
Current commit of winafl searches for the wrong method name when searching binary when specified with -target_method #456

Open
personnumber3377 opened this issue Jan 18, 2025 · 0 comments


personnumber3377 commented Jan 18, 2025

Hi!

When running winafl commit 5b7d718 and using the -target_method command line argument, winafl erroneously searches for to_wrap instead of the specified method on the command line.

Here is my harness:

#define _CRT_SECURE_NO_WARNINGS // Just shut up compiler warnings

#include <stdio.h>
#include <windows.h>
#include <objidl.h>   // IStream and friends, required by gdiplus.h
#include <gdiplus.h>
#pragma comment(lib, "gdiplus.lib") // link GDI+ without touching project settings

using namespace Gdiplus;

// Convert the narrow argv string to the wide string GDI+ expects.
wchar_t* charToWChar(const char* text)
{
	size_t size = strlen(text) + 1;
	wchar_t* wa = new wchar_t[size];
	mbstowcs(wa, text, size);
	return wa;
}

// Target method passed to -target_method: load the input image and ask GDI+
// for a thumbnail. noinline keeps it a real function so winafl can hook it.
__declspec(noinline) void loop(wchar_t* filename) {
	// Main persistent loop here
	Image* image = NULL;
	Image* thumbnail = NULL;

	image = new Image(filename);
	if (image && (Ok == image->GetLastStatus())) {
		//printf("Image loaded\n");
		thumbnail = image->GetThumbnailImage(100, 100, NULL, NULL);
		/*
		if(thumbnail && (Ok == thumbnail->GetLastStatus())) {
			//printf("Thumbnail created\n");
		}
		*/
	}

	//printf("Done\n");

	if (image) delete image;
	if (thumbnail) delete thumbnail;
}

int main(int argc, char** argv)
{
	if (argc < 2) {
		printf("Usage: %s <image file>\n", argv[0]);
		return 0;
	}

	GdiplusStartupInput gdiplusStartupInput;
	ULONG_PTR gdiplusToken;
	GdiplusStartup(&gdiplusToken, &gdiplusStartupInput, NULL);

	wchar_t* fname = charToWChar(argv[1]);

	while (true) {
		loop(fname); // Just call the target method in a loop. This is to use the persistent mode of winafl.
	}

	// Never reached while the persistent loop above runs forever.
	GdiplusShutdown(gdiplusToken);

	return 0;
}

and here is my command line for fuzzing:

C:\Users\elsku\winafl\winafl\build\bin\Release\afl-fuzz.exe -i c:\Users\elsku\inputs -o c:\Users\elsku\outputs2 -D C:\Users\elsku\dynamorio2\DynamoRIO-Windows-11.3.0-1\bin64 -I 40000   -t 40000 -f input.emf -- -coverage_module gdiplus.dll -fuzz_iterations 1000 -persistence_mode in_app -target_module gdiplusharness.exe -verbose 100 -target_method loop -nargs 1 -- "C:\Users\elsku\source\repos\gdiplusharness\x64\Release\gdiplusharness.exe" "@@"

Here is the error box displayed by the program when I try to run it.

So the culprit seems to be in the way the program tries to find the symbol:

} else {
    //first try exported symbols
    to_wrap = (app_pc)dr_get_proc_address(info->handle, options.fuzz_method);
    if(!to_wrap) {
        //if that fails, try with the symbol access library
#ifdef USE_DRSYMS
        drsym_init(0);
        drsym_lookup_symbol(info->full_path, options.fuzz_method, (size_t *)(&to_wrap), 0);
        drsym_exit();
#endif
        DR_ASSERT_MSG(to_wrap, "Can't find specified method in target_module");
        to_wrap += (size_t)info->start;
    }
}

I have verified that the loop function actually exists in the resulting binary with Ghidra.
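As an added example (not the reporter's harness and not winafl's code), the block below models in plain C the two-stage lookup quoted above: a stand-in for dr_get_proc_address over an export table, a stand-in for drsym_lookup_symbol over a debug-symbol table, and an assertion macro patterned on DynamoRIO's DR_ASSERT_MSG which, like the real macro, writes the stringified condition (`#x`, here the text `to_wrap`) into the message rather than the method name that was searched for. The symbol tables, pseudo-addresses, the decorated name `?loop@@YAXPEA_W@Z` (the MSVC-style decoration a C++ `void loop(wchar_t*)` would get) and the exact assertion wording are constructed assumptions, not values read from any real binary or from dr_defines.h.

```c
/*
 * Added example (not winafl code): a model of winafl's two-stage target-method
 * lookup, with an assertion macro patterned on DynamoRIO's DR_ASSERT_MSG.
 * Symbol tables are constructed inline; no real binary is parsed.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A table of symbol names standing in for an export directory or a PDB. */
typedef struct {
    const char **names;
    size_t count;
} symtab_t;

/* Stage 1 stand-in for dr_get_proc_address(): exact match against exported
 * names. Returns an absolute pseudo-address on success, 0 on failure. */
static size_t lookup_export(const symtab_t *exports, const char *name,
                            size_t module_start) {
    for (size_t i = 0; i < exports->count; i++)
        if (strcmp(exports->names[i], name) == 0)
            return module_start + 0x1000 + i;
    return 0;
}

/* Stage 2 stand-in for drsym_lookup_symbol(): debug-info lookup by undecorated
 * name. Returns a module-relative offset, 0 on failure. */
static size_t lookup_debug_symbol(const symtab_t *pdb, const char *name) {
    for (size_t i = 0; i < pdb->count; i++)
        if (strcmp(pdb->names[i], name) == 0)
            return 0x2000 + i;
    return 0;
}

/* Assertion patterned on DR_ASSERT_MSG: the stringified condition (#x) goes
 * into the message, so a failed lookup reports the variable name "to_wrap",
 * not the method that was searched for. Exact DynamoRIO wording is assumed. */
#define MODEL_ASSERT_MSG(x, msg, out, outlen)                                  \
    do {                                                                       \
        if (!(x))                                                              \
            snprintf((out), (outlen), "ASSERT FAILURE: %s:%d: %s (%s)",        \
                     __FILE__, __LINE__, #x, (msg));                           \
    } while (0)

/* Mirrors the control flow quoted from winafl: exports first, then debug
 * symbols, then assert. Returns the resolved pseudo-address and leaves errbuf
 * empty on success; returns 0 and fills errbuf on failure. */
size_t resolve_target_method(const symtab_t *exports, const symtab_t *pdb,
                             const char *fuzz_method, size_t module_start,
                             char *errbuf, size_t errlen) {
    size_t to_wrap;
    errbuf[0] = '\0';
    to_wrap = lookup_export(exports, fuzz_method, module_start);
    if (!to_wrap) {
        to_wrap = lookup_debug_symbol(pdb, fuzz_method);
        MODEL_ASSERT_MSG(to_wrap, "Can't find specified method in target_module",
                         errbuf, errlen);
        if (!to_wrap)
            return 0;
        to_wrap += module_start;
    }
    return to_wrap;
}

/* Constructed scenarios. "?loop@@YAXPEA_W@Z" is the assumed MSVC decoration of
 * a C++ `void loop(wchar_t*)`; "loop" is what an extern "C" exported function,
 * or a PDB entry, would expose under that plain name. */
static const char *exports_mangled[]  = { "?loop@@YAXPEA_W@Z", "main" };
static const char *exports_extern_c[] = { "loop", "main" };
static const char *pdb_with_loop[]    = { "loop", "charToWChar", "main" };

const symtab_t EXPORTS_MANGLED  = { exports_mangled,  2 };
const symtab_t EXPORTS_EXTERN_C = { exports_extern_c, 2 };
const symtab_t PDB_WITH_LOOP    = { pdb_with_loop,    3 };
const symtab_t PDB_MISSING      = { NULL, 0 };

char last_assert_msg[256]; /* receives the modelled assertion text */

int main(void) {
    size_t addr;

    /* Decorated C++ export only and no PDB beside the module: assertion fires. */
    addr = resolve_target_method(&EXPORTS_MANGLED, &PDB_MISSING, "loop", 0x400000,
                                 last_assert_msg, sizeof last_assert_msg);
    printf("mangled export, no pdb : addr=%#zx\n  %s\n", addr, last_assert_msg);

    /* Same exports, but debug symbols are available: stage 2 succeeds. */
    addr = resolve_target_method(&EXPORTS_MANGLED, &PDB_WITH_LOOP, "loop", 0x400000,
                                 last_assert_msg, sizeof last_assert_msg);
    printf("mangled export, pdb    : addr=%#zx\n", addr);

    /* Undecorated export: stage 1 succeeds, no debug info needed. */
    addr = resolve_target_method(&EXPORTS_EXTERN_C, &PDB_MISSING, "loop", 0x400000,
                                 last_assert_msg, sizeof last_assert_msg);
    printf("extern C export        : addr=%#zx\n", addr);
    return 0;
}
```

The three scenarios separate the two places a `-target_method` lookup can succeed: an entry in the module's export table under exactly the name given on the command line, or a debug-symbol entry found through drsyms. On a real build the corresponding checks are `dumpbin /EXPORTS gdiplusharness.exe` for the exact name passed to `-target_method`, and whether a `.pdb` for the executable sits where drsyms can find it; a function that a disassembler shows in the binary may still be neither exported nor described by debug info.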
