type":"_fpicker_ready","data":[{"name":"test","base":"0x1027ab000","size":16384,"path":"/Users/wujiesong3/Desktop/fpicker_test/fpicker/examples/test/test","id":0,"end":"0x1027af000"},{"name":"libSystem.B.dylib","base":"0x7ff811cf7000","size":8192,"path":"/usr/lib/libSystem.B.dylib","id":1,"end":"0x7ff811cf9000"},{"name":"libcache.dylib","base":"0x7ff811cf1000","size":24568,"path":"/usr/lib/system/libcache.dylib","id":2,"end":"0x7ff811cf6ff8"},{"name":"libcommonCrypto.dylib","base":"0x7ff811ca8000","size":49144,"path":"/usr/lib/system/libcommonCrypto.dylib","id":3,"end":"0x7ff811cb3ff8"},{"name":"libcompiler_rt.dylib","base":"0x7ff811cd5000","size":32768,"path":"/usr/lib/system/libcompiler_rt.dylib","id":4,"end":"0x7ff811cdd000"},{"name":"libcopyfile.dylib","base":"0x7ff811cc7000","size":57344,"path":"/usr/lib/system/libcopyfile.dylib","id":5,"end":"0x7ff811cd5000"},{"name":"libcorecrypto.dylib","base":"0x7ff805c26000","size":618448,"path":"/usr/lib/system/libcorecrypto.dyli<…>
17:19:15.806474+0800	fpicker	[*] MODULE=/Users/wujiesong3/Desktop/fpicker_test/fpicker/examples/test/test, start=0x1027ab000, end=0x1027af000
17:19:15.806587+0800	fpicker	[JS]: [1] before sem_wait in wait_for_exec (1694078355805)
17:19:15.809526+0800	fpicker	[*] Harness preparation done
17:19:15.809650+0800	fpicker	[*] Everything ready, starting to fuzz!
17:19:15.827044+0800	fpicker	[2] PRE SEM_POST in fuzz_iteration_in_process_shm: 1694078355827
17:19:15.827088+0800	fpicker	[*] POST SEM_POST in fuzz_iteration_in_process_shm: 1694078355827
17:19:15.827105+0800	fpicker	[*] PRE SEM_WAIT in fuzz_iteration_in_process_shm: 1694078355827
17:19:15.827117+0800	fpicker	[*] 1
17:19:15.827572+0800	fpicker	[JS]: [3] after sem_wait in wait_for_exec (1694078355827). This took 22 ms
17:19:15.827688+0800	fpicker	[JS]: 0x103f79020 5
17:19:15.827816+0800	fpicker	[JS]: [*] Interceptor ENTER (1694078355827)
17:19:15.829277+0800	fpicker	[JS]: {"type":"send","payload":{"type":"crash","msg":{"message":"access violation accessing 0xd8cd","type":"access-violation","address":"0x103f721b5","memory":{"operation":"read","address":"0xd8cd"},"context":{"pc":"0x103f721b5","sp":"0x700009691ef0","rax":"0xd8cd","rcx":"0xd8cd","rdx":"0x0","rbx":"0x10407c000","rsp":"0x700009691ef0","rbp":"0x700009691f20","rsi":"0x103f101f0","rdi":"0x700009692258","r8":"0x0","r9":"0x103eb66e0","r10":"0x0","r11":"0x1027aecd0","r12":"0x7000096925a0","r13":"0x1","r14":"0x2","r15":"0x0","rip":"0x103f721b5"},"nativeContext":"0x0","fileName":"test-fuzzer.js","lineNumber":38}}}
17:19:15.829315+0800	fpicker	[->] CRASH type received
17:19:15.829338+0800	fpicker	[->] message: {"type":"send","payload":{"type":"crash","msg":{"message":"access violation accessing 0xd8cd","type":"access-violation","address":"0x103f721b5","memory":{"operation":"read","address":"0xd8cd"},"context":{"pc":"0x103f721b5","sp":"0x700009691ef0","rax":"0xd8cd","rcx":"0xd8cd","rdx":"0x0","rbx":"0x10407c000","rsp":"0x700009691ef0","rbp":"0x700009691f20","rsi":"0x103f101f0","rdi":"0x700009692258","r8":"0x0","r9":"0x103eb66e0","r10":"0x0","r11":"0x1027aecd0","r12":"0x7000096925a0","r13":"0x1","r14":"0x2","r15":"0x0","rip":"0x103f721b5"},"nativeContext":"0x0","fileName":"test-fuzzer.js","lineNumber":38}}}
17:19:15.829353+0800	fpicker	[*] SEM_POST in _signal_exec_finished_with_ret_status 1694078355829
17:19:15.829380+0800	fpicker	[*] 2

I can't figure out where the mistakes lie. I just used the example in the repo and did as the README teaches.
This has confused me for three days at work.

Make Issue :@

Kindly provide clear instructions and commands always.

┌──(kali㉿kali)-[~/AFL++/AFLplusplus/fpicker-main]
└─$ make fpicker-linux
cc -fPIC -m64 -ffunction-sections -fdata-sections -Wall -Wno-format -Os -pipe -g3 fpicker.c fp_communication.c fp_standalone_mode.c fp_afl_mode.c -o fpicker -L. -lfrida-core-linux -ldl -lm -lresolv -lrt -Wl,--export-dynamic -Wl,--gc-sections,-z,noexecstack -pthread
In file included from fpicker.c:1:
fpicker.h:2:14: fatal error: frida-core-linux.h: No such file or directory
2 | #include "frida-core-linux.h"
| ^~~~~~~~~~~~~~~~~~~~
compilation terminated.
In file included from fp_communication.c:1:
fpicker.h:2:14: fatal error: frida-core-linux.h: No such file or directory
2 | #include "frida-core-linux.h"
| ^~~~~~~~~~~~~~~~~~~~
compilation terminated.
In file included from fp_standalone_mode.c:1:
fpicker.h:2:14: fatal error: frida-core-linux.h: No such file or directory
2 | #include "frida-core-linux.h"
| ^~~~~~~~~~~~~~~~~~~~
compilation terminated.
In file included from fp_afl_mode.c:1:
fpicker.h:2:14: fatal error: frida-core-linux.h: No such file or directory
2 | #include "frida-core-linux.h"
| ^~~~~~~~~~~~~~~~~~~~

unable to find method 'prepare'

I tried all the examples in the example folder as-is to practice using fpicker, but they do not work and produce the following error.

root@u20:/data/research/fpicker# AFL_DEBUG=1 afl-fuzz -i ./examples/protocol_example/in -o ./examples/protocol_example/out/ -- ./fpicker --fuzzer-mode afl -e attach -p protocol_example -f ./examples/protocol_example/harness.js 
[+] Enabled environment variable AFL_DEBUG with value 1
[+] Enabled environment variable AFL_DEBUG with value 1
afl-fuzz++4.05a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking core_pattern...
[!] WARNING: Could not check CPU scaling governor
[+] You have 2 CPU cores and 4 runnable tasks (utilization: 200%).
[!] WARNING: System under apparent load, performance may be spotty.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning './examples/protocol_example/in'...
[+] Loaded a total of 1 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...

[-] PROGRAM ABORT : Timeout while initializing fork server (setting AFL_FORKSRV_INIT_TMOUT may help)
         Location : afl_fsrv_start(), src/afl-forkserver.c:1036

The AFL_DEBUG and ulimit options did not help with debugging, and the syslog is as follows.

Mar 28 14:22:09 u20 fpicker:        __       _      _                     #012      / _|     (_)    | |                    #012     | |_ _ __  _  ___| | _____ _ __         #012     |  _| '_ \| |/ __| |/ / _ \ '__|      #012     | | | |_) | | (__|   <  __/ |           #012     |_| | .__/|_|\___|_|\_\___|_|        #012         | |                                 #012         |_|        Frida-Based Fuzzing Suite#012- - - - - - - - - - - - - - - - - - - - - - -#012
Mar 28 14:22:09 u20 fpicker: Running fpicker using the following configuration:
Mar 28 14:22:09 u20 fpicker: - fuzzer-mode: #011#011#011FUZZER_MODE_AFL
Mar 28 14:22:09 u20 fpicker: - coverage_mode: #011#011COVERAGE_MODE_STALKER_SUMMARY
Mar 28 14:22:09 u20 fpicker: - standalone_mutator: #011#011STANDALONE_MUTATOR_NULL
Mar 28 14:22:09 u20 fpicker: - communication_mode: #011#011COMMUNICATION_MODE_SEND
Mar 28 14:22:09 u20 fpicker: - input_mode: #011#011#011INPUT_MODE_IN_PROCESS
Mar 28 14:22:09 u20 fpicker: - exec_mode: #011#011#011EXEC_MODE_ATTACH
Mar 28 14:22:09 u20 fpicker: - device_type: #011#011#011DEVICE_LOCAL
Mar 28 14:22:09 u20 fpicker: - process_name: #011#011protocol_example
Mar 28 14:22:09 u20 fpicker: - command: #011#011#011(null)
Mar 28 14:22:09 u20 fpicker: - fuzzer_timeout: #011#011500
Mar 28 14:22:09 u20 fpicker: - fuzzer_sleep: #011#011100
Mar 28 14:22:09 u20 fpicker: - verbose: #011#011#011false
Mar 28 14:22:09 u20 fpicker: - agent_script: #011#011./examples/protocol_example/harness.js
Mar 28 14:22:09 u20 fpicker: - corpus_dir: #011#011#011(null)
Mar 28 14:22:09 u20 fpicker: - out_dir: #011#011#011(null)
Mar 28 14:22:09 u20 fpicker: - metrics: disabled
Mar 28 14:22:09 u20 fpicker: 
Mar 28 14:22:09 u20 fpicker: [*] SHM_ENV_VAR = 32823
Mar 28 14:22:09 u20 fpicker: [*] Found 2 Frida devices.
Mar 28 14:22:09 u20 fpicker: [*] Found desired Frida device: Local System(0)
Mar 28 14:22:09 u20 fpicker: [*] Trying to attach to process with name protocol_example.
Mar 28 14:22:09 u20 fpicker: [*] Found process protocol_example with PID 3987034
Mar 28 14:22:09 u20 fpicker: [*] Attached to process protocol_example on frida device Local System
Mar 28 14:22:09 u20 fpicker: [*] Agent script created
Mar 28 14:22:09 u20 fpicker: [->] error: {"type":"error","description":"TypeError: parent class must be constructor","stack":"TypeError: parent class must be constructor\n    at <anonymous> (test-fuzzer.js:5)","fileName":"test-fuzzer.js","lineNumber":5,"columnNumber":1}
Mar 28 14:22:09 u20 fpicker: [*] Agent script loaded
Mar 28 14:22:10 u20 fpicker: [*] Slept a bit to give the agent script some time.
Mar 28 14:22:10 u20 fpicker: [->] error_send_message: {"type":"send","payload":["frida:rpc",0,"error","unable to find method 'prepare'"]}

The test environment is as follows:

host info

root@u20:/data/research/fpicker# cat /etc/issue
Ubuntu 20.04.3 LTS \n \l

frida-core-devkit version

root@u20:/data/research/fpicker# ls -al frida-core-devkit*
-rw-r--r-- 1 root root 220743680  2월 11 21:09 frida-core-devkit-16.0.9-linux-x86_64.tar

frida-compile version

root@u20:/data/research/fpicker# npm list frida-compile
[email protected] /data/research/fpicker
└── [email protected]

Do I need to add or modify the prepare statement in the provided fuzzer.js file?

Fpicker instrumentation hangs in AFL proxy mode

Hi @ttdennis,

Let me just start by saying thank you for such a cool idea! I'm excited to use this for some fuzzing research I am performing. However, I've been running into an issue when trying to use fpicker to perform instrumentation while fuzzing with AFL++.

I'm trying to fuzz a function within the CoreAudio macOS library that handles incoming mach messages.

Here's the command I'm running:

sudo afl-fuzz -i in -o out -- ./fpicker -v --fuzzer-mode afl --communication-mode shm -e attach -p coreaudiod -f harness.js

Here's my harness.js file before compiling it with frida-compile:

// Import the fuzzer base class
import { Fuzzer } from "./harness/fuzzer.js";
//const Fuzzer = require("harness/fuzzer.js");

// The custom fuzzer needs to subclass the Fuzzer class to work properly
class TestFuzzer extends Fuzzer {
    constructor() {
        // The constructor needs to specify the address of the targeted function and a NativeFunction
        // object that can later be called by the fuzzer.

        const fuzz_function_addr = Module.enumerateSymbolsSync("CoreAudio").filter(function(o) {return o.name == "HALB_MIGServer_server";})[0].address;
        const fuzz_function = new NativeFunction(
            fuzz_function_addr,
            "int", ["pointer", "pointer"], {
        });

        super("CoreAudio", fuzz_function_addr, fuzz_function);
    }

    prepare() {
    }

    fuzz(payload, length) {

        const outputPointer = Memory.alloc(Process.pointerSize);
        Memory.writePointer(outputPointer, ptr("0x0"));

        this.target_function(payload, outputPointer);
    }
}

const f = new TestFuzzer();
//exports.fuzzer = f;
export const fuzzer = f;

However, fpicker stalls during the first test case, every time. Am I using the tool wrong? Any ideas? Thanks so much!

sudo afl-fuzz -i ../subsystem_messages/CoreAudio/HALB_MIGServer_server -o HALB_MIGServer_server-OUT -- ./fpicker -v --fuzzer-mode afl --communication-mode shm -e attach -p coreaudiod -f harness.js
Password:
afl-fuzz++4.06a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking CPU scaling governor...
[+] You have 4 CPU cores and 4 runnable tasks (utilization: 100%).
[*] Setting up output directories...
[*] Scanning '../subsystem_messages/CoreAudio/HALB_MIGServer_server'...
[+] Loaded a total of 1235 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:fffd8968a91c12de202b3a81c1b0c0f4'...

[-] Oops, the program crashed with one of the test cases provided. There are
    several possible explanations:

    - The test case causes known crashes under normal working conditions. If
      so, please remove it. The fuzzer should be seeded with interesting
      inputs - but not ones that cause an outright crash.

    - In QEMU persistent mode the selected address(es) for the loop are not
      properly cleaning up variables and memory. Try adding
      AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.

    - On MacOS X, the semantics of fork() syscalls are non-standard and may
      break afl-fuzz performance optimizations when running platform-specific
      targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.

    - Least likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <[email protected]> for troubleshooting tips.
[!] WARNING: Test case 'id:000000,time:0,execs:0,orig:fffd8968a91c12de202b3a81c1b0c0f4' results in a crash, skipping
[*] Attempting dry run with 'id:000001,time:0,execs:0,orig:fff272ad2955f2359fd438f00d9de95d'...
^Czsh: killed     sudo afl-fuzz -i ../subsystem_messages/CoreAudio/HALB_MIGServer_server -o  --

I dug into the logs a bit more and saw this output. It seems to be waiting for a semaphore to be released that never is:

log show --predicate 'process == "fpicker"' --last 5m

Filtering the log data using "process == "fpicker""
Skipping info and debug messages, pass --info and/or --debug to include.
Timestamp                       Thread     Type        Activity             PID    TTL  
2023-10-09 12:24:56.550043-0700 0xdcbff    Default     0x0                  35310  0    fpicker:        __       _      _                     
      / _|     (_)    | |                    
     | |_ _ __  _  ___| | _____ _ __         
     |  _| '_ \| |/ __| |/ / _ \ '__|      
     | | | |_) | | (__|   <  __/ |           
     |_| | .__/|_|\___|_|\_\___|_|        
         | |                                 
         |_|        Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -
2023-10-09 12:24:56.552630-0700 0xdcbff    Default     0x0                  35310  0    fpicker: Running fpicker using the following configuration:
2023-10-09 12:24:56.552634-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - fuzzer-mode: 			FUZZER_MODE_AFL
2023-10-09 12:24:56.552636-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - coverage_mode: 		COVERAGE_MODE_STALKER_SUMMARY
2023-10-09 12:24:56.552638-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - standalone_mutator: 		STANDALONE_MUTATOR_NULL
2023-10-09 12:24:56.552639-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - communication_mode: 		COMMUNICATION_MODE_SHM
2023-10-09 12:24:56.552640-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - input_mode: 			INPUT_MODE_IN_PROCESS
2023-10-09 12:24:56.552641-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - exec_mode: 			EXEC_MODE_ATTACH
2023-10-09 12:24:56.552642-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - device_type: 			DEVICE_LOCAL
2023-10-09 12:24:56.552647-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - process_name: 		coreaudiod
2023-10-09 12:24:56.552648-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - command: 			(null)
2023-10-09 12:24:56.552649-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - fuzzer_timeout: 		500
2023-10-09 12:24:56.552650-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - fuzzer_sleep: 		100
2023-10-09 12:24:56.552652-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - verbose: 			true
2023-10-09 12:24:56.552653-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - agent_script: 		harness.js
2023-10-09 12:24:56.552655-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - corpus_dir: 			(null)
2023-10-09 12:24:56.552656-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - out_dir: 			(null)
2023-10-09 12:24:56.552657-0700 0xdcbff    Default     0x0                  35310  0    fpicker: - metrics: disabled
2023-10-09 12:24:56.552663-0700 0xdcbff    Default     0x0                  35310  0    fpicker: 
2023-10-09 12:24:56.552666-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] SHM_ENV_VAR = /afl_35296_846930886
2023-10-09 12:24:56.575475-0700 0xdcc01    Activity    0x16cd0              35310  0    fpicker: (CoreFoundation) Loading Preferences From System CFPrefsD
2023-10-09 12:24:56.580202-0700 0xdcc01    Activity    0x16cd1              35310  0    fpicker: (TCC) TCCAccessRequest() IPC
2023-10-09 12:24:56.602599-0700 0xdcc01    Default     0x0                  35310  0    fpicker: (AppKit) [com.apple.AppKit:Appearance] Current system appearance, (HLTB: 2), (SLS: 1)
2023-10-09 12:24:56.604590-0700 0xdcc01    Default     0x0                  35310  0    fpicker: (libMobileGestalt.dylib) No persisted cache on this platform.
2023-10-09 12:24:56.605377-0700 0xdcc01    Default     0x0                  35310  0    fpicker: (libMobileGestalt.dylib) Failed to copy the SysCfgDict MG key with error: 0
2023-10-09 12:24:56.752310-0700 0xdcc01    Default     0x0                  35310  0    fpicker: (AppKit) [com.apple.AppKit:Appearance] Current system appearance, (HLTB: 2), (SLS: 1)
2023-10-09 12:24:56.753025-0700 0xdcc01    Default     0x0                  35310  0    fpicker: (AppKit) [com.apple.AppKit:Appearance] Post-registration system appearance: (HLTB: 2)
2023-10-09 12:24:56.756934-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Found 2 Frida devices.
2023-10-09 12:24:56.756943-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Found desired Frida device: Local System(0)
2023-10-09 12:24:56.756965-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Trying to attach to process with name coreaudiod.
2023-10-09 12:24:56.761833-0700 0xdcc08    Activity    0x16cd2              35310  0    fpicker: (libsystem_info.dylib) Retrieve User by Name
2023-10-09 12:24:56.807690-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Found process coreaudiod with PID 35284
2023-10-09 12:24:56.989409-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Attached to process coreaudiod on frida device Local System
2023-10-09 12:24:56.992157-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Agent script created
2023-10-09 12:24:57.097285-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Agent script loaded
2023-10-09 12:24:58.097628-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Slept a bit to give the agent script some time.
2023-10-09 12:24:58.097642-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] SEND: ["frida:rpc", 0, "call", "prepare", ["SHM", "AFL", "IN_PROCESS", "/afl_35296_846930886", "/fp_comm_shm_35310_1804289383", "1"]]
2023-10-09 12:24:58.099173-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] afl_area_ptr: 0x0
2023-10-09 12:24:58.099431-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] commap: 0x10a8d6000
2023-10-09 12:24:58.099675-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] commap_id: /fp_comm_shm_35310_1804289383
2023-10-09 12:24:58.099834-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] base: 0x7ff805b1f000
2023-10-09 12:24:58.100093-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] iteration_sem: 0xffffffffffffffff
2023-10-09 12:24:58.100246-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] exec_sem: 0xffffffffffffffff
2023-10-09 12:24:58.100474-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] Not excluding CoreAudio from stalker
2023-10-09 12:24:58.100742-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] Setting up interceptor
2023-10-09 12:24:58.109838-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: {"type":"send","payload":{"type":"_fpicker_ready","data":[{"name":"coreaudiod","base":"0x1084c9000","size":98304,"path":"/usr/sbin/coreaudiod","id":0,"end":"0x1084e1000"},{"name":"caulk","base":"0x7ff80d25c000","size":155648,"path":"/System/Library/PrivateFrameworks/caulk.framework/Versions/A/caulk","id":1,"end":"0x7ff80d282000"},{"name":"CoreAudio","base":"0x7ff805b1f000","size":7462910,"path":"/System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio","id":2,"end":"0x7ff80623cffe"},{"name":"CoreFoundation","base":"0x7ff803b6a000","size":4825088,"path":"/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation","id":3,"end":"0x7ff804004000"},{"name":"Foundation","base":"0x7ff8049e3000","size":10559479,"path":"/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation","id":4,"end":"0x7ff8053f4ff7"},{"name":"libobjc.A.dylib","base":"0x7ff803799000","size":245721,"path":"/usr/lib/libobjc.A.dylib","id":5,"end":"0x7ff8037d4fd9"},{"name":"libc++.1.dylib","base":"0<…>
2023-10-09 12:24:58.109848-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [*] MODULE=/usr/sbin/coreaudiod, start=0x1084c9000, end=0x1084e1000
2023-10-09 12:24:58.110678-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [1] before sem_wait in wait_for_exec (1696879498103)
2023-10-09 12:24:58.110691-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [3] after sem_wait in wait_for_exec (1696879498103). This took 0 ms
2023-10-09 12:24:58.110702-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] Interceptor ENTER (1696879498103)
2023-10-09 12:24:58.110738-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: {"type":"send","payload":{"type":"crash","msg":{"message":"access violation accessing 0xd8d1","type":"access-violation","address":"0x10873f1b5","memory":{"operation":"read","address":"0xd8d1"},"context":{"pc":"0x10873f1b5","sp":"0x70000f95ef80","rax":"0xd8d1","rcx":"0xd8d1","rdx":"0x0","rbx":"0x10fae3000","rsp":"0x70000f95ef80","rbp":"0x70000f95efb0","rsi":"0x10fea83e0","rdi":"0x70000f95f2e8","r8":"0x70000f95f3c8","r9":"0x10aa09800","r10":"0x0","r11":"0x7ff8060ebd0e","r12":"0x70000f95f580","r13":"0x1","r14":"0x2","r15":"0x0","rip":"0x10873f1b5"},"nativeContext":"0x0","fileName":"mach.js","lineNumber":28}}}
2023-10-09 12:24:58.110770-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [->] CRASH type received
2023-10-09 12:24:58.110774-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [->] message: {"type":"send","payload":{"type":"crash","msg":{"message":"access violation accessing 0xd8d1","type":"access-violation","address":"0x10873f1b5","memory":{"operation":"read","address":"0xd8d1"},"context":{"pc":"0x10873f1b5","sp":"0x70000f95ef80","rax":"0xd8d1","rcx":"0xd8d1","rdx":"0x0","rbx":"0x10fae3000","rsp":"0x70000f95ef80","rbp":"0x70000f95efb0","rsi":"0x10fea83e0","rdi":"0x70000f95f2e8","r8":"0x70000f95f3c8","r9":"0x10aa09800","r10":"0x0","r11":"0x7ff8060ebd0e","r12":"0x70000f95f580","r13":"0x1","r14":"0x2","r15":"0x0","rip":"0x10873f1b5"},"nativeContext":"0x0","fileName":"mach.js","lineNumber":28}}}
2023-10-09 12:24:58.110776-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [*] SEM_POST in _signal_exec_finished_with_ret_status 1696879498110
2023-10-09 12:24:58.110804-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [1] before sem_wait in wait_for_exec (1696879498105)
2023-10-09 12:24:58.110815-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [3] after sem_wait in wait_for_exec (1696879498105). This took 0 ms
2023-10-09 12:24:58.110825-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] Interceptor ENTER (1696879498105)
2023-10-09 12:24:58.114698-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Harness preparation done
2023-10-09 12:24:58.114725-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] Everything ready, starting to fuzz!
2023-10-09 12:24:58.129164-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [2] PRE SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129173-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] POST SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129175-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] PRE SEM_WAIT in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129179-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] POST SEM_WAIT in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129791-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [2] PRE SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129797-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] POST SEM_POST in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:24:58.129798-0700 0xdcbff    Default     0x0                  35310  0    fpicker: [*] PRE SEM_WAIT in fuzz_iteration_in_process_shm: 1696879498129
2023-10-09 12:25:28.336289-0700 0xdcc01    Default     0x0                  35310  0    fpicker: [JS]: [*] Interceptor ENTER (1696879528335)

Network device fuzzing with afl++ mode

Hi,

So I have to put the Frida Server on the mobile, do port forwarding and then run fpicker

Assuming I have test-network binary on the phone

This is what I should run:

afl-fuzz -i examples/test-network/in -o ./examples/test-network/out -- \
    ./fpicker --fuzzer-mode afl -e attach -p test-network -D remote -f ./examples/test-network/harness.js

Thanks,

failed on linux

Hi, I tested this on ubuntu18.04, but got the following error message:

$ afl-fuzz -i examples/test/in -o ./examples/test/out --      ./fpicker --fuzzer-mode afl -e attach -p test -f ./examples/test/harness.js
afl-fuzz++3.12a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[*] Checking core_pattern...
[!] WARNING: Could not check CPU scaling governor
[+] You have 4 CPU cores and 3 runnable tasks (utilization: 75%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.md.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning 'examples/test/in'...
[+] Loaded a total of 2 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
handshake with the injected code.
Most likely the target has a huge coverage map, retry with setting the
environment variable AFL_MAP_SIZE=8000000
Otherwise there is a horrible bug in the fuzzer.
Poke <[email protected]> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : afl_fsrv_start(), src/afl-forkserver.c:972

Error: compilation failed: module.c:45: error: field not found: undefined

Hello. I'm having an issue with running fpicker.

Here's my command: fpicker --fuzzer-mode active -e attach -p <target_process> -D remote -o ./out -i ./in -f harness.js

I'm running on an x86_64 host but my target application is a 32-bit binary running in a chroot. I also have Frida-Server-x86 running in that chroot to facilitate the remote connection.

Here's my harness:

// Import the fpicker fuzzer base class
const Fuzzer = require("./harness/fuzzer.js");

class TestFuzzer extends Fuzzer.Fuzzer {
    constructor() {
        // Resolve the function to fuzz and wrap it as a callable native function:
        // returns bool, takes (pointer buffer, size_t length)
        const fn_addr = Module.getExportByName("libtarget.so.0.1.0", "target_function");
        const fn = new NativeFunction(fn_addr, "bool", ["pointer", "size_t"], {});

        // Base class takes (name, target address, NativeFunction)
        super("target", fn_addr, fn);
    }

    // Called by fpicker for every test case with the payload buffer and its length
    fuzz(payload, len) {
        this.target_function(payload, parseInt(len));
    }
}

const f = new TestFuzzer();
exports.fuzzer = f;

Here's the output of when I run fpicker:

$ fpicker --fuzzer-mode active -e attach -p target -D remote -o ./out -i ./in -f harness.js
       __       _      _                     
      / _|     (_)    | |                    
     | |_ _ __  _  ___| | _____ _ __         
     |  _| '_ \| |/ __| |/ / _ \ '__|      
     | | | |_) | | (__|   <  __/ |           
     |_| | .__/|_|\___|_|\_\___|_|        
         | |                                 
         |_|        Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -

Running fpicker using the following configuration:
- fuzzer-mode: 			FUZZER_MODE_STANDALONE_ACTIVE
- coverage_mode: 		COVERAGE_MODE_STALKER_SUMMARY
- standalone_mutator: 		STANDALONE_MUTATOR_NULL
- communication_mode: 		COMMUNICATION_MODE_SEND
- input_mode: 			INPUT_MODE_IN_PROCESS
- exec_mode: 			EXEC_MODE_ATTACH
- device_type: 			DEVICE_REMOTE
- process_name: 		target
- command: 			(null)
- fuzzer_timeout: 		500
- fuzzer_sleep: 		100
- verbose: 			false
- agent_script: 		harness.js
- corpus_dir: 			./in
- out_dir: 			./out
- metrics: enabled

[*] Found 2 Frida devices.
[*] Found desired Frida device: Local Socket(1)
[*] Trying to attach to process target
[*] Found process targetwith PID 69823
[*] Attached to process target on frida device Local Socket
[*] Agent script created
[->] error: {"type":"error","description":"Error: compilation failed: module.c:45: error: field not found: undefined","stack":"Error: compilation failed: module.c:45: error: field not found: undefined\n    at <anonymous> (harness/stalker-instrumentation.js:64)\n    at call (native)\n    at o (../../../../../../../usr/local/lib/node_modules/frida-compile/node_modules/browser-pack/_prelude.js:1)\n    at <anonymous> (../../../../../../../usr/local/lib/node_modules/frida-compile/node_modules/browser-pack/_prelude.js:1)\n    at Fuzzer (harness/fuzzer.js:10)\n    at TestFuzzer (target-fuzzer.js:25)\n    at <anonymous> (target-fuzzer.js:46)\n    at call (native)\n    at o (../../../../../../../usr/local/lib/node_modules/frida-compile/node_modules/browser-pack/_prelude.js:1)\n    at r (../../../../../../../usr/local/lib/node_modules/frida-compile/node_modules/browser-pack/_prelude.js:1)\n    at <eval> (/harness.js:527)","fileName":"harness/stalker-instrumentation.js","lineNumber":64,"columnNumber":1}
[*] Agent script loaded
^C

Frida-server is not outputting anything while running in verbose mode.

Any Help would be appreciated.

The AFL test failed

I tried the example in Readme and executed the following command:

afl-fuzz -i examples/test-network/in -o ./examples/test-network/out -- ./fpicker --fuzzer-mode afl -e attach -p test-network -f ./examples/test-network/harness.js
[-] Hmm, looks like the target binary terminated before we could complete a
handshake with the injected code. You can try the following:

    - The target binary crashes because necessary runtime conditions it needs
      are not met. Try to:
      1. Run again with AFL_DEBUG=1 set and check the output of the target
         binary for clues.
      2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and analyze the
         generated core dump.

    - Possibly the target requires a huge coverage map and has CTORS.
      Retry with setting AFL_MAP_SIZE=10000000.

Otherwise there is a horrible bug in the fuzzer.
Poke <[email protected]> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : afl_fsrv_start(), src/afl-forkserver.c:1175

javascript issues

 ✘ u@MBP ~/Code/fpicker <main ±> $ ./fpicker --fuzzer-mode active -e attach -p test -o examples/test/out/ -i examples/test/in/ -f examples/test/test-fuzzer.js
       __       _      _
      / _|     (_)    | |
     | |_ _ __  _  ___| | _____ _ __
     |  _| '_ \| |/ __| |/ / _ \ '__|
     | | | |_) | | (__|   <  __/ |
     |_| | .__/|_|\___|_|\_\___|_|
         | |
         |_|        Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -

Running fpicker using the following configuration:
- fuzzer-mode: 			FUZZER_MODE_STANDALONE_ACTIVE
- coverage_mode: 		COVERAGE_MODE_STALKER_SUMMARY
- standalone_mutator: 		STANDALONE_MUTATOR_NULL
- communication_mode: 		COMMUNICATION_MODE_SEND
- input_mode: 			INPUT_MODE_IN_PROCESS
- exec_mode: 			EXEC_MODE_ATTACH
- device_type: 			DEVICE_LOCAL
- process_name: 		test
- command: 			(null)
- fuzzer_timeout: 		500
- fuzzer_sleep: 		100
- verbose: 			false
- agent_script: 		examples/test/test-fuzzer.js
- corpus_dir: 			examples/test/in/
- out_dir: 			examples/test/out/
- metrics: enabled

[*] Found 2 Frida devices.
[*] Found desired Frida device: Local System(0)
[*] Trying to attach to process test
[*] Found process test with PID 33317
[*] Attached to process test on frida device Local System
[!] Unable to create agent script: Script(line 1): SyntaxError: expecting '('
[!] Error injecting Frida agent script

The code seems to be a bit old and there are issues with the javascript engine

also in order to be able to execute that script I added

import { createRequire } from 'module';
const require = createRequire(import.meta.url);

before

// Import the fuzzer base class
const Fuzzer = require("../../harness/fuzzer.js");

FPicker/AFL++ to fuzz network application.

I'm exploring the use of fpicker for a specific application and wonder if anyone else has tried something similar. Initially, I intended to use an AFL-proxy I developed for fuzzing embedded systems. However, my focus shifted after discovering fpicker. I'm working with a Linux licensing server program that communicates over a network socket. My goal is to fuzz this server binary using AFL++/fpicker specifically targeting the network handling function (like the recv() function from a client) and leveraging FRIDA or another Dynamic Binary Instrumentation (DBI) for coverage analysis. This coverage data would then feedback into AFL++'s loop, updating the coverage map as expected.

My key question is: does fpicker support a mode where I can send test cases to the target through a socket connection, as opposed to using Shared Memory (SHM) or other Inter-Process Communication (IPC) mechanisms? This approach seems theoretically feasible, but I'm curious if there are any known limitations or reasons it might not work. I'm eager to test this out and would appreciate any insights or experiences anyone might have in this area.

Linux make fpicker-linux frida-core.h fault

My current directory structure is:

syc@ubuntu:~/Downloads/fpicker-main$ tree ./
./
├── aflpp-ios.patch
├── assets
│   └── fpicker_logo.png
├── examples
│   ├── protocol_example
│   │   ├── in
│   │   │   └── 1
│   │   ├── protocol_example.c
│   │   ├── README.md
│   │   ├── test-fuzzer.js
│   │   └── wisec21_tutorial_frida_fuzzing.pdf
│   ├── test
│   │   ├── in
│   │   │   ├── 0
│   │   │   └── 1
│   │   ├── Makefile
│   │   ├── test.c
│   │   └── test-fuzzer.js
│   └── test-network
│       ├── in
│       │   ├── 0
│       │   └── 1
│       ├── Makefile
│       ├── test-network.c
│       └── test-network-fuzzer.js
├── fp_afl_mode.c
├── fp_communication.c
├── fpicker.c
├── fpicker.h
├── fp_standalone_mode.c
├── frida-core-linux.h
├── harness
│   ├── darwin-shm.js
│   ├── fuzzer.js
│   └── stalker-instrumentation.js
├── libfrida-core-linux.a
├── LICENSE
├── Makefile
└── README.md

A compile error occurs, indicating that there is no frida-core.h

syc@ubuntu:~/Downloads/fpicker-main$ make fpicker-linux
cc -fPIC -m64 -ffunction-sections -fdata-sections -Wall -Wno-format -Os -pipe -g3 fpicker.c fp_communication.c fp_standalone_mode.c fp_afl_mode.c -o fpicker -L. -lfrida-core-linux -ldl -lm -lresolv -lrt -Wl,--export-dynamic -Wl,--gc-sections,-z,noexecstack -pthread
fpicker.c:2:10: fatal error: frida-core.h: No such file or directory
    2 | #include "frida-core.h"
      |          ^~~~~~~~~~~~~~
compilation terminated.
In file included from /usr/include/string.h:495,
                 from frida-core-linux.h:22131,
                 from fpicker.h:2,
                 from fp_communication.c:1:
In function ‘strncpy’,
    inlined from ‘create_communication_map’ at fp_communication.c:257:5:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: ‘__builtin_strncpy’ output truncated before terminating nul copying 12 bytes from a string of the same length [-Wstringop-truncation]
  106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
make: *** [Makefile:11: fpicker-linux] Error 1

I can compile it successfully if I re-patch it (frida-core-devkit-15.2.2-linux-x86_64)

./
├── aflpp-ios.patch
├── assets
│   └── fpicker_logo.png
├── examples
│   ├── protocol_example
│   │   ├── in
│   │   │   └── 1
│   │   ├── protocol_example.c
│   │   ├── README.md
│   │   ├── test-fuzzer.js
│   │   └── wisec21_tutorial_frida_fuzzing.pdf
│   ├── test
│   │   ├── in
│   │   │   ├── 0
│   │   │   └── 1
│   │   ├── Makefile
│   │   ├── test.c
│   │   └── test-fuzzer.js
│   └── test-network
│       ├── in
│       │   ├── 0
│       │   └── 1
│       ├── Makefile
│       ├── test-network.c
│       └── test-network-fuzzer.js
├── fp_afl_mode.c
├── fp_communication.c
├── fpicker.c
├── fpicker.h
├── fp_standalone_mode.c
├── frida-core.h
├── frida-core-linux.h
├── harness
│   ├── darwin-shm.js
│   ├── fuzzer.js
│   └── stalker-instrumentation.js
├── libfrida-core-linux.a
├── LICENSE
├── Makefile
└── README.md

syc@ubuntu:~/Downloads/fpicker-main$ make fpicker-linux
cc -fPIC -m64 -ffunction-sections -fdata-sections -Wall -Wno-format -Os -pipe -g3 fpicker.c fp_communication.c fp_standalone_mode.c fp_afl_mode.c -o fpicker -L. -lfrida-core-linux -ldl -lm -lresolv -lrt -Wl,--export-dynamic -Wl,--gc-sections,-z,noexecstack -pthread
In file included from /usr/include/string.h:495,
                 from frida-core-linux.h:22131,
                 from fpicker.h:2,
                 from fp_communication.c:1:
In function ‘strncpy’,
    inlined from ‘create_communication_map’ at fp_communication.c:257:5:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: ‘__builtin_strncpy’ output truncated before terminating nul copying 12 bytes from a string of the same length [-Wstringop-truncation]
  106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Is this right?
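Both build logs above also carry a `-Wstringop-truncation` warning from `create_communication_map` in fp_communication.c: "output truncated before terminating nul copying 12 bytes from a string of the same length". The following C program is an added illustration of the defect class that warning describes, not fpicker's code: `strncpy()` with a bound equal to the source length leaves no NUL terminator, and a later `strlen()` or `"%s"` reads past the buffer. `NAME_LEN`, the function names and the sample strings are assumptions chosen to match the warning; the second function shows a bounded copy that always terminates and reports truncation to the caller.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not fpicker's code. NAME_LEN is an assumption chosen
 * to match the "copying 12 bytes" in the compiler warning above. */
#define NAME_LEN 12

/* Returns 1 if buf holds a NUL within its first n bytes, 0 otherwise. */
int is_terminated(const char *buf, size_t n) {
    return memchr(buf, '\0', n) != NULL;
}

/* The pattern the compiler warns about: strncpy() pads with NULs only when
 * the source is shorter than the bound. A source of exactly NAME_LEN bytes
 * fills the buffer completely and leaves no terminator.
 * Returns whether dst ended up NUL-terminated. */
int copy_name_strncpy(char dst[NAME_LEN], const char *src) {
    memset(dst, 'X', NAME_LEN);          /* make a missing NUL observable */
    strncpy(dst, src, NAME_LEN);
    return is_terminated(dst, NAME_LEN);
}

/* Bounded copy that always terminates and tells the caller about truncation
 * instead of silently dropping the NUL.
 * Returns 0 on a complete copy, -1 if the source was truncated. */
int copy_name_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);             /* n + 1 includes the terminator */
    return 0;
}

int main(void) {
    char a[NAME_LEN], b[NAME_LEN];
    int rc;

    printf("strncpy, 12-byte source terminated? %d\n",
           copy_name_strncpy(a, "fpicker_test"));
    printf("strncpy, 5-byte source terminated?  %d\n",
           copy_name_strncpy(a, "short"));

    rc = copy_name_bounded(b, sizeof b, "fpicker_test");
    printf("bounded copy of 12-byte source: rc=%d dst=\"%s\"\n", rc, b);
    return 0;
}
```

Whether the warning points at an exploitable defect in fp_communication.c depends on how the copied field is consumed afterwards, which the build output above does not show; a fixed-size field that is always read with an explicit length is harmless, while one that is later passed to a string function is not.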

Fuzzing in afl++ mode on android device

Hi!

Read the doc, but could not figure it out.

Have a binary with a function (that takes a buffer and a length) on an Android device.

Can I fuzz it with fpicker?

Wanted to use afl++ mode on it.

I saw fuzzing on network device, but how to fuzz on an Android mobile?

Or I should somehow install ssh on the mobile?

Maybe I am missing something.

Thanks,

Standalone mode works but AFL++ does not

Using the same harness and process in Standalone mode works but AFL++ mode does not.

Do I do something wrong? How can I debug it? Fix it?

[+] Loaded environment variable AFL_DEBUG with value 1
[+] Loaded environment variable AFL_DEBUG with value 1
afl-fuzz++3.13a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[+] You have 4 CPU cores and 11 runnable tasks (utilization: 275%).
[!] WARNING: System under apparent load, performance may be spotty.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning 'examples/test-network/in'...
[+] Loaded a total of 2 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
handshake with the injected code. You can try the following:

    - The target binary crashes because necessary runtime conditions it needs
      are not met. Try to:
      1. Run again with AFL_DEBUG=1 set and check the output of the target
         binary for clues.
      2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and analyze the
         generated core dump.

    - Possibly the target requires a huge coverage map and has CTORS.
      Retry with setting AFL_MAP_SIZE=10000000.

Otherwise there is a horrible bug in the fuzzer.
Poke <[email protected]> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : afl_fsrv_start(), src/afl-forkserver.c:1029

Here in standalone mode


       __       _      _                     
      / _|     (_)    | |                    
     | |_ _ __  _  ___| | _____ _ __         
     |  _| '_ \| |/ __| |/ / _ \ '__|      
     | | | |_) | | (__|   <  __/ |           
     |_| | .__/|_|\___|_|\_\___|_|        
         | |                                 
         |_|        Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -

Running fpicker using the following configuration:
- fuzzer-mode: 			FUZZER_MODE_STANDALONE_ACTIVE
- coverage_mode: 		COVERAGE_MODE_STALKER_SUMMARY
- standalone_mutator: 		STANDALONE_MUTATOR_NULL
- communication_mode: 		COMMUNICATION_MODE_SEND
- input_mode: 			INPUT_MODE_IN_PROCESS
- exec_mode: 			EXEC_MODE_ATTACH
- device_type: 			DEVICE_REMOTE
- process_name: 		stagefright
- command: 			(null)
- fuzzer_timeout: 		500
- fuzzer_sleep: 		100
- verbose: 			false
- agent_script: 		fuzzer-agent.js
- corpus_dir: 			examples/test/in/
- out_dir: 			examples/test/out/
- metrics: enabled

[*] Found 3 Frida devices.
[*] Found desired Frida device: Local Socket(1)
[*] Trying to attach to process stagefright
[*] Found process stagefright with PID 26487
[*] Attached to process stagefright on frida device Local Socket
[*] Agent script created
[*] Agent script loaded
[*] Slept a bit to give the agent script some time.
[*] MODULE=/data/local/tmp/stagefright, start=0x5b822941a000, end=0x5b822942f000
[*] Harness preparation done
[*] Fuzzer is ready.
[*] Getting corpus coverage (0)
