/*
* BPatch_image::findVariable
*
* Returns a BPatch_variableExpr* representing the given variable in the
* application image. If no such variable exists, returns NULL.
*
* name The name of the variable to look up.
*
* First look for the name with an `_' prepended to it, and if that is not
* found try the original name.
*/
BPatch_variableExpr *BPatch_image::findVariableInt(const char *name, bool showError)
{
pdvector<int_variable *> vars;
process *llproc = proc->llproc;
if (!llproc->findVarsByAll(name, vars)) {
// _name?
pdstring under_name = pdstring("_") + pdstring(name);
if (!llproc->findVarsByAll(under_name, vars)) {
// "default Namespace prefix?
if (defaultNamespacePrefix) {
pdstring prefix_name = pdstring(defaultNamespacePrefix) + pdstring(".") + pdstring(name);
if (!llproc->findVarsByAll(prefix_name, vars)) {
if (showError) {
pdstring msg = pdstring("Unable to find variable: ") + pdstring(prefix_name);
showErrorCallback(100, msg);
}
return NULL;
}
} else {
if (showError) {
pdstring msg = pdstring("Unable to find variable: ") + pdstring(name);
showErrorCallback(100, msg);
}
return NULL;
}
}
}
assert(vars.size());
if (vars.size() > 1) {
cerr << "Warning: found multiple matches for var " << name << endl;
}
int_variable *var = vars[0];
BPatch_variableExpr *bpvar = AddrToVarExpr->hash[var->getAddress()];
if (bpvar) {
return bpvar;
}
// XXX - should this stuff really be by image ??? jkh 3/19/99
BPatch_Vector<BPatch_module *> *mods = getModules();
BPatch_type *type = NULL;
// XXX look up the type off of the int_variable's module
BPatch_module *module = NULL;
for (unsigned int m = 0; m < mods->size(); m++) {
if( (*mods)[m]->lowlevel_mod() == var->mod() ) {
module = (*mods)[m];
break;
}
}
if(module) {
type = module->getModuleTypes()->findVariableType(name);
}
else {
bperr("findVariable: failed look up module %s\n",
var->mod()->fileName().c_str());
}
if(!type) {
// if we can't find the type in the module, check the other modules
// (fixes prob on alpha) -- actually seems like most missing types
// end up in DEFAULT_MODULE
for (unsigned int m = 0; m < mods->size(); m++) {
BPatch_module *tm = (*mods)[m];
type = tm->getModuleTypes()->findVariableType(name);
if (type) {
#if 0
char buf1[1024], buf2[1024];
tm->getName(buf1, 1024);
module->getName(buf2, 1024);
fprintf(stderr, "%s[%d]: found type for %s in module %s, not %s\n", FILE__, __LINE__, name, buf2, buf1);
#endif
break;
}
}
if (!type) {
char buf[128];
sprintf(buf, "%s[%d]: cannot find type for var %s\n", FILE__, __LINE__, name);
BPatch_reportError(BPatchWarning, 0, buf);
type = BPatch::bpatch->type_Untyped;
}
}
char *nameCopy = strdup(name);
assert(nameCopy);
BPatch_variableExpr *ret = new BPatch_variableExpr((char *) nameCopy,
proc, (void *)var->getAddress(),
type);
AddrToVarExpr->hash[var->getAddress()] = ret;
return ret;
}
// static int mutatorTest(char *pathname, BPatch *bpatch)
test_results_t test1_41_Mutator::executeTest() {
unsigned int n=0;
const char *child_argv[5];
child_argv[n++] = pathname;
if (debugPrint) child_argv[n++] = const_cast<char*>("-verbose");
child_argv[n++] = const_cast<char*>("-run");
child_argv[n++] = const_cast<char*>("test1_41"); // run test41 in mutatee
child_argv[n++] = NULL;
int counts[iterations];
// Run the mutatee twice, querying line info each time & store the info
for (n = 0; n < iterations; n++) {
dprintf("Starting \"%s\"\n", pathname);
BPatch_process *proc = bpatch->processCreate(pathname, child_argv,
NULL);
if (!proc) {
logerror("*ERROR*: unable to create handle for executable\n", n);
logerror("**Failed** test #41 (repeated line information)\n");
return FAILED;
}
dprintf("Mutatee started, pid=%d\n", n, proc->getPid());
BPatch_image *image = proc->getImage();
if (!image) {
logerror("*ERROR*: unable to get image from thread\n");
logerror("**Failed** test #41 (repeated line information)\n");
return FAILED;
}
if (isMutateeFortran(image)) {
// This shouldn't happen..
