From 39ad3b89467d6de12cbb9d08ccd77d331c0d1f9e Mon Sep 17 00:00:00 2001
From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Date: Wed, 28 Apr 2021 09:25:26 +0100
Subject: Frida persistent (#880)

* Added x64 support for persistent mode (function call only), in-memory teest cases and complog

* Review changes, fix NeverZero and code to parse the .text section of the main executable. Excluded ranges TBC

* Various minor fixes and finished support for AFL_INST_LIBS

* Review changes

Co-authored-by: Your Name <you@example.com>
---
 frida_mode/src/persistent/persistent.c | 68 ++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 frida_mode/src/persistent/persistent.c

(limited to 'frida_mode/src/persistent/persistent.c')

diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c
new file mode 100644
index 00000000..fe3a1d20
--- /dev/null
+++ b/frida_mode/src/persistent/persistent.c
@@ -0,0 +1,68 @@
+#include <dlfcn.h>
+
+#include "frida-gum.h"
+
+#include "config.h"
+#include "debug.h"
+
+#include "persistent.h"
+#include "util.h"
+
+int                    __afl_sharedmem_fuzzing = 0;
+afl_persistent_hook_fn hook = NULL;
+guint64                persistent_start = 0;
+guint64                persistent_count = 0;
+
+void persistent_init(void) {
+
+  char *hook_name = getenv("AFL_FRIDA_PERSISTENT_HOOK");
+
+  persistent_start = util_read_address("AFL_FRIDA_PERSISTENT_ADDR");
+  persistent_count = util_read_num("AFL_FRIDA_PERSISTENT_CNT");
+
+  if (persistent_count != 0 && persistent_start == 0)
+    FATAL(
+        "AFL_FRIDA_PERSISTENT_ADDR must be specified if "
+        "AFL_FRIDA_PERSISTENT_CNT is");
+
+  if (persistent_start != 0 && persistent_count == 0) persistent_count = 1000;
+
+  if (persistent_count != 0 && persistent_count < 100)
+    WARNF("Persistent count out of recommended range (<100)");
+
+  if (persistent_count > 10000)
+    WARNF("Persistent count out of recommended range (<10000)");
+
+  if (persistent_start != 0 && !persistent_is_supported())
+    FATAL("Persistent mode not supported on this architecture");
+
+  OKF("Instrumentation - persistent mode [%c] (0x%016lX)",
+      persistent_start == 0 ? ' ' : 'X', persistent_start);
+  OKF("Instrumentation - persistent count [%c] (%ld)",
+      persistent_start == 0 ? ' ' : 'X', persistent_count);
+  OKF("Instrumentation - hook [%s]", hook_name);
+
+  if (hook_name != NULL) {
+
+    void *hook_obj = dlopen(hook_name, RTLD_NOW);
+    if (hook_obj == NULL)
+      FATAL("Failed to load AFL_FRIDA_PERSISTENT_HOOK (%s)", hook_name);
+
+    int (*afl_persistent_hook_init_ptr)(void) =
+        dlsym(hook_obj, "afl_persistent_hook_init");
+    if (afl_persistent_hook_init_ptr == NULL)
+      FATAL("Failed to find afl_persistent_hook_init in %s", hook_name);
+
+    if (afl_persistent_hook_init_ptr() == 0)
+      FATAL("afl_persistent_hook_init returned a failure");
+
+    hook = (afl_persistent_hook_fn)dlsym(hook_obj, "afl_persistent_hook");
+    if (hook == NULL)
+      FATAL("Failed to find afl_persistent_hook in %s", hook_name);
+
+    __afl_sharedmem_fuzzing = 1;
+
+  }
+
+}
+
-- 
cgit 1.4.1


From da65eef57279dae7b652c40bdb31bc6cd749f63d Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Wed, 28 Apr 2021 12:57:29 +0200
Subject: fix frida mode

---
 frida_mode/GNUmakefile                 | 6 +++---
 frida_mode/include/persistent.h        | 7 ++++++-
 frida_mode/src/lib.c                   | 2 +-
 frida_mode/src/persistent/persistent.c | 3 ---
 4 files changed, 10 insertions(+), 8 deletions(-)

(limited to 'frida_mode/src/persistent/persistent.c')

diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index 51107910..6b193806 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -5,7 +5,7 @@ SRC_DIR:=$(PWD)src/
 INCLUDES:=$(wildcard $(INC_DIR)*.h)
 SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c)
 BUILD_DIR:=$(PWD)build/
-CFLAGS+=-fPIC -D_GNU_SOURCE -Wno-prio-ctor-dtor
+CFLAGS+=-fPIC -D_GNU_SOURCE -Wno-prio-ctor-dtor -fcommon -Wl,--allow-multiple-definition
 
 FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/
 FRIDA_TRACE:=$(BUILD_DIR)afl-frida-trace.so
@@ -71,8 +71,8 @@ $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(SOURCES) $(QEMU_INC_A
 		-I $(ROOT) \
 		-I $(ROOT)include \
 		-I $(INC_DIR) \
-		$(ROOT)instrumentation/afl-compiler-rt.o.c \
-		-lpthread -ldl -lresolv -lelf
+		$(ROOT)instrumentation/afl-compiler-rt.o.c
+#		-lpthread -ldl -lresolv -lelf
 
 	cp -v $(FRIDA_TRACE) $(ROOT)
 
diff --git a/frida_mode/include/persistent.h b/frida_mode/include/persistent.h
index 14c8a268..017c26c7 100644
--- a/frida_mode/include/persistent.h
+++ b/frida_mode/include/persistent.h
@@ -1,5 +1,9 @@
-#include "frida-gum.h"
 
+#ifndef _PERSISTENT_H
+
+#define _PERSISTENT_H
+
+#include "frida-gum.h"
 #include "config.h"
 
 typedef struct arch_api_regs api_regs;
@@ -24,3 +28,4 @@ gboolean persistent_is_supported(void);
 
 void persistent_prologue(GumStalkerOutput *output);
 
+#endif
diff --git a/frida_mode/src/lib.c b/frida_mode/src/lib.c
index 326d4819..6e27c170 100644
--- a/frida_mode/src/lib.c
+++ b/frida_mode/src/lib.c
@@ -1,6 +1,6 @@
 #include <elf.h>
 #include <fcntl.h>
-#include <linux/limits.h>
+#include <limits.h>
 #include <stdio.h>
 #include <sys/mman.h>
 #include <unistd.h>
diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c
index fe3a1d20..34e4093e 100644
--- a/frida_mode/src/persistent/persistent.c
+++ b/frida_mode/src/persistent/persistent.c
@@ -9,9 +9,6 @@
 #include "util.h"
 
 int                    __afl_sharedmem_fuzzing = 0;
-afl_persistent_hook_fn hook = NULL;
-guint64                persistent_start = 0;
-guint64                persistent_count = 0;
 
 void persistent_init(void) {
 
-- 
cgit 1.4.1


From 3a0d4fe0d0a585d152a59ca4601d1981cedbf113 Mon Sep 17 00:00:00 2001
From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Date: Wed, 28 Apr 2021 18:26:19 +0100
Subject: Bumped warnings up to the max and fixed remaining issues (#890)

Co-authored-by: Your Name <you@example.com>
---
 frida_mode/GNUmakefile                     | 64 +++++++++++++++++++++++++-----
 frida_mode/include/complog.h               |  5 +++
 frida_mode/include/instrument.h            | 11 +++--
 frida_mode/include/interceptor.h           |  5 +++
 frida_mode/include/lib.h                   |  5 +++
 frida_mode/include/persistent.h            |  8 ++--
 frida_mode/include/prefetch.h              |  5 +++
 frida_mode/include/ranges.h                |  5 +++
 frida_mode/include/stalker.h               |  5 +++
 frida_mode/include/util.h                  |  8 ++++
 frida_mode/src/complog/complog.c           |  3 ++
 frida_mode/src/complog/complog_x64.c       | 50 ++++++++++-------------
 frida_mode/src/instrument/instrument.c     |  9 +++--
 frida_mode/src/interceptor.c               |  2 +-
 frida_mode/src/main.c                      |  7 ++--
 frida_mode/src/persistent/persistent.c     |  3 ++
 frida_mode/src/persistent/persistent_x64.c |  2 +-
 frida_mode/src/ranges.c                    | 19 ++++-----
 frida_mode/test/png/GNUmakefile            |  1 -
 19 files changed, 153 insertions(+), 64 deletions(-)

(limited to 'frida_mode/src/persistent/persistent.c')

diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index 6b193806..e317237a 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -3,9 +3,25 @@ ROOT:=$(shell realpath $(PWD)..)/
 INC_DIR:=$(PWD)include/
 SRC_DIR:=$(PWD)src/
 INCLUDES:=$(wildcard $(INC_DIR)*.h)
-SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c)
 BUILD_DIR:=$(PWD)build/
-CFLAGS+=-fPIC -D_GNU_SOURCE -Wno-prio-ctor-dtor -fcommon -Wl,--allow-multiple-definition
+OBJ_DIR:=$(BUILD_DIR)obj/
+SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c)
+OBJS:=$(foreach src,$(SOURCES),$(OBJ_DIR)$(notdir $(patsubst %.c, %.o, $(src))))
+CFLAGS+=-fPIC \
+		-D_GNU_SOURCE \
+		-D_FORTIFY_SOURCE=2 \
+		-Werror \
+		-Wall \
+		-Wextra \
+		-Wpointer-arith \
+		-g \
+		-O3 \
+		-funroll-loops \
+
+LDFLAGS+=-shared \
+		 -lpthread \
+		 -lresolv \
+		 -ldl \
 
 FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/
 FRIDA_TRACE:=$(BUILD_DIR)afl-frida-trace.so
@@ -36,7 +52,8 @@ GUM_DEVKIT_TARBALL:=$(FRIDA_BUILD_DIR)$(GUM_DEVKIT_FILENAME)
 GUM_DEVIT_LIBRARY=$(FRIDA_BUILD_DIR)libfrida-gum.a
 GUM_DEVIT_HEADER=$(FRIDA_BUILD_DIR)frida-gum.h
 
-TEST_BUILD_DIR:=$(BUILD_DIR)test/
+AFL_COMPILER_RT_SRC:=$(ROOT)instrumentation/afl-compiler-rt.o.c
+AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o
 
 
 .PHONY: all clean format
@@ -49,6 +66,9 @@ all: $(FRIDA_TRACE)
 $(BUILD_DIR):
 	mkdir -p $(BUILD_DIR)
 
+$(OBJ_DIR): | $(BUILD_DIR)
+	mkdir -p $@
+
 $(FRIDA_BUILD_DIR): | $(BUILD_DIR)
 	mkdir -p $@
 
@@ -61,18 +81,40 @@ $(GUM_DEVIT_LIBRARY): | $(GUM_DEVKIT_TARBALL)
 $(GUM_DEVIT_HEADER): | $(GUM_DEVKIT_TARBALL)
 	tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR)
 
-$(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(SOURCES) $(QEMU_INC_API) Makefile | $(BUILD_DIR)
-	$(CC) -shared \
+$(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC)
+	$(CC) \
 		$(CFLAGS) \
-		-o $@ \
-		$(SOURCES) \
-		$(GUM_DEVIT_LIBRARY) \
-		-I $(FRIDA_BUILD_DIR) \
 		-I $(ROOT) \
 		-I $(ROOT)include \
+		-Wno-unused-parameter \
+		-Wno-sign-compare \
+		-Wno-unused-function \
+		-Wno-prio-ctor-dtor \
+		-Wno-unused-result \
+		-o $@ \
+		-c $<
+
+
+define BUILD_SOURCE =
+$(2): $(1) GNUmakefile | $(OBJ_DIR)
+	$(CC) \
+		$(CFLAGS) \
+		-I $(ROOT)include \
+		-I $(FRIDA_BUILD_DIR) \
 		-I $(INC_DIR) \
-		$(ROOT)instrumentation/afl-compiler-rt.o.c
-#		-lpthread -ldl -lresolv -lelf
+		-c $1 \
+		-o $2
+endef
+
+$(foreach src,$(SOURCES),$(eval $(call BUILD_SOURCE,$(src),$(OBJ_DIR)$(notdir $(patsubst %.c, %.o, $(src))))))
+
+$(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(AFL_COMPILER_RT_OBJ) GNUmakefile | $(BUILD_DIR)
+	$(CC) \
+		-o $@ \
+		$(OBJS) \
+		$(GUM_DEVIT_LIBRARY) \
+		$(AFL_COMPILER_RT_OBJ) \
+		$(LDFLAGS) \
 
 	cp -v $(FRIDA_TRACE) $(ROOT)
 
diff --git a/frida_mode/include/complog.h b/frida_mode/include/complog.h
index 094b7b93..1c1adb6d 100644
--- a/frida_mode/include/complog.h
+++ b/frida_mode/include/complog.h
@@ -1,3 +1,6 @@
+#ifndef _COMPLOG_H
+#define _COMPLOG_H
+
 extern struct cmp_map *__afl_cmp_map;
 
 void complog_init(void);
@@ -7,3 +10,5 @@ void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator);
 
 gboolean complog_is_readable(void *addr, size_t size);
 
+#endif
+
diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h
index 1b6c6bba..03fd33e5 100644
--- a/frida_mode/include/instrument.h
+++ b/frida_mode/include/instrument.h
@@ -1,10 +1,13 @@
+#ifndef _INSTRUMENT_H
+#define _INSTRUMENT_H
+
 #include "frida-gum.h"
 
 #include "config.h"
 
-extern uint64_t __thread previous_pc;
-extern uint8_t *__afl_area_ptr;
-extern uint32_t __afl_map_size;
+extern __thread uint64_t previous_pc;
+extern uint8_t *         __afl_area_ptr;
+extern uint32_t          __afl_map_size;
 
 void instrument_init(void);
 
@@ -16,3 +19,5 @@ gboolean instrument_is_coverage_optimize_supported(void);
 void instrument_coverage_optimize(const cs_insn *   instr,
                                   GumStalkerOutput *output);
 
+#endif
+
diff --git a/frida_mode/include/interceptor.h b/frida_mode/include/interceptor.h
index 49c0630a..0ff754a4 100644
--- a/frida_mode/include/interceptor.h
+++ b/frida_mode/include/interceptor.h
@@ -1,6 +1,11 @@
+#ifndef _INTERCEPTOR_H
+#define _INTERCEPTOR_H
+
 #include "frida-gum.h"
 
 void intercept(void *address, gpointer replacement, gpointer user_data);
 void unintercept(void *address);
 void unintercept_self(void);
 
+#endif
+
diff --git a/frida_mode/include/lib.h b/frida_mode/include/lib.h
index 1dc426a2..237aecb0 100644
--- a/frida_mode/include/lib.h
+++ b/frida_mode/include/lib.h
@@ -1,3 +1,6 @@
+#ifndef _LIB_H
+#define _LIB_H
+
 #include "frida-gum.h"
 
 void lib_init(void);
@@ -6,3 +9,5 @@ guint64 lib_get_text_base(void);
 
 guint64 lib_get_text_limit(void);
 
+#endif
+
diff --git a/frida_mode/include/persistent.h b/frida_mode/include/persistent.h
index 017c26c7..e58c5301 100644
--- a/frida_mode/include/persistent.h
+++ b/frida_mode/include/persistent.h
@@ -1,6 +1,5 @@
 
 #ifndef _PERSISTENT_H
-
 #define _PERSISTENT_H
 
 #include "frida-gum.h"
@@ -17,9 +16,9 @@ extern int __afl_persistent_loop(unsigned int max_cnt);
 extern unsigned int * __afl_fuzz_len;
 extern unsigned char *__afl_fuzz_ptr;
 
-guint64                persistent_start;
-guint64                persistent_count;
-afl_persistent_hook_fn hook;
+extern guint64                persistent_start;
+extern guint64                persistent_count;
+extern afl_persistent_hook_fn hook;
 
 void persistent_init(void);
 
@@ -29,3 +28,4 @@ gboolean persistent_is_supported(void);
 void persistent_prologue(GumStalkerOutput *output);
 
 #endif
+
diff --git a/frida_mode/include/prefetch.h b/frida_mode/include/prefetch.h
index 110f717f..8f0cee68 100644
--- a/frida_mode/include/prefetch.h
+++ b/frida_mode/include/prefetch.h
@@ -1,6 +1,11 @@
+#ifndef _PREFETCH_H
+#define _PREFETCH_H
+
 #include "frida-gum.h"
 
 void prefetch_init(void);
 void prefetch_write(void *addr);
 void prefetch_read(void);
 
+#endif
+
diff --git a/frida_mode/include/ranges.h b/frida_mode/include/ranges.h
index a021f35c..f652eb8a 100644
--- a/frida_mode/include/ranges.h
+++ b/frida_mode/include/ranges.h
@@ -1,6 +1,11 @@
+#ifndef _RANGES_H
+#define _RANGES_H
+
 #include "frida-gum.h"
 
 void ranges_init(void);
 
 gboolean range_is_excluded(gpointer address);
 
+#endif
+
diff --git a/frida_mode/include/stalker.h b/frida_mode/include/stalker.h
index 1962eec9..1f1abb6b 100644
--- a/frida_mode/include/stalker.h
+++ b/frida_mode/include/stalker.h
@@ -1,3 +1,6 @@
+#ifndef _STALKER_H
+#define _STALKER_H
+
 #include "frida-gum.h"
 
 void        stalker_init(void);
@@ -6,3 +9,5 @@ void        stalker_start(void);
 void        stalker_pause(void);
 void        stalker_resume(void);
 
+#endif
+
diff --git a/frida_mode/include/util.h b/frida_mode/include/util.h
index 5b4ea76b..afd0b9c1 100644
--- a/frida_mode/include/util.h
+++ b/frida_mode/include/util.h
@@ -1,6 +1,14 @@
+#ifndef _UTIL_H
+#define _UTIL_H
+
 #include "frida-gum.h"
 
+#define UNUSED_PARAMETER(x) (void)(x)
+#define IGNORED_RERURN(x) (void)!(x)
+
 guint64 util_read_address(char *key);
 
 guint64 util_read_num(char *key);
 
+#endif
+
diff --git a/frida_mode/src/complog/complog.c b/frida_mode/src/complog/complog.c
index 3b679a5c..1857ea3b 100644
--- a/frida_mode/src/complog/complog.c
+++ b/frida_mode/src/complog/complog.c
@@ -2,6 +2,7 @@
 
 #include "debug.h"
 #include "cmplog.h"
+#include "util.h"
 
 extern struct cmp_map *__afl_cmp_map;
 
@@ -10,8 +11,10 @@ static GArray *complog_ranges = NULL;
 static gboolean complog_range(const GumRangeDetails *details,
                               gpointer               user_data) {
 
+  UNUSED_PARAMETER(user_data);
   GumMemoryRange range = *details->range;
   g_array_append_val(complog_ranges, range);
+  return TRUE;
 
 }
 
diff --git a/frida_mode/src/complog/complog_x64.c b/frida_mode/src/complog/complog_x64.c
index 253ec041..28010e7f 100644
--- a/frida_mode/src/complog/complog_x64.c
+++ b/frida_mode/src/complog/complog_x64.c
@@ -4,6 +4,7 @@
 #include "cmplog.h"
 
 #include "complog.h"
+#include "util.h"
 
 #if defined(__x86_64__)
 
@@ -148,7 +149,27 @@ static guint64 complog_read_mem(GumX64CpuContext *ctx, x86_op_mem *mem) {
 
 }
 
-static void complog_handle_call(GumCpuContext *context, guint64 target) {
+static guint64 cmplog_get_operand_value(GumCpuContext *context,
+                                        complog_ctx_t *ctx) {
+
+  switch (ctx->type) {
+
+    case X86_OP_REG:
+      return complog_read_reg(context, ctx->reg);
+    case X86_OP_IMM:
+      return ctx->imm;
+    case X86_OP_MEM:
+      return complog_read_mem(context, &ctx->mem);
+    default:
+      FATAL("Invalid operand type: %d\n", ctx->type);
+
+  }
+
+}
+
+static void complog_call_callout(GumCpuContext *context, gpointer user_data) {
+
+  UNUSED_PARAMETER(user_data);
 
   guint64 address = complog_read_reg(context, X86_REG_RIP);
   guint64 rdi = complog_read_reg(context, X86_REG_RDI);
@@ -179,33 +200,6 @@ static void complog_handle_call(GumCpuContext *context, guint64 target) {
 
 }
 
-static guint64 cmplog_get_operand_value(GumCpuContext *context,
-                                        complog_ctx_t *ctx) {
-
-  switch (ctx->type) {
-
-    case X86_OP_REG:
-      return complog_read_reg(context, ctx->reg);
-    case X86_OP_IMM:
-      return ctx->imm;
-    case X86_OP_MEM:
-      return complog_read_mem(context, &ctx->mem);
-    default:
-      FATAL("Invalid operand type: %d\n", ctx->type);
-
-  }
-
-}
-
-static void complog_call_callout(GumCpuContext *context, gpointer user_data) {
-
-  complog_ctx_t *ctx = (complog_ctx_t *)user_data;
-
-  guint64 target = cmplog_get_operand_value(context, ctx);
-  complog_handle_call(context, target);
-
-}
-
 static void complog_instrument_put_operand(complog_ctx_t *ctx,
                                            cs_x86_op *    operand) {
 
diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c
index 81080bee..3806136a 100644
--- a/frida_mode/src/instrument/instrument.c
+++ b/frida_mode/src/instrument/instrument.c
@@ -11,17 +11,18 @@
 #include "prefetch.h"
 #include "ranges.h"
 #include "stalker.h"
+#include "util.h"
 
 static gboolean               tracing = false;
 static gboolean               optimize = false;
-static gboolean               strict = false;
 static GumStalkerTransformer *transformer = NULL;
 
-uint64_t __thread previous_pc = 0;
+__thread uint64_t previous_pc = 0;
 
 __attribute__((hot)) static void on_basic_block(GumCpuContext *context,
                                                 gpointer       user_data) {
 
+  UNUSED_PARAMETER(context);
   /*
    * This function is performance critical as it is called to instrument every
    * basic block. By moving our print buffer to a global, we avoid it affecting
@@ -44,7 +45,7 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context,
                    "x, previous_pc: 0x%016" G_GINT64_MODIFIER "x\n",
                    current_pc, previous_pc);
 
-    write(STDOUT_FILENO, buffer, len + 1);
+    IGNORED_RERURN(write(STDOUT_FILENO, buffer, len + 1));
 
   }
 
@@ -72,6 +73,8 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context,
 static void instr_basic_block(GumStalkerIterator *iterator,
                               GumStalkerOutput *output, gpointer user_data) {
 
+  UNUSED_PARAMETER(user_data);
+
   const cs_insn *instr;
   gboolean       begin = TRUE;
   while (gum_stalker_iterator_next(iterator, &instr)) {
diff --git a/frida_mode/src/interceptor.c b/frida_mode/src/interceptor.c
index 8d41b075..d2802752 100644
--- a/frida_mode/src/interceptor.c
+++ b/frida_mode/src/interceptor.c
@@ -10,7 +10,7 @@ void intercept(void *address, gpointer replacement, gpointer user_data) {
   gum_interceptor_begin_transaction(interceptor);
   GumReplaceReturn ret =
       gum_interceptor_replace(interceptor, address, replacement, user_data);
-  if (ret != GUM_ATTACH_OK) { FATAL("gum_interceptor_attach: %d", ret); }
+  if (ret != GUM_REPLACE_OK) { FATAL("gum_interceptor_attach: %d", ret); }
   gum_interceptor_end_transaction(interceptor);
 
 }
diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c
index f712a8c0..11cf041c 100644
--- a/frida_mode/src/main.c
+++ b/frida_mode/src/main.c
@@ -21,6 +21,7 @@
 #include "prefetch.h"
 #include "ranges.h"
 #include "stalker.h"
+#include "util.h"
 
 #ifdef __APPLE__
 extern mach_port_t mach_task_self();
@@ -36,8 +37,6 @@ typedef int *(*main_fn_t)(int argc, char **argv, char **envp);
 
 static main_fn_t main_fn = NULL;
 
-static GumMemoryRange code_range = {0};
-
 extern void __afl_manual_init();
 
 static int on_fork(void) {
@@ -55,6 +54,8 @@ static void on_main_os(int argc, char **argv, char **envp) {
 #else
 static void on_main_os(int argc, char **argv, char **envp) {
 
+  UNUSED_PARAMETER(argc);
+
   /* Personality doesn't affect the current process, it only takes effect on
    * evec */
   int persona = personality(ADDR_NO_RANDOMIZE);
@@ -97,7 +98,7 @@ static int *on_main(int argc, char **argv, char **envp) {
   /* Child here */
   previous_pc = 0;
   stalker_resume();
-  main_fn(argc, argv, envp);
+  return main_fn(argc, argv, envp);
 
 }
 
diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c
index 34e4093e..fe3a1d20 100644
--- a/frida_mode/src/persistent/persistent.c
+++ b/frida_mode/src/persistent/persistent.c
@@ -9,6 +9,9 @@
 #include "util.h"
 
 int                    __afl_sharedmem_fuzzing = 0;
+afl_persistent_hook_fn hook = NULL;
+guint64                persistent_start = 0;
+guint64                persistent_count = 0;
 
 void persistent_init(void) {
 
diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c
index 0cabbf24..5b8493b2 100644
--- a/frida_mode/src/persistent/persistent_x64.c
+++ b/frida_mode/src/persistent/persistent_x64.c
@@ -231,7 +231,7 @@ static int instrument_afl_persistent_loop_func(void) {
 
 }
 
-static int instrument_afl_persistent_loop(GumX86Writer *cw) {
+static void instrument_afl_persistent_loop(GumX86Writer *cw) {
 
   gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
                                         -(GUM_RED_ZONE_SIZE));
diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c
index 6fcbd258..e3f09f9e 100644
--- a/frida_mode/src/ranges.c
+++ b/frida_mode/src/ranges.c
@@ -5,6 +5,7 @@
 #include "lib.h"
 #include "ranges.h"
 #include "stalker.h"
+#include "util.h"
 
