From a947d865395d2b5f9be5ff331b1d2b8db57015e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joel=20H=C3=B6ner?= Date: Sun, 28 Aug 2016 23:08:07 +0200 Subject: [PATCH 1/3] added tool for fuzzing the disassembler --- tools/ZydisFuzzIn.c | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 tools/ZydisFuzzIn.c diff --git a/tools/ZydisFuzzIn.c b/tools/ZydisFuzzIn.c new file mode 100644 index 0000000..e69de29 From 589c4ae691aeaf4dee2c32a9acb32d863cc57fae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joel=20H=C3=B6ner?= Date: Sun, 28 Aug 2016 23:12:40 +0200 Subject: [PATCH 2/3] added stuff forgotten in previous commit --- CMakeLists.txt | 27 +++++++------ tools/ZydisDisasm.c | 2 +- tools/ZydisFuzzIn.c | 93 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 107 insertions(+), 15 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 5ea45cb..098847c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -10,7 +10,7 @@ option(FORCE_SHARED_CRT "Forces shared linkage against the CRT even when building a static library" FALSE) option(BUILD_EXAMPLES "Build examples" TRUE) -option(BUILD_TOOLS "Build tools") +option(BUILD_TOOLS "Build tools" TRUE) if (NOT CONFIGURED_ONCE) if ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU" OR 
@@ -74,24 +74,23 @@ include_directories(${PROJECT_BINARY_DIR}) # Examples if (BUILD_EXAMPLES) include_directories("include") - add_executable("ZydisTest" "examples/ZydisTest.c") - target_link_libraries("ZydisTest" "Zydis") - set_target_properties ("ZydisTest" PROPERTIES - FOLDER "Examples" - ) - add_executable("ZydisPE" "examples/ZydisPE.c") - target_link_libraries("ZydisPE" "Zydis") - set_target_properties ("ZydisPE" PROPERTIES - FOLDER "Examples" - ) + + if (WIN32) + add_executable("ZydisPE" "examples/ZydisPE.c") + target_link_libraries("ZydisPE" "Zydis") + set_target_properties ("ZydisPE" PROPERTIES FOLDER "Examples") + endif () endif () # Tools if (BUILD_TOOLS) include_directories("include") + add_executable("ZydisDisasm" "tools/ZydisDisasm.c") target_link_libraries("ZydisDisasm" "Zydis") - set_target_properties ("ZydisDisasm" PROPERTIES - FOLDER "Tools" - ) + set_target_properties ("ZydisDisasm" PROPERTIES FOLDER "Tools") + + add_executable("ZydisFuzzIn" "tools/ZydisFuzzIn.c") + target_link_libraries("ZydisFuzzIn" "Zydis") + set_target_properties("ZydisFuzzIn" PROPERTIES FOLDER "Tools") endif () diff --git a/tools/ZydisDisasm.c b/tools/ZydisDisasm.c index 7e6ae94..7f506aa 100644 --- a/tools/ZydisDisasm.c +++ b/tools/ZydisDisasm.c @@ -85,7 +85,7 @@ int main(int argc, char** argv) } ZydisFormatterFormatInstruction(&formatter, &info, buffer, sizeof(buffer)); - printf("%s\n", &buffer[0]); + puts(buffer); } } diff --git a/tools/ZydisFuzzIn.c b/tools/ZydisFuzzIn.c index e69de29..3c5c023 100644 --- a/tools/ZydisFuzzIn.c +++ b/tools/ZydisFuzzIn.c 
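Review bot: The `ZydisTest` example target is dropped from the build in this hunk while the commit message only speaks of adding forgotten files; if `examples/ZydisTest.c` is still in the tree it is now never compiled and will silently rot, so either remove the source in the same commit or state in the message why the target goes. For the new `ZydisFuzzIn` target, a fuzz harness only surfaces memory bugs if the library under test is instrumented; consider a `BUILD_FUZZ`-style option that adds `-fsanitize=address,undefined` to both `Zydis` and `ZydisFuzzIn` on GCC/Clang, e.g. `target_compile_options("ZydisFuzzIn" PRIVATE -fsanitize=address,undefined)` together with the matching link flag. Gating `ZydisPE` behind `if (WIN32)` looks right for a PE loader example but is unrelated to the fuzzer and would be clearer as its own commit.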
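Review bot: `puts(buffer)` prints `buffer` regardless of what `ZydisFormatterFormatInstruction` returned on the line above, so a formatter failure prints whatever the array held before, which is uninitialized stack data unless `buffer` is cleared where it is declared outside this hunk. The replaced `printf` had the same problem, and the fix fits on the same line: `if (ZYDIS_SUCCESS(ZydisFormatterFormatInstruction(&formatter, &info, buffer, sizeof(buffer)))) puts(buffer);`. The enclosing `main` starts and ends outside the hunk.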
@@ -0,0 +1,93 @@
+/***************************************************************************************************
+
+ Zyan Disassembler Engine (Zydis)
+
+ Original Author : Joel Höner
+
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+
+***************************************************************************************************/
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+typedef struct ZydisFuzzControlBlock_ {
+ int disasMode;
+ int decoderFlags;
+ int formatterStyle;
+ int formatterFlags;
+} ZydisFuzzControlBlock;
+
+/* ============================================================================================== */
+/* Entry point */
+/* ============================================================================================== */
+
+int main()
+{
+ ZydisFuzzControlBlock controlBlock;
+ if (fread(&controlBlock, 1, sizeof(controlBlock), stdin) != sizeof(controlBlock))
+ {
+ fputs("not enough bytes to fuzz\n", stderr);
+ return EXIT_FAILURE;
+ }
+
+ ZydisFileInput input;
+ if (!ZYDIS_SUCCESS(ZydisInputInitFileInput(&input, stdin)))
+ {
+ fputs("failed to initialize file-input\n", stderr);
+ return EXIT_FAILURE;
+ }
+
+ ZydisInstructionFormatter formatter;
+ if (!ZYDIS_SUCCESS(ZydisFormatterInitInstructionFormatterEx(&formatter,
+ controlBlock.formatterStyle, controlBlock.formatterFlags)))
+ {
+ fputs("failed to initialized instruction-formatter\n", stderr);
+ return EXIT_FAILURE;
+ }
+
+ ZydisInstructionDecoder decoder;
+ if (!ZYDIS_SUCCESS(ZydisDecoderInitInstructionDecoderEx(&decoder, controlBlock.disasMode,
+ (ZydisCustomInput*)&input, controlBlock.decoderFlags)))
+ {
+ fputs("Failed to initialize instruction-decoder\n", stderr);
+ return EXIT_FAILURE;
+ }
+
+ ZydisInstructionInfo info;
+ while (ZYDIS_SUCCESS(ZydisDecoderDecodeNextInstruction(&decoder, &info)))
+ {
+ if (info.flags & ZYDIS_IFLAG_ERROR_MASK)
+ {
+ printf("db %02X\n", info.data[0]);
+ continue;
+ }
+
+ char outBuf[256];
+ ZydisFormatterFormatInstruction(&formatter, &info, outBuf, sizeof(outBuf));
+ puts(outBuf);
+ }
+}
+
+/* ============================================================================================== */
+
From 5eee4a6b180424e8dc940eeb0dfde5e2f78e8b8c Mon Sep 17 00:00:00 2001
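Review bot: The status of `ZydisFormatterFormatInstruction` in the decode loop is discarded and `puts(outBuf)` runs unconditionally, so when formatting fails the harness prints an uninitialized 256-byte stack array; if none of the stale bytes happens to be a NUL, `puts` reads past the array and ASan reports a stack-buffer-overflow in the harness rather than in Zydis, which buries the findings the tool exists to produce. Gate the print on the result, `if (ZYDIS_SUCCESS(ZydisFormatterFormatInstruction(&formatter, &info, outBuf, sizeof(outBuf)))) puts(outBuf);`, or at least set `outBuf[0] = '\0'` before the call. Feeding the four `int` fields straight from stdin into the decoder and formatter init calls is presumably deliberate so the fuzzer reaches every configuration, and both init statuses are checked, so that is fine as written; a comment on the struct such as `/* Values are intentionally unvalidated: the fuzzer is meant to drive every configuration. */` would keep a future reader from "fixing" it. In C `int main()` should be `int main(void)` to declare the empty parameter list.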
From: =?UTF-8?q?Joel=20H=C3=B6ner?= Date: Thu, 1 Sep 2016 19:14:08 +0200 Subject: [PATCH 3/3] made output buffer in fuzzer input tool dynamic --- tools/ZydisFuzzIn.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/tools/ZydisFuzzIn.c b/tools/ZydisFuzzIn.c index 3c5c023..5e96c53 100644 --- a/tools/ZydisFuzzIn.c +++ b/tools/ZydisFuzzIn.c @@ -24,6 +24,12 @@ ***************************************************************************************************/ +/* + * This file implements a tool that is supposed to be fed as input for fuzzers like AFL, + * reading a control block from stdin, allowing the fuzzer to reach every possible + * code-path, testing any possible combination of disassembler configurations. + */ + #include #include #include @@ -36,6 +42,7 @@ typedef struct ZydisFuzzControlBlock_ { int decoderFlags; int formatterStyle; int formatterFlags; + uint8_t bufSize; } ZydisFuzzControlBlock; /* ============================================================================================== */ @@ -75,6 +82,7 @@ int main() } ZydisInstructionInfo info; + char *outBuf = malloc(controlBlock.bufSize); while (ZYDIS_SUCCESS(ZydisDecoderDecodeNextInstruction(&decoder, &info))) { if (info.flags & ZYDIS_IFLAG_ERROR_MASK) @@ -83,10 +91,12 @@ int main() continue; } - char outBuf[256]; - ZydisFormatterFormatInstruction(&formatter, &info, outBuf, sizeof(outBuf)); + ZydisFormatterFormatInstruction(&formatter, &info, outBuf, controlBlock.bufSize); puts(outBuf); } + + free(outBuf); + return 0; } /* ============================================================================================== */
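Review bot: `char *outBuf = malloc(controlBlock.bufSize);` is never checked, and `bufSize` is a fuzzer-controlled byte that can be 0, for which `malloc` may legitimately return NULL or a zero-length block; the loop below then hands a NULL or empty buffer to the formatter and to `puts`, so the fuzzer reports a crash in the harness instead of the decoder. Reject the degenerate size and an allocation failure before the loop: `char *outBuf = controlBlock.bufSize ? malloc(controlBlock.bufSize) : NULL;` followed by `if (!outBuf) { fputs("invalid output buffer size or allocation failure\n", stderr); return EXIT_FAILURE; }`. The new `uint8_t bufSize` member added in the `@@ -36,6 +42,7 @@` hunk appears to need `<stdint.h>`; the include names are not visible in this rendering, so please confirm it is among them. `main` continues outside this hunk.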
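Review bot: With `controlBlock.bufSize` now as small as 1 the formatter will routinely run out of room, yet `ZydisFormatterFormatInstruction(&formatter, &info, outBuf, controlBlock.bufSize);` is still unchecked and `puts(outBuf)` follows unconditionally; unless the formatter guarantees NUL-termination on every failure path, `puts` reads heap bytes `malloc` left undefined and runs off the end of the block, which ASan flags as a heap-buffer-overflow in the harness. Print only on success, `if (ZYDIS_SUCCESS(ZydisFormatterFormatInstruction(&formatter, &info, outBuf, controlBlock.bufSize))) puts(outBuf);`, so a too-small buffer becomes a silent skip rather than a spurious crash. `free(outBuf)` and the final return are placed correctly, since every earlier `return EXIT_FAILURE` happens before the allocation; for symmetry with those returns `return EXIT_SUCCESS;` reads better than `return 0;`.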