proc->terminateExecution();
logerror("Skipped test #41 (repeated line information)\n");
return SKIPPED;
}
BPatch_module *module = image->findModule("test1_41_mutatee.c", true);
if (!module) {
module = image->findModule("solo_mutatee_boilerplate.c", true);
if (true) {
logerror("*ERROR*: unable to get module from image\n");
logerror("Looking for \"test1_41_solo_me.c\" or \"solo_mutatee_boilerplate.c\". Available modules:\n");
BPatch_Vector<BPatch_module *> *mods = image->getModules();
char buffer[512];
for (unsigned i = 0; i < mods->size(); i++) {
BPatch_module *mod = (*mods)[i];
char name[512];
mod->getName(name, 512);
sprintf(buffer, "\t%s\n",
name);
logerror(buffer);
}
}
}
if (!module) {
fprintf(stderr, "%s[%d]: could not find module solo_mutatee_boilerplate.c\n", FILE__, __LINE__);
// First try again for 'test1_41_solo_me.c'
module = image->findModule("test1_41_solo_me.c", true);
if (!module) {
logerror("*ERROR*: unable to get module from image\n");
logerror("Looking for \"test1_41_solo_me.c\" or \"solo_mutatee_boilerplate.c\". Available modules:\n");
BPatch_Vector<BPatch_module *> *mods = image->getModules();
char buffer[512];
for (unsigned i = 0; i < mods->size(); i++) {
BPatch_module *mod = (*mods)[i];
char name[512];
mod->getName(name, 512);
sprintf(buffer, "\t%s\n",
name);
logerror(buffer);
}
logerror("**Failed** test #41 (repeated line information)\n");
return FAILED;
}
}
char buffer[16384]; // FIXME ugly magic number; No module name should be that long..
module->getName(buffer, sizeof(buffer));
BPatch_Vector<BPatch_statement> statements;
bool res = module->getStatements(statements);
if (!res) {
fprintf(stderr, "%s[%d]: getStatements()\n", __FILE__, __LINE__);
return FAILED;
}
counts[n] = statements.size();
dprintf("Trial %d: found %d statements\n", n, statements.size());
proc->terminateExecution();
}
// Make sure we got the same info each time we ran the mutatee
int last_count = -1;
for (int i = 0; i < iterations; i++) {
if ((last_count >= 0) && (last_count != counts[i])) {
logerror("*ERROR*: statement counts didn't match: %d vs. %d\n", last_count, counts[i]);
logerror("**Failed** test #41 (repeated line information)\n");
return FAILED;
}
last_count = counts[i];
}
logerror("Passed test #41 (repeated line information)\n");
return PASSED;
}
int main (int argc, char **argv)
{
if(!parseOptions(argc,argv)) {
return EXIT_FAILURE;
}
BPatch bpatch;
BPatch_binaryEdit *appBin = bpatch.openBinary (originalBinary, instrumentLibraries.size() != 1);
if (appBin == NULL) {
cerr << "Failed to open binary" << endl;
return EXIT_FAILURE;
}
BPatch_image *appImage = appBin->getImage ();
//get and iterate over all modules, instrumenting only the default and manualy specified ones
vector < BPatch_module * >*modules = appImage->getModules ();
vector < BPatch_module * >::iterator moduleIter;
vector < BPatch_function * >* funcsInModule;
BPatch_module *defaultModule = NULL;
string defaultModuleName;
// look for _init
if(defaultModuleName.empty()){
for (moduleIter = modules->begin(); moduleIter != modules->end(); ++moduleIter){
funcsInModule = (*moduleIter)->getProcedures();
vector < BPatch_function * >::iterator funcsIterator;
for (funcsIterator = funcsInModule->begin(); funcsIterator != funcsInModule->end(); ++funcsIterator){
char funcName[1024];
(*funcsIterator)->getName(funcName,1024);
if(string(funcName) == string("_init")){
char moduleName[1024];
(*moduleIter)->getName(moduleName,1024);
defaultModuleName = string(moduleName);
if(verbose) {
cout << "Found _init in " << moduleName<< endl;
}
break;
}
}
if(!defaultModuleName.empty()) break;
}
}
// last resort, by name of the binary
if(defaultModuleName.empty())
defaultModuleName = string(originalBinary).substr(string(originalBinary).find_last_of("\\/")+1);
if (!appBin->loadLibrary (instLibrary)) {
cerr << "Failed to open instrumentation library." << endl;