 #define MAX_RANGES 20
 
@@ -167,6 +168,7 @@ gint range_sort(gconstpointer a, gconstpointer b) {
 static gboolean print_ranges_callback(const GumRangeDetails *details,
                                       gpointer               user_data) {
 
+  UNUSED_PARAMETER(user_data);
   if (details->file == NULL) {
 
     OKF("MAP - 0x%016" G_GINT64_MODIFIER "x - 0x%016" G_GINT64_MODIFIER "X",
@@ -190,7 +192,7 @@ static gboolean print_ranges_callback(const GumRangeDetails *details,
 static void print_ranges(char *key, GArray *ranges) {
 
   OKF("Range: %s Length: %d", key, ranges->len);
-  for (int i = 0; i < ranges->len; i++) {
+  for (guint i = 0; i < ranges->len; i++) {
 
     GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i);
     GumAddress      curr_limit = curr->base_address + curr->size;
@@ -345,10 +347,10 @@ static GArray *intersect_ranges(GArray *a, GArray *b) {
 
   result = g_array_new(false, false, sizeof(GumMemoryRange));
 
-  for (int i = 0; i < a->len; i++) {
+  for (guint i = 0; i < a->len; i++) {
 
     ra = &g_array_index(a, GumMemoryRange, i);
-    for (int j = 0; j < b->len; j++) {
+    for (guint j = 0; j < b->len; j++) {
 
       rb = &g_array_index(b, GumMemoryRange, j);
 
@@ -377,11 +379,11 @@ static GArray *subtract_ranges(GArray *a, GArray *b) {
 
   result = g_array_new(false, false, sizeof(GumMemoryRange));
 
-  for (int i = 0; i < a->len; i++) {
+  for (guint i = 0; i < a->len; i++) {
 
     ra = &g_array_index(a, GumMemoryRange, i);
     ral = ra->base_address + ra->size;
-    for (int j = 0; j < b->len; j++) {
+    for (guint j = 0; j < b->len; j++) {
 
       rb = &g_array_index(b, GumMemoryRange, j);
 
@@ -453,7 +455,7 @@ static GArray *merge_ranges(GArray *a) {
 
   rp = g_array_index(a, GumMemoryRange, 0);
 
-  for (int i = 1; i < a->len; i++) {
+  for (guint i = 1; i < a->len; i++) {
 
     r = &g_array_index(a, GumMemoryRange, i);
 
@@ -535,7 +537,7 @@ void ranges_init(void) {
 
   stalker = stalker_get();
 
-  for (int i = 0; i < ranges->len; i++) {
+  for (guint i = 0; i < ranges->len; i++) {
 
     r = &g_array_index(ranges, GumMemoryRange, i);
     gum_stalker_exclude(stalker, r);
@@ -551,12 +553,11 @@ void ranges_init(void) {
 
 gboolean range_is_excluded(gpointer address) {
 
-  int        i;
   GumAddress test = GUM_ADDRESS(address);
 
   if (ranges == NULL) { return false; }
 
-  for (i = 0; i < ranges->len; i++) {
+  for (guint i = 0; i < ranges->len; i++) {
 
     GumMemoryRange *curr = &g_array_index(ranges, GumMemoryRange, i);
     GumAddress      curr_limit = curr->base_address + curr->size;
diff --git a/frida_mode/test/png/GNUmakefile b/frida_mode/test/png/GNUmakefile
index c381f5ab..7de3e85a 100644
--- a/frida_mode/test/png/GNUmakefile
+++ b/frida_mode/test/png/GNUmakefile
@@ -80,7 +80,6 @@ $(TEST_BIN): $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB)
 		-o $@ \
 		$(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) \
 		-lz \
-		$(TEST_LDFLAGS)
 
 clean:
 	rm -rf $(BUILD_DIR)
-- 
cgit 1.4.1


From 423c32969c0111f5fdc666a159497dff805bff89 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Wed, 28 Apr 2021 22:48:43 +0200
Subject: nit

---
 frida_mode/src/persistent/persistent.c | 3 ---
 1 file changed, 3 deletions(-)

(limited to 'frida_mode/src/persistent/persistent.c')

diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c
index fe3a1d20..5aad3724 100644
--- a/frida_mode/src/persistent/persistent.c
+++ b/frida_mode/src/persistent/persistent.c
@@ -30,9 +30,6 @@ void persistent_init(void) {
   if (persistent_count != 0 && persistent_count < 100)
     WARNF("Persistent count out of recommended range (<100)");
 
-  if (persistent_count > 10000)
-    WARNF("Persistent count out of recommended range (<10000)");
-
   if (persistent_start != 0 && !persistent_is_supported())
     FATAL("Persistent mode not supported on this architecture");
 
-- 
cgit 1.4.1


From 26b84e3521936ec11b7615bb833310d62795020e Mon Sep 17 00:00:00 2001
From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Date: Thu, 29 Apr 2021 08:06:14 +0100
Subject: Fixes for aarch64, OSX and other minor issues (#891)

Co-authored-by: Your Name <you@example.com>
---
 frida_mode/GNUmakefile                       |  28 +++--
 frida_mode/src/complog/complog.c             |   5 +-
 frida_mode/src/complog/complog_arm.c         |   6 +-
 frida_mode/src/complog/complog_arm64.c       |   6 +-
 frida_mode/src/complog/complog_x86.c         |   6 +-
 frida_mode/src/lib.c                         | 169 -------------------------
 frida_mode/src/lib/lib                       | Bin 0 -> 4144 bytes
 frida_mode/src/lib/lib.c                     | 176 +++++++++++++++++++++++++++
 frida_mode/src/lib/lib_apple.c               |  82 +++++++++++++
 frida_mode/src/main.c                        |   4 +
 frida_mode/src/persistent/persistent.c       |   4 +-
 frida_mode/src/persistent/persistent_arm32.c |   2 +
 frida_mode/src/persistent/persistent_arm64.c |   2 +
 frida_mode/src/persistent/persistent_x86.c   |   2 +
 frida_mode/test/exe/GNUmakefile              |  50 ++++++++
 frida_mode/test/exe/Makefile                 |  12 ++
 frida_mode/test/exe/testinstr.c              | 112 +++++++++++++++++
 frida_mode/test/png/GNUmakefile              |   4 +
 18 files changed, 487 insertions(+), 183 deletions(-)
 delete mode 100644 frida_mode/src/lib.c
 create mode 100755 frida_mode/src/lib/lib
 create mode 100644 frida_mode/src/lib/lib.c
 create mode 100644 frida_mode/src/lib/lib_apple.c
 create mode 100644 frida_mode/test/exe/GNUmakefile
 create mode 100644 frida_mode/test/exe/Makefile
 create mode 100644 frida_mode/test/exe/testinstr.c

(limited to 'frida_mode/src/persistent/persistent.c')

diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index 65a7a1c3..d2f5ba4b 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -10,16 +10,29 @@ OBJS:=$(foreach src,$(SOURCES),$(OBJ_DIR)$(notdir $(patsubst %.c, %.o, $(src))))
 CFLAGS+=-fPIC \
 		-D_GNU_SOURCE \
 		-D_FORTIFY_SOURCE=2 \
-		-Wno-pointer-arith \
 		-g \
 		-O3 \
 		-funroll-loops \
 
+RT_CFLAGS:=-Wno-unused-parameter \
+		   -Wno-sign-compare \
+		   -Wno-unused-function \
+		   -Wno-unused-result \
+
 LDFLAGS+=-shared \
 		 -lpthread \
 		 -lresolv \
 		 -ldl \
 
+ifdef DEBUG
+CFLAGS+=-Werror \
+		-Wall \
+		-Wextra \
+		-Wpointer-arith
+else
+CFLAGS+=-Wno-pointer-arith
+endif
+
 FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/
 FRIDA_TRACE:=$(BUILD_DIR)afl-frida-trace.so
 FRIDA_TRACE_EMBEDDED:=$(BUILD_DIR)afl-frida-trace-embedded
@@ -31,7 +44,11 @@ endif
 
 ifeq "$(shell uname)" "Darwin"
  OS:=macos
- CFLAGS:=$(CFLAGS) -Wno-deprecated-declarations
+ RT_CFLAGS:=$(RT_CFLAGS) -Wno-deprecated-declarations
+else
+ifdef DEBUG
+ RT_CFLAGS:=$(RT_CFLAGS) -Wno-prio-ctor-dtor
+endif
 endif
 
 ifeq "$(shell uname)" "Linux"
@@ -81,17 +98,14 @@ $(GUM_DEVIT_HEADER): | $(GUM_DEVKIT_TARBALL)
 $(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC)
 	$(CC) \
 		$(CFLAGS) \
+		$(RT_CFLAGS) \
 		-I $(ROOT) \
 		-I $(ROOT)include \
-		-Wno-unused-parameter \
-		-Wno-sign-compare \
-		-Wno-unused-function \
-		-Wno-unused-result \
 		-o $@ \
 		-c $<
 
 
-define BUILD_SOURCE =
+define BUILD_SOURCE
 $(2): $(1) GNUmakefile | $(OBJ_DIR)
 	$(CC) \
 		$(CFLAGS) \
diff --git a/frida_mode/src/complog/complog.c b/frida_mode/src/complog/complog.c
index 1857ea3b..ce8a3f62 100644
--- a/frida_mode/src/complog/complog.c
+++ b/frida_mode/src/complog/complog.c
@@ -36,8 +36,9 @@ void complog_init(void) {
   for (guint i = 0; i < complog_ranges->len; i++) {
 
     GumMemoryRange *range = &g_array_index(complog_ranges, GumMemoryRange, i);
-    OKF("CompLog Range - 0x%016lX - 0x%016lX", range->base_address,
-        range->base_address + range->size);
+    OKF("CompLog Range - 0x%016" G_GINT64_MODIFIER
+        "X - 0x%016" G_GINT64_MODIFIER "X",
+        range->base_address, range->base_address + range->size);
 
   }
 
diff --git a/frida_mode/src/complog/complog_arm.c b/frida_mode/src/complog/complog_arm.c
index 82cc2557..1b8eb8f1 100644
--- a/frida_mode/src/complog/complog_arm.c
+++ b/frida_mode/src/complog/complog_arm.c
@@ -3,10 +3,14 @@
 #include "debug.h"
 
 #include "complog.h"
+#include "util.h"
 
-#if defined(__arm64__)
+#if defined(__arm__)
 void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) {
 
+  UNUSED_PARAMETER(instr);
+  UNUSED_PARAMETER(iterator);
+  if (__afl_cmp_map == NULL) { return; }
   FATAL("Complog mode not supported on this architecture");
 
 }
diff --git a/frida_mode/src/complog/complog_arm64.c b/frida_mode/src/complog/complog_arm64.c
index e4dbf322..ce62f6fd 100644
--- a/frida_mode/src/complog/complog_arm64.c
+++ b/frida_mode/src/complog/complog_arm64.c
@@ -3,10 +3,14 @@
 #include "debug.h"
 
 #include "complog.h"
+#include "util.h"
 
-#if defined(__i386__)
+#if defined(__aarch64__)
 void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) {
 
+  UNUSED_PARAMETER(instr);
+  UNUSED_PARAMETER(iterator);
+  if (__afl_cmp_map == NULL) { return; }
   FATAL("Complog mode not supported on this architecture");
 
 }
diff --git a/frida_mode/src/complog/complog_x86.c b/frida_mode/src/complog/complog_x86.c
index df7b7cc1..b2e5ddcf 100644
--- a/frida_mode/src/complog/complog_x86.c
+++ b/frida_mode/src/complog/complog_x86.c
@@ -3,10 +3,14 @@
 #include "debug.h"
 
 #include "complog.h"
+#include "util.h"
 
-#if defined(__arm__)
+#if defined(__i386__)
 void complog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) {
 
+  UNUSED_PARAMETER(instr);
+  UNUSED_PARAMETER(iterator);
+  if (__afl_cmp_map == NULL) { return; }
   FATAL("Complog mode not supported on this architecture");
 
 }
diff --git a/frida_mode/src/lib.c b/frida_mode/src/lib.c
deleted file mode 100644
index e50163ac..00000000
--- a/frida_mode/src/lib.c
+++ /dev/null
@@ -1,169 +0,0 @@
-#include <elf.h>
-#include <fcntl.h>
-#include <limits.h>
-#include <stdio.h>
-#include <sys/mman.h>
-#include <unistd.h>
-
-#include "frida-gum.h"
-
-#include "debug.h"
-
-#include "lib.h"
-
-#if defined(__arm__) || defined(__i386__)
-  #define ELFCLASS ELFCLASS32
-typedef Elf32_Ehdr Elf_Ehdr;
-typedef Elf32_Phdr Elf_Phdr;
-typedef Elf32_Shdr Elf_Shdr;
-#elif defined(__aarch64__) || defined(__x86_64__)
-  #define ELFCLASS ELFCLASS64
-typedef Elf64_Ehdr Elf_Ehdr;
-typedef Elf64_Phdr Elf_Phdr;
-typedef Elf64_Shdr Elf_Shdr;
-#else
-  #error "Unsupported platform"
-#endif
-
-typedef struct {
-
-  gchar      name[PATH_MAX + 1];
-  gchar      path[PATH_MAX + 1];
-  GumAddress base_address;
-  gsize      size;
-
-} lib_details_t;
-
-static guint64 text_base = 0;
-static guint64 text_limit = 0;
-
-static gboolean lib_find_exe(const GumModuleDetails *details,
-                             gpointer                user_data) {
-
-  lib_details_t *lib_details = (lib_details_t *)user_data;
-
-  memcpy(lib_details->name, details->name, PATH_MAX);
-  memcpy(lib_details->path, details->path, PATH_MAX);
-  lib_details->base_address = details->range->base_address;
-  lib_details->size = details->range->size;
-  return FALSE;
-
-}
-
-static gboolean lib_is_little_endian(void) {
-
-  int probe = 1;
-  return *(char *)&probe;
-
-}
-
-static void lib_validate_hdr(Elf_Ehdr *hdr) {
-
-  if (hdr->e_ident[0] != ELFMAG0) FATAL("Invalid e_ident[0]");
-  if (hdr->e_ident[1] != ELFMAG1) FATAL("Invalid e_ident[1]");
-  if (hdr->e_ident[2] != ELFMAG2) FATAL("Invalid e_ident[2]");
-  if (hdr->e_ident[3] != ELFMAG3) FATAL("Invalid e_ident[3]");
-  if (hdr->e_ident[4] != ELFCLASS) FATAL("Invalid class");
-/*
-  if (hdr->e_ident[5] != (lib_is_little_endian() ? ELFDATA2LSB : ELFDATA2MSB))
-    FATAL("Invalid endian");
-  if (hdr->e_ident[6] != EV_CURRENT) FATAL("Invalid version");
-  if (hdr->e_type != ET_DYN) FATAL("Invalid type");
-  if (hdr->e_version != EV_CURRENT) FATAL("Invalid e_version");
-  if (hdr->e_phoff != sizeof(Elf_Ehdr)) FATAL("Invalid e_phoff");
-  if (hdr->e_ehsize != sizeof(Elf_Ehdr)) FATAL("Invalid e_ehsize");
-  if (hdr->e_phentsize != sizeof(Elf_Phdr)) FATAL("Invalid e_phentsize");
-  if (hdr->e_shentsize != sizeof(Elf_Shdr)) FATAL("Invalid e_shentsize");
-*/
-
-}
-
-static void lib_read_text_section(lib_details_t *lib_details, Elf_Ehdr *hdr) {
-
-  Elf_Shdr *shdr;
-  Elf_Shdr *shstrtab;
-  char *    shstr;
-  char *    section_name;
-  Elf_Shdr *curr;
-  char      text_name[] = ".text";
-
-  shdr = (Elf_Shdr *)((char *)hdr + hdr->e_shoff);
-  shstrtab = &shdr[hdr->e_shstrndx];
-  shstr = (char *)hdr + shstrtab->sh_offset;
-
-  OKF("shdr: %p", shdr);
-  OKF("shstrtab: %p", shstrtab);
-  OKF("shstr: %p", shstr);
-
-  for (size_t i = 0; i < hdr->e_shnum; i++) {
-
-    curr = &shdr[i];
-
-    if (curr->sh_name == 0) continue;
-
-    section_name = &shstr[curr->sh_name];
-    OKF("Section: %2lu - base: 0x%016lX size: 0x%016lX %s", i, curr->sh_addr,
-        curr->sh_size, section_name);
-    if (memcmp(section_name, text_name, sizeof(text_name)) == 0 &&
-        text_base == 0) {
-
-      text_base = lib_details->base_address + curr->sh_addr;
-      text_limit = lib_details->base_address + curr->sh_addr + curr->sh_size;
-      OKF("> text_addr: 0x%016lX", text_base);
-      OKF("> text_limit: 0x%016lX", text_limit);
-
-    }
-
-  }
-
-}
-
-static void lib_get_text_section(lib_details_t *details) {
-
-  int       fd = -1;
-  off_t     len;
-  Elf_Ehdr *hdr;
-
-  fd = open(details->path, O_RDONLY);
-  if (fd < 0) { FATAL("Failed to open %s", details->path); }
-
-  len = lseek(fd, 0, SEEK_END);
-
-  if (len == (off_t)-1) { FATAL("Failed to lseek %s", details->path); }
-
-  OKF("len: %ld", len);
-
-  hdr = (Elf_Ehdr *)mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
-  if (hdr == MAP_FAILED) { FATAL("Failed to map %s", details->path); }
-
-  lib_validate_hdr(hdr);
-  lib_read_text_section(details, hdr);
-
-  munmap(hdr, len);
-  close(fd);
-
-}
-
-void lib_init(void) {
-
-  lib_details_t lib_details;
-  gum_process_enumerate_modules(lib_find_exe, &lib_details);
-  OKF("Executable: 0x%016lx - %s", lib_details.base_address, lib_details.path);
-  lib_get_text_section(&lib_details);
-
-}
-
-guint64 lib_get_text_base(void) {
-
-  if (text_base == 0) FATAL("Lib not initialized");
-  return text_base;
-
-}
-
-guint64 lib_get_text_limit(void) {
-
-  if (text_limit == 0) FATAL("Lib not initialized");
-  return text_limit;
-
-}
-
diff --git a/frida_mode/src/lib/lib b/frida_mode/src/lib/lib
new file mode 100755
index 00000000..8f09a3b1
Binary files /dev/null and b/frida_mode/src/lib/lib differ
diff --git a/frida_mode/src/lib/lib.c b/frida_mode/src/lib/lib.c
new file mode 100644
index 00000000..c5045533
--- /dev/null
+++ b/frida_mode/src/lib/lib.c
@@ -0,0 +1,176 @@
+#ifndef __APPLE__
+  #include <elf.h>
+  #include <fcntl.h>
+  #include <limits.h>
+  #include <stdio.h>
+  #include <sys/mman.h>
+  #include <unistd.h>
+
+  #include "frida-gum.h"
+
+  #include "debug.h"
+
+  #include "lib.h"
+
+  #if defined(__arm__) || defined(__i386__)
+    #define ELFCLASS ELFCLASS32
+typedef Elf32_Ehdr Elf_Ehdr;
+typedef Elf32_Phdr Elf_Phdr;
+typedef Elf32_Shdr Elf_Shdr;
+typedef Elf32_Addr Elf_Addr;
+  #elif defined(__aarch64__) || defined(__x86_64__)
+    #define ELFCLASS ELFCLASS64
+typedef Elf64_Ehdr Elf_Ehdr;
+typedef Elf64_Phdr Elf_Phdr;
+typedef Elf64_Shdr Elf_Shdr;
+typedef Elf64_Addr Elf_Addr;
+  #else
+    #error "Unsupported platform"
+  #endif
+
+typedef struct {
+
+  gchar      name[PATH_MAX + 1];
+  gchar      path[PATH_MAX + 1];
+  GumAddress base_address;
+  gsize      size;
+
+} lib_details_t;
+
+static guint64 text_base = 0;
+static guint64 text_limit = 0;
+
+static gboolean lib_find_exe(const GumModuleDetails *details,
+                             gpointer                user_data) {
+
+  lib_details_t *lib_details = (lib_details_t *)user_data;
+
+  memcpy(lib_details->name, details->name, PATH_MAX);
+  memcpy(lib_details->path, details->path, PATH_MAX);
+  lib_details->base_address = details->range->base_address;
+  lib_details->size = details->range->size;
+  return FALSE;
+
+}
+
+static void lib_validate_hdr(Elf_Ehdr *hdr) {
+
+  if (hdr->e_ident[0] != ELFMAG0) FATAL("Invalid e_ident[0]");
+  if (hdr->e_ident[1] != ELFMAG1) FATAL("Invalid e_ident[1]");
+  if (hdr->e_ident[2] != ELFMAG2) FATAL("Invalid e_ident[2]");
+  if (hdr->e_ident[3] != ELFMAG3) FATAL("Invalid e_ident[3]");
+  if (hdr->e_ident[4] != ELFCLASS) FATAL("Invalid class");
+
+}
+
+static void lib_read_text_section(lib_details_t *lib_details, Elf_Ehdr *hdr) {
+
+  Elf_Phdr *phdr;
+  gboolean  found_preferred_base = FALSE;
+  Elf_Addr  preferred_base;
+  Elf_Shdr *shdr;
+  Elf_Shdr *shstrtab;
+  char *    shstr;
+  char *    section_name;
+  Elf_Shdr *curr;
+  char      text_name[] = ".text";
+
+  phdr = (Elf_Phdr *)((char *)hdr + hdr->e_phoff);
+  for (size_t i = 0; i < hdr->e_phnum; i++) {
+
+    if (phdr[i].p_type == PT_LOAD) {
+
+      preferred_base = phdr[i].p_vaddr;
+      found_preferred_base = TRUE;
+      break;
+
+    }
+
+  }
+
+  if (!found_preferred_base) { FATAL("Failed to find preferred load address"); }
+
+  OKF("Image preferred load address 0x%016lx", preferred_base);
+
+  shdr = (Elf_Shdr *)((char *)hdr + hdr->e_shoff);
+  shstrtab = &shdr[hdr->e_shstrndx];
+  shstr = (char *)hdr + shstrtab->sh_offset;
+
+  OKF("shdr: %p", shdr);
+  OKF("shstrtab: %p", shstrtab);
+  OKF("shstr: %p", shstr);
+
+  for (size_t i = 0; i < hdr->e_shnum; i++) {
+
+    curr = &shdr[i];
+
+    if (curr->sh_name == 0) continue;
+
+    section_name = &shstr[curr->sh_name];
+    OKF("Section: %2lu - base: 0x%016lX size: 0x%016lX %s", i, curr->sh_addr,
+        curr->sh_size, section_name);
+    if (memcmp(section_name, text_name, sizeof(text_name)) == 0 &&
+        text_base == 0) {
+
+      text_base = lib_details->base_address + curr->sh_addr - preferred_base;
+      text_limit = text_base + curr->sh_size;
+      OKF("> text_addr: 0x%016lX", text_base);
+      OKF("> text_limit: 0x%016lX", text_limit);
+
+    }
+
+  }
+
+}
+
+static void lib_get_text_section(lib_details_t *details) {
+
+  int       fd = -1;
+  off_t     len;
+  Elf_Ehdr *hdr;
+
+  fd = open(details->path, O_RDONLY);
+  if (fd < 0) { FATAL("Failed to open %s", details->path); }
+
+  len = lseek(fd, 0, SEEK_END);
+
+  if (len == (off_t)-1) { FATAL("Failed to lseek %s", details->path); }
+
+  OKF("len: %ld", len);
+
+  hdr = (Elf_Ehdr *)mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
+  if (hdr == MAP_FAILED) { FATAL("Failed to map %s", details->path); }
+
+  lib_validate_hdr(hdr);
+  lib_read_text_section(details, hdr);
+
+  munmap(hdr, len);
+  close(fd);
+
+}
+
+void lib_init(void) {
+
+  lib_details_t lib_details;
+  gum_process_enumerate_modules(lib_find_exe, &lib_details);
+  OKF("Executable: 0x%016lx - %s", lib_details.base_address, lib_details.path);
+  lib_get_text_section(&lib_details);
+
+}
+
+guint64 lib_get_text_base(void) {
+
+  if (text_base == 0) FATAL("Lib not initialized");
+  return text_base;
+
+}
+
+guint64 lib_get_text_limit(void) {
+
+  if (text_limit == 0) FATAL("Lib not initialized");
+  return text_limit;
+
+}
+
+#endif
+
diff --git a/frida_mode/src/lib/lib_apple.c b/frida_mode/src/lib/lib_apple.c
new file mode 100644
index 00000000..8f863861
--- /dev/null
+++ b/frida_mode/src/lib/lib_apple.c
@@ -0,0 +1,82 @@
+#ifdef __APPLE__
+  #include "frida-gum.h"
+
+  #include "debug.h"
+
+  #include "lib.h"
+  #include "util.h"
+
+extern mach_port_t mach_task_self();
+extern void        gum_darwin_enumerate_modules(mach_port_t        task,
+                                                GumFoundModuleFunc func,
+                                                gpointer           user_data);
+
+static guint64 text_base = 0;
+static guint64 text_limit = 0;
+
+static gboolean lib_get_main_module(const GumModuleDetails *details,
+                                    gpointer                user_data) {
+
+  GumDarwinModule **ret = (GumDarwinModule **)user_data;
+  GumDarwinModule * module = gum_darwin_module_new_from_memory(
+      details->path, mach_task_self(), details->range->base_address,
+      GUM_DARWIN_MODULE_FLAGS_NONE, NULL);
+
+  OKF("Found main module: %s", module->name);
+
+  *ret = module;
+
+  return FALSE;
+
+}
+
+gboolean lib_get_text_section(const GumDarwinSectionDetails *details,
+                              gpointer                       user_data) {
+
+  UNUSED_PARAMETER(user_data);
+  static size_t idx = 0;
+  char          text_name[] = "__text";
+
+  OKF("Section: %2lu - base: 0x%016" G_GINT64_MODIFIER
+      "X size: 0x%016" G_GINT64_MODIFIER "X %s",
+      idx++, details->vm_address, details->vm_address + details->size,
+      details->section_name);
+
+  if (memcmp(details->section_name, text_name, sizeof(text_name)) == 0 &&
+      text_base == 0) {
+
+    text_base = details->vm_address;
+    text_limit = details->vm_address + details->size;
+    OKF("> text_addr: 0x%016" G_GINT64_MODIFIER "X", text_base);
+    OKF("> text_limit: 0x%016" G_GINT64_MODIFIER "X", text_limit);
+
+  }
+
+  return TRUE;
+
+}
+
+void lib_init(void) {
+
+  GumDarwinModule *module = NULL;
+  gum_darwin_enumerate_modules(mach_task_self(), lib_get_main_module, &module);
+  gum_darwin_module_enumerate_sections(module, lib_get_text_section, NULL);
+
+}
+
+guint64 lib_get_text_base(void) {
+
+  if (text_base == 0) FATAL("Lib not initialized");
+  return text_base;
+
+}
+
+guint64 lib_get_text_limit(void) {
+
+  if (text_limit == 0) FATAL("Lib not initialized");
+  return text_limit;
+
+}
+
+#endif
+
diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c
index 11cf041c..5c64d192 100644
--- a/frida_mode/src/main.c
+++ b/frida_mode/src/main.c
@@ -49,6 +49,10 @@ static int on_fork(void) {
 #ifdef __APPLE__
 static void on_main_os(int argc, char **argv, char **envp) {
 
