| author | van Hauser <vh@thc.org> | 2021-12-09 11:55:36 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-12-09 11:55:36 +0100 |
| commit | 08ca4d54a55fe73e64a994c41a12af61f52e497e (patch) | |
| tree | 2d0f060cf98afbe80f5bf810fd6b167a5152be81 /utils/afl_untracer | |
| parent | 773baf9391ff5f1793deb7968366819e7fa07adc (diff) | |
| parent | 4c6d94ea5f854071277ed9729de2d4ef7d07cc84 (diff) | |
| download | afl++-08ca4d54a55fe73e64a994c41a12af61f52e497e.tar.gz | |
Merge pull request #1101 from AFLplusplus/dev
Dev
Diffstat (limited to 'utils/afl_untracer')

| -rw-r--r-- | utils/afl_untracer/README.md | 16 |
|---|---|---|

1 files changed, 11 insertions, 5 deletions
diff --git a/utils/afl_untracer/README.md b/utils/afl_untracer/README.md index ada0c916..da0e0c77 100644 --- a/utils/afl_untracer/README.md +++ b/utils/afl_untracer/README.md @@ -5,9 +5,9 @@ afl-untracer is an example skeleton file which can easily be used to fuzz a closed source library. -It requires less memory and is x3-5 faster than qemu_mode however it is way -more course grained and does not provide interesting features like compcov -or cmplog. +It requires less memory and is x3-5 faster than QEMU mode, however, it is way +more course grained and does not provide interesting features like compcov or +cmplog. Supported is so far Intel (i386/x86_64) and AARCH64. @@ -15,7 +15,7 @@ Supported is so far Intel (i386/x86_64) and AARCH64. ### Modify afl-untracer.c -Read and modify afl-untracer.c then `make`. +Read and modify afl-untracer.c, then `make`. To adapt afl-untracer.c to your needs, read the header of the file and then search and edit the `STEP 1`, `STEP 2` and `STEP 3` locations. @@ -28,28 +28,34 @@ To generate the `patches.txt` file for your target library use the The patches.txt file has to be pointed to by `AFL_UNTRACER_FILE`. To easily run the scripts without needing to run the GUI with Ghidra: + ``` /opt/ghidra/support/analyzeHeadless /tmp/ tmp$$ -import libtestinstr.so -postscript ./ghidra_get_patchpoints.java rm -rf /tmp/tmp$$ ``` + The file is created at `~/Desktop/patches.txt` ### Fuzzing Example (after modifying afl-untracer.c to your needs, compiling and creating patches.txt): + ``` LD_LIBRARY_PATH=/path/to/target/library AFL_UNTRACER_FILE=./patches.txt afl-fuzz -i in -o out -- ./afl-untracer ``` + (or even remote via afl-network-proxy). ### Testing and debugging For testing/debugging you can try: + ``` make DEBUG=1 AFL_UNTRACER_FILE=./patches.txt AFL_DEBUG=1 gdb ./afl-untracer ``` + and then you can easily set breakpoints to "breakpoint" and "fuzz". # Background 
@@ -57,4 +63,4 @@ and then you can easily set breakpoints to "breakpoint" and "fuzz". This idea is based on [UnTracer](https://github.com/FoRTE-Research/UnTracer-AFL) and modified by [Trapfuzz](https://github.com/googleprojectzero/p0tools/tree/master/TrapFuzz). This implementation is slower because the traps are not patched out with each -run, but on the other hand gives much better coverage information. +run, but on the other hand gives much better coverage information. \ No newline at end of file |
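Review bot: the first hunk (@@ -5,9) rewraps the sentence but keeps the misspelling "more course grained"; since the line is being rewritten anyway, change it to "more coarse-grained", and "x3-5 faster" reads more naturally as "3-5x faster".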
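Review bot: in the second hunk (@@ -15,7) the new line "Read and modify afl-untracer.c, then `make`." puts `make` in code formatting but not the file name; for consistency with the rest of the README write "Read and modify `afl-untracer.c`, then `make`."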
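Review bot: the third hunk (@@ -28,28) adds blank lines around the three fenced blocks but leaves the fences untagged; tagging them as ```sh (or ```bash) gives the rendered page syntax highlighting for the shell commands. Two small prose points in the same hunk: "The file is created at `~/Desktop/patches.txt`" has no terminating period, and "(or even remote via afl-network-proxy)." is a dangling fragment after the fence that would read better as a full sentence such as "This also works remotely via afl-network-proxy."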
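Review bot: the last hunk (@@ -57,4) replaces the final line with an identical one and only drops the trailing newline ("\ No newline at end of file"); restore the newline so the file ends with one, at which point this hunk becomes a no-op and can be dropped from the change.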