From 55efbe36ba8ec2603f3074f04dd59e57b445bcbc Mon Sep 17 00:00:00 2001
From: Hardik Shah
Date: Tue, 27 Jul 2021 15:56:38 +0530
Subject: [PATCH 1/4] updated for shared memory support.
updated for shared memory support.
---
 gdiplus.cpp | 136 +++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 113 insertions(+), 23 deletions(-)
diff --git a/gdiplus.cpp b/gdiplus.cpp
index 972ec179..75768eef 100644
--- a/gdiplus.cpp
+++ b/gdiplus.cpp
@@ -23,47 +23,137 @@
 #include
 #include
 #include
+#include
+#include
+#pragma comment(lib, "gdiplus.lib")
+#pragma comment(lib, "shlwapi.lib")
 using namespace Gdiplus;
+/* for shared memory fuzzing */
+#define MAX_SAMPLE_SIZE 1000000
+#define SHM_SIZE (4 + MAX_SAMPLE_SIZE)
+unsigned char* shm_data;
+
+bool use_shared_memory;
+
+HANDLE map_file;
+
+//clear shared memory
+int clear_shmem(void) {
+ UnmapViewOfFile(shm_data);
+ CloseHandle(map_file);
+ return 0;
+}
+
+//setup shared memory
+int setup_shmem(const char* name) {
+ map_file = OpenFileMapping(
+ FILE_MAP_ALL_ACCESS, // read/write access
+ FALSE, // do not inherit the name
+ name); // name of mapping object
+
+ if (map_file == NULL) {
+ printf("Error accessing shared memory\n");
+ return 0;
+ }
+
+ shm_data = (unsigned char*)MapViewOfFile(map_file, // handle to map object
+ FILE_MAP_ALL_ACCESS, // read/write permission
+ 0,
+ 0,
+ SHM_SIZE);
+
+ if (shm_data == NULL) {
+ printf("Error accessing shared memory\n");
+ return 0;
+ }
+ CloseHandle(map_file);
+ return 1;
+}
+
+/* end shared memory fuzzing */
+
+#define FUZZ_TARGET_MODIFIERS __declspec(dllexport)
+
 wchar_t* charToWChar(const char* text) {
- size_t size = strlen(text) + 1;
- wchar_t* wa = new wchar_t[size];
- mbstowcs(wa,text,size);
- return wa;
+ size_t size = strlen(text) + 1;
+ wchar_t* wa = new wchar_t[size];
+ mbstowcs(wa, text, size);
+ return wa;
+}
+
+int FUZZ_TARGET_MODIFIERS FuzzMe(wchar_t* filename)
+{
+ Image* image = NULL;
+ Image* thumbnail = NULL;
+ if (!use_shared_memory)
+ {
+ image = new Image(filename);
+ }
+ else
+ {
+ char* sample_bytes = NULL;
+ uint32_t sample_size = 0;
+ sample_size = *(uint32_t*)(shm_data);
+ if (sample_size > MAX_SAMPLE_SIZE) sample_size = MAX_SAMPLE_SIZE;
+ sample_bytes = (char*)malloc(sample_size);
+ memcpy(sample_bytes, shm_data + sizeof(uint32_t), sample_size);
+ //lets create stream from memory and then we will create image.
+ IStream* stream = SHCreateMemStream(reinterpret_cast(sample_bytes), sample_size);
+ image = Gdiplus::Image::FromStream(stream);
+ }
+ if (image && (Ok == image->GetLastStatus())) {
+ //printf("Image loaded\n");
+ thumbnail = image->GetThumbnailImage(100, 100, NULL, NULL);
+ if (thumbnail && (Ok == thumbnail->GetLastStatus())) {
+ //printf("Thumbnail created\n");
+ }
+ }
+
+ //printf("Done\n");
+
+ if (image) delete image;
+ if (thumbnail) delete thumbnail;
+ return 0;
+
 }
 int main(int argc, char** argv) {
- if(argc < 2) {
- printf("Usage: %s \n", argv[0]);
+ wchar_t* filename;
+
+ printf("[+] %s() offset: 0x%x\n", __FUNCTION__, (char*)(*&FuzzMe) - (char*)GetModuleHandleW(NULL));
+ if (argc < 3) {
+ printf("Usage: %s <-f|-m> \n", argv[0]);
+ return 0;
+ }
+
+ if (!strcmp(argv[1], "-m")) {
+ use_shared_memory = true;
+ }
+ else if (!strcmp(argv[1], "-f")) {
+ use_shared_memory = false;
+ }
+ else {
+ printf("Usage: %s <-f|-m> \n", argv[0]);
 return 0;
 }
 GdiplusStartupInput gdiplusStartupInput;
 ULONG_PTR gdiplusToken;
 GdiplusStartup(&gdiplusToken, &gdiplusStartupInput, NULL);
+ filename = charToWChar(argv[2]);
- Image *image = NULL;
- //*thumbnail=NULL;
-
- image = new Image(charToWChar(argv[1]));
- if(image && (Ok == image->GetLastStatus())) {
- //printf("Image loaded\n");
- /*thumbnail = image->GetThumbnailImage(100, 100, NULL, NULL);
- if(thumbnail && (Ok == thumbnail->GetLastStatus())) {
- //printf("Thumbnail created\n");
- }*/
+ if (use_shared_memory) {
+ if (!setup_shmem(argv[2])) {
+ printf("Error mapping shared memory\n");
+ }
 }
- //printf("Done\n");
-
- if(image) delete image;
- //if(thumbnail) delete thumbnail;
-
+ FuzzMe(filename);
+ clear_shmem();
 GdiplusShutdown(gdiplusToken);
-
 return 0;
 }
-
From 72ba64821d92d886a232f6bc0f3a9a581c0d51cb Mon Sep 17 00:00:00 2001
From: Hardik Shah
Date: Thu, 29 Jul 2021 13:43:58 +0530
Subject: [PATCH 2/4] Update gdiplus.cpp
---
 gdiplus.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
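Review bot: The shared-memory branch of `FuzzMe` leaks on every call and has no failure handling: `malloc(sample_size)` is unchecked, the `IStream` from `SHCreateMemStream` (which can return NULL and is then handed straight to `Image::FromStream`) is never `Release()`d, and `sample_bytes` is never freed, so a harness that calls `FuzzMe` repeatedly grows by up to `MAX_SAMPLE_SIZE` bytes plus one stream per iteration. `main` compounds this by still calling `FuzzMe(filename)` after `setup_shmem(argv[2])` has failed, at which point `*(uint32_t*)(shm_data)` dereferences a NULL pointer; the error branch should stop with `printf("Error mapping shared memory\n"); return 1;`. `setup_shmem` also calls `CloseHandle(map_file)` as soon as the view is mapped, so the unconditional `clear_shmem()` at the end of `main` closes that stale handle value a second time (and in `-f` mode runs on a NULL view and handle); remove the early `CloseHandle` and guard the cleanup with `if (use_shared_memory) clear_shmem();`. Separately, `0x%x` in the offset `printf` truncates the pointer difference on 64-bit builds, where `%p` or `%Ix` would print it fully. A version of `FuzzMe` that checks the allocations, hoists the buffer and stream, and releases them only after the image is deleted follows.
```cpp
int FUZZ_TARGET_MODIFIERS FuzzMe(wchar_t* filename)
{
    Image* image = NULL;
    Image* thumbnail = NULL;
    char* sample_bytes = NULL;   // hoisted: must outlive the Image decoded from it
    IStream* stream = NULL;
    if (!use_shared_memory)
    {
        image = new Image(filename);
    }
    else
    {
        if (shm_data == NULL) return 0;   // setup_shmem() failed or never ran
        uint32_t sample_size = *(uint32_t*)(shm_data);
        if (sample_size > MAX_SAMPLE_SIZE) sample_size = MAX_SAMPLE_SIZE;
        sample_bytes = (char*)malloc(sample_size);
        if (sample_bytes == NULL) return 0;
        memcpy(sample_bytes, shm_data + sizeof(uint32_t), sample_size);
        stream = SHCreateMemStream(reinterpret_cast<const BYTE*>(sample_bytes), sample_size);
        if (stream) image = Gdiplus::Image::FromStream(stream);
    }
    // … unchanged: GetLastStatus check and thumbnail generation …
    if (image) delete image;
    if (thumbnail) delete thumbnail;
    if (stream) stream->Release();   // drop our reference only after the Image is gone
    free(sample_bytes);
    return 0;
}
```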
diff --git a/gdiplus.cpp b/gdiplus.cpp
index 75768eef..eec8d2ef 100644
--- a/gdiplus.cpp
+++ b/gdiplus.cpp
@@ -106,7 +106,7 @@ int FUZZ_TARGET_MODIFIERS FuzzMe(wchar_t* filename)
 }
 if (image && (Ok == image->GetLastStatus())) {
 //printf("Image loaded\n");
- thumbnail = image->GetThumbnailImage(100, 100, NULL, NULL);
+ //thumbnail = image->GetThumbnailImage(100, 100, NULL, NULL);
 if (thumbnail && (Ok == thumbnail->GetLastStatus())) {
 //printf("Thumbnail created\n");
 }
From cb6b286fc30421beb589b324cd6b33388df082ec Mon Sep 17 00:00:00 2001
From: Hardik Shah
Date: Thu, 29 Jul 2021 13:45:52 +0530
Subject: [PATCH 3/4] Update gdiplus.cpp
---
 gdiplus.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gdiplus.cpp b/gdiplus.cpp
index eec8d2ef..4cd46902 100644
--- a/gdiplus.cpp
+++ b/gdiplus.cpp
@@ -107,7 +107,7 @@ int FUZZ_TARGET_MODIFIERS FuzzMe(wchar_t* filename)
 if (image && (Ok == image->GetLastStatus())) {
 //printf("Image loaded\n");
 //thumbnail = image->GetThumbnailImage(100, 100, NULL, NULL);
- if (thumbnail && (Ok == thumbnail->GetLastStatus())) {
+ //if (thumbnail && (Ok == thumbnail->GetLastStatus())) {
 //printf("Thumbnail created\n");
 }
 }
From 5b929f1cbe71290ecbdcf4c306e3066bd44e21e7 Mon Sep 17 00:00:00 2001
From: Hardik Shah
Date: Thu, 29 Jul 2021 14:00:29 +0530
Subject: [PATCH 4/4] Update gdiplus.cpp
---
 gdiplus.cpp | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/gdiplus.cpp b/gdiplus.cpp
index 4cd46902..c940b3c4 100644
--- a/gdiplus.cpp
+++ b/gdiplus.cpp
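Review bot: Commenting out the `thumbnail = image->GetThumbnailImage(100, 100, NULL, NULL);` call leaves `thumbnail` permanently NULL, so the `if (thumbnail && ...)` block that follows it and the `if (thumbnail) delete thumbnail;` in the cleanup (outside this hunk) are now dead code, and nothing records why thumbnail generation was turned off. A one-line comment at the disabled call, e.g. `// thumbnail generation disabled (reason: <TODO>); FuzzMe now only loads the image`, would tell the next reader whether narrowing the target this way is intentional. The enclosing `FuzzMe` starts and ends outside the hunk.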
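Review bot: Commenting out only the `if (thumbnail && (Ok == thumbnail->GetLastStatus())) {` line leaves its closing `}` two lines below in place, so that brace now closes the outer `if (image && ...)` and the `}` after it closes `FuzzMe` itself, which puts the cleanup and `return 0;` that follow (outside this hunk) at file scope and breaks the build. The last patch in this series repairs this by turning the block into a `/* ... */` comment; for a single-line disable, the matching brace should be commented out in the same change, e.g. `//}`. `FuzzMe` starts and ends outside the hunk.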
@@ -104,13 +104,13 @@ int FUZZ_TARGET_MODIFIERS FuzzMe(wchar_t* filename)
 IStream* stream = SHCreateMemStream(reinterpret_cast(sample_bytes), sample_size);
 image = Gdiplus::Image::FromStream(stream);
 }
- if (image && (Ok == image->GetLastStatus())) {
- //printf("Image loaded\n");
- //thumbnail = image->GetThumbnailImage(100, 100, NULL, NULL);
- //if (thumbnail && (Ok == thumbnail->GetLastStatus())) {
- //printf("Thumbnail created\n");
- }
- }
+ if(image && (Ok == image->GetLastStatus())) {
+ //printf("Image loaded\n");
+ /*thumbnail = image->GetThumbnailImage(100, 100, NULL, NULL);
+ if(thumbnail && (Ok == thumbnail->GetLastStatus())) {
+ //printf("Thumbnail created\n");
+ }*/
+ }
 //printf("Done\n");