+  UNUSED_PARAMETER(argc);
+  UNUSED_PARAMETER(argv);
+  UNUSED_PARAMETER(envp);
+
 }
 
 #else
diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c
index 5aad3724..918ff153 100644
--- a/frida_mode/src/persistent/persistent.c
+++ b/frida_mode/src/persistent/persistent.c
@@ -33,9 +33,9 @@ void persistent_init(void) {
   if (persistent_start != 0 && !persistent_is_supported())
     FATAL("Persistent mode not supported on this architecture");
 
-  OKF("Instrumentation - persistent mode [%c] (0x%016lX)",
+  OKF("Instrumentation - persistent mode [%c] (0x%016" G_GINT64_MODIFIER "X)",
       persistent_start == 0 ? ' ' : 'X', persistent_start);
-  OKF("Instrumentation - persistent count [%c] (%ld)",
+  OKF("Instrumentation - persistent count [%c] (%" G_GINT64_MODIFIER "d)",
       persistent_start == 0 ? ' ' : 'X', persistent_count);
   OKF("Instrumentation - hook [%s]", hook_name);
 
diff --git a/frida_mode/src/persistent/persistent_arm32.c b/frida_mode/src/persistent/persistent_arm32.c
index 10dab3b2..bc021ff3 100644
--- a/frida_mode/src/persistent/persistent_arm32.c
+++ b/frida_mode/src/persistent/persistent_arm32.c
@@ -3,6 +3,7 @@
 #include "debug.h"
 
 #include "persistent.h"
+#include "util.h"
 
 #if defined(__arm__)
 
@@ -62,6 +63,7 @@ gboolean persistent_is_supported(void) {
 
 void persistent_prologue(GumStalkerOutput *output) {
 
+  UNUSED_PARAMETER(output);
   FATAL("Persistent mode not supported on this architecture");
 
 }
diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c
index 5a18ac2c..c198da69 100644
--- a/frida_mode/src/persistent/persistent_arm64.c
+++ b/frida_mode/src/persistent/persistent_arm64.c
@@ -4,6 +4,7 @@
 #include "debug.h"
 
 #include "instrument.h"
+#include "util.h"
 
 #if defined(__aarch64__)
 
@@ -105,6 +106,7 @@ gboolean persistent_is_supported(void) {
 
 void persistent_prologue(GumStalkerOutput *output) {
 
+  UNUSED_PARAMETER(output);
   FATAL("Persistent mode not supported on this architecture");
 
 }
diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c
index 4daa61a9..9d39c4e9 100644
--- a/frida_mode/src/persistent/persistent_x86.c
+++ b/frida_mode/src/persistent/persistent_x86.c
@@ -3,6 +3,7 @@
 #include "debug.h"
 
 #include "persistent.h"
+#include "util.h"
 
 #if defined(__i386__)
 
@@ -45,6 +46,7 @@ gboolean persistent_is_supported(void) {
 
 void persistent_prologue(GumStalkerOutput *output) {
 
+  UNUSED_PARAMETER(output);
   FATAL("Persistent mode not supported on this architecture");
 
 }
diff --git a/frida_mode/test/exe/GNUmakefile b/frida_mode/test/exe/GNUmakefile
new file mode 100644
index 00000000..7719ad2b
--- /dev/null
+++ b/frida_mode/test/exe/GNUmakefile
@@ -0,0 +1,50 @@
+PWD:=$(shell pwd)/
+ROOT:=$(shell realpath $(PWD)../../..)/
+BUILD_DIR:=$(PWD)build/
+TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/
+TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in
+
+TESTINSTBIN:=$(BUILD_DIR)testinstr
+TESTINSTSRC:=$(PWD)testinstr.c
+
+QEMU_OUT:=$(BUILD_DIR)qemu-out
+FRIDA_OUT:=$(BUILD_DIR)frida-out
+
+.PHONY: all clean qemu frida
+
+all: $(TESTINSTBIN)
+	make -C $(ROOT)frida_mode/
+
+$(BUILD_DIR):
+	mkdir -p $@
+
+$(TESTINSTR_DATA_DIR): | $(BUILD_DIR)
+	mkdir -p $@
+
+$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR)
+	echo -n "000" > $@
+
+$(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR)
+	$(CC) -o $@ $< -no-pie
+
+clean:
+	rm -rf $(BUILD_DIR)
+
+
+qemu: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
+	$(ROOT)afl-fuzz \
+		-D \
+		-Q \
+		-i $(TESTINSTR_DATA_DIR) \
+		-o $(QEMU_OUT) \
+		-- \
+			$(TESTINSTBIN) @@
+
+frida: $(FRIDA_TRACE) $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
+	$(ROOT)afl-fuzz \
+		-D \
+		-O \
+		-i $(TESTINSTR_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-- \
+			$(TESTINSTBIN) @@
\ No newline at end of file
diff --git a/frida_mode/test/exe/Makefile b/frida_mode/test/exe/Makefile
new file mode 100644
index 00000000..f322d1f5
--- /dev/null
+++ b/frida_mode/test/exe/Makefile
@@ -0,0 +1,12 @@
+all:
+	@echo trying to use GNU make...
+	@gmake all || echo please install GNUmake
+
+clean:
+	@gmake clean
+
+qemu:
+	@gmake qemu
+
+frida:
+	@gmake frida
\ No newline at end of file
diff --git a/frida_mode/test/exe/testinstr.c b/frida_mode/test/exe/testinstr.c
new file mode 100644
index 00000000..5e26fc46
--- /dev/null
+++ b/frida_mode/test/exe/testinstr.c
@@ -0,0 +1,112 @@
+/*
+   american fuzzy lop++ - a trivial program to test the build
+   --------------------------------------------------------
+   Originally written by Michal Zalewski
+   Copyright 2014 Google Inc. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+     http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#ifdef __APPLE__
+  #define TESTINSTR_SECTION
+#else
+  #define TESTINSTR_SECTION __attribute__((section(".testinstr")))
+#endif
+
+void testinstr(char *buf, int len) {
+
+  if (len < 1) return;
+  buf[len] = 0;
+
+  // we support three input cases
+  if (buf[0] == '0')
+    printf("Looks like a zero to me!\n");
+  else if (buf[0] == '1')
+    printf("Pretty sure that is a one!\n");
+  else
+    printf("Neither one or zero? How quaint!\n");
+
+}
+
+TESTINSTR_SECTION int main(int argc, char **argv) {
+
+  char * file;
+  int    fd = -1;
+  off_t  len;
+  char * buf = NULL;
+  size_t n_read;
+  int    result = -1;
+
+  if (argc != 2) { return 1; }
+
+  do {
+
+    file = argv[1];
+
+    dprintf(STDERR_FILENO, "Running: %s\n", file);
+
+    fd = open(file, O_RDONLY);
+    if (fd < 0) {
+
+      perror("open");
+      break;
+
+    }
+
+    len = lseek(fd, 0, SEEK_END);
+    if (len < 0) {
+
+      perror("lseek (SEEK_END)");
+      break;
+
+    }
+
+    if (lseek(fd, 0, SEEK_SET) != 0) {
+
+      perror("lseek (SEEK_SET)");
+      break;
+
+    }
+
+    buf = malloc(len);
+    if (buf == NULL) {
+
+      perror("malloc");
+      break;
+
+    }
+
+    n_read = read(fd, buf, len);
+    if (n_read != len) {
+
+      perror("read");
+      break;
+
+    }
+
+    dprintf(STDERR_FILENO, "Running:    %s: (%zd bytes)\n", file, n_read);
+
+    testinstr(buf, len);
+    dprintf(STDERR_FILENO, "Done:    %s: (%zd bytes)\n", file, n_read);
+
+    result = 0;
+
+  } while (false);
+
+  if (buf != NULL) { free(buf); }
+
+  if (fd != -1) { close(fd); }
+
+  return result;
+
+}
+
diff --git a/frida_mode/test/png/GNUmakefile b/frida_mode/test/png/GNUmakefile
index 7de3e85a..515728c4 100644
--- a/frida_mode/test/png/GNUmakefile
+++ b/frida_mode/test/png/GNUmakefile
@@ -21,6 +21,9 @@ PNGTEST_OBJ:=$(PNGTEST_BUILD_DIR)target.o
 PNGTEST_URL:="https://raw.githubusercontent.com/google/fuzzbench/master/benchmarks/libpng-1.2.56/target.cc"
 
 TEST_BIN:=$(BUILD_DIR)test
+ifeq "$(shell uname)" "Darwin"
+TEST_BIN_LDFLAGS:=-undefined dynamic_lookup
+endif
 
 TEST_DATA_DIR:=$(LIBPNG_DIR)contrib/pngsuite/
 
@@ -80,6 +83,7 @@ $(TEST_BIN): $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB)
 		-o $@ \
 		$(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) \
 		-lz \
+		$(TEST_BIN_LDFLAGS) \
 
 clean:
 	rm -rf $(BUILD_DIR)
-- 
cgit 1.4.1


From f677be5e86a096edbba74cb8c739e8b10850a379 Mon Sep 17 00:00:00 2001
From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Date: Thu, 27 May 2021 21:33:44 +0100
Subject: Support for AFL_FRIDA_PERSISTENT_RET (#941)

Co-authored-by: Your Name <you@example.com>
---
 frida_mode/GNUmakefile                            |   7 +-
 frida_mode/include/persistent.h                   |   4 +
 frida_mode/src/instrument/instrument.c            |   1 +
 frida_mode/src/persistent/persistent.c            |  34 +++++-
 frida_mode/src/persistent/persistent_arm32.c      |   7 ++
 frida_mode/src/persistent/persistent_arm64.c      |   7 ++
 frida_mode/src/persistent/persistent_x64.c        |  19 +++-
 frida_mode/src/persistent/persistent_x86.c        |  15 +++
 frida_mode/src/util.c                             |  13 +--
 frida_mode/test/persistent_ret/GNUmakefile        | 105 +++++++++++++++++++
 frida_mode/test/persistent_ret/Makefile           |  22 ++++
 frida_mode/test/persistent_ret/get_symbol_addr.py |  36 +++++++
 frida_mode/test/persistent_ret/testinstr.c        | 120 ++++++++++++++++++++++
 include/envs.h                                    |   3 +
 14 files changed, 382 insertions(+), 11 deletions(-)
 create mode 100644 frida_mode/test/persistent_ret/GNUmakefile
 create mode 100644 frida_mode/test/persistent_ret/Makefile
 create mode 100755 frida_mode/test/persistent_ret/get_symbol_addr.py
 create mode 100644 frida_mode/test/persistent_ret/testinstr.c

(limited to 'frida_mode/src/persistent/persistent.c')

diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index 20fbb544..f9c0f1f7 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -36,6 +36,10 @@ else
 CFLAGS+=-Wno-pointer-arith
 endif
 
+ifdef FRIDA_DEBUG
+CFLAGS += -DFRIDA_DEBUG
+endif
+
 FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/
 FRIDA_TRACE:=$(BUILD_DIR)afl-frida-trace.so
 FRIDA_TRACE_EMBEDDED:=$(BUILD_DIR)afl-frida-trace-embedded
@@ -94,9 +98,6 @@ AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o
 
 all: $(FRIDA_TRACE)
 
-32:
-	CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
-
 32:
 	CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
 
diff --git a/frida_mode/include/persistent.h b/frida_mode/include/persistent.h
index e58c5301..25b44ab0 100644
--- a/frida_mode/include/persistent.h
+++ b/frida_mode/include/persistent.h
@@ -18,6 +18,9 @@ extern unsigned char *__afl_fuzz_ptr;
 
 extern guint64                persistent_start;
 extern guint64                persistent_count;
+extern guint64                persistent_ret;
+extern guint64                persistent_ret_offset;
+extern gboolean               persistent_debug;
 extern afl_persistent_hook_fn hook;
 
 void persistent_init(void);
@@ -26,6 +29,7 @@ void persistent_init(void);
 gboolean persistent_is_supported(void);
 
 void persistent_prologue(GumStalkerOutput *output);
+void persistent_epilogue(GumStalkerOutput *output);
 
 #endif
 
diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c
index f21849a6..c4f18797 100644
--- a/frida_mode/src/instrument/instrument.c
+++ b/frida_mode/src/instrument/instrument.c
@@ -85,6 +85,7 @@ static void instr_basic_block(GumStalkerIterator *iterator,
 
     if (instr->address == entry_start) { entry_prologue(iterator, output); }
     if (instr->address == persistent_start) { persistent_prologue(output); }
+    if (instr->address == persistent_ret) { persistent_epilogue(output); }
 
     /*
      * Until we reach AFL_ENTRYPOINT (assumed to be main if not specified) or
diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c
index 918ff153..2ec5b9cc 100644
--- a/frida_mode/src/persistent/persistent.c
+++ b/frida_mode/src/persistent/persistent.c
@@ -12,6 +12,9 @@ int                    __afl_sharedmem_fuzzing = 0;
 afl_persistent_hook_fn hook = NULL;
 guint64                persistent_start = 0;
 guint64                persistent_count = 0;
+guint64                persistent_ret = 0;
+guint64                persistent_ret_offset = 0;
+gboolean               persistent_debug = FALSE;
 
 void persistent_init(void) {
 
@@ -19,12 +22,36 @@ void persistent_init(void) {
 
   persistent_start = util_read_address("AFL_FRIDA_PERSISTENT_ADDR");
   persistent_count = util_read_num("AFL_FRIDA_PERSISTENT_CNT");
+  persistent_ret = util_read_address("AFL_FRIDA_PERSISTENT_RET");
+  persistent_ret_offset =
+      util_read_address("AFL_FRIDA_PERSISTENT_RETADDR_OFFSET");
+
+  if (getenv("AFL_FRIDA_PERSISTENT_DEBUG") != NULL) { persistent_debug = TRUE; }
+
+  if (persistent_count != 0 && persistent_start == 0) {
 
-  if (persistent_count != 0 && persistent_start == 0)
     FATAL(
         "AFL_FRIDA_PERSISTENT_ADDR must be specified if "
         "AFL_FRIDA_PERSISTENT_CNT is");
 
+  }
+
+  if (persistent_ret != 0 && persistent_start == 0) {
+
+    FATAL(
+        "AFL_FRIDA_PERSISTENT_ADDR must be specified if "
+        "AFL_FRIDA_PERSISTENT_RET is");
+
+  }
+
+  if (persistent_ret_offset != 0 && persistent_ret == 0) {
+
+    FATAL(
+        "AFL_FRIDA_PERSISTENT_RET must be specified if "
+        "AFL_FRIDA_PERSISTENT_RETADDR_OFFSET is");
+
+  }
+
   if (persistent_start != 0 && persistent_count == 0) persistent_count = 1000;
 
   if (persistent_count != 0 && persistent_count < 100)
@@ -39,6 +66,11 @@ void persistent_init(void) {
       persistent_start == 0 ? ' ' : 'X', persistent_count);
   OKF("Instrumentation - hook [%s]", hook_name);
 
+  OKF("Instrumentation - persistent ret [%c] (0x%016" G_GINT64_MODIFIER "X)",
+      persistent_ret == 0 ? ' ' : 'X', persistent_ret);
+  OKF("Instrumentation - persistent ret offset [%c] (%" G_GINT64_MODIFIER "d)",
+      persistent_ret_offset == 0 ? ' ' : 'X', persistent_ret_offset);
+
   if (hook_name != NULL) {
 
     void *hook_obj = dlopen(hook_name, RTLD_NOW);
diff --git a/frida_mode/src/persistent/persistent_arm32.c b/frida_mode/src/persistent/persistent_arm32.c
index bc021ff3..6a3c06fa 100644
--- a/frida_mode/src/persistent/persistent_arm32.c
+++ b/frida_mode/src/persistent/persistent_arm32.c
@@ -68,5 +68,12 @@ void persistent_prologue(GumStalkerOutput *output) {
 
 }
 
+void persistent_epilogue(GumStalkerOutput *output) {
+
+  UNUSED_PARAMETER(output);
+  FATAL("Persistent mode not supported on this architecture");
+
+}
+
 #endif
 
diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c
index c198da69..1215d8da 100644
--- a/frida_mode/src/persistent/persistent_arm64.c
+++ b/frida_mode/src/persistent/persistent_arm64.c
@@ -111,5 +111,12 @@ void persistent_prologue(GumStalkerOutput *output) {
 
 }
 
+void persistent_epilogue(GumStalkerOutput *output) {
+
+  UNUSED_PARAMETER(output);
+  FATAL("Persistent mode not supported on this architecture");
+
+}
+
 #endif
 
diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c
index aa772b7f..4c495d47 100644
--- a/frida_mode/src/persistent/persistent_x64.c
+++ b/frida_mode/src/persistent/persistent_x64.c
@@ -1,9 +1,11 @@
 #include "frida-gum.h"
 
 #include "config.h"
+#include "debug.h"
 
 #include "instrument.h"
 #include "persistent.h"
+#include "util.h"
 
 #if defined(__x86_64__)
 
@@ -264,7 +266,6 @@ void persistent_prologue(GumStalkerOutput *output) {
   GumX86Writer *cw = output->writer.x86;
 
   gconstpointer loop = cw->code + 1;
-  // gum_x86_writer_put_breakpoint(cw);
 
   /* Stack must be 16-byte aligned per ABI */
   instrument_persitent_save_regs(cw, &saved_regs);
@@ -288,7 +289,9 @@ void persistent_prologue(GumStalkerOutput *output) {
   instrument_persitent_restore_regs(cw, &saved_regs);
   gconstpointer original = cw->code + 1;
   /* call original */
+
   gum_x86_writer_put_call_near_label(cw, original);
+
   /* jmp loop */
   gum_x86_writer_put_jmp_near_label(cw, loop);
 
@@ -300,9 +303,23 @@ void persistent_prologue(GumStalkerOutput *output) {
   /* original: */
   gum_x86_writer_put_label(cw, original);
 
+  if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); }
+
   gum_x86_writer_flush(cw);
 
 }
 
+void persistent_epilogue(GumStalkerOutput *output) {
+
+  GumX86Writer *cw = output->writer.x86;
+
+  if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); }
+
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
+                                        persistent_ret_offset);
+  gum_x86_writer_put_ret(cw);
+
+}
+
 #endif
 
diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c
index 20a3dc42..b30dfadf 100644
--- a/frida_mode/src/persistent/persistent_x86.c
+++ b/frida_mode/src/persistent/persistent_x86.c
@@ -244,9 +244,24 @@ void persistent_prologue(GumStalkerOutput *output) {
   /* original: */
   gum_x86_writer_put_label(cw, original);
 
+  if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); }
+
   gum_x86_writer_flush(cw);
 
 }
 
+void persistent_epilogue(GumStalkerOutput *output) {
+
+  GumX86Writer *cw = output->writer.x86;
+
+  if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); }
+
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP,
+                                        persistent_ret_offset);
+
+  gum_x86_writer_put_ret(cw);
+
+}
+
 #endif
 
diff --git a/frida_mode/src/util.c b/frida_mode/src/util.c
index 86b94970..09e8a58b 100644
--- a/frida_mode/src/util.c
+++ b/frida_mode/src/util.c
@@ -10,7 +10,7 @@ guint64 util_read_address(char *key) {
 
   if (!g_str_has_prefix(value_str, "0x")) {
 
-    FATAL("Invalid address should have 0x prefix: %s\n", value_str);
+    FATAL("Invalid address should have 0x prefix: %s=%s\n", key, value_str);
 
   }
 
@@ -20,8 +20,8 @@ guint64 util_read_address(char *key) {
 
     if (!g_ascii_isxdigit(*c)) {
 
-      FATAL("Invalid address not formed of hex digits: %s ('%c')\n", value_str,
-            *c);
+      FATAL("Invalid address not formed of hex digits: %s=%s ('%c')\n", key,
+            value_str, *c);
 
     }
 
@@ -30,7 +30,7 @@ guint64 util_read_address(char *key) {
   guint64 value = g_ascii_strtoull(value_str2, NULL, 16);
   if (value == 0) {
 
-    FATAL("Invalid address failed hex conversion: %s\n", value_str2);
+    FATAL("Invalid address failed hex conversion: %s=%s\n", key, value_str2);
 
   }
 
@@ -48,7 +48,8 @@ guint64 util_read_num(char *key) {
 
     if (!g_ascii_isdigit(*c)) {
 
-      FATAL("Invalid address not formed of decimal digits: %s\n", value_str);
+      FATAL("Invalid address not formed of decimal digits: %s=%s\n", key,
+            value_str);
 
     }
 
@@ -57,7 +58,7 @@ guint64 util_read_num(char *key) {
   guint64 value = g_ascii_strtoull(value_str, NULL, 10);
   if (value == 0) {
 
-    FATAL("Invalid address failed numeric conversion: %s\n", value_str);
+    FATAL("Invalid address failed numeric conversion: %s=%s\n", key, value_str);
 