cerr << "It needs to be located in the current working directory." << endl;
return EXIT_FAILURE;
}
appImage = appBin->getImage ();
/* Find code coverage functions in the instrumentation library */
BPatch_function *initAflForkServer =
findFuncByName (appImage, (char *) "initAflForkServer");
BPatch_function *bbCallback =
findFuncByName (appImage, (char *) "bbCallback");
if (!initAflForkServer || !bbCallback ) {
cerr << "Instrumentation library lacks callbacks!" << endl;
return EXIT_FAILURE;
}
int bbIndex = 0;
for (moduleIter = modules->begin (); moduleIter != modules->end (); ++moduleIter) {
char moduleName[1024];
(*moduleIter)->getName (moduleName, 1024);
if ((*moduleIter)->isSharedLib ()) {
if (instrumentLibraries.find (moduleName) == instrumentLibraries.end ()) {
cout << "Skipping library: " << moduleName << endl;
continue;
}
}
if (string (moduleName).find (defaultModuleName) != string::npos) {
defaultModule = (*moduleIter);
if(skipMainModule) continue;
}
cout << "Instrumenting module: " << moduleName << endl;
vector < BPatch_function * >*allFunctions =
(*moduleIter)->getProcedures ();
vector < BPatch_function * >::iterator funcIter;
// iterate over all functions in the module
for (funcIter = allFunctions->begin (); funcIter != allFunctions->end ();
++funcIter) {
BPatch_function *curFunc = *funcIter;
char funcName[1024];
curFunc->getName (funcName, 1024);
if(string (funcName) == string("_start")) continue; // here's a bug on hlt
insertBBCallback (appBin, curFunc, funcName, bbCallback, &bbIndex);
}
}
//if entrypoint set ,find function , else find _init
BPatch_function *funcToPatch = NULL;
if(!entryPoint) {
BPatch_Vector<BPatch_function*> funcs;
defaultModule->findFunction("_init", funcs);
if(!funcs.size()) {
cerr << "Couldn't locate _init, specify entry point manualy. "<< endl;
return EXIT_FAILURE;
}
// there should really be only one
funcToPatch = funcs[0];
} else {
funcToPatch = defaultModule->findFunctionByEntry(entryPoint);
}
if(!funcToPatch) {
cerr << "Couldn't locate function at given entry point. "<< endl;
return EXIT_FAILURE;
}
if(!insertCallToInit (appBin, initAflForkServer,defaultModule,funcToPatch)){
cerr << "Could not insert init callback at given entry point." << endl;
return EXIT_FAILURE;
}
cout << "Saving the instrumented binary to " << instrumentedBinary << "..." << endl;
// Output the instrumented binary
if (!appBin->writeFile (instrumentedBinary)) {
cerr << "Failed to write output file: " << instrumentedBinary << endl;
return EXIT_FAILURE;
}
if(!runtimeLibraries.empty()) {
cout << "Instrumenting runtime libraries." << endl;
set<string>::iterator rtLibIter ;
for(rtLibIter = runtimeLibraries.begin(); rtLibIter != runtimeLibraries.end(); rtLibIter++) {
BPatch_binaryEdit *libBin = bpatch.openBinary ((*rtLibIter).c_str(), false);
if (libBin == NULL) {
cerr << "Failed to open binary "<< *rtLibIter << endl;
return EXIT_FAILURE;
}
BPatch_image *libImg = libBin->getImage ();
vector < BPatch_module * >*modules = libImg->getModules ();
moduleIter = modules->begin ();
for ( ; moduleIter != modules->end (); ++moduleIter) {
char moduleName[1024];
(*moduleIter)->getName (moduleName, 1024);
cout << "Instrumenting module: " << moduleName << endl;
vector < BPatch_function * >*allFunctions =
(*moduleIter)->getProcedures ();
vector < BPatch_function * >::iterator funcIter;
// iterate over all functions in the module
for (funcIter = allFunctions->begin (); funcIter != allFunctions->end ();
++funcIter) {
BPatch_function *curFunc = *funcIter;
char funcName[1024];
curFunc->getName (funcName, 1024);
if(string (funcName) == string("_start")) continue;
insertBBCallback (libBin, curFunc, funcName, bbCallback, &bbIndex);
}
}
if (!libBin->writeFile ((*rtLibIter + ".ins").c_str())) {
cerr << "Failed to write output file: " <<(*rtLibIter + ".ins").c_str() << endl;
return EXIT_FAILURE;
} else {
cout << "Saved the instrumented library to " << (*rtLibIter + ".ins").c_str() << "." << endl;
