diff options
| -rw-r--r-- | custom_mutators/examples/custom_post_run.c | 53 | ||||
| -rw-r--r-- | include/afl-fuzz.h | 12 | ||||
| -rw-r--r-- | src/afl-fuzz-mutators.c | 12 | ||||
| -rw-r--r-- | src/afl-fuzz-run.c | 2 |
4 files changed, 79 insertions, 0 deletions
diff --git a/custom_mutators/examples/custom_post_run.c b/custom_mutators/examples/custom_post_run.c new file mode 100644 index 00000000..073aac96 --- /dev/null +++ b/custom_mutators/examples/custom_post_run.c @@ -0,0 +1,53 @@ +// +// This is an example on how to use afl_custom_post_run +// It executes custom code each time after AFL++ executes the target +// +// cc -O3 -fPIC -shared -g -o custom_send.so -I../../include custom_send.c /////////////////////to_be_edited +// cd ../.. +// afl-cc -o test-instr test-instr.c +// AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/examples/custom_send.so \ +// afl-fuzz -i in -o out -- ./test-instr -f /tmp/foo +// + + +#include "afl-fuzz.h" + +#include <stdint.h> +#include <stdlib.h> +#include <string.h> +#include <stdio.h> + +typedef struct my_mutator { + + afl_state_t *afl; + +} my_mutator_t; + +my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) { + + my_mutator_t *data = calloc(1, sizeof(my_mutator_t)); + if (!data) { + + perror("afl_custom_init alloc"); + return NULL; + + } + + data->afl = afl; + + return data; + +} + +void afl_custom_post_run(my_mutator_t *data, uint8_t *buf, size_t buf_size) { + + printf("hello from afl_custom_post_run\n"); + return; +} + + +void afl_custom_deinit(my_mutator_t *data) { + + free(data); + +} \ No newline at end of file diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 8112d430..7e91dc03 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -1021,6 +1021,18 @@ struct custom_mutator { void (*afl_custom_fuzz_send)(void *data, const u8 *buf, size_t buf_size); /** + * This method can be used if you want to run some code or scripts each time + * AFL++ executes the target with afl-fuzz. + * + * (Optional) + * + * @param data pointer returned in afl_custom_init by this custom mutator + * @param buf Buffer containing the test case + * @param buf_size Size of the test case + */ + void (*afl_custom_post_run)(void *data, const u8 *buf, size_t buf_size); + + /** * Allow for additional analysis (e.g. calling a different tool that does a * different kind of coverage and saves this for the custom mutator). * diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 64dbe7c6..17fb9368 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -397,6 +397,18 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { } + /* "afl_custom_post_run", optional */ + mutator->afl_custom_post_run = dlsym(dh, "afl_custom_post_run"); + if (!mutator->afl_custom_post_run) { + + ACTF("optional symbol 'afl_custom_post_run' not found."); + + } else { + + OKF("Found 'afl_custom_post_run'."); + + } + /* "afl_custom_queue_new_entry", optional */ mutator->afl_custom_queue_new_entry = dlsym(dh, "afl_custom_queue_new_entry"); if (!mutator->afl_custom_queue_new_entry) { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index ac4fb4a9..29cc5352 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -60,6 +60,8 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { fsrv_run_result_t res = afl_fsrv_run_target(fsrv, timeout, &afl->stop_soon); + + #ifdef PROFILING clock_gettime(CLOCK_REALTIME, &spec); time_spent_start = (spec.tv_sec * 1000000000) + spec.tv_nsec; |