AFL (American fuzzy lop) build_qemu tutorial. [Error: 'libtool' 'automake' 'bison' 'glib2' 'Ninja']

Because the QEMU version used by build_qemu_support.sh in AFL is very old and the installation runs into many problems, another blogger's build_qemu.sh is used instead. The installation environment is Ubuntu 18.04; whether it works on other system versions is unknown.

1. build_qemu.sh

#!/bin/sh
# The version can be changed here as needed
VERSION="6.1.1"
QEMU_URL="http://download.qemu-project.org/qemu-${VERSION}.tar.xz"
# I couldn't figure out this checksum, so it is commented out further down
QEMU_SHA384="68216c935487bc8c0596ac309e1e3ee75c2c4ce898aab796faa321db5740609ced365fedda025678d072d09ac8928105"

echo "================================================="
echo "AFL binary-only instrumentation QEMU build script"
echo "================================================="
echo

echo "[*] Performing basic sanity checks..."

if [ ! "`uname -s`" = "Linux" ]; then

  echo "[-] Error: QEMU instrumentation is supported only on Linux."
  exit 1

fi

if [ ! -f "patches/afl-qemu-cpu-inl.h" -o ! -f "../config.h" ]; then

  echo "[-] Error: key files not found - wrong working directory?"
  exit 1

fi

if [ ! -f "../afl-showmap" ]; then

  echo "[-] Error: ../afl-showmap not found - compile AFL first!"
  exit 1

fi


for i in libtool wget python automake autoconf sha384sum bison iconv; do

  T=`which "$i" 2>/dev/null`

  if [ "$T" = "" ]; then

    echo "[-] Error: '$i' not found, please install first."
    exit 1

  fi

done

if [ ! -d "/usr/include/glib-2.0/" -a ! -d "/usr/local/include/glib-2.0/" ]; then

  echo "[-] Error: devel version of 'glib2' not found, please install first."
  exit 1

fi

if echo "$CC" | grep -qF /afl-; then

  echo "[-] Error: do not use afl-gcc or afl-clang to compile this tool."
  exit 1

fi

echo "[+] All checks passed!"

ARCHIVE="`basename -- "$QEMU_URL"`"

CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1`

#if [ ! "$CKSUM" = "$QEMU_SHA384" ]; then

# Just download normally, without verifying the checksum
echo "[*] Downloading QEMU ${VERSION} from the web..."
rm -f "$ARCHIVE"
wget -O "$ARCHIVE" -- "$QEMU_URL" || exit 1

#  CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1`

#fi

#if [ "$CKSUM" = "$QEMU_SHA384" ]; then

#  echo "[+] Cryptographic signature on $ARCHIVE checks out."

#else

#  echo "[-] Error: signature mismatch on $ARCHIVE (perhaps download error?)."
#  exit 1

#fi

echo "[*] Uncompressing archive (this will take a while)..."
# Extract the archive
rm -rf "qemu-${VERSION}" || exit 1
tar xf "$ARCHIVE" || exit 1

echo "[+] Unpacking successful."


echo "[*] Configuring QEMU for $CPU_TARGET..."

ORIG_CPU_TARGET="$CPU_TARGET"

test "$CPU_TARGET" = "" && CPU_TARGET="`uname -m`"
test "$CPU_TARGET" = "i686" && CPU_TARGET="i386"

cd qemu-$VERSION || exit 1

# The original 2.10.0 version needed patches and still produced errors; with 6.1.1 they are not needed
echo "[*] Applying patches..."
echo "[*] QEMU ${VERSION} don't need patches"

#patch -p1 <../patches/elfload.diff || exit 1
#patch -p1 <../patches/cpu-exec.diff || exit 1
#patch -p1 <../patches/syscall.diff || exit 1
#patch -p1 <../patches/configure.diff || exit 1
#patch -p1 <../patches/memfd.diff || exit 1

echo "[+] Patching done."

# --enable-pie seems to give a couple of exec's a second performance
# improvement, much to my surprise. Not sure how universal this is..

# Configure; the target is set automatically to the current Linux host CPU, e.g. x86_64
CFLAGS="-O3 -ggdb" ./configure --disable-system \
  --enable-linux-user --disable-gtk --disable-sdl --disable-vnc \
  --target-list="${CPU_TARGET}-linux-user" --enable-pie --enable-kvm || exit 1

echo "[+] Configuration complete."

echo "[*] Attempting to build QEMU (fingers crossed!)..."
# Compile
make || exit 1

echo "[+] Build process successful!"

echo "[*] Copying binary..."
# The path here is a bit odd
# In short, qemu-x86_64 from qemu_mode/qemu-6.1.1/build/x86_64-linux-user has to be placed in the afl directory
# In practice this still failed for me, so I simply copied it into the bin directory by hand
cp -f "./build/${CPU_TARGET}-linux-user/qemu-${CPU_TARGET}" "../../afl-qemu-trace" || exit 1

cd ..
ls -l ../afl-qemu-trace || exit 1

echo "[+] Successfully created '../afl-qemu-trace'."

if [ "$ORIG_CPU_TARGET" = "" ]; then

  echo "[*] Testing the build..."

  cd ..

  make >/dev/null || exit 1
  
  # Compiling with gcc gives a "No instrumentation detected" error; since this is only a test, afl-gcc is used instead
  # Not sure whether this causes any problems
  #gcc test-instr.c -o test-instr || exit 1
  afl-gcc test-instr.c -o test-instr || exit 1

  unset AFL_INST_RATIO

  # We shouldn't need the /dev/null hack because program isn't compiled with any
  # optimizations.
  # It is advisable to drop -q (quiet mode) here, otherwise there is no output at all and it looks as if nothing is running
  echo 0 | ./afl-showmap -m none -Q -q -o .test-instr0 ./test-instr || exit 1
  echo 1 | ./afl-showmap -m none -Q -q -o .test-instr1 ./test-instr || exit 1

  rm -f test-instr

  # The same goes for -s here: with it added, no error message is shown
  cmp -s .test-instr0 .test-instr1
  DR="$?"

  rm -f .test-instr0 .test-instr1

  if [ "$DR" = "0" ]; then

    echo "[-] Error: afl-qemu-trace instrumentation doesn't seem to work!"
    exit 1

  fi

  echo "[+] Instrumentation tests passed. "
  echo "[+] All set, you can now use the -Q mode in afl-fuzz!"

else

  echo "[!] Note: can't test instrumentation when CPU_TARGET set."
  echo "[+] All set, you can now (hopefully) use the -Q mode in afl-fuzz!"

fi
exit 0
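The script above comments out the SHA-384 check on the downloaded tarball, which removes the only check that the QEMU source was not corrupted or swapped in transit. The helper below is an added example, not part of the original build_qemu.sh; it restores that check using the QEMU_URL and QEMU_SHA384 variables the script already defines, and can replace the commented-out block. Note that a checksum fetched from the same site as the tarball catches a bad download, not a compromised mirror.

```shell
#!/bin/sh
# Added example (not part of the original build_qemu.sh): restore the
# SHA-384 check on the QEMU tarball that the script above comments out.

# Print the SHA-384 hex digest of a file, or nothing if it cannot be read.
archive_sha384() {
  sha384sum -- "$1" 2>/dev/null | cut -d' ' -f1
}

# Succeed only when FILE ($1) exists and its digest equals EXPECTED ($2).
verify_archive() {
  ACTUAL="$(archive_sha384 "$1")"
  if [ -n "$ACTUAL" ] && [ "$ACTUAL" = "$2" ]; then
    return 0
  fi
  return 1
}

# Mirror the logic the script disabled: download when the local copy is
# missing or does not verify, then refuse to continue on a mismatch.
fetch_and_verify() {
  URL="$1"
  EXPECTED="$2"
  ARCHIVE="$(basename -- "$URL")"
  if ! verify_archive "$ARCHIVE" "$EXPECTED"; then
    echo "[*] Downloading $ARCHIVE..."
    rm -f -- "$ARCHIVE"
    wget -O "$ARCHIVE" -- "$URL" || return 1
  fi
  if verify_archive "$ARCHIVE" "$EXPECTED"; then
    echo "[+] SHA-384 of $ARCHIVE checks out."
    return 0
  fi
  echo "[-] Error: SHA-384 mismatch on $ARCHIVE (download error or tampering?)."
  rm -f -- "$ARCHIVE"    # do not leave a bad archive behind for the next run
  return 1
}

# Usage with the variables from build_qemu.sh:
#   fetch_and_verify "$QEMU_URL" "$QEMU_SHA384" || exit 1
```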

2. Add the afl-gcc execution path to the environment variable

Line 183 of build_qemu.sh, afl-gcc test-instr.c -o test-instr || exit 1, originally used gcc and has been changed to afl-gcc. If afl-gcc is not added to the environment variable, build_qemu may fail.

sudo vim /etc/environment

Add the path of afl-gcc, paying attention to the separator:

To make it take effect: restart the system

3. Build qemu troubleshooting.

3.1 libtool Error
AFL binary-only instrumentation QEMU build script
[*] Performing basic sanity checks...
[-] Error: 'libtool' not found, please install first.

sudo apt-get install libtool libtool-bin

3.2 automake Error
AFL binary-only instrumentation QEMU build script
[*] Performing basic sanity checks...
[-] Error: 'automake' not found, please install first.

sudo apt-get install automake 

3.3 bison Error
AFL binary-only instrumentation QEMU build script
[*] Performing basic sanity checks...
[-] Error: 'bison' not found, please install first.

sudo apt-get install bison 

3.4 glib2 Error
AFL binary-only instrumentation QEMU build script
[*] Performing basic sanity checks...
[-] Error: devel version of 'glib2' not found, please install first.

sudo apt-get install libglib2.0-dev

3.5 Ninja Error
ERROR: Cannot find Ninja

sudo apt-get install ninja-build

3.6 The instrumentation test fails because the 64-bit afl-qemu-trace tool is being used to test a 32-bit program; specify the 32-bit architecture with the following command:

[+] Successfully created '../afl-qemu-trace'.
[*] Testing the build...
[-] Error: afl-qemu-trace instrumentation doesn't seem to work!

Specify a 32-bit CPU architecture and rebuild

sudo CPU_TARGET=i386 ./build_qemu.sh
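The error in 3.6 is an architecture mismatch: afl-showmap runs test-instr under afl-qemu-trace, and a 64-bit emulator cannot execute a 32-bit program, so the two coverage maps come out identical and the test reports broken instrumentation. The helper below is an added example, not part of the original post; it reads the ELF class byte of both binaries and reports the mismatch before the test runs. The file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): spot the 32-bit versus
# 64-bit mismatch behind the "instrumentation doesn't seem to work!" error
# in section 3.6 before afl-showmap runs.

# Print 32, 64 or unknown for the ELF class of a file. The first four bytes
# must be the ELF magic (7f 45 4c 46); byte 4 (EI_CLASS) is 1 for
# ELFCLASS32 and 2 for ELFCLASS64.
elf_class() {
  MAGIC="$(od -An -t x1 -N 4 -- "$1" 2>/dev/null | tr -d ' \n')"
  if [ "$MAGIC" != "7f454c46" ]; then
    echo unknown
    return 0
  fi
  case "$(od -An -t u1 -j 4 -N 1 -- "$1" 2>/dev/null | tr -d ' \n')" in
    1) echo 32 ;;
    2) echo 64 ;;
    *) echo unknown ;;
  esac
}

# Succeed when the emulator ($1) and the program it must run ($2) have the
# same ELF class; otherwise print the fix from section 3.6 and fail.
check_target_match() {
  TRACE_CLASS="$(elf_class "$1")"
  PROG_CLASS="$(elf_class "$2")"
  if [ "$TRACE_CLASS" != unknown ] && [ "$TRACE_CLASS" = "$PROG_CLASS" ]; then
    echo "[+] $1 (${TRACE_CLASS}-bit) can run $2 (${PROG_CLASS}-bit)."
    return 0
  fi
  echo "[-] $1 is ${TRACE_CLASS}-bit but $2 is ${PROG_CLASS}-bit."
  if [ "$PROG_CLASS" = 32 ]; then
    echo "    Rebuild a 32-bit emulator with: CPU_TARGET=i386 ./build_qemu.sh"
  fi
  return 1
}

# Usage (assumed paths), from the afl directory after build_qemu.sh copied the binary:
#   check_target_match ./afl-qemu-trace ./test-instr || exit 1
```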

4. build qemu success

[+] Successfully created '../afl-qemu-trace'.
[!] Note: can't test instrumentation when CPU_TARGET set.
[+] All set, you can now (hopefully) use the -Q mode in afl-fuzz!

Congratulations!!

5. References
1. https://blog.csdn.net/qq_40796848/article/details/125616352
2. https://www.gandalf.site/2019/01/aflafl-qemufuzz.html#:~:text=%5B-%5D%20Error%3A%20afl-qemu-trace%20instrumentation%20doesn%27t%20seem,to%20work%21%20%E5%BA%94%E8%AF%A5%E6%98%AF%E7%94%A864%E4%BD%8D%20afl-qemu-trace%20%E5%B7%A5%E5%85%B7%E6%B5%8B%E8%AF%9532%E4%BD%8D%E7%A8%8B%E5%BA%8F%E5%BC%95%E8%B5%B7%E7%9A%84%EF%BC%8C%E5%BF%BD%E7%95%A5%E5%8D%B3%E5%8F%AF%EF%BC%8C%E6%88%96%E8%80%85%E9%80%9A%E8%BF%87%E5%A6%82%E4%B8%8B%E6%8C%87%E4%BB%A4%E6%8C%87%E5%AE%9A32%E4%BD%8D%E6%9E%B6%E6%9E%84%EF%BC%9A%20%24%20CPU_TARGET%3Di386.%2Fbuild_qemu_support.sh

Origin blog.csdn.net/qq_38393271/article/details/128852434