author: hexcoder <hexcoder-@users.noreply.github.com> 2020-11-02 20:06:55 +0100
committer: GitHub <noreply@github.com> 2020-11-02 20:06:55 +0100
commit: d026a9a9c5e1b82a8c2e80df6f28d903e039affa (patch)
tree: a6caab91e5c8ba59a42cf0199dcc3bd31ec05b38
parent: 445d8f991751bcbcfb2954e0f4b21de383828a0a (diff)
download: afl++-d026a9a9c5e1b82a8c2e80df6f28d903e039affa.tar.gz
typos
-rw-r--r--  qemu_mode/README.persistent.md | 30
1 files changed, 15 insertions, 15 deletions
diff --git a/qemu_mode/README.persistent.md b/qemu_mode/README.persistent.md
index 2744d172..d9e7e1cc 100644
--- a/qemu_mode/README.persistent.md
+++ b/qemu_mode/README.persistent.md
@@ -2,7 +2,7 @@
 
 ## 1) Introduction
 
-Persistent mode let you fuzz your target persistently between two
+Persistent mode lets you fuzz your target persistently between two
 addresses - without forking for every fuzzing attempt.
 This increases the speed by a factor between x2 and x5, hence it is
 very, very valuable.
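Review bot: the corrected line still reads "Persistent mode lets you fuzz your target persistently", repeating the mode's name as the adverb; "lets you fuzz your target repeatedly between two addresses" says what the feature actually does. In the trailing context, "between x2 and x5" is more conventionally written "between 2x and 5x".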
@@ -14,7 +14,7 @@ and aarch64 targets.
 
 ### 2.1) The START address
 
-The start of the persistent loop has to be set with AFL_QEMU_PERSISTENT_ADDR.
+The start of the persistent loop has to be set with env var AFL_QEMU_PERSISTENT_ADDR.
 
 This address can be the address of whatever instruction.
 Setting this address to the start of a function makes the usage simple.
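Review bot: the unchanged context line "This address can be the address of whatever instruction" is awkward in the same way as the lines this commit fixes; "This can be the address of any instruction" is clearer. The added "env var" wording is fine, but the variable name would read better in backticks, `AFL_QEMU_PERSISTENT_ADDR`, matching the code spans used later in the same file.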
@@ -42,7 +42,7 @@ message that the forkserver was not found.
 
 The RET address is the last instruction of the persistent loop.
 The emulator will emit a jump to START when translating the instruction at RET.
-It is optional, and only needed if the the return should not be
+It is optional, and only needed if the return should not be
 at the end of the function to which the START address points into, but earlier.
 
 It is defined by setting AFL_QEMU_PERSISTENT_RET, and too 0x4000000000 has to
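Review bot: the last context line, "and too 0x4000000000 has to", looks like another typo in the region being edited ("too" for "also", or a word missing), so it belongs in this commit rather than being left behind; please confirm the intended wording, since the rest of the sentence is outside this hunk. The line above it, "the function to which the START address points into", doubles the preposition; "the function that the START address points into" or "to which START points" avoids that.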
@@ -58,10 +58,10 @@ been set (so the end of the loop will be at the end of the function but START
 will not be at the beginning of it), we need an offset from the ESP pointer
 to locate the return address to patch.
 
-The value by which the ESP pointer has to be corrected has to set in the
-variable AFL_QEMU_PERSISTENT_RETADDR_OFFSET
+The value by which the ESP pointer has to be corrected has to be set in the
+variable AFL_QEMU_PERSISTENT_RETADDR_OFFSET.
 
-Now to get this value right here some help:
+Now to get this value right here is some help:
 1. use gdb on the target 
 2. set a breakpoint to "main" (this is required for PIE/PIC binaries so the
    addresses are set up)
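Review bot: the rewritten line "Now to get this value right here is some help:" is grammatical now but still hard to parse; "Here is some help to get this value right:" or simply "To find this value:" reads more naturally as a lead-in to the numbered steps. Two minor points in the trailing context: "1. use gdb on the target " carries trailing whitespace, and "set a breakpoint to "main"" would normally be "set a breakpoint on main".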
@@ -77,23 +77,23 @@ Now to get this value right here some help:
 ### 2.4) Resetting the register state
 
 It is very, very likely you need to restore the general purpose registers state
-when starting a new loop. Because of this you 99% of the time should set
+when starting a new loop. Because of this 99% of the time you should set
 
 AFL_QEMU_PERSISTENT_GPR=1
 
-An example, is when you want to use main() as persistent START:
+An example is when you want to use main() as persistent START:
 
 ```c
 int main(int argc, char **argv) {
 
   if (argc < 2) return 1;
   
-  // do stuffs
+  // do stuff
 
 }
 ```
 
-If you don't save and restore the registers in x86_64, the paramteter argc
+If you don't save and restore the registers in x86_64, the parameter `argc`
 will be lost at the second execution of the loop.
 
 ### 2.5) Resetting the memory state
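Review bot: the change to `argc` introduces a code span for one identifier while `main()` and `AFL_QEMU_PERSISTENT_GPR=1` in the same hunk stay as plain text; either back-tick all three or none, for consistency. The first context line, "restore the general purpose registers state", should read "general-purpose register state". Also, "at the second execution of the loop" means the second iteration, which is the clearer word for a persistent loop.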
@@ -112,7 +112,7 @@ The env variable is AFL_QEMU_PERSISTENT_EXITS.
 
 ### 2.7) Snapshot
 
-AFL_QEMU_SNAPSHOT=address is just a shugar env variable that is equivalent to
+AFL_QEMU_SNAPSHOT=address is just a "syntactical sugar" env variable that is equivalent to
 the following set of variables:
 
 ```
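Review bot: the established term is "syntactic sugar", not "syntactical sugar", and the quotation marks around it are unnecessary; "is just syntactic sugar for the following set of variables:" would do. The code fence that ends this hunk has no language tag; since the block lists `VAR=value` assignments, tagging it `sh` helps renderers and keeps it consistent with the ```c fence earlier in the file.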
@@ -140,9 +140,9 @@ the reading of the fuzzing input via a file by reading directly into the
 memory address space of the target process.
 
 All this needs is that the START address has a register that can reach the
-memory buffer or that the memory buffer is at a know location. You probably need
+memory buffer or that the memory buffer is at a known location. You probably need
 the value of the size of the buffer (maybe it is in a register when START is
-hitted).
+hit).
 
 The persistent hook will execute a function on every persistent iteration
 (at the start START) defined in a shared object specified with
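Review bot: the trailing context line "(at the start START)" is garbled and should be "(at the START address)" or simply "(at START)", a typo-class fix that fits this commit. The two spelling fixes in the hunk ("known", "hit") are correct.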
@@ -162,12 +162,12 @@ You have to include `path/to/qemuafl/qemuafl/api.h`.
 
 In this hook, you can inspect and change the saved GPR state at START.
 
-You can also initialize you data structures when QEMU loads the shared object
+You can also initialize your data structures when QEMU loads the shared object
 with:
 
 `int afl_persistent_hook_init(void);`
 
-If this reoutine returns true, the shared mem fuzzing feature of AFL++ is used
+If this routine returns true, the shared mem fuzzing feature of AFL++ is used
 and so the input_buf variables of the hook becomes meaningful. Otherwise,
 you have to read the input from a file like stdin.
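Review bot: the last context lines have a subject-verb mismatch, "the input_buf variables of the hook becomes meaningful", which should be "become"; `input_buf` also deserves backticks, since the hook prototype just above it is already in a code span. "shared mem fuzzing" would read better spelled out as "shared memory fuzzing", and "read the input from a file like stdin" is ambiguous (is stdin given as an example of a file, or is reading from stdin the alternative?); please clarify while the sentence is being touched.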