Hello from windows
Your Name committed Jan 11, 2025
1 parent 3aa6e54 commit 07de32e
Showing 3 changed files with 92 additions and 67 deletions.
23 changes: 14 additions & 9 deletions libafl/src/executors/hooks/inprocess.rs
Expand Up @@ -23,8 +23,6 @@ use windows::Win32::System::Threading::{CRITICAL_SECTION, PTP_TIMER};
use crate::executors::hooks::timer::TimerStruct;
#[cfg(all(unix, feature = "std"))]
use crate::executors::hooks::unix::unix_signal_handler;
#[cfg(windows)]
use crate::state::State;
#[cfg(any(unix, windows))]
use crate::{corpus::Corpus, observers::ObserversTuple};
use crate::{
Expand Down Expand Up @@ -271,14 +269,18 @@ impl<S> InProcessHooks<S> {
#[allow(unused_variables)] // for `exec_tmout` without `std`
pub fn new<E, EM, OF, Z>(exec_tmout: Duration) -> Result<Self, Error>
where
E: Executor<EM, Z> + HasObservers + HasInProcessHooks<E::State>,
E::Observers: ObserversTuple<<E::State as UsesInput>::Input, E::State>,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
OF: Feedback<EM, E::Input, E::Observers, E::State>,
E::State: State + HasExecutions + HasSolutions + HasCorpus,
E: Executor<EM, <S::Corpus as Corpus>::Input, S, Z> + HasObservers + HasInProcessHooks<S>,
E::Observers: ObserversTuple<<S as UsesInput>::Input, S>,
EM: EventFirer<State = S> + EventRestarter<State = S>,
OF: Feedback<EM, <S::Corpus as Corpus>::Input, E::Observers, S>,
S: HasExecutions
+ HasSolutions
+ HasCorpus
+ HasCurrentTestcase
+ UsesInput<Input = <S::Corpus as Corpus>::Input>,
Z: HasObjective<Objective = OF>,
<<E as UsesState>::State as HasSolutions>::Solutions: Corpus<Input = E::Input>, //delete me
<<<E as UsesState>::State as HasCorpus>::Corpus as Corpus>::Input: Clone, //delete me
<S::Corpus as Corpus>::Input: Input + Clone,
S::Solutions: Corpus<Input = <S::Corpus as Corpus>::Input>,
{
let ret;
#[cfg(feature = "std")]
Expand All @@ -288,6 +290,7 @@ impl<S> InProcessHooks<S> {
E,
EM,
OF,
S,
Z,
>();
setup_exception_handler(data)?;
Expand All @@ -297,13 +300,15 @@ impl<S> InProcessHooks<S> {
E,
EM,
OF,
S,
Z,
> as *const _;
let timeout_handler =
crate::executors::hooks::windows::windows_exception_handler::inproc_timeout_handler::<
E,
EM,
OF,
S,
Z,
> as *const c_void;
let timer = TimerStruct::new(exec_tmout, timeout_handler);
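Review bot: In the rewritten where clause of `InProcessHooks::new`, the `E::Observers` bound spells the input type as `<S as UsesInput>::Input`, while every other bound in that clause, and the matching `ObserversTuple` bounds on the handlers in libafl/src/executors/hooks/windows.rs, use `<S::Corpus as Corpus>::Input`. The two are equal only through the `UsesInput<Input = <S::Corpus as Corpus>::Input>` bound on `S`, so a reader has to check that equality before trusting that `new` and the handlers it casts to raw pointers agree on the input type. I would write it as `E::Observers: ObserversTuple<<S::Corpus as Corpus>::Input, S>,` to match. The body of `new` continues past the end of the last hunk.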
110 changes: 63 additions & 47 deletions libafl/src/executors/hooks/windows.rs
Expand Up @@ -17,23 +17,27 @@ pub mod windows_asan_handler {
},
feedbacks::Feedback,
fuzzer::HasObjective,
inputs::UsesInput,
inputs::{Input, UsesInput},
observers::ObserversTuple,
state::{HasCorpus, HasExecutions, HasSolutions, UsesState},
state::{HasCorpus, HasCurrentTestcase, HasExecutions, HasSolutions},
};

/// # Safety
/// ASAN deatch handler
pub unsafe extern "C" fn asan_death_handler<E, EM, OF, Z>()
pub unsafe extern "C" fn asan_death_handler<E, EM, OF, S, Z>()
where
E: Executor<EM, Z> + HasObservers,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
OF: Feedback<EM, E::Input, E::Observers, E::State>,
E::State: HasExecutions + HasSolutions + HasCorpus,
E::Observers: ObserversTuple<<E::State as UsesInput>::Input, E::State>,
E: Executor<EM, <S::Corpus as Corpus>::Input, S, Z> + HasObservers,
E::Observers: ObserversTuple<<S::Corpus as Corpus>::Input, S>,
EM: EventFirer<State = S> + EventRestarter<State = S>,
OF: Feedback<EM, <S::Corpus as Corpus>::Input, E::Observers, S>,
S: HasExecutions
+ HasSolutions
+ HasCurrentTestcase
+ HasCorpus
+ UsesInput<Input = <S::Corpus as Corpus>::Input>,
S::Solutions: Corpus<Input = <S::Corpus as Corpus>::Input>,
Z: HasObjective<Objective = OF>,
<<E as UsesState>::State as HasSolutions>::Solutions: Corpus<Input = E::Input>, //delete me
<<<E as UsesState>::State as HasCorpus>::Corpus as Corpus>::Input: Clone, //delete me
<S::Corpus as Corpus>::Input: Input + Clone,
{
let data = &raw mut GLOBAL_STATE;
(*data).set_in_handler(true);
Expand Down Expand Up @@ -78,16 +82,16 @@ pub mod windows_asan_handler {
(*data).ptp_timer = None;
}

let state = (*data).state_mut::<E::State>();
let state = (*data).state_mut::<S>();
let fuzzer = (*data).fuzzer_mut::<Z>();
let event_mgr = (*data).event_mgr_mut::<EM>();

log::error!("Child crashed!");

// Make sure we don't crash in the crash handler forever.
let input = (*data).take_current_input::<<E::State as UsesInput>::Input>();
let input = (*data).take_current_input::<<S::Corpus as Corpus>::Input>();

run_observers_and_save_state::<E, EM, OF, Z>(
run_observers_and_save_state::<E, EM, OF, S, Z>(
executor,
state,
input,
Expand Down Expand Up @@ -138,7 +142,7 @@ pub mod windows_exception_handler {
fuzzer::HasObjective,
inputs::{Input, UsesInput},
observers::ObserversTuple,
state::{HasCorpus, HasExecutions, HasSolutions, State, UsesState},
state::{HasCorpus, HasCurrentTestcase, HasExecutions, HasSolutions},
};

pub(crate) type HandlerFuncPtr =
Expand Down Expand Up @@ -182,16 +186,20 @@ pub mod windows_exception_handler {
/// # Safety
/// Well, exception handling is not safe
#[cfg(feature = "std")]
pub fn setup_panic_hook<E, EM, OF, Z>()
pub fn setup_panic_hook<E, EM, OF, S, Z>()
where
E: HasObservers + Executor<EM, Z>,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
OF: Feedback<EM, E::Input, E::Observers, E::State>,
E::State: HasExecutions + HasSolutions + HasCorpus,
E::Observers: ObserversTuple<<E::State as UsesInput>::Input, E::State>,
E: Executor<EM, <S::Corpus as Corpus>::Input, S, Z> + HasObservers,
E::Observers: ObserversTuple<<S::Corpus as Corpus>::Input, S>,
EM: EventFirer<State = S> + EventRestarter<State = S>,
OF: Feedback<EM, <S::Corpus as Corpus>::Input, E::Observers, S>,
S: HasExecutions
+ HasSolutions
+ HasCurrentTestcase
+ HasCorpus
+ UsesInput<Input = <S::Corpus as Corpus>::Input>,
S::Solutions: Corpus<Input = <S::Corpus as Corpus>::Input>,
Z: HasObjective<Objective = OF>,
<<E as UsesState>::State as HasSolutions>::Solutions: Corpus<Input = E::Input>, //delete me
<<<E as UsesState>::State as HasCorpus>::Corpus as Corpus>::Input: Clone, //delete me
<S::Corpus as Corpus>::Input: Input + Clone,
{
let old_hook = panic::take_hook();
panic::set_hook(Box::new(move |panic_info| unsafe {
Expand All @@ -216,13 +224,13 @@ pub mod windows_exception_handler {
if (*data).is_valid() {
// We are fuzzing!
let executor = (*data).executor_mut::<E>();
let state = (*data).state_mut::<E::State>();
let state = (*data).state_mut::<S>();
let fuzzer = (*data).fuzzer_mut::<Z>();
let event_mgr = (*data).event_mgr_mut::<EM>();

let input = (*data).take_current_input::<<E::State as UsesInput>::Input>();
let input = (*data).take_current_input::<<S::Corpus as Corpus>::Input>();

run_observers_and_save_state::<E, EM, OF, Z>(
run_observers_and_save_state::<E, EM, OF, S, Z>(
executor,
state,
input,
Expand All @@ -242,19 +250,23 @@ pub mod windows_exception_handler {
///
/// # Safety
/// Well, exception handling is not safe
pub unsafe extern "system" fn inproc_timeout_handler<E, EM, OF, Z>(
pub unsafe extern "system" fn inproc_timeout_handler<E, EM, OF, S, Z>(
_p0: *mut u8,
global_state: *mut c_void,
_p1: *mut u8,
) where
E: HasObservers + HasInProcessHooks<E::State> + Executor<EM, Z>,
E::Observers: ObserversTuple<<E::State as UsesInput>::Input, E::State>,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
OF: Feedback<EM, E::Input, E::Observers, E::State>,
E::State: State + HasExecutions + HasSolutions + HasCorpus,
E: Executor<EM, <S::Corpus as Corpus>::Input, S, Z> + HasInProcessHooks<S> + HasObservers,
E::Observers: ObserversTuple<<S::Corpus as Corpus>::Input, S>,
EM: EventFirer<State = S> + EventRestarter<State = S>,
OF: Feedback<EM, <S::Corpus as Corpus>::Input, E::Observers, S>,
S: HasExecutions
+ HasSolutions
+ HasCurrentTestcase
+ HasCorpus
+ UsesInput<Input = <S::Corpus as Corpus>::Input>,
Z: HasObjective<Objective = OF>,
<<E as UsesState>::State as HasSolutions>::Solutions: Corpus<Input = E::Input>, //delete me
<<<E as UsesState>::State as HasCorpus>::Corpus as Corpus>::Input: Clone, //delete me
<S::Corpus as Corpus>::Input: Input + Clone,
S::Solutions: Corpus<Input = <S::Corpus as Corpus>::Input>,
{
let data: &mut InProcessExecutorHandlerData =
&mut *(global_state as *mut InProcessExecutorHandlerData);
Expand All @@ -277,7 +289,7 @@ pub mod windows_exception_handler {

if data.in_target == 1 {
let executor = data.executor_mut::<E>();
let state = data.state_mut::<E::State>();
let state = data.state_mut::<S>();
let fuzzer = data.fuzzer_mut::<Z>();
let event_mgr = data.event_mgr_mut::<EM>();

Expand All @@ -286,12 +298,12 @@ pub mod windows_exception_handler {
} else {
log::error!("Timeout in fuzz run.");

let input = (data.current_input_ptr as *const <E::State as UsesInput>::Input)
let input = (data.current_input_ptr as *const <S::Corpus as Corpus>::Input)
.as_ref()
.unwrap();
data.current_input_ptr = ptr::null_mut();

run_observers_and_save_state::<E, EM, OF, Z>(
run_observers_and_save_state::<E, EM, OF, S, Z>(
executor,
state,
input,
Expand All @@ -315,18 +327,22 @@ pub mod windows_exception_handler {
///
/// # Safety
/// Well, exception handling is not safe
pub unsafe fn inproc_crash_handler<E, EM, OF, Z>(
pub unsafe fn inproc_crash_handler<E, EM, OF, S, Z>(
exception_pointers: *mut EXCEPTION_POINTERS,
data: &mut InProcessExecutorHandlerData,
) where
E: Executor<EM, Z> + HasObservers,
E::Observers: ObserversTuple<<E::State as UsesInput>::Input, E::State>,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
OF: Feedback<EM, E::Input, E::Observers, E::State>,
E::State: HasExecutions + HasSolutions + HasCorpus,
E: Executor<EM, <S::Corpus as Corpus>::Input, S, Z> + HasObservers,
E::Observers: ObserversTuple<<S::Corpus as Corpus>::Input, S>,
EM: EventFirer<State = S> + EventRestarter<State = S>,
OF: Feedback<EM, <S::Corpus as Corpus>::Input, E::Observers, S>,
S: HasExecutions
+ HasSolutions
+ HasCorpus
+ HasCurrentTestcase
+ UsesInput<Input = <S::Corpus as Corpus>::Input>,
Z: HasObjective<Objective = OF>,
<<E as UsesState>::State as HasSolutions>::Solutions: Corpus<Input = E::Input>, //delete me
<<<E as UsesState>::State as HasCorpus>::Corpus as Corpus>::Input: Clone, //delete me
<S::Corpus as Corpus>::Input: Input + Clone,
S::Solutions: Corpus<Input = <S::Corpus as Corpus>::Input>,
{
// Have we set a timer_before?
if data.ptp_timer.is_some() {
Expand Down Expand Up @@ -400,7 +416,7 @@ pub mod windows_exception_handler {
data.ptp_timer = None;
}

let state = data.state_mut::<E::State>();
let state = data.state_mut::<S>();
let fuzzer = data.fuzzer_mut::<Z>();
let event_mgr = data.event_mgr_mut::<EM>();

Expand All @@ -412,7 +428,7 @@ pub mod windows_exception_handler {

// Make sure we don't crash in the crash handler forever.
if is_crash {
let input = data.take_current_input::<<E::State as UsesInput>::Input>();
let input = data.take_current_input::<<S::Corpus as Corpus>::Input>();
{
let mut bsod = Vec::new();
{
Expand All @@ -424,7 +440,7 @@ pub mod windows_exception_handler {
}
log::error!("{}", std::str::from_utf8(&bsod).unwrap());
}
run_observers_and_save_state::<E, EM, OF, Z>(
run_observers_and_save_state::<E, EM, OF, S, Z>(
executor,
state,
input,
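Review bot: The `# Safety` sections on `asan_death_handler`, `setup_panic_hook`, `inproc_timeout_handler` and `inproc_crash_handler` still say only "ASAN deatch handler" or "Well, exception handling is not safe", although `S` is now a free type parameter that each handler uses to type the shared handler data (`state_mut::<S>()`, `take_current_input::<<S::Corpus as Corpus>::Input>()`, and the `data.current_input_ptr as *const <S::Corpus as Corpus>::Input` cast in the timeout handler). Those accessors are not defined in this diff, but they presumably cast stored raw pointers without a check, so a mismatched `S` would reinterpret the state or the input as the wrong type. I would state the contract in each section, for example `/// The type parameters must be the exact types of the executor, event manager, state and fuzzer stored in the handler data.`, and fix the "deatch" typo. The same gap applies to `setup_asan_callback` in libafl_targets/src/windows_asan.rs, where no argument carries `S` (it is fixed only through the `Executor` bound on `E`) and the doc still says the function "should be safe to call otherwise". The handler bodies start and end outside these hunks.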
26 changes: 15 additions & 11 deletions libafl_targets/src/windows_asan.rs
Expand Up @@ -5,9 +5,9 @@ use libafl::{
events::{EventFirer, EventRestarter},
executors::{hooks::windows::windows_asan_handler::asan_death_handler, Executor, HasObservers},
feedbacks::Feedback,
inputs::UsesInput,
inputs::{Input, UsesInput},
observers::ObserversTuple,
state::{HasCorpus, HasExecutions, HasSolutions, UsesState},
state::{HasCorpus, HasCurrentTestcase, HasExecutions, HasSolutions},
HasObjective,
};

Expand All @@ -30,16 +30,20 @@ extern "C" {
///
/// # Safety
/// Calls the unsafe `__sanitizer_set_death_callback` symbol, but should be safe to call otherwise.
pub unsafe fn setup_asan_callback<E, EM, OF, Z>(_executor: &E, _event_mgr: &EM, _fuzzer: &Z)
pub unsafe fn setup_asan_callback<E, EM, OF, S, Z>(_executor: &E, _event_mgr: &EM, _fuzzer: &Z)
where
E: Executor<EM, Z> + HasObservers,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
OF: Feedback<EM, E::Input, E::Observers, E::State>,
E::State: HasSolutions + HasCorpus + HasExecutions,
E::Observers: ObserversTuple<<E::State as UsesInput>::Input, E::State>,
E: Executor<EM, <S::Corpus as Corpus>::Input, S, Z> + HasObservers,
E::Observers: ObserversTuple<<S::Corpus as Corpus>::Input, S>,
EM: EventFirer<State = S> + EventRestarter<State = S>,
OF: Feedback<EM, <S::Corpus as Corpus>::Input, E::Observers, S>,
S: HasExecutions
+ HasSolutions
+ HasCurrentTestcase
+ HasCorpus
+ UsesInput<Input = <S::Corpus as Corpus>::Input>,
S::Solutions: Corpus<Input = <S::Corpus as Corpus>::Input>,
Z: HasObjective<Objective = OF>,
<<E as UsesState>::State as HasSolutions>::Solutions: Corpus<Input = E::Input>, //delete me
<<<E as UsesState>::State as HasCorpus>::Corpus as Corpus>::Input: Clone, //delete me
<S::Corpus as Corpus>::Input: Input + Clone,
{
__sanitizer_set_death_callback(Some(asan_death_handler::<E, EM, OF, Z>));
__sanitizer_set_death_callback(Some(asan_death_handler::<E, EM, OF, S, Z>));
}
