├── .gitignore ├── .gitmodules ├── LICENSE ├── README.md ├── andreaf ├── create_hooks.py ├── modify_imports.py ├── pltcov-hooks.S ├── pltcov-rt.c ├── print_imports.py ├── run.sh └── test.c ├── borzacchiello ├── Makefile ├── hook.py ├── hook.s ├── pltcov.c └── stuff │ ├── main.c │ └── modify_symbol.py ├── cristianrichie ├── .gitkeep ├── generate_hook_library.py ├── pltcov-rt.c └── run.sh ├── dp1 ├── .gitkeep ├── Makefile ├── changeme.c ├── hook_imports.py └── pltcov.c ├── jotaro-sama └── print_libs │ ├── .gitignore │ ├── Makefile.txt │ ├── cheatsheet.md │ ├── hashme.c │ ├── hook.c │ ├── hooks.asm │ ├── patch_exec.py │ ├── print_libs.py │ ├── run.sh │ └── script.py └── pietroborrello ├── .gitkeep ├── example └── ex.c ├── hook.c └── pltcov.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Compiled Object files 5 | *.slo 6 | *.lo 7 | *.o 8 | *.obj 9 | 10 | # Precompiled Headers 11 | *.gch 12 | *.pch 13 | 14 | # Compiled Dynamic libraries 15 | *.so 16 | *.dylib 17 | *.dll 18 | 19 | # Fortran module files 20 | *.mod 21 | *.smod 22 | 23 | # Compiled Static libraries 24 | *.lai 25 | *.la 26 | *.a 27 | *.lib 28 | 29 | # Executables 30 | *.exe 31 | *.out 32 | *.app 33 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "AFLplusplus"] 2 | path = AFLplusplus 3 | url = https://github.com/AFLplusplus/AFLplusplus 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # pltcov_groupcoding 2 | 3 | Group coding repository of PltCov, a tool to instrument ELF binaries for fuzzing with ngram coverage of imported APIs 4 | 5 | Slides: https://docs.google.com/presentation/d/1BqkUwnXPji32ZP2kCcv1Ra1br9hSPb4nQpEzLUdhVsE/edit?usp=sharing 6 | 7 | ## Requirements 8 | 9 | + git clone https://github.com/AFLplusplus/AFLplusplus 10 | + pip3 install lief 11 | + clang 12 | 13 | ## Useful links 14 | 15 | + https://lief.quarkslab.com/doc/stable/tutorials/04_elf_hooking.html 16 | + https://gist.github.com/apsun/1e144bf7639b22ff0097171fa0f8c6b1 17 | + https://en.wikipedia.org/wiki/X86_calling_conventions#System_V_AMD64_ABI 18 | + https://github.com/bitsecurerlab/afl-sensitive/blob/elf_and_lava/afl-n4/qemu_mode/patches/afl-qemu-cpu-inl.h#L230 19 | + https://github.com/AFLplusplus/AFLplusplus/blob/master/llvm_mode/afl-llvm-rt.o.c#L62 20 | 21 | ## DC11396 Group Coding HowTo 22 | 23 | Group Coding is an experiment at DC11396. Each partecipant will code its own version of the tool (sharing tips with others in livestream) following an idea proposed by the group origanizers. 24 | 25 | The workflow is the following: 26 | 27 | + Fork this repo. 28 | + Add a folder with your name or nickname. You are allowed only to create/delete/modify files in this directory. 29 | + Open immediately a pull request (with you name or nickname as title). The PR will be automatically updated with the code that you pushed in your fork. 30 | + At the end of the event, **@andreafioraldi** will merge *all* pull requests. 31 | + During the following the week, the best portions of code produced by all will be merged to create the first version of the tool (in another repo of this organization). 32 | 33 | ## People 34 | 35 | + [**@andreafioraldi**](https://github.com/andreafioraldi) 36 | + [**@cristianrichie**](https://github.com/cristianassaiante) 37 | + [**@borzacchiello**](https://github.com/borzacchiello) 38 | + [**@dp1**](https://github.com/dp1) 39 | + [**@jotaro-sama**](https://github.com/jotaro-sama) 40 | + [**@pietroborrello**](https://github.com/pietroborrello) 41 | 42 | Add yourself here when submitting the pull request. 43 | -------------------------------------------------------------------------------- /andreaf/create_hooks.py: -------------------------------------------------------------------------------- 1 | import lief 2 | import sys 3 | 4 | elf = lief.parse(sys.argv[1]) 5 | 6 | print(".text") 7 | print() 8 | 9 | for idx, sym in enumerate(elf.imported_symbols): 10 | if sym.type == lief.ELF.SYMBOL_TYPES.FUNC and "@" not in sym.name and sym.name != "__libc_start_main": 11 | print(""" 12 | .globl __pltcov_hook_%d 13 | __pltcov_hook_%d: 14 | push %%rax 15 | push %%rbx 16 | push %%rcx 17 | push %%rdx 18 | push %%rsi 19 | push %%rdi 20 | push %%rbp 21 | push %%r8 22 | push %%r9 23 | push %%r10 24 | push %%r11 25 | push %%r12 26 | push %%r13 27 | push %%r14 28 | push %%r15 29 | movq 120(%%rsp), %%rdi 30 | call __pltcov_log@PLT 31 | pop %%r15 32 | pop %%r14 33 | pop %%r13 34 | pop %%r12 35 | pop %%r11 36 | pop %%r10 37 | pop %%r9 38 | pop %%r8 39 | pop %%rbp 40 | pop %%rdi 41 | pop %%rsi 42 | pop %%rdx 43 | pop %%rcx 44 | pop %%rbx 45 | pop %%rax 46 | jmp %s@PLT 47 | """ % (idx, idx, sym.name)) 48 | sym.name = "__pltcov_hook_%d" % idx 49 | 50 | elf.write("patched.elf") 51 | -------------------------------------------------------------------------------- /andreaf/modify_imports.py: -------------------------------------------------------------------------------- 1 | import lief 2 | import sys 3 | 4 | elf = lief.parse(sys.argv[1]) 5 | 6 | for idx, sym in enumerate(elf.imported_symbols): 7 | if sym.type == lief.ELF.SYMBOL_TYPES.FUNC: 8 | if sym.name == "read": 9 | print(sym) 10 | sym.name = "write" 11 | 12 | elf.write("patched.elf") 13 | -------------------------------------------------------------------------------- /andreaf/pltcov-hooks.S: -------------------------------------------------------------------------------- 1 | .text 2 | 3 | 4 | .globl __pltcov_hook_0 5 | __pltcov_hook_0: 6 | push %rax 7 | push %rbx 8 | push %rcx 9 | push %rdx 10 | push %rsi 11 | push %rdi 12 | push %rbp 13 | push %r8 14 | push %r9 15 | push %r10 16 | push %r11 17 | push %r12 18 | push %r13 19 | push %r14 20 | push %r15 21 | movq 120(%rsp), %rdi 22 | call __pltcov_log@PLT 23 | pop %r15 24 | pop %r14 25 | pop %r13 26 | pop %r12 27 | pop %r11 28 | pop %r10 29 | pop %r9 30 | pop %r8 31 | pop %rbp 32 | pop %rdi 33 | pop %rsi 34 | pop %rdx 35 | pop %rcx 36 | pop %rbx 37 | pop %rax 38 | jmp __stack_chk_fail@PLT 39 | 40 | 41 | .globl __pltcov_hook_1 42 | __pltcov_hook_1: 43 | push %rax 44 | push %rbx 45 | push %rcx 46 | push %rdx 47 | push %rsi 48 | push %rdi 49 | push %rbp 50 | push %r8 51 | push %r9 52 | push %r10 53 | push %r11 54 | push %r12 55 | push %r13 56 | push %r14 57 | push %r15 58 | movq 120(%rsp), %rdi 59 | call __pltcov_log@PLT 60 | pop %r15 61 | pop %r14 62 | pop %r13 63 | pop %r12 64 | pop %r11 65 | pop %r10 66 | pop %r9 67 | pop %r8 68 | pop %rbp 69 | pop %rdi 70 | pop %rsi 71 | pop %rdx 72 | pop %rcx 73 | pop %rbx 74 | pop %rax 75 | jmp read@PLT 76 | 77 | 78 | .globl __pltcov_hook_3 79 | __pltcov_hook_3: 80 | push %rax 81 | push %rbx 82 | push %rcx 83 | push %rdx 84 | push %rsi 85 | push %rdi 86 | push %rbp 87 | push %r8 88 | push %r9 89 | push %r10 90 | push %r11 91 | push %r12 92 | push %r13 93 | push %r14 94 | push %r15 95 | movq 120(%rsp), %rdi 96 | call __pltcov_log@PLT 97 | pop %r15 98 | pop %r14 99 | pop %r13 100 | pop %r12 101 | pop %r11 102 | pop %r10 103 | pop %r9 104 | pop %r8 105 | pop %rbp 106 | pop %rdi 107 | pop %rsi 108 | pop %rdx 109 | pop %rcx 110 | pop %rbx 111 | pop %rax 112 | jmp __cxa_finalize@PLT 113 | 114 | -------------------------------------------------------------------------------- /andreaf/pltcov-rt.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include 3 | #include 4 | #include 5 | #include "../AFLplusplus/include/config.h" 6 | 7 | extern void __afl_manual_init(void); 8 | 9 | extern uint8_t *__afl_area_ptr; 10 | 11 | void __pltcov_log(void* retaddr) { 12 | 13 | uintptr_t cur_loc = (uintptr_t)retaddr; 14 | cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); 15 | cur_loc &= MAP_SIZE - 1; 16 | 17 | printf("called from %lx\n", cur_loc); 18 | 19 | __afl_area_ptr[cur_loc]++; 20 | 21 | } 22 | 23 | static int (*real_main)(int, char **, char **); 24 | 25 | static int libcov_main(int argc, char** argv, char** env) { 26 | 27 | __afl_manual_init(); 28 | 29 | return real_main(argc, argv, env); 30 | 31 | } 32 | 33 | int __libc_start_main( 34 | int (*main)(int, char **, char **), 35 | int argc, 36 | char **argv, 37 | int (*init)(int, char **, char **), 38 | void (*fini)(void), 39 | void (*rtld_fini)(void), 40 | void *stack_end) { 41 | 42 | typeof(&__libc_start_main) orig = dlsym(RTLD_NEXT, "__libc_start_main"); 43 | real_main = main; 44 | 45 | return orig(main, argc, argv, init, fini, rtld_fini, stack_end); 46 | } 47 | -------------------------------------------------------------------------------- /andreaf/print_imports.py: -------------------------------------------------------------------------------- 1 | import lief 2 | import sys 3 | 4 | elf = lief.parse(sys.argv[1]) 5 | 6 | for idx, sym in enumerate(elf.imported_symbols): 7 | if sym.type == lief.ELF.SYMBOL_TYPES.FUNC: 8 | print(sym.name) 9 | 10 | -------------------------------------------------------------------------------- /andreaf/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | make -C ../AFLplusplus 4 | make -C ../AFLplusplus/llvm_mode 5 | 6 | gcc test.c -o test 7 | 8 | python3 create_hooks.py ./test > pltcov-hooks.S 9 | 10 | chmod +x patched.elf 11 | 12 | gcc -fPIC -shared pltcov-hooks.S pltcov-rt.c ../AFLplusplus/afl-llvm-rt.o -o libpltcov.so -ldl 13 | 14 | echo 'a' | env AFL_PRELOAD=./libpltcov.so ../AFLplusplus/afl-showmap -o - -- ./patched.elf 15 | -------------------------------------------------------------------------------- /andreaf/test.