def benchmark(config): log_debug("Starting benchmark...") payload_file = config.argument_values["input"] q = qemu(1337, config, debug_mode=False) q.start() q.set_payload(read_binary_file(payload_file)) log_debug("Hash: " + str(q.send_payload().hash())) try: while True: start = time.time() execs = 0 # for i in range(execs): while (time.time() - start < REFRESH): q.set_payload(read_binary_file(payload_file)) q.send_payload() execs += 1 end = time.time() # print("Performance: " + str(execs/(end - start)) + "t/s") stdout.write(common.color.FLUSH_LINE + "Performance: " + str(execs / (end - start)) + "t/s") stdout.flush() except KeyboardInterrupt: stdout.write("\n") q.shutdown() return 0
def debug_execution(config, execs, qemu_verbose=False, notifiers=True): log_debug("Starting debug execution...(%d rounds)" % execs) payload_file = config.argument_values["input"] zero_hash = mmh3.hash(("\x00" * config.config_values['BITMAP_SHM_SIZE']), signed=False) q = qemu(1337, config, debug_mode=True, notifiers=notifiers) assert q.start(), "Failed to start Qemu?" start = time.time() for i in range(execs): log_debug("Launching payload %d/%d.." % (i + 1, execs)) if i % 3 == 0: q.set_payload(read_binary_file(payload_file)) # time.sleep(0.01 * rand.int(0, 9)) # a = str(q.send_payload()) # hexdump(a) result = q.send_payload() current_hash = result.hash() if zero_hash == current_hash: log_debug("Feedback Hash: " + str(current_hash) + common.color.WARNING + " (WARNING: Zero hash found!)" + common.color.ENDC) else: log_debug("Feedback Hash: " + str(current_hash)) #log_debug("Full hexdump:\n" + hexdump(result.copy_to_array())) if result.is_crash(): q.restart() q.shutdown() end = time.time() print("Performance: " + str(execs / (end - start)) + "t/s") return 0
def redqueen_dbg(config, qemu_verbose=False): global thread_done log_debug("Starting Redqueen debug...") q = qemu(1337, config, debug_mode=True) q.start() payload = read_binary_file(config.argument_values["input"]) # q.set_payload(payload) if os.path.exists("patches"): shutil.copyfile("patches", "/tmp/redqueen_workdir_1337/redqueen_patches.txt") start = time.time() thread = Thread(target=lambda: redqueen_dbg_thread(q)) thread.start() result = q.execute_in_redqueen_mode(payload, debug_mode=True) thread_done = True thread.join() requeen_print_state(q) end = time.time() if result: print(common.color.OKGREEN + "Execution succeded!" + common.color.ENDC) else: print(common.color.FLUSH_LINE + common.color.FAIL + "Execution failed!" + common.color.ENDC) print("Time: " + str(end - start) + "t/s") num_muts, muts = parser.parse_rq_data( open( "/tmp/kafl_debug_workdir/redqueen_workdir_1337/redqueen_results.txt" ).read(), payload) count = 0 for offset in muts: for lhs in muts[offset]: for rhs in muts[offset][lhs]: count += 1 print(offset, lhs, rhs) print(count) return 0
def execute_once(config, qemu_verbose=False, notifiers=True): payload_file = config.argument_values["input"] log_debug("Execute payload %s.. " % payload_file) zero_hash = mmh3.hash(("\x00" * config.config_values['BITMAP_SHM_SIZE']), signed=False) q = qemu(1337, config, debug_mode=False, notifiers=notifiers) assert q.start(), "Failed to start Qemu?" q.set_payload(read_binary_file(payload_file)) result = q.send_payload() current_hash = result.hash() if zero_hash == current_hash: log_debug("Feedback Hash: " + str(current_hash) + common.color.WARNING + " (WARNING: Zero hash found!)" + common.color.ENDC) else: log_debug("Feedback Hash: " + str(current_hash)) q.shutdown() return 0
