author | van Hauser <vh@thc.org> | 2020-07-15 00:08:38 +0200 |
---|---|---|
committer | van Hauser <vh@thc.org> | 2020-07-15 00:08:38 +0200 |
commit | a8726b8254f2f8c429c8b3e1c2d30b9f7baa6e93 (patch) | |
tree | c28ca705308f7ec63065d782379271d4ab75f496 | |
parent | c5963f707c9a1b1ec0d869d90fabf09072093e1d (diff) | |
download | afl++-a8726b8254f2f8c429c8b3e1c2d30b9f7baa6e93.tar.gz |
ensure afl-frida uses persistent mode
-rw-r--r-- | docs/Changelog.md | 2 | ||||
-rw-r--r-- | examples/afl_frida/README.md | 10 | ||||
-rw-r--r-- | examples/afl_frida/afl-frida.c | 8 |
3 files changed, 13 insertions, 7 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 8fb85ce6..50f5629f 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -18,6 +18,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
 - LTO: autodictionary mode is a default
 - LTO: instrim instrumentation disabled, only classic support used as it is always better
+ - added afl-frida gum solution to examples/afl_frida (mostly imported
+ from https://github.com/meme/hotwax/)
 - small fixes to afl-plot, afl-whatsup and man page creation
diff --git a/examples/afl_frida/README.md b/examples/afl_frida/README.md
index 93e8f35a..33bd67c8 100644
--- a/examples/afl_frida/README.md
+++ b/examples/afl_frida/README.md
@@ -24,14 +24,10 @@ afl-fuzz -i in -o out -- ./afl-frida
 ```
 (or even remote via afl-network-proxy).
-### Testing and debugging
+# Speed and stability
-For testing/debugging you can try:
-```
-make DEBUG=1
-AFL_DEBUG=1 gdb ./afl-frida
-```
-and then you can easily set breakpoints to "breakpoint" and "fuzz".
+The speed is very good, about x12 of fork() qemu_mode.
+However the stability is low. Reason is currently unknown.
 # Background
diff --git a/examples/afl_frida/afl-frida.c b/examples/afl_frida/afl-frida.c
index c24e05b7..ff10ffb7 100644
--- a/examples/afl_frida/afl-frida.c
+++ b/examples/afl_frida/afl-frida.c
@@ -39,6 +39,7 @@
 #ifndef __APPLE__
 #include <sys/wait.h>
+ #include <sys/personality.h>
 #endif
@@ -216,6 +217,10 @@ static int enumerate_ranges(const GumRangeDetails *details,
 int main() {
+#ifndef __APPLE__
+ (void)personality(ADDR_NO_RANDOMIZE); // disable ASLR
+#endif
+
 // STEP 2: load the library you want to fuzz and lookup the functions,
 // inclusive of the cleanup functions.
 // If there is just one function, then there is nothing to change
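Review bot: `#include <sys/personality.h>` is added under the existing `#ifndef __APPLE__` guard, but that header and personality(2) exist only on Linux, so the build now fails on the BSDs and any other non-Apple platform the guard still admits. Guard the new include with `#ifdef __linux__` instead, and use the same guard at the call site in main() so the two sides cannot drift apart. The `#ifndef __APPLE__` block is fully inside the hunk; the rest of the include list is not.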
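Review bot: `(void)personality(ADDR_NO_RANDOMIZE)` at the top of main() does not disable ASLR for the harness itself: the kernel consults that flag only at execve(), so this process's mappings, and the target library dlopen'd later in main(), keep the randomized base that was chosen when afl-fuzz started the binary, and the discarded return value also hides any failure. The conventional fix is to set the flag and re-exec the binary once, as sketched below; the flag is inherited across the execve so the second instance skips the branch, but this needs `int main(int argc, char **argv)` and `<unistd.h>` for execv(), which the hunk does not show. Since it runs before __afl_manual_init(), the re-exec happens before the fork-server handshake, and afl-fuzz's control pipe descriptors are inherited across execve, so the fork server should still come up normally — worth confirming with a quick run. The guard should be `#ifdef __linux__` rather than `#ifndef __APPLE__` because personality() is Linux-only; running the harness under `setarch -R` is the no-code alternative if re-exec is unwanted. The rest of main() lies outside this hunk.
```c
int main(int argc, char **argv) {

  (void)argc;
#ifdef __linux__
  // ADDR_NO_RANDOMIZE is only consulted by execve(), so set it and re-exec
  // ourselves once; the flag survives the execve, so the second instance
  // sees it already set and skips this branch.
  int pers = personality(0xffffffff);
  if (pers != -1 && !(pers & ADDR_NO_RANDOMIZE)) {
    if (personality(pers | ADDR_NO_RANDOMIZE) != -1)
      execv("/proc/self/exe", argv);
    // execv() failed: continue with ASLR rather than abort the harness
  }
#endif
  // … unchanged: STEP 2 comment and the library/function lookup …
```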
@@ -264,6 +269,9 @@ int main() {
 GumEventSink *event_sink = gum_fake_event_sink_new();
+ // to ensure that the signatures are not optimized out
+ memcpy(__afl_area_ptr, (void*)AFL_PERSISTENT, sizeof(AFL_PERSISTENT) + 1);
+ memcpy(__afl_area_ptr + 32, (void*)AFL_DEFER_FORKSVR, sizeof(AFL_DEFER_FORKSVR) + 1);
 __afl_manual_init();
 // |
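Review bot: `sizeof(AFL_PERSISTENT) + 1` and `sizeof(AFL_DEFER_FORKSVR) + 1` in the two added memcpy calls read one byte past the end of the source: if the macros expand to string literals, as the sizeof usage implies, sizeof already counts the NUL terminator, so the `+ 1` is an out-of-bounds read of .rodata. Drop it on both lines, e.g. `memcpy(__afl_area_ptr, AFL_PERSISTENT, sizeof(AFL_PERSISTENT));` and `memcpy(__afl_area_ptr + 32, AFL_DEFER_FORKSVR, sizeof(AFL_DEFER_FORKSVR));`. Separately, a memcpy with a constant source and length is routinely lowered to immediate stores, in which case the literal never lands in the binary and the signature scan afl-fuzz performs will not find it; a file-scope `static volatile char` array per signature (or `__attribute__((used))`) is the reliable way to keep the bytes in the image, and the existing comment should say that is the intent. The writes land in the coverage map before the fork server is up, which is only safe if `__afl_area_ptr` already points at a buffer of at least 64 bytes here — the hunk does not show where it is declared, so a comment stating that assumption would help. main() starts before this hunk and continues past it.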