}
}
}
cout << "All done! Happy fuzzing!" << endl;
return EXIT_SUCCESS;
}
int main(int argc, char **argv) {
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0 || strncmp(argv[1], "--h", 3) == 0) {
cout << "Usage: " << argv[0] << USAGE;
return false;
}
if (!parseOptions(argc, argv)) {
return EXIT_FAILURE;
}
if (do_bb == true) {
if (DYNINST_MAJOR_VERSION < 9 || (DYNINST_MAJOR_VERSION == 9 && DYNINST_MINOR_VERSION < 3) || (DYNINST_MAJOR_VERSION == 9 && DYNINST_MINOR_VERSION == 3 && DYNINST_PATCH_VERSION <= 2)) {
if (dynfix == false)
fprintf(stderr, "Warning: your dyninst version does not include a critical fix, you should use the -f option!\n");
} else {
if (dynfix == true)
fprintf(stderr, "Notice: your dyninst version is fixed, the -f option should not be necessary.\n");
}
}
BPatch bpatch;
BPatch_binaryEdit *appBin = bpatch.openBinary(originalBinary, instrumentLibraries.size() != 1);
if (appBin == NULL) {
cerr << "Failed to open binary" << endl;
return EXIT_FAILURE;
}
BPatch_image *appImage = appBin->getImage();
//get and iterate over all modules, instrumenting only the default and manually specified ones
vector < BPatch_module * >*modules = appImage->getModules();
vector < BPatch_module * >::iterator moduleIter;
vector < BPatch_function * >*funcsInModule;
BPatch_module *defaultModule = NULL;
string defaultModuleName;
// look for _init
if (defaultModuleName.empty()) {
for (moduleIter = modules->begin(); moduleIter != modules->end(); ++moduleIter) {
funcsInModule = (*moduleIter)->getProcedures();
vector < BPatch_function * >::iterator funcsIterator;
for (funcsIterator = funcsInModule->begin(); funcsIterator != funcsInModule->end(); ++funcsIterator) {
char funcName[1024];
(*funcsIterator)->getName(funcName, 1024);
if (string(funcName) == string("_init")) {
char moduleName[1024];
(*moduleIter)->getName(moduleName, 1024);
defaultModuleName = string(moduleName);
if (verbose) {
cout << "Found _init in " << moduleName << endl;
}
break;
}
}
if (!defaultModuleName.empty())
break;
}
}
// last resort, by name of the binary
if (defaultModuleName.empty())
defaultModuleName = string(originalBinary).substr(string(originalBinary).find_last_of("\\/") + 1);
if (!appBin->loadLibrary(instLibrary)) {
cerr << "Failed to open instrumentation library " << instLibrary << endl;
cerr << "It needs to be located in the current working directory." << endl;
return EXIT_FAILURE;
}
appImage = appBin->getImage();
/* Find code coverage functions in the instrumentation library */
BPatch_function *initAflForkServer;
save_rdi = findFuncByName(appImage, (char *) "save_rdi");
restore_rdi = findFuncByName(appImage, (char *) "restore_rdi");
BPatch_function *bbCallback = findFuncByName(appImage, (char *) "bbCallback");
BPatch_function *forceCleanExit = findFuncByName(appImage, (char *) "forceCleanExit");
if (do_bb == true)
initAflForkServer = findFuncByName(appImage, (char *) "initAflForkServer");
else
initAflForkServer = findFuncByName(appImage, (char *) "initOnlyAflForkServer");
if (!initAflForkServer || !bbCallback || !save_rdi || !restore_rdi || !forceCleanExit) {
cerr << "Instrumentation library lacks callbacks!" << endl;
return EXIT_FAILURE;
}
int bbIndex = 0;
// instrument all shared libraries:
for (moduleIter = modules->begin(); moduleIter != modules->end(); ++moduleIter) {
char moduleName[1024];
(*moduleIter)->getName(moduleName, 1024);
if ((*moduleIter)->isSharedLib()) {
if (instrumentLibraries.find(moduleName) == instrumentLibraries.end()) {
cout << "Skipping library: " << moduleName << endl;
continue;
}
}
if (string(moduleName).find(defaultModuleName) != string::npos) {
defaultModule = (*moduleIter);
if (skipMainModule)
continue;
}
if (do_bb == true) {
cout << "Instrumenting module: " << moduleName << endl;
vector < BPatch_function * >*allFunctions = (*moduleIter)->getProcedures();
vector < BPatch_function * >::iterator funcIter;
