def benchmark(config):
log_debug("Starting benchmark...")
payload_file = config.argument_values["input"]
q = qemu(1337, config, debug_mode=False)
q.start()
q.set_payload(read_binary_file(payload_file))
log_debug("Hash: " + str(q.send_payload().hash()))
try:
while True:
start = time.time()
execs = 0
# for i in range(execs):
while (time.time() - start < REFRESH):
q.set_payload(read_binary_file(payload_file))
q.send_payload()
execs += 1
end = time.time()
# print("Performance: " + str(execs/(end - start)) + "t/s")
stdout.write(common.color.FLUSH_LINE + "Performance: " +
str(execs / (end - start)) + "t/s")
stdout.flush()
except KeyboardInterrupt:
stdout.write("\n")
q.shutdown()
return 0
def debug_execution(config, execs, qemu_verbose=False, notifiers=True):
log_debug("Starting debug execution...(%d rounds)" % execs)
payload_file = config.argument_values["input"]
zero_hash = mmh3.hash(("\x00" * config.config_values['BITMAP_SHM_SIZE']),
signed=False)
q = qemu(1337, config, debug_mode=True, notifiers=notifiers)
assert q.start(), "Failed to start Qemu?"
start = time.time()
for i in range(execs):
log_debug("Launching payload %d/%d.." % (i + 1, execs))
if i % 3 == 0:
q.set_payload(read_binary_file(payload_file))
# time.sleep(0.01 * rand.int(0, 9))
# a = str(q.send_payload())
# hexdump(a)
result = q.send_payload()
current_hash = result.hash()
if zero_hash == current_hash:
log_debug("Feedback Hash: " + str(current_hash) +
common.color.WARNING + " (WARNING: Zero hash found!)" +
common.color.ENDC)
else:
log_debug("Feedback Hash: " + str(current_hash))
#log_debug("Full hexdump:\n" + hexdump(result.copy_to_array()))
if result.is_crash():
q.restart()
q.shutdown()
end = time.time()
print("Performance: " + str(execs / (end - start)) + "t/s")
return 0
def redqueen_dbg(config, qemu_verbose=False):
global thread_done
log_debug("Starting Redqueen debug...")
q = qemu(1337, config, debug_mode=True)
q.start()
payload = read_binary_file(config.argument_values["input"])
# q.set_payload(payload)
if os.path.exists("patches"):
shutil.copyfile("patches",
"/tmp/redqueen_workdir_1337/redqueen_patches.txt")
start = time.time()
thread = Thread(target=lambda: redqueen_dbg_thread(q))
thread.start()
result = q.execute_in_redqueen_mode(payload, debug_mode=True)
thread_done = True
thread.join()
requeen_print_state(q)
end = time.time()
if result:
print(common.color.OKGREEN + "Execution succeded!" + common.color.ENDC)
else:
print(common.color.FLUSH_LINE + common.color.FAIL +
"Execution failed!" + common.color.ENDC)
print("Time: " + str(end - start) + "t/s")
num_muts, muts = parser.parse_rq_data(
open(
"/tmp/kafl_debug_workdir/redqueen_workdir_1337/redqueen_results.txt"
).read(), payload)
count = 0
for offset in muts:
for lhs in muts[offset]:
for rhs in muts[offset][lhs]:
count += 1
print(offset, lhs, rhs)
print(count)
return 0
def execute_once(config, qemu_verbose=False, notifiers=True):
payload_file = config.argument_values["input"]
log_debug("Execute payload %s.. " % payload_file)
zero_hash = mmh3.hash(("\x00" * config.config_values['BITMAP_SHM_SIZE']),
signed=False)
q = qemu(1337, config, debug_mode=False, notifiers=notifiers)
assert q.start(), "Failed to start Qemu?"
q.set_payload(read_binary_file(payload_file))
result = q.send_payload()
current_hash = result.hash()
if zero_hash == current_hash:
log_debug("Feedback Hash: " + str(current_hash) +
common.color.WARNING + " (WARNING: Zero hash found!)" +
common.color.ENDC)
else:
log_debug("Feedback Hash: " + str(current_hash))
q.shutdown()
return 0
def debug_non_det(config, max_execs=0):
log_debug("Starting non-deterministic...")
delay = 0
payload_file = config.argument_values["input"]
assert os.path.isfile(
payload_file), "Provided -input argument must be a file."
assert "ip0" in config.argument_values, "Must set -ip0 range in order to obtain PT traces."
payload = read_binary_file(payload_file)
q = qemu(1337, config, debug_mode=False)
assert q.start(), "Failed to launch Qemu."