   }
 
diff --git a/frida_mode/test/persistent_ret/GNUmakefile b/frida_mode/test/persistent_ret/GNUmakefile
new file mode 100644
index 00000000..df48d065
--- /dev/null
+++ b/frida_mode/test/persistent_ret/GNUmakefile
@@ -0,0 +1,105 @@
+PWD:=$(shell pwd)/
+ROOT:=$(shell realpath $(PWD)../../..)/
+BUILD_DIR:=$(PWD)build/
+TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/
+TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in
+
+TESTINSTBIN:=$(BUILD_DIR)testinstr
+TESTINSTSRC:=$(PWD)testinstr.c
+
+QEMU_OUT:=$(BUILD_DIR)qemu-out
+FRIDA_OUT:=$(BUILD_DIR)frida-out
+
+ifndef ARCH
+
+ARCH=$(shell uname -m)
+ifeq "$(ARCH)" "aarch64"
+ ARCH:=arm64
+endif
+
+ifeq "$(ARCH)" "i686"
+ ARCH:=x86
+endif
+endif
+
+ARCH=$(shell uname -m)
+ifeq "$(ARCH)" "aarch64"
+ AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s main -b 0x0000aaaaaaaaa000)
+ AFL_FRIDA_PERSISTENT_RET=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s slow -b 0x0000aaaaaaaaa000)
+endif
+
+ifeq "$(ARCH)" "x86_64"
+ AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s main -b 0x0000555555554000)
+ AFL_FRIDA_PERSISTENT_RET=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s slow -b 0x0000555555554000)
+endif
+
+ifeq "$(ARCH)" "x86"
+ AFL_FRIDA_PERSISTENT_ADDR=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s main -b 0x56555000)
+ AFL_FRIDA_PERSISTENT_RET=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s slow -b 0x56555000)
+endif
+
+AFL_FRIDA_PERSISTENT_RETADDR_OFFSET:=0x50
+
+.PHONY: all 32 clean qemu frida
+
+all: $(TESTINSTBIN)
+	make -C $(ROOT)frida_mode/
+
+32:
+	CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
+
+$(BUILD_DIR):
+	mkdir -p $@
+
+$(TESTINSTR_DATA_DIR): | $(BUILD_DIR)
+	mkdir -p $@
+
+$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR)
+	echo -n "000" > $@
+
+$(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
+
+clean:
+	rm -rf $(BUILD_DIR)
+
+frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
+	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
+	$(ROOT)afl-fuzz \
+		-D \
+		-O \
+		-i $(TESTINSTR_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-- \
+			$(TESTINSTBIN) @@
+
+frida_ret: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
+	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
+	AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET) \
+	AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET) \
+	$(ROOT)afl-fuzz \
+		-D \
+		-O \
+		-i $(TESTINSTR_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-- \
+			$(TESTINSTBIN) @@
+
+debug: $(TESTINSTR_DATA_FILE)
+	gdb \
+		--ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR)' \
+		--ex 'set environment AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET)' \
+		--ex 'set environment AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET)' \
+		--ex 'set environment AFL_FRIDA_PERSISTENT_DEBUG=1' \
+		--ex 'set environment AFL_DEBUG_CHILD=1' \
+		--ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
+		--ex 'set disassembly-flavor intel' \
+		--args $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
+
+run: $(TESTINSTR_DATA_FILE)
+	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
+	AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET) \
+	AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET) \
+	AFL_DEBUG_CHILD=1 \
+	LD_PRELOAD=$(ROOT)afl-frida-trace.so \
+		$(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
diff --git a/frida_mode/test/persistent_ret/Makefile b/frida_mode/test/persistent_ret/Makefile
new file mode 100644
index 00000000..e3deddbd
--- /dev/null
+++ b/frida_mode/test/persistent_ret/Makefile
@@ -0,0 +1,22 @@
+all:
+	@echo trying to use GNU make...
+	@gmake all || echo please install GNUmake
+
+32:
+	@echo trying to use GNU make...
+	@gmake 32 || echo please install GNUmake
+
+clean:
+	@gmake clean
+
+frida:
+	@gmake frida
+
+frida_ret:
+	@gmake frida_ret
+
+debug:
+	@gmake debug
+
+run:
+	@gmake run
diff --git a/frida_mode/test/persistent_ret/get_symbol_addr.py b/frida_mode/test/persistent_ret/get_symbol_addr.py
new file mode 100755
index 00000000..1c46e010
--- /dev/null
+++ b/frida_mode/test/persistent_ret/get_symbol_addr.py
@@ -0,0 +1,36 @@
+#!/usr/bin/python3
+import argparse
+from elftools.elf.elffile import ELFFile
+
+def process_file(file, symbol, base):
+    with open(file, 'rb') as f:
+        elf = ELFFile(f)
+        symtab = elf.get_section_by_name('.symtab')
+        mains = symtab.get_symbol_by_name(symbol)
+        if len(mains) != 1:
+            print ("Failed to find main")
+            return 1
+
+        main_addr = mains[0]['st_value']
+        main = base + main_addr
+        print ("0x%016x" % main)
+        return 0
+
+def hex_value(x):
+    return int(x, 16)
+
+def main():
+    parser = argparse.ArgumentParser(description='Process some integers.')
+    parser.add_argument('-f', '--file', dest='file', type=str,
+                    help='elf file name', required=True)
+    parser.add_argument('-s', '--symbol', dest='symbol', type=str,
+                    help='symbol name', required=True)
+    parser.add_argument('-b', '--base', dest='base', type=hex_value,
+                    help='elf base address', required=True)
+
+    args = parser.parse_args()
+    return process_file (args.file, args.symbol, args.base)
+
+if __name__ == "__main__":
+    ret = main()
+    exit(ret)
diff --git a/frida_mode/test/persistent_ret/testinstr.c b/frida_mode/test/persistent_ret/testinstr.c
new file mode 100644
index 00000000..6cb88a50
--- /dev/null
+++ b/frida_mode/test/persistent_ret/testinstr.c
@@ -0,0 +1,120 @@
+/*
+   american fuzzy lop++ - a trivial program to test the build
+   --------------------------------------------------------
+   Originally written by Michal Zalewski
+   Copyright 2014 Google Inc. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+     http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#ifdef __APPLE__
+  #define TESTINSTR_SECTION
+#else
+  #define TESTINSTR_SECTION __attribute__((section(".testinstr")))
+#endif
+
+void testinstr(char *buf, int len) {
+
+  if (len < 1) return;
+  buf[len] = 0;
+
+  // we support three input cases
+  if (buf[0] == '0')
+    printf("Looks like a zero to me!\n");
+  else if (buf[0] == '1')
+    printf("Pretty sure that is a one!\n");
+  else
+    printf("Neither one or zero? How quaint!\n");
+
+}
+
+void slow() {
+
+  usleep(100000);
+
+}
+
+TESTINSTR_SECTION int main(int argc, char **argv) {
+
+  char * file;
+  int    fd = -1;
+  off_t  len;
+  char * buf = NULL;
+  size_t n_read;
+  int    result = -1;
+
+  if (argc != 2) { return 1; }
+
+  do {
+
+    file = argv[1];
+
+    dprintf(STDERR_FILENO, "Running: %s\n", file);
+
+    fd = open(file, O_RDONLY);
+    if (fd < 0) {
+
+      perror("open");
+      break;
+
+    }
+
+    len = lseek(fd, 0, SEEK_END);
+    if (len < 0) {
+
+      perror("lseek (SEEK_END)");
+      break;
+
+    }
+
+    if (lseek(fd, 0, SEEK_SET) != 0) {
+
+      perror("lseek (SEEK_SET)");
+      break;
+
+    }
+
+    buf = malloc(len);
+    if (buf == NULL) {
+
+      perror("malloc");
+      break;
+
+    }
+
+    n_read = read(fd, buf, len);
+    if (n_read != len) {
+
+      perror("read");
+      break;
+
+    }
+
+    dprintf(STDERR_FILENO, "Running:    %s: (%zd bytes)\n", file, n_read);
+
+    testinstr(buf, len);
+    dprintf(STDERR_FILENO, "Done:    %s: (%zd bytes)\n", file, n_read);
+
+    slow();
+
+    result = 0;
+
+  } while (false);
+
+  if (buf != NULL) { free(buf); }
+
+  if (fd != -1) { close(fd); }
+
+  return result;
+
+}
+
diff --git a/include/envs.h b/include/envs.h
index e7162c0f..73cd82a8 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -62,7 +62,10 @@ static char *afl_environment_variables[] = {
     "AFL_FRIDA_INST_TRACE",
     "AFL_FRIDA_PERSISTENT_ADDR",
     "AFL_FRIDA_PERSISTENT_CNT",
+    "AFL_FRIDA_PERSISTENT_DEBUG",
     "AFL_FRIDA_PERSISTENT_HOOK",
+    "AFL_FRIDA_PERSISTENT_RET",
+    "AFL_FRIDA_PERSISTENT_RETADDR_OFFSET",
     "AFL_FUZZER_ARGS",  // oss-fuzz
     "AFL_GDB",
     "AFL_GCC_ALLOWLIST",
-- 
cgit 1.4.1


From b8092c62274d4b746290b44736cba0f7f4cc5400 Mon Sep 17 00:00:00 2001
From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Date: Thu, 10 Jun 2021 09:07:21 +0100
Subject: FRIDA - Remove need for AFL_FRIDA_PERSISTENT_RETADDR_OFFSET (#970)

Co-authored-by: Your Name <you@example.com>
---
 frida_mode/README.md                         |  4 +--
 frida_mode/src/persistent/persistent.c       | 13 -------
 frida_mode/src/persistent/persistent_arm64.c | 12 +++----
 frida_mode/src/persistent/persistent_x64.c   | 53 +++++++++++++++++++++++-----
 frida_mode/src/persistent/persistent_x86.c   | 40 ++++++++++++++++-----
 frida_mode/test/persistent_ret/GNUmakefile   |  5 ---
 include/envs.h                               |  1 -
 7 files changed, 81 insertions(+), 47 deletions(-)

(limited to 'frida_mode/src/persistent/persistent.c')

diff --git a/frida_mode/README.md b/frida_mode/README.md
index d7dd72a0..9b316cb9 100644
--- a/frida_mode/README.md
+++ b/frida_mode/README.md
@@ -75,7 +75,6 @@ following options are currently supported:
 * `AFL_FRIDA_PERSISTENT_CNT` - See `AFL_QEMU_PERSISTENT_CNT`
 * `AFL_FRIDA_PERSISTENT_HOOK` - See `AFL_QEMU_PERSISTENT_HOOK`
 * `AFL_FRIDA_PERSISTENT_RET` - See `AFL_QEMU_PERSISTENT_RET`
-* `AFL_FRIDA_PERSISTENT_RETADDR_OFFSET` - See `AFL_QEMU_PERSISTENT_RETADDR_OFFSET`
 
 To enable the powerful CMPLOG mechanism, set `-c 0` for `afl-fuzz`.
 
