updated for shared memory support. #328

Draft
wants to merge 4 commits into
base: master
136 changes: 113 additions & 23 deletions gdiplus.cpp
Expand Up @@ -23,47 +23,137 @@
#include <stdio.h>
#include <windows.h>
#include <gdiplus.h>
#include<shlwapi.h>
#include <inttypes.h>

#pragma comment(lib, "gdiplus.lib")
#pragma comment(lib, "shlwapi.lib")
using namespace Gdiplus;

/* for shared memory fuzzing */
#define MAX_SAMPLE_SIZE 1000000
#define SHM_SIZE (4 + MAX_SAMPLE_SIZE)
unsigned char* shm_data;

bool use_shared_memory;

HANDLE map_file;

//clear shared memory
int clear_shmem(void) {
UnmapViewOfFile(shm_data);
CloseHandle(map_file);
return 0;
}

//setup shared memory
int setup_shmem(const char* name) {
map_file = OpenFileMapping(
FILE_MAP_ALL_ACCESS, // read/write access
FALSE, // do not inherit the name
name); // name of mapping object

if (map_file == NULL) {
printf("Error accessing shared memory\n");
return 0;
}

shm_data = (unsigned char*)MapViewOfFile(map_file, // handle to map object
FILE_MAP_ALL_ACCESS, // read/write permission
0,
0,
SHM_SIZE);

if (shm_data == NULL) {
printf("Error accessing shared memory\n");
return 0;
}
CloseHandle(map_file);
return 1;
}

/* end shared memory fuzzing */

#define FUZZ_TARGET_MODIFIERS __declspec(dllexport)

wchar_t* charToWChar(const char* text)
{
size_t size = strlen(text) + 1;
wchar_t* wa = new wchar_t[size];
mbstowcs(wa,text,size);
return wa;
size_t size = strlen(text) + 1;
wchar_t* wa = new wchar_t[size];
mbstowcs(wa, text, size);
return wa;
}

int FUZZ_TARGET_MODIFIERS FuzzMe(wchar_t* filename)
{
Image* image = NULL;
Image* thumbnail = NULL;
if (!use_shared_memory)
{
image = new Image(filename);
}
else
{
char* sample_bytes = NULL;
uint32_t sample_size = 0;
sample_size = *(uint32_t*)(shm_data);
if (sample_size > MAX_SAMPLE_SIZE) sample_size = MAX_SAMPLE_SIZE;
sample_bytes = (char*)malloc(sample_size);
memcpy(sample_bytes, shm_data + sizeof(uint32_t), sample_size);
//lets create stream from memory and then we will create image.
IStream* stream = SHCreateMemStream(reinterpret_cast<BYTE*>(sample_bytes), sample_size);
image = Gdiplus::Image::FromStream(stream);
}
if (image && (Ok == image->GetLastStatus())) {

Indentation seems to be off here


Tried multiple options, but for some reason it's just not working.

//printf("Image loaded\n");
//thumbnail = image->GetThumbnailImage(100, 100, NULL, NULL);
if (thumbnail && (Ok == thumbnail->GetLastStatus())) {
//printf("Thumbnail created\n");
}
}

//printf("Done\n");

if (image) delete image;
if (thumbnail) delete thumbnail;
return 0;

}

int main(int argc, char** argv)
{
if(argc < 2) {
printf("Usage: %s <image file>\n", argv[0]);
wchar_t* filename;

printf("[+] %s() offset: 0x%x\n", __FUNCTION__, (char*)(*&FuzzMe) - (char*)GetModuleHandleW(NULL));
if (argc < 3) {
printf("Usage: %s <-f|-m> <image file|shared memory>\n", argv[0]);
return 0;
}

if (!strcmp(argv[1], "-m")) {
use_shared_memory = true;
}
else if (!strcmp(argv[1], "-f")) {
use_shared_memory = false;
}
else {
printf("Usage: %s <-f|-m> <file or shared memory name>\n", argv[0]);
return 0;
}

GdiplusStartupInput gdiplusStartupInput;
ULONG_PTR gdiplusToken;
GdiplusStartup(&gdiplusToken, &gdiplusStartupInput, NULL);
filename = charToWChar(argv[2]);

Image *image = NULL;
//*thumbnail=NULL;

image = new Image(charToWChar(argv[1]));
if(image && (Ok == image->GetLastStatus())) {
//printf("Image loaded\n");
/*thumbnail = image->GetThumbnailImage(100, 100, NULL, NULL);
if(thumbnail && (Ok == thumbnail->GetLastStatus())) {
//printf("Thumbnail created\n");
}*/
if (use_shared_memory) {
if (!setup_shmem(argv[2])) {
printf("Error mapping shared memory\n");
}
}

//printf("Done\n");

if(image) delete image;
//if(thumbnail) delete thumbnail;

FuzzMe(filename);
clear_shmem();
GdiplusShutdown(gdiplusToken);

return 0;
}
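Review bot: When setup_shmem fails in -m mode, main only prints "Error mapping shared memory" and carries on, so FuzzMe dereferences the null shm_data at `sample_size = *(uint32_t*)(shm_data);` — the error branch in main should `return 1;` instead of falling through. The mapping handle is also closed twice: setup_shmem calls `CloseHandle(map_file);` right after MapViewOfFile, and clear_shmem closes the same handle again at exit (and is invoked unconditionally even in -f mode, where nothing was mapped); drop the close in setup_shmem or guard the call with `if (use_shared_memory) clear_shmem();`. In the shared-memory branch of FuzzMe, `sample_bytes` is never freed and `stream` is never released, which leaks on every call if this target is driven in a persistent loop, and the results of `malloc`, `SHCreateMemStream` and `Image::FromStream` are not null-checked before use.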