better README for untracer

This commit is contained in:
van Hauser
2020-05-06 17:20:42 +02:00
parent 8cdf767bf5
commit 01b5aa123d
2 changed files with 31 additions and 4 deletions


@ -1,4 +1,6 @@
# afl-untracer # afl-untracer - fast fuzzing of binary-only libraries
## Introduction
afl-untracer is an example skeleton file which can easily be used to fuzz afl-untracer is an example skeleton file which can easily be used to fuzz
a closed source library. a closed source library.
@ -7,8 +9,17 @@ It requires less memory and is x3-5 faster than qemu_mode however it is way
more course grained and does not provide interesting features like compcov more course grained and does not provide interesting features like compcov
or cmplog. or cmplog.
Read and modify afl-untracer.c then `make` and use it as the afl-fuzz target Supported is so far Intel (i386/x86_64) and AARCH64.
(or even remote via afl-network-proxy).
## How-to
### Modify afl-untracer.c
Read and modify afl-untracer.c then `make`.
To adapt afl-untracer.c to your need read the header of the file and then
search and edit the `STEP 1`, `STEP 2` and `STEP 3` locations.
### Generate patches.txt file
To generate the `patches.txt` file for your target library use the To generate the `patches.txt` file for your target library use the
`ida_get_patchpoints.py` script for IDA Pro or `ida_get_patchpoints.py` script for IDA Pro or
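Review bot: the new line `Supported is so far Intel (i386/x86_64) and AARCH64.` reads awkwardly; suggest `So far Intel (i386/x86_64) and AArch64 are supported.` Since this paragraph is being touched anyway, the unchanged context line `more course grained` should become `more coarse grained`, and the moved sentence about afl-network-proxy is dropped here without explanation, which is fine only because the later hunk re-adds it under the Fuzzing section.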
@ -16,19 +27,32 @@ To generate the `patches.txt` file for your target library use the
The patches.txt file has to pointed to by `AFL_UNTRACER_FILE`. The patches.txt file has to pointed to by `AFL_UNTRACER_FILE`.
To easily run the scripts without needing to run the GUI with Ghidra:
```
$ /opt/ghidra/support/analyzeHeadless /tmp/ tmp$$ -import libtestinstr.so -postscript ./ghidra_get_patchpoints.java
$ rm -rf /tmp/tmp$$
```
### Fuzzing
Example (after modfying afl-untracer.c to your needs, compiling and creating Example (after modfying afl-untracer.c to your needs, compiling and creating
patches.txt): patches.txt):
``` ```
AFL_UNTRACER_FILE=./patches.txt afl-fuzz -i in -o out -- ./afl-untracer AFL_UNTRACER_FILE=./patches.txt afl-fuzz -i in -o out -- ./afl-untracer
``` ```
(or even remote via afl-network-proxy).
To testing/debugging you can try: ### Testing and debugging
For testing/debugging you can try:
``` ```
make DEBUG=1 make DEBUG=1
AFL_UNTRACER_FILE=./patches.txt AFL_DEBUG=1 gdb ./afl-untracer AFL_UNTRACER_FILE=./patches.txt AFL_DEBUG=1 gdb ./afl-untracer
``` ```
and then you can easily set breakpoints to "breakpoint" and "fuzz". and then you can easily set breakpoints to "breakpoint" and "fuzz".
# Background
This idea is based on [UnTracer](https://github.com/FoRTE-Research/UnTracer-AFL) This idea is based on [UnTracer](https://github.com/FoRTE-Research/UnTracer-AFL)
and modified by [Trapfuzz](https://github.com/googleprojectzero/p0tools/tree/master/TrapFuzz). and modified by [Trapfuzz](https://github.com/googleprojectzero/p0tools/tree/master/TrapFuzz).
This implementation is slower because the traps are not patched out with each This implementation is slower because the traps are not patched out with each
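Review bot: the cleanup in the new Ghidra snippet is fragile. `$$` is the PID of the shell the line is typed into, so `rm -rf /tmp/tmp$$` only matches the project name used by `analyzeHeadless /tmp/ tmp$$` when both lines run in the same shell session, and headless Ghidra stores the project as `<location>/<name>.gpr` plus a `<name>.rep` directory rather than a bare `/tmp/tmp$$` path. `analyzeHeadless` has a `-deleteProject` option that removes the project after the run; using it (or a `mktemp -d` directory that is removed afterwards) would be more robust than the `rm -rf`. Also tag the new fence with a language (the existing fences in this file are untagged too), drop the `$ ` prompts so the block can be pasted as-is, and fix the context-line typos `has to pointed to by` (missing `be`) and `modfying`.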


@ -57,3 +57,6 @@ with open(home + "/Desktop/patches.txt", "w") as f:
f.write('\n') f.write('\n')
print("Done, found {} patchpoints".format(len(patchpoints))) print("Done, found {} patchpoints".format(len(patchpoints)))
# For headless script running remove the comment from the next line
#ida_pro.qexit()
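Review bot: the commented-out `ida_pro.qexit()` is called without an argument; IDAPython's `qexit` takes an integer exit status, so the line should read `#ida_pro.qexit(0)`. The hunk also does not show an `import ida_pro` at the top of `ida_get_patchpoints.py`; confirm it is present, otherwise uncommenting the line raises `NameError` at the very end of a long analysis run. Asking users to edit the script to switch between GUI and headless use is error-prone; a small check (for example on an environment variable the user sets when running headless) would let one file serve both cases.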