def start(config): if not post_self_check(config): return -1 if config.argument_values['v']: enable_logging(config.argument_values["work_dir"]) log_info("Dumping target addresses...") # TODO: use proper temp file or store to $work_dir if os.path.exists("/tmp/kAFL_info.txt"): os.remove("/tmp/kAFL_info.txt") q = qemu(0, config) q.start() q.shutdown() try: with open("/tmp/kAFL_info.txt", 'r') as f: print(f.read()) os.remove("/tmp/kAFL_info.txt") except: pass return 0
def main(): global null_hash KAFL_ROOT = os.path.dirname(os.path.realpath(__file__)) + "/" KAFL_CONFIG = KAFL_ROOT + "kafl.ini" print("<< " + common.color.BOLD + common.color.OKGREEN + " kAFL Coverage Analyzer " + common.color.ENDC + ">>\n") if not self_check(KAFL_ROOT): return -1 config = DebugConfiguration(KAFL_CONFIG) if not post_self_check(config): return -1 verbose = config.argument_values['v'] if verbose: enable_logging(config.argument_values["work_dir"]) data_dir = config.argument_values["input"] null_hash = ExecutionResult.get_null_hash( config.config_values['BITMAP_SHM_SIZE']) print(" Scanning target data_dir »%s«..." % data_dir) input_list = get_inputs_by_time(data_dir) trace_dir = generate_traces(config, input_list) if not trace_dir: return -1 trace_parser = TraceParser(trace_dir) trace_parser.parse_trace_list(input_list) trace_parser.gen_reports()
def main(): KAFL_ROOT = os.path.dirname(os.path.realpath(__file__)) + "/" KAFL_CONFIG = KAFL_ROOT + "kafl.ini" print("<< " + common.color.BOLD + common.color.OKGREEN + " kAFL Coverage Analyzer " + common.color.ENDC + ">>\n") if not self_check(KAFL_ROOT): return -1 config = DebugConfiguration(KAFL_CONFIG) if not post_self_check(config): return -1 verbose = config.argument_values['v'] if verbose: enable_logging(config.argument_values["work_dir"]) data_dir = config.argument_values["input"] print(" Scanning target data_dir »%s«..." % data_dir) input_list = get_inputs_by_time(data_dir) trace_dir = generate_traces(config, input_list) if not trace_dir: return -1 plot_bbs_from_traces(trace_dir, input_list)
def start(): config = InfoConfiguration() if not post_self_check(config): return -1 config.argument_values["work_dir"] = DEFAULT_INFO_WORKDIR if config.argument_values['v']: enable_logging(config.argument_values["work_dir"]) prepare_working_dir(config.argument_values['work_dir']) log_info("Dumping target addresses...") if os.path.exists("/tmp/kAFL_info.txt"): os.remove("/tmp/kAFL_info.txt") q = qemu(0, config) q.start() q.__del__() try: for line in open("/tmp/kAFL_info.txt"): print line, os.remove("/tmp/kAFL_info.txt") except: pass shutil.rmtree(DEFAULT_INFO_WORKDIR) return 0
def start(config): if not post_self_check(config): return -1 work_dir = config.argument_values["work_dir"] if config.argument_values['v'] or config.argument_values['debug']: enable_logging(work_dir) if not prepare_working_dir(config): print_fail("Refuse to operate on existing work directory. Use --purge to override.") return 1 # Load an interface json file. interface_manager.load(config.argument_values['interface']) # Start IRPT! qemu_sweep() proc = Process(config) try: proc.loop() except KeyboardInterrupt: print_note("Received Ctrl-C") finally: proc.database.save() proc.shutdown() os._exit(0)
def start(config): prepare_working_dir(config) if not post_self_check(config): return -1 # kAFL debug output is redirected to logs as part of -v mode. stdout will only print test/debug results. if config.argument_values['v']: enable_logging(config.argument_values["work_dir"]) # Without -ip0, Qemu will not active PT tracing and Redqueen will not # attempt to handle debug traps. This is a requirement for modes like gdb. if not config.argument_values['ip0']: print_warning("No trace region configured! Intel PT disabled!") max_execs = config.argument_values['n'] try: # TODO: noise, benchmark, trace are working, others untested mode = config.argument_values['action'] if (mode == "noise"): debug_non_det(config, max_execs) elif (mode == "benchmark"): benchmark(config) elif (mode == "gdb"): gdb_session(config, qemu_verbose=True) elif (mode == "single"): execute_once(config, max_execs) elif (mode == "trace"): debug_execution(config, max_execs) elif (mode == "trace-qemu"): debug_execution(config, max_execs, qemu_verbose=True) elif (mode == "printk"): debug_execution(config, 1, qemu_verbose=True, notifiers=False) elif (mode == "redqueen"): redqueen_dbg(config, qemu_verbose=False) elif (mode == "redqueen-qemu"): redqueen_dbg(config, qemu_verbose=True) elif (mode == "verify"): verify_dbg(config, qemu_verbose=True) else: print("Unknown debug mode. Exit") except Exception as e: raise finally: # cleanup #os.system("stty sane") for i in range(512): if os.path.exists("/tmp/kAFL_printf.txt." + str(i)): os.remove("/tmp/kAFL_printf.txt." + str(i)) else: break print( "\nDone. Check logs for details.\nAny remaining qemu instances should be GC'ed on exit:" ) os.system("pgrep qemu-system") return 0
def start(): config = FuzzerConfiguration() if not post_self_check(config): return -1 if config.argument_values['v']: enable_logging(config.argument_values["work_dir"]) num_processes = config.argument_values['p'] if not config.argument_values['Purge']: if ask_for_permission("PURGE", " to wipe old workspace:"): print_warning("Wiping old workspace...") time.sleep(2) else: print_fail("Aborting...") return 0 prepare_working_dir(config.argument_values['work_dir']) if not copy_seed_files(config.argument_values['work_dir'], config.argument_values['seed_dir']): print_fail("Seed directory is empty...") return 1 master = MasterProcess(config) slaves = [] for i in range(num_processes): print "fuzzing process {}".format(i) slaves.append( multiprocessing.Process(name='SLAVE' + str(i), target=slave_loader, args=(i, ))) slaves[i].start() try: master.loop() except KeyboardInterrupt: pass signal.signal(signal.SIGINT, signal.SIG_IGN) counter = 0 # print_pre_exit_msg(counter, clrscr=True) for slave in slaves: while True: counter += 1 # print_pre_exit_msg(counter) slave.join(timeout=0.25) if not slave.is_alive(): break # print_exit_msg() return 0
def start(config): if not post_self_check(config): return -1 work_dir = config.argument_values["work_dir"] seed_dir = config.argument_values["seed_dir"] num_slaves = config.argument_values['p'] if config.argument_values['v']: enable_logging(work_dir) if not prepare_working_dir(config): print_fail( "Refuse to operate on existing work directory. Use --purge to override." ) return 1 if seed_dir and not copy_seed_files(work_dir, seed_dir): print_fail("Error when importing seeds. Exit.") return 1 # Without -ip0, Qemu will not active PT tracing and we turn into a blind fuzzer if not config.argument_values['ip0']: print_warning("No trace region configured! PT feedback disabled!") master = MasterProcess(config) slaves = [] for i in range(num_slaves): slaves.append( multiprocessing.Process(name="Slave " + str(i), target=slave_loader, args=(i, ))) slaves[i].start() try: master.loop() except KeyboardInterrupt: print_note("Received Ctrl-C, killing slaves...") except: print_fail("Exception in Master. Exiting..") print(traceback.format_exc()) finally: graceful_exit(slaves) time.sleep(0.2) qemu_sweep() sys.exit(0)
def start(config): if not post_self_check(config): return -1 work_dir = config.argument_values["work_dir"] seed_dir = config.argument_values["seed_dir"] num_slaves = config.argument_values['p'] if config.argument_values['v'] or config.argument_values['debug']: enable_logging(work_dir) if not prepare_working_dir(config): print_fail("Refuse to operate on existing work directory. Use --purge to override.") return 1 if seed_dir and not copy_seed_files(work_dir, seed_dir): print_fail("Error when importing seeds. Exit.") return 1 if config.argument_values['wdm']: interface_manager.load(config.argument_values['wdm']) master = MasterProcess(config) slaves = [] for i in range(num_slaves): slaves.append(multiprocessing.Process(name="Slave " + str(i), target=slave_loader, args=(i,))) slaves[i].start() try: master.loop() except KeyboardInterrupt: print_note("Received Ctrl-C, killing slaves...") except SystemExit as e: print_fail("Master exit: " + str(e)) finally: graceful_exit(slaves) time.sleep(0.2) qemu_sweep() sys.exit(0)
