文章目录

  • 一、源码
  • 1.信号处理函数
  • 2.check_asan_opts(检查内存错误)
  • 3.fix_up_sync(检查ID、sync_id是否过长,检查互斥)
  • 4.save_cmdline(将当前输入参数拷贝进buf空间中)
  • 5.fix_up_banner(修剪并且创建一个运行横幅)
  • 6.check_if_tty(检查是否在tty终端上面运行)
  • 7.get_core_count(计算逻辑CPU核的数量)
  • 8.check_crash_handling(确保核心转储不会进入程序)
  • 9.check_cpu_governor(检查CPU管理者)
  • 10.setup_post(加载后处理器(如果可用))

一、源码

1.信号处理函数

/* Handle stop signal (Ctrl-C, etc). */
/* Runs in signal context: the body is limited to flag stores and kill(),
   which is async-signal-safe. Anything heavier belongs in the main loop
   that polls stop_soon. */
static void handle_stop_sig(int sig) {

  (void)sig;  /* shared by SIGHUP/SIGINT/SIGTERM; the number is not needed */

  /* Ask the main loop to wind down at its next check. */
  stop_soon = 1;

  /* Terminate whatever is currently running: the fuzzed child, then the
     fork server. A pid <= 0 means there is nothing to kill. */
  if (child_pid > 0) {
    kill(child_pid, SIGKILL);
  }

  if (forksrv_pid > 0) {
    kill(forksrv_pid, SIGKILL);
  }

}

/* Handle skip request (SIGUSR1). */
/* Handle skip request (SIGUSR1): ask the main loop to move past the current
   entry. Signal context, so this is nothing more than a flag store. */
static void handle_skipreq(int sig) {

  (void)sig;
  skip_requested = 1;

}

/* Handle timeout (SIGALRM). */
/* Handle timeout (SIGALRM). */
/* Decide which process overran the exec timeout, flag the timeout for the
   caller and SIGKILL that process. Signal context: only kill() and flag
   stores. */
static void handle_timeout(int sig) {

  (void)sig;

  pid_t victim;

  if (child_pid > 0) {
    /* A fuzzed child is running; it is the one that hung. */
    victim = child_pid;
  } else if (child_pid == -1 && forksrv_pid > 0) {
    /* child_pid == -1 presumably marks "waiting on the fork server itself"
       (confirm against the code that sets it); then the server is what hung. */
    victim = forksrv_pid;
  } else {
    /* Nothing of ours is running; leave child_timed_out untouched. */
    return;
  }

  child_timed_out = 1;
  kill(victim, SIGKILL);

}
/* Handle screen resize (SIGWINCH): raise the flag that presumably makes the
   UI redraw from scratch on its next refresh. Signal context, flag store only. */
static void handle_resize(int sig) {

  (void)sig;
  clear_screen = 1;

}

/* Set up signal handlers. More complicated than needs to be, because libc on
   Solaris doesn't resume interrupted reads(), sets SA_RESETHAND when you call
   siginterrupt(), and does other unnecessary things. */
/* Register the handlers defined above with sigaction() and SA_RESTART, so
   that interrupted read()/write() calls resume instead of failing with EINTR.
   sigaction() is used instead of signal()/siginterrupt() because their
   semantics differ across libcs (see the Solaris note preceding this function). */
EXP_ST void setup_signal_handlers(void) {

  /* One descriptor is reused for every registration; only sa_handler changes
     between calls. Zero-initialising covers sa_handler and sa_sigaction alike. */
  struct sigaction sa = { .sa_flags = SA_RESTART };
  sigemptyset(&sa.sa_mask);

  /* Signal -> handler mapping, registered in this order. */
  const struct {
    int signum;
    void (*handler)(int);
  } table[] = {

    /* Various ways of saying "stop". */
    { SIGHUP,   handle_stop_sig },
    { SIGINT,   handle_stop_sig },
    { SIGTERM,  handle_stop_sig },

    /* Exec timeout notifications. */
    { SIGALRM,  handle_timeout },

    /* Window resize. */
    { SIGWINCH, handle_resize },

    /* SIGUSR1: skip entry. */
    { SIGUSR1,  handle_skipreq },

    /* Things we don't care about. */
    { SIGTSTP,  SIG_IGN },
    { SIGPIPE,  SIG_IGN }

  };

  size_t i;

  for (i = 0; i < sizeof table / sizeof table[0]; i++) {
    sa.sa_handler = table[i].handler;
    /* Return value is not checked: a failed registration silently leaves the
       default disposition for that signal in place. */
    sigaction(table[i].signum, &sa, NULL);
  }

