persistent hook example

README.md

@@ -166,7 +166,7 @@ If you want to build afl++ yourself you have many options.
 The easiest choice is to build and install everything:
 
 ```shell
-sudo apt install build-essential libtool-bin python3-dev automake flex bison libglib2.0-dev libpixman-1-dev clang python3-setuptools llvm
+sudo apt install build-essential python3-dev automake flex bison libglib2.0-dev libpixman-1-dev clang python3-setuptools llvm
 make distrib
 sudo make install
 ```

examples/qemu_persistent_hook/Makefile

@@ -0,0 +1,6 @@
+all:
+	$(CC) -no-pie test.c -o test
+	$(CC) -fPIC -shared read_into_rdi.c -o read_into_rdi.so
+
+clean:
+	rm -rf in out test read_into_rdi.so

examples/qemu_persistent_hook/README.md

@@ -3,8 +3,7 @@
 Compile the test binary and the library:
 
 ```
-gcc -no-pie test.c -o test
-gcc -fPIC -shared read_into_rdi.c -o read_into_rdi.so
+make
 ```
 
 Fuzz with:

examples/qemu_persistent_hook/read_into_rdi.c

@@ -15,11 +15,11 @@ void afl_persistent_hook(struct x86_64_regs *regs,
   // of the target buffer, and the length of the input is in RSI.
   // This can be seen with a debugger, e.g. gdb (and "disass main")
 
-  printf("Placing input into %p\n", regs->rdi);
+  printf("Placing input into 0x%lx\n", regs->rdi);
 
-  if (input_len > 1024) input_len = 1024;
-  memcpy(g2h(regs->rdi), input_buf, input_len);
-  regs->rsi = input_len;
+  if (input_buf_len > 1024) input_buf_len = 1024;
+  memcpy(g2h(regs->rdi), input_buf, input_buf_len);
+  regs->rsi = input_buf_len;
 
 #undef g2h
 #undef h2g

qemu_mode/README.md

@@ -90,7 +90,16 @@ fork() mode but, opposed to fork(), it can scale better with multicore.
 If the AFL++ Snaphsot kernel module is loaded, qemuafl will use it and, in this
 case, the speed is better than fork() and also the scaling capabilities.
 
-## 6) CompareCoverage
+## 6) Partial instrumentation
+
+You can tell QEMU to instrument only a part of the address space.
+
+Just set AFL_QEMU_INST_RANGES=A,B,C...
+
+The format of the iterms in the list is either a range of addresses like 0x123-0x321
+or a module name like module.so (that is mathed in the mapped object filename).
+
+## 7) CompareCoverage
 
 CompareCoverage is a sub-instrumentation with effects similar to laf-intel.
 
@@ -111,7 +120,7 @@ on the x86, x86_64, arm and aarch64 targets.
 
 Highly recommended.
 
-## 7) CMPLOG mode
+## 8) CMPLOG mode
 
 Another new feature is CMPLOG, which is based on the redqueen project.
 Here all immidiates in CMP instructions are learned and put into a dynamic
@@ -123,7 +132,7 @@ and aarch64.
 To enable it you must pass on the command line of afl-fuzz:
   -c /path/to/your/target
 
-## 8) Wine mode
+## 9) Wine mode
 
 AFL++ QEMU can use Wine to fuzz WIn32 PE binaries. Use the -W flag of afl-fuzz.
 
@@ -131,7 +140,7 @@ Note that some binaries require user interaction with the GUI and must be patche
 
 For examples look [here](https://github.com/andreafioraldi/WineAFLplusplusDEMO).
 
-## 9) Notes on linking
+## 10) Notes on linking
 
 The feature is supported only on Linux. Supporting BSD may amount to porting
 the changes made to linux-user/elfload.c and applying them to
@@ -152,7 +161,7 @@ practice, this means two things:
 Setting AFL_INST_LIBS=1 can be used to circumvent the .text detection logic
 and instrument every basic block encountered.
 
-## 10) Benchmarking
+## 11) Benchmarking
 
 If you want to compare the performance of the QEMU instrumentation with that of
 afl-gcc compiled code against the same target, you need to build the
@@ -167,7 +176,7 @@ Comparative measurements of execution speed or instrumentation coverage will be
 fairly meaningless if the optimization levels or instrumentation scopes don't
 match.
 
-## 11) Gotchas, feedback, bugs
+## 12) Gotchas, feedback, bugs
 
 If you need to fix up checksums or do other cleanup on mutated test cases, see
 examples/custom_mutators/ for a viable solution.
@@ -188,7 +197,7 @@ with -march=core2, can help.
 Beyond that, this is an early-stage mechanism, so fields reports are welcome.
 You can send them to <afl-users@googlegroups.com>.
 
-## 12) Alternatives: static rewriting
+## 13) Alternatives: static rewriting
 
 Statically rewriting binaries just once, instead of attempting to translate
 them at run time, can be a faster alternative. That said, static rewriting is

qemu_mode/build_qemu_support.sh

@@ -60,7 +60,7 @@ if [ ! -f "../afl-showmap" ]; then
 fi
 
 PREREQ_NOTFOUND=
-for i in libtool wget automake autoconf sha384sum bison flex iconv patch pkg-config; do
+for i in git wget sha384sum bison flex iconv patch pkg-config; do
 
   T=`command -v "$i" 2>/dev/null`