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main() { 5 | 6 | char buf[2] = {'a', 0}; 7 | 8 | read(0, buf, 2); 9 | 10 | if (buf[0] == '0') 11 | return 1; 12 | 13 | return 0; 14 | 15 | } 16 | -------------------------------------------------------------------------------- /borzacchiello/Makefile: -------------------------------------------------------------------------------- 1 | all: compile 2 | 3 | compile: 4 | python3 hook.py ${INPUT_EXE} 5 | gcc hook.s pltcov.c ../AFLplusplus/afl-llvm-rt.o -o hook.so -fPIC -shared -ldl 6 | chmod +x ./patched.bin 7 | 8 | run: compile 9 | LD_PRELOAD=./hook.so ./patched.bin 10 | 11 | showmap: compile 12 | AFL_PRELOAD=./hook.so ../AFLplusplus/afl-showmap -o - -- ./patched.bin 13 | 14 | clean: 15 | rm -f hook.so patched.bin 16 | -------------------------------------------------------------------------------- /borzacchiello/hook.py: -------------------------------------------------------------------------------- 1 | import lief 2 | import sys 3 | import os 4 | 5 | binary = lief.parse(sys.argv[1]) 6 | 7 | idx = 0 8 | hooks = [] 9 | 10 | for sym in binary.imported_symbols: 11 | if sym.type == lief.ELF.SYMBOL_TYPES.FUNC: 12 | old_name = sym.name 13 | if "@@" in old_name: 14 | continue 15 | if "__libc_start_main" in old_name: 16 | continue 17 | 18 | hook_name = "__hook_%d" % idx 19 | idx += 1 20 | 21 | hooks.append ( 22 | ( 23 | hook_name, 24 | old_name 25 | ) 26 | ) 27 | 28 | sym.name = hook_name 29 | binary.write("patched.bin") 30 | 31 | asm_file = open("hook.s", "w") 32 | for hook_name, _ in hooks: 33 | asm_file.write(".globl %s\n" % hook_name) 34 | 35 | asm_file.write("\n\n") 36 | asm_file.write(".section .text\n\n") 37 | 38 | for hook_name, fun_name in hooks: 39 | asm_file.write("%s:\n" % hook_name) 40 | asm_file.write(" push %rax\n") 41 | asm_file.write(" push %rbx\n") 42 | asm_file.write(" push %rcx\n") 43 | asm_file.write(" push %rdx\n") 44 | asm_file.write(" push %rbp\n") 45 | asm_file.write(" push %rdi\n") 46 | asm_file.write(" push %rsi\n") 47 | asm_file.write(" push %r8\n") 48 | asm_file.write(" push %r9\n") 49 | asm_file.write(" push %r10\n") 50 | asm_file.write(" push %r11\n") 51 | asm_file.write(" push %r12\n") 52 | asm_file.write(" push %r13\n") 53 | asm_file.write(" push %r14\n") 54 | asm_file.write(" push %r15\n") 55 | asm_file.write(" movq 120(%rsp), %rdi\n") 56 | asm_file.write(" call pltcov_log@plt\n") 57 | asm_file.write(" pop %r15\n") 58 | asm_file.write(" pop %r14\n") 59 | asm_file.write(" pop %r13\n") 60 | asm_file.write(" pop %r12\n") 61 | asm_file.write(" pop %r11\n") 62 | asm_file.write(" pop %r10\n") 63 | asm_file.write(" pop %r9\n") 64 | asm_file.write(" pop %r8\n") 65 | asm_file.write(" pop %rsi\n") 66 | asm_file.write(" pop %rdi\n") 67 | asm_file.write(" pop %rbp\n") 68 | asm_file.write(" pop %rdx\n") 69 | asm_file.write(" pop %rcx\n") 70 | asm_file.write(" pop %rbx\n") 71 | asm_file.write(" pop %rax\n") 72 | asm_file.write(" jmp %s@plt\n\n" % fun_name) 73 | asm_file.close() 74 | 75 | # os.system("gcc hook.s logger.c -o hook.so -fPIC -shared") 76 | 77 | -------------------------------------------------------------------------------- /borzacchiello/hook.s: -------------------------------------------------------------------------------- 1 | .globl __hook_0 2 | .globl __hook_1 3 | 4 | 5 | .section .text 6 | 7 | __hook_0: 8 | push %rax 9 | push %rbx 10 | push %rcx 11 | push %rdx 12 | push %rbp 13 | push %rdi 14 | push %rsi 15 | push %r8 16 | push %r9 17 | push %r10 18 | push %r11 19 | push %r12 20 | push %r13 21 | push %r14 22 | push %r15 23 | movq 120(%rsp), %rdi 24 | call pltcov_log@plt 25 | pop %r15 26 | pop %r14 27 | pop %r13 28 | pop %r12 29 | pop %r11 30 | pop %r10 31 | pop %r9 32 | pop %r8 33 | pop %rsi 34 | pop %rdi 35 | pop %rbp 36 | pop %rdx 37 | pop %rcx 38 | pop %rbx 39 | pop %rax 40 | jmp puts@plt 41 | 42 | __hook_1: 43 | push %rax 44 | push %rbx 45 | push %rcx 46 | push %rdx 47 | push %rbp 48 | push %rdi 49 | push %rsi 50 | push %r8 51 | push %r9 52 | push %r10 53 | push %r11 54 | push %r12 55 | push %r13 56 | push %r14 57 | push %r15 58 | movq 120(%rsp), %rdi 59 | call pltcov_log@plt 60 | pop %r15 61 | pop %r14 62 | pop %r13 63 | pop %r12 64 | pop %r11 65 | pop %r10 66 | pop %r9 67 | pop %r8 68 | pop %rsi 69 | pop %rdi 70 | pop %rbp 71 | pop %rdx 72 | pop %rcx 73 | pop %rbx 74 | pop %rax 75 | jmp __cxa_finalize@plt 76 | 77 | -------------------------------------------------------------------------------- /borzacchiello/pltcov.