}

2.check_asan_opts(检查内存错误)

/* Check ASAN options. */
/* When the operator overrides ASAN_OPTIONS or MSAN_OPTIONS, insist on the
   settings the fuzzer depends on: abort_on_error=1 (ASAN) / exit_code=MSAN_ERROR
   (MSAN), presumably so a sanitizer report is observed as a crash rather than a
   normal exit, plus symbolize=0 for both. Detection is a plain substring
   search: it neither parses the option syntax nor notices a later override
   of the same key in the string. */
static void check_asan_opts(void) {

  const char* asan_opts = getenv("ASAN_OPTIONS");
  const char* msan_opts = getenv("MSAN_OPTIONS");

  if (asan_opts) {

    if (!strstr(asan_opts, "abort_on_error=1"))
      FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!");

    if (!strstr(asan_opts, "symbolize=0"))
      FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!");

  }

  if (msan_opts) {

    if (!strstr(msan_opts, "exit_code=" STRINGIFY(MSAN_ERROR)))
      FATAL("Custom MSAN_OPTIONS set without exit_code="
            STRINGIFY(MSAN_ERROR) " - please fix!");

    if (!strstr(msan_opts, "symbolize=0"))
      FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!");

  }

}

3.fix_up_sync(检查ID、sync_id是否过长,检查互斥)

/* Validate and fix up out_dir and sync_dir when using -S. */
/* Rejects option combinations that make no sense with a fuzzer ID, validates
   the ID itself, then re-points out_dir at the per-instance subdirectory of
   the shared sync directory. */
static void fix_up_sync(void) {

  /* Mode checks first: dumb mode (-n) has nothing to sync, and -d is implied
     by -S, so spelling it out is either redundant or contradictory. */
  if (dumb_mode)
    FATAL("-S / -M and -n are mutually exclusive");

  if (skip_deterministic) {
    if (force_deterministic)
      FATAL("use -S instead of -M -d");
    else
      FATAL("-S already implies -d");
  }

  /* The ID is spliced into a filesystem path below, so it is restricted to
     [A-Za-z0-9_-]: no '/' and no '.', hence no way to point outside out_dir.
     isalnum() is locale-sensitive; u8 is presumably unsigned (confirm against
     the typedef), which keeps the <ctype.h> argument in range. */
  const u8* p;

  for (p = sync_id; *p; p++) {
    if (!isalnum(*p) && *p != '_' && *p != '-')
      FATAL("Non-alphanumeric fuzzer ID specified via -S or -M");
  }

  if (strlen(sync_id) > 32)
    FATAL("Fuzzer ID too long");

  /* The shared directory becomes sync_dir; this instance writes to
     <sync_dir>/<sync_id>. alloc_printf() returns a fresh allocation. */
  sync_dir = out_dir;
  out_dir  = alloc_printf("%s/%s", out_dir, sync_id);

  /* Presumably the -S (secondary) case: skip deterministic stages and enable
     splicing. With force_deterministic set, both flags are left as they are. */
  if (!force_deterministic) {
    skip_deterministic = 1;
    use_splicing       = 1;
  }

}

4.save_cmdline(将当前输入参数拷贝进buf空间中)

/* Make a copy of the current command line. */
/* Joins argv[0..argc-1] with single spaces into a freshly ck_alloc()ed,
   NUL-terminated string and publishes it through orig_cmdline. Arguments are
   copied verbatim with no quoting, so an argument that itself contains a
   space is indistinguishable from two arguments in the result. */
static void save_cmdline(u32 argc, char** argv) {

  u32 i;
  u32 len = 1;  /* the trailing NUL */

  /* Size pass: every argument plus one byte for its separator. The last
     argument's separator byte is never used, so there is one byte of slack. */
  for (i = 0; i < argc; i++)
    len += strlen(argv[i]) + 1;

  u8* out = ck_alloc(len);
  orig_cmdline = out;

  /* Copy pass: a space precedes every argument except the first. */
  u8* cur = out;

  for (i = 0; i < argc; i++) {

    if (i) *(cur++) = ' ';

    u32 l = strlen(argv[i]);
    memcpy(cur, argv[i], l);
    cur += l;

  }

  *cur = 0;

}

5.fix_up_banner(修剪并且创建一个运行横幅)

