AFL自带安装脚本build_qemu_support.sh修改至新版本qemu

最新推荐文章于 2024-01-28 22:28:00 发布

qq_40796848

最新推荐文章于 2024-01-28 22:28:00 发布

阅读量1.2k

点赞数 5

文章标签： linux 服务器

本文链接：https://blog.csdn.net/qq_40796848/article/details/125616352

版权

AFL依赖QEMU实现了无源码的fuzzing功能，在其qemu_mode目录下自带了安装脚本build_qemu_support.sh，但是这个脚本版本极老，完全无法正常使用

我进行了自定义的修改，目前是能正常配置安装qemu，版本是6.1.1（原本是2.10.0，-_-||）
代码如下，有错误的话检查下注释的地方

#!/bin/sh
# 这里版本可以自行修改
VERSION="6.1.1"
QEMU_URL="http://download.qemu-project.org/qemu-${VERSION}.tar.xz"
# 这个校验搞不懂，后面注释掉了
QEMU_SHA384="68216c935487bc8c0596ac309e1e3ee75c2c4ce898aab796faa321db5740609ced365fedda025678d072d09ac8928105"

echo "================================================="
echo "AFL binary-only instrumentation QEMU build script"
echo "================================================="
echo

echo "[*] Performing basic sanity checks..."

if [ ! "`uname -s`" = "Linux" ]; then

  echo "[-] Error: QEMU instrumentation is supported only on Linux."
  exit 1

fi

if [ ! -f "patches/afl-qemu-cpu-inl.h" -o ! -f "../config.h" ]; then

  echo "[-] Error: key files not found - wrong working directory?"
  exit 1

fi

if [ ! -f "../afl-showmap" ]; then

  echo "[-] Error: ../afl-showmap not found - compile AFL first!"
  exit 1

fi


for i in libtool wget python automake autoconf sha384sum bison iconv; do

  T=`which "$i" 2>/dev/null`

  if [ "$T" = "" ]; then

    echo "[-] Error: '$i' not found, please install first."
    exit 1

  fi

done

if [ ! -d "/usr/include/glib-2.0/" -a ! -d "/usr/local/include/glib-2.0/" ]; then

  echo "[-] Error: devel version of 'glib2' not found, please install first."
  exit 1

fi

if echo "$CC" | grep -qF /afl-; then

  echo "[-] Error: do not use afl-gcc or afl-clang to compile this tool."
  exit 1

fi

echo "[+] All checks passed!"

ARCHIVE="`basename -- "$QEMU_URL"`"

CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1`

#if [ ! "$CKSUM" = "$QEMU_SHA384" ]; then

# 正常下载就行了，不做校验
echo "[*] Downloading QEMU ${VERSION} from the web..."
rm -f "$ARCHIVE"
wget -O "$ARCHIVE" -- "$QEMU_URL" || exit 1

#  CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1`

#fi

#if [ "$CKSUM" = "$QEMU_SHA384" ]; then

#  echo "[+] Cryptographic signature on $ARCHIVE checks out."

#else

#  echo "[-] Error: signature mismatch on $ARCHIVE (perhaps download error?)."
#  exit 1

#fi

echo "[*] Uncompressing archive (this will take a while)..."
# 解压
rm -rf "qemu-${VERSION}" || exit 1
tar xf "$ARCHIVE" || exit 1

echo "[+] Unpacking successful."


echo "[*] Configuring QEMU for $CPU_TARGET..."

ORIG_CPU_TARGET="$CPU_TARGET"

test "$CPU_TARGET" = "" && CPU_TARGET="`uname -m`"
test "$CPU_TARGET" = "i686" && CPU_TARGET="i386"

cd qemu-$VERSION || exit 1

# 原本2.10.0版本安装是需要补丁的，而且还会有错误，这里用6.1.1就不需要了
echo "[*] Applying patches..."
echo "[*] QEMU ${VERSION} don't need patches"

#patch -p1 <../patches/elfload.diff || exit 1
#patch -p1 <../patches/cpu-exec.diff || exit 1
#patch -p1 <../patches/syscall.diff || exit 1
#patch -p1 <../patches/configure.diff || exit 1
#patch -p1 <../patches/memfd.diff || exit 1

echo "[+] Patching done."

# --enable-pie seems to give a couple of exec's a second performance
# improvement, much to my surprise. Not sure how universal this is..

# 配置，自动设置成当前linux用户的CPU，如x86_64
CFLAGS="-O3 -ggdb" ./configure --disable-system \
  --enable-linux-user --disable-gtk --disable-sdl --disable-vnc \
  --target-list="${CPU_TARGET}-linux-user" --enable-pie --enable-kvm || exit 1

echo "[+] Configuration complete."

echo "[*] Attempting to build QEMU (fingers crossed!)..."
# 编译
make || exit 1

echo "[+] Build process successful!"

echo "[*] Copying binary..."
# 这里的路径有点奇怪
# 总之就是要把qemu_mode/qemu-6.1.1/build/x86_64-linux-user下的qemu-x86_64放到afl目录下
# 但实际我这里还是报错，所以干脆手动放到bin目录下了
cp -f "./build/${CPU_TARGET}-linux-user/qemu-${CPU_TARGET}" "../../afl-qemu-trace" || exit 1

cd ..
ls -l ../afl-qemu-trace || exit 1

echo "[+] Successfully created '../afl-qemu-trace'."

if [ "$ORIG_CPU_TARGET" = "" ]; then

  echo "[*] Testing the build..."

  cd ..

  make >/dev/null || exit 1
  
  # 用gcc编译会出现No instrumentation detected错误，只是测试的话干脆就用afl-gcc了
  # 不知道这样做有没有问题
  #gcc test-instr.c -o test-instr || exit 1
  afl-gcc test-instr.c -o test-instr || exit 1

  unset AFL_INST_RATIO

  # We shouldn't need the /dev/null hack because program isn't compiled with any
  # optimizations.
  # 这里建议去掉-q（静默模式），不然一点提示都没有让人以为没在运行
  echo 0 | ./afl-showmap -m none -Q -q -o .test-instr0 ./test-instr || exit 1
  echo 1 | ./afl-showmap -m none -Q -q -o .test-instr1 ./test-instr || exit 1

  rm -f test-instr

  # 这里的-s也是，添加后不显示错误信息了
  cmp -s .test-instr0 .test-instr1
  DR="$?"

  rm -f .test-instr0 .test-instr1

  if [ "$DR" = "0" ]; then

    echo "[-] Error: afl-qemu-trace instrumentation doesn't seem to work!"
    exit 1

  fi

  echo "[+] Instrumentation tests passed. "
  echo "[+] All set, you can now use the -Q mode in afl-fuzz!"

else

  echo "[!] Note: can't test instrumentation when CPU_TARGET set."
  echo "[+] All set, you can now (hopefully) use the -Q mode in afl-fuzz!"

fi

exit 0