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include 3 | #include 4 | #include 5 | #include "../AFLplusplus/include/config.h" 6 | 7 | extern uint8_t *__afl_area_ptr; 8 | extern void __afl_manual_init(void); 9 | 10 | static int (*main_orig)(int, char **, char **); 11 | 12 | int main_hook(int argc, char **argv, char **envp) 13 | { 14 | __afl_manual_init(); 15 | return main_orig(argc, argv, envp); 16 | } 17 | 18 | int __libc_start_main( 19 | int (*main)(int, char **, char **), 20 | int argc, 21 | char **argv, 22 | int (*init)(int, char **, char **), 23 | void (*fini)(void), 24 | void (*rtld_fini)(void), 25 | void *stack_end) 26 | { 27 | main_orig = main; 28 | typeof(&__libc_start_main) orig = dlsym(RTLD_NEXT, "__libc_start_main"); 29 | return orig(main_hook, argc, argv, init, fini, rtld_fini, stack_end); 30 | } 31 | 32 | void pltcov_log(unsigned long ret_addr) { 33 | uintptr_t cur_loc = (uintptr_t) ret_addr; 34 | cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); 35 | cur_loc &= MAP_SIZE - 1; 36 | __afl_area_ptr[((uintptr_t) ret_addr) & (MAP_SIZE - 1)]++; 37 | } 38 | -------------------------------------------------------------------------------- /borzacchiello/stuff/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char* argv[]) { 4 | puts("ls"); 5 | return 0; 6 | } 7 | -------------------------------------------------------------------------------- /borzacchiello/stuff/modify_symbol.py: -------------------------------------------------------------------------------- 1 | import lief 2 | 3 | binary = lief.parse("main") 4 | for sim in binary.imported_symbols: 5 | if sim.type == lief.ELF.SYMBOL_TYPES.FUNC: 6 | if sim.name == "puts": 7 | sim.name = "system" 8 | binary.write("main.obj") 9 | 10 | -------------------------------------------------------------------------------- /cristianrichie/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefconRome/pltcov_groupcoding/87afc2502cddf6ffa15281ff95f802561222b44c/cristianrichie/.gitkeep -------------------------------------------------------------------------------- /cristianrichie/generate_hook_library.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import lief 4 | from sys import argv 5 | import subprocess 6 | 7 | 8 | binary = lief.parse(argv[1]) 9 | 10 | for i, sym in enumerate(binary.imported_symbols): 11 | if sym.type == lief.ELF.SYMBOL_TYPES.FUNC: 12 | 13 | hook_name = "__pltcov_hook_" + str(i) 14 | 15 | code = """ 16 | .globl %s 17 | 18 | %s: 19 | pushq %%rax 20 | pushq %%rbx 21 | pushq %%rcx 22 | pushq %%rdx 23 | pushq %%rsi 24 | pushq %%rdi 25 | pushq %%rbp 26 | pushq %%r8 27 | pushq %%r9 28 | pushq %%r10 29 | pushq %%r11 30 | pushq %%r12 31 | pushq %%r13 32 | pushq %%r14 33 | pushq %%r15 34 | 35 | movq 120(%%rsp), %%rdi 36 | call __pltcov_logger 37 | 38 | popq %%r15 39 | popq %%r14 40 | popq %%r13 41 | popq %%r12 42 | popq %%r11 43 | popq %%r10 44 | popq %%r9 45 | popq %%r8 46 | popq %%rbp 47 | popq %%rdi 48 | popq %%rsi 49 | popq %%rdx 50 | popq %%rcx 51 | popq %%rbx 52 | popq %%rax 53 | 54 | jmp %s@PLT 55 | """ % (hook_name, hook_name, sym.name) 56 | 57 | print(code) 58 | 59 | sym.name = hook_name 60 | 61 | binary.write(argv[1] + ".patched") 62 | 63 | -------------------------------------------------------------------------------- /cristianrichie/pltcov-rt.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | #include "../AFLplusplus/include/config.h" 8 | 9 | 10 | extern uint8_t *__afl_area_ptr; 11 | extern void __afl_manual_init(void); 12 | 13 | 14 | void __pltcov_logger(void* ret_addr) 15 | { 16 | uintptr_t cur_loc = (uintptr_t)ret_addr; 17 | cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); 18 | cur_loc &= MAP_SIZE - 1; 19 | __afl_area_ptr[cur_loc]++; 20 | } 21 | 22 | 23 | 24 | static int (*main_orig)(int, char**, char**); 25 | 26 | int main_hook(int argc, char **argv, char **envp) 27 | { 28 | __afl_manual_init(); 29 | int ret = main_orig(argc, argv, envp); 30 | } 31 | 32 | int __libc_start_main( 33 | int (*main)(int, char **, char **), 34 | int argc, 35 | char **argv, 36 | int (*init)(int, char **, char **), 37 | void (*fini)(void), 38 | void (*rtld_fini)(void), 39 | void *stack_end) 40 | { 41 | main_orig = main; 42 | 43 | typeof(&__libc_start_main) orig = dlsym(RTLD_NEXT, "__libc_start_main"); 44 | 45 | return orig(main_hook, argc, argv, init, fini, rtld_fini, stack_end); 46 | } 47 | -------------------------------------------------------------------------------- /cristianrichie/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ -z $1 ] 4 | then 5 | echo "Error: missing ELF name." 6 | else 7 | 8 | python3 generate_hook_library.py $1 > pltcov-rt.S 9 | gcc pltcov-rt.S pltcov-rt.c ../AFLplusplus/afl-llvm-rt.o -o pltcov-rt.so -ldl -fPIC -shared 10 | 11 | LD_PRELOAD=./pltcov-rt.so ./$1.patched 12 | AFL_PRELOAD=./pltcov-rt.so ../AFLplusplus/afl-showmap -o - -- ./$1.patched 13 | fi 14 | -------------------------------------------------------------------------------- /dp1/.gitkeep: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /dp1/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc changeme.c -o changeme 3 | python3 hook_imports.py changeme 4 | 5 | clean: 6 | rm hooks.s hook.so changeme changeme_hooked 7 | -------------------------------------------------------------------------------- /dp1/changeme.