ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 02:58:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

better README for untracer

Browse Source
This commit is contained in:
van Hauser
2020-05-06 17:20:42 +02:00
parent 8cdf767bf5
commit 01b5aa123d
2 changed files with 31 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
examples/afl_untracer/README.md
View File

@ -1,4 +1,6 @@
# afl-untracer
# afl-untracer - fast fuzzing of binary-only libraries
## Introduction
afl-untracer is an example skeleton file which can easily be used to fuzz
a closed source library.
@ -7,8 +9,17 @@ It requires less memory and is x3-5 faster than qemu_mode however it is way
more course grained and does not provide interesting features like compcov
or cmplog.
Read and modify afl-untracer.c then `make` and use it as the afl-fuzz target
(or even remote via afl-network-proxy).
Supported is so far Intel (i386/x86_64) and AARCH64.
## How-to
### Modify afl-untracer.c
Read and modify afl-untracer.c then `make`.
To adapt afl-untracer.c to your need read the header of the file and then
search and edit the `STEP 1`, `STEP 2` and `STEP 3` locations.
### Generate patches.txt file
To generate the `patches.txt` file for your target library use the
`ida_get_patchpoints.py` script for IDA Pro or
@ -16,19 +27,32 @@ To generate the `patches.txt` file for your target library use the
The patches.txt file has to pointed to by `AFL_UNTRACER_FILE`.
To easily run the scripts without needing to run the GUI with Ghidra:
```
$ /opt/ghidra/support/analyzeHeadless /tmp/ tmp$$ -import libtestinstr.so -postscript ./ghidra_get_patchpoints.java
$ rm -rf /tmp/tmp$$
```
### Fuzzing
Example (after modfying afl-untracer.c to your needs, compiling and creating
patches.txt):
```
AFL_UNTRACER_FILE=./patches.txt afl-fuzz -i in -o out -- ./afl-untracer
```
(or even remote via afl-network-proxy).
To testing/debugging you can try:
### Testing and debugging
For testing/debugging you can try:
```
make DEBUG=1
AFL_UNTRACER_FILE=./patches.txt AFL_DEBUG=1 gdb ./afl-untracer
```
and then you can easily set breakpoints to "breakpoint" and "fuzz".
# Background
This idea is based on [UnTracer](https://github.com/FoRTE-Research/UnTracer-AFL)
and modified by [Trapfuzz](https://github.com/googleprojectzero/p0tools/tree/master/TrapFuzz).
This implementation is slower because the traps are not patched out with each

3
examples/afl_untracer/ida_get_patchpoints.py
View File

@ -57,3 +57,6 @@ with open(home + "/Desktop/patches.txt", "w") as f:
f.write('\n')
print("Done, found {} patchpoints".format(len(patchpoints)))
# For headless script running remove the comment from the next line
#ida_pro.qexit()