What does sample_name mean? #40

Open
gonbbb opened this issue Mar 17, 2022 · 4 comments

Comments


gonbbb commented Mar 17, 2022

There is an argument -sample in synthesizer.py. If this argument is not included, the encode() call below is made on a NoneType and processing stops when running synthesizer.py (this).

har_parser.add_argument("-sample", "--sample-name", dest="sample_name", type=str,
default=None, help="name of the original sample name",
required=False)

winnie/harnessgen/common.py

Lines 650 to 652 in b046bce

if self.sample_name.encode() in first_string:
arguments.append("filename")
continue


gonbbb commented Mar 19, 2022

For example, I run the following command. The contents of input\test are Hello, World!.

$ pin.exe -t \path\to\tools\Tracer\x64\Debug\Tracer.dll -logfile "\path\to\cor1_1" -trace_mode "all" -only_to_target "\path\to\toy_example.exe " -only_to_lib "example_library.dll " -- path\to\toy_example.exe "input\test"

Next, I run the following command, and I tried two options for -sample.

$ python3 synthesizer.py harness -t drltrace.PID.log -d memdump -s "test" -sample ""

case -sample ""

typedef int (__cdecl *_func_t)(int, int, int, int, int, int, int, int, int);
void fuzz_me(char* filename){

    _func_t _func;

    /* Harness function #0 */
    LOAD_FUNC(dlllib, );
    int _ret = _func(filename, filename, filename, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0);
    dbg_printf(", ret = %d\n", _ret);

}

case -sample "Hello"

typedef int (__cdecl *_func_t)(int, int, int, int, int, int, int, int, int);
void fuzz_me(char* filename){

    _func_t _func;

    /* Harness function #0 */
    LOAD_FUNC(dlllib, );
    int _ret = _func(filename, *((int*)c0_a0[232]), 0x6c6c6548, 0x57202c6f, 0x646c726f, 0xa0d21, 0x0, 0x0, 0x0);
    dbg_printf(", ret = %d\n", _ret);

}

I think the latter option is incorrect, because a compile error was printed: *((int*)c0_a0[232]) is undefined.

p.s.
Is it possible to edit this harness (for example, add a variable declaration for c0_a0 and change LOAD_FUNC(dlllib, ); to LOAD_FUNC(dlllib, 0);) and then use winnie to apply fuzzing?
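The two comments above show what the quoted common.py check does with the -sample value: it tests `self.sample_name.encode() in first_string` against each traced argument, and the "Hello" harness shows the sample's contents (Hello, World! followed by CRLF) emitted as 4-byte little-endian integer literals. The following Python is an added illustration, not Winnie's own code: `original_name_check` reproduces the quoted line verbatim to show its two failure modes (None raises AttributeError; the empty string matches every argument, which is why every argument became `filename` in the `-sample ""` case), `classify_argument` is a hypothetical hardened version of that decision, and `int_literals_le` shows how the sample bytes map to the literals seen in the generated harness. The traced argument bytes are constructed here and the function names are assumptions of this example.

```python
import struct
from typing import Dict, List, Optional


def original_name_check(first_string: bytes, sample_name: Optional[str]) -> bool:
    """Verbatim logic of the common.py line quoted in the issue (no None guard).

    - sample_name is None  -> AttributeError: 'NoneType' object has no attribute 'encode'
    - sample_name is ""    -> b"" in anything is True, so every argument is a 'filename'
    """
    return sample_name.encode() in first_string


def int_literals_le(data: bytes) -> List[str]:
    """Split data into 4-byte little-endian integer literals, as the generated
    harness does for inline sample contents (b"Hell" -> 0x6c6c6548).
    The final chunk is zero-padded to 4 bytes."""
    literals = []
    for offset in range(0, len(data), 4):
        chunk = data[offset:offset + 4].ljust(4, b"\x00")
        literals.append(hex(struct.unpack("<I", chunk)[0]))
    return literals


def classify_argument(first_string: bytes,
                      sample_name: Optional[str],
                      sample_bytes: bytes) -> Dict[str, object]:
    """Hypothetical hardened classification of one traced argument.

    'filename'  - the argument string references the sample by name
    'contents'  - the argument buffer carries the sample's bytes inline
    'unknown'   - neither; the caller can leave the slot as 0x0

    Both None and "" are rejected up front so the name test can neither crash
    nor match everything.
    """
    if sample_name and sample_name.encode() in first_string:
        return {"kind": "filename", "literals": []}
    if sample_bytes and sample_bytes in first_string:
        return {"kind": "contents", "literals": int_literals_le(sample_bytes)}
    return {"kind": "unknown", "literals": []}


if __name__ == "__main__":
    # Constructed sample: the issue's input\test holds "Hello, World!" + CRLF.
    sample_bytes = b"Hello, World!\r\n"
    # Constructed "traced" arguments: a path containing the sample name and a
    # buffer containing the sample's bytes.
    traced_args = [b"C:\\work\\input\\test", sample_bytes, b"unrelated"]
    for arg in traced_args:
        print(arg, "->", classify_argument(arg, "test", sample_bytes))
    print("literals:", int_literals_le(sample_bytes))
```

Running the block prints `filename` for the path argument, `contents` with the literals `0x6c6c6548 0x57202c6f 0x646c726f 0xa0d21` (the same values as in the "Hello" harness above) for the buffer argument, and `unknown` for the rest; passing `None` or `""` to `original_name_check` reproduces the crash and the match-everything behaviour respectively.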

@Vulmatch

I tried using their provided toy_sample. In this case, -sample needs to point to the built example_library.dll. Then in the CLI, it outputs the generated harness code.

@mineechor

@LeoLiu-2020 @gonbbb I'm also interested in this problem. If you have figured it out, can you tell me more details?

@Vulmatch

@LeoLiu-2020 @gonbbb I'm also interested in this problem. If you have figured it out, can you tell me more details?

It's been a while since I answered this problem. But I think what I wanted to say is that I tested the command with their provided sample called example_library.dll, and the parameter for the -sample flag should be the path of example_library.dll.
