From 5a0c8aef3405bf1a954c4f51cbf9899d654d313e Mon Sep 17 00:00:00 2001 From: 1LuB <3622487951@qq.com> Date: Wed, 8 Jan 2025 15:41:01 +0800 Subject: [PATCH] =?UTF-8?q?=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/AFLplusplus-stable/src/afl-analyze.c | 253 +++++++++++++---------- 1 file changed, 140 insertions(+), 113 deletions(-) diff --git a/src/AFLplusplus-stable/src/afl-analyze.c b/src/AFLplusplus-stable/src/afl-analyze.c index 97c79e3..a5e1381 100644 --- a/src/AFLplusplus-stable/src/afl-analyze.c +++ b/src/AFLplusplus-stable/src/afl-analyze.c @@ -21,6 +21,8 @@ its structure by observing how changes to it affect the execution path. If the output scrolls past the edge of the screen, pipe it to 'less -r'. + + shashaqingkuangwoq */ @@ -96,9 +98,7 @@ static afl_forkserver_t fsrv = {0}; /* The forkserver */ /* Classify tuple counts. This is a slow & naive version, but good enough here. */ - - -//将模糊测试的错误数进行归并,在不造成太大影响的情况下减少运算、提升性能 +//鍒嗙被璁℃暟锛屽苟閫氳繃涓嶅悓鐨勮寖鍥村皢杈撳叆鏄犲皠鍒扮壒瀹氱殑鍊间笂銆 static u8 count_class_lookup[256] = { [0] = 0, @@ -113,11 +113,11 @@ static u8 count_class_lookup[256] = { }; -//结束子进程 +//缁堟涓涓瓙杩涚▼ static void kill_child() { - + // 鍒ゆ柇fsrv缁撴瀯浣撲腑鐨刢hild_pid鏄惁澶т簬0锛堝嵆鏄惁鏈夋湁鏁堢殑瀛愯繘绋婭D锛 if (fsrv.child_pid > 0) { - + // 浣跨敤kill鍑芥暟鍚戝瓙杩涚▼鍙戦佺粓姝俊鍙凤紝淇″彿绫诲瀷涓篺srv.child_kill_signal kill(fsrv.child_pid, fsrv.child_kill_signal); fsrv.child_pid = -1; @@ -125,6 +125,7 @@ static void kill_child() { } +//瀵圭粰瀹氬唴瀛樺潡涓殑鏁版嵁杩涜鍒嗙被澶勭悊銆傛牴鎹ā绯婃祴璇曠殑妯″紡锛屽喅瀹氭槸灏嗛潪闆跺艰缃负1锛岃繕鏄牴鎹甤ount_class_lookup鏁扮粍瀵规瘡涓瓧鑺傝繘琛屽垎绫绘槧灏勩 static void classify_counts(u8 *mem, u32 mem_size) { u32 i = mem_size; @@ -132,7 +133,7 @@ static void classify_counts(u8 *mem, u32 mem_size) { if (edges_only) { while (i--) { - + // 濡傛灉褰撳墠鎸囬拡鎵鎸囧悜鐨勫奸潪闆讹紝鍒欏皢鍏惰缃负1 if (*mem) { *mem = 1; } mem++; 
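Review bot: The line `shashaqingkuangwoq` added inside the file's header comment in hunk @@ -21 carries no information and looks like a stray keystroke string left in by accident; it should be dropped before merge. That header block describes the tool's purpose for readers, so anything added there needs to be a real sentence about the tool.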
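Review bot: The comment added in hunk @@ -96 (`//鍒嗙被璁℃暟锛屽苟閫氳繃…`) and every comment this patch adds after it read as UTF-8 bytes displayed through a GBK/CP936 code page, while the line it replaces (`//将模糊测试的错误数进行归并…`) was stored correctly; the file appears to have been re-saved under a different encoding even though the patch header declares `charset=UTF-8`. Re-save afl-analyze.c as UTF-8 so the text round-trips, and consider writing the new comments in English to match the surrounding file (`/* The forkserver */`, `/* Classify tuple counts. … */`), which also makes them reviewable by the upstream maintainers. This applies to hunks @@ -113, @@ -125 and @@ -132 on this line and to every hunk that follows; it is raised only here.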
@@ -141,7 +142,7 @@ static void classify_counts(u8 *mem, u32 mem_size) { } else { while (i--) { - + // 鏍规嵁count_class_lookup鏁扮粍锛屽皢褰撳墠鎸囬拡鎵鎸囧悜鐨勫艰繘琛屽垎绫绘浛鎹 *mem = count_class_lookup[*mem]; mem++; @@ -152,9 +153,9 @@ static void classify_counts(u8 *mem, u32 mem_size) { } /* See if any bytes are set in the bitmap. */ - +// 妫鏌itmap涓槸鍚﹀瓨鍦ㄩ浂鍊 static inline u8 anything_set(void) { - + // 灏 fsrv.trace_bits 杞崲涓烘寚鍚 u32 绫诲瀷鐨勬寚閽 u32 *ptr = (u32 *)fsrv.trace_bits; u32 i = (map_size >> 2); @@ -163,7 +164,7 @@ static inline u8 anything_set(void) { if (*(ptr++)) { return 1; } } - + // 濡傛灉鎵鏈夊煎潎涓洪浂锛岃繑鍥 0 return 0; } @@ -171,22 +172,22 @@ static inline u8 anything_set(void) { /* Get rid of temp files (atexit handler). */ static void at_exit_handler(void) { - +//閫鍑 unlink(fsrv.out_file); /* Ignore errors */ } /* Read initial file. */ - +// 璇诲彇鍒濆鏂囦欢骞惰繘琛屾鏌 static void read_initial_file(void) { struct stat st; s32 fd = open(in_file, O_RDONLY); - + // 妫鏌ユ枃浠舵墦寮鏄惁鎴愬姛锛岃嫢澶辫触鍒欐墦鍗伴敊璇俊鎭苟缁堟绋嬪簭 if (fd < 0) { PFATAL("Unable to open '%s'", in_file); } - + // 鑾峰彇鏂囦欢鐘舵佷俊鎭紝骞舵鏌ユ枃浠跺ぇ灏忥紝鑻ヨ幏鍙栧け璐ユ垨鏂囦欢澶у皬涓洪浂锛屽垯缁堟绋嬪簭 if (fstat(fd, &st) || !st.st_size) { FATAL("Zero-sized input file."); } - + // 妫鏌ユ枃浠跺ぇ灏忔槸鍚﹁秴杩囨渶澶ч檺鍒 TMIN_MAX_FILE锛岃嫢瓒呰繃鍒欑粓姝㈢▼搴 if (st.st_size >= TMIN_MAX_FILE) { FATAL("Input file is too large (%ld MB max)", TMIN_MAX_FILE / 1024 / 1024); 
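Review bot: The comment placed above anything_set() in hunk @@ -152 (`// 妫鏌itmap涓槸鍚﹀瓨鍦ㄩ浂鍊`) appears, once decoded, to say the function checks whether the bitmap contains a zero value, which inverts what the code does: the loop returns 1 as soon as a non-zero u32 is found and 0 only when every word is zero. The existing `/* See if any bytes are set in the bitmap. */` one line above already states the contract correctly, so the added line should be removed or replaced by `// Returns 1 if any u32 of fsrv.trace_bits is non-zero, else 0.` The decoding of the mojibake is inferred, so please confirm the intended wording.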
@@ -194,43 +195,45 @@ static void read_initial_file(void) { } in_len = st.st_size; + // 鍒嗛厤鍐呭瓨浠ュ瓨鍌ㄦ枃浠跺唴瀹癸紝骞剁‘淇濆唴瀛樺垵濮嬪寲涓洪浂 in_data = ck_alloc_nozero(in_len); ck_read(fd, in_data, in_len, in_file); close(fd); - + // 鎵撳嵃璇诲彇鎴愬姛鐨勪俊鎭紝鍖呮嫭璇诲彇鐨勫瓧鑺傛暟 OKF("Read %u byte%s from '%s'.", in_len, in_len == 1 ? "" : "s", in_file); } /* Execute target application. Returns exec checksum, or 0 if program times out. */ - +// 鍒嗘瀽鐩爣绋嬪簭鐨勮繍琛岀粨鏋 static u64 analyze_run_target(u8 *mem, u32 len, u8 first_run) { - + // 灏嗚緭鍏ユ暟鎹啓鍏ユ祴璇曠敤渚 afl_fsrv_write_to_testcase(&fsrv, mem, len); + // 杩愯鐩爣绋嬪簭骞惰幏鍙栬繍琛岀粨鏋 fsrv_run_result_t ret = afl_fsrv_run_target(&fsrv, exec_tmout, &stop_soon); if (ret == FSRV_RUN_ERROR) { - + // forkserver 閿欒 FATAL("Error in forkserver"); } else if (ret == FSRV_RUN_NOINST) { - + // 鐩爣鏈鎻掓々 FATAL("Target not instrumented"); } else if (ret == FSRV_RUN_NOBITS) { - + // 杩愯鐩爣澶辫触 FATAL("Failed to run target"); } - + // 鏍规嵁璺熻釜浣嶅浘鍒嗙被璁℃暟 classify_counts(fsrv.trace_bits, fsrv.map_size); total_execs++; if (stop_soon) { - + // 妫鏌ョ敤鎴锋槸鍚︿腑姝簡鍒嗘瀽 SAYF(cRST cLRD "\n+++ Analysis aborted by user +++\n" cRST); exit(1); @@ -239,7 +242,7 @@ static u64 analyze_run_target(u8 *mem, u32 len, u8 first_run) { /* Always discard inputs that time out. */ if (fsrv.last_run_timed_out) { - + // 缁熻瓒呮椂娆℃暟 exec_hangs++; return 0; @@ -248,14 +251,14 @@ static u64 analyze_run_target(u8 *mem, u32 len, u8 first_run) { u64 cksum = hash64(fsrv.trace_bits, fsrv.map_size, HASH_CONST); if (ret == FSRV_RUN_CRASH) { - + // 濡傛灉鐩爣绋嬪簭宕╂簝锛屼慨鏀瑰搱甯屽 /* We don't actually care if the target is crashing or not, except that when it does, the checksum should be different. */ cksum ^= 0xffffffff; } - + // 濡傛灉鏄涓娆¤繍琛岋紝灏嗗師濮嬪搱甯屽间繚瀛 if (first_run) { orig_cksum = cksum; } return cksum; @@ -263,7 +266,7 @@ static u64 analyze_run_target(u8 *mem, u32 len, u8 first_run) { } #ifdef USE_COLOR - +//濡傛灉缁欏嚭棰滆壊锛岃鑼冨寲琛ㄨ揪 /* Helper function to display a human-readable character. */ static void show_char(u8 val) { 
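Review bot: The comment added above `in_data = ck_alloc_nozero(in_len);` in hunk @@ -194 appears to decode to "allocate memory for the file content and make sure it is zero-initialised", but ck_alloc_nozero is, by its name, the variant that does not zero its buffer; it is the following `ck_read(fd, in_data, in_len, in_file);` that fills every byte. A reader trusting the comment could later rely on unread bytes being zero. Suggest `// Not zeroed: ck_read() below overwrites all in_len bytes.` (decoding inferred; please confirm).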
@@ -302,7 +305,7 @@ static void show_legend(void) { #endif /* USE_COLOR */ /* Interpret and report a pattern in the input file. */ - +// 浠ュ崄鍏繘鍒舵牸寮忚浆鍌ㄤ簩杩涘埗鏁版嵁骞惰繘琛屽垎绫 static void dump_hex(u32 len, u8 *b_data) { u32 i; @@ -314,13 +317,13 @@ static void dump_hex(u32 len, u8 *b_data) { #else u32 rlen = 1; #endif /* ^USE_COLOR */ - + // 鑾峰彇褰撳墠瀛楄妭鐨勭被鍨嬶紝鎻愬彇浣 4 浣 u8 rtype = b_data[i] & 0x0f; /* Look ahead to determine the length of run. */ - + //鍚戝墠鏌ョ湅浠ョ‘瀹氬綋鍓嶅瓧鑺傜殑杩愯闀垮害 while (i + rlen < len && (b_data[i] >> 7) == (b_data[i + rlen] >> 7)) { - + // 鏇存柊褰撳墠杩愯鐨勭被鍨 if (rtype < (b_data[i + rlen] & 0x0f)) { rtype = b_data[i + rlen] & 0x0f; @@ -332,7 +335,7 @@ static void dump_hex(u32 len, u8 *b_data) { } /* Try to do some further classification based on length & value. */ - + //鏍规嵁闀垮害鍜岀被鍨嬭繘琛岃繘涓姝ュ垎绫 if (rtype == RESP_FIXED) { switch (rlen) { @@ -344,7 +347,7 @@ static void dump_hex(u32 len, u8 *b_data) { /* Small integers may be length fields. */ if (val && (val <= in_len || SWAP16(val) <= in_len)) { - + // 灏嗙被鍨嬫洿鏀逛负闀垮害瀛楁 rtype = RESP_LEN; break; @@ -353,7 +356,7 @@ static void dump_hex(u32 len, u8 *b_data) { /* Uniform integers may be checksums. */ if (val && abs(in_data[i] - in_data[i + 1]) > 32) { - + // 灏嗙被鍨嬫洿鏀逛负鏍¢獙鍜 rtype = RESP_CKSUM; break; @@ -370,7 +373,7 @@ static void dump_hex(u32 len, u8 *b_data) { /* Small integers may be length fields. */ if (val && (val <= in_len || SWAP32(val) <= in_len)) { - + // 灏嗙被鍨嬫洿鏀逛负闀垮害瀛楁 rtype = RESP_LEN; break; @@ -381,7 +384,7 @@ static void dump_hex(u32 len, u8 *b_data) { if (val && (in_data[i] >> 7 != in_data[i + 1] >> 7 || in_data[i] >> 7 != in_data[i + 2] >> 7 || in_data[i] >> 7 != in_data[i + 3] >> 7)) { - + // 灏嗙被鍨嬫洿鏀逛负鏍¢獙鍜 rtype = RESP_CKSUM; break; @@ -390,7 +393,7 @@ static void dump_hex(u32 len, u8 *b_data) { break; } - + // 瀵逛簬 1, 3, 5 鍒 MAX_AUTO_EXTRA - 1 鐨勬儏鍐碉紝涓嶅仛澶勭悊 case 1: case 3: case 5 ... MAX_AUTO_EXTRA - 1: 
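Review bot: The comment inserted before `case 1: case 3: case 5 ... MAX_AUTO_EXTRA - 1:` in hunk @@ -390 appears to decode to "for 1, 3, 5 up to MAX_AUTO_EXTRA - 1, do nothing", but the statements under those labels lie outside the hunk, so the claim cannot be checked here; as far as I recall upstream afl-analyze assigns `rtype = RESP_SUSPECT` under these labels rather than doing nothing. Please verify against the lines that follow and describe what the labels actually do, or drop the comment since the switch body speaks for itself. The enclosing dump_hex() switch continues past the end of the hunk.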
@@ -404,7 +407,7 @@ static void dump_hex(u32 len, u8 *b_data) { } /* Print out the entire run. */ - +//濡傛灉浣跨敤棰滆壊妯℃澘锛屼笅闈唬鐮佷細瑙勮寖鍖栬緭鍑 #ifdef USE_COLOR for (off = 0; off < rlen; off++) { @@ -513,17 +516,17 @@ static void dump_hex(u32 len, u8 *b_data) { } /* Actually analyze! */ - +// 鍒嗘瀽杈撳叆鏂囦欢 static void analyze() { - + // 瀹氫箟鍙橀噺 u32 i; u32 boring_len = 0, prev_xff = 0, prev_x01 = 0, prev_s10 = 0, prev_a10 = 0; - + // 鍔ㄦ佸垎閰嶅唴瀛橈紝鐢ㄤ簬瀛樺偍鍒嗘瀽缁撴灉 u8 *b_data = ck_alloc(in_len + 1); u8 seq_byte = 0; - + // 鍦ㄦ湯灏炬坊鍔犱竴涓晠鎰忕殑缁堟绗 b_data[in_len] = 0xff; /* Intentional terminator. */ - + // 杈撳嚭鍒嗘瀽寮濮嬬殑淇℃伅 ACTF("Analyzing input file (this may take a while)...\n"); #ifdef USE_COLOR 
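Review bot: Most comments added to analyze() in hunk @@ -513 restate the statement beneath them (`// 瀹氫箟鍙橀噺` above `u32 i;` appears to say "define variables", the one above the ACTF() call "print the start message"), which adds reading cost without explaining intent. Comments should carry what the code cannot, as the existing `/* Intentional terminator. */` on `b_data[in_len] = 0xff;` does, and the ones that merely narrate the next line should be dropped. The same pattern occurs in the hunks on the following lines (@@ -531 through @@ -1109) and is raised only here.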
@@ -531,50 +534,54 @@ static void analyze() { #endif /* USE_COLOR */ for (i = 0; i < in_len; i++) { - + // 瀹氫箟鍙橀噺鐢ㄤ簬瀛樺偍涓嶅悓鎿嶄綔鐨勭粨鏋 u64 xor_ff, xor_01, sub_10, add_10; + // 瀹氫箟鍙橀噺鐢ㄤ簬瀛樺偍鍘熷鏍¢獙鍜屾瘮杈冪粨鏋 u8 xff_orig, x01_orig, s10_orig, a10_orig; /* Perform walking byte adjustments across the file. We perform four operations designed to elicit some response from the underlying code. */ - + // 瀵规枃浠朵腑鐨勬瘡涓涓瓧鑺傝繘琛屽洓绉嶆搷浣滀互寮曞彂鍝嶅簲 + // 瀵瑰綋鍓嶅瓧鑺傝繘琛屽紓鎴栨搷浣 in_data[i] ^= 0xff; + // 杩愯鐩爣鍒嗘瀽骞惰幏鍙栫粨鏋 xor_ff = analyze_run_target(in_data, in_len, 0); - + // 杩涜鍙︿竴绉嶅紓鎴栨搷浣 in_data[i] ^= 0xfe; xor_01 = analyze_run_target(in_data, in_len, 0); - + // 杩涜鍑忔硶鍜屽紓鎴栨搷浣 in_data[i] = (in_data[i] ^ 0x01) - 0x10; sub_10 = analyze_run_target(in_data, in_len, 0); - + // 杩涜鍔犳硶鎿嶄綔 in_data[i] += 0x20; add_10 = analyze_run_target(in_data, in_len, 0); + // 鎭㈠褰撳墠瀛楄妭鐨勫 in_data[i] -= 0x10; /* Classify current behavior. */ - + // 鏍规嵁涓嶅悓鎿嶄綔鐨勭粨鏋滃垎绫诲綋鍓嶅瓧鑺傜殑琛屼负 xff_orig = (xor_ff == orig_cksum); x01_orig = (xor_01 == orig_cksum); s10_orig = (sub_10 == orig_cksum); a10_orig = (add_10 == orig_cksum); if (xff_orig && x01_orig && s10_orig && a10_orig) { - + // 濡傛灉鎵鏈夋搷浣滅殑缁撴灉鍧囦笌鍘熷鏍¢獙鍜岀浉鍚岋紝鍒欏皢褰撳墠瀛楄妭鐨勮涓鸿缃负 RESP_NONE b_data[i] = RESP_NONE; boring_len++; } else if (xff_orig || x01_orig || s10_orig || a10_orig) { - + // 濡傛灉鏈変竴涓搷浣滅殑缁撴灉涓庡師濮嬫牎楠屽拰鐩稿悓锛屽垯灏嗗綋鍓嶅瓧鑺傜殑琛屼负璁剧疆涓 RESP_MINOR b_data[i] = RESP_MINOR; boring_len++; } else if (xor_ff == xor_01 && xor_ff == sub_10 && xor_ff == add_10) { - + // 濡傛灉鎵鏈夋搷浣滅殑缁撴灉鍧囩浉鍚岋紝鍒欏皢褰撳墠瀛楄妭鐨勮涓鸿缃负 RESP_FIXED b_data[i] = RESP_FIXED; } else { - + // 鍚﹀垯灏嗗綋鍓嶅瓧鑺傜殑琛屼负璁剧疆涓 RESP_VARIABLE b_data[i] = RESP_VARIABLE; } 
@@ -583,24 +590,24 @@ static void analyze() { if (prev_xff != xor_ff && prev_x01 != xor_01 && prev_s10 != sub_10 && prev_a10 != add_10) { - + // 褰撴墍鏈夋牎楠屽拰閮藉彂鐢熷彉鍖栨椂锛屽皢 b_data 鐨勬渶楂樹綅缈昏浆 seq_byte ^= 0x80; } - + // 灏嗗綋鍓嶅瓧鑺傜殑琛屼负涓庡簭鍒楀瓧鑺傝繘琛屽悎骞 b_data[i] |= seq_byte; - + // 鏇存柊搴忓垪瀛楄妭 prev_xff = xor_ff; prev_x01 = xor_01; prev_s10 = sub_10; prev_a10 = add_10; } - + // 杈撳嚭鍒嗘瀽缁撴灉 dump_hex(in_len, b_data); - + // 杈撳嚭鍒嗘瀽缁撴潫淇℃伅 SAYF("\n"); - + // 杈撳嚭鍒嗘瀽瀹屾垚鐨勪俊鎭紝鍖呮嫭寮傚父鏁版嵁鐨勭櫨鍒嗘瘮 OKF("Analysis complete. Interesting bits: %0.02f%% of the input file.", 100.0 - ((double)boring_len * 100) / in_len); @@ -610,7 +617,7 @@ static void analyze() { exec_hangs); } - + // 閲婃斁鍒嗛厤鐨勫唴瀛 ck_free(b_data); } @@ -618,7 +625,7 @@ static void analyze() { /* Handle Ctrl-C and the like. */ static void handle_stop_sig(int sig) { - +//澶勭悊鐢ㄦ埛閫鍑轰簨浠跺嵆 Ctrl-C 浜嬩欢 (void)sig; stop_soon = 1; 
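Review bot: Two comments in hunk @@ -583 describe the wrong line: the one above `seq_byte ^= 0x80;` appears to say that b_data's top bit is flipped, whereas it is seq_byte that is toggled and only OR-ed into b_data[i] by the next statement, and the one above `prev_xff = xor_ff;` appears to say "update the sequence byte" while those four assignments save the current checksums for the next iteration's comparison. Suggest `// Toggle the run marker; it is OR-ed into b_data[i] below.` and `// Remember this byte's checksums for the next iteration.` respectively. Both decodings are inferred from the mojibake, so please confirm the intended wording.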
@@ -627,39 +634,41 @@ static void handle_stop_sig(int sig) { } /* Do basic preparations - persistent fds, filenames, etc. */ - +//璁剧疆鐜锛屾墦寮蹇呰鐨勭郴缁熸枃浠讹紝璁剧疆涓存椂杈撳嚭鏂囦欢锛屽鐞嗗拰閰嶇疆涓庡唴瀛樺垎鏋愩丵EMU 鍜 Frida 鐩稿叧鐨勭幆澧冨彉閲 static void set_up_environment(char **argv) { u8 *x; char *afl_preload; char *frida_afl_preload = NULL; - + // 灏濊瘯鎵撳紑 /dev/null锛岃幏鍙栨枃浠舵弿杩扮 fsrv.dev_null_fd = open("/dev/null", O_RDWR); + // 濡傛灉鎵撳紑澶辫触锛屽垯鎵撳嵃閿欒淇℃伅骞剁粓姝㈢▼搴 if (fsrv.dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); } - + // 濡傛灉杈撳嚭鏂囦欢鏈缃紝榛樿浣跨敤褰撳墠鐩綍 if (!fsrv.out_file) { u8 *use_dir = "."; - + // 妫鏌ュ綋鍓嶇洰褰曟槸鍚﹀彲璇汇佸彲鍐欏拰鍙墽琛岋紝鑻ヤ笉鍙銆佸彲鍐欏拰鍙墽琛岋紝鍒欎娇鐢 /tmp 鐩綍 if (access(use_dir, R_OK | W_OK | X_OK)) { use_dir = get_afl_env("TMPDIR"); if (!use_dir) { use_dir = "/tmp"; } } - + // 鍒嗛厤涓存椂杈撳嚭鏂囦欢鍚 fsrv.out_file = alloc_printf("%s/.afl-analyze-temp-%u", use_dir, (u32)getpid()); } - + // 鍒犻櫎宸插瓨鍦ㄧ殑涓存椂杈撳嚭鏂囦欢 unlink(fsrv.out_file); fsrv.out_fd = open(fsrv.out_file, O_RDWR | O_CREAT | O_EXCL, DEFAULT_PERMISSION); - + // 濡傛灉鎵撳紑澶辫触锛屽垯鎵撳嵃閿欒淇℃伅骞剁粓姝㈢▼搴 if (fsrv.out_fd < 0) { PFATAL("Unable to create '%s'", fsrv.out_file); } /* Set sane defaults... */ + // 鑾峰彇 MSAN_OPTIONS 鐜鍙橀噺锛屽苟妫鏌ユ槸鍚﹀寘鍚 exitcode=MSAN_ERROR x = get_afl_env("MSAN_OPTIONS"); if (x) { @@ -672,9 +681,9 @@ static void set_up_environment(char **argv) { } } - + // 璁剧疆榛樿鐨勬竻鐞嗗伐鍏 set_sanitizer_defaults(); - + // 妫鏌 AFL_PRELOAD 鐜鍙橀噺 if (get_afl_env("AFL_PRELOAD")) { if (qemu_mode) { @@ -682,9 +691,11 @@ static void set_up_environment(char **argv) { /* afl-qemu-trace takes care of converting AFL_PRELOAD. */ } else if (frida_mode) { - + // 浠庣幆澧冨彉閲忚幏鍙 AFL_PRELOAD afl_preload = getenv("AFL_PRELOAD"); + // 鏌ユ壘 frida 浜岃繘鍒舵枃浠 u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); + // 鏍规嵁 AFL_PRELOAD 鏄惁璁剧疆锛屾瀯寤 frida_afl_preload if (afl_preload) { frida_afl_preload = alloc_printf("%s:%s", afl_preload, frida_binary); 
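Review bot: The comment above `if (access(use_dir, R_OK | W_OK | X_OK))` in hunk @@ -627 appears to say that an unusable current directory falls back to /tmp, but the code first consults `get_afl_env("TMPDIR")` and uses /tmp only when that is unset; `// cwd not rwx: fall back to $TMPDIR, then /tmp` would match the logic. The comment on `set_sanitizer_defaults();` in hunk @@ -672 appears to render "sanitizer" as a cleanup tool, which will mislead; keep the term sanitizer untranslated. Both decodings are inferred, so please confirm the intended wording.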
@@ -694,9 +705,9 @@ static void set_up_environment(char **argv) { frida_afl_preload = alloc_printf("%s", frida_binary); } - + // 閲婃斁 frida_binary 鐨勫唴瀛 ck_free(frida_binary); - + // 璁剧疆 LD_PRELOAD 鍜 DYLD_INSERT_LIBRARIES 鐜鍙橀噺 setenv("LD_PRELOAD", frida_afl_preload, 1); setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1); @@ -708,22 +719,23 @@ static void set_up_environment(char **argv) { setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); } - + // 濡傛灉娌℃湁璁剧疆 AFL_PRELOAD锛屼絾澶勪簬 frida 妯″紡 } else if (frida_mode) { u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); setenv("LD_PRELOAD", frida_binary, 1); setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1); - ck_free(frida_binary); + // 閲婃斁 frida_binary 鐨勫唴瀛 + ck_free(frida_binary); } - + // 濡傛灉 frida_afl_preload 琚垎閰嶄簡锛岄噴鏀惧叾鍐呭瓨 if (frida_afl_preload) { ck_free(frida_afl_preload); } } /* Setup signal handlers, duh. */ - +//璁剧疆绋嬪簭鐨勪俊鍙峰鐞嗘満鍒讹紝閫氳繃璁剧疆 sa.sa_mask 鍜 sa.sa_flags锛岀‘淇濈▼搴忚涓虹鍚堥鏈熴 static void setup_signal_handlers(void) { struct sigaction sa; @@ -748,7 +760,7 @@ static void setup_signal_handlers(void) { } /* Display usage hints. */ - +//鐢ㄦ埛鎸囧紩鎵嬪唽 static void usage(u8 *argv0) { SAYF( 
@@ -812,33 +824,35 @@ int main(int argc, char **argv_orig, char **envp) { u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; char **use_argv; char **argv = argv_cpy_dup(argc, argv_orig); - + // 妫鏌ユ枃妗h矾寰勬槸鍚﹀瓨鍦紝濡傛灉涓嶅瓨鍦紝浣跨敤榛樿鐨勬枃妗h矾寰 doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; - + // 杈撳嚭绋嬪簭鐨勫熀鏈俊鎭 SAYF(cCYA "afl-analyze" VERSION cRST " by Michal Zalewski\n"); - + // 鍒濆鍖栨枃浠舵湇鍔 afl_fsrv_init(&fsrv); - + // 瑙f瀽鍛戒护琛屽弬鏁 while ((opt = getopt(argc, argv, "+i:f:m:t:eAOQUWXYh")) > 0) { switch (opt) { case 'i': - + // 妫鏌ユ槸鍚﹂噸澶嶆寚瀹 if (in_file) { FATAL("Multiple -i options not supported"); } in_file = optarg; break; case 'f': - + // 妫鏌ユ槸鍚﹂噸澶嶆寚瀹 if (fsrv.out_file) { FATAL("Multiple -f options not supported"); } + // 涓嶄娇鐢ㄦ爣鍑嗚緭鍏 fsrv.use_stdin = 0; fsrv.out_file = ck_strdup(optarg); break; - + // 浠呰竟缂樺垎鏋 case 'e': if (edges_only) { FATAL("Multiple -e options not supported"); } + // 鍚敤浠呰竟缂樺垎鏋 edges_only = 1; break; @@ -847,25 +861,26 @@ int main(int argc, char **argv_orig, char **envp) { u8 suffix = 'M'; if (mem_limit_given) { FATAL("Multiple -m options not supported"); } + // 璁剧疆鏍囧織琛ㄧず宸茬粰瀹氬唴瀛橀檺鍒 mem_limit_given = 1; - + // 妫鏌ュ弬鏁版湁鏁堟 if (!optarg) { FATAL("Wrong usage of -m"); } if (!strcmp(optarg, "none")) { - + // 濡傛灉鎸囧畾涓 none锛岃瀹氬唴瀛橀檺鍒朵负 0 mem_limit = 0; fsrv.mem_limit = 0; break; } - + // 璇诲彇鍐呭瓨闄愬埗鍊 if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || optarg[0] == '-') { FATAL("Bad syntax used for -m"); } - + // 鍒ゅ畾鍗曚綅骞惰浆鎹负瀛楄妭 switch (suffix) { case 'T': @@ -884,15 +899,15 @@ int main(int argc, char **argv_orig, char **envp) { FATAL("Unsupported suffix or bad syntax for -m"); } - + // 闃叉璁剧疆杩囦綆鐨勯檺鍒 if (mem_limit < 5) { FATAL("Dangerously low value of -m"); } if (sizeof(rlim_t) == 4 && mem_limit > 2000) { - + // 閽堝 32 浣嶇郴缁熺殑鑼冨洿妫鏌 FATAL("Value of -m out of range on 32-bit systems"); } - + // 璁剧疆鏂囦欢鏈嶅姟鐨勫唴瀛橀檺鍒 fsrv.mem_limit = mem_limit; } 
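Review bot: The comment above `afl_fsrv_init(&fsrv);` in hunk @@ -812 (`// 鍒濆鍖栨枃浠舵湇鍔`) appears to render the forkserver as a "file service", which misnames the central component of this tool; the declaration's own comment (`static afl_forkserver_t fsrv = {0}; /* The forkserver */`) gives the term to use. The same rendering recurs in hunks @@ -884 (`fsrv.mem_limit = mem_limit;`), @@ -999 (`fsrv.map_size = map_size;`) and @@ -1109 (`afl_fsrv_start` and `afl_fsrv_deinit`). Suggest `// Initialise the forkserver state.` here and matching wording at the other sites (decoding inferred; please confirm).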
@@ -999,27 +1014,30 @@ int main(int argc, char **argv_orig, char **envp) { } } - + // 妫鏌ユ槸鍚︽彁渚涗簡鏈夋晥鐨勮緭鍏ユ枃浠 if (optind == argc || !in_file) { usage(argv[0]); } - + // 鑾峰彇鏄犲皠澶у皬骞舵洿鏂版枃浠舵湇鍔$粨鏋 map_size = get_map_size(); fsrv.map_size = map_size; - + use_hex_offsets = !!get_afl_env("AFL_ANALYZE_HEX"); - + // 妫鏌ョ幆澧冨彉閲 check_environment_vars(envp); - + // 鍒濆鍖栧叡浜唴瀛樼粨鏋 sharedmem_t shm = {0}; /* initialize cmplog_mode */ + // 鍒濆鍖 cmplog_mode shm.cmplog_mode = 0; - + // 娉ㄥ唽閫鍑哄鐞嗗嚱鏁 atexit(at_exit_handler); + // 璁剧疆淇″彿澶勭悊鍑芥暟 setup_signal_handlers(); - + // 璁剧疆鐜 set_up_environment(argv); #ifdef __linux__ + // 鏍规嵁妯″紡鏌ユ壘鐩爣璺緞 if (!fsrv.nyx_mode) { fsrv.target_path = find_binary(argv[optind]); @@ -1033,11 +1051,13 @@ int main(int argc, char **argv_orig, char **envp) { #else fsrv.target_path = find_binary(argv[optind]); #endif - + // 鍒濆鍖栧叡浜唴瀛樺拰璺熻釜浣嶅浘 fsrv.trace_bits = afl_shm_init(&shm, map_size, 0); + // 妫娴嬪悗缁枃浠跺弬鏁 detect_file_args(argv + optind, fsrv.out_file, &use_stdin); + // 璁剧疆瓒呮椂淇″彿鐨勫鐞 signal(SIGALRM, kill_child); - + // 鏍规嵁鎵閫夋ā寮忓噯澶囧懡浠よ鍙傛暟 if (qemu_mode) { if (use_wine) { @@ -1063,14 +1083,16 @@ int main(int argc, char **argv_orig, char **envp) { fsrv.nyx_id = 0; u8 *libnyx_binary = find_afl_binary(argv[0], "libnyx.so"); + // 鍔犺浇鎻掍欢 fsrv.nyx_handlers = afl_load_libnyx_plugin(libnyx_binary); if (fsrv.nyx_handlers == NULL) { FATAL("failed to initialize libnyx.so..."); } - + // 浣跨敤涓存椂宸ヤ綔鐩綍 fsrv.nyx_use_tmp_workdir = true; + // 缁戝畾 CPU ID fsrv.nyx_bind_cpu_id = 0; use_argv = argv + optind; 
@@ -1081,27 +1103,28 @@ int main(int argc, char **argv_orig, char **envp) { use_argv = argv + optind; } - + // 杈撳嚭骞茶繍琛岀殑鐩稿叧淇℃伅 SAYF("\n"); if (getenv("AFL_FORKSRV_INIT_TMOUT")) { s32 forksrv_init_tmout = atoi(getenv("AFL_FORKSRV_INIT_TMOUT")); if (forksrv_init_tmout < 1) { - + // 妫鏌ュ垵濮嬪寲瓒呮椂閰嶇疆 FATAL("Bad value specified for AFL_FORKSRV_INIT_TMOUT"); } - + // 璁剧疆鍒濆鍖栬秴鏃 fsrv.init_tmout = (u32)forksrv_init_tmout; } - + // 閰嶇疆缁堟淇″彿 configure_afl_kill_signals( &fsrv, NULL, NULL, (fsrv.qemu_mode || unicorn_mode) ? SIGKILL : SIGTERM); - + // 璇诲彇鍒濆鏂囦欢 read_initial_file(); #ifdef __linux__ + // 妫鏌ヤ簩杩涘埗绛惧悕 if (!fsrv.nyx_mode) { (void)check_binary_signatures(fsrv.target_path); } #else (void)check_binary_signatures(fsrv.target_path); @@ -1109,29 +1132,33 @@ int main(int argc, char **argv_orig, char **envp) { ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", mem_limit, exec_tmout, edges_only ? ", edges only" : ""); - + // 鍚姩鏂囦欢鏈嶅姟 afl_fsrv_start(&fsrv, use_argv, &stop_soon, false); + // 鍒嗘瀽鐩爣 analyze_run_target(in_data, in_len, 1); if (fsrv.last_run_timed_out) { - + // 妫鏌ユ墽琛岃秴鏃 FATAL("Target binary times out (adjusting -t may help)."); } - + // 妫鏌ユ槸鍚﹁繘琛岃繃妫娴 if (get_afl_env("AFL_SKIP_BIN_CHECK") == NULL && !anything_set()) { FATAL("No instrumentation detected."); } - + // 璋冪敤鍒嗘瀽鍑芥暟锛堜富瑕佸姛鑳芥帴鍙 analyze(); OKF("We're done here. Have a nice day!\n"); - + // 閲婃斁鍏变韩鍐呭瓨 afl_shm_deinit(&shm); + // 閲婃斁鏂囦欢鏈嶅姟 afl_fsrv_deinit(&fsrv); + // 閲婃斁鐩爣璺緞 if (fsrv.target_path) { ck_free(fsrv.target_path); } + // 閲婃斁杈撳叆鏁版嵁 if (in_data) { ck_free(in_data); } exit(0);