store_traces = config.argument_values["trace"]
if store_traces:
trace_out = config.argument_values[
"work_dir"] + "/redqueen_workdir_1337/pt_trace_results.txt"
trace_dir = config.argument_values["work_dir"] + "/noise/"
os.makedirs(trace_dir)
hash_value = None
default_hash = None
hashes = dict()
try:
q.set_payload(payload)
time.sleep(delay)
if store_traces: q.send_enable_trace()
exec_res = q.send_payload()
if store_traces: q.send_disable_trace()
default_hash = exec_res.hash()
hashes[default_hash] = 1
log_debug("Default Hash: " + str(default_hash))
if store_traces:
shutil.copyfile(trace_out,
trace_dir + "/trace_%08x.txt" % default_hash)
total = 1
hash_mismatch = 0
time.sleep(delay)
while max_execs == 0 or total <= max_execs:
mismatch_r = 0
start = time.time()
execs = 0
while (time.time() - start < REFRESH):
#time.sleep(0.0002 * rand.int(10))
q.set_payload(payload)
time.sleep(delay)
if store_traces: q.send_enable_trace()
exec_res = q.send_payload()
if store_traces: q.send_disable_trace()
if exec_res.is_crash():
print("Crashed - restarting...")
q.restart()
time.sleep(delay)
hash_value = exec_res.hash()
if hash_value != default_hash:
mismatch_r += 1
if hash_value in hashes:
hashes[hash_value] = hashes[hash_value] + 1
else:
hashes[hash_value] = 1
if store_traces:
shutil.copyfile(
trace_out,
trace_dir + "/trace_%08x.txt" % hash_value)
execs += 1
end = time.time()
total += execs
hash_mismatch += mismatch_r
stdout.write(common.color.FLUSH_LINE + "Performance: " +
str(format(((execs * 1.0) / (end - start)), '.0f')) +
" t/s\tTotal: " + str(total) + "\tMismatch: ")
if (len(hashes) != 1):
stdout.write(
common.color.FAIL + str(hash_mismatch) +
common.color.ENDC + " (+" + str(mismatch_r) +
")\tRatio: " +
str(format((
(hash_mismatch * 1.0) / total) * 100.00, '.2f')) + "%")
stdout.write("\t\tHashes:\t" + str(len(hashes.keys())) + " (" +
str(
format(((len(hashes.keys()) * 1.0) / total) *
100.00, '.2f')) + "%)")
else:
stdout.write(
common.color.OKGREEN + str(hash_mismatch) +
common.color.ENDC + " (+" + str(mismatch_r) +
")\tRatio: " +
str(format((
(hash_mismatch * 1.0) / total) * 100.00, '.2f')) + "%")
stdout.flush()
except Exception as e:
raise
except KeyboardInterrupt:
pass
finally:
q.shutdown()
stdout.write("\n")
for h in hashes.keys():
if h == default_hash:
print("* %08x: %03d" % (h, hashes[h]))
else:
print(" %08x: %03d" % (h, hashes[h]))
return 0
def debug_non_det(config, payload, max_iterations=0):
log_debug("Starting non-deterministic...")
# Define IP Range!!
q = qemu(1337, config, debug_mode=False)
q.start()
hash_value = None
default_hash = None
hash_list = []
try:
q.set_payload(payload)
time.sleep(0.2)
bitmap = q.send_payload()
default_hash = bitmap.hash()
hash_list.append(default_hash)
log_debug("Default Hash: " + str(default_hash))
total = 1
hash_mismatch = 0
count = 0
while True:
mismatch_r = 0
start = time.time()
execs = 0
while (time.time() - start < REFRESH):
#time.sleep(0.0002 * rand.int(10))
q.set_payload(payload)
#time.sleep(0.3)
bitmap = q.send_payload()
if execution_exited_abnormally(q):
print("Crashed - restarting...")
q.restart()
hash_value = bitmap.hash()
if hash_value != default_hash:
mismatch_r += 1
if hash_value not in hash_list:
hash_list.append(hash_value)
log_debug(
"Full hexdump for %x:\n%s\n" %
(hash_value, hexdump(bitmap.copy_to_array())))
execs += 1
end = time.time()
total += execs
hash_mismatch += mismatch_r
stdout.write(common.color.FLUSH_LINE + "Performance: " +
str(format(((execs * 1.0) / (end - start)), '.0f')) +
" t/s\tTotal: " + str(total) + "\tMismatch: ")
if (len(hash_list) != 1):
stdout.write(
common.color.FAIL + str(hash_mismatch) +
common.color.ENDC + " (+" + str(mismatch_r) +
")\tRatio: " +
str(format((
(hash_mismatch * 1.0) / total) * 100.00, '.2f')) + "%")
stdout.write("\t\tHashes:\t" + str(len(hash_list)) + " (" +
str(
format(((len(hash_list) * 1.0) / total) *
100.00, '.2f')) + "%)")
else:
stdout.write(
common.color.OKGREEN + str(hash_mismatch) +
common.color.ENDC + " (+" + str(mismatch_r) +
")\tRatio: " +
str(format((
(hash_mismatch * 1.0) / total) * 100.00, '.2f')) + "%")
stdout.flush()
if max_iterations != 0 and total >= count:
break
count += 1
except Exception as e:
raise
except KeyboardInterrupt:
stdout.write("\n")
finally:
q.shutdown()
for h in hash_list:
print("%x" % h)
return 0