def start(): config = DebugConfiguration() prepare_working_dir(config.argument_values['work_dir']) if not post_self_check(config): return -1 if config.argument_values['v']: enable_logging(config.argument_values["work_dir"]) if not config.argument_values['ip0']: print(common.color.WARNING + "[WARNING]\tNo trace region configured!" + common.color.ENDC) if (config.argument_values['debug_mode'] == "noise"): debug_non_det(config, open(config.argument_values["payload"][0]).read()) if (config.argument_values['debug_mode'] == "noise-multiple"): q = qemu(1337, config, debug_mode=False) q.start(verbose=False) for e in config.argument_values["payload"]: print("FILE: " + e) debug_non_det(config, open(e).read(), max_iterations=20, q=q) elif (config.argument_values['debug_mode'] == "benchmark"): benchmark(config) elif (config.argument_values['debug_mode'] == "trace"): debug_execution(config, config.argument_values['i']) elif (config.argument_values['debug_mode'] == "trace-qemu"): debug_execution(config, config.argument_values['i'], qemu_verbose=True) elif (config.argument_values['debug_mode'] == "printk"): debug_execution(config, 1, qemu_verbose=True, notifiers=False) elif (config.argument_values['debug_mode'] == "redqueen"): redqueen_dbg(config, qemu_verbose=False) elif (config.argument_values['debug_mode'] == "redqueen-qemu"): redqueen_dbg(config, qemu_verbose=True) elif (config.argument_values['debug_mode'] == "cov"): redqueen_cov(config, qemu_verbose=True) elif (config.argument_values['debug_mode'] == "verify"): verify_dbg(config, qemu_verbose=True) return 0
def start(): config = InfoConfiguration() if not post_self_check(config): return -1 if config.argument_values['v']: enable_logging() log_info("Dumping target addresses...") if os.path.exists("/tmp/kAFL_info.txt"): os.remove("/tmp/kAFL_info.txt") q = qemu(0, config) q.start() q.__del__() try: for line in open("/tmp/kAFL_info.txt"): print line, os.remove("/tmp/kAFL_info.txt") except: pass return 0
def start(): config = FuzzerConfiguration() if not post_self_check(config): return -1 if config.argument_values['v']: enable_logging() num_processes = config.argument_values['p'] if config.argument_values['Purge'] and check_if_old_state_exits( config.argument_values['work_dir']): print_warning("Old workspace found!") if ask_for_permission("PURGE", " to wipe old workspace:"): print_warning("Wiping old workspace...") prepare_working_dir(config.argument_values['work_dir'], purge=True) time.sleep(2) else: print_fail("Aborting...") return 0 if not check_if_old_state_exits(config.argument_values['work_dir']): if not prepare_working_dir(config.argument_values['work_dir'], purge=True): print_fail("Working directory is weired or corrupted...") return 1 if not copy_seed_files(config.argument_values['work_dir'], config.argument_values['seed_dir']): print_fail("Seed directory is empty...") return 1 config.save_data() else: log_core("Old state exist -> loading...") config.load_data() comm = Communicator(num_processes=num_processes, tasks_per_requests=config.argument_values['t'], bitmap_size=config.config_values["BITMAP_SHM_SIZE"]) comm.create_shm() qlookup = QemuLookupSet() master = MasterProcess(comm) update_process = multiprocessing.Process(name='UPDATE', target=update_loader, args=(comm, )) mapserver_process = multiprocessing.Process(name='MAPSERVER', target=mapserver_loader, args=(comm, )) slaves = [] for i in range(num_processes): slaves.append( multiprocessing.Process(name='SLAVE' + str(i), target=slave_loader, args=(comm, i))) slaves[i].start() update_process.start() mapserver_process.start() try: master.loop() except KeyboardInterrupt: master.save_data() log_core("Date saved!") signal.signal(signal.SIGINT, signal.SIG_IGN) counter = 0 print_pre_exit_msg(counter, clrscr=True) for slave in slaves: while True: counter += 1 print_pre_exit_msg(counter) slave.join(timeout=0.25) if not slave.is_alive(): break print_exit_msg() return 0