Comments (15)

0vercl0k avatar 0vercl0k commented on July 24, 2024 2

from winafl.

ivanfratric avatar ivanfratric commented on July 24, 2024

Which WinAFL version are you using?

I'm not sure this is the cause of your crash, but
-target_module should take just the name, not a path, so -target_module FuzzSample.exe
-nargs is missing (unless it's intended to be 0)

Does the debug log get created at all?
Can you run your target under DynamoRIO but without WinAFL like this:

C:\Users\in3o\Desktop\acrobat\dynamorio\build\bin32\drrun.exe -- "C:\Users\in3o\Documents\FuzzSample\Release\FuzzSample.exe" in\sample.txt

shba24 avatar shba24 commented on July 24, 2024

I got the latest winAFL from the github. Compiled with latest DynamoRio.

When I tried to run
C:\Users\in3o\Desktop\acrobat\dynamorio\build\bin32\drrun.exe -c winafl.dll -debug -target_module FuzzSample.exe -target_method Fuzz -coverage_module vulnerable.dll -fuzz_iterations 10000 -nargs 0 -- "C:\Users\in3o\Documents\FuzzSample\Release\FuzzSample.exe" in\sample.txt

I got the following log:

Module loaded, MFC140ENU.DLL
Module loaded, drreg.dll
Module loaded, FuzzSample.exe
Exception caught: c0000005
crashed
WARNING: Target function was never called. Incorrect target_offset?
Coverage map follows:

If you need the sample Fuzz Code which I am fuzzing, I can provide you that too.

I tried - C:\Users\in3o\Desktop\acrobat\dynamorio\build\bin32\drrun.exe -- "C:\Users\in3o\Documents\FuzzSample\Release\FuzzSample.exe" in\sample.txt. It's giving me the same error.

<Application C:\Users\in3o\Desktop\acrobat\winafl\bin32\test_gdiplus.exe (8616). WinAFL internal crash at PC 0x702bcffb. Please report this at . Program aborted.
0xc0000005 0x00000000 0x702bcffb 0x702bcffb 0x00000003 0x00000000
Base: 0x701f0000
Registers: eax=0x00000000 ebx=0x009af118 ecx=0xd27a70b4 edx=0x00000000
esi=0x1a65db10 edi=0x1a65db04 esp=0x009af138 ebp=0x009af1e8
eflags=0x0001020
version 6.2.17367, custom build
-no_dynamic_options -client_lib 'C:\Users\in3o\Desktop\acrobat\winafl\bin32\winafl.dll;0;"-debug" "-target_module" "FuzzSample.exe" "-target_method" "Fuzz" "-coverage_module" "vulnerable.dll" "-fuzz_iterations" "10000" "-nargs" "0"' -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignore
0x009af1e8 0x702976f4
0x009af214 0x70297591
0x009af720 0x702972db
0x009af760 0x7022095d
0x009af788 0x70290f2c
0x009af7a8 0x702bc8c8>

ivanfratric avatar ivanfratric commented on July 24, 2024

Wait, how can you get the same error when the command line doesn't include WinAFL at all and the error log references winafl.dll (that shouldn't even exist in the same address space)? Can you double-check and try again? Your error log also references test_gdiplus.exe, which isn't present anywhere in the command line.

shba24 avatar shba24 commented on July 24, 2024

Sorry, I added the wrong log. Here is the correct log.

<Application C:\Users\in3o\Documents\FuzzSample\Release\FuzzSample.exe (3804). DynamoRIO internal crash at PC 0x7063cffb. Please report this at http://dynamorio.org/issues/. Program aborted.
0xc0000005 0x00000000 0x7063cffb 0x7063cffb 0x00000003 0x00000000
Base: 0x70570000
Registers: eax=0x00000000 ebx=0x00aff6c8 ecx=0xd27a70b4 edx=0x00000000
esi=0x24ee2080 edi=0x24ee207c esp=0x00aff6e8 ebp=0x00aff798
eflags=0x0001
version 6.2.17367, custom build
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct -no_aslr_dr -pad_jmps_mark_no_trace
0x00aff798 0x706176f4
0x00aff7c4 0x70617591
0x00affcd0 0x706172db
0x00affd10 0x705a095d
0x00affd38 0x70610f2c
0x00affd58 0x7063c8c8>

Apologies.

ivanfratric avatar ivanfratric commented on July 24, 2024

Hmm in that case the issue seems to be with how DR interacts with your target and not in WinAFL. Can you try disabling your antivirus? Antivirus software caused similar issues in the past.

shba24 avatar shba24 commented on July 24, 2024

Seems like it. Can you confirm which version of DR would work perfectly with winafl?

I don't have any antivirus, just Windows Defender, but I don't think that's interfering here.

ivanfratric avatar ivanfratric commented on July 24, 2024

I'm using 6.2.0-2 from https://github.com/DynamoRIO/dynamorio/wiki/Downloads

shba24 avatar shba24 commented on July 24, 2024

I tried it with version 6.2.0-2; it's working there. I don't know what bug DynamoRIO introduced.
Anyways, I am running WinAFL on linked code.

I am getting the following statistics.

           WinAFL 1.09 based on AFL 2.43b (FuzzSample.exe)

+- process timing -------------------------------------+- overall results ----+
|        run time : 0 days, 0 hrs, 10 min, 35 sec      |  cycles done : 1     |
|   last new path : none seen yet                      |  total paths : 2     |
| last uniq crash : none seen yet                      | uniq crashes : 0     |
|  last uniq hang : none seen yet                      |   uniq hangs : 0     |
+- cycle progress --------------------+- map coverage -+----------------------+
|  now processing : 0 (0.00%)         |    map density : 0.00% / 0.01%        |
| paths timed out : 0 (0.00%)         | count coverage : 1.00 bits/tuple      |
+- stage progress --------------------+ findings in depth --------------------+
|  now trying : splice 7              | favored paths : 2 (100.00%)           |
| stage execs : 1/16 (6.25%)          |  new edges on : 2 (100.00%)           |
| total execs : 420                   | total crashes : 0 (0 unique)          |
|  exec speed : 0.69/sec (zzzz...)    |  total tmouts : 0 (0 unique)          |
+- fuzzing strategy yields -----------+---------------+- path geometry -------+
|   bit flips : 0/0, 0/0, 0/0                         |    levels : 1         |
|  byte flips : 0/0, 0/0, 0/0                         |   pending : 0         |
| arithmetics : 0/0, 0/0, 0/0                         |  pend fav : 0         |
|  known ints : 0/0, 0/0, 0/0                         | own finds : 0         |
|  dictionary : 0/0, 0/0, 0/0                         |  imported : n/a       |
|       havoc : 0/306, 0/96                           | stability : 100.00%   |
|        trim : n/a, n/a                              +-----------------------+
^C----------------------------------------------------+

exec speed : 0.69/sec (zzzz...) - the speed is way too slow. What do you think is the problem?

Here is the command line I am using ->

afl-fuzz.exe -i - -o out -D C:\Users\in3o\dynamorio-6.2.0-2\bin32 -t 20000+ -- -fuzz_iterations 50000 -covtype edge -target_module FuzzSample.exe -target_method Fuzz -nargs 0 -coverage_module vulnerable.dll -- "C:\Users\in3o\FuzzSample.exe" @@
Here is the log during my test run. I don't see any issue here, but still.
afl.FuzzSample.exe.27696.0000.proc.txt

ivanfratric avatar ivanfratric commented on July 24, 2024

Please see "WinAFL runs slower than expected" in the FAQ section of the readme. I'd say that "return;" without first closing the file is the problem.

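The FAQ point in the reply above is that a target function which returns without closing its input file stalls the next iteration. The following is an added illustration, not code from this thread or from WinAFL: a hypothetical Fuzz harness in its leaky form beside a fixed single-exit version, with a constructed handle counter and a constructed sample file so the difference can be checked offline (the open/close wrappers, the parse_input stub, and the file names are all assumptions).

```c
#include <stdio.h>

/* Number of input files the harness currently holds open. This counter
   is instrumentation constructed for the example, not part of WinAFL. */
static int open_inputs = 0;

static FILE *open_input(const char *path) {
    FILE *f = fopen(path, "rb");
    if (f) open_inputs++;
    return f;
}
static void close_input(FILE *f) {
    if (f) { fclose(f); open_inputs--; }
}

/* Hypothetical parser stub: accepts only inputs that start with "FZ". */
static int parse_input(const unsigned char *buf, size_t len) {
    return len >= 2 && buf[0] == 'F' && buf[1] == 'Z';
}

/* Before: the early "return" on a rejected input skips the close, so the
   file stays open and the fuzzer cannot rewrite it for the next run. */
int fuzz_leaky(const char *path) {
    unsigned char buf[64];
    FILE *f = open_input(path);
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    if (!parse_input(buf, n))
        return 0;               /* bug: f is still open here */
    close_input(f);
    return 1;
}

/* After: one exit path, so the input file is released on every iteration. */
int fuzz_fixed(const char *path) {
    unsigned char buf[64];
    FILE *f = open_input(path);
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    int rc = parse_input(buf, n) ? 1 : 0;
    close_input(f);
    return rc;
}

int leaked_inputs(void) { return open_inputs; }
void reset_leak_count(void) { open_inputs = 0; }

/* Writes a constructed sample file so the harness can be exercised offline. */
int write_sample(const char *path, const char *data) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}
```

Running fuzz_leaky on a rejected input leaves leaked_inputs() at 1, while fuzz_fixed returns it to 0 whether the input is accepted or not.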

shba24 avatar shba24 commented on July 24, 2024

Yes. That was the problem. Thanks, ivanfratric.

shba24 avatar shba24 commented on July 24, 2024

@ivanfratric Is there any tool or feature for visualization of code coverage?

I can't see whether my code is reaching a certain function or not.

shba24 avatar shba24 commented on July 24, 2024

@0vercl0k I have to do it automatically; also, I can't afford IDA Pro as of now. Nice tool btw, useful during CTFs for sure.

Looking for something like https://github.com/mrash/afl-cov if there is, otherwise I will have to write it myself.

ivanfratric avatar ivanfratric commented on July 24, 2024

@iN3O I'd also suggest filing a bug with DynamoRIO and mentioning you have an app that works fine on DR 6 but crashes on DR 7; perhaps DR devs will be interested in this.

ksloven avatar ksloven commented on July 24, 2024

Hi, I have the same issue with both winafl and dynamorio crashing with "internal crash; program aborted" as reported above. Following the thread, I thought it was because I used DynamoRIO 7, but I downloaded and used DynamoRIO 6 and still get the same error.

Anti-virus (Defender) disabled from real-time scanning.
Even running it directly with drrun, I still get the same error (and it's not just Adobe; almost any binary I have run thus far).
C:\DynamoRIO\bin32>drrun.exe -- "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" C:\winafl\testcases\others\pdf\small.pdf

Any pointers?

Thanks
