"process dead" issue that is not occured by WinAFL or other Fuzzer

Question

"process dead" issue that is not occured by WinAFL or other Fuzzer

hyjun0407 opened this issue 10 months ago · 6 comments

Hello, I'm trying to use Jackalope, and I have a 'process death' issue that doesn't happen with winAFL or kAFL.
The fuzzer should be executed on the assumption that it is repeated and executed within the function fuzzme(), where Jackalope does not loop and the process 'dead'. It actually crash target process (WerFault.exe) and the target process dies.
What I suspect is that dlls that are targeting fuzzing will generate C++ exceptions (CPPEH), which JackAlpope does not seem to send to the original exception handler. I'm flustered that this problem hasn't happened with DynamicRIO or Host. What should I do in this case?

Answer 1 · 2024-02-04T09:09:34.000Z

I already Tried with:
-generate_unwind
-patch_return_addresses

Answer 2 · 2024-02-04T09:15:28.000Z

Of course, after the target process dies, the program is start again, but the program I'm targeting should be Loopable because the initial initial process takes too long.

Answer 3 · 2024-02-05T08:58:03.000Z

Hi, could you share the output you're getting from Jackalope?

Does the test program work correctly for you:
fuzzer.exe -in in -out out -t 1000 -delivery shmem -instrument_module test.exe -target_module test.exe -target_method fuzz -nargs 1 -iterations 10000 -persist -loop -cmp_coverage -- test.exe -m @@

Answer 4 · 2024-02-05T09:42:16.000Z

YES. I got everything ok with other things(original test.cpp) but, my harness's DLL make some Exception(C++ EH exception, in normal situation, it will be handle by program's handler) but It handle by Jackalope and Program died so I cant loop.
And I can't understand what do you mean for "output from jackalope"

Answer 5 · 2024-02-05T10:02:22.000Z

By "output from jackalope", I mean what Jackalope prints.
It's difficult to diagnose the issue without knowing more about your target, but if it was due to C++ exceptions, then -generate_unwind or patch_return_addresses should have fixed it. One other thing you can try is -stack_offset 1024.

Answer 6 · 2024-02-05T10:37:55.000Z

Jackalope doesn't export any error messages. But, EXEC/s is zero, and only runs(exec increase) once every 10 seconds. (I can infer that it runs once and the process dies because the time for the first initialization is about 10 seconds, and when I look at it in Process Explorer, it's actually dying.) I'll try additional solutions and let you know the results right away.