persistent hook example

This commit is contained in:
Andrea Fioraldi
2020-11-02 14:15:44 +01:00
parent 54ed02ef47
commit a260d34b49
6 changed files with 29 additions and 15 deletions

View File

@ -166,7 +166,7 @@ If you want to build afl++ yourself you have many options.
The easiest choice is to build and install everything: The easiest choice is to build and install everything:
```shell ```shell
sudo apt install build-essential libtool-bin python3-dev automake flex bison libglib2.0-dev libpixman-1-dev clang python3-setuptools llvm sudo apt install build-essential python3-dev automake flex bison libglib2.0-dev libpixman-1-dev clang python3-setuptools llvm
make distrib make distrib
sudo make install sudo make install
``` ```
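Review bot: the dependency lists in this README line and in the build script's prerequisite check (`for i in git wget sha384sum bison flex iconv patch pkg-config`) are drifting apart: this line drops `libtool-bin` but still lists `automake`, while the script stops checking for `automake`/`autoconf` and starts requiring `git`, which the apt line does not install. Suggest adding `git` to the `sudo apt install ...` line and either dropping `automake` from it or keeping it in the script's check, so that a fresh system set up by following the README passes the script's prerequisite test.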

View File

@ -0,0 +1,6 @@
all:
$(CC) -no-pie test.c -o test
$(CC) -fPIC -shared read_into_rdi.c -o read_into_rdi.so
clean:
rm -rf in out test read_into_rdi.so
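Review bot: `clean` removes `in` and `out` together with the build products (`rm -rf in out test read_into_rdi.so`), so a `make clean` after a fuzzing run deletes the seed corpus and every queue entry and crash that afl-fuzz wrote to `out`. Suggest restricting `clean` to `test` and `read_into_rdi.so` and moving the corpus cleanup to a separate target (for example `distclean`), and adding `.PHONY: all clean` so that a file named `all` or `clean` in the directory cannot mask the targets. The `-no-pie` flag is what lets the example work with fixed addresses in the non-relocated binary; a one-line comment next to it would save the next reader from removing it.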

View File

@ -3,8 +3,7 @@
Compile the test binary and the library: Compile the test binary and the library:
``` ```
gcc -no-pie test.c -o test make
gcc -fPIC -shared read_into_rdi.c -o read_into_rdi.so
``` ```
Fuzz with: Fuzz with:
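Review bot: with the two gcc lines replaced by `make`, the README no longer shows that the binary is built with `-no-pie`; since the example relies on fixed addresses in a non-relocated binary, a sentence saying why `-no-pie` is required (or a pointer to the Makefile) keeps that caveat visible to readers who build the target by hand. It would also be worth mentioning that `make clean` currently removes `in` and `out`, so it should not be run between fuzzing sessions.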

View File

@ -15,11 +15,11 @@ void afl_persistent_hook(struct x86_64_regs *regs,
// of the target buffer, and the length of the input is in RSI. // of the target buffer, and the length of the input is in RSI.
// This can be seen with a debugger, e.g. gdb (and "disass main") // This can be seen with a debugger, e.g. gdb (and "disass main")
printf("Placing input into %p\n", regs->rdi); printf("Placing input into 0x%lx\n", regs->rdi);
if (input_len > 1024) input_len = 1024; if (input_buf_len > 1024) input_buf_len = 1024;
memcpy(g2h(regs->rdi), input_buf, input_len); memcpy(g2h(regs->rdi), input_buf, input_buf_len);
regs->rsi = input_len; regs->rsi = input_buf_len;
#undef g2h #undef g2h
#undef h2g #undef h2g
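Review bot: `printf("Placing input into 0x%lx\n", regs->rdi)` executes on every iteration of the persistent loop, so the hook now pays a write(2) per execution for a message that does not change once the target is running; suggest removing it or guarding it behind a debug flag. Two smaller points: if `regs->rdi` is a `uint64_t`, `PRIx64` from `<inttypes.h>` is the portable format (plain `%lx` assumes a 64-bit `long`), and the `1024` cap in `if (input_buf_len > 1024) input_buf_len = 1024;` is a hard-coded assumption about the size of the target buffer in `test.c` that should be a named constant shared with, or at least commented against, the buffer declaration, since a silently truncated input that is longer than the buffer is exactly the case the cap exists to prevent.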

View File

@ -90,7 +90,16 @@ fork() mode but, opposed to fork(), it can scale better with multicore.
If the AFL++ Snaphsot kernel module is loaded, qemuafl will use it and, in this If the AFL++ Snaphsot kernel module is loaded, qemuafl will use it and, in this
case, the speed is better than fork() and also the scaling capabilities. case, the speed is better than fork() and also the scaling capabilities.
## 6) CompareCoverage ## 6) Partial instrumentation
You can tell QEMU to instrument only a part of the address space.
Just set AFL_QEMU_INST_RANGES=A,B,C...
The format of the iterms in the list is either a range of addresses like 0x123-0x321
or a module name like module.so (that is mathed in the mapped object filename).
## 7) CompareCoverage
CompareCoverage is a sub-instrumentation with effects similar to laf-intel. CompareCoverage is a sub-instrumentation with effects similar to laf-intel.
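Review bot: two typos in the added section: `iterms` should be `items` and `mathed` should be `matched`. The pre-existing `Snaphsot` in the context line above could be fixed to `Snapshot` in the same pass. It would also help to state whether whitespace around the commas in `AFL_QEMU_INST_RANGES=A,B,C...` is accepted and whether the module-name form (`module.so`) is an exact filename match or a substring match against the mapped object's path, since a substring match can silently instrument more objects than intended.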
@ -111,7 +120,7 @@ on the x86, x86_64, arm and aarch64 targets.
Highly recommended. Highly recommended.
## 7) CMPLOG mode ## 8) CMPLOG mode
Another new feature is CMPLOG, which is based on the redqueen project. Another new feature is CMPLOG, which is based on the redqueen project.
Here all immidiates in CMP instructions are learned and put into a dynamic Here all immidiates in CMP instructions are learned and put into a dynamic
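Review bot: the context line `Here all immidiates in CMP instructions` carries a pre-existing typo (`immediates`); since the heading directly above it is already being rewritten in this hunk, fixing it here avoids another docs-only commit.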
@ -123,7 +132,7 @@ and aarch64.
To enable it you must pass on the command line of afl-fuzz: To enable it you must pass on the command line of afl-fuzz:
-c /path/to/your/target -c /path/to/your/target
## 8) Wine mode ## 9) Wine mode
AFL++ QEMU can use Wine to fuzz WIn32 PE binaries. Use the -W flag of afl-fuzz. AFL++ QEMU can use Wine to fuzz WIn32 PE binaries. Use the -W flag of afl-fuzz.
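Review bot: `WIn32` in the context line should be `Win32`; the heading directly above it is already being rewritten in this hunk, so the fix costs nothing here.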
@ -131,7 +140,7 @@ Note that some binaries require user interaction with the GUI and must be patche
For examples look [here](https://github.com/andreafioraldi/WineAFLplusplusDEMO). For examples look [here](https://github.com/andreafioraldi/WineAFLplusplusDEMO).
## 9) Notes on linking ## 10) Notes on linking
The feature is supported only on Linux. Supporting BSD may amount to porting The feature is supported only on Linux. Supporting BSD may amount to porting
the changes made to linux-user/elfload.c and applying them to the changes made to linux-user/elfload.c and applying them to
@ -152,7 +161,7 @@ practice, this means two things:
Setting AFL_INST_LIBS=1 can be used to circumvent the .text detection logic Setting AFL_INST_LIBS=1 can be used to circumvent the .text detection logic
and instrument every basic block encountered. and instrument every basic block encountered.
## 10) Benchmarking ## 11) Benchmarking
If you want to compare the performance of the QEMU instrumentation with that of If you want to compare the performance of the QEMU instrumentation with that of
afl-gcc compiled code against the same target, you need to build the afl-gcc compiled code against the same target, you need to build the
@ -167,7 +176,7 @@ Comparative measurements of execution speed or instrumentation coverage will be
fairly meaningless if the optimization levels or instrumentation scopes don't fairly meaningless if the optimization levels or instrumentation scopes don't
match. match.
## 11) Gotchas, feedback, bugs ## 12) Gotchas, feedback, bugs
If you need to fix up checksums or do other cleanup on mutated test cases, see If you need to fix up checksums or do other cleanup on mutated test cases, see
examples/custom_mutators/ for a viable solution. examples/custom_mutators/ for a viable solution.
@ -188,7 +197,7 @@ with -march=core2, can help.
Beyond that, this is an early-stage mechanism, so fields reports are welcome. Beyond that, this is an early-stage mechanism, so fields reports are welcome.
You can send them to <afl-users@googlegroups.com>. You can send them to <afl-users@googlegroups.com>.
## 12) Alternatives: static rewriting ## 13) Alternatives: static rewriting
Statically rewriting binaries just once, instead of attempting to translate Statically rewriting binaries just once, instead of attempting to translate
them at run time, can be a faster alternative. That said, static rewriting is them at run time, can be a faster alternative. That said, static rewriting is

View File

@ -60,7 +60,7 @@ if [ ! -f "../afl-showmap" ]; then
fi fi
PREREQ_NOTFOUND= PREREQ_NOTFOUND=
for i in libtool wget automake autoconf sha384sum bison flex iconv patch pkg-config; do for i in git wget sha384sum bison flex iconv patch pkg-config; do
T=`command -v "$i" 2>/dev/null` T=`command -v "$i" 2>/dev/null`
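Review bot: the prerequisite check now requires `git` and no longer checks for `libtool`, `automake` or `autoconf`, but the README's apt line touched in this same commit still installs `automake` and does not install `git`; suggest aligning the two lists so that a system prepared by following the README does not fail at this check. If `automake` and `autoconf` are genuinely no longer needed by the build, dropping them from the apt line as well keeps the documented dependency set minimal.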