Diffstat (limited to 'src/afl-common.c')
-rw-r--r-- | src/afl-common.c | 175 |
1 files changed, 175 insertions, 0 deletions
diff --git a/src/afl-common.c b/src/afl-common.c
index 62722cb9..0d690831 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -35,6 +35,8 @@
 #include <unistd.h>
 #endif
+u8 *target_path; /* Path to target binary */
+
 void detect_file_args(char** argv, u8* prog_in) {
 u32 i = 0;
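Review bot: The comment on the new `target_path` global describes it only as the path to the target binary, but the two functions added later in this commit reassign it (`target_path = new_argv[0] = cp;`) to the afl-qemu-trace / afl-wine-trace loader path once the original value has been copied into the rebuilt argv, so readers of this variable after those calls get the loader, not the target. Suggest `/* Path to target binary; get_qemu_argv()/get_wine_argv() repoint it at the QEMU/Wine loader after placing the original target in the new argv */`. The definition is non-static and no extern declaration appears in this hunk, so presumably afl-common.h declares it — worth confirming.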
@@ -95,3 +97,176 @@ void detect_file_args(char** argv, u8* prog_in) {
 }
+
+/* Rewrite argv for QEMU. */
+
+char** get_qemu_argv(u8* own_loc, char** argv, int argc) {
+
+ char** new_argv = ck_alloc(sizeof(char*) * (argc + 4));
+ u8 * tmp, *cp, *rsl, *own_copy;
+
+ memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc);
+
+ new_argv[2] = target_path;
+ new_argv[1] = "--";
+
+ /* Now we need to actually find the QEMU binary to put in argv[0]. */
+
+ tmp = getenv("AFL_PATH");
+
+ if (tmp) {
+
+ cp = alloc_printf("%s/afl-qemu-trace", tmp);
+
+ if (access(cp, X_OK)) FATAL("Unable to find '%s'", tmp);
+
+ target_path = new_argv[0] = cp;
+ return new_argv;
+
+ }
+
+ own_copy = ck_strdup(own_loc);
+ rsl = strrchr(own_copy, '/');
+
+ if (rsl) {
+
+ *rsl = 0;
+
+ cp = alloc_printf("%s/afl-qemu-trace", own_copy);
+ ck_free(own_copy);
+
+ if (!access(cp, X_OK)) {
+
+ target_path = new_argv[0] = cp;
+ return new_argv;
+
+ }
+
+ } else
+
+ ck_free(own_copy);
+
+ if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) {
+
+ target_path = new_argv[0] = ck_strdup(BIN_PATH "/afl-qemu-trace");
+ return new_argv;
+
+ }
+
+ SAYF("\n" cLRD "[-] " cRST
+ "Oops, unable to find the 'afl-qemu-trace' binary. The binary must be "
+ "built\n"
+ " separately by following the instructions in qemu_mode/README.qemu. "
+ "If you\n"
+ " already have the binary installed, you may need to specify "
+ "AFL_PATH in the\n"
+ " environment.\n\n"
+
+ " Of course, even without QEMU, afl-fuzz can still work with "
+ "binaries that are\n"
+ " instrumented at compile time with afl-gcc. It is also possible to "
+ "use it as a\n"
+ " traditional \"dumb\" fuzzer by specifying '-n' in the command "
+ "line.\n");
+
+ FATAL("Failed to locate 'afl-qemu-trace'.");
+
+}
+
+/* Rewrite argv for Wine+QEMU. */
+
+char** get_wine_argv(u8* own_loc, char** argv, int argc) {
+
+ char** new_argv = ck_alloc(sizeof(char*) * (argc + 3));
+ u8 * tmp, *cp, *rsl, *own_copy;
+
+ memcpy(new_argv + 2, argv + 1, sizeof(char*) * argc);
+
+ new_argv[1] = target_path;
+
+ /* Now we need to actually find the QEMU binary to put in argv[0]. */
+
+ tmp = getenv("AFL_PATH");
+
+ if (tmp) {
+
+ cp = alloc_printf("%s/afl-qemu-trace", tmp);
+
+ if (access(cp, X_OK)) FATAL("Unable to find '%s'", tmp);
+
+ ck_free(cp);
+
+ cp = alloc_printf("%s/afl-wine-trace", tmp);
+
+ if (access(cp, X_OK)) FATAL("Unable to find '%s'", tmp);
+
+ target_path = new_argv[0] = cp;
+ return new_argv;
+
+ }
+
+ own_copy = ck_strdup(own_loc);
+ rsl = strrchr(own_copy, '/');
+
+ if (rsl) {
+
+ *rsl = 0;
+
+ cp = alloc_printf("%s/afl-qemu-trace", own_copy);
+ ck_free(own_copy);
+
+ if (!access(cp, X_OK)) {
+
+ ck_free(cp);
+
+ cp = alloc_printf("%s/afl-wine-trace", own_copy);
+
+ if (!access(cp, X_OK)) {
+
+ target_path = new_argv[0] = cp;
+ return new_argv;
+
+ }
+
+ }
+
+ } else
+
+ ck_free(own_copy);
+
+ u8 *ncp = BIN_PATH "/afl-qemu-trace";
+
+ if (!access(ncp, X_OK)) {
+
+ ncp = BIN_PATH "/afl-wine-trace";
+
+ if (!access(ncp, X_OK)) {
+
+ target_path = new_argv[0] = ck_strdup(ncp);
+ return new_argv;
+
+ }
+
+ }
+
+ SAYF("\n" cLRD "[-] " cRST
+ "Oops, unable to find the '%s' binary. The binary must be "
+ "built\n"
+ " separately by following the instructions in qemu_mode/README.qemu. "
+ "If you\n"
+ " already have the binary installed, you may need to specify "
+ "AFL_PATH in the\n"
+ " environment.\n\n"
+
+ " Of course, even without QEMU, afl-fuzz can still work with "
+ "binaries that are\n"
+ " instrumented at compile time with afl-gcc. It is also possible to "
+ "use it as a\n"
+ " traditional \"dumb\" fuzzer by specifying '-n' in the command "
+ "line.\n", ncp);
+
+ FATAL("Failed to locate '%s'.", ncp);
+
+}
+
+
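Review bot: In get_wine_argv's `if (rsl)` branch, `own_copy` is released by `ck_free(own_copy);` immediately after the first `alloc_printf("%s/afl-qemu-trace", own_copy)`, and then passed again to `alloc_printf("%s/afl-wine-trace", own_copy)` inside the `if (!access(cp, X_OK))` block — a use-after-free, so the argv[0] chosen for the Wine loader is formatted from memory the allocator has already reclaimed. The same branch leaks `cp` whenever afl-wine-trace is not found next to afl-qemu-trace, and get_qemu_argv's `if (rsl)` branch leaks `cp` when its probe fails; freeing `own_copy` only after the second `alloc_printf` and releasing the failed probe path on the fall-through fixes both. Separately, both `FATAL("Unable to find '%s'", tmp)` calls print the AFL_PATH directory rather than the probed file `cp`, so the message never names the binary that was actually missing.
```c
  if (rsl) {

    *rsl = 0;

    cp = alloc_printf("%s/afl-qemu-trace", own_copy);

    if (!access(cp, X_OK)) {

      ck_free(cp);
      cp = alloc_printf("%s/afl-wine-trace", own_copy);  /* own_copy still live here */

      if (!access(cp, X_OK)) {

        ck_free(own_copy);
        target_path = new_argv[0] = cp;
        return new_argv;

      }

    }

    /* neither probe succeeded: release the last probe path and the dir copy */
    ck_free(cp);
    ck_free(own_copy);

  } else

    ck_free(own_copy);

  /* … unchanged: BIN_PATH fallback and error message … */
```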