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main() 6 | { 7 | char s[128]; 8 | scanf("%127s", s); 9 | if(!strcmp(s, "secretflag")) 10 | puts("Win"); 11 | } 12 | -------------------------------------------------------------------------------- /dp1/hook_imports.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import subprocess 4 | import lief 5 | import sys 6 | 7 | if len(sys.argv) < 2: 8 | print(f"Usage: {sys.argv[0]} ") 9 | quit() 10 | 11 | binary = lief.ELF.parse(sys.argv[1]) 12 | 13 | stub = """ 14 | .globl %s 15 | %s: 16 | push %%rax 17 | push %%rbx 18 | push %%rcx 19 | push %%rdx 20 | push %%rbp 21 | push %%rsi 22 | push %%rdi 23 | push %%r8 24 | push %%r9 25 | push %%r10 26 | push %%r11 27 | push %%r12 28 | push %%r13 29 | push %%r14 30 | push %%r15 31 | 32 | # pass our return address to the instrumentation function 33 | movq 120(%%rsp), %%rdi 34 | call pltcov_instrument@PLT 35 | 36 | pop %%r15 37 | pop %%r14 38 | pop %%r13 39 | pop %%r12 40 | pop %%r11 41 | pop %%r10 42 | pop %%r9 43 | pop %%r8 44 | pop %%rdi 45 | pop %%rsi 46 | pop %%rbp 47 | pop %%rdx 48 | pop %%rcx 49 | pop %%rbx 50 | pop %%rax 51 | 52 | jmp %s@PLT 53 | """ 54 | 55 | sim_count = 0 56 | output_asm = "" 57 | 58 | def patch(sim): 59 | global sim_count, output_asm 60 | 61 | old_sim = sim.name 62 | new_sim = f'__pltcov_hook{str(sim_count)}' 63 | output_asm += stub % (new_sim, new_sim, old_sim) 64 | sim.name = new_sim 65 | 66 | sim_count += 1 67 | 68 | 69 | hook_blacklist = [ 70 | "__libc_start_main" 71 | ] 72 | 73 | for sim in binary.imported_symbols: 74 | if sim.type == lief.ELF.SYMBOL_TYPES.FUNC: 75 | if '@' not in sim.name and sim.name not in hook_blacklist: 76 | patch(sim) 77 | 78 | 79 | 80 | binary.write(f'{sys.argv[1]}_hooked') 81 | subprocess.run(['chmod', '+x', f'{sys.argv[1]}_hooked']) 82 | 83 | with open('hooks.s','w') as fout: 84 | fout.write(output_asm) 85 | 86 | subprocess.run('gcc hooks.s pltcov.c ../AFLplusplus/afl-llvm-rt.o -o hook.so -fPIC -shared -ldl', shell=True) 87 | -------------------------------------------------------------------------------- /dp1/pltcov.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include 3 | #include 4 | #include 5 | #include "../AFLplusplus/include/config.h" 6 | 7 | extern void __afl_manual_init(void); 8 | extern uint8_t *__afl_area_ptr; 9 | 10 | static int (*main_orig)(int, char **, char **); 11 | 12 | int main_hook(int argc, char **argv, char **envp) 13 | { 14 | __afl_manual_init(); 15 | return main_orig(argc, argv, envp); 16 | } 17 | 18 | int __libc_start_main( 19 | int (*main)(int, char **, char **), 20 | int argc, 21 | char **argv, 22 | int (*init)(int, char **, char **), 23 | void (*fini)(void), 24 | void (*rtld_fini)(void), 25 | void *stack_end) 26 | { 27 | main_orig = main; 28 | typeof(&__libc_start_main) orig = dlsym(RTLD_NEXT, "__libc_start_main"); 29 | return orig(main_hook, argc, argv, init, fini, rtld_fini, stack_end); 30 | } 31 | 32 | void pltcov_instrument(uintptr_t retaddr) 33 | { 34 | uintptr_t cur_loc = (uintptr_t)retaddr; 35 | cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); 36 | cur_loc &= MAP_SIZE - 1; 37 | __afl_area_ptr[cur_loc % MAP_SIZE]++; 38 | } 39 | -------------------------------------------------------------------------------- /jotaro-sama/print_libs/.gitignore: -------------------------------------------------------------------------------- 1 | env/ 2 | hashme 3 | a.out 4 | *.s 5 | *.so 6 | hook 7 | -------------------------------------------------------------------------------- /jotaro-sama/print_libs/Makefile.txt: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | CXX=g++ 3 | 4 | all: hashme 5 | 6 | hashme: hashme.c 7 | $(CC) $^ -O0 -o $@ -lm 8 | chmod u+rx $@ 9 | 10 | run: all 11 | unset LD_LIBRARY_PATH 12 | ./hashme 123 13 | python script.py 14 | chmod u+x ./hashme.obf 15 | LD_LIBRARY_PATH=. ./hashme.obf 123 16 | 17 | .PHONY: clean 18 | 19 | clean: 20 | rm -rf *.o *~ *.so.* *.bin hashme hashme.obf 21 | -------------------------------------------------------------------------------- /jotaro-sama/print_libs/cheatsheet.md: -------------------------------------------------------------------------------- 1 | Run afl-showmap 2 | 3 | ``` 4 | AFL_PRELOAD=./hooks.so ../../AFLplusplus/afl-showmap -o - -- ./hashme 5 | ``` 6 | 7 | Run with env: 8 | 9 | ``` 10 | env LD_PRELOAD=./hooks.so ./hashme 4 11 | ``` 12 | 13 | Compile asm hooks, hook function with instrumented main and afl (ldl added for instrumenting main) 14 | 15 | ``` 16 | gcc hooks.s hook.c ../AFLplusplus/afl-llvm-rt.o -o hooks.so -fPIC -shared -ldl 17 | ``` 18 | 19 | Compile AFL 20 | 21 | ``` 22 | make && make -C llvm_mode 23 | ``` 24 | 25 | For intel syntax in asm, add this at the beginning: 26 | ``` 27 | .intel_syntax noprefix 28 | ``` 29 | 30 | How to not overflow in assembly: 31 | ``` 32 | https://github.com/AFLplusplus/AFLplusplus/blob/master/qemu_mode/patches/afl-qemu-common.h#L54 33 | ``` -------------------------------------------------------------------------------- /jotaro-sama/print_libs/hashme.