/* Trim and possibly create a banner for the run. */
/* Chooses a banner when none was given: the sync ID when running with -S/-M,
   otherwise the basename of `name` (presumably the target binary's path).
   A banner longer than 40 bytes is cut and suffixed with "...". */
static void fix_up_banner(u8* name) {

  if (!use_banner) {

    if (sync_id) {
      use_banner = sync_id;
    } else {
      /* Basename: everything after the last '/', or the whole string. */
      u8* slash = strrchr(name, '/');
      use_banner = slash ? slash + 1 : name;
    }

  }

  /* "%.40s" truncates at 40 *bytes*, so a multi-byte UTF-8 character that
     straddles the boundary gets split. The buffer holds exactly
     40 + strlen("...") + NUL = 44 bytes, and snprintf() bounds the write. */
  if (strlen(use_banner) > 40) {
    u8* tmp = ck_alloc(44);
    snprintf(tmp, 44, "%.40s...", use_banner);
    use_banner = tmp;
  }

}

6.check_if_tty(检查是否在tty终端上面运行)

/* Check if we're on TTY. */
/* Sets not_on_tty when the UI should be disabled: either explicitly via
   AFL_NO_UI, or because stdout does not answer a window-size query with
   anything but ENOTTY. Other ioctl() failures (e.g. EBADF) are ignored and
   leave the UI enabled. */
static void check_if_tty(void) {

  struct winsize ws;

  /* Explicit opt-out by the operator. */
  if (getenv("AFL_NO_UI")) {
    OKF("Disabling the UI because AFL_NO_UI is set.");
    not_on_tty = 1;
    return;
  }

  /* Probe stdout. ws is only used as scratch space for the ioctl. */
  if (ioctl(STDOUT_FILENO, TIOCGWINSZ, &ws) == 0) return;

  /* errno is read immediately after the failing call, before anything else
     can overwrite it. */
  if (errno != ENOTTY) return;

  OKF("Looks like we're not running on a tty, so I'll be a bit less verbose.");
  not_on_tty = 1;

}

7.get_core_count(计算逻辑CPU核的数量)

/* Count the number of logical CPU cores. */static void get_core_count(void) {u32 cur_runnable = 0;

8.check_crash_handling(确保核心转储不会进入程序)

/* Make sure that core dumps don't go to a program. */
/* A crash that is first handed to an external crash reporter (macOS) or a
   core_pattern pipe helper (Linux) reaches waitpid() late, and the fuzzer
   would record it as a timeout. Setting AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES
   turns the FATAL into a warning; the explanatory message is printed either way. */
static void check_crash_handling(void) {

#ifdef __APPLE__

  /* Yuck! There appears to be no simple C API to query for the state of
     loaded daemons on MacOS X, and I'm a bit hesitant to do something more
     sophisticated, such as disabling crash reporting via Mach ports, until I
     get a box to test the code. So, for now, we check for crash reporting the
     awful way. The command string is constant - no user-controlled data
     reaches the shell - but system() still resolves launchctl and grep through
     the caller's PATH. A non-zero status (no match, or failure) is taken as
     "no crash reporter". */
  if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash$'")) return;

  SAYF("\n" cLRD "[-] " cRST
       "Whoops, your system is configured to forward crash notifications to an\n"
       "    external crash reporting utility. This will cause issues due to the\n"
       "    extended delay between the fuzzed binary malfunctioning and this fact\n"
       "    being relayed to the fuzzer via the standard waitpid() API.\n\n"
       "    To avoid having crashes misinterpreted as timeouts, please run the\n"
       "    following commands:\n\n"
       "    SL=/System/Library; PL=com.apple.ReportCrash\n"
       "    launchctl unload -w ${SL}/LaunchAgents/${PL}.plist\n"
       "    sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist\n");

  if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES"))
    FATAL("Crash reporter detected");

#else

  /* This is Linux specific, but I don't think there's anything equivalent on
     *BSD, so we can just let it slide for now. If the file cannot be opened
     (e.g. no procfs), the check is skipped silently. */
  s32 fd = open("/proc/sys/kernel/core_pattern", O_RDONLY);

  if (fd < 0) return;

  ACTF("Checking core_pattern...");

