-rw-r--r--  frida_mode/DEBUGGING.md                      6
-rw-r--r--  frida_mode/README.md                         2
-rw-r--r--  instrumentation/README.lto.md               12
-rw-r--r--  instrumentation/README.persistent_mode.md   17
-rw-r--r--  src/afl-fuzz-stats.c                         2
m---------  unicorn_mode/unicornafl                      0
-rw-r--r--  utils/plot_ui/Makefile                       2
-rwxr-xr-x  utils/qbdi_mode/README.md                    4
8 files changed, 23 insertions, 22 deletions
diff --git a/frida_mode/DEBUGGING.md b/frida_mode/DEBUGGING.md
index f8d91f2f..69663510 100644
--- a/frida_mode/DEBUGGING.md
+++ b/frida_mode/DEBUGGING.md
@@ -10,7 +10,7 @@ you are very familiar with the implementation of Stalker, the instrumented code
 generated by FRIDA is likely to be very difficult to follow. For this reason,
 the following debugging strategies are outlined below.
 
-Byte convention below all files should be provided with their path (they are
+By convention below all files should be provided with their path (they are
 omitted for readability) and all items in `<braces>` are placeholders and should
 be replaced accordingly.
 
@@ -113,8 +113,8 @@ void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
 ```
 
 ## ASAN
-It is also possible to enalbe ASAN (if that is the configuration you are having
-issues with) without having to use `afl-fuzz` this can be done as follows (note
+It is also possible to enable ASAN (if that is the configuration you are having
+issues with) without having to use `afl-fuzz`. This can be done as follows (note
 that the name of the asan DSO may need to be changed depending on your
 platform). Note that the asan DSO must appear first in the `LD_PRELOAD`
 environment variable:
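Review bot: Capitalisation is inconsistent within this hunk: the heading and the first sentence say `ASAN`, while the unchanged lines say "the asan DSO" twice. Since the sentence is being rewritten anyway, use one spelling (for example "the ASAN DSO") in both places so the section reads consistently.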
diff --git a/frida_mode/README.md b/frida_mode/README.md
index 5e944daa..9f00c294 100644
--- a/frida_mode/README.md
+++ b/frida_mode/README.md
@@ -319,7 +319,7 @@ library and call a target function within it. The dependent library can either
 be loaded in using `dlopen` and `dlsym` in a function marked
 `__attribute__((constructor()))` or the test harness can simply be linked
 against it. It is important that the target library is loaded before execution
-of `main`, since this is the point that FRIDA mode is initialized. Otherwise, it
+of `main`, since this is the point where FRIDA mode is initialized. Otherwise, it
 will not be possible to configure coverage for the test library using
 `AFL_FRIDA_INST_RANGES` or similar.
 
diff --git a/instrumentation/README.lto.md b/instrumentation/README.lto.md
index 38252308..3e9d7585 100644
--- a/instrumentation/README.lto.md
+++ b/instrumentation/README.lto.md
@@ -146,22 +146,22 @@ afl-clang-lto instead of shared libraries!
 To make instrumented shared libraries work with afl-clang-lto you have to do
 quite some extra steps.
 
-Every shared library you want to instrument has to be individually compiled-
+Every shared library you want to instrument has to be individually compiled.
 The environment variable `AFL_LLVM_LTO_DONTWRITEID=1` has to be set during
 compilation.
 Additionally the environment variable `AFL_LLVM_LTO_STARTID` has to be set to
-the combined edge values of all previous compiled instrumented shared
+the added edge count values of all previous compiled instrumented shared
 libraries for that target.
 E.g. for the first shared library this would be `AFL_LLVM_LTO_STARTID=0` and
 afl-clang-lto will then report how many edges have been instrumented (let's say
 it reported 1000 instrumented edges).
 The second shared library then has to be set to that value
-(`AFL_LLVM_LTO_STARTID=1000` in our example), the third to all previous
-combined, etc.
+(`AFL_LLVM_LTO_STARTID=1000` in our example), for the third to all previous
+counts added, etc.
 
 The final program compilation step then may *not* have `AFL_LLVM_LTO_DONTWRITEID`
-set, and `AFL_LLVM_LTO_STARTID` must be set to all combined edges of all shared
-libaries it will be linked to.
+set, and `AFL_LLVM_LTO_STARTID` must be set to all edge counts added of all shared
+libraries it will be linked to.
 
 This is quite some hands-on work, so better stay away from instrumenting
 shared libraries :-)
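Review bot: The new wording in this hunk is still hard to parse. "the added edge count values of all previous compiled instrumented shared libraries" (line 66) and "all edge counts added of all shared libraries it will be linked to" (line 80) read awkwardly; "the sum of the edge counts reported for all previously compiled instrumented shared libraries" and "the sum of the edge counts of all shared libraries it will be linked to" say the same thing more plainly. Likewise "for the third to all previous counts added" would be clearer as "the third to the sum of the first two, and so on".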
diff --git a/instrumentation/README.persistent_mode.md b/instrumentation/README.persistent_mode.md
index 0517886b..c6ba2103 100644
--- a/instrumentation/README.persistent_mode.md
+++ b/instrumentation/README.persistent_mode.md
@@ -2,17 +2,18 @@
 
 ## 1) Introduction
 
-In persistent mode, AFL++ fuzzes a target multiple times
-in a single process, instead of forking a new process for each fuzz execution.
-This is the most effective way to fuzz, as the speed can easily
-be x10 or x20 times faster without any disadvanges.
+In persistent mode, AFL++ fuzzes a target multiple times in a single forked
+process, instead of forking a new process for each fuzz execution.
+This is the most effective way to fuzz, as the speed can easily be x10 or x20
+times faster without any disadvanges.
 *All professional fuzzing uses this mode.*
 
-
 Persistent mode requires that the target can be called in one or more functions,
-and that its state can be reset so that multiple calls can be performed
-without resource leaks and earlier runs will have no impact on future runs
-(this can be seen by the `stability` indicator in the `afl-fuzz` UI).
+and that it's state can be completely reset so that multiple calls can be
+performed without resource leaks, and that earlier runs will have no impact on
+future runs (an indicator for this is the `stability` value in the `afl-fuzz`
+UI, if this decreases to lower values in persistent mode compared to
+non-persistent mode, that the fuzz target keeps state).
 
 Examples can be found in [utils/persistent_mode](../utils/persistent_mode).
 
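Review bot: This hunk introduces a new typo and leaves an old one: "it's state" (line 108) should be "its state", and "disadvanges" (line 100) is still "disadvantages". The parenthetical in lines 110 to 112 is also ungrammatical ("if this decreases ... that the fuzz target keeps state"); something like "(the `stability` value in the `afl-fuzz` UI is an indicator for this: if it is lower in persistent mode than in non-persistent mode, the fuzz target keeps state)" keeps the intended meaning. The change from "a single process" to "a single forked process" is a good clarification of how the forkserver child runs the loop.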
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 1d32d966..eb1fe2d9 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -1339,7 +1339,7 @@ void show_init_stats(afl_state_t *afl) {
 
     }
 
-    ACTF("No -t option specified, so I'll use exec an timeout of %u ms.",
+    ACTF("No -t option specified, so I'll use an exec timeout of %u ms.",
          afl->fsrv.exec_tmout);
 
     afl->timeout_given = 1;
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
-Subproject 9064bca9ba875d868742cdb9251edfaa2d7d294
+Subproject 019b871539fe9ed3f41d882385a8b02c243d49a
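Review bot: The `unicorn_mode/unicornafl` submodule pointer is bumped here with no explanation, and it is the only non-documentation change in a set that is otherwise typo and wording fixes. The commit description should state which unicornafl change this pulls in (or that it is a routine sync), so that the reason for the new submodule revision is traceable.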
diff --git a/utils/plot_ui/Makefile b/utils/plot_ui/Makefile
index 7ade8a40..b2013248 100644
--- a/utils/plot_ui/Makefile
+++ b/utils/plot_ui/Makefile
@@ -7,4 +7,4 @@ afl-plot-ui:	afl-plot-ui.c
 	$(CC) $(CFLAGS) -o afl-plot-ui afl-plot-ui.c $(LDFLAGS)
 
 clean:
-	rm -f afl-plot-ui
\ No newline at end of file
+	rm -f afl-plot-ui
diff --git a/utils/qbdi_mode/README.md b/utils/qbdi_mode/README.md
index a68da616..8b768906 100755
--- a/utils/qbdi_mode/README.md
+++ b/utils/qbdi_mode/README.md
@@ -1,8 +1,8 @@
 # qbdi-based binary-only instrumentation for afl-fuzz
 
 NOTE: this code is outdated and first would need to be adapted to the current
-AFL++ versions first.
-Try frida_mode/ or fpicker [https://github.com/ttdennis/fpicker/](https://github.com/ttdennis/fpicker/) first, maybe they suite your need.
+AFL++ versions.
+Try frida_mode or fpicker [https://github.com/ttdennis/fpicker/](https://github.com/ttdennis/fpicker/) first, maybe they suite your need.
 
 ## 1) Introduction
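Review bot: "maybe they suite your need" in the rewritten line 154 should be "maybe they suit your needs"; the line is already being edited, so fix it in the same change. Dropping the duplicated "first" in the preceding sentence is good.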