@@ -164,8 +163,7 @@ application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`)
 application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`)
 * `AFL_FRIDA_PERSISTENT_DEBUG` - Insert a Breakpoint into the instrumented code
 at `AFL_FRIDA_PERSISTENT_HOOK` and `AFL_FRIDA_PERSISTENT_RET` to allow the user
-to determine the value of `AFL_FRIDA_PERSISTENT_RETADDR_OFFSET` using a
-debugger.
+to detect issues in the persistent loop using a debugger.
 
 ```
 
diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c
index 2ec5b9cc..243d501d 100644
--- a/frida_mode/src/persistent/persistent.c
+++ b/frida_mode/src/persistent/persistent.c
@@ -13,7 +13,6 @@ afl_persistent_hook_fn hook = NULL;
 guint64                persistent_start = 0;
 guint64                persistent_count = 0;
 guint64                persistent_ret = 0;
-guint64                persistent_ret_offset = 0;
 gboolean               persistent_debug = FALSE;
 
 void persistent_init(void) {
@@ -23,8 +22,6 @@ void persistent_init(void) {
   persistent_start = util_read_address("AFL_FRIDA_PERSISTENT_ADDR");
   persistent_count = util_read_num("AFL_FRIDA_PERSISTENT_CNT");
   persistent_ret = util_read_address("AFL_FRIDA_PERSISTENT_RET");
-  persistent_ret_offset =
-      util_read_address("AFL_FRIDA_PERSISTENT_RETADDR_OFFSET");
 
   if (getenv("AFL_FRIDA_PERSISTENT_DEBUG") != NULL) { persistent_debug = TRUE; }
 
@@ -44,14 +41,6 @@ void persistent_init(void) {
 
   }
 
-  if (persistent_ret_offset != 0 && persistent_ret == 0) {
-
-    FATAL(
-        "AFL_FRIDA_PERSISTENT_RET must be specified if "
-        "AFL_FRIDA_PERSISTENT_RETADDR_OFFSET is");
-
-  }
-
   if (persistent_start != 0 && persistent_count == 0) persistent_count = 1000;
 
   if (persistent_count != 0 && persistent_count < 100)
@@ -68,8 +57,6 @@ void persistent_init(void) {
 
   OKF("Instrumentation - persistent ret [%c] (0x%016" G_GINT64_MODIFIER "X)",
       persistent_ret == 0 ? ' ' : 'X', persistent_ret);
-  OKF("Instrumentation - persistent ret offset [%c] (%" G_GINT64_MODIFIER "d)",
-      persistent_ret_offset == 0 ? ' ' : 'X', persistent_ret_offset);
 
   if (hook_name != NULL) {
 
diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c
index b23693fe..d7c6c76b 100644
--- a/frida_mode/src/persistent/persistent_arm64.c
+++ b/frida_mode/src/persistent/persistent_arm64.c
@@ -268,13 +268,15 @@ static void instrument_persitent_restore_regs(GumArm64Writer *   cw,
                                               ARM64_REG_X0, (16 * 14),
                                               GUM_INDEX_SIGNED_OFFSET);
 
-  /* Don't restore RIP or RSP, use x1-x3 as clobber */
-
-  /* LR & Adjusted SP (clobber x1) */
+  /* LR & Adjusted SP (use x1 as clobber) */
   gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X30, ARM64_REG_X1,
                                               ARM64_REG_X0, (16 * 15),
                                               GUM_INDEX_SIGNED_OFFSET);
 
+  gum_arm64_writer_put_mov_reg_reg(cw, ARM64_REG_SP, ARM64_REG_X1);
+
+  /* Don't restore RIP use x1-x3 as clobber */
+
   /* PC (x2) & CPSR (x1) */
   gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X1,
                                               ARM64_REG_X0, (16 * 16),
@@ -404,7 +406,6 @@ void persistent_prologue(GumStalkerOutput *output) {
 
   gconstpointer loop = cw->code + 1;
 
-  /* Stack must be 16-byte aligned per ABI */
   instrument_persitent_save_regs(cw, &saved_regs);
 
   /* loop: */
@@ -450,9 +451,6 @@ void persistent_epilogue(GumStalkerOutput *output) {
 
   if (persistent_debug) { gum_arm64_writer_put_brk_imm(cw, 0); }
 
-  gum_arm64_writer_put_add_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP,
-                                       persistent_ret_offset);
-
   gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X0,
                                        GUM_ADDRESS(&saved_lr));
 
diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c
index 858ad38e..653acefe 100644
--- a/frida_mode/src/persistent/persistent_x64.c
+++ b/frida_mode/src/persistent/persistent_x64.c
@@ -43,6 +43,7 @@ struct x86_64_regs {
 typedef struct x86_64_regs arch_api_regs;
 
 static arch_api_regs saved_regs = {0};
+static gpointer      saved_ret = NULL;
 
 gboolean persistent_is_supported(void) {
 
@@ -104,7 +105,7 @@ static void instrument_persitent_save_regs(GumX86Writer *      cw,
 
   /* RED_ZONE + Saved flags, RAX, alignment */
   gum_x86_writer_put_add_reg_imm(cw, GUM_REG_RBX,
-                                 GUM_RED_ZONE_SIZE + (0x8 * 3));
+                                 GUM_RED_ZONE_SIZE + (0x8 * 2));
   gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 16),
                                             GUM_REG_RBX);
 
@@ -159,7 +160,9 @@ static void instrument_persitent_restore_regs(GumX86Writer *      cw,
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R15, GUM_REG_RAX,
                                             (0x8 * 14));
 
-  /* Don't restore RIP or RSP */
+  /* Don't restore RIP */
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RSP, GUM_REG_RAX,
+                                            (0x8 * 16));
 
   /* Restore RBX, RAX & Flags */
   gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
@@ -242,6 +245,31 @@ static void persistent_prologue_hook(GumX86Writer *      cw,
 
 }
 
+static void instrument_persitent_save_ret(GumX86Writer *cw) {
+
+  /* Stack usage by this function */
+  gssize offset = GUM_RED_ZONE_SIZE + (3 * 8);
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
+                                        -(GUM_RED_ZONE_SIZE));
+
+  gum_x86_writer_put_pushfx(cw);
+  gum_x86_writer_put_push_reg(cw, GUM_REG_RAX);
+  gum_x86_writer_put_push_reg(cw, GUM_REG_RBX);
+
+  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, GUM_ADDRESS(&saved_ret));
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RSP,
+                                            offset);
+  gum_x86_writer_put_mov_reg_ptr_reg(cw, GUM_REG_RAX, GUM_REG_RBX);
+
+  gum_x86_writer_put_pop_reg(cw, GUM_REG_RBX);
+  gum_x86_writer_put_pop_reg(cw, GUM_REG_RAX);
+  gum_x86_writer_put_popfx(cw);
+
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
+                                        (GUM_RED_ZONE_SIZE));
+
+}
+
 void persistent_prologue(GumStalkerOutput *output) {
 
   /*
@@ -268,11 +296,10 @@ void persistent_prologue(GumStalkerOutput *output) {
 
   gconstpointer loop = cw->code + 1;
 
-  /* Stack must be 16-byte aligned per ABI */
-  instrument_persitent_save_regs(cw, &saved_regs);
+  /* Pop the return value */
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, 8);
 
-  /* pop the return value */
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, (8));
+  instrument_persitent_save_regs(cw, &saved_regs);
 
   /* loop: */
   gum_x86_writer_put_label(cw, loop);
@@ -304,6 +331,8 @@ void persistent_prologue(GumStalkerOutput *output) {
   /* original: */
   gum_x86_writer_put_label(cw, original);
 
+  instrument_persitent_save_ret(cw);
+
   if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); }
 
 }
@@ -314,9 +343,15 @@ void persistent_epilogue(GumStalkerOutput *output) {
 
   if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); }
 
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
-                                        persistent_ret_offset);
-  gum_x86_writer_put_ret(cw);
+  /* The stack should be aligned when we re-enter our loop */
+  gconstpointer zero = cw->code + 1;
+  gum_x86_writer_put_test_reg_u32(cw, GUM_REG_RSP, 0xF);
+  gum_x86_writer_put_jcc_near_label(cw, X86_INS_JE, zero, GUM_NO_HINT);
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, -8);
+  gum_x86_writer_put_label(cw, zero);
+
+  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, GUM_ADDRESS(&saved_ret));
+  gum_x86_writer_put_jmp_reg_ptr(cw, GUM_REG_RAX);
 
 }
 
diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c
index 0675edf4..7add6e99 100644
--- a/frida_mode/src/persistent/persistent_x86.c
+++ b/frida_mode/src/persistent/persistent_x86.c
@@ -39,6 +39,7 @@ struct x86_regs {
 typedef struct x86_regs arch_api_regs;
 
 static arch_api_regs saved_regs = {0};
+static gpointer      saved_ret = NULL;
 
 gboolean persistent_is_supported(void) {
 
@@ -117,7 +118,9 @@ static void instrument_persitent_restore_regs(GumX86Writer *   cw,
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBP, GUM_REG_EAX,
                                             (0x4 * 6));
 
-  /* Don't restore RIP or RSP */
+  /* Don't restore RIP */
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ESP, GUM_REG_EAX,
+                                            (0x4 * 8));
 
   /* Restore RBX, RAX & Flags */
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_EAX,
@@ -184,6 +187,26 @@ static void persistent_prologue_hook(GumX86Writer *cw, struct x86_regs *regs) {
 
 }
 
+static void instrument_persitent_save_ret(GumX86Writer *cw) {
+
+  /* Stack usage by this function */
+  gssize offset = (3 * 4);
+
+  gum_x86_writer_put_pushfx(cw);
+  gum_x86_writer_put_push_reg(cw, GUM_REG_EAX);
+  gum_x86_writer_put_push_reg(cw, GUM_REG_EBX);
+
+  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, GUM_ADDRESS(&saved_ret));
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_ESP,
+                                            offset);
+  gum_x86_writer_put_mov_reg_ptr_reg(cw, GUM_REG_EAX, GUM_REG_EBX);
+
+  gum_x86_writer_put_pop_reg(cw, GUM_REG_EBX);
+  gum_x86_writer_put_pop_reg(cw, GUM_REG_EAX);
+  gum_x86_writer_put_popfx(cw);
+
+}
+
 void persistent_prologue(GumStalkerOutput *output) {
 
   /*
@@ -210,11 +233,10 @@ void persistent_prologue(GumStalkerOutput *output) {
 
   gconstpointer loop = cw->code + 1;
 
-  /* Stack must be 16-byte aligned per ABI */
-  instrument_persitent_save_regs(cw, &saved_regs);
-
   /* Pop the return value */
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, (4));
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, 4);
+
+  instrument_persitent_save_regs(cw, &saved_regs);
 
   /* loop: */
   gum_x86_writer_put_label(cw, loop);
@@ -244,6 +266,8 @@ void persistent_prologue(GumStalkerOutput *output) {
   /* original: */
   gum_x86_writer_put_label(cw, original);
 
+  instrument_persitent_save_ret(cw);
+
   if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); }
 
 }
@@ -254,10 +278,8 @@ void persistent_epilogue(GumStalkerOutput *output) {
 
   if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); }
 
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP,
-                                        persistent_ret_offset);
-
-  gum_x86_writer_put_ret(cw);
+  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, GUM_ADDRESS(&saved_ret));
+  gum_x86_writer_put_jmp_reg_ptr(cw, GUM_REG_EAX);
 
 }
 
diff --git a/frida_mode/test/persistent_ret/GNUmakefile b/frida_mode/test/persistent_ret/GNUmakefile
index 4c9d8a19..2de51d86 100644
--- a/frida_mode/test/persistent_ret/GNUmakefile
+++ b/frida_mode/test/persistent_ret/GNUmakefile
@@ -38,8 +38,6 @@ ifeq "$(ARCH)" "x86"
  AFL_FRIDA_PERSISTENT_RET=$(shell $(PWD)get_symbol_addr.py -f $(TESTINSTBIN) -s slow -b 0x56555000)
 endif
 
-AFL_FRIDA_PERSISTENT_RETADDR_OFFSET:=0x50
-
 .PHONY: all 32 clean qemu frida
 
 all: $(TESTINSTBIN)
@@ -76,7 +74,6 @@ frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
 frida_ret: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
 	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET) \
-	AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET) \
 	$(ROOT)afl-fuzz \
 		-D \
 		-O \
@@ -89,7 +86,6 @@ debug: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
 	gdb \
 		--ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR)' \
 		--ex 'set environment AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET)' \
-		--ex 'set environment AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET)' \
 		--ex 'set environment AFL_FRIDA_PERSISTENT_DEBUG=1' \
 		--ex 'set environment AFL_DEBUG_CHILD=1' \
 		--ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
@@ -99,7 +95,6 @@ debug: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
 run: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
 	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET) \
-	AFL_FRIDA_PERSISTENT_RETADDR_OFFSET=$(AFL_FRIDA_PERSISTENT_RETADDR_OFFSET) \
 	AFL_DEBUG_CHILD=1 \
 	LD_PRELOAD=$(ROOT)afl-frida-trace.so \
 		$(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
diff --git a/include/envs.h b/include/envs.h
index 15116fc1..ea912a25 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -67,7 +67,6 @@ static char *afl_environment_variables[] = {
     "AFL_FRIDA_PERSISTENT_DEBUG",
     "AFL_FRIDA_PERSISTENT_HOOK",
     "AFL_FRIDA_PERSISTENT_RET",
-    "AFL_FRIDA_PERSISTENT_RETADDR_OFFSET",
     "AFL_FRIDA_STATS_FILE",
     "AFL_FRIDA_STATS_INTERVAL",
     "AFL_FRIDA_STATS_TRANSITIONS",
-- 
cgit 1.4.1


From f348a35ec6cece54796599865c683505a475fe88 Mon Sep 17 00:00:00 2001
From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Date: Thu, 24 Jun 2021 18:46:08 +0100
Subject: Added JS support (#992)

* Added JS support

* Added some documentation

Co-authored-by: Your Name <you@example.com>
---
 frida_mode/GNUmakefile                       |  40 +++--
 frida_mode/README.md                         |   4 +
 frida_mode/Scripting.md                      | 240 +++++++++++++++++++++++++++
 frida_mode/include/asan.h                    |   3 +-
 frida_mode/include/ctx.h                     |   2 +-
 frida_mode/include/entry.h                   |   8 +-
 frida_mode/include/frida_cmplog.h            |   1 +
 frida_mode/include/instrument.h              |  16 +-
 frida_mode/include/intercept.h               |  11 ++
 frida_mode/include/interceptor.h             |  11 --
 frida_mode/include/js.h                      |  18 ++
 frida_mode/include/lib.h                     |   4 +-
 frida_mode/include/output.h                  |   6 +-
 frida_mode/include/persistent.h              |   7 +-
 frida_mode/include/prefetch.h                |   5 +-
 frida_mode/include/ranges.h                  |   9 +-
 frida_mode/include/stalker.h                 |   3 +-
 frida_mode/include/stats.h                   |   7 +-
 frida_mode/include/util.h                    |   2 +-
 frida_mode/src/asan/asan.c                   |  21 ++-
 frida_mode/src/asan/asan_arm32.c             |   2 +-
 frida_mode/src/asan/asan_arm64.c             |   2 +-
 frida_mode/src/asan/asan_x64.c               |   2 +-
 frida_mode/src/asan/asan_x86.c               |   2 +-
 frida_mode/src/cmplog/cmplog.c               |  16 +-
 frida_mode/src/cmplog/cmplog_arm32.c         |   2 +-
 frida_mode/src/cmplog/cmplog_arm64.c         |   2 +-
 frida_mode/src/cmplog/cmplog_x64.c           |   2 +-
 frida_mode/src/cmplog/cmplog_x86.c           |   2 +-
 frida_mode/src/ctx/ctx_arm32.c               |   2 +-
 frida_mode/src/ctx/ctx_arm64.c               |   2 +-
 frida_mode/src/ctx/ctx_x64.c                 |   2 +-
 frida_mode/src/ctx/ctx_x86.c                 |   2 +-
 frida_mode/src/entry.c                       |  19 ++-
 frida_mode/src/instrument/instrument.c       |  66 ++++----
 frida_mode/src/instrument/instrument_arm32.c |   2 +-
 frida_mode/src/instrument/instrument_arm64.c |   4 +-
 frida_mode/src/instrument/instrument_debug.c |  23 ++-
 frida_mode/src/instrument/instrument_x64.c   |   4 +-
 frida_mode/src/instrument/instrument_x86.c   |   4 +-
 frida_mode/src/intercept.c                   |  35 ++++
 frida_mode/src/interceptor.c                 |  35 ----
 frida_mode/src/js/api.js                     | 201 ++++++++++++++++++++++
 frida_mode/src/js/js.c                       | 113 +++++++++++++
 frida_mode/src/js/js_api.c                   | 142 ++++++++++++++++
 frida_mode/src/lib/lib.c                     |   6 +-
 frida_mode/src/lib/lib_apple.c               |   6 +-
 frida_mode/src/main.c                        |  53 +++---
 frida_mode/src/output.c                      |  28 +++-
 frida_mode/src/persistent/persistent.c       |  57 +++----
 frida_mode/src/persistent/persistent_arm32.c |   2 +-
 frida_mode/src/persistent/persistent_arm64.c |   8 +-
 frida_mode/src/persistent/persistent_x64.c   |   8 +-
 frida_mode/src/persistent/persistent_x86.c   |   8 +-
 frida_mode/src/prefetch.c                    |  37 ++++-
 frida_mode/src/ranges.c                      | 120 +++++++-------
 frida_mode/src/stalker.c                     |  31 +++-
 frida_mode/src/stats/stats.c                 |  33 ++--
 frida_mode/src/stats/stats_arm32.c           |   2 +-
 frida_mode/src/stats/stats_arm64.c           |   2 +-
 frida_mode/src/stats/stats_x64.c             |   2 +-
 frida_mode/src/stats/stats_x86.c             |   2 +-
 frida_mode/test/deferred/GNUmakefile         |   2 +-
 frida_mode/test/js/GNUmakefile               |  44 +++++
 frida_mode/test/js/Makefile                  |  16 ++
 frida_mode/test/js/test.js                   |  20 +++
 frida_mode/test/js/testinstr.c               | 121 ++++++++++++++
 frida_mode/test/persistent_ret/GNUmakefile   |  10 ++
 frida_mode/test/persistent_ret/test.js       |  38 +++++
 include/envs.h                               |   3 +-
 70 files changed, 1460 insertions(+), 305 deletions(-)
 create mode 100644 frida_mode/Scripting.md
 create mode 100644 frida_mode/include/intercept.h
 delete mode 100644 frida_mode/include/interceptor.h
 create mode 100644 frida_mode/include/js.h
 create mode 100644 frida_mode/src/intercept.c
 delete mode 100644 frida_mode/src/interceptor.c
 create mode 100644 frida_mode/src/js/api.js
 create mode 100644 frida_mode/src/js/js.c
 create mode 100644 frida_mode/src/js/js_api.c
 create mode 100644 frida_mode/test/js/GNUmakefile
 create mode 100644 frida_mode/test/js/Makefile
 create mode 100644 frida_mode/test/js/test.js
 create mode 100644 frida_mode/test/js/testinstr.c
 create mode 100644 frida_mode/test/persistent_ret/test.js

(limited to 'frida_mode/src/persistent/persistent.c')

diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index 2f637412..fdacff62 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -6,6 +6,11 @@ INCLUDES:=$(wildcard $(INC_DIR)*.h)
 BUILD_DIR:=$(PWD)build/
 OBJ_DIR:=$(BUILD_DIR)obj/
 
+JS_DIR:=$(SRC_DIR)js/
+JS_NAME:=api.js
+JS:=$(JS_DIR)$(JS_NAME)
+JS_SRC:=$(BUILD_DIR)api.c
+JS_OBJ:=$(BUILD_DIR)api.o
 SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c)
 OBJS:=$(foreach src,$(SOURCES),$(OBJ_DIR)$(notdir $(patsubst %.c, %.o, $(src))))
 CFLAGS+=-fPIC \
@@ -71,25 +76,25 @@ ifndef OS
 endif
 
 GUM_DEVKIT_VERSION=14.2.18
-GUM_DEVKIT_FILENAME=frida-gum-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar.xz
+GUM_DEVKIT_FILENAME=frida-gumjs-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar.xz
 GUM_DEVKIT_URL="https://github.com/frida/frida/releases/download/$(GUM_DEVKIT_VERSION)/$(GUM_DEVKIT_FILENAME)"
 
 GUM_DEVKIT_TARBALL:=$(FRIDA_BUILD_DIR)$(GUM_DEVKIT_FILENAME)
-GUM_DEVIT_LIBRARY=$(FRIDA_BUILD_DIR)libfrida-gum.a
-GUM_DEVIT_HEADER=$(FRIDA_BUILD_DIR)frida-gum.h
+GUM_DEVIT_LIBRARY=$(FRIDA_BUILD_DIR)libfrida-gumjs.a
+GUM_DEVIT_HEADER=$(FRIDA_BUILD_DIR)frida-gumjs.h
 
 FRIDA_DIR:=$(PWD)build/frida-source/
 FRIDA_MAKEFILE:=$(FRIDA_DIR)Makefile
-FRIDA_GUM:=$(FRIDA_DIR)build/frida-linux-x86_64/lib/libfrida-gum-1.0.a
+FRIDA_GUM:=$(FRIDA_DIR)build/frida-linux-x86_64/lib/libfrida-gumjs-1.0.a
 FRIDA_GUM_DEVKIT_DIR:=$(FRIDA_DIR)build/gum-devkit/
-FRIDA_GUM_DEVKIT_HEADER:=$(FRIDA_GUM_DEVKIT_DIR)frida-gum.h
-FRIDA_GUM_DEVKIT_TARBALL:=$(FRIDA_DIR)build/frida-gum-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar
+FRIDA_GUM_DEVKIT_HEADER:=$(FRIDA_GUM_DEVKIT_DIR)frida-gumjs.h
+FRIDA_GUM_DEVKIT_TARBALL:=$(FRIDA_DIR)build/frida-gumjs-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar
 FRIDA_GUM_DEVKIT_COMPRESSED_TARBALL:=$(FRIDA_DIR)build/$(GUM_DEVKIT_FILENAME)
 
 AFL_COMPILER_RT_SRC:=$(ROOT)instrumentation/afl-compiler-rt.o.c
 AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o
 
-.PHONY: all 32 clean format $(FRIDA_GUM)
+.PHONY: all 32 clean format $(FRIDA_GUM) quickjs
 
 ############################## ALL #############################################
 
@@ -113,7 +118,7 @@ $(FRIDA_GUM): $(FRIDA_MAKEFILE)
 	cd $(FRIDA_DIR) && make gum-linux-$(ARCH)
 
 $(FRIDA_GUM_DEVKIT_HEADER): $(FRIDA_GUM)
-	$(FRIDA_DIR)releng/devkit.py frida-gum linux-$(ARCH) $(FRIDA_DIR)build/gum-devkit/
+	$(FRIDA_DIR)releng/devkit.py frida-gumjs linux-$(ARCH) $(FRIDA_DIR)build/gum-devkit/
 
 $(FRIDA_GUM_DEVKIT_TARBALL): $(FRIDA_GUM_DEVKIT_HEADER)
 	cd $(FRIDA_GUM_DEVKIT_DIR) && tar cvf $(FRIDA_GUM_DEVKIT_TARBALL) .
@@ -150,6 +155,20 @@ $(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC)
 		-o $@ \
 		-c $<
 
+############################### JS #############################################
+
+$(JS_SRC): $(JS) | $(BUILD_DIR)
+	cd $(JS_DIR) && xxd -i $(JS_NAME) $@
+
+$(JS_OBJ): $(JS_SRC)
+	$(CC) \
+		$(CFLAGS) \
+		-I $(ROOT)include \
+		-I $(FRIDA_BUILD_DIR) \
+		-I $(INC_DIR) \
+		-c $< \
+		-o $@
+
 ############################# SOURCE ###########################################
 
 define BUILD_SOURCE
@@ -167,9 +186,10 @@ $(foreach src,$(SOURCES),$(eval $(call BUILD_SOURCE,$(src),$(OBJ_DIR)$(notdir $(
 
 ######################## AFL-FRIDA-TRACE #######################################
 
-$(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(AFL_COMPILER_RT_OBJ) GNUmakefile | $(BUILD_DIR)
-	$(CC) \
+$(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL_COMPILER_RT_OBJ) GNUmakefile | $(BUILD_DIR)
+	$(CXX) \
 		$(OBJS) \
+		$(JS_OBJ) \
 		$(GUM_DEVIT_LIBRARY) \
 		$(AFL_COMPILER_RT_OBJ) \
 		$(LDFLAGS) \
diff --git a/frida_mode/README.md b/frida_mode/README.md
index 296e6405..6bed52b7 100644
--- a/frida_mode/README.md
+++ b/frida_mode/README.md
@@ -78,6 +78,10 @@ following options are currently supported:
 
 To enable the powerful CMPLOG mechanism, set `-c 0` for `afl-fuzz`.
 
+## Scripting
+
+One of the more powerful features of FRIDA mode is it's support for configuration by JavaScript, rather than using environment variables. For details of how this works see [here](Scripting.md).
+
 ## Performance
 
 Additionally, the intention is to be able to make a direct performance
diff --git a/frida_mode/Scripting.md b/frida_mode/Scripting.md
new file mode 100644
index 00000000..8b961e18
--- /dev/null
+++ b/frida_mode/Scripting.md
@@ -0,0 +1,240 @@
+# Scripting
+FRIDA now supports the ability to configure itself using JavaScript. This allows
+the user to make use of the convenience of FRIDA's scripting engine (along with
+it's support for debug symbols and exports) to configure all of the things which
+were traditionally configured using environment variables.
+
+By default FRIDA mode will look for the file `afl.js` in the current working
+directory of the target. Alternatively, a script file can be configured using
+the environment variable `AFL_FRIDA_JS_SCRIPT`.
+
+This script can make use of all of the standard [frida api functions](https://frida.re/docs/javascript-api/), but FRIDA mode adds some additional functions to allow
+you to interact with FRIDA mode itself. These can all be accessed via the global
+`Afl` parameter. e.g. `Afl.print("HELLO WORLD");`,
+
+If you encounter a problem with your script, then you should set the environment
+variable `AFL_DEBUG_CHILD=1` to view any diagnostic information.
+
+
+# Example
+Most of the time, users will likely be wanting to call the functions which configure an address (e.g. for the entry point, or the persistent address).
+
+The example below uses the API [`DebugSymbol.fromName()`](https://frida.re/docs/javascript-api/#debugsymbol). Another use API is [`Module.getExportByName()`](https://frida.re/docs/javascript-api/#module).
+
+```js
+/* Use Afl.print instead of console.log */
+Afl.print('******************');
+Afl.print('* AFL FRIDA MODE *');
+Afl.print('******************');
+Afl.print('');
+
+/* Print some useful diagnostics stuff */
+Afl.print(`PID: ${Process.id}`);
+
+new ModuleMap().values().forEach(m => {
+    Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
+});
+
+/*
+ * Configure entry-point, persistence etc. This will be what most
+ * people want to do.
+ */
+const persistent_addr = DebugSymbol.fromName('main');
+Afl.print(`persistent_addr: ${persistent_addr.address}`);
+
+if (persistent_addr.address.equals(ptr(0))) {
+    Afl.error('Cannot find symbol main');
+}
+
+const persistent_ret = DebugSymbol.fromName('slow');
+Afl.print(`persistent_ret: ${persistent_ret.address}`);
+
+if (persistent_ret.address.equals(ptr(0))) {
+    Afl.error('Cannot find symbol slow');
+}
+
+Afl.setPersistentAddress(persistent_addr.address);
+Afl.setPersistentReturn(persistent_ret.address);
+Afl.setPersistentCount(1000000);
+
+/* Control instrumentation, you may want to do this too */
+Afl.setInstrumentLibraries();
+const mod = Process.findModuleByName("libc-2.31.so")
+Afl.addExcludedRange(mod.base, mod.size);
+
+/* Some useful options to configure logging */
+Afl.setStdOut("/tmp/stdout.txt");
+Afl.setStdErr("/tmp/stderr.txt");
+
+/* Show the address layout. Sometimes helpful */
+Afl.setDebugMaps();
+
+/*
+ * If you are using these options, then things aren't going
+ * very well for you.
+ */
+Afl.setInstrumentDebugFile("/tmp/instr.log");
+Afl.setPrefetchDisable();
+Afl.setInstrumentNoOptimize();
+Afl.setInstrumentEnableTracing();
+Afl.setInstrumentTracingUnique();
+Afl.setStatsFile("/tmp/stats.txt");
+Afl.setStatsInterval(1);
+Afl.setStatsTransitions();
+
+/* *ALWAYS* call this when you have finished all your configuration */
+Afl.done();
+Afl.print("done");
+```
+
+# Stripped Binaries
+
+Lastly, if the binary you attempting to fuzz has no symbol information, and no
+exports, then the following approach can be used.
+
+```js
+const module = Process.getModuleByName('target.exe');
+/* Hardcoded offset within the target image */
+const address = module.base.add(0xdeadface);
+Afl.setPersistentAddress(address);
+```
+
+# API
+```js
+/*
+ * Print a message to the STDOUT. This should be preferred to
+ * FRIDA's `console.log` since FRIDA will queue it's log messages.
+ * If `console.log` is used in a callback in particular, then there
+ * may no longer be a thread running to service this queue.
+ */
+Afl.print(msg);
+
+/*
+ * This must always be called at the end of your script. This lets
+ * FRIDA mode know that your configuration is finished and that
+ * execution has reached the end of your script. Failure to call
+ * this will result in a fatal error.
+ */
+Afl.done();
+
+/*
+ * This function can be called within your script to cause FRIDA