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | double hashme(double input) { 6 | return pow(input, 4) + log(input + 3); 7 | } 8 | 9 | int main(int argc, char** argv) { 10 | if (argc != 2) { 11 | printf("Usage: %s N\n", argv[0]); 12 | return EXIT_FAILURE; 13 | } 14 | 15 | double N = (double)atoi(argv[1]); 16 | double hash = hashme(N); 17 | printf("%f\n", hash); 18 | 19 | return EXIT_SUCCESS; 20 | } 21 | -------------------------------------------------------------------------------- /jotaro-sama/print_libs/hook.c: -------------------------------------------------------------------------------- 1 | // https://gist.github.com/apsun/1e144bf7639b22ff0097171fa0f8c6b1 2 | #define _GNU_SOURCE 3 | 4 | 5 | #include "../../AFLplusplus/include/config.h" 6 | #include 7 | #include 8 | 9 | #include 10 | #include 11 | 12 | 13 | extern uint8_t *__afl_area_ptr; 14 | extern uint8_t *__afl_area_ptr; 15 | extern void __afl_manual_init(void); 16 | 17 | /* Trampoline for the real main() */ 18 | static int (*main_orig)(int, char **, char **); 19 | 20 | /* Our fake main() that gets called by __libc_start_main() */ 21 | int main_hook(int argc, char **argv, char **envp) { 22 | for (int i = 0; i < argc; ++i) { 23 | printf("argv[%d] = %s\n", i, argv[i]); 24 | } 25 | //printf("--- Before main ---\n"); 26 | __afl_manual_init(); 27 | int ret = main_orig(argc, argv, envp); 28 | printf("--- After main ----\n"); 29 | printf("main() returned %d\n", ret); 30 | return ret; 31 | } 32 | 33 | /* 34 | * Wrapper for __libc_start_main() that replaces the real main 35 | * function with our hooked version. 36 | */ 37 | int __libc_start_main( 38 | int (*main)(int, char **, char **), 39 | int argc, 40 | char **argv, 41 | int (*init)(int, char **, char **), 42 | void (*fini)(void), 43 | void (*rtld_fini)(void), 44 | void *stack_end) 45 | { 46 | /* Save the real main function address */ 47 | main_orig = main; 48 | 49 | /* Find the real __libc_start_main()... */ 50 | typeof(&__libc_start_main) orig = dlsym(RTLD_NEXT, "__libc_start_main"); 51 | 52 | /* ... and call it with our custom main function */ 53 | return orig(main_hook, argc, argv, init, fini, rtld_fini, stack_end); 54 | } 55 | 56 | 57 | void pltcov_log(void* retaddr) { 58 | printf("%p\n", retaddr); 59 | // shitty hash for the address we call 60 | //__afl_area_ptr[((uintptr_t)retaddr) % MAP_SIZE]++; 61 | 62 | uintptr_t cur_loc = (uintptr_t)retaddr; 63 | cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); 64 | cur_loc &= MAP_SIZE - 1; 65 | 66 | __afl_area_ptr[cur_loc]++; 67 | 68 | } -------------------------------------------------------------------------------- /jotaro-sama/print_libs/hooks.asm: -------------------------------------------------------------------------------- 1 | .globl logger_printf 2 | logger_printf: 3 | push %rax 4 | push %rbx 5 | push %rcx 6 | push %rdx 7 | push %rsi 8 | push %rdi 9 | push %rbp 10 | push %r8 11 | push %r9 12 | push %r10 13 | push %r11 14 | push %r12 15 | push %r13 16 | push %r14 17 | push %r15 18 | # return address 19 | mov 120(%rsp), %rdi 20 | call pltcov_log 21 | 22 | pop %r15 23 | pop %r14 24 | pop %r13 25 | pop %r12 26 | pop %r11 27 | pop %r10 28 | pop %r9 29 | pop %r8 30 | pop %rbp 31 | pop %rdi 32 | pop %rsi 33 | pop %rdx 34 | pop %rcx 35 | pop %rbx 36 | pop %rax 37 | 38 | jmp printf@PLT 39 | ret 40 | .globl logger_pow 41 | logger_pow: 42 | push %rax 43 | push %rbx 44 | push %rcx 45 | push %rdx 46 | push %rsi 47 | push %rdi 48 | push %rbp 49 | push %r8 50 | push %r9 51 | push %r10 52 | push %r11 53 | push %r12 54 | push %r13 55 | push %r14 56 | push %r15 57 | # return address 58 | mov 120(%rsp), %rdi 59 | call pltcov_log 60 | 61 | pop %r15 62 | pop %r14 63 | pop %r13 64 | pop %r12 65 | pop %r11 66 | pop %r10 67 | pop %r9 68 | pop %r8 69 | pop %rbp 70 | pop %rdi 71 | pop %rsi 72 | pop %rdx 73 | pop %rcx 74 | pop %rbx 75 | pop %rax 76 | 77 | jmp pow@PLT 78 | ret 79 | .globl logger_log 80 | logger_log: 81 | push %rax 82 | push %rbx 83 | push %rcx 84 | push %rdx 85 | push %rsi 86 | push %rdi 87 | push %rbp 88 | push %r8 89 | push %r9 90 | push %r10 91 | push %r11 92 | push %r12 93 | push %r13 94 | push %r14 95 | push %r15 96 | # return address 97 | mov 120(%rsp), %rdi 98 | call pltcov_log 99 | 100 | pop %r15 101 | pop %r14 102 | pop %r13 103 | pop %r12 104 | pop %r11 105 | pop %r10 106 | pop %r9 107 | pop %r8 108 | pop %rbp 109 | pop %rdi 110 | pop %rsi 111 | pop %rdx 112 | pop %rcx 113 | pop %rbx 114 | pop %rax 115 | 116 | jmp log@PLT 117 | ret 118 | .globl logger___libc_start_main 119 | logger___libc_start_main: 120 | push %rax 121 | push %rbx 122 | push %rcx 123 | push %rdx 124 | push %rsi 125 | push %rdi 126 | push %rbp 127 | push %r8 128 | push %r9 129 | push %r10 130 | push %r11 131 | push %r12 132 | push %r13 133 | push %r14 134 | push %r15 135 | # return address 136 | mov 120(%rsp), %rdi 137 | call pltcov_log 138 | 139 | pop %r15 140 | pop %r14 141 | pop %r13 142 | pop %r12 143 | pop %r11 144 | pop %r10 145 | pop %r9 146 | pop %r8 147 | pop %rbp 148 | pop %rdi 149 | pop %rsi 150 | pop %rdx 151 | pop %rcx 152 | pop %rbx 153 | pop %rax 154 | 155 | jmp __libc_start_main@PLT 156 | ret 157 | .globl logger_atoi 158 | logger_atoi: 159 | push %rax 160 | push %rbx 161 | push %rcx 162 | push %rdx 163 | push %rsi 164 | push %rdi 165 | push %rbp 166 | push %r8 167 | push %r9 168 | push %r10 169 | push %r11 170 | push %r12 171 | push %r13 172 | push %r14 173 | push %r15 174 | # return address 175 | mov 120(%rsp), %rdi 176 | call pltcov_log 177 | 178 | pop %r15 179 | pop %r14 180 | pop %r13 181 | pop %r12 182 | pop %r11 183 | pop %r10 184 | pop %r9 185 | pop %r8 186 | pop %rbp 187 | pop %rdi 188 | pop %rsi 189 | pop %rdx 190 | pop %rcx 191 | pop %rbx 192 | pop %rax 193 | 194 | jmp atoi@PLT 195 | ret 196 | .globl logger___cxa_finalize 197 | logger___cxa_finalize: 198 | push %rax 199 | push %rbx 200 | push %rcx 201 | push %rdx 202 | push %rsi 203 | push %rdi 204 | push %rbp 205 | push %r8 206 | push %r9 207 | push %r10 208 | push %r11 209 | push %r12 210 | push %r13 211 | push %r14 212 | push %r15 213 | # return address 214 | mov 120(%rsp), %rdi 215 | call pltcov_log 216 | 217 | pop %r15 218 | pop %r14 219 | pop %r13 220 | pop %r12 221 | pop %r11 222 | pop %r10 223 | pop %r9 224 | pop %r8 225 | pop %rbp 226 | pop %rdi 227 | pop %rsi 228 | pop %rdx 229 | pop %rcx 230 | pop %rbx 231 | pop %rax 232 | 233 | jmp __cxa_finalize@PLT 234 | ret 235 | -------------------------------------------------------------------------------- /jotaro-sama/print_libs/patch_exec.py: -------------------------------------------------------------------------------- 1 | import lief 2 | #binary = lief.parse("/usr/bin/ls") 3 | #library = lief.parse("/usr/lib/libc.so.6") 4 | 5 | import sys 6 | 7 | bin_name = sys.argv[1] 8 | 9 | #binary = lief.parse("a.out") 10 | binary = lief.parse(bin_name) 11 | 12 | print(binary.imported_functions) 13 | #print(library.exported_functions) 14 | 15 | hooksfile = "" 16 | 17 | for sym in binary.imported_symbols: 18 | assembly_name = sym.name 19 | if sym.type == lief.ELF.SYMBOL_TYPES.FUNC and "@" not in sym.name and sym.type != "__libc_startmain": 20 | newname = "logger_" + sym.name 21 | print(sym) 22 | hooksfile += """.globl %s 23 | %s: 24 | push %%rax 25 | push %%rbx 26 | push %%rcx 27 | push %%rdx 28 | push %%rsi 29 | push %%rdi 30 | push %%rbp 31 | push %%r8 32 | push %%r9 33 | push %%r10 34 | push %%r11 35 | push %%r12 36 | push %%r13 37 | push %%r14 38 | push %%r15 39 | # return address 40 | mov 120(%%rsp), %%rdi 41 | call pltcov_log@PLT 42 | #nop 43 | 44 | pop %%r15 45 | pop %%r14 46 | pop %%r13 47 | pop %%r12 48 | pop %%r11 49 | pop %%r10 50 | pop %%r9 51 | pop %%r8 52 | pop %%rbp 53 | pop %%rdi 54 | pop %%rsi 55 | pop %%rdx 56 | pop %%rcx 57 | pop %%rbx 58 | pop %%rax 59 | 60 | jmp %s 61 | """ % (newname, newname, assembly_name+"@PLT") 62 | sym.name = newname 63 | 64 | hooks_file = open("hooks.s", "w") 65 | hooks_file.write(hooksfile) 66 | hooks_file.close() 67 | 68 | binary.write("hashme") 69 | -------------------------------------------------------------------------------- /jotaro-sama/print_libs/print_libs.py: -------------------------------------------------------------------------------- 1 | import lief 2 | #binary = lief.parse("/usr/bin/ls") 3 | #library = lief.parse("/usr/lib/libc.so.6") 4 | 5 | binary = lief.parse("a.out") 6 | 7 | print(binary.imported_functions) 8 | #print(library.exported_functions) 9 | 10 | for sym in binary.imported_symbols: 11 | if sym.type == lief.ELF.SYMBOL_TYPES.FUNC: 12 | if sym.name == "log": 13 | print(sym) 14 | sym.name = "exp" 15 | 16 | binary.write("hashme") 17 | -------------------------------------------------------------------------------- /jotaro-sama/print_libs/run.sh: -------------------------------------------------------------------------------- 1 | #/bin/sh 2 | gcc hashme.c -lm 3 | python3 patch_exec.py a.out 4 | gcc hooks.s hook.c ../../AFLplusplus/afl-llvm-rt.o -o hooks.so -fPIC -shared -ldl 5 | env LD_PRELOAD=./hooks.so ./hashme 4 6 | AFL_PRELOAD=./hooks.so ../../AFLplusplus/afl-showmap -o - -- ./hashme 7 | -------------------------------------------------------------------------------- /jotaro-sama/print_libs/script.py: -------------------------------------------------------------------------------- 1 | import lief 2 | 3 | hashme = lief.parse("hashme") 4 | libm = lief.parse("/usr/lib/libm.so.6") 5 | 6 | 7 | def swap(obj, a, b): 8 | symbol_a = [e for e in obj.dynamic_symbols if e.name == a].pop() 9 | symbol_b = [e for e in obj.dynamic_symbols if e.name == b].pop() 10 | b_name = symbol_b.name 11 | symbol_b.name = symbol_a.name 12 | symbol_a.name = b_name 13 | 14 | hashme_pow_sym = [e for e in hashme.imported_symbols if e.name == "pow"].pop() 15 | hashme_log_sym = [e for e in hashme.imported_symbols if e.name == "log"].pop() 16 | 17 | hashme_pow_sym.name = "cos" 18 | hashme_log_sym.name = "sin" 19 | 20 | swap(libm, "log", "sin") 21 | swap(libm, "pow", "cos") 22 | 23 | hashme.write("hashme.obf") 24 | libm.write("libm.so.6") 25 | 26 | print("done") 27 | 28 | -------------------------------------------------------------------------------- /pietroborrello/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefconRome/pltcov_groupcoding/87afc2502cddf6ffa15281ff95f802561222b44c/pietroborrello/.gitkeep -------------------------------------------------------------------------------- /pietroborrello/example/ex.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(int argc, char* argv[]) { 5 | puts("echo yolo"); 6 | return 0; 7 | } -------------------------------------------------------------------------------- /pietroborrello/hook.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include 3 | #include 4 | #include 5 | #include "../AFLplusplus/include/config.h" 6 | 7 | extern uint8_t *__afl_area_ptr; 8 | extern void __afl_manual_init(void); 9 | 10 | /* Trampoline for the real main() */ 11 | static int (*main_orig)(int, char **, char **); 12 | 13 | int main_hook(int argc, char **argv, char **envp) 14 | { 15 | // printf("--- Before main ---\n"); 16 | __afl_manual_init(); 17 | int ret = main_orig(argc, argv, envp); 18 | // printf("--- After main ----\n"); 19 | return ret; 20 | } 21 | 22 | int __libc_start_main( 23 | int (*main)(int, char **, char **), 24 | int argc, 25 | char **argv, 26 | int (*init)(int, char **, char **), 27 | void (*fini)(void), 28 | void (*rtld_fini)(void), 29 | void *stack_end) 30 | { 31 | /* Save the real main function address */ 32 | main_orig = main; 33 | 34 | /* Find the real __libc_start_main()... */ 35 | typeof(&__libc_start_main) orig = dlsym(RTLD_NEXT, "__libc_start_main"); 36 | 37 | /* ... and call it with our custom main function */ 38 | return orig(main_hook, argc, argv, init, fini, rtld_fini, stack_end); 39 | } 40 | 41 | void pltcov__instrument(void* ret) { 42 | printf("%p\n", ret); 43 | uintptr_t cur_loc = (uintptr_t)ret; 44 | cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); 45 | cur_loc &= MAP_SIZE - 1; 46 | __afl_area_ptr[cur_loc]++; 47 | return; 48 | } -------------------------------------------------------------------------------- /pietroborrello/pltcov.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import sys 4 | import os 5 | import stat 6 | import lief 7 | from subprocess import check_call 8 | binary = lief.parse(sys.argv[1]) 9 | 10 | hook_basename = "pltcov__{func}__hook" 11 | 12 | stub_func = ''' 13 | .globl {stub_name} 14 | {stub_name}: 15 | push rax; 16 | push rbx; 17 | push rcx; 18 | push rdx; 19 | push rdi; 20 | push rsi; 21 | push rbp; 22 | push r8; 23 | push r9; 24 | push r10; 25 | push r11; 26 | push r12; 27 | push r13; 28 | push r14; 29 | push r15; 30 | mov rdi, qword ptr [rsp + 120] 31 | call pltcov__instrument@PLT; 32 | pop r15; 33 | pop r14; 34 | pop r13; 35 | pop r12; 36 | pop r11; 37 | pop r10; 38 | pop r9; 39 | pop r8; 40 | pop rbp; 41 | pop rsi; 42 | pop rdi; 43 | pop rdx; 44 | pop rcx; 45 | pop rbx; 46 | pop rax; 47 | jmp offset {original_func}@PLT; 48 | ''' 49 | 50 | pltcov_library_source = ''' 51 | .intel_syntax noprefix 52 | 53 | ''' 54 | 55 | for sym in binary.imported_symbols: 56 | if sym.type == lief.ELF.SYMBOL_TYPES.FUNC and "@" not in sym.name and sym.name[:2] != '__': 57 | new_name = hook_basename.format(func="puts") 58 | pltcov_library_source += stub_func.format(stub_name=new_name, original_func=sym.name) 59 | sym.name = new_name 60 | 61 | with open("pltcov.s", 'w') as f: 62 | f.write(pltcov_library_source) 63 | 64 | check_call("gcc -Os -fPIC -shared pltcov.s hook.c ../AFLplusplus/afl-llvm-rt.o -ldl -o libpltcov.so", shell=True) 65 | 66 | binary.write(sys.argv[1] + '.patched') 67 | os.chmod(sys.argv[1] + '.patched', stat.S_IWRITE | stat.S_IEXEC | stat.S_IREAD) --------------------------------------------------------------------------------