-rw-r--r--  examples/afl_untracer/README.md              | 32
-rw-r--r--  examples/afl_untracer/ida_get_patchpoints.py |  3
2 files changed, 31 insertions, 4 deletions
diff --git a/examples/afl_untracer/README.md b/examples/afl_untracer/README.md
index 0bd788f3..7d870c42 100644
--- a/examples/afl_untracer/README.md
+++ b/examples/afl_untracer/README.md
@@ -1,4 +1,6 @@
-# afl-untracer
+# afl-untracer - fast fuzzing of binary-only libraries
+
+## Introduction
 
 afl-untracer is an example skeleton file which can easily be used to fuzz
 a closed source library.
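Review bot: the new `## Introduction` heading is a level-2 section, but the other section heading this same patch adds to the file later, `# Background`, is level 1; siblings of `Introduction`, `How-to` and `Background` should share one level, so either demote `# Background` to `## Background` or promote this one. The new title wording "fast fuzzing of binary-only libraries" is fine and matches the existing description in the context lines.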
@@ -7,8 +9,17 @@ It requires less memory and is x3-5 faster than qemu_mode however it is way
 more course grained and does not provide interesting features like compcov
 or cmplog.
 
-Read and modify afl-untracer.c then `make` and use it as the afl-fuzz target
-(or even remote via afl-network-proxy).
+Supported is so far Intel (i386/x86_64) and AARCH64.
+
+## How-to
+
+### Modify afl-untracer.c
+
+Read and modify afl-untracer.c then `make`.
+To adapt afl-untracer.c to your need read the header of the file and then
+search and edit the `STEP 1`, `STEP 2` and `STEP 3` locations.
+
+### Generate patches.txt file
 
 To generate the `patches.txt` file for your target library use the
 `ida_get_patchpoints.py` script for IDA Pro or
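Review bot: while this hunk rewrites the paragraph around the unchanged line "more course grained", fix that typo to "coarse grained" too. Of the new lines, "Supported is so far Intel (i386/x86_64) and AARCH64." reads awkwardly; "Supported so far: Intel (i386/x86_64) and AARCH64." is clearer, and "To adapt afl-untracer.c to your need" should be "to your needs". The two new sentences "Read and modify afl-untracer.c then `make`." and "To adapt afl-untracer.c to your need read the header ... `STEP 3` locations." overlap; merging them into one instruction (read the header, edit the three STEP locations, then `make`) avoids repeating the edit step.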
@@ -16,19 +27,32 @@ To generate the `patches.txt` file for your target library use the
 
 The patches.txt file has to pointed to by `AFL_UNTRACER_FILE`.
 
+To easily run the scripts without needing to run the GUI with Ghidra:
+```
+$ /opt/ghidra/support/analyzeHeadless /tmp/ tmp$$ -import libtestinstr.so -postscript ./ghidra_get_patchpoints.java
+$ rm -rf /tmp/tmp$$
+```
+
+### Fuzzing
+
 Example (after modfying afl-untracer.c to your needs, compiling and creating
 patches.txt):
 ```
 AFL_UNTRACER_FILE=./patches.txt afl-fuzz -i in -o out -- ./afl-untracer
 ```
+(or even remote via afl-network-proxy).
+
+### Testing and debugging
 
-To testing/debugging you can try:
+For testing/debugging you can try:
 ```
 make DEBUG=1
 AFL_UNTRACER_FILE=./patches.txt AFL_DEBUG=1 gdb ./afl-untracer
 ```
 and then you can easily set breakpoints to "breakpoint" and "fuzz".
 
+# Background
+
 This idea is based on [UnTracer](https://github.com/FoRTE-Research/UnTracer-AFL)
 and modified by [Trapfuzz](https://github.com/googleprojectzero/p0tools/tree/master/TrapFuzz).
 This implementation is slower because the traps are not patched out with each
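Review bot: the cleanup line `rm -rf /tmp/tmp$$` in the Ghidra headless example will not remove what `analyzeHeadless /tmp/ tmp$$` creates, because a Ghidra project is stored as `/tmp/tmp$$.gpr` plus a `/tmp/tmp$$.rep/` directory, not as `/tmp/tmp$$`; either remove both (`rm -rf /tmp/tmp$$.gpr /tmp/tmp$$.rep`) or pass analyzeHeadless's `-deleteProject` option and drop the `rm` line altogether. Two context lines in this hunk also carry pre-existing errors worth fixing in the same pass: "The patches.txt file has to pointed to by" should read "has to be pointed to by", and "after modfying afl-untracer.c" should be "modifying". Finally, `# Background` is a level-1 heading while the sibling sections added earlier in this patch (`## Introduction`, `## How-to`) are level 2; use `## Background` for consistency.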
diff --git a/examples/afl_untracer/ida_get_patchpoints.py b/examples/afl_untracer/ida_get_patchpoints.py
index c7e8f899..43cf6d89 100644
--- a/examples/afl_untracer/ida_get_patchpoints.py
+++ b/examples/afl_untracer/ida_get_patchpoints.py
@@ -57,3 +57,6 @@ with open(home + "/Desktop/patches.txt", "w") as f:
     f.write('\n')
 
 print("Done, found {} patchpoints".format(len(patchpoints)))
+
+# For headless script running remove the comment from the next line
+#ida_pro.qexit()
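Review bot: the commented-out `ida_pro.qexit()` will raise a TypeError if a user uncomments it as instructed, because IDAPython's `qexit` takes a required exit-code argument; write it as `#ida_pro.qexit(0)`. The script must also actually import `ida_pro` (no import is visible in this hunk), otherwise uncommenting the line fails with a NameError before the exit is reached; either add `import ida_pro` next to the other imports or have the comment say so.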