sslab-gatech / winnie

Winnie is an end-to-end system that makes fuzzing Windows applications easy


What does sample_name mean?

gonbbb opened this issue · comments

There is an argument -sample in synthesizer.py. If this argument is not included, the encoding below fails with a NoneType error and processing stops when running synthesizer.py.

har_parser.add_argument("-sample", "--sample-name", dest="sample_name", type=str,
default=None, help="name of the original sample name",
required=False)

winnie/harnessgen/common.py

Lines 650 to 652 in b046bce

if self.sample_name.encode() in first_string:
    arguments.append("filename")
    continue

For example, I run the following command. The contents of input\test are Hello, World!.

$ pin.exe -t \path\to\tools\Tracer\x64\Debug\Tracer.dll -logfile "\path\to\cor1_1" -trace_mode "all" -only_to_target "\path\to\toy_example.exe " -only_to_lib "example_library.dll " -- path\to\toy_example.exe "input\test"

Next, I run the following command, and I tried two options for -sample.

$ python3 synthesizer.py harness -t drltrace.PID.log -d memdump -s "test" -sample ""

case -sample ""

typedef int (__cdecl *_func_t)(int, int, int, int, int, int, int, int, int);
void fuzz_me(char* filename){

    _func_t _func;

    
    /* Harness function #0 */    
    LOAD_FUNC(dlllib, );
    int _ret = _func(filename, filename, filename, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0);
    dbg_printf(", ret = %d\n", _ret); 

}

case -sample "Hello"

typedef int (__cdecl *_func_t)(int, int, int, int, int, int, int, int, int);
void fuzz_me(char* filename){

    _func_t _func;

    
    /* Harness function #0 */    
    LOAD_FUNC(dlllib, );
    int _ret = _func(filename, *((int*)c0_a0[232]), 0x6c6c6548, 0x57202c6f, 0x646c726f, 0xa0d21, 0x0, 0x0, 0x0);
    dbg_printf(", ret = %d\n", _ret); 

}

I think the latter option is incorrect because a compile error was printed, the reason being that *((int*)c0_a0[232]) is undefined.

P.S.
Is it possible to edit this harness and use winnie to apply fuzzing, e.g. by adding a variable declaration for c0_a0 and changing LOAD_FUNC(dlllib, ); -> LOAD_FUNC(dlllib, 0);?
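The substitution the quoted common.py lines perform (mark an argument as "filename" when the sample's bytes appear in the captured data) can be reproduced on the argument words from the -sample "Hello" harness above. This is an added illustration, not winnie's code: the word list, the helper names and the None guard are all constructed here.

```python
import struct
from typing import List, Optional

# Constructed input: the 32-bit argument words that the "-sample Hello" harness
# above passed inline (little-endian "Hello, World!\r\n" followed by zero words).
CAPTURED_ARGS = [0x6c6c6548, 0x57202c6f, 0x646c726f, 0x000a0d21, 0x0, 0x0, 0x0]


def words_to_bytes(words: List[int]) -> bytes:
    """Lay the captured 32-bit words out as the byte stream the callee saw."""
    return b"".join(struct.pack("<I", w & 0xFFFFFFFF) for w in words)


def decode_inline_string(words: List[int]) -> bytes:
    """Recover the NUL-terminated string embedded in the argument words."""
    return words_to_bytes(words).split(b"\x00", 1)[0]


def classify_arguments(words: List[int], sample_name: Optional[str]) -> List[str]:
    """Label each argument word 'filename' if it overlaps the sample bytes, else 'literal'.

    The guard on sample_name is the check the quoted common.py lines lack: with
    -sample omitted, sample_name is None and None.encode() raises AttributeError.
    """
    if not sample_name:
        return ["literal"] * len(words)
    needle = sample_name.encode()
    raw = words_to_bytes(words)
    start = raw.find(needle)
    if start < 0:
        return ["literal"] * len(words)
    end = start + len(needle)
    labels = []
    for i in range(len(words)):
        lo, hi = i * 4, i * 4 + 4
        labels.append("filename" if lo < end and hi > start else "literal")
    return labels


if __name__ == "__main__":
    print(decode_inline_string(CAPTURED_ARGS))
    for sample in (None, "", "Hello", "Hello, World!"):
        print(repr(sample), classify_arguments(CAPTURED_ARGS, sample))
```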

I tried using their provided toy_sample. In this case, -sample needs to point to the built example_library.dll. Then in the CLI, it outputs the generated harness code.

@LeoLiu-2020 @gonbbb I'm also interested in this problem. If you have figured it out, can you tell me more details?

It's been a while since I answered this question. But I think what I wanted to say is that I tested the command with their provided sample called example_library.dll. And the parameter for the -sample flag should be the path of the example_library.dll.