+ * mode to trigger a fatal error. This is useful if for example you
+ * discover a problem you weren't expecting and want everything to
+ * stop. The user will need to enable `AFL_DEBUG_CHILD=1` to view
+ * this error message.
+ */
+Afl.error();
+
+/*
+ * This has the same effect as setting `AFL_ENTRYPOINT`, but has the
+ * convenience of allowing you to use FRIDAs APIs to determine the
+ * address you would like to configure, rather than having to grep
+ * the output of `readelf` or something similarly ugly. This
+ * function should be called with a `NativePointer` as its
+ * argument.
+ */
+Afl.setEntryPoint(address);
+
+/*
+ * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a
+ * `NativePointer` should be provided as it's argument.
+ */
+Afl.setPersistentAddress(address);
+
+/*
+ * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a
+ * `NativePointer` should be provided as it's argument.
+ */
+Afl.setPersistentReturn(address);
+
+/*
+ * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a
+ * `number` should be provided as it's argument.
+ */
+Afl.setPersistentCount(count);
+
+/*
+ * See `AFL_FRIDA_PERSISTENT_DEBUG`.
+ */
+Afl.setPersistentDebug();
+
+/*
+ * See `AFL_FRIDA_DEBUG_MAPS`.
+ */
+Afl.setDebugMaps();
+
+/*
+ * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`,
+ * it takes as arguments a `NativePointer` and a `number`. It can be
+ * called multiple times to include several ranges.
+ */
+Afl.addIncludedRange(address, size);
+
+/*
+ * This is equivalent to setting a value in `AFL_FRIDA_EXCLUDE_RANGES`,
+ * it takes as arguments a `NativePointer` and a `number`. It can be
+ * called multiple times to exclude several ranges.
+ */
+Afl.addExcludedRange(address, size);
+
+/*
+ * See `AFL_INST_LIBS`.
+ */
+Afl.setInstrumentLibraries();
+
+/*
+ * See `AFL_FRIDA_INST_DEBUG_FILE`. This function takes a single `string` as
+ * an argument.
+ */
+Afl.setInstrumentDebugFile(file);
+
+/*
+ * See `AFL_FRIDA_INST_NO_PREFETCH`.
+ */
+Afl.setPrefetchDisable();
+
+/*
+ * See `AFL_FRIDA_INST_NO_OPTIMIZE`
+ */
+Afl.setInstrumentNoOptimize();
+
+/*
+ * See `AFL_FRIDA_INST_TRACE`.
+ */
+Afl.setInstrumentEnableTracing();
+
+/*
+ * See `AFL_FRIDA_INST_TRACE_UNIQUE`.
+ */
+Afl.setInstrumentTracingUnique()
+
+/*
+ * See `AFL_FRIDA_OUTPUT_STDOUT`. This function takes a single `string` as
+ * an argument.
+ */
+Afl.setStdOut(file);
+
+/*
+ * See `AFL_FRIDA_OUTPUT_STDERR`. This function takes a single `string` as
+ * an argument.
+ */
+Afl.setStdErr(file);
+
+/*
+ * See `AFL_FRIDA_STATS_FILE`. This function takes a single `string` as
+ * an argument.
+ */
+Afl.setStatsFile(file);
+
+/*
+ * See `AFL_FRIDA_STATS_INTERVAL`. This function takes a `number` as an
+ * argument
+ */
+Afl.setStatsInterval(interval);
+
+/*
+ * See `AFL_FRIDA_STATS_TRANSITIONS`
+ */
+Afl.setStatsTransitions()
+```
diff --git a/frida_mode/include/asan.h b/frida_mode/include/asan.h
index 7a8726e0..67d33591 100644
--- a/frida_mode/include/asan.h
+++ b/frida_mode/include/asan.h
@@ -1,10 +1,11 @@
 #ifndef _ASAN_H
 #define _ASAN_H
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 extern gboolean asan_initialized;
 
+void asan_config(void);
 void asan_init(void);
 void asan_arch_init(void);
 void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator);
diff --git a/frida_mode/include/ctx.h b/frida_mode/include/ctx.h
index 67274aee..c669478e 100644
--- a/frida_mode/include/ctx.h
+++ b/frida_mode/include/ctx.h
@@ -1,7 +1,7 @@
 #ifndef _CTX_H
 #define _CTX_H
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #if defined(__x86_64__)
 gsize ctx_read_reg(GumX64CpuContext *ctx, x86_reg reg);
diff --git a/frida_mode/include/entry.h b/frida_mode/include/entry.h
index 967831af..801c2bbe 100644
--- a/frida_mode/include/entry.h
+++ b/frida_mode/include/entry.h
@@ -1,13 +1,15 @@
 #ifndef _ENTRY_H
 #define _ENTRY_H
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
-extern guint64 entry_start;
+extern guint64 entry_point;
+
+void entry_config(void);
 
 void entry_init(void);
 
-void entry_run(void);
+void entry_start(void);
 
 void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output);
 
diff --git a/frida_mode/include/frida_cmplog.h b/frida_mode/include/frida_cmplog.h
index b620a472..a665e970 100644
--- a/frida_mode/include/frida_cmplog.h
+++ b/frida_mode/include/frida_cmplog.h
@@ -3,6 +3,7 @@
 
 extern struct cmp_map *__afl_cmp_map;
 
+void cmplog_config(void);
 void cmplog_init(void);
 
 /* Functions to be implemented by the different architectures */
diff --git a/frida_mode/include/instrument.h b/frida_mode/include/instrument.h
index 577481d1..9c8d3a5d 100644
--- a/frida_mode/include/instrument.h
+++ b/frida_mode/include/instrument.h
@@ -1,13 +1,20 @@
 #ifndef _INSTRUMENT_H
 #define _INSTRUMENT_H
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "config.h"
 
-extern __thread uint64_t previous_pc;
-extern uint8_t *         __afl_area_ptr;
-extern uint32_t          __afl_map_size;
+extern char *            instrument_debug_filename;
+extern gboolean          instrument_tracing;
+extern gboolean          instrument_optimize;
+extern gboolean          instrument_unique;
+extern __thread uint64_t instrument_previous_pc;
+
+extern uint8_t *__afl_area_ptr;
+extern uint32_t __afl_map_size;
+
+void instrument_config(void);
 
 void instrument_init(void);
 
@@ -19,6 +26,7 @@ gboolean instrument_is_coverage_optimize_supported(void);
 void instrument_coverage_optimize(const cs_insn *   instr,
                                   GumStalkerOutput *output);
 
+void     instrument_debug_config(void);
 void     instrument_debug_init(void);
 void     instrument_debug_start(uint64_t address, GumStalkerOutput *output);
 void     instrument_debug_instruction(uint64_t address, uint16_t size);
diff --git a/frida_mode/include/intercept.h b/frida_mode/include/intercept.h
new file mode 100644
index 00000000..8fe93b10
--- /dev/null
+++ b/frida_mode/include/intercept.h
@@ -0,0 +1,11 @@
+#ifndef _INTERCEPTOR_H
+#define _INTERCEPTOR_H
+
+#include "frida-gumjs.h"
+
+void intercept_hook(void *address, gpointer replacement, gpointer user_data);
+void intercept_unhook(void *address);
+void intercept_unhook_self(void);
+
+#endif
+
diff --git a/frida_mode/include/interceptor.h b/frida_mode/include/interceptor.h
deleted file mode 100644
index 0ff754a4..00000000
--- a/frida_mode/include/interceptor.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef _INTERCEPTOR_H
-#define _INTERCEPTOR_H
-
-#include "frida-gum.h"
-
-void intercept(void *address, gpointer replacement, gpointer user_data);
-void unintercept(void *address);
-void unintercept_self(void);
-
-#endif
-
diff --git a/frida_mode/include/js.h b/frida_mode/include/js.h
new file mode 100644
index 00000000..77237d55
--- /dev/null
+++ b/frida_mode/include/js.h
@@ -0,0 +1,18 @@
+#ifndef _JS_H
+#define _JS_H
+
+#include "frida-gumjs.h"
+
+extern unsigned char api_js[];
+extern unsigned int  api_js_len;
+
+extern gboolean js_done;
+
+/* Frida Mode */
+
+void js_config(void);
+
+void js_start(void);
+
+#endif
+
diff --git a/frida_mode/include/lib.h b/frida_mode/include/lib.h
index 237aecb0..a9d56e4e 100644
--- a/frida_mode/include/lib.h
+++ b/frida_mode/include/lib.h
@@ -1,7 +1,9 @@
 #ifndef _LIB_H
 #define _LIB_H
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
+
+void lib_config(void);
 
 void lib_init(void);
 
diff --git a/frida_mode/include/output.h b/frida_mode/include/output.h
index 53a9fdd3..743b2fe6 100644
--- a/frida_mode/include/output.h
+++ b/frida_mode/include/output.h
@@ -1,8 +1,12 @@
 #ifndef _OUTPUT_H
 #define _OUTPUT_H
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
+extern char *output_stdout;
+extern char *output_stderr;
+
+void output_config(void);
 void output_init(void);
 
 #endif
diff --git a/frida_mode/include/persistent.h b/frida_mode/include/persistent.h
index 25b44ab0..8f00196c 100644
--- a/frida_mode/include/persistent.h
+++ b/frida_mode/include/persistent.h
@@ -2,7 +2,7 @@
 #ifndef _PERSISTENT_H
 #define _PERSISTENT_H
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 #include "config.h"
 
 typedef struct arch_api_regs api_regs;
@@ -19,9 +19,10 @@ extern unsigned char *__afl_fuzz_ptr;
 extern guint64                persistent_start;
 extern guint64                persistent_count;
 extern guint64                persistent_ret;
-extern guint64                persistent_ret_offset;
 extern gboolean               persistent_debug;
-extern afl_persistent_hook_fn hook;
+extern afl_persistent_hook_fn persistent_hook;
+
+void persistent_config(void);
 
 void persistent_init(void);
 
diff --git a/frida_mode/include/prefetch.h b/frida_mode/include/prefetch.h
index 8f0cee68..835d5e8a 100644
--- a/frida_mode/include/prefetch.h
+++ b/frida_mode/include/prefetch.h
@@ -1,8 +1,11 @@
 #ifndef _PREFETCH_H
 #define _PREFETCH_H
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
+extern gboolean prefetch_enable;
+
+void prefetch_config(void);
 void prefetch_init(void);
 void prefetch_write(void *addr);
 void prefetch_read(void);
diff --git a/frida_mode/include/ranges.h b/frida_mode/include/ranges.h
index c623f473..a667fb76 100644
--- a/frida_mode/include/ranges.h
+++ b/frida_mode/include/ranges.h
@@ -1,13 +1,20 @@
 #ifndef _RANGES_H
 #define _RANGES_H
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
+extern gboolean ranges_debug_maps;
+extern gboolean ranges_inst_libs;
+
+void ranges_config(void);
 void ranges_init(void);
 
 gboolean range_is_excluded(gpointer address);
 
 void ranges_exclude();
 
+void ranges_add_include(GumMemoryRange *range);
+void ranges_add_exclude(GumMemoryRange *range);
+
 #endif
 
diff --git a/frida_mode/include/stalker.h b/frida_mode/include/stalker.h
index 186ead11..2136fe52 100644
--- a/frida_mode/include/stalker.h
+++ b/frida_mode/include/stalker.h
@@ -1,8 +1,9 @@
 #ifndef _STALKER_H
 #define _STALKER_H
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
+void        stalker_config(void);
 void        stalker_init(void);
 GumStalker *stalker_get(void);
 void        stalker_start(void);
diff --git a/frida_mode/include/stats.h b/frida_mode/include/stats.h
index 4271132a..1cfd6b8f 100644
--- a/frida_mode/include/stats.h
+++ b/frida_mode/include/stats.h
@@ -1,7 +1,7 @@
 #ifndef _STATS_H
 #define _STATS_H
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 typedef struct {
 
@@ -15,6 +15,11 @@ typedef struct {
 
 extern stats_data_header_t *stats_data;
 
+extern char *   stats_filename;
+extern guint64  stats_interval;
+extern gboolean stats_transitions;
+
+void stats_config(void);
 void stats_init(void);
 void stats_collect(const cs_insn *instr, gboolean begin);
 void stats_print(char *format, ...);
diff --git a/frida_mode/include/util.h b/frida_mode/include/util.h
index 7b443b5e..525e9d40 100644
--- a/frida_mode/include/util.h
+++ b/frida_mode/include/util.h
@@ -1,7 +1,7 @@
 #ifndef _UTIL_H
 #define _UTIL_H
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #define UNUSED_PARAMETER(x) (void)(x)
 #define IGNORED_RETURN(x) (void)!(x)
diff --git a/frida_mode/src/asan/asan.c b/frida_mode/src/asan/asan.c
index f78f690c..b2e763ca 100644
--- a/frida_mode/src/asan/asan.c
+++ b/frida_mode/src/asan/asan.c
@@ -1,18 +1,18 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
 #include "asan.h"
 
-gboolean asan_initialized = FALSE;
+static gboolean asan_enabled = FALSE;
+gboolean        asan_initialized = FALSE;
 
-void asan_init(void) {
+void asan_config(void) {
 
   if (getenv("AFL_USE_FASAN") != NULL) {
 
     OKF("Frida ASAN mode enabled");
-    asan_arch_init();
-    asan_initialized = TRUE;
+    asan_enabled = TRUE;
 
   } else {
 
@@ -22,3 +22,14 @@ void asan_init(void) {
 
 }
 
+void asan_init(void) {
+
+  if (asan_enabled) {
+
+    asan_arch_init();
+    asan_initialized = TRUE;
+
+  }
+
+}
+
diff --git a/frida_mode/src/asan/asan_arm32.c b/frida_mode/src/asan/asan_arm32.c
index 79475ced..f5fa4713 100644
--- a/frida_mode/src/asan/asan_arm32.c
+++ b/frida_mode/src/asan/asan_arm32.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
diff --git a/frida_mode/src/asan/asan_arm64.c b/frida_mode/src/asan/asan_arm64.c
index 66138e42..65524e03 100644
--- a/frida_mode/src/asan/asan_arm64.c
+++ b/frida_mode/src/asan/asan_arm64.c
@@ -1,5 +1,5 @@
 #include <dlfcn.h>
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
diff --git a/frida_mode/src/asan/asan_x64.c b/frida_mode/src/asan/asan_x64.c
index a2eabe3c..5c12669f 100644
--- a/frida_mode/src/asan/asan_x64.c
+++ b/frida_mode/src/asan/asan_x64.c
@@ -1,5 +1,5 @@
 #include <dlfcn.h>
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
diff --git a/frida_mode/src/asan/asan_x86.c b/frida_mode/src/asan/asan_x86.c
index 8490b490..6d2f9e2b 100644
--- a/frida_mode/src/asan/asan_x86.c
+++ b/frida_mode/src/asan/asan_x86.c
@@ -1,5 +1,5 @@
 #include <dlfcn.h>
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
diff --git a/frida_mode/src/cmplog/cmplog.c b/frida_mode/src/cmplog/cmplog.c
index 8814f7f3..a2609c8e 100644
--- a/frida_mode/src/cmplog/cmplog.c
+++ b/frida_mode/src/cmplog/cmplog.c
@@ -5,7 +5,7 @@
 #include <sys/syscall.h>
 #include <unistd.h>
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
@@ -50,6 +50,10 @@ static void cmplog_get_ranges(void) {
 
 }
 
+void cmplog_config(void) {
+
+}
+
 void cmplog_init(void) {
 
   if (__afl_cmp_map != NULL) { OKF("CMPLOG mode enabled"); }
@@ -94,10 +98,10 @@ static gboolean cmplog_contains(GumAddress inner_base, GumAddress inner_limit,
 
 gboolean cmplog_test_addr(guint64 addr, size_t size) {
 
-  if (g_hash_table_contains(hash_yes, (gpointer)addr)) { return true; }
-  if (g_hash_table_contains(hash_no, (gpointer)addr)) { return false; }
+  if (g_hash_table_contains(hash_yes, GSIZE_TO_POINTER(addr))) { return true; }
+  if (g_hash_table_contains(hash_no, GSIZE_TO_POINTER(addr))) { return false; }
 
-  void * page_addr = (void *)(addr & page_mask);
+  void * page_addr = GSIZE_TO_POINTER(addr & page_mask);
   size_t page_offset = addr & page_offset_mask;
 
   /* If it spans a page, then bail */
@@ -109,7 +113,7 @@ gboolean cmplog_test_addr(guint64 addr, size_t size) {
    */
   if (msync(page_addr, page_offset + size, MS_ASYNC) < 0) {
 
-    if (!g_hash_table_add(hash_no, (gpointer)addr)) {
+    if (!g_hash_table_add(hash_no, GSIZE_TO_POINTER(addr))) {
 
       FATAL("Failed - g_hash_table_add");
 
@@ -119,7 +123,7 @@ gboolean cmplog_test_addr(guint64 addr, size_t size) {
 
   } else {
 
-    if (!g_hash_table_add(hash_yes, (gpointer)addr)) {
+    if (!g_hash_table_add(hash_yes, GSIZE_TO_POINTER(addr))) {
 
       FATAL("Failed - g_hash_table_add");
 
diff --git a/frida_mode/src/cmplog/cmplog_arm32.c b/frida_mode/src/cmplog/cmplog_arm32.c
index 5af28f3f..ac703408 100644
--- a/frida_mode/src/cmplog/cmplog_arm32.c
+++ b/frida_mode/src/cmplog/cmplog_arm32.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
diff --git a/frida_mode/src/cmplog/cmplog_arm64.c b/frida_mode/src/cmplog/cmplog_arm64.c
index 04631ff8..dd97f38d 100644
--- a/frida_mode/src/cmplog/cmplog_arm64.c
+++ b/frida_mode/src/cmplog/cmplog_arm64.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 #include "cmplog.h"
diff --git a/frida_mode/src/cmplog/cmplog_x64.c b/frida_mode/src/cmplog/cmplog_x64.c
index ba16445d..0d18767a 100644
--- a/frida_mode/src/cmplog/cmplog_x64.c
+++ b/frida_mode/src/cmplog/cmplog_x64.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 #include "cmplog.h"
diff --git a/frida_mode/src/cmplog/cmplog_x86.c b/frida_mode/src/cmplog/cmplog_x86.c
index a27df0af..dd666c34 100644
--- a/frida_mode/src/cmplog/cmplog_x86.c
+++ b/frida_mode/src/cmplog/cmplog_x86.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 #include "cmplog.h"
diff --git a/frida_mode/src/ctx/ctx_arm32.c b/frida_mode/src/ctx/ctx_arm32.c
index a5c6f6d4..a354c117 100644
--- a/frida_mode/src/ctx/ctx_arm32.c
+++ b/frida_mode/src/ctx/ctx_arm32.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
diff --git a/frida_mode/src/ctx/ctx_arm64.c b/frida_mode/src/ctx/ctx_arm64.c
index d09896af..a735401b 100644
--- a/frida_mode/src/ctx/ctx_arm64.c
+++ b/frida_mode/src/ctx/ctx_arm64.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
diff --git a/frida_mode/src/ctx/ctx_x64.c b/frida_mode/src/ctx/ctx_x64.c
index 1772a252..da5cb13a 100644
--- a/frida_mode/src/ctx/ctx_x64.c
+++ b/frida_mode/src/ctx/ctx_x64.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
diff --git a/frida_mode/src/ctx/ctx_x86.c b/frida_mode/src/ctx/ctx_x86.c
index 9b50cb52..1a587702 100644
--- a/frida_mode/src/ctx/ctx_x86.c
+++ b/frida_mode/src/ctx/ctx_x86.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c
index e71386a0..186d5098 100644
--- a/frida_mode/src/entry.c
+++ b/frida_mode/src/entry.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
@@ -9,27 +9,32 @@
 
 extern void __afl_manual_init();
 
-guint64 entry_start = 0;
+guint64 entry_point = 0;
 
 static void entry_launch(void) {
 
   __afl_manual_init();
 
   /* Child here */
-  previous_pc = 0;
+  instrument_previous_pc = 0;
+
+}
+
+void entry_config(void) {
+
+  entry_point = util_read_address("AFL_ENTRYPOINT");
 
 }
 
 void entry_init(void) {
 
-  entry_start = util_read_address("AFL_ENTRYPOINT");
-  OKF("entry_point: 0x%016" G_GINT64_MODIFIER "X", entry_start);
+  OKF("entry_point: 0x%016" G_GINT64_MODIFIER "X", entry_point);
 
 }
 
-void entry_run(void) {
+void entry_start(void) {
 
-  if (entry_start == 0) { entry_launch(); }
+  if (entry_point == 0) { entry_launch(); }
 
 }
 
diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c
index ba82b89f..d6ae505d 100644
--- a/frida_mode/src/instrument/instrument.c
+++ b/frida_mode/src/instrument/instrument.c
@@ -2,7 +2,7 @@
 #include <sys/shm.h>
 #include <sys/mman.h>
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "config.h"
 #include "debug.h"
@@ -18,12 +18,13 @@
 #include "stats.h"
 #include "util.h"
 
-static gboolean               tracing = false;
-static gboolean               optimize = false;
-static gboolean               unique = false;
+gboolean instrument_tracing = false;
+gboolean instrument_optimize = false;
+gboolean instrument_unique = false;
+
 static GumStalkerTransformer *transformer = NULL;
 
-__thread uint64_t previous_pc = 0;
+__thread uint64_t instrument_previous_pc = 0;
 
 static GumAddress previous_rip = 0;
 static u8 *       edges_notified = NULL;
@@ -61,7 +62,7 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context,
   current_pc = (current_rip >> 4) ^ (current_rip << 8);
   current_pc &= MAP_SIZE - 1;
 
-  edge = current_pc ^ previous_pc;
+  edge = current_pc ^ instrument_previous_pc;
 
   cursor = &__afl_area_ptr[edge];
   value = *cursor;
@@ -77,11 +78,11 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context,
   }
 
   *cursor = value;
-  previous_pc = current_pc >> 1;
+  instrument_previous_pc = current_pc >> 1;
 
-  if (unlikely(tracing)) {
+  if (unlikely(instrument_tracing)) {
 
-    if (!unique || edges_notified[edge] == 0) {
+    if (!instrument_unique || edges_notified[edge] == 0) {
 
       trace_debug("TRACE: edge: %10" G_GINT64_MODIFIER
                   "d, current_rip: 0x%016" G_GINT64_MODIFIER
@@ -90,7 +91,7 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context,
 
     }
 
-    if (unique) { edges_notified[edge] = 1; }
+    if (instrument_unique) { edges_notified[edge] = 1; }
 
     previous_rip = current_rip;
 
@@ -98,8 +99,9 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context,
 
 }
 
-static void instr_basic_block(GumStalkerIterator *iterator,
-                              GumStalkerOutput *output, gpointer user_data) {
+static void instrument_basic_block(GumStalkerIterator *iterator,
+                                   GumStalkerOutput *  output,
+                                   gpointer            user_data) {
 
   UNUSED_PARAMETER(user_data);
 
@@ -111,7 +113,7 @@ static void instr_basic_block(GumStalkerIterator *iterator,
 
     if (unlikely(begin)) { instrument_debug_start(instr->address, output); }
 
-    if (instr->address == entry_start) { entry_prologue(iterator, output); }
+    if (instr->address == entry_point) { entry_prologue(iterator, output); }
     if (instr->address == persistent_start) { persistent_prologue(output); }
     if (instr->address == persistent_ret) { persistent_epilogue(output); }
 
@@ -150,7 +152,7 @@ static void instr_basic_block(GumStalkerIterator *iterator,
 
       if (likely(!excluded)) {
 
-        if (likely(optimize)) {
+        if (likely(instrument_optimize)) {
 
           instrument_coverage_optimize(instr, output);
 
@@ -185,31 +187,39 @@ static void instr_basic_block(GumStalkerIterator *iterator,
 
 }
 
-void instrument_init(void) {
+void instrument_config(void) {
+
+  instrument_optimize = (getenv("AFL_FRIDA_INST_NO_OPTIMIZE") == NULL);
+  instrument_tracing = (getenv("AFL_FRIDA_INST_TRACE") != NULL);
+  instrument_unique = (getenv("AFL_FRIDA_INST_TRACE_UNIQUE") != NULL);
+
+  instrument_debug_config();
+  asan_config();
+  cmplog_config();
 
-  optimize = (getenv("AFL_FRIDA_INST_NO_OPTIMIZE") == NULL);
-  tracing = (getenv("AFL_FRIDA_INST_TRACE") != NULL);
-  unique = (getenv("AFL_FRIDA_INST_TRACE_UNIQUE") != NULL);
+}
+
+void instrument_init(void) {
 
-  if (!instrument_is_coverage_optimize_supported()) optimize = false;
+  if (!instrument_is_coverage_optimize_supported()) instrument_optimize = false;
 
-  OKF("Instrumentation - optimize [%c]", optimize ? 'X' : ' ');
-  OKF("Instrumentation - tracing [%c]", tracing ? 'X' : ' ');
-  OKF("Instrumentation - unique [%c]", unique ? 'X' : ' ');
+  OKF("Instrumentation - optimize [%c]", instrument_optimize ? 'X' : ' ');
+  OKF("Instrumentation - tracing [%c]", instrument_tracing ? 'X' : ' ');
+  OKF("Instrumentation - unique [%c]", instrument_unique ? 'X' : ' ');
 
-  if (tracing && optimize) {
+  if (instrument_tracing && instrument_optimize) {
 
     FATAL("AFL_FRIDA_INST_TRACE requires AFL_FRIDA_INST_NO_OPTIMIZE");
 
   }
 
-  if (unique && optimize) {
+  if (instrument_unique && instrument_optimize) {
 
     FATAL("AFL_FRIDA_INST_TRACE_UNIQUE requires AFL_FRIDA_INST_NO_OPTIMIZE");
 
   }
 
-  if (unique) { tracing = TRUE; }
+  if (instrument_unique) { instrument_tracing = TRUE; }
 
   if (__afl_map_size != 0x10000) {
 
@@ -217,10 +227,10 @@ void instrument_init(void) {
 
   }
 
-  transformer =
-      gum_stalker_transformer_make_from_callback(instr_basic_block, NULL, NULL);
+  transformer = gum_stalker_transformer_make_from_callback(
+      instrument_basic_block, NULL, NULL);
 
-  if (unique) {
+  if (instrument_unique) {
 
     int shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600);
     if (shm_id < 0) { FATAL("shm_id < 0 - errno: %d\n", errno); }
diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c
index 450a69a3..0e15940a 100644
--- a/frida_mode/src/instrument/instrument_arm32.c
+++ b/frida_mode/src/instrument/instrument_arm32.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c
index 49ee86a2..17f97c97 100644
--- a/frida_mode/src/instrument/instrument_arm64.c
+++ b/frida_mode/src/instrument/instrument_arm64.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "config.h"
 #include "debug.h"
@@ -72,7 +72,7 @@ void instrument_coverage_optimize(const cs_insn *   instr,
     gum_arm64_writer_put_bytes(cw, afl_log_code, sizeof(afl_log_code));
 
     uint8_t **afl_area_ptr_ptr = &__afl_area_ptr;
-    uint64_t *afl_prev_loc_ptr = &previous_pc;
+    uint64_t *afl_prev_loc_ptr = &instrument_previous_pc;
     gum_arm64_writer_put_bytes(cw, (const guint8 *)&afl_area_ptr_ptr,
                                sizeof(afl_area_ptr_ptr));
     gum_arm64_writer_put_bytes(cw, (const guint8 *)&afl_prev_loc_ptr,
diff --git a/frida_mode/src/instrument/instrument_debug.c b/frida_mode/src/instrument/instrument_debug.c
index 0ce26a1c..b8cca634 100644
--- a/frida_mode/src/instrument/instrument_debug.c
+++ b/frida_mode/src/instrument/instrument_debug.c
@@ -3,7 +3,7 @@
 #include <stdio.h>
 #include <unistd.h>
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
@@ -13,6 +13,8 @@
 static int      debugging_fd = -1;
 static gpointer instrument_gen_start = NULL;
 
+char *instrument_debug_filename = NULL;
+
 static void instrument_debug(char *format, ...) {
 
   va_list ap;
@@ -79,18 +81,25 @@ static void instrument_disasm(guint8 *start, guint8 *end) {
 
 }
 
+void instrument_debug_config(void) {
+
+  instrument_debug_filename = getenv("AFL_FRIDA_INST_DEBUG_FILE");
+
+}
+
 void instrument_debug_init(void) {
 
-  char *filename = getenv("AFL_FRIDA_INST_DEBUG_FILE");
-  OKF("Instrumentation debugging - enabled [%c]", filename == NULL ? ' ' : 'X');
+  OKF("Instrumentation debugging - enabled [%c]",
+      instrument_debug_filename == NULL ? ' ' : 'X');
 
-  if (filename == NULL) { return; }
+  if (instrument_debug_filename == NULL) { return; }
 
-  OKF("Instrumentation debugging - file [%s]", filename);
+  OKF("Instrumentation debugging - file [%s]", instrument_debug_filename);
 
-  if (filename == NULL) { return; }
+  if (instrument_debug_filename == NULL) { return; }
 
-  char *path = g_canonicalize_filename(filename, g_get_current_dir());
+  char *path =
+      g_canonicalize_filename(instrument_debug_filename, g_get_current_dir());
 
   OKF("Instrumentation debugging - path [%s]", path);
 
diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c
index 7000e65d..a38b5b14 100644
--- a/frida_mode/src/instrument/instrument_x64.c
+++ b/frida_mode/src/instrument/instrument_x64.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "config.h"
 
@@ -68,7 +68,7 @@ void instrument_coverage_optimize(const cs_insn *   instr,
     current_log_impl = cw->pc;
     gum_x86_writer_put_bytes(cw, afl_log_code, sizeof(afl_log_code));
 
-    uint64_t *afl_prev_loc_ptr = &previous_pc;
+    uint64_t *afl_prev_loc_ptr = &instrument_previous_pc;
     gum_x86_writer_put_bytes(cw, (const guint8 *)&__afl_area_ptr,
                              sizeof(__afl_area_ptr));
     gum_x86_writer_put_bytes(cw, (const guint8 *)&afl_prev_loc_ptr,
diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c
index 04a19e08..3c3dc272 100644
--- a/frida_mode/src/instrument/instrument_x86.c
+++ b/frida_mode/src/instrument/instrument_x86.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
@@ -16,7 +16,7 @@ static void instrument_coverage_function(GumX86Writer *cw) {
   gum_x86_writer_put_push_reg(cw, GUM_REG_EDX);
 
   gum_x86_writer_put_mov_reg_address(cw, GUM_REG_ECX,
-                                     GUM_ADDRESS(&previous_pc));
+                                     GUM_ADDRESS(&instrument_previous_pc));
