"process dead" issue that is not occured by WinAFL or other Fuzzer

[hyjun0407]

Hello, I'm trying to use Jackalope, and I have a 'process death' issue that doesn't happen with winAFL or kAFL.
The fuzzer should be executed on the assumption that it is repeated and executed within the function fuzzme(), where Jackalope does not loop and the process 'dead'. It actually crash target process (WerFault.exe) and the target process dies.
What I suspect is that dlls that are targeting fuzzing will generate C++ exceptions (CPPEH), which JackAlpope does not seem to send to the original exception handler. I'm flustered that this problem hasn't happened with DynamicRIO or Host. What should I do in this case?

[hyjun0407]

I already Tried with:
-generate_unwind
-patch_return_addresses

[hyjun0407]

Of course, after the target process dies, the program is start again, but the program I'm targeting should be Loopable because the initial initial process takes too long.

[ifratric]

Hi, could you share the output you're getting from Jackalope?

Does the test program work correctly for you:
fuzzer.exe -in in -out out -t 1000 -delivery shmem -instrument_module test.exe -target_module test.exe -target_method fuzz -nargs 1 -iterations 10000 -persist -loop -cmp_coverage -- test.exe -m @@

[hyjun0407]

YES. I got everything ok with other things(original test.cpp) but, my harness's DLL make some Exception(C++ EH exception, in normal situation, it will be handle by program's handler) but It handle by Jackalope and Program died so I cant loop.
And I can't understand what do you mean for "output from jackalope"

[ifratric]

By "output from jackalope", I mean what Jackalope prints.
It's difficult to diagnose the issue without knowing more about your target, but if it was due to C++ exceptions, then -generate_unwind or patch_return_addresses should have fixed it. One other thing you can try is -stack_offset 1024.

[hyjun0407]

Jackalope doesn't export any error messages. But, EXEC/s is zero, and only runs(exec increase) once every 10 seconds. (I can infer that it runs once and the process dies because the time for the first initialization is about 10 seconds, and when I look at it in Process Explorer, it's actually dying.) I'll try additional solutions and let you know the results right away.

[p0w1]

@hyjun0407 did you resolve it?

@ifratric When using .\fuzzer.exe -generate_unwind -trace_debug_events -iterations 1000 -persist -loop ... I get the same:

End of Fuzzing method <-- printf of the harness before the fuzz-method exits
Debugger: Exception c0000005 at address 0000000000000F22
Debugger: Persistence method ended
Debugger: Process exit
Debugger: Process created or attached

Most of the time it restarts after 1 execution, sometimes some more

[ifratric]

One thing that might help debugging issues like this is running litecov.exe (from TinyInst) with the same flags and some input file and see what kind of output you get.

[p0w1]

The reason was clean_target_on_coverage . The target took ~10seconds for the initialization most inputs triggered new coverage.
Using -clean_target_on_coverage 0 fixed it.