DynamoRIO possible incompatibility

[MakotoE]

I tried to compile winafl, but it failed, and I think it is due to incompatibility with DynamoRIO.

PS C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64> cmake -G"Visual Studio 17 2022" -A x64 .. -DDynamoRIO_DIR=C:\Users\MakotoEmura\Documents\fuzz-test\DynamoRIO-Windows-11.90.20395\cmake -DUSE_COLOR=1
CMake Deprecation Warning at CMakeLists.txt:1 (cmake_minimum_required):
  Compatibility with CMake < 3.5 will be removed from a future version of
  CMake.

  Update the VERSION argument <min> value or use a ...<max> suffix to tell
  CMake that the project does not need compatibility with older versions.


-- Selecting Windows SDK version 10.0.26100.0 to target Windows 6.2.9200.
-- The C compiler identification is MSVC 19.44.35220.0
-- The CXX compiler identification is MSVC 19.44.35220.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: C:/Program Files/Microsoft Visual Studio/2022/Community/VC/Tools/MSVC/14.44.35207/bin/Hostx64/x64/cl.exe - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: C:/Program Files/Microsoft Visual Studio/2022/Community/VC/Tools/MSVC/14.44.35207/bin/Hostx64/x64/cl.exe - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done (3.5s)
-- Generating done (0.0s)
-- Build files have been written to: C:/Users/MakotoEmura/Documents/fuzz-test/winafl/build64

PS C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64> cmake --build . --config Release
MSBuild version 17.14.23+b0019275e for .NET Framework

  1>Checking Build System
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  afl-analyze.c
  afl-analyze.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\afl-analyze.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  afl-fuzz.c
  afl-fuzz.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\afl-fuzz.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  afl-showmap.c
  afl-showmap.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\afl-showmap.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  afl-tmin.c
C:\Users\MakotoEmura\Documents\fuzz-test\winafl\afl-tmin.c(493,23): warning C4090: '=': different 'const' qualifiers [C
:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\afl-tmin.vcxproj]
  afl-tmin.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\afl-tmin.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  custom_net_fuzzer.c
     Creating library C:/Users/MakotoEmura/Documents/fuzz-test/winafl/build64/Release/custom_net_fuzzer.lib and object
  C:/Users/MakotoEmura/Documents/fuzz-test/winafl/build64/Release/custom_net_fuzzer.exp
  custom_net_fuzzer.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\custom_net_fuzzer.dl
  l
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  custom_winafl_server.c
     Creating library C:/Users/MakotoEmura/Documents/fuzz-test/winafl/build64/Release/custom_winafl_server.lib and obje
  ct C:/Users/MakotoEmura/Documents/fuzz-test/winafl/build64/Release/custom_winafl_server.exp
  custom_winafl_server.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\custom_winafl_ser
  ver.dll
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  test.cpp
  test.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\test.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  gdiplus.cpp
  test_gdiplus.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\test_gdiplus.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  test_netmode.cpp
  test_netmode.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\test_netmode.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  test_simple_winsock_client.cpp
  test_servermode.vcxproj -> C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\test_servermode.exe
  Building Custom Rule C:/Users/MakotoEmura/Documents/fuzz-test/winafl/CMakeLists.txt
  winafl.c
C:\Users\MakotoEmura\Documents\fuzz-test\winafl\winafl.c(641,21): warning C4311: 'type cast': pointer truncation from '
void *' to 'DWORD' [C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\winafl.vcxproj]
C:\Users\MakotoEmura\Documents\fuzz-test\winafl\winafl.c(642,18): warning C4312: 'type cast': conversion from 'DWORD' t
o 'void *' of greater size [C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\winafl.vcxproj]
C:\Users\MakotoEmura\Documents\fuzz-test\winafl\winafl.c(648,21): warning C4311: 'type cast': pointer truncation from '
void *' to 'DWORD' [C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\winafl.vcxproj]
C:\Users\MakotoEmura\Documents\fuzz-test\winafl\winafl.c(1000,5): warning C4013: 'DO_NOT_USE_exit_event_USE_drmgr_event
s_instead' undefined; assuming extern returning int [C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\winafl.vcx
proj]
  modules.c
  Generating Code...
     Creating library C:/Users/MakotoEmura/Documents/fuzz-test/winafl/build64/Release/winafl.lib and object C:/Users/Ma
  kotoEmura/Documents/fuzz-test/winafl/build64/Release/winafl.exp
winafl.obj : error LNK2019: unresolved external symbol DO_NOT_USE_exit_event_USE_drmgr_events_instead referenced in fun
ction dr_client_main [C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\winafl.vcxproj]
C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\winafl.dll : fatal error LNK1120: 1 unresolved exte
rnals [C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\winafl.vcxproj]

Here is where DO_NOT_USE_exit_event_USE_drmgr_events_instead is defined. Without knowing how exactly their source code works, my best guess is that dr_unregister_exit_event has been deprecated and it can't be used.

winafl commit: 92311a1df0a8f73d5e5b84a9f3953f281bf4c641
DynamoRIO version: 11.90.20395

Here is winafl.c(1000)

[ifratric]

Does it work if you replace dr_register_exit_event with drmgr_register_exit_event here: https://github.com/googleprojectzero/winafl/blob/master/winafl.c#L1000

[MakotoE]

Thank you, this replacement fixed the compilation issue. I was able to run drrun.exe -debug with no issue. (Outputs Everything appears to be running normally.) However, doing the following results in an error:

. "C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\afl-fuzz.exe" `
	-i input `
	-o output `
	-t 1000 `
	-D "C:\Users\MakotoEmura\Documents\fuzz-test\DynamoRIO-Windows-11.90.20418\bin64" `
	-w "C:\Users\MakotoEmura\Documents\fuzz-test\winafl\build64\bin\Release\winafl.dll" `
	-M fuzz00 `
	-- `
	-target_module eesimdFuzz.exe `
	-target_method Fuzz `
	-nargs 1 `
	-coverage_module eesimdFuzz.exe `
	-fuzz_iterations 1000000 `
	-- '..\x64\Release\eesimdFuzz.exe' `@`@

[+] You have 32 CPU cores with average utilization of 3%.
[+] Try parallel jobs - see afl_docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[+] Process affinity is set to 1.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'input'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Attempting dry run with 'id_000000'...

[-] PROGRAM ABORT : Unexpected result from pipe! expected 'P', instead received 'C'

         Location : run_target(), C:\Users\MakotoEmura\Documents\fuzz-test\winafl\afl-fuzz.c:2920

I'm not sure it this is related to the original issue. I wanted to put that here just in case it is related.

[ifratric]

You are most likely encountering a know issue with DynamoRIO instrumentation on Windows 11 after 24H2, see DynamoRIO/dynamorio#7487. Unfortunately little can be done on the WinAFL end until either the DynamoRIO issue is fixed or another workaround is found.

In the meantime, you can use TinyInst instrumentation instead, see https://github.com/googleprojectzero/winafl/blob/master/readme_tinyinst.md for more info. It should work on Windows 11. Note that some flags are slightly different than in DynamoRIO mode.

[4B5F5F4B]

You can try this fix DynamoRIO/dynamorio@7241a60 from @x9090 , I've tested it, it works on my enviroment.