  /* Only the first byte matters: a leading '|' means the kernel hands the
     dump to an external program instead of writing a file. */
  u8  fchar = 0;
  int piped = (read(fd, &fchar, 1) == 1) && (fchar == '|');

  if (piped) {

    SAYF("\n" cLRD "[-] " cRST
         "Hmm, your system is configured to send core dump notifications to an\n"
         "    external utility. This will cause issues: there will be an extended delay\n"
         "    between stumbling upon a crash and having this information relayed to the\n"
         "    fuzzer via the standard waitpid() API.\n\n"
         "    To avoid having crashes misinterpreted as timeouts, please log in as root\n"
         "    and temporarily modify /proc/sys/kernel/core_pattern, like so:\n\n"
         "    echo core >/proc/sys/kernel/core_pattern\n");

    /* FATAL() exits without reaching close() below; harmless at exit. */
    if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES"))
      FATAL("Pipe at the beginning of 'core_pattern'");

  }

  close(fd);

#endif /* ^__APPLE__ */

}

9.check_cpu_governor(检查CPU管理者)


/* Read a single unsigned integer from a sysfs-style file. Returns 0 when the
   file cannot be opened or does not start with a number; the stream is always
   closed. */
static u64 read_sysfs_u64(const char* path) {

  u64   val = 0;
  FILE* f   = fopen(path, "r");

  if (f) {
    if (fscanf(f, "%llu", &val) != 1) val = 0;
    fclose(f);
  }

  return val;

}

/* Check CPU governor. */
/* Refuses to run under an on-demand frequency governor unless
   AFL_SKIP_CPUFREQ is set. Only cpu0 is inspected, and a governor whose name
   starts with "perf" (performance) passes; any other governor is tolerated
   only when the min and max scaling frequencies coincide (so scaling cannot
   actually happen). Missing sysfs files skip the check. */
static void check_cpu_governor(void) {

  FILE* f;
  u8    tmp[128];

  if (getenv("AFL_SKIP_CPUFREQ"))
    return;

  f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor", "r");
  if (!f) return;

  ACTF("Checking CPU scaling governor...");

  /* A readable-but-empty governor file is treated as an error, not as "unknown". */
  if (!fgets(tmp, sizeof tmp, f)) PFATAL("fgets() failed");
  fclose(f);

  if (!strncmp(tmp, "perf", 4)) return;

  u64 min = read_sysfs_u64("/sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq");
  u64 max = read_sysfs_u64("/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq");

  /* Equal bounds (or both files unreadable, giving 0 == 0) mean no scaling. */
  if (min == max) return;

  /* The values are divided by 1024 before being reported as MHz - presumably
     the sysfs unit is kHz and this is a deliberate approximation; confirm. */
  SAYF("\n" cLRD "[-] " cRST
       "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n"
       "    between %llu and %llu MHz. Unfortunately, the scaling algorithm in the\n"
       "    kernel is imperfect and can miss the short-lived processes spawned by\n"
       "    afl-fuzz. To keep things moving, run these commands as root:\n\n"
       "    cd /sys/devices/system/cpu\n"
       "    echo performance | tee cpu*/cpufreq/scaling_governor\n\n"
       "    You can later go back to the original state by replacing 'performance' with\n"
       "    'ondemand'. If you don't want to change the settings, set AFL_SKIP_CPUFREQ\n"
       "    to make afl-fuzz skip this check - but expect some performance drop.\n",
       min / 1024, max / 1024);

  FATAL("Suboptimal CPU scaling governor");

}

10.setup_post(加载后处理器(如果可用))

/* Load postprocessor, if available. */
/* Loads the shared object named by AFL_POST_LIBRARY into this process and
   binds post_handler to its afl_postprocess symbol. The path comes straight
   from the environment and the library executes in-process with the
   fuzzer's own privileges, so the variable should only ever point at a
   library the operator trusts. Absent variable: nothing happens. */
static void setup_post(void) {

  u8* fn = getenv("AFL_POST_LIBRARY");

  if (!fn)
    return;

  ACTF("Loading postprocessor from '%s'...", fn);

  /* RTLD_NOW resolves every undefined symbol up front, so a broken library
     fails here rather than on first use. The handle is never dlclose()d:
     post_handler points into the mapped library for the rest of the run. */
  void* dh = dlopen(fn, RTLD_NOW);
  if (!dh) FATAL("%s", dlerror());

  post_handler = dlsym(dh, "afl_postprocess");

  if (!post_handler)
    FATAL("Symbol 'afl_postprocess' not found.");

  /* Do a quick test. It's better to segfault now than later =)
     tlen is 6, i.e. "hello" plus its NUL - presumably the length convention
     the handler expects; confirm against the postprocessor API. */
  u32 tlen = 6;
  post_handler("hello", &tlen);

  OKF("Postprocessor installed successfully.");

}
