
Entrypoint trap trimed out: the forkserver injection failed, or the target process never reached its entrypoint. #17

Open
newuser54 opened this issue Mar 4, 2022 · 6 comments

Comments


newuser54 commented Mar 4, 2022

Hi, I want to use Winnie, but I get an error following the walkthrough for the toy_example sample.

CMD Used: afl-fuzz -i in -o out -t 1000 -I 1000 -- -bbfile basicblocks.bb -- -harness harness.dll -no_minidumps -debug -- toy_example.exe @@

-debug option returns:


Winnie 1.00 -- Forkserver-based Windows fuzzer
Based on WinAFL 1.16b and AFL 2.43b
[+] You have 4 CPU cores and 2 runnable tasks (utilization: 50%).
[+] Try parallel jobs - see docs\parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'in'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Using fullspeed (fault-based) instrumentation.
[*] Attempting dry run with 'id_000000'...
[*] Debug mode enabled

  cmd: toy_example.exe out\.cur_input
  PEB=0x000000000021D000, Base address=0x0000000000030000
  Binname: toy_example.exe, OEP: 0000000000001435
  Entrypoint = 0000000000031435


[-] PROGRAM ABORT : Entrypoint trap trimed out: the forkserver injection failed, or the target process never reached its entrypoint.

         Location : spawn_child_with_injection(), D:\WORK\codes\winnie\afl-fuzz\forkserver.c:448

BB File generated with IDA Pro 7.5 using the script provided

Compilation of Winnie and the toy example:

Windows 10 19044.1526
CSRSS Offsets generated successfully

Used Visual Studio 2019
Used SDK 10.0.22000
Used MSVC v142

No errors during compilation

I've tried to disable the Windows binary protections from the settings, but with no effect.

Thanks and Regards!

@qriosa qriosa mentioned this issue Mar 7, 2022
Closed
stong (Member) commented Mar 10, 2022

Could you compile in Debug mode and run it? There should be some more output I think

@kmackinley

I'm having the same issue. The only additional information that came out of compiling in debug mode is:

TRACE: Watchdog timeout

Otherwise, it is identical to OP's output above.


HE-UMU commented May 4, 2022

Hi, I am facing the same problem.

cmd: toy_example.exe out.cur_input
PEB=0x000000000028B000, Base address=0x0000000000030000
Binname: toy_example.exe, OEP: 0000000000001438
Entrypoint = 0000000000031438
TRACE: Watchdog timeout

[-] PROGRAM ABORT : Entrypoint trap trimed out: the forkserver injection failed, or the target process never reached its entrypoint.

     Location : spawn_child_with_injection(), e:\winnie\afl-fuzz\forkserver.c:448


Vulmatch commented Sep 26, 2022

@HE-UMU @kmackinley @newuser54
I figured it out. It is because the DLL injection works only when a 32-bit process injects into a 32-bit exe or a 64-bit process injects into a 64-bit exe. In this repo, the author by default sets the toy_example project to x86. Recompiling both afl-fuzzer and toy_example.exe as x64 works.

However, I am facing another bug: "Failed to set process affinity" pops up in the forkserver.exe. Still working on this issue.
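The bitness mismatch described above is cheap to check before launching a fuzzing session, because the fuzzer, the injected harness DLL and the target must all be the same architecture. The following is an added example (not code from the Winnie project) that reads the COFF `Machine` field from the PE header of each file and refuses a mismatched set; the function names `pe_bitness`, `injection_bitness_ok` and `check_files` are my own, and `make_stub_pe` only builds constructed header bytes for an offline self-test, not a loadable image.

```python
import struct
import sys

# Machine values from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit x64


def pe_machine(data: bytes) -> int:
    """Return the COFF Machine field of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    # e_lfanew at DOS header offset 0x3C points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # The COFF file header starts right after the signature; Machine is its first field.
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def pe_bitness(data: bytes) -> int:
    """Map the Machine field to 32 or 64; other architectures are rejected."""
    machine = pe_machine(data)
    if machine == IMAGE_FILE_MACHINE_I386:
        return 32
    if machine == IMAGE_FILE_MACHINE_AMD64:
        return 64
    raise ValueError(f"unsupported machine type 0x{machine:04x}")


def injection_bitness_ok(fuzzer: bytes, harness_dll: bytes, target: bytes) -> bool:
    """True only when injector, injected DLL and target share one bitness."""
    return pe_bitness(fuzzer) == pe_bitness(harness_dll) == pe_bitness(target)


def check_files(fuzzer_path: str, harness_path: str, target_path: str) -> bool:
    """Read the three files from disk and report a mismatch on stderr."""
    blobs = []
    for path in (fuzzer_path, harness_path, target_path):
        with open(path, "rb") as fh:
            blobs.append(fh.read(0x1000))  # headers live in the first page
    bits = [pe_bitness(b) for b in blobs]
    ok = len(set(bits)) == 1
    if not ok:
        print(f"bitness mismatch: fuzzer={bits[0]} harness={bits[1]} "
              f"target={bits[2]}; rebuild all three for the same architecture",
              file=sys.stderr)
    return ok


def make_stub_pe(machine: int) -> bytes:
    """Constructed test fixture: a DOS stub plus a bare PE signature and COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + coff


if __name__ == "__main__":
    if len(sys.argv) == 4:
        sys.exit(0 if check_files(*sys.argv[1:]) else 1)
    # No paths given: run the constructed self-test mirroring this issue
    # (64-bit fuzzer and harness, 32-bit toy_example.exe).
    x64 = make_stub_pe(IMAGE_FILE_MACHINE_AMD64)
    x86 = make_stub_pe(IMAGE_FILE_MACHINE_I386)
    print("matched set ok:", injection_bitness_ok(x64, x64, x64))
    print("mixed set ok:  ", injection_bitness_ok(x64, x64, x86))
```

Run it as `python check_bitness.py afl-fuzz.exe harness.dll toy_example.exe` before starting a session; a non-zero exit means the forkserver injection would be attempted across a 32/64-bit boundary, which is exactly the silent entrypoint-trap timeout seen in this thread.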


Ohhhh, finally it worked. I configured the virtual machine to have 4 cores rather than one core, and the problem was solved. This is really a damn awesome project!

stong (Member) commented Oct 1, 2022

@LeoLiu-2020 Thank you!

I will update the documentation to specify the machine must be multicore.