// iterate over all functions in the module
for (funcIter = allFunctions->begin(); funcIter != allFunctions->end(); ++funcIter) {
BPatch_function *curFunc = *funcIter;
char funcName[1024];
int do_patch = 1;
curFunc->getName(funcName, 1024);
if (string(funcName) == string("_start"))
continue; // here's a bug on hlt // XXX: check what happens if removed
if (!skipAddresses.empty()) {
set < string >::iterator saiter;
for (saiter = skipAddresses.begin(); saiter != skipAddresses.end() && do_patch == 1; saiter++)
if (*saiter == string(funcName))
do_patch = 0;
if (do_patch == 0) {
cout << "Skipping instrumenting function " << funcName << endl;
continue;
}
}
insertBBCallback(appBin, curFunc, funcName, bbCallback, &bbIndex);
}
}
}
// if an entrypoint was set then find function, else find _init
BPatch_function *funcToPatch = NULL;
if (!entryPoint) {
BPatch_Vector < BPatch_function * >funcs;
defaultModule->findFunction("_init", funcs);
if (!funcs.size()) {
cerr << "Couldn't locate _init, specify entry point manually with -e 0xaddr" << endl;
return EXIT_FAILURE;
}
// there should really be only one
funcToPatch = funcs[0];
} else {
funcToPatch = defaultModule->findFunctionByEntry(entryPoint);
}
if (!funcToPatch) {
cerr << "Couldn't locate function at given entry point. " << endl;
return EXIT_FAILURE;
}
if (!insertCallToInit(appBin, initAflForkServer, defaultModule, funcToPatch)) {
cerr << "Could not insert init callback at given entry point." << endl;
return EXIT_FAILURE;
}
if (!exitAddresses.empty()) {
cout << "Instrumenting forced exit addresses." << endl;
set < unsigned long >::iterator uliter;
for (uliter = exitAddresses.begin(); uliter != exitAddresses.end(); uliter++) {
if (*uliter > 0 && (signed long)*uliter != -1) {
funcToPatch = defaultModule->findFunctionByEntry(*uliter);
if (!funcToPatch) {
cerr << "Could not find enty point 0x" << hex << *uliter << " (continuing)" << endl;
} else {
if (!insertCallToInit(appBin, forceCleanExit, defaultModule, funcToPatch))
cerr << "Could not insert force clean exit callback at 0x" << hex << *uliter << " (continuing)" << endl;
}
}
}
}
cout << "Saving the instrumented binary to " << instrumentedBinary << " ..." << endl;
// Output the instrumented binary
if (!appBin->writeFile(instrumentedBinary)) {
cerr << "Failed to write output file: " << instrumentedBinary << endl;
return EXIT_FAILURE;
}
if (!runtimeLibraries.empty()) {
cout << "Instrumenting runtime libraries." << endl;
set < string >::iterator rtLibIter;
for (rtLibIter = runtimeLibraries.begin(); rtLibIter != runtimeLibraries.end(); rtLibIter++) {
BPatch_binaryEdit *libBin = bpatch.openBinary((*rtLibIter).c_str(), false);
if (libBin == NULL) {
cerr << "Failed to open binary " << *rtLibIter << endl;
return EXIT_FAILURE;
}
BPatch_image *libImg = libBin->getImage();
vector < BPatch_module * >*modules = libImg->getModules();
moduleIter = modules->begin();
for (; moduleIter != modules->end(); ++moduleIter) {
char moduleName[1024];
(*moduleIter)->getName(moduleName, 1024);
cout << "Instrumenting module: " << moduleName << endl;
vector < BPatch_function * >*allFunctions = (*moduleIter)->getProcedures();
vector < BPatch_function * >::iterator funcIter;
// iterate over all functions in the module
for (funcIter = allFunctions->begin(); funcIter != allFunctions->end(); ++funcIter) {
BPatch_function *curFunc = *funcIter;
char funcName[1024];
curFunc->getName(funcName, 1024);
if (string(funcName) == string("_start"))
continue;
insertBBCallback(libBin, curFunc, funcName, bbCallback, &bbIndex);
}
}
if (!libBin->writeFile((*rtLibIter + ".ins").c_str())) {
cerr << "Failed to write output file: " << (*rtLibIter + ".ins").c_str() << endl;
return EXIT_FAILURE;
} else {
cout << "Saved the instrumented library to " << (*rtLibIter + ".ins").c_str() << "." << endl;
}
}
}
cout << "All done! Happy fuzzing!" << endl;
return EXIT_SUCCESS;
}
