diff options
Diffstat (limited to 'custom_mutators/honggfuzz/honggfuzz.c')
| -rw-r--r-- | custom_mutators/honggfuzz/honggfuzz.c | 143 |
1 files changed, 143 insertions, 0 deletions
diff --git a/custom_mutators/honggfuzz/honggfuzz.c b/custom_mutators/honggfuzz/honggfuzz.c new file mode 100644 index 00000000..bde922c6 --- /dev/null +++ b/custom_mutators/honggfuzz/honggfuzz.c @@ -0,0 +1,143 @@ +#include <stdio.h> +#include <stdint.h> +#include <stdlib.h> +#include <string.h> + +#include "custom_mutator_helpers.h" +#include "mangle.h" + +#define NUMBER_OF_MUTATIONS 5 + +uint8_t * queue_input; +size_t queue_input_size; +afl_state_t * afl_struct; +run_t run; +honggfuzz_t global; +struct _dynfile_t dynfile; + +typedef struct my_mutator { + + afl_state_t *afl; + run_t * run; + u8 * mutator_buf; + unsigned int seed; + unsigned int extras_cnt, a_extras_cnt; + +} my_mutator_t; + +my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) { + + my_mutator_t *data = calloc(1, sizeof(my_mutator_t)); + if (!data) { + + perror("afl_custom_init alloc"); + return NULL; + + } + + if ((data->mutator_buf = malloc(MAX_FILE)) == NULL) { + + perror("mutator_buf alloc"); + return NULL; + + } + + run.dynfile = &dynfile; + run.global = &global; + data->afl = afl; + data->seed = seed; + data->run = &run; + afl_struct = afl; + + run.global->mutate.maxInputSz = MAX_FILE; + run.global->mutate.mutationsPerRun = NUMBER_OF_MUTATIONS; + run.mutationsPerRun = NUMBER_OF_MUTATIONS; + run.global->timing.lastCovUpdate = 6; + + // global->feedback.cmpFeedback + // global->feedback.cmpFeedbackMap + + return data; + +} + +/* When a new queue entry is added we check if there are new dictionary + entries to add to honggfuzz structure */ + +void afl_custom_queue_new_entry(my_mutator_t * data, + const uint8_t *filename_new_queue, + const uint8_t *filename_orig_queue) { + + if (run.global->mutate.dictionaryCnt >= 1024) return; + + while (data->extras_cnt < data->afl->extras_cnt && + run.global->mutate.dictionaryCnt < 1024) { + + memcpy(run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].val, + data->afl->extras[data->extras_cnt].data, + data->afl->extras[data->extras_cnt].len); + run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].len = + data->afl->extras[data->extras_cnt].len; + run.global->mutate.dictionaryCnt++; + data->extras_cnt++; + + } + + while (data->a_extras_cnt < data->afl->a_extras_cnt && + run.global->mutate.dictionaryCnt < 1024) { + + memcpy(run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].val, + data->afl->a_extras[data->a_extras_cnt].data, + data->afl->a_extras[data->a_extras_cnt].len); + run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].len = + data->afl->a_extras[data->a_extras_cnt].len; + run.global->mutate.dictionaryCnt++; + data->a_extras_cnt++; + + } + +} + +/* we could set only_printable if is_ascii is set ... let's see +uint8_t afl_custom_queue_get(void *data, const uint8_t *filename) { + + //run.global->cfg.only_printable = ... + +} + +*/ + +/* here we run the honggfuzz mutator, which is really good */ + +size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, + u8 **out_buf, uint8_t *add_buf, size_t add_buf_size, + size_t max_size) { + + /* set everything up, costly ... :( */ + memcpy(data->mutator_buf, buf, buf_size); + queue_input = data->mutator_buf; + run.dynfile->data = data->mutator_buf; + queue_input_size = buf_size; + run.dynfile->size = buf_size; + *out_buf = data->mutator_buf; + + /* the mutation */ + mangle_mangleContent(&run, NUMBER_OF_MUTATIONS); + + /* return size of mutated data */ + return run.dynfile->size; + +} + +/** + * Deinitialize everything + * + * @param data The data ptr from afl_custom_init + */ +void afl_custom_deinit(my_mutator_t *data) { + + free(data->mutator_buf); + free(data); + +} + |