def debug_non_det(config, max_execs=0): log_debug("Starting non-deterministic...") delay = 0 payload_file = config.argument_values["input"] assert os.path.isfile( payload_file), "Provided -input argument must be a file." assert "ip0" in config.argument_values, "Must set -ip0 range in order to obtain PT traces." payload = read_binary_file(payload_file) q = qemu(1337, config, debug_mode=False) assert q.start(), "Failed to launch Qemu." store_traces = config.argument_values["trace"] if store_traces: trace_out = config.argument_values[ "work_dir"] + "/redqueen_workdir_1337/pt_trace_results.txt" trace_dir = config.argument_values["work_dir"] + "/noise/" os.makedirs(trace_dir) hash_value = None default_hash = None hashes = dict() try: q.set_payload(payload) time.sleep(delay) if store_traces: q.send_enable_trace() exec_res = q.send_payload() if store_traces: q.send_disable_trace() default_hash = exec_res.hash() hashes[default_hash] = 1 log_debug("Default Hash: " + str(default_hash)) if store_traces: shutil.copyfile(trace_out, trace_dir + "/trace_%08x.txt" % default_hash) total = 1 hash_mismatch = 0 time.sleep(delay) while max_execs == 0 or total <= max_execs: mismatch_r = 0 start = time.time() execs = 0 while (time.time() - start < REFRESH): #time.sleep(0.0002 * rand.int(10)) q.set_payload(payload) time.sleep(delay) if store_traces: q.send_enable_trace() exec_res = q.send_payload() if store_traces: q.send_disable_trace() if exec_res.is_crash(): print("Crashed - restarting...") q.restart() time.sleep(delay) hash_value = exec_res.hash() if hash_value != default_hash: mismatch_r += 1 if hash_value in hashes: hashes[hash_value] = hashes[hash_value] + 1 else: hashes[hash_value] = 1 if store_traces: shutil.copyfile( trace_out, trace_dir + "/trace_%08x.txt" % hash_value) execs += 1 end = time.time() total += execs hash_mismatch += mismatch_r stdout.write(common.color.FLUSH_LINE + "Performance: " + str(format(((execs * 1.0) / (end - start)), '.0f')) + " t/s\tTotal: " + str(total) + "\tMismatch: ") if (len(hashes) != 1): stdout.write( common.color.FAIL + str(hash_mismatch) + common.color.ENDC + " (+" + str(mismatch_r) + ")\tRatio: " + str(format(( (hash_mismatch * 1.0) / total) * 100.00, '.2f')) + "%") stdout.write("\t\tHashes:\t" + str(len(hashes.keys())) + " (" + str( format(((len(hashes.keys()) * 1.0) / total) * 100.00, '.2f')) + "%)") else: stdout.write( common.color.OKGREEN + str(hash_mismatch) + common.color.ENDC + " (+" + str(mismatch_r) + ")\tRatio: " + str(format(( (hash_mismatch * 1.0) / total) * 100.00, '.2f')) + "%") stdout.flush() except Exception as e: raise except KeyboardInterrupt: pass finally: q.shutdown() stdout.write("\n") for h in hashes.keys(): if h == default_hash: print("* %08x: %03d" % (h, hashes[h])) else: print(" %08x: %03d" % (h, hashes[h])) return 0
def debug_non_det(config, payload, max_iterations=0): log_debug("Starting non-deterministic...") # Define IP Range!! q = qemu(1337, config, debug_mode=False) q.start() hash_value = None default_hash = None hash_list = [] try: q.set_payload(payload) time.sleep(0.2) bitmap = q.send_payload() default_hash = bitmap.hash() hash_list.append(default_hash) log_debug("Default Hash: " + str(default_hash)) total = 1 hash_mismatch = 0 count = 0 while True: mismatch_r = 0 start = time.time() execs = 0 while (time.time() - start < REFRESH): #time.sleep(0.0002 * rand.int(10)) q.set_payload(payload) #time.sleep(0.3) bitmap = q.send_payload() if execution_exited_abnormally(q): print("Crashed - restarting...") q.restart() hash_value = bitmap.hash() if hash_value != default_hash: mismatch_r += 1 if hash_value not in hash_list: hash_list.append(hash_value) log_debug( "Full hexdump for %x:\n%s\n" % (hash_value, hexdump(bitmap.copy_to_array()))) execs += 1 end = time.time() total += execs hash_mismatch += mismatch_r stdout.write(common.color.FLUSH_LINE + "Performance: " + str(format(((execs * 1.0) / (end - start)), '.0f')) + " t/s\tTotal: " + str(total) + "\tMismatch: ") if (len(hash_list) != 1): stdout.write( common.color.FAIL + str(hash_mismatch) + common.color.ENDC + " (+" + str(mismatch_r) + ")\tRatio: " + str(format(( (hash_mismatch * 1.0) / total) * 100.00, '.2f')) + "%") stdout.write("\t\tHashes:\t" + str(len(hash_list)) + " (" + str( format(((len(hash_list) * 1.0) / total) * 100.00, '.2f')) + "%)") else: stdout.write( common.color.OKGREEN + str(hash_mismatch) + common.color.ENDC + " (+" + str(mismatch_r) + ")\tRatio: " + str(format(( (hash_mismatch * 1.0) / total) * 100.00, '.2f')) + "%") stdout.flush() if max_iterations != 0 and total >= count: break count += 1 except Exception as e: raise except KeyboardInterrupt: stdout.write("\n") finally: q.shutdown() for h in hash_list: print("%x" % h) return 0