/*
 * Rule PHT18: scramble every field of a PT_GNU_EH_FRAME program header
 * except p_type. p_offset is only touched one time in three; the other
 * fields are always replaced with values from the getElf_* generators.
 *
 * Returns 1 when the header was modified, 0 when the rule did not apply.
 */
int pht18(void)
{
    if(orcPHT->p_type != PT_GNU_EH_FRAME)
        return 0;

    /* p_offset is left alone two times out of three */
    if(rand() % 3 == 0)
        orcPHT->p_offset = getElf_Off();

    orcPHT->p_vaddr = getElf_Addr();

    /* Size fields are drawn as Elf_Word on i386 and Elf_Xword on x86_64;
       the order of the draws (filesz, memsz, flags, align) is kept. */
#if defined(__i386__)
    orcPHT->p_filesz = getElf_Word();
    orcPHT->p_memsz = getElf_Word();
#elif defined(__x86_64__)
    orcPHT->p_filesz = getElf_Xword();
    orcPHT->p_memsz = getElf_Xword();
#endif

    orcPHT->p_flags = getElf_Word();

#if defined(__i386__)
    orcPHT->p_align = getElf_Word();
#elif defined(__x86_64__)
    orcPHT->p_align = getElf_Xword();
#endif

    fprintf(logfp, "(PHT[%d]->p_offset = 0x"HEX",", ph, orcPHT->p_offset);
    fprintf(logfp, " p_vaddr = 0x"HEX",", orcPHT->p_vaddr);
    fprintf(logfp, " p_filesz = 0x"HEX",", orcPHT->p_filesz);
    fprintf(logfp, " p_memsz = 0x"HEX",", orcPHT->p_memsz);
    fprintf(logfp, " p_flags = 0x%x,", orcPHT->p_flags);
    fprintf(logfp, " p_align = 0x"HEX")", orcPHT->p_align);

    return 1;
}
int rel2(void) { if(rand() % 3 < 2) return 0; if(rand() % 4 < 3) { // 75% chance to only change its related Symbol Table index Elf_Section sym_ndx; if(rand() % 2) sym_ndx = rand() % orcHDR->e_shnum; // A random but valid Symbol Table index within the SHT else sym_ndx = getElf_Section(); if(orcSHT->sh_type == SHT_REL) orcREL->r_info = ELF_R_INFO(sym_ndx, ELF_R_TYPE(orcREL->r_info)); else orcRELA->r_info = ELF_R_INFO(sym_ndx, ELF_R_TYPE(orcRELA->r_info)); } else { if(orcSHT->sh_type == SHT_REL) #if defined(__i386__) orcREL->r_info = getElf_Word(); #elif defined(__x86_64__) orcREL->r_info = getElf_Xword(); #endif else #if defined(__i386__) orcRELA->r_info = getElf_Word(); #elif defined(__x86_64__) orcRELA->r_info = getElf_Xword(); #endif }
/*
 * Rule PHT4: make p_filesz and p_memsz inconsistent with each other.
 *
 * Three equally likely outcomes:
 *   0: p_filesz = 0 and p_memsz = a random page-multiple (a zero draw ends
 *      the search and leaves p_memsz as it was);
 *   1: p_filesz random, p_memsz = 0;
 *   2: both zero, or only p_memsz set from a 32-bit random value.
 *
 * PT_INTERP headers are skipped 80% of the time; PT_DYNAMIC / PT_NOTE are
 * skipped when the corresponding DYN / NOTE mode is active.
 * Returns 1 when the header was modified, 0 otherwise.
 */
int pht4(void)
{
    if(orcPHT->p_type == PT_INTERP && rand() % 5 < 4)
        return 0;
    if(orcPHT->p_type == PT_DYNAMIC && (mode & DYN))
        return 0;
    if(orcPHT->p_type == PT_NOTE && (mode & NOTE))
        return 0;

#if defined(__i386__)
    Elf_Word candidate;
#elif defined(__x86_64__)
    Elf_Xword candidate;
#endif

    switch(rand() % 3) {
    case 0:
        orcPHT->p_filesz = 0;
        /* Keep drawing until a page-aligned size turns up */
        for(;;) {
#if defined(__i386__)
            candidate = getElf_Word();
#elif defined(__x86_64__)
            candidate = getElf_Xword();
#endif
            if(candidate == 0)
                break;
            if(candidate % PAGESIZE == 0) {
                orcPHT->p_memsz = candidate;
                break;
            }
        }
        break;

    case 1:
#if defined(__i386__)
        orcPHT->p_filesz = getElf_Word();
#elif defined(__x86_64__)
        orcPHT->p_filesz = getElf_Xword();
#endif
        orcPHT->p_memsz = 0;
        break;

    default:
        if(rand() % 2) {
            orcPHT->p_filesz = 0;
            orcPHT->p_memsz = 0;
        } else {
            /* Deliberately a 32-bit draw regardless of the field width */
            orcPHT->p_memsz = getElf_Word();
        }
        break;
    }

    fprintf(logfp, "(PHT[%d]->p_filesz = 0x"HEX",", ph, orcPHT->p_filesz);
    fprintf(logfp, " p_memsz = 0x"HEX")", orcPHT->p_memsz);

    return 1;
}
/*
 * Rule SYM4: replace st_size of the current symbol with a random value.
 * On x86_64 the full-width getter is used two times in three, otherwise a
 * 32-bit value is stored. Always returns 1.
 */
int sym4(void)
{
#if defined(__i386__)
    orcSYM->st_size = getElf_Word();
#elif defined(__x86_64__)
    int wide = (rand() % 3 < 2);
    orcSYM->st_size = wide ? getElf_Xword() : getElf_Word();
#endif

    fprintf(logfp, "(SYM[%d]->st_size = 0x"HEX")", entry, orcSYM->st_size);

    return 1;
}
/*
 * Rule PHT6: give the header a processor-specific p_type, i.e. a value in
 * [PT_LOPROC, PT_HIPROC). PT_INTERP headers are never touched, PT_DYNAMIC /
 * PT_NOTE are protected by the DYN / NOTE modes, and the rule backs off
 * half of the time because p_type is critical.
 *
 * Returns 1 when p_type was modified, 0 otherwise.
 */
int pht6(void)
{
    if(orcPHT->p_type == PT_INTERP)
        return 0;
    if(orcPHT->p_type == PT_DYNAMIC && (mode & DYN))
        return 0;
    if(orcPHT->p_type == PT_NOTE && (mode & NOTE))
        return 0;

    /* p_type is a critical field: 50% chance to leave it alone */
    if(rand() % 2)
        return 0;

    /* Draw until the value lands in the processor-specific range. A draw
       whose sum wraps to exactly 0 also ends the loop (and stores 0). */
    Elf_Word p_type;
    do {
        p_type = getElf_Word() + PT_LOPROC;
    } while(p_type != 0 && !(p_type >= PT_LOPROC && p_type < PT_HIPROC));

    orcPHT->p_type = p_type;

    fprintf(logfp, "(PHT[%d]->p_type = 0x%x)", ph, orcPHT->p_type);

    return 1;
}
/*
 * Rule SHT15: fuzz the header of the ".data" section.
 *
 * Half of the time sh_type is replaced, either by a random SHT_* value that
 * does not collide with a section kind protected by the active mode (50%),
 * or by an arbitrary Elf_Word (50%). sh_flags and sh_size are then always
 * handed to fuzzFlags() / fuzzSize().
 *
 * Returns 0 when there is no ".data" section or the current header is not
 * it, 1 after fuzzing.
 */
int sht15(void)
{
    Elf_Section data_ndx = findSectionIndexByName(".data");
    if(data_ndx == 0)
        return 0;

    /* Only act when ".data" is the header currently being fuzzed */
    if(data_ndx != sh)
        return 0;

    if(rand() % 2) {
        if(rand() % 2) {
            Elf_Word t;
            int keep;
            for(;;) {
                t = rand() % SHT_NUM;
                if(t == 0)          /* SHT_NULL is always accepted */
                    break;
                keep = 1;
                switch(t) {
                case SHT_STRTAB:
                    keep = !(mode & STRS);
                    break;
                case SHT_NOTE:
                    keep = !(mode & NOTE);
                    break;
                case SHT_DYNAMIC:
                    keep = !(mode & DYN);
                    break;
                case SHT_SYMTAB:
                case SHT_DYNSYM:
                    /* In REL mode the symbol table's sh_type is still needed */
                    keep = !(mode & (SYM | REL));
                    break;
                case SHT_REL:
                case SHT_RELA:
                    keep = !(mode & REL);
                    break;
                default:
                    break;
                }
                if(keep)
                    break;
            }
            orcSHT->sh_type = t;
        } else {
            orcSHT->sh_type = getElf_Word();
        }
    }

    fuzzFlags();
    fuzzSize();

    fprintf(logfp, "(SHT[%d]->sh_type = 0x%x,", sh, orcSHT->sh_type);
    fprintf(logfp, " sh_size = 0x"HEX",", orcSHT->sh_size);
    fprintf(logfp, " sh_flags = 0x"HEX")", orcSHT->sh_flags);

    return 1;
}
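/*
 * Rule SHT12: fuzz the sh_link / sh_info pair of a relocation section
 * (SHT_REL or SHT_RELA).
 *
 * With REL mode active the relocations themselves are being fuzzed, so only
 * sh_info is touched, and only half of the time; sh_link must keep pointing
 * at a usable symbol table. Otherwise sh_link is (75%) steered to a section
 * that is NOT a symbol table, or (25%) set to a random Elf_Half, and sh_info
 * is set to a random in-range index (50%) or a random Elf_Word.
 *
 * Returns 1 when the header was modified, 0 when the rule did not apply.
 */
int sht12(void)
{
    if(orcSHT->sh_type != SHT_REL && orcSHT->sh_type != SHT_RELA)
        return 0;

    /* Every index draw below is rand() % (e_shnum - 1): with fewer than two
       section headers that is a division by zero, so skip the rule. */
    if(orcHDR->e_shnum < 2)
        return 0;

    if(mode & REL) {
        if(rand() % 2 == 0)
            return 0;
        if(rand() % 2)
            orcSHT->sh_info = 1 + (rand() % (orcHDR->e_shnum - 1));
        else
            orcSHT->sh_info = getElf_Word();
        fprintf(logfp, "(SHT[%d]->sh_info = 0x%x)", sh, orcSHT->sh_info);
        return 1;
    }

    Elf_Word l;
    if(rand() % 4 < 3) {
        /* NOTE(review): this loop never terminates if every header in
           1..e_shnum-1 is a symbol table, and it indexes orcOrigSHT with a
           bound taken from orcHDR -- confirm e_shnum here still matches the
           original table. */
        do {
            l = 1 + (rand() % (orcHDR->e_shnum - 1));
        } while(orcOrigSHT[l].sh_type == SHT_SYMTAB ||
                orcOrigSHT[l].sh_type == SHT_DYNSYM);
    } else {
        l = (Elf_Word) getElf_Half();
    }
    orcSHT->sh_link = l;

    if(rand() % 2)
        orcSHT->sh_info = 1 + (rand() % (orcHDR->e_shnum - 1));
    else
        orcSHT->sh_info = getElf_Word();

    fprintf(logfp, "(SHT[%d]->sh_link = 0x%x,", sh, orcSHT->sh_link);
    fprintf(logfp, " sh_info = 0x%x)", orcSHT->sh_info);

    return 1;
}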
/*
 * Rule PHT7: fuzz p_filesz. Two times in three the new value is forced to be
 * at least p_memsz (a zero draw ends the search and leaves p_filesz as is);
 * otherwise an arbitrary value is stored.
 *
 * PT_INTERP headers are skipped 80% of the time; PT_DYNAMIC / PT_NOTE are
 * skipped when the corresponding DYN / NOTE mode is active.
 * Returns 1 when the header was modified, 0 otherwise.
 */
int pht7(void)
{
    if(orcPHT->p_type == PT_INTERP && rand() % 5 < 4)
        return 0;
    if(orcPHT->p_type == PT_DYNAMIC && (mode & DYN))
        return 0;
    if(orcPHT->p_type == PT_NOTE && (mode & NOTE))
        return 0;

#if defined(__i386__)
    Elf_Word candidate;
#elif defined(__x86_64__)
    Elf_Xword candidate;
#endif

    if(rand() % 3 < 2) {
        for(;;) {
#if defined(__i386__)
            candidate = getElf_Word();
#elif defined(__x86_64__)
            candidate = getElf_Xword();
#endif
            if(candidate == 0)
                break;
            if(candidate >= orcPHT->p_memsz) {
                orcPHT->p_filesz = candidate;
                break;
            }
        }
    } else {
#if defined(__i386__)
        orcPHT->p_filesz = getElf_Word();
#elif defined(__x86_64__)
        orcPHT->p_filesz = getElf_Xword();
#endif
    }

    fprintf(logfp, "(PHT[%d]->p_filesz = 0x"HEX")", ph, orcPHT->p_filesz);

    return 1;
}
void fuzzSize() { if((rand() % 4) < 3){ // 75% chance if(rand() % 2) #if defined(__i386__) || defined(__ANDROID_API__) orcSHT->sh_size = getElf_Word(); #elif defined(__x86_64__) orcSHT->sh_size = getElf_Xword(); #endif else orcSHT->sh_size = getElf_Half(); } else
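/*
 * Rule SYM1: fuzz every field of the reserved symbol 0 (STN_UNDEF), which
 * is supposed to stay all-zero. Applied only to entry STN_UNDEF and only
 * half of the time.
 *
 * Returns 1 when the symbol was modified, 0 otherwise.
 */
int sym1(void)
{
    if(entry != STN_UNDEF)
        return 0;
    if(rand() % 2)
        return 0;

#if defined(__i386__)
    orcSYM->st_size = getElf_Word();
#elif defined(__x86_64__)
    if(rand() % 3 < 2)
        orcSYM->st_size = getElf_Xword();
    else
        orcSYM->st_size = getElf_Word();
#endif

    orcSYM->st_value = getElf_Addr();
    orcSYM->st_info = rand() & 0xff;
    orcSYM->st_other = rand() & 0xff;

    /* 25% arbitrary index, 75% a valid index into the SHT. An ELF with no
       section headers (e_shnum == 0) would make the modulo a division by
       zero, so it takes the arbitrary path instead. */
    if(rand() % 4 == 0 || orcHDR->e_shnum == 0)
        orcSYM->st_shndx = getElf_Section();
    else
        orcSYM->st_shndx = rand() % orcHDR->e_shnum;

    if(rand() % 4 == 0)
        orcSYM->st_name = getElf_Word();
    else
        orcSYM->st_name = rand() & 0xff;

    fprintf(logfp, "(SYM[%d]->st_value = 0x"HEX",", entry, orcSYM->st_value);
    fprintf(logfp, " st_size = 0x"HEX",", orcSYM->st_size);
    fprintf(logfp, " st_info = 0x%x,", orcSYM->st_info);
    fprintf(logfp, " st_other = 0x%x,", orcSYM->st_other);
    fprintf(logfp, " st_shndx = 0x%x,", orcSYM->st_shndx);
    fprintf(logfp, " st_name = 0x%x)", orcSYM->st_name);

    return 1;
}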
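/*
 * Rule SHT11: fuzz sh_link / sh_info of SHT_DYNAMIC, SHT_HASH and
 * SHT_GNU_HASH sections.
 *
 * sh_info always gets a random in-range index (50%) or a random Elf_Word.
 * For SHT_DYNAMIC under DYN mode sh_link is only changed half of the time,
 * and then steered (75%) to a non-SHT_STRTAB section; outside DYN mode it
 * gets any in-range index or a random Elf_Half. For the hash sections
 * sh_link is steered (75%) to a section that is not a symbol table.
 *
 * Returns 1 when the header was modified, 0 when the rule did not apply.
 */
int sht11(void)
{
    if(orcSHT->sh_type != SHT_DYNAMIC && orcSHT->sh_type != SHT_HASH &&
       orcSHT->sh_type != SHT_GNU_HASH)
        return 0;

    /* The in-range draws are rand() % (e_shnum - 1): with fewer than two
       section headers that is a division by zero, so skip the rule. */
    if(orcHDR->e_shnum < 2)
        return 0;

    Elf_Word l;

    if(rand() % 2)
        orcSHT->sh_info = 1 + (rand() % (orcHDR->e_shnum - 1));
    else
        orcSHT->sh_info = getElf_Word();

    if(orcSHT->sh_type == SHT_DYNAMIC) {
        if(mode & DYN) {
            if(rand() % 2) {
                fprintf(logfp, "(SHT[%d]->sh_info = 0x%x)", sh, orcSHT->sh_info);
                return 1;
            }
            if(rand() % 4 < 3) {
                /* NOTE(review): spins forever if every header in
                   1..e_shnum-1 is an SHT_STRTAB; orcOrigSHT is indexed with
                   a bound taken from orcHDR -- confirm they still agree. */
                do {
                    l = 1 + (rand() % (orcHDR->e_shnum - 1));
                } while(orcOrigSHT[l].sh_type == SHT_STRTAB);
            } else {
                l = (Elf_Word) getElf_Half();
            }
            orcSHT->sh_link = l;
        } else {
            if(rand() % 2)
                orcSHT->sh_link = 1 + (rand() % (orcHDR->e_shnum - 1));
            else
                orcSHT->sh_link = (Elf_Word) getElf_Half();
        }
    } else {
        /* SHT_HASH / SHT_GNU_HASH: point sh_link away from symbol tables */
        if(rand() % 4 < 3) {
            /* NOTE(review): same non-termination hazard as above when every
               candidate header is a symbol table. */
            do {
                l = 1 + (rand() % (orcHDR->e_shnum - 1));
            } while(orcOrigSHT[l].sh_type == SHT_SYMTAB ||
                    orcOrigSHT[l].sh_type == SHT_DYNSYM);
        } else {
            l = (Elf_Word) getElf_Half();
        }
        orcSHT->sh_link = l;
    }

    fprintf(logfp, "(SHT[%d]->sh_link = 0x%x,", sh, orcSHT->sh_link);
    fprintf(logfp, " sh_info = 0x%x)", orcSHT->sh_info);

    return 1;
}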
/*
 * Randomise the sh_name string-table offset of the current section header.
 * One time in three a wide random value (Elf_Word or Elf_Half) is stored;
 * otherwise the offset is either 0 (one time in three) or a small value
 * below 0xff.
 */
void fuzzName()
{
    if(rand() % 3 == 0) {
        int wide = rand() % 2;
        orcSHT->sh_name = wide ? getElf_Word() : getElf_Half();
        return;
    }

    if(rand() % 3 == 0)
        orcSHT->sh_name = 0x00;
    else
        orcSHT->sh_name = (rand() % 0xff);
}
/*
 * Rule HDR13: make the two version fields of the ELF header invalid.
 * Half of the time both are pushed above EV_CURRENT, otherwise both are
 * zeroed. Always returns 1.
 *
 * Note that e_ident[EI_VERSION] is a single byte, so the high-path store
 * truncates and may wrap back to a small value for the largest draws.
 */
int hdr13(void)
{
    int above_current = rand() % 2;

    orcHDR->e_version = above_current ? getElf_Word() + EV_CURRENT + 1 : 0;
    orcHDR->e_ident[EI_VERSION] = above_current ? (rand() & 0xff) + EV_CURRENT + 1 : 0;

    fprintf(logfp, "(HDR->e_version = 0x%x, e_ident[EI_VERSION] = 0x%.2x)",
            orcHDR->e_version, orcHDR->e_ident[EI_VERSION]);

    return 1;
}
/*
 * Rule SYM3: fuzz st_value of the current symbol. Backs off 80% of the time
 * because st_value is also fuzzed by other rules. The new value is a random
 * address (75%) or a random Elf_Word.
 *
 * Returns 1 when the symbol was modified, 0 otherwise.
 */
int sym3(void)
{
    if(rand() % 5 < 4)
        return 0;

    int as_addr = (rand() % 4 < 3);
    orcSYM->st_value = as_addr ? getElf_Addr() : getElf_Word();

    fprintf(logfp, "(SYM[%d]->st_value = 0x"HEX")", entry, orcSYM->st_value);

    return 1;
}
/*
 * Rule PHT1: replace p_type. Half of the time a value below PT_NUM is drawn
 * (never PT_INTERP, and never PT_DYNAMIC / PT_NOTE while the DYN / NOTE
 * modes protect them); otherwise either a random value at or above PT_NUM
 * or PT_NULL is stored.
 *
 * PT_INTERP headers are never touched, DYN / NOTE protect their segment
 * types, and the rule backs off half of the time because p_type is
 * critical. Returns 1 when p_type was modified, 0 otherwise.
 */
int pht1(void)
{
    if(orcPHT->p_type == PT_INTERP)
        return 0;
    if(orcPHT->p_type == PT_DYNAMIC && (mode & DYN))
        return 0;
    if(orcPHT->p_type == PT_NOTE && (mode & NOTE))
        return 0;

    /* p_type is a critical field: 50% chance to leave it alone */
    if(rand() % 2)
        return 0;

    Elf_Word p_type;

    if(rand() % 2) {
        int keep;
        for(;;) {
            p_type = rand() % PT_NUM;
            if(p_type == 0)         /* PT_NULL ends the search */
                break;
            keep = 1;
            switch(p_type) {
            case PT_INTERP:
                keep = 0;
                break;
            case PT_DYNAMIC:
                keep = !(mode & DYN);
                break;
            case PT_NOTE:
                keep = !(mode & NOTE);
                break;
            default:
                break;
            }
            if(keep)
                break;
        }
    } else {
        p_type = (rand() % 2) ? getElf_Word() + PT_NUM : 0;
    }

    orcPHT->p_type = p_type;

    fprintf(logfp, "(PHT[%d]->p_type = 0x%x)", ph, orcPHT->p_type);

    return 1;
}
/*
 * Rule SHT29: give an SHT_HASH / SHT_GNU_HASH section an arbitrary sh_type.
 * Applied only one time in four. Returns 1 when modified, 0 otherwise.
 */
int sht29(void)
{
    if(orcSHT->sh_type != SHT_HASH && orcSHT->sh_type != SHT_GNU_HASH)
        return 0;

    if(rand() % 4 != 3)
        return 0;

    orcSHT->sh_type = getElf_Word();

    fprintf(logfp, "(SHT[%d]->sh_type = 0x%x)", sh, orcSHT->sh_type);

    return 1;
}
/*
 * Rule SYM9: in relocatable objects (ET_REL) st_value is a section offset;
 * replace it with a random Elf_Off (50%) or a random Elf_Word. Common
 * symbols (SHN_COMMON) are left alone.
 *
 * Returns 1 when the symbol was modified, 0 otherwise.
 */
int sym9(void)
{
    if(orcHDR->e_type != ET_REL)
        return 0;
    if(orcSYM->st_shndx == SHN_COMMON)
        return 0;

    int as_off = rand() % 2;
    orcSYM->st_value = as_off ? getElf_Off() : getElf_Word();

    fprintf(logfp, "(SYM[%d]->st_value = 0x"HEX")", entry, orcSYM->st_value);

    return 1;
}
/*
 * Rule PHT5: fuzz p_align. Half of the time the value is set to one off a
 * page size (PAGESIZE - 1 or PAGESIZE + 1, i.e. never a power of two);
 * otherwise an arbitrary value is stored. Always returns 1.
 */
int pht5(void)
{
    if(rand() % 2) {
        orcPHT->p_align = (rand() % 2) ? PAGESIZE - 1 : PAGESIZE + 1;
    } else {
#if defined(__i386__)
        orcPHT->p_align = getElf_Word();
#elif defined(__x86_64__)
        orcPHT->p_align = getElf_Xword();
#endif
    }

    fprintf(logfp, "(PHT[%d]->p_align = 0x"HEX")", ph, orcPHT->p_align);

    return 1;
}
/*
 * Rule SYM2: fuzz st_name of the current symbol. Backs off 80% of the time
 * (the symbol name matters), and a further 50% under REL mode. The new
 * offset is a random Elf_Word (25%) or a small value below 0x100.
 *
 * Returns 1 when the symbol was modified, 0 otherwise.
 */
int sym2(void)
{
    if(rand() % 5 < 4)
        return 0;
    if((mode & REL) && rand() % 2)
        return 0;

    int wide = (rand() % 4 == 0);
    orcSYM->st_name = wide ? getElf_Word() : (rand() & 0xff);

    fprintf(logfp, "(SYM[%d]->st_name = 0x%x)", entry, orcSYM->st_name);

    return 1;
}
/*
 * Rule SHT7: replace sh_type of the current section header.
 *
 * Sections whose type is needed by an active mode (STRS, NOTE, DYN, SYM, REL)
 * are left alone; any other type is still skipped 75% of the time. The new
 * type is (75%) a random SHT_* below SHT_NUM that again avoids the protected
 * kinds, or (25%) an arbitrary Elf_Word.
 *
 * Returns 1 when the header was modified, 0 otherwise.
 */
int sht7(void)
{
    /* Metadata dependencies of the current section type */
    int protected = 0;
    switch(orcSHT->sh_type) {
    case SHT_STRTAB:
        protected = mode & STRS;
        break;
    case SHT_NOTE:
        protected = mode & NOTE;
        break;
    case SHT_DYNAMIC:
        protected = mode & DYN;
        break;
    case SHT_SYMTAB:
    case SHT_DYNSYM:
        /* In REL mode the symbol table's sh_type is still needed */
        protected = mode & (SYM | REL);
        break;
    case SHT_RELA:
    case SHT_REL:
        protected = mode & REL;
        break;
    default:
        protected = (rand() % 4 < 3);
        break;
    }
    if(protected)
        return 0;

    if(rand() % 4 < 3) {
        Elf_Word t;
        int keep;
        for(;;) {
            t = rand() % SHT_NUM;
            if(t == 0)              /* SHT_NULL is always accepted */
                break;
            keep = 1;
            switch(t) {
            case SHT_STRTAB:
                keep = !(mode & STRS);
                break;
            case SHT_NOTE:
                keep = !(mode & NOTE);
                break;
            case SHT_DYNAMIC:
                keep = !(mode & DYN);
                break;
            case SHT_SYMTAB:
            case SHT_DYNSYM:
                keep = !(mode & (SYM | REL));
                break;
            case SHT_REL:
            case SHT_RELA:
                keep = !(mode & REL);
                break;
            default:
                break;
            }
            if(keep)
                break;
        }
        orcSHT->sh_type = t;
    } else {
        orcSHT->sh_type = getElf_Word();
    }

    fprintf(logfp, "(SHT[%d]->sh_type = 0x%x)", sh, orcSHT->sh_type);

    return 1;
}
/*
 * Rule SHT17: fuzz the header of a DWARF debug section (.debug_aranges,
 * .debug_info, .debug_abbrev, .debug_line or .debug_str).
 *
 * Half of the time sh_type is replaced, either by a random SHT_* value that
 * avoids the section kinds protected by the active mode (50%) or by an
 * arbitrary Elf_Word. sh_flags, sh_size and sh_entsize are then always
 * handed to fuzzFlags() / fuzzSize() / fuzzEntSize().
 *
 * Returns 0 for SHT entry 0 or when the current header is not one of those
 * sections, 1 after fuzzing.
 */
int sht17(void)
{
    /* Never touch the reserved first entry of the SHT */
    if(sh == 0)
        return 0;

    static const char *const debug_names[] = {
        ".debug_aranges", ".debug_info", ".debug_abbrev", ".debug_line", ".debug_str"
    };
    int is_debug = 0;
    size_t i;
    for(i = 0; i < sizeof debug_names / sizeof debug_names[0]; i++) {
        if(findSectionIndexByName(debug_names[i]) == sh)
            is_debug = 1;
    }
    if(!is_debug)
        return 0;

    if(rand() % 2) {
        if(rand() % 2) {
            Elf_Word t;
            int keep;
            for(;;) {
                t = rand() % SHT_NUM;
                if(t == 0)          /* SHT_NULL is always accepted */
                    break;
                keep = 1;
                switch(t) {
                case SHT_STRTAB:
                    keep = !(mode & STRS);
                    break;
                case SHT_NOTE:
                    keep = !(mode & NOTE);
                    break;
                case SHT_DYNAMIC:
                    keep = !(mode & DYN);
                    break;
                case SHT_SYMTAB:
                case SHT_DYNSYM:
                    /* In REL mode the symbol table's sh_type is still needed */
                    keep = !(mode & (SYM | REL));
                    break;
                case SHT_REL:
                case SHT_RELA:
                    keep = !(mode & REL);
                    break;
                default:
                    break;
                }
                if(keep)
                    break;
            }
            orcSHT->sh_type = t;
        } else {
            orcSHT->sh_type = getElf_Word();
        }
    }

    fuzzFlags();
    fuzzSize();
    fuzzEntSize();

    fprintf(logfp, "(SHT[%d]->sh_type = 0x%x,", sh, orcSHT->sh_type);
    fprintf(logfp, " sh_flags = 0x"HEX",", orcSHT->sh_flags);
    fprintf(logfp, " sh_size = 0x"HEX",", orcSHT->sh_size);
    fprintf(logfp, " sh_entsize = 0x"HEX")", orcSHT->sh_entsize);

    return 1;
}
/*
 * Rule PHT22: fuzz the PT_DYNAMIC segment of the original PHT.
 *
 * If a PT_DYNAMIC header exists, every field but p_type is randomised
 * (p_offset only one time in three); the rule backs off under DYN mode and
 * half of the time otherwise. If there is no PT_DYNAMIC, the first PT_NULL
 * header -- or, failing that, the first PT_GNU_STACK -- is retyped to
 * PT_DYNAMIC (again unless DYN mode is active).
 *
 * Returns 1 when a header was modified, 0 otherwise.
 */
int pht22(void)
{
    Elf_Phdr *hdr = orcOrigPHT;
    Elf_Phdr *dyn = NULL;
    int idx;

    for(idx = 0; idx < orcHDR->e_phnum; idx++, hdr++) {
        if(hdr->p_type == PT_DYNAMIC) {
            dyn = hdr;
            break;
        }
    }

    if(dyn != NULL) {
        if(mode & DYN)
            return 0;
        /* PT_DYNAMIC is important: 50% chance to leave it alone */
        if(rand() % 2)
            return 0;

        if(rand() % 3 == 0)
            dyn->p_offset = getElf_Off();
        dyn->p_vaddr = getElf_Addr();
#if defined(__i386__)
        dyn->p_filesz = getElf_Word();
        dyn->p_memsz = getElf_Word();
#elif defined(__x86_64__)
        dyn->p_filesz = getElf_Xword();
        dyn->p_memsz = getElf_Xword();
#endif
        dyn->p_flags = getElf_Word();
#if defined(__i386__)
        dyn->p_align = getElf_Word();
#elif defined(__x86_64__)
        dyn->p_align = getElf_Xword();
#endif

        fprintf(logfp, "(PHT[%d]->p_offset = 0x"HEX",", idx, dyn->p_offset);
        fprintf(logfp, " p_vaddr = 0x"HEX",", dyn->p_vaddr);
        fprintf(logfp, " p_filesz = 0x"HEX",", dyn->p_filesz);
        fprintf(logfp, " p_memsz = 0x"HEX",", dyn->p_memsz);
        fprintf(logfp, " p_flags = 0x%x,", dyn->p_flags);
        fprintf(logfp, " p_align = 0x"HEX")", dyn->p_align);
        return 1;
    }

    /* No PT_DYNAMIC: prefer turning a PT_NULL into one */
    for(idx = 0, hdr = orcOrigPHT; idx < orcHDR->e_phnum; idx++, hdr++) {
        if(hdr->p_type == PT_NULL) {
            if(mode & DYN)
                return 0;
            hdr->p_type = PT_DYNAMIC;
            fprintf(logfp, "(PHT[%d]->p_type = 0x%x)", idx, hdr->p_type);
            return 1;
        }
    }

    /* Lower priority than overwriting a PT_NULL: take a PT_GNU_STACK */
    for(idx = 0, hdr = orcOrigPHT; idx < orcHDR->e_phnum; idx++, hdr++) {
        if(hdr->p_type == PT_GNU_STACK) {
            if(mode & DYN)
                return 0;
            hdr->p_type = PT_DYNAMIC;
            fprintf(logfp, "(PHT[%d]->p_type = 0x%x)", idx, hdr->p_type);
            return 1;
        }
    }

    return 0;
}
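/*
 * Rule PHT19: play with the PT_PHDR entry of the original PHT.
 *
 * Three equally likely outcomes:
 *   0: the first PT_PHDR found is retyped to a random value ("deleted");
 *   1: the header right after the last PT_PHDR is also made a PT_PHDR (when
 *      the last PT_PHDR is already the final header it is rewritten in
 *      place, which is a no-op);
 *   2: the final header of the PHT is made a PT_PHDR.
 * Outcomes 1 and 2 refuse to retype a PT_DYNAMIC / PT_NOTE header while the
 * DYN / NOTE mode protects it.
 *
 * Returns 1 when the rule ran, 0 when it backed off.
 * NOTE(review): outcome 0 returns 1 even when no PT_PHDR exists and nothing
 * was modified or logged (behaviour kept as is).
 */
int pht19(void)
{
    /* Every outcome indexes orcOrigPHT; with no program headers at all the
       last one would read orcOrigPHT[-1]. */
    if(orcHDR->e_phnum == 0)
        return 0;

    Elf_Phdr *tmpPHT = orcOrigPHT;
    int p;
    int r = rand();

    if(r % 3 == 0) {
        /* Delete the PT_PHDR from the PHT */
        for(p = 0; p < orcHDR->e_phnum; p++, tmpPHT++) {
            if(tmpPHT->p_type == PT_PHDR) {
                tmpPHT->p_type = getElf_Word();
                fprintf(logfp, "(PHT[%d]->p_type = 0x%x)", p, tmpPHT->p_type);
                break;
            }
        }
        return 1;
    }

    if(r % 3 == 1) {
        /* Create an extra PT_PHDR right after the last one found */
        int last_PT = -1;
        for(p = 0; p < orcHDR->e_phnum; p++, tmpPHT++)
            if(tmpPHT->p_type == PT_PHDR)
                last_PT = p;
        if(last_PT == -1)
            return 0;

        int at_end = (last_PT == orcHDR->e_phnum - 1);
        Elf_Phdr *target = &orcOrigPHT[at_end ? last_PT : last_PT + 1];

        if((mode & DYN) && target->p_type == PT_DYNAMIC)
            return 0;
        if((mode & NOTE) && target->p_type == PT_NOTE)
            return 0;

        target->p_type = PT_PHDR;
        if(at_end)
            fprintf(logfp, "(PHT[%d]->p_type = 0x%x)", last_PT, target->p_type);
        else
            fprintf(logfp, "(PHT[%d + 1]->p_type = 0x%x)", last_PT, target->p_type);
        return 1;
    }

    /* Set to PT_PHDR the last entry in the PHT (after the PT_LOAD segments) */
    Elf_Phdr *last = &orcOrigPHT[orcHDR->e_phnum - 1];
    if((mode & DYN) && last->p_type == PT_DYNAMIC)
        return 0;
    if((mode & NOTE) && last->p_type == PT_NOTE)
        return 0;

    last->p_type = PT_PHDR;
    fprintf(logfp, "(PHT[%d - 1]->p_type = 0x%x)", orcHDR->e_phnum, last->p_type);

    return 1;
}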
/*
 * Rule SHT19: fuzz the header of ".rodata" or ".rodata1".
 *
 * Half of the time sh_type is replaced, either by a random SHT_* value that
 * avoids the section kinds protected by the active mode (50%) or by an
 * arbitrary Elf_Word. sh_flags, sh_size and sh_entsize are then always
 * handed to fuzzFlags() / fuzzSize() / fuzzEntSize().
 *
 * Returns 0 for SHT entry 0 or when the current header is neither section,
 * 1 after fuzzing.
 */
int sht19(void)
{
    /* Never touch the reserved first entry of the SHT */
    if(sh == 0)
        return 0;

    static const char *const ro_names[] = { ".rodata", ".rodata1" };
    int is_rodata = 0;
    size_t i;
    for(i = 0; i < sizeof ro_names / sizeof ro_names[0]; i++) {
        if(findSectionIndexByName(ro_names[i]) == sh)
            is_rodata = 1;
    }
    if(!is_rodata)
        return 0;

    if(rand() % 2) {
        if(rand() % 2) {
            Elf_Word t;
            int keep;
            for(;;) {
                t = rand() % SHT_NUM;
                if(t == 0)          /* SHT_NULL is always accepted */
                    break;
                keep = 1;
                switch(t) {
                case SHT_STRTAB:
                    keep = !(mode & STRS);
                    break;
                case SHT_NOTE:
                    keep = !(mode & NOTE);
                    break;
                case SHT_DYNAMIC:
                    keep = !(mode & DYN);
                    break;
                case SHT_SYMTAB:
                case SHT_DYNSYM:
                    /* In REL mode the symbol table's sh_type is still needed */
                    keep = !(mode & (SYM | REL));
                    break;
                case SHT_REL:
                case SHT_RELA:
                    keep = !(mode & REL);
                    break;
                default:
                    break;
                }
                if(keep)
                    break;
            }
            orcSHT->sh_type = t;
        } else {
            orcSHT->sh_type = getElf_Word();
        }
    }

    fuzzFlags();
    fuzzSize();
    fuzzEntSize();

    fprintf(logfp, "(SHT[%d]->sh_type = 0x%x,", sh, orcSHT->sh_type);
    fprintf(logfp, " sh_flags = 0x"HEX",", orcSHT->sh_flags);
    fprintf(logfp, " sh_size = 0x"HEX",", orcSHT->sh_size);
    fprintf(logfp, " sh_entsize = 0x"HEX")", orcSHT->sh_entsize);

    return 1;
}
/*
 * Rule SHT24: fuzz the header of ".init" or ".fini".
 *
 * sh_type becomes (50%) a random SHT_* value that is neither SHT_PROGBITS
 * nor a kind protected by the active mode, or (50%) an arbitrary Elf_Word.
 * sh_flags then either loses SHF_ALLOC and SHF_EXECINSTR, becomes a random
 * Elf_Word, or is cleared, each with probability 1/3.
 *
 * Returns 0 for SHT entry 0 or when the current header is neither section,
 * 1 after fuzzing.
 */
int sht24(void)
{
    /* Never touch the reserved first entry of the SHT */
    if(sh == 0)
        return 0;

    static const char *const names[] = { ".init", ".fini" };
    int matched = 0;
    size_t i;
    for(i = 0; i < sizeof names / sizeof names[0]; i++) {
        if(findSectionIndexByName(names[i]) == sh)
            matched = 1;
    }
    if(!matched)
        return 0;

    if(rand() % 2) {
        Elf_Word t;
        int keep;
        for(;;) {
            t = rand() % SHT_NUM;
            if(t == 0)              /* SHT_NULL is always accepted */
                break;
            keep = 1;
            switch(t) {
            case SHT_PROGBITS:
                keep = 0;           /* that is what these sections already are */
                break;
            case SHT_STRTAB:
                keep = !(mode & STRS);
                break;
            case SHT_NOTE:
                keep = !(mode & NOTE);
                break;
            case SHT_DYNAMIC:
                keep = !(mode & DYN);
                break;
            case SHT_SYMTAB:
            case SHT_DYNSYM:
                /* In REL mode the symbol table's sh_type is still needed */
                keep = !(mode & (SYM | REL));
                break;
            case SHT_REL:
            case SHT_RELA:
                keep = !(mode & REL);
                break;
            default:
                break;
            }
            if(keep)
                break;
        }
        orcSHT->sh_type = t;
    } else {
        orcSHT->sh_type = getElf_Word();
    }

    switch(rand() % 3) {
    case 0:
        orcSHT->sh_flags &= ~(SHF_ALLOC | SHF_EXECINSTR);
        break;
    case 1:
        orcSHT->sh_flags = getElf_Word();
        break;
    default:
        orcSHT->sh_flags = 0x00;
        break;
    }

    fprintf(logfp, "(SHT[%d]->sh_type = 0x%x,", sh, orcSHT->sh_type);
    fprintf(logfp, " sh_flags = 0x"HEX")", orcSHT->sh_flags);

    return 1;
}
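/*
 * Rule PHT9: fuzz around the PT_INTERP program header. Backs off one time
 * in three because p_type is critical. Then:
 *   25%: retype this header to any value other than PT_INTERP (and other
 *        than PT_DYNAMIC / PT_NOTE while DYN / NOTE protect them);
 *   25%: overwrite the interpreter path string in the original PT_INTERP
 *        segment with dirname_orcfname;
 *   50%: turn the previous (50%) or the next header of the original PHT
 *        into a second PT_INTERP, subject to the DYN / NOTE protections.
 *
 * Returns 1 when the rule ran, 0 when it backed off.
 * NOTE(review): in the last outcome, when the coin picks "next" and ph is
 * already the final header, nothing is modified but 1 is still returned
 * (behaviour kept as is).
 */
int pht9(void)
{
    if(orcPHT->p_type != PT_INTERP)
        return 0;

    /* p_type is a critical field: 33% chance to leave it alone */
    if(rand() % 3 == 0)
        return 0;

    int r = rand();

    if(r % 4 == 0) {
        Elf_Word p_type;
        int keep;
        for(;;) {
            p_type = getElf_Word();
            if(p_type == 0)         /* PT_NULL ends the search */
                break;
            keep = 1;
            switch(p_type) {
            case PT_INTERP:
                keep = 0;
                break;
            case PT_DYNAMIC:
                keep = !(mode & DYN);
                break;
            case PT_NOTE:
                keep = !(mode & NOTE);
                break;
            default:
                break;
            }
            if(keep)
                break;
        }
        orcPHT->p_type = p_type;
        fprintf(logfp, "(PHT[%d]->p_type = 0x%x)", ph, orcPHT->p_type);
        return 1;
    }

    if(r % 4 == 1) {
        Elf_Phdr *tmpPHT = elfPHT;
        int k;
        for(k = 0; k < elfHDR->e_phnum; k++, tmpPHT++) {
            if(tmpPHT->p_type != PT_INTERP)
                continue;

            size_t len = strlen(dirname_orcfname);
            /* Bound the write by the segment that holds the interpreter
               string. Previously strlen() bytes were copied unconditionally,
               so a path longer than the segment clobbered whatever followed
               it in the mapping and could run past the mapping's end. A path
               that does not fit skips the rule instead of being truncated.
               NOTE(review): p_offset / p_filesz still come from the input
               file; confirm the loader that sets up orcptr validated that
               they lie inside the mapping. */
            if(len + 1 > tmpPHT->p_filesz)
                return 0;

            memcpy(orcptr + tmpPHT->p_offset, dirname_orcfname, len);
            *(orcptr + tmpPHT->p_offset + len) = '\0';
            fprintf(logfp, "(PHT[PT_INTERP] = %s)", orcptr + tmpPHT->p_offset);
            return 1;
        }
        return 0;   /* no PT_INTERP in the original PHT */
    }

    /* Make a neighbouring header a second PT_INTERP */
    if(ph <= 0)
        return 0;

    if(rand() % 2) {
        if((mode & DYN) && orcOrigPHT[ph - 1].p_type == PT_DYNAMIC)
            return 0;
        if((mode & NOTE) && orcOrigPHT[ph - 1].p_type == PT_NOTE)
            return 0;
        orcOrigPHT[ph - 1].p_type = PT_INTERP;
        fprintf(logfp, "(PHT[%d - 1]->p_type = 0x%x)", ph, orcOrigPHT[ph - 1].p_type);
    } else if(ph < (orcHDR->e_phnum - 1)) {
        if((mode & DYN) && orcOrigPHT[ph + 1].p_type == PT_DYNAMIC)
            return 0;
        if((mode & NOTE) && orcOrigPHT[ph + 1].p_type == PT_NOTE)
            return 0;
        orcOrigPHT[ph + 1].p_type = PT_INTERP;
        fprintf(logfp, "(PHT[%d + 1]->p_type = 0x%x)", ph, orcOrigPHT[ph + 1].p_type);
    }

    return 1;
}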