   gum_x86_writer_put_mov_reg_reg_ptr(cw, GUM_REG_EDX, GUM_REG_ECX);
   gum_x86_writer_put_xor_reg_reg(cw, GUM_REG_EDX, GUM_REG_EDI);
 
diff --git a/frida_mode/src/intercept.c b/frida_mode/src/intercept.c
new file mode 100644
index 00000000..ed8d27bd
--- /dev/null
+++ b/frida_mode/src/intercept.c
@@ -0,0 +1,35 @@
+#include "frida-gumjs.h"
+
+#include "debug.h"
+
+#include "intercept.h"
+
+void intercept_hook(void *address, gpointer replacement, gpointer user_data) {
+
+  GumInterceptor *interceptor = gum_interceptor_obtain();
+  gum_interceptor_begin_transaction(interceptor);
+  GumReplaceReturn ret =
+      gum_interceptor_replace(interceptor, address, replacement, user_data);
+  if (ret != GUM_REPLACE_OK) { FATAL("gum_interceptor_attach: %d", ret); }
+  gum_interceptor_end_transaction(interceptor);
+
+}
+
+void intercept_unhook(void *address) {
+
+  GumInterceptor *interceptor = gum_interceptor_obtain();
+
+  gum_interceptor_begin_transaction(interceptor);
+  gum_interceptor_revert(interceptor, address);
+  gum_interceptor_end_transaction(interceptor);
+  gum_interceptor_flush(interceptor);
+
+}
+
+void intercept_unhook_self(void) {
+
+  GumInvocationContext *ctx = gum_interceptor_get_current_invocation();
+  intercept_unhook(ctx->function);
+
+}
+
diff --git a/frida_mode/src/interceptor.c b/frida_mode/src/interceptor.c
deleted file mode 100644
index d2802752..00000000
--- a/frida_mode/src/interceptor.c
+++ /dev/null
@@ -1,35 +0,0 @@
-#include "frida-gum.h"
-
-#include "debug.h"
-
-#include "interceptor.h"
-
-void intercept(void *address, gpointer replacement, gpointer user_data) {
-
-  GumInterceptor *interceptor = gum_interceptor_obtain();
-  gum_interceptor_begin_transaction(interceptor);
-  GumReplaceReturn ret =
-      gum_interceptor_replace(interceptor, address, replacement, user_data);
-  if (ret != GUM_REPLACE_OK) { FATAL("gum_interceptor_attach: %d", ret); }
-  gum_interceptor_end_transaction(interceptor);
-
-}
-
-void unintercept(void *address) {
-
-  GumInterceptor *interceptor = gum_interceptor_obtain();
-
-  gum_interceptor_begin_transaction(interceptor);
-  gum_interceptor_revert(interceptor, address);
-  gum_interceptor_end_transaction(interceptor);
-  gum_interceptor_flush(interceptor);
-
-}
-
-void unintercept_self(void) {
-
-  GumInvocationContext *ctx = gum_interceptor_get_current_invocation();
-  unintercept(ctx->function);
-
-}
-
diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js
new file mode 100644
index 00000000..983f1efa
--- /dev/null
+++ b/frida_mode/src/js/api.js
@@ -0,0 +1,201 @@
+const write = new NativeFunction(
+    Module.getExportByName(null, 'write'),
+    'int',
+    ['int', 'pointer', 'int']
+);
+
+const afl_frida_trace = Process.findModuleByName('afl-frida-trace.so');
+
+function get_api(name, ret, args) {
+    const addr = afl_frida_trace.findExportByName(name);
+    return new NativeFunction(addr, ret, args);
+}
+
+const js_api_done = get_api(
+    'js_api_done',
+    'void',
+    []);
+
+const js_api_error = get_api(
+    'js_api_error',
+    'void',
+    ['pointer']);
+
+const js_api_set_entrypoint = get_api(
+    'js_api_set_entrypoint',
+    'void',
+    ['pointer']);
+
+const js_api_set_persistent_address = get_api(
+    'js_api_set_persistent_address',
+    'void',
+    ['pointer']);
+
+const js_api_set_persistent_return = get_api(
+    'js_api_set_persistent_return',
+    'void',
+    ['pointer']);
+
+const js_api_set_persistent_count = get_api(
+    'js_api_set_persistent_count',
+    'void',
+    ['uint64']);
+
+const js_api_set_persistent_debug = get_api(
+    'js_api_set_persistent_debug',
+    'void',
+    []);
+
+const js_api_set_debug_maps = get_api(
+    'js_api_set_debug_maps',
+    'void',
+    []);
+
+const js_api_add_include_range = get_api(
+    'js_api_add_include_range',
+    'void',
+    ['pointer', 'size_t']);
+
+const js_api_add_exclude_range = get_api(
+    'js_api_add_exclude_range',
+    'void',
+    ['pointer', 'size_t']);
+
+const js_api_set_instrument_libraries = get_api(
+    'js_api_set_instrument_libraries',
+    'void',
+    []);
+
+const js_api_set_instrument_debug_file = get_api(
+    'js_api_set_instrument_debug_file',
+    'void',
+    ['pointer']);
+
+const js_api_set_prefetch_disable = get_api(
+    'js_api_set_prefetch_disable',
+    'void',
+    []);
+
+const js_api_set_instrument_no_optimize = get_api(
+    'js_api_set_instrument_no_optimize',
+    'void',
+    []);
+
+const js_api_set_instrument_trace = get_api(
+    'js_api_set_instrument_trace',
+    'void',
+    []);
+
+const js_api_set_instrument_trace_unique = get_api(
+    'js_api_set_instrument_trace_unique',
+    'void',
+    []);
+
+const js_api_set_stdout = get_api(
+    'js_api_set_stdout',
+    'void',
+    ['pointer']);
+
+const js_api_set_stderr = get_api(
+    'js_api_set_stderr',
+    'void',
+    ['pointer']);
+
+const js_api_set_stats_file = get_api(
+    'js_api_set_stats_file',
+    'void',
+    ['pointer']);
+
+const js_api_set_stats_interval = get_api(
+    'js_api_set_stats_interval',
+    'void',
+    ['uint64']);
+
+const js_api_set_stats_transitions = get_api(
+    'js_api_set_stats_transitions',
+    'void',
+    []);
+
+const afl = {
+    print: function (msg) {
+        const STDOUT_FILENO = 2;
+        const log = `${msg}\n`;
+        const buf = Memory.allocUtf8String(log);
+        write(STDOUT_FILENO, buf, log.length);
+    },
+    done: function() {
+        js_api_done();
+    },
+    error: function(msg) {
+        const buf = Memory.allocUtf8String(msg);
+        js_api_error(buf);
+    },
+    setEntryPoint: function(addr) {
+        js_api_set_entrypoint(addr);
+    },
+    setPersistentAddress: function(addr) {
+        js_api_set_persistent_address(addr);
+    },
+    setPersistentReturn: function(addr) {
+        js_api_set_persistent_return(addr);
+    },
+    setPersistentCount: function(addr) {
+        js_api_set_persistent_count(addr);
+    },
+    setPersistentDebug: function() {
+        js_api_set_persistent_debug();
+    },
+    setDebugMaps: function() {
+        js_api_set_debug_maps();
+    },
+    addIncludedRange: function(address, size) {
+        js_api_add_include_range(address, size);
+    },
+    addExcludedRange: function(address, size) {
+        js_api_add_exclude_range(address, size);
+    },
+    setInstrumentLibraries: function() {
+        js_api_set_instrument_libraries();
+    },
+    setInstrumentDebugFile: function(file) {
+        const buf = Memory.allocUtf8String(file);
+        js_api_set_instrument_debug_file(buf)
+    },
+    setPrefetchDisable: function() {
+        js_api_set_prefetch_disable();
+    },
+    setInstrumentNoOptimize: function() {
+        js_api_set_instrument_no_optimize();
+    },
+    setInstrumentEnableTracing: function() {
+        js_api_set_instrument_trace();
+    },
+    setInstrumentTracingUnique: function() {
+        js_api_set_instrument_trace_unique();
+    },
+    setStdOut: function(file) {
+        const buf = Memory.allocUtf8String(file);
+        js_api_set_stdout(buf)
+    },
+    setStdErr: function(file) {
+        const buf = Memory.allocUtf8String(file);
+        js_api_set_stderr(buf)
+    },
+    setStatsFile: function(file) {
+        const buf = Memory.allocUtf8String(file);
+        js_api_set_stats_file(buf)
+    },
+    setStatsInterval: function(interval) {
+        js_api_set_stats_interval(interval);
+    },
+    setStatsTransitions: function() {
+        js_api_set_stats_transitions();
+    }
+
+};
+
+Object.defineProperty(global, 'Afl', {value: afl, writeable: false});
+
+////////////////////////////////////////////////////////////////////////////////
+//                          END OF API                                        //
+////////////////////////////////////////////////////////////////////////////////
diff --git a/frida_mode/src/js/js.c b/frida_mode/src/js/js.c
new file mode 100644
index 00000000..79e716ad
--- /dev/null
+++ b/frida_mode/src/js/js.c
@@ -0,0 +1,113 @@
+#include "frida-gumjs.h"
+
+#include "debug.h"
+
+#include "js.h"
+#include "util.h"
+
+static char *js_script = NULL;
+gboolean     js_done = FALSE;
+
+static gchar *           filename = "afl.js";
+static gchar *           contents;
+static GumScriptBackend *backend;
+static GCancellable *    cancellable = NULL;
+static GError *          error = NULL;
+static GumScript *       script;
+
+static void js_msg(GumScript *script, const gchar *message, GBytes *data,
+                   gpointer user_data) {
+
+  UNUSED_PARAMETER(script);
+  UNUSED_PARAMETER(data);
+  UNUSED_PARAMETER(user_data);
+  OKF("%s", message);
+
+}
+
+void js_config(void) {
+
+  js_script = getenv("AFL_FRIDA_JS_SCRIPT");
+
+}
+
+static gchar *js_get_script() {
+
+  gsize length;
+  if (js_script != NULL) { filename = js_script; }
+
+  filename = g_canonicalize_filename(filename, g_get_current_dir());
+
+  if (!g_file_get_contents(filename, &contents, &length, NULL)) {
+
+    if (js_script == NULL) {
+
+      return NULL;
+
+    } else {
+
+      FATAL("Could not load script file: %s", filename);
+
+    }
+
+  } else {
+
+    OKF("Loaded AFL script: %s, %" G_GSIZE_MODIFIER "d bytes", filename,
+        length);
+
+    gchar *source = g_malloc0(api_js_len + length + 1);
+    memcpy(source, api_js, api_js_len);
+    memcpy(&source[api_js_len], contents, length);
+
+    return source;
+
+  }
+
+}
+
+static void js_print_script(gchar *source) {
+
+  gchar **split = g_strsplit(source, "\n", 0);
+
+  for (size_t i = 0; split[i] != NULL; i++) {
+
+    OKF("%3" G_GSIZE_MODIFIER "d. %s", i + 1, split[i]);
+
+  }
+
+  g_strfreev(split);
+
+}
+
+void js_start(void) {
+
+  GMainContext *context;
+
+  gchar *source = js_get_script();
+  if (source == NULL) { return; }
+  js_print_script(source);
+
+  backend = gum_script_backend_obtain_qjs();
+
+  script = gum_script_backend_create_sync(backend, "example", source,
+                                          cancellable, &error);
+
+  if (error != NULL) {
+
+    g_printerr("%s\n", error->message);
+    FATAL("Error processing script");
+
+  }
+
+  gum_script_set_message_handler(script, js_msg, NULL, NULL);
+
+  gum_script_load_sync(script, cancellable);
+
+  context = g_main_context_get_thread_default();
+  while (g_main_context_pending(context))
+    g_main_context_iteration(context, FALSE);
+
+  if (!js_done) { FATAL("Script didn't call Afl.done()"); }
+
+}
+
diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c
new file mode 100644
index 00000000..018c0b9a
--- /dev/null
+++ b/frida_mode/src/js/js_api.c
@@ -0,0 +1,142 @@
+#include "debug.h"
+
+#include "entry.h"
+#include "instrument.h"
+#include "js.h"
+#include "output.h"
+#include "persistent.h"
+#include "prefetch.h"
+#include "ranges.h"
+#include "stats.h"
+#include "util.h"
+
+void js_api_done() {
+
+  js_done = TRUE;
+
+}
+
+void js_api_error(char *msg) {
+
+  FATAL("%s", msg);
+
+}
+
+void js_api_set_entrypoint(void *address) {
+
+  entry_point = GPOINTER_TO_SIZE(address);
+
+}
+
+void js_api_set_persistent_address(void *address) {
+
+  persistent_start = GPOINTER_TO_SIZE(address);
+
+}
+
+void js_api_set_persistent_return(void *address) {
+
+  persistent_ret = GPOINTER_TO_SIZE(address);
+
+}
+
+void js_api_set_persistent_count(uint64_t count) {
+
+  persistent_count = count;
+
+}
+
+void js_api_set_persistent_debug() {
+
+  persistent_debug = TRUE;
+
+}
+
+void js_api_set_debug_maps() {
+
+  ranges_debug_maps = TRUE;
+
+}
+
+void js_api_add_include_range(void *address, gsize size) {
+
+  GumMemoryRange range = {.base_address = GUM_ADDRESS(address), .size = size};
+  ranges_add_include(&range);
+
+}
+
+void js_api_add_exclude_range(void *address, gsize size) {
+
+  GumMemoryRange range = {.base_address = GUM_ADDRESS(address), .size = size};
+  ranges_add_exclude(&range);
+
+}
+
+void js_api_set_instrument_libraries() {
+
+  ranges_inst_libs = TRUE;
+
+}
+
+void js_api_set_instrument_debug_file(char *path) {
+
+  instrument_debug_filename = g_strdup(path);
+
+}
+
+void js_api_set_prefetch_disable(void) {
+
+  prefetch_enable = FALSE;
+
+}
+
+void js_api_set_instrument_no_optimize(void) {
+
+  instrument_optimize = FALSE;
+
+}
+
+void js_api_set_instrument_trace(void) {
+
+  instrument_tracing = TRUE;
+
+}
+
+void js_api_set_instrument_trace_unique(void) {
+
+  instrument_unique = TRUE;
+
+}
+
+void js_api_set_stdout(char *file) {
+
+  output_stdout = g_strdup(file);
+
+}
+
+void js_api_set_stderr(char *file) {
+
+  output_stderr = g_strdup(file);
+
+}
+
+void js_api_set_stats_file(char *file) {
+
+  stats_filename = g_strdup(file);
+
+}
+
+void js_api_set_stats_interval(uint64_t interval) {
+
+  stats_interval = interval;
+
+}
+
+void js_api_set_stats_transitions() {
+
+  stats_transitions = TRUE;
+
+}
+
+// "AFL_FRIDA_PERSISTENT_HOOK",
+
diff --git a/frida_mode/src/lib/lib.c b/frida_mode/src/lib/lib.c
index 13a7d1e7..59a3fcf9 100644
--- a/frida_mode/src/lib/lib.c
+++ b/frida_mode/src/lib/lib.c
@@ -6,7 +6,7 @@
   #include <sys/mman.h>
   #include <unistd.h>
 
-  #include "frida-gum.h"
+  #include "frida-gumjs.h"
 
   #include "debug.h"
 
@@ -151,6 +151,10 @@ static void lib_get_text_section(lib_details_t *details) {
 
 }
 
+void lib_config(void) {
+
+}
+
 void lib_init(void) {
 
   lib_details_t lib_details;
diff --git a/frida_mode/src/lib/lib_apple.c b/frida_mode/src/lib/lib_apple.c
index 8f863861..2aa48a13 100644
--- a/frida_mode/src/lib/lib_apple.c
+++ b/frida_mode/src/lib/lib_apple.c
@@ -1,5 +1,5 @@
 #ifdef __APPLE__
-  #include "frida-gum.h"
+  #include "frida-gumjs.h"
 
   #include "debug.h"
 
@@ -56,6 +56,10 @@ gboolean lib_get_text_section(const GumDarwinSectionDetails *details,
 
 }
 
+void lib_config(void) {
+
+}
+
 void lib_init(void) {
 
   GumDarwinModule *module = NULL;
diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c
index b17d9f49..85b0bbf3 100644
--- a/frida_mode/src/main.c
+++ b/frida_mode/src/main.c
@@ -11,14 +11,15 @@
   #include <sys/personality.h>
 #endif
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "config.h"
 #include "debug.h"
 
 #include "entry.h"
 #include "instrument.h"
-#include "interceptor.h"
+#include "intercept.h"
+#include "js.h"
 #include "lib.h"
 #include "output.h"
 #include "persistent.h"
@@ -44,13 +45,6 @@ typedef int *(*main_fn_t)(int argc, char **argv, char **envp);
 
 static main_fn_t main_fn = NULL;
 
-static int on_fork(void) {
-
-  prefetch_read();
-  return fork();
-
-}
-
 #ifdef __APPLE__
 static void on_main_os(int argc, char **argv, char **envp) {
 
@@ -174,23 +168,36 @@ void afl_frida_start(void) {
   afl_print_cmdline();
   afl_print_env();
 
+  /* Configure */
+  entry_config();
+  instrument_config();
+  js_config();
+  lib_config();
+  output_config();
+  persistent_config();
+  prefetch_config();
+  ranges_config();
+  stalker_config();
+  stats_config();
+
+  js_start();
+
+  /* Initialize */
+  output_init();
+
   embedded_init();
-  stalker_init();
-  lib_init();
   entry_init();
   instrument_init();
-  output_init();
+  lib_init();
   persistent_init();
   prefetch_init();
+  stalker_init();
   ranges_init();
   stats_init();
 
-  void *fork_addr =
-      GSIZE_TO_POINTER(gum_module_find_export_by_name(NULL, "fork"));
-  intercept(fork_addr, on_fork, NULL);
-
+  /* Start */
   stalker_start();
-  entry_run();
+  entry_start();
 
 }
 
@@ -198,7 +205,7 @@ static int *on_main(int argc, char **argv, char **envp) {
 
   on_main_os(argc, argv, envp);
 
-  unintercept_self();
+  intercept_unhook_self();
 
   afl_frida_start();
 
@@ -212,7 +219,7 @@ extern int *main(int argc, char **argv, char **envp);
 static void intercept_main(void) {
 
   main_fn = main;
-  intercept(main, on_main, NULL);
+  intercept_hook(main, on_main, NULL);
 
 }
 
@@ -225,7 +232,7 @@ static void intercept_main(void) {
   OKF("Entry Point: 0x%016" G_GINT64_MODIFIER "x", entry);
   void *main = GSIZE_TO_POINTER(entry);
   main_fn = main;
-  intercept(main, on_main, NULL);
+  intercept_hook(main, on_main, NULL);
 
 }
 
@@ -236,8 +243,8 @@ static int on_libc_start_main(int *(main)(int, char **, char **), int argc,
                               void(*stack_end)) {
 
   main_fn = main;
-  unintercept_self();
-  intercept(main, on_main, NULL);
+  intercept_unhook_self();
+  intercept_hook(main, on_main, NULL);
   return __libc_start_main(main, argc, ubp_av, init, fini, rtld_fini,
                            stack_end);
 
@@ -245,7 +252,7 @@ static int on_libc_start_main(int *(main)(int, char **, char **), int argc,
 
 static void intercept_main(void) {
 
-  intercept(__libc_start_main, on_libc_start_main, NULL);
+  intercept_hook(__libc_start_main, on_libc_start_main, NULL);
 
 }
 
diff --git a/frida_mode/src/output.c b/frida_mode/src/output.c
index 8a222b25..e2b744e7 100644
--- a/frida_mode/src/output.c
+++ b/frida_mode/src/output.c
@@ -2,17 +2,17 @@
 #include <fcntl.h>
 #include <unistd.h>
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
 #include "output.h"
 
-static int output_fd = -1;
+char *output_stdout = NULL;
+char *output_stderr = NULL;
 
-static void output_redirect(int fd, char *variable) {
+static void output_redirect(int fd, char *filename) {
 
-  char *filename = getenv(variable);
   char *path = NULL;
 
   if (filename == NULL) { return; }
@@ -21,8 +21,8 @@ static void output_redirect(int fd, char *variable) {
 
   OKF("Redirect %d -> '%s'", fd, path);
 
-  output_fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
-                   S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
+  int output_fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
+                       S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
 
   g_free(path);
 
@@ -34,12 +34,24 @@ static void output_redirect(int fd, char *variable) {
 
   }
 
+  close(output_fd);
+
+}
+
+void output_config(void) {
+
+  output_stdout = getenv("AFL_FRIDA_OUTPUT_STDOUT");
+  output_stderr = getenv("AFL_FRIDA_OUTPUT_STDERR");
+
 }
 
 void output_init(void) {
 
-  output_redirect(STDOUT_FILENO, "AFL_FRIDA_OUTPUT_STDOUT");
-  output_redirect(STDERR_FILENO, "AFL_FRIDA_OUTPUT_STDERR");
+  OKF("Output - StdOut: %s", output_stdout);
+  OKF("Output - StdErr: %s", output_stderr);
+
+  output_redirect(STDOUT_FILENO, output_stdout);
+  output_redirect(STDERR_FILENO, output_stderr);
 
 }
 
diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c
index 243d501d..e3e0b0ca 100644
--- a/frida_mode/src/persistent/persistent.c
+++ b/frida_mode/src/persistent/persistent.c
@@ -1,6 +1,6 @@
 #include <dlfcn.h>
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "config.h"
 #include "debug.h"
@@ -8,17 +8,18 @@
 #include "persistent.h"
 #include "util.h"
 
-int                    __afl_sharedmem_fuzzing = 0;
-afl_persistent_hook_fn hook = NULL;
+int          __afl_sharedmem_fuzzing = 0;
+static char *hook_name = NULL;
+
+afl_persistent_hook_fn persistent_hook = NULL;
 guint64                persistent_start = 0;
 guint64                persistent_count = 0;
 guint64                persistent_ret = 0;
 gboolean               persistent_debug = FALSE;
 
-void persistent_init(void) {
-
-  char *hook_name = getenv("AFL_FRIDA_PERSISTENT_HOOK");
+void persistent_config(void) {
 
+  hook_name = getenv("AFL_FRIDA_PERSISTENT_HOOK");
   persistent_start = util_read_address("AFL_FRIDA_PERSISTENT_ADDR");
   persistent_count = util_read_num("AFL_FRIDA_PERSISTENT_CNT");
   persistent_ret = util_read_address("AFL_FRIDA_PERSISTENT_RET");
@@ -33,6 +34,11 @@ void persistent_init(void) {
 
   }
 
+  if (persistent_start != 0 && persistent_count == 0) persistent_count = 1000;
+
+  if (persistent_start != 0 && !persistent_is_supported())
+    FATAL("Persistent mode not supported on this architecture");
+
   if (persistent_ret != 0 && persistent_start == 0) {
 
     FATAL(
@@ -41,13 +47,9 @@ void persistent_init(void) {
 
   }
 
-  if (persistent_start != 0 && persistent_count == 0) persistent_count = 1000;
-
-  if (persistent_count != 0 && persistent_count < 100)
-    WARNF("Persistent count out of recommended range (<100)");
+}
 
-  if (persistent_start != 0 && !persistent_is_supported())
-    FATAL("Persistent mode not supported on this architecture");
+void persistent_init(void) {
 
   OKF("Instrumentation - persistent mode [%c] (0x%016" G_GINT64_MODIFIER "X)",
       persistent_start == 0 ? ' ' : 'X', persistent_start);
@@ -58,27 +60,26 @@ void persistent_init(void) {
   OKF("Instrumentation - persistent ret [%c] (0x%016" G_GINT64_MODIFIER "X)",
       persistent_ret == 0 ? ' ' : 'X', persistent_ret);
 
-  if (hook_name != NULL) {
+  if (hook_name == NULL) { return; }
 
-    void *hook_obj = dlopen(hook_name, RTLD_NOW);
-    if (hook_obj == NULL)
-      FATAL("Failed to load AFL_FRIDA_PERSISTENT_HOOK (%s)", hook_name);
+  void *hook_obj = dlopen(hook_name, RTLD_NOW);
+  if (hook_obj == NULL)
+    FATAL("Failed to load AFL_FRIDA_PERSISTENT_HOOK (%s)", hook_name);
 
-    int (*afl_persistent_hook_init_ptr)(void) =
-        dlsym(hook_obj, "afl_persistent_hook_init");
-    if (afl_persistent_hook_init_ptr == NULL)
-      FATAL("Failed to find afl_persistent_hook_init in %s", hook_name);
+  int (*afl_persistent_hook_init_ptr)(void) =
+      dlsym(hook_obj, "afl_persistent_hook_init");
+  if (afl_persistent_hook_init_ptr == NULL)
+    FATAL("Failed to find afl_persistent_hook_init in %s", hook_name);
 
-    if (afl_persistent_hook_init_ptr() == 0)
-      FATAL("afl_persistent_hook_init returned a failure");
+  if (afl_persistent_hook_init_ptr() == 0)
+    FATAL("afl_persistent_hook_init returned a failure");
 
-    hook = (afl_persistent_hook_fn)dlsym(hook_obj, "afl_persistent_hook");
-    if (hook == NULL)
-      FATAL("Failed to find afl_persistent_hook in %s", hook_name);
+  persistent_hook =
+      (afl_persistent_hook_fn)dlsym(hook_obj, "afl_persistent_hook");
+  if (persistent_hook == NULL)
+    FATAL("Failed to find afl_persistent_hook in %s", hook_name);
 
-    __afl_sharedmem_fuzzing = 1;
-
-  }
+  __afl_sharedmem_fuzzing = 1;
 
 }
 
diff --git a/frida_mode/src/persistent/persistent_arm32.c b/frida_mode/src/persistent/persistent_arm32.c
index 6a3c06fa..f12f1af8 100644
--- a/frida_mode/src/persistent/persistent_arm32.c
+++ b/frida_mode/src/persistent/persistent_arm32.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c
index d7c6c76b..e618fbac 100644
--- a/frida_mode/src/persistent/persistent_arm64.c
+++ b/frida_mode/src/persistent/persistent_arm64.c
@@ -1,5 +1,5 @@
 #include <unistd.h>
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "config.h"
 #include "debug.h"
@@ -318,7 +318,7 @@ static void instrument_exit(GumArm64Writer *cw) {
 static int instrument_afl_persistent_loop_func(void) {
 
   int ret = __afl_persistent_loop(persistent_count);
-  previous_pc = 0;
+  instrument_previous_pc = 0;
   return ret;
 
 }
@@ -337,7 +337,7 @@ static void instrument_afl_persistent_loop(GumArm64Writer *cw) {
 static void persistent_prologue_hook(GumArm64Writer *   cw,
                                      struct arm64_regs *regs) {
 
-  if (hook == NULL) return;
+  if (persistent_hook == NULL) return;
 
   gum_arm64_writer_put_sub_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP,
                                        GUM_RED_ZONE_SIZE);
@@ -354,7 +354,7 @@ static void persistent_prologue_hook(GumArm64Writer *   cw,
   gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X2, 0);
 
   gum_arm64_writer_put_call_address_with_arguments(
-      cw, GUM_ADDRESS(hook), 4, GUM_ARG_ADDRESS, GUM_ADDRESS(regs),
+      cw, GUM_ADDRESS(persistent_hook), 4, GUM_ARG_ADDRESS, GUM_ADDRESS(regs),
       GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_REGISTER, ARM64_REG_X2,
       GUM_ARG_REGISTER, ARM64_REG_X3);
 
diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c
index 653acefe..a91abc1c 100644
--- a/frida_mode/src/persistent/persistent_x64.c
+++ b/frida_mode/src/persistent/persistent_x64.c
@@ -1,5 +1,5 @@
 #include <unistd.h>
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "config.h"
 #include "debug.h"
@@ -199,7 +199,7 @@ static void instrument_exit(GumX86Writer *cw) {
 static int instrument_afl_persistent_loop_func(void) {
 
   int ret = __afl_persistent_loop(persistent_count);
-  previous_pc = 0;
+  instrument_previous_pc = 0;
   return ret;
 
 }
@@ -220,7 +220,7 @@ static void instrument_afl_persistent_loop(GumX86Writer *cw) {
 static void persistent_prologue_hook(GumX86Writer *      cw,
                                      struct x86_64_regs *regs) {
 
-  if (hook == NULL) return;
+  if (persistent_hook == NULL) return;
   gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
                                         -(GUM_RED_ZONE_SIZE));
 
@@ -236,7 +236,7 @@ static void persistent_prologue_hook(GumX86Writer *      cw,
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDX, GUM_REG_RDX, 0);
 
   gum_x86_writer_put_call_address_with_arguments(
-      cw, GUM_CALL_CAPI, GUM_ADDRESS(hook), 4, GUM_ARG_ADDRESS,
+      cw, GUM_CALL_CAPI, GUM_ADDRESS(persistent_hook), 4, GUM_ARG_ADDRESS,
       GUM_ADDRESS(regs), GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_REGISTER,
       GUM_REG_RDX, GUM_ARG_REGISTER, GUM_REG_RCX);
 
diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c
index 7add6e99..1d01d8e4 100644
--- a/frida_mode/src/persistent/persistent_x86.c
+++ b/frida_mode/src/persistent/persistent_x86.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "config.h"
 
@@ -152,7 +152,7 @@ static void instrument_exit(GumX86Writer *cw) {
 static int instrument_afl_persistent_loop_func(void) {
 
   int ret = __afl_persistent_loop(persistent_count);
-  previous_pc = 0;
+  instrument_previous_pc = 0;
   return ret;
 
 }
@@ -167,7 +167,7 @@ static void instrument_afl_persistent_loop(GumX86Writer *cw) {
 
 static void persistent_prologue_hook(GumX86Writer *cw, struct x86_regs *regs) {
 
-  if (hook == NULL) return;
+  if (persistent_hook == NULL) return;
 
   gum_x86_writer_put_mov_reg_address(cw, GUM_REG_ECX,
                                      GUM_ADDRESS(&__afl_fuzz_len));
@@ -180,7 +180,7 @@ static void persistent_prologue_hook(GumX86Writer *cw, struct x86_regs *regs) {
 
   /* Base address is 64-bits (hence two zero arguments) */
   gum_x86_writer_put_call_address_with_arguments(
-      cw, GUM_CALL_CAPI, GUM_ADDRESS(hook), 5, GUM_ARG_ADDRESS,
+      cw, GUM_CALL_CAPI, GUM_ADDRESS(persistent_hook), 5, GUM_ARG_ADDRESS,
       GUM_ADDRESS(regs), GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_ADDRESS,
       GUM_ADDRESS(0), GUM_ARG_REGISTER, GUM_REG_EDX, GUM_ARG_REGISTER,
       GUM_REG_ECX);
diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c
index 65c09fba..50d10c9e 100644
--- a/frida_mode/src/prefetch.c
+++ b/frida_mode/src/prefetch.c
@@ -2,10 +2,11 @@
 #include <sys/shm.h>
 #include <sys/mman.h>
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
+#include "intercept.h"
 #include "prefetch.h"
 #include "stalker.h"
 
@@ -20,9 +21,10 @@ typedef struct {
 
 } prefetch_data_t;
 
-static prefetch_data_t *prefetch_data = NULL;
+gboolean prefetch_enable = TRUE;
 
-static int prefetch_shm_id = -1;
+static prefetch_data_t *prefetch_data = NULL;
+static int              prefetch_shm_id = -1;
 
 /*
  * We do this from the transformer since we need one anyway for coverage, this
@@ -72,14 +74,33 @@ void prefetch_read(void) {
 
 }
 
+void prefetch_config(void) {
+
+  prefetch_enable = (getenv("AFL_FRIDA_INST_NO_PREFETCH") == NULL);
+
+}
+
+static int prefetch_on_fork(void) {
+
+  prefetch_read();
+  return fork();
+
+}
+
+static void prefetch_hook_fork(void) {
+
+  void *fork_addr =
+      GSIZE_TO_POINTER(gum_module_find_export_by_name(NULL, "fork"));
+  intercept_hook(fork_addr, prefetch_on_fork, NULL);
+
+}
+
 void prefetch_init(void) {
 
   g_assert_cmpint(sizeof(prefetch_data_t), ==, PREFETCH_SIZE);
-  gboolean prefetch = (getenv("AFL_FRIDA_INST_NO_PREFETCH") == NULL);
+  OKF("Instrumentation - prefetch [%c]", prefetch_enable ? 'X' : ' ');
 
-  OKF("Instrumentation - prefetch [%c]", prefetch ? 'X' : ' ');
-
-  if (!prefetch) { return; }
+  if (!prefetch_enable) { return; }
   /*
    * Make our shared memory, we can attach before we fork, just like AFL does
    * with the coverage bitmap region and fork will take care of ensuring both
@@ -108,5 +129,7 @@ void prefetch_init(void) {
   /* Clear it, not sure it's necessary, just seems like good practice */
   memset(prefetch_data, '\0', sizeof(prefetch_data_t));
 
+  prefetch_hook_fork();
+
 }
 
diff --git a/frida_mode/src/ranges.c b/frida_mode/src/ranges.c
index ef25b371..534f202b 100644
--- a/frida_mode/src/ranges.c
+++ b/frida_mode/src/ranges.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
@@ -17,11 +17,14 @@ typedef struct {
 
 } convert_name_ctx_t;
 
-GArray *module_ranges = NULL;
-GArray *libs_ranges = NULL;
-GArray *include_ranges = NULL;
-GArray *exclude_ranges = NULL;
-GArray *ranges = NULL;
+gboolean ranges_debug_maps = FALSE;
+gboolean ranges_inst_libs = FALSE;
+
+static GArray *module_ranges = NULL;
+static GArray *libs_ranges = NULL;
+static GArray *include_ranges = NULL;
+static GArray *exclude_ranges = NULL;
+static GArray *ranges = NULL;
 
 static void convert_address_token(gchar *token, GumMemoryRange *range) {
 
@@ -225,6 +228,43 @@ static GArray *collect_module_ranges(void) {
 
 }
 
+static void check_for_overlaps(GArray *array) {
+
+  for (guint i = 1; i < array->len; i++) {
+
+    GumMemoryRange *prev = &g_array_index(array, GumMemoryRange, i - 1);
+    GumMemoryRange *curr = &g_array_index(array, GumMemoryRange, i);
+    GumAddress      prev_limit = prev->base_address + prev->size;
+    GumAddress      curr_limit = curr->base_address + curr->size;
+    if (prev_limit > curr->base_address) {
+
+      FATAL("OVerlapping ranges 0x%016" G_GINT64_MODIFIER
+            "x-0x%016" G_GINT64_MODIFIER "x 0x%016" G_GINT64_MODIFIER
+            "x-0x%016" G_GINT64_MODIFIER "x",
+            prev->base_address, prev_limit, curr->base_address, curr_limit);
+
+    }
+
+  }
+
+}
+
+void ranges_add_include(GumMemoryRange *range) {
+
+  g_array_append_val(include_ranges, *range);
+  g_array_sort(include_ranges, range_sort);
+  check_for_overlaps(include_ranges);
+
+}
+
+void ranges_add_exclude(GumMemoryRange *range) {
+
+  g_array_append_val(exclude_ranges, *range);
+  g_array_sort(exclude_ranges, range_sort);
+  check_for_overlaps(exclude_ranges);
+
+}
+
 static GArray *collect_ranges(char *env_key) {
 
   char *         env_val;
@@ -253,23 +293,7 @@ static GArray *collect_ranges(char *env_key) {
 
   g_array_sort(result, range_sort);
 
-  /* Check for overlaps */
-  for (i = 1; i < token_count; i++) {
-
-    GumMemoryRange *prev = &g_array_index(result, GumMemoryRange, i - 1);
-    GumMemoryRange *curr = &g_array_index(result, GumMemoryRange, i);
-    GumAddress      prev_limit = prev->base_address + prev->size;
-    GumAddress      curr_limit = curr->base_address + curr->size;
-    if (prev_limit > curr->base_address) {
-
-      FATAL("OVerlapping ranges 0x%016" G_GINT64_MODIFIER
-            "x-0x%016" G_GINT64_MODIFIER "x 0x%016" G_GINT64_MODIFIER
-            "x-0x%016" G_GINT64_MODIFIER "x",
-            prev->base_address, prev_limit, curr->base_address, curr_limit);
-
-    }
-
-  }
+  check_for_overlaps(result);
 
   print_ranges(env_key, result);
 
@@ -285,15 +309,15 @@ static GArray *collect_libs_ranges(void) {
   GumMemoryRange range;
   result = g_array_new(false, false, sizeof(GumMemoryRange));
 
-  if (getenv("AFL_INST_LIBS") == NULL) {
+  if (ranges_inst_libs) {
 
-    range.base_address = lib_get_text_base();
-    range.size = lib_get_text_limit() - lib_get_text_base();
+    range.base_address = 0;
+    range.size = G_MAXULONG;
 
   } else {
 
-    range.base_address = 0;
-    range.size = G_MAXULONG;
+    range.base_address = lib_get_text_base();
+    range.size = lib_get_text_limit() - lib_get_text_base();
 
   }
 
@@ -480,30 +504,13 @@ static GArray *merge_ranges(GArray *a) {
 
 }
 
-static gboolean exclude_ranges_callback(const GumRangeDetails *details,
-                                        gpointer               user_data) {
+void ranges_config(void) {
 
-  UNUSED_PARAMETER(user_data);
-  gchar *     name;
-  gboolean    found;
-  GumStalker *stalker;
-  if (details->file == NULL) { return TRUE; }
-  name = g_path_get_basename(details->file->path);
-
-  found = (g_strcmp0(name, "afl-frida-trace.so") == 0);
-  g_free(name);
-  if (!found) { return TRUE; }
-
-  stalker = stalker_get();
-  gum_stalker_exclude(stalker, details->range);
-
-  return FALSE;
+  if (getenv("AFL_FRIDA_DEBUG_MAPS") != NULL) { ranges_debug_maps = TRUE; }
+  if (getenv("AFL_INST_LIBS") != NULL) { ranges_inst_libs = TRUE; }
 
-}
-
-static void ranges_exclude_self(void) {
-
-  gum_process_enumerate_ranges(GUM_PAGE_EXECUTE, exclude_ranges_callback, NULL);
+  include_ranges = collect_ranges("AFL_FRIDA_INST_RANGES");
+  exclude_ranges = collect_ranges("AFL_FRIDA_EXCLUDE_RANGES");
 
 }
 
@@ -515,16 +522,20 @@ void ranges_init(void) {
   GArray *       step3;
   GArray *       step4;
 
-  if (getenv("AFL_FRIDA_DEBUG_MAPS") != NULL) {
+  if (ranges_debug_maps) {
 
     gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, print_ranges_callback,
                                  NULL);
 
   }
 
+  OKF("Ranges - Instrument libraries [%c]", ranges_inst_libs ? 'X' : ' ');
+
+  print_ranges("AFL_FRIDA_INST_RANGES", include_ranges);
+  print_ranges("AFL_FRIDA_EXCLUDE_RANGES", exclude_ranges);
+
   module_ranges = collect_module_ranges();
   libs_ranges = collect_libs_ranges();
-  include_ranges = collect_ranges("AFL_FRIDA_INST_RANGES");
 
   /* If include ranges is empty, then assume everything is included */
   if (include_ranges->len == 0) {
@@ -535,8 +546,6 @@ void ranges_init(void) {
 
   }
 
-  exclude_ranges = collect_ranges("AFL_FRIDA_EXCLUDE_RANGES");
-
   /* Intersect with .text section of main executable unless AFL_INST_LIBS */
   step1 = intersect_ranges(module_ranges, libs_ranges);
   print_ranges("step1", step1);
@@ -565,9 +574,6 @@ void ranges_init(void) {
   g_array_free(step2, TRUE);
   g_array_free(step1, TRUE);
 
-  /* *NEVER* stalk the stalker, only bad things will ever come of this! */
-  ranges_exclude_self();
-
   ranges_exclude();
 
 }
diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c
index 63f3c529..98483cde 100644
--- a/frida_mode/src/stalker.c
+++ b/frida_mode/src/stalker.c
@@ -2,18 +2,47 @@
 
 #include "instrument.h"
 #include "stalker.h"
+#include "util.h"
 
 static GumStalker *stalker = NULL;
 
-void stalker_init(void) {
+void stalker_config(void) {
 
   if (!gum_stalker_is_supported()) { FATAL("Failed to initialize embedded"); }
 
+}
+
+static gboolean stalker_exclude_self(const GumRangeDetails *details,
+                                     gpointer               user_data) {
+
+  UNUSED_PARAMETER(user_data);
+  gchar *     name;
+  gboolean    found;
+  GumStalker *stalker;
+  if (details->file == NULL) { return TRUE; }
+  name = g_path_get_basename(details->file->path);
+
+  found = (g_strcmp0(name, "afl-frida-trace.so") == 0);
+  g_free(name);
+  if (!found) { return TRUE; }
+
+  stalker = stalker_get();
+  gum_stalker_exclude(stalker, details->range);
+
+  return FALSE;
+
+}
+
+void stalker_init(void) {
+
   stalker = gum_stalker_new();
   if (stalker == NULL) { FATAL("Failed to initialize stalker"); }
 
   gum_stalker_set_trust_threshold(stalker, 0);
 
+  /* *NEVER* stalk the stalker, only bad things will ever come of this! */
+  gum_process_enumerate_ranges(GUM_PAGE_EXECUTE, stalker_exclude_self, NULL);
+
 }
 
 GumStalker *stalker_get(void) {
diff --git a/frida_mode/src/stats/stats.c b/frida_mode/src/stats/stats.c
index 0d7b9fb0..0dd8be70 100644
--- a/frida_mode/src/stats/stats.c
+++ b/frida_mode/src/stats/stats.c
@@ -5,7 +5,7 @@
 #include <sys/shm.h>
 #include <sys/mman.h>
 
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "config.h"
 #include "debug.h"
@@ -17,15 +17,16 @@
 
 stats_data_header_t *stats_data = NULL;
 
-static int      stats_parent_pid = -1;
-static int      stats_fd = -1;
-static gboolean stats_transitions = FALSE;
-static guint64  stats_interval = 0;
+static int stats_parent_pid = -1;
+static int stats_fd = -1;
 
-void stats_init(void) {
+char *   stats_filename = NULL;
+guint64  stats_interval = 0;
+gboolean stats_transitions = FALSE;
 
-  stats_parent_pid = getpid();
-  char *filename = getenv("AFL_FRIDA_STATS_FILE");
+void stats_config(void) {
+
+  stats_filename = getenv("AFL_FRIDA_STATS_FILE");
   stats_interval = util_read_num("AFL_FRIDA_STATS_INTERVAL");
   if (getenv("AFL_FRIDA_STATS_TRANSITIONS") != NULL) {
 
@@ -33,10 +34,16 @@ void stats_init(void) {
 
   }
 
-  OKF("Stats - file [%s]", filename);
+}
+
+void stats_init(void) {
+
+  stats_parent_pid = getpid();
+
+  OKF("Stats - file [%s]", stats_filename);
   OKF("Stats - interval [%" G_GINT64_MODIFIER "u]", stats_interval);
 
-  if (stats_interval != 0 && filename == NULL) {
+  if (stats_interval != 0 && stats_filename == NULL) {
 
     FATAL(
         "AFL_FRIDA_STATS_FILE must be specified if "
@@ -46,7 +53,7 @@ void stats_init(void) {
 
   if (stats_interval == 0) { stats_interval = 10; }
 
-  if (filename == NULL) { return; }
+  if (stats_filename == NULL) { return; }
 
   if (!stats_is_supported_arch()) {
 
@@ -56,11 +63,11 @@ void stats_init(void) {
 
   char *path = NULL;
 
-  if (filename == NULL) { return; }
+  if (stats_filename == NULL) { return; }
 
   if (stats_transitions) { gum_stalker_set_counters_enabled(TRUE); }
 
-  path = g_canonicalize_filename(filename, g_get_current_dir());
+  path = g_canonicalize_filename(stats_filename, g_get_current_dir());
 
   OKF("Stats - path [%s]", path);
 
diff --git a/frida_mode/src/stats/stats_arm32.c b/frida_mode/src/stats/stats_arm32.c
index 7eea7f91..71953af3 100644
--- a/frida_mode/src/stats/stats_arm32.c
+++ b/frida_mode/src/stats/stats_arm32.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
diff --git a/frida_mode/src/stats/stats_arm64.c b/frida_mode/src/stats/stats_arm64.c
index 592af87a..d9d374a4 100644
--- a/frida_mode/src/stats/stats_arm64.c
+++ b/frida_mode/src/stats/stats_arm64.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
diff --git a/frida_mode/src/stats/stats_x64.c b/frida_mode/src/stats/stats_x64.c
index c3e8742a..7c3a90d7 100644
--- a/frida_mode/src/stats/stats_x64.c
+++ b/frida_mode/src/stats/stats_x64.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
diff --git a/frida_mode/src/stats/stats_x86.c b/frida_mode/src/stats/stats_x86.c
index 1906e809..d9c4f652 100644
--- a/frida_mode/src/stats/stats_x86.c
+++ b/frida_mode/src/stats/stats_x86.c
@@ -1,4 +1,4 @@
-#include "frida-gum.h"
+#include "frida-gumjs.h"
 
 #include "debug.h"
 
diff --git a/frida_mode/test/deferred/GNUmakefile b/frida_mode/test/deferred/GNUmakefile
index c268ef66..ae580e3f 100644
--- a/frida_mode/test/deferred/GNUmakefile
+++ b/frida_mode/test/deferred/GNUmakefile
@@ -37,7 +37,7 @@ ifeq "$(ARCH)" "x86"
  AFL_ENTRYPOINT=$(shell $(GET_SYMBOL_ADDR) -f $(TESTINSTBIN) -s run -b 0x56555000)
 endif
 
-.PHONY: all clean qemu frida
+.PHONY: all clean frida
 
 all: $(TESTINSTBIN)
 	make -C $(ROOT)frida_mode/
diff --git a/frida_mode/test/js/GNUmakefile b/frida_mode/test/js/GNUmakefile
new file mode 100644
index 00000000..8ea71656
--- /dev/null
+++ b/frida_mode/test/js/GNUmakefile
@@ -0,0 +1,44 @@
+PWD:=$(shell pwd)/
+ROOT:=$(shell realpath $(PWD)../../..)/
+BUILD_DIR:=$(PWD)build/
+TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/
+TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in
+
+TESTINSTBIN:=$(BUILD_DIR)testinstr
+TESTINSTSRC:=$(PWD)testinstr.c
+
+QEMU_OUT:=$(BUILD_DIR)qemu-out
+FRIDA_OUT:=$(BUILD_DIR)frida-out
+
+.PHONY: all 32 clean qemu frida
+
+all: $(TESTINSTBIN)
+	make -C $(ROOT)frida_mode/
+
+32:
+	CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
+
+$(BUILD_DIR):
+	mkdir -p $@
+
+$(TESTINSTR_DATA_DIR): | $(BUILD_DIR)
+	mkdir -p $@
+
+$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR)
+	echo -n "000" > $@
+
+$(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
+
+clean:
+	rm -rf $(BUILD_DIR)
+
+frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
+	AFL_FRIDA_JS_SCRIPT=test.js \
+	$(ROOT)afl-fuzz \
+		-D \
+		-O \
+		-i $(TESTINSTR_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-- \
+			$(TESTINSTBIN) @@
diff --git a/frida_mode/test/js/Makefile b/frida_mode/test/js/Makefile
new file mode 100644
index 00000000..7a237f99
--- /dev/null
+++ b/frida_mode/test/js/Makefile
@@ -0,0 +1,16 @@
+all:
+	@echo trying to use GNU make...
+	@gmake all || echo please install GNUmake
+
+32:
+	@echo trying to use GNU make...
+	@gmake 32 || echo please install GNUmake
+
+clean:
+	@gmake clean
+
+frida:
+	@gmake frida
+
+debug:
+	@gmake debug
diff --git a/frida_mode/test/js/test.js b/frida_mode/test/js/test.js
new file mode 100644
index 00000000..f10ef2d1
--- /dev/null
+++ b/frida_mode/test/js/test.js
@@ -0,0 +1,20 @@
+Afl.print('******************');
+Afl.print('* AFL FRIDA MODE *');
+Afl.print('******************');
+Afl.print('');
+
+Afl.print(`PID: ${Process.id}`);
+
+new ModuleMap().values().forEach(m => {
+    Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
+});
+
+const entry_point = DebugSymbol.fromName('run');
+Afl.print(`entry_point: ${entry_point.address}`);
+
+Afl.setEntryPoint(entry_point.address);
+
+// Afl.error('HARD NOPE');
+
+Afl.done();
+Afl.print("done");
diff --git a/frida_mode/test/js/testinstr.c b/frida_mode/test/js/testinstr.c
new file mode 100644
index 00000000..bd605c52
--- /dev/null
+++ b/frida_mode/test/js/testinstr.c
@@ -0,0 +1,121 @@
+/*
+   american fuzzy lop++ - a trivial program to test the build
+   --------------------------------------------------------
+   Originally written by Michal Zalewski
+   Copyright 2014 Google Inc. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+     http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#ifdef __APPLE__
+  #define TESTINSTR_SECTION
+#else
+  #define TESTINSTR_SECTION __attribute__((section(".testinstr")))
+#endif
+
+void testinstr(char *buf, int len) {
+
+  if (len < 1) return;
+  buf[len] = 0;
+
+  // we support three input cases
+  if (buf[0] == '0')
+    printf("Looks like a zero to me!\n");
+  else if (buf[0] == '1')
+    printf("Pretty sure that is a one!\n");
+  else
+    printf("Neither one or zero? How quaint!\n");
+
+}
+
+int run(char *file) {
+
+  int    fd = -1;
+  off_t  len;
+  char * buf = NULL;
+  size_t n_read;
+  int    result = -1;
+
+  do {
+
+    dprintf(STDERR_FILENO, "Running: %s\n", file);
+
+    fd = open(file, O_RDONLY);
+    if (fd < 0) {
+
+      perror("open");
+      break;
+
+    }
+
+    len = lseek(fd, 0, SEEK_END);
+    if (len < 0) {
+
+      perror("lseek (SEEK_END)");
+      break;
+
+    }
+
+    if (lseek(fd, 0, SEEK_SET) != 0) {
+
+      perror("lseek (SEEK_SET)");
+      break;
+
+    }
+
+    buf = malloc(len);
+    if (buf == NULL) {
+
+      perror("malloc");
+      break;
+
+    }
+
+    n_read = read(fd, buf, len);
+    if (n_read != len) {
+
+      perror("read");
+      break;
+
+    }
+
+    dprintf(STDERR_FILENO, "Running:    %s: (%zd bytes)\n", file, n_read);
+
+    testinstr(buf, len);
+    dprintf(STDERR_FILENO, "Done:    %s: (%zd bytes)\n", file, n_read);
+
+    result = 0;
+
+  } while (false);
+
+  if (buf != NULL) { free(buf); }
+
+  if (fd != -1) { close(fd); }
+
+  return result;
+
+}
+
+void slow() {
+
+  usleep(100000);
+
+}
+
+int main(int argc, char **argv) {
+
+  if (argc != 2) { return 1; }
+  slow();
+  return run(argv[1]);
+
+}
+
diff --git a/frida_mode/test/persistent_ret/GNUmakefile b/frida_mode/test/persistent_ret/GNUmakefile
index 2de51d86..81fdd069 100644
--- a/frida_mode/test/persistent_ret/GNUmakefile
+++ b/frida_mode/test/persistent_ret/GNUmakefile
@@ -82,6 +82,16 @@ frida_ret: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
 		-- \
 			$(TESTINSTBIN) @@
 
+frida_js: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
+	AFL_FRIDA_JS_SCRIPT=test.js \
+	$(ROOT)afl-fuzz \
+		-D \
+		-O \
+		-i $(TESTINSTR_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-- \
+			$(TESTINSTBIN) @@
+
 debug: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
 	gdb \
 		--ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR)' \
diff --git a/frida_mode/test/persistent_ret/test.js b/frida_mode/test/persistent_ret/test.js
new file mode 100644
index 00000000..43c6ad7c
--- /dev/null
+++ b/frida_mode/test/persistent_ret/test.js
@@ -0,0 +1,38 @@
+Afl.print('******************');
+Afl.print('* AFL FRIDA MODE *');
+Afl.print('******************');
+Afl.print('');
+
+Afl.print(`PID: ${Process.id}`);
+
+new ModuleMap().values().forEach(m => {
+    Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
+});
+
+const persistent_addr = DebugSymbol.fromName('main');
+Afl.print(`persistent_addr: ${persistent_addr.address}`);
+
+const persistent_ret = DebugSymbol.fromName('slow');
+Afl.print(`persistent_ret: ${persistent_ret.address}`);
+
+Afl.setPersistentAddress(persistent_addr.address);
+Afl.setPersistentReturn(persistent_ret.address);
+Afl.setPersistentCount(1000000);
+
+Afl.setDebugMaps();
+
+const mod = Process.findModuleByName("libc-2.31.so")
+Afl.addExcludedRange(mod.base, mod.size);
+Afl.setInstrumentLibraries();
+Afl.setInstrumentDebugFile("/tmp/instr.log");
+Afl.setPrefetchDisable();
+Afl.setInstrumentNoOptimize();
+Afl.setInstrumentEnableTracing();
+Afl.setInstrumentTracingUnique();
+Afl.setStdOut("/tmp/stdout.txt");
+Afl.setStdErr("/tmp/stderr.txt");
+Afl.setStatsFile("/tmp/stats.txt");
+Afl.setStatsInterval(1);
+Afl.setStatsTransitions();
+Afl.done();
+Afl.print("done");
diff --git a/include/envs.h b/include/envs.h
index 54bb6597..f89e8e62 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -60,7 +60,8 @@ static char *afl_environment_variables[] = {
     "AFL_FRIDA_INST_NO_PREFETCH",
     "AFL_FRIDA_INST_RANGES",
     "AFL_FRIDA_INST_TRACE",
-    "AFL_FRIDA_INST_UNSTABLE",
+    "AFL_FRIDA_INST_TRACE_UNIQUE",
+    "AFL_FRIDA_JS_SCRIPT",
     "AFL_FRIDA_OUTPUT_STDOUT",
     "AFL_FRIDA_OUTPUT_STDERR",
     "AFL_FRIDA_PERSISTENT_ADDR",
-- 
cgit 1.4.1


From 6a3877dcd35d31eb79bebbc30ffe70ac0342743e Mon Sep 17 00:00:00 2001
From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Date: Fri, 25 Jun 2021 22:14:27 +0100
Subject: Improved FRIDA mode scripting support (#994)

Co-authored-by: Your Name <you@example.com>
---
 frida_mode/.gitignore                              |   2 +
 frida_mode/GNUmakefile                             |  17 +-
 frida_mode/Makefile                                |   3 +
 frida_mode/Scripting.md                            | 828 ++++++++++++++++++---
 frida_mode/hook/hook.c                             |  50 ++
 frida_mode/include/js.h                            |  10 +-
 frida_mode/src/entry.c                             |   1 +
 frida_mode/src/instrument/instrument.c             |  11 +-
 frida_mode/src/js/api.js                           | 430 ++++++-----
 frida_mode/src/js/js.c                             |  13 +-
 frida_mode/src/js/js_api.c                         |  12 +-
 frida_mode/src/persistent/persistent.c             |  28 +-
 frida_mode/src/persistent/persistent_arm64.c       | 399 ++++------
 frida_mode/src/persistent/persistent_x64.c         | 174 ++---
 frida_mode/src/persistent/persistent_x86.c         | 111 ++-
 frida_mode/test/jpeg/GNUmakefile                   |  10 +-
 frida_mode/test/jpeg/Makefile                      |   3 -
 frida_mode/test/jpeg/aflpp_qemu_driver_hook.c      |  97 ---
 frida_mode/test/js/GNUmakefile                     |  56 +-
 frida_mode/test/js/Makefile                        |  13 +-
 frida_mode/test/js/entry.js                        |  20 +
 frida_mode/test/js/patch.js                        |  34 +
 frida_mode/test/js/replace.js                      |  43 ++
 frida_mode/test/js/stalker.js                      | 109 +++
 frida_mode/test/js/test.c                          | 115 +++
 frida_mode/test/js/test.js                         |  20 -
 frida_mode/test/js/test2.c                         | 177 +++++
 frida_mode/test/js/testinstr.c                     | 121 ---
 frida_mode/test/libpcap/GNUmakefile                |  10 +-
 frida_mode/test/libpcap/aflpp_qemu_driver_hook.c   |  97 ---
 frida_mode/test/persistent_ret/GNUmakefile         |  11 +-
 frida_mode/test/persistent_ret/test.js             |  62 +-
 frida_mode/test/persistent_ret/testinstr.c         |  11 +-
 frida_mode/test/png/persistent/hook/GNUmakefile    |  30 +-
 frida_mode/test/png/persistent/hook/Makefile       |   3 +
 .../png/persistent/hook/aflpp_qemu_driver_hook.c   | 193 -----
 frida_mode/test/png/persistent/hook/cmodule.js     |  39 +
 frida_mode/test/png/persistent/hook/load.js        |  27 +
 frida_mode/test/proj4/GNUmakefile                  |  10 +-
 frida_mode/test/proj4/Makefile                     |   2 -
 frida_mode/test/proj4/aflpp_qemu_driver_hook.c     |  97 ---
 frida_mode/test/re2/GNUmakefile                    |  10 +-
 frida_mode/test/re2/Makefile                       |   2 -
 frida_mode/test/re2/aflpp_qemu_driver_hook.c       |  97 ---
 frida_mode/ts/lib/afl.ts                           | 373 ++++++++++
 frida_mode/ts/package-lock.json                    |  12 +
 frida_mode/ts/package.json                         |  32 +
 frida_mode/ts/tsconfig.json                        |  14 +
 frida_mode/ts/tslint.json                          | 256 +++++++
 49 files changed, 2749 insertions(+), 1546 deletions(-)
 create mode 100644 frida_mode/hook/hook.c
 delete mode 100644 frida_mode/test/jpeg/aflpp_qemu_driver_hook.c
 create mode 100644 frida_mode/test/js/entry.js
 create mode 100644 frida_mode/test/js/patch.js
 create mode 100644 frida_mode/test/js/replace.js
 create mode 100644 frida_mode/test/js/stalker.js
 create mode 100644 frida_mode/test/js/test.c
 delete mode 100644 frida_mode/test/js/test.js
 create mode 100644 frida_mode/test/js/test2.c
 delete mode 100644 frida_mode/test/js/testinstr.c
 delete mode 100644 frida_mode/test/libpcap/aflpp_qemu_driver_hook.c
 delete mode 100644 frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c
 create mode 100644 frida_mode/test/png/persistent/hook/cmodule.js
 create mode 100644 frida_mode/test/png/persistent/hook/load.js
 delete mode 100644 frida_mode/test/proj4/aflpp_qemu_driver_hook.c
 delete mode 100644 frida_mode/test/re2/aflpp_qemu_driver_hook.c
 create mode 100644 frida_mode/ts/lib/afl.ts
 create mode 100644 frida_mode/ts/package-lock.json
 create mode 100644 frida_mode/ts/package.json
 create mode 100644 frida_mode/ts/tsconfig.json
 create mode 100644 frida_mode/ts/tslint.json

(limited to 'frida_mode/src/persistent/persistent.c')

diff --git a/frida_mode/.gitignore b/frida_mode/.gitignore
index 956b9911..32cca51f 100644
--- a/frida_mode/.gitignore
+++ b/frida_mode/.gitignore
@@ -3,3 +3,5 @@ frida_test.dat
 qemu_test.dat
 frida_out/**
 qemu_out/**
+ts/dist/
+ts/node_modules/
diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index fdacff62..f5a96501 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -94,11 +94,15 @@ FRIDA_GUM_DEVKIT_COMPRESSED_TARBALL:=$(FRIDA_DIR)build/$(GUM_DEVKIT_FILENAME)
 AFL_COMPILER_RT_SRC:=$(ROOT)instrumentation/afl-compiler-rt.o.c
 AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o
 
-.PHONY: all 32 clean format $(FRIDA_GUM) quickjs
+HOOK_DIR:=$(PWD)hook/
+AFLPP_DRIVER_HOOK_SRC=$(HOOK_DIR)hook.c
+AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)hook.so
+
+.PHONY: all 32 clean format hook $(FRIDA_GUM)
 
 ############################## ALL #############################################
 
-all: $(FRIDA_TRACE)
+all: $(FRIDA_TRACE) $(AFLPP_DRIVER_HOOK_OBJ)
 
 32:
 	CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
@@ -197,13 +201,20 @@ $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL
 
 	cp -v $(FRIDA_TRACE) $(ROOT)
 
+############################# HOOK #############################################
+
+$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR)
+	$(CC) $(CFLAGS) $(LDFLAGS) -I $(FRIDA_BUILD_DIR) $< -o $@
+
+hook: $(AFLPP_DRIVER_HOOK_OBJ)
+
 ############################# CLEAN ############################################
 clean:
 	rm -rf $(BUILD_DIR)
 
 ############################# FORMAT ###########################################
 format:
-	cd $(ROOT) && echo $(SOURCES) | xargs -L1 ./.custom-format.py -i
+	cd $(ROOT) && echo $(SOURCES) $(AFLPP_DRIVER_HOOK_SRC) | xargs -L1 ./.custom-format.py -i
 	cd $(ROOT) && echo $(INCLUDES) | xargs -L1 ./.custom-format.py -i
 
 ############################# RUN #############################################
diff --git a/frida_mode/Makefile b/frida_mode/Makefile
index 6cd1a64e..1922c7e6 100644
--- a/frida_mode/Makefile
+++ b/frida_mode/Makefile
@@ -11,3 +11,6 @@ clean:
 
 format:
 	@gmake format
+
+hook:
+	@gmake hook
diff --git a/frida_mode/Scripting.md b/frida_mode/Scripting.md
index 8b961e18..4c6fe6b2 100644
--- a/frida_mode/Scripting.md
+++ b/frida_mode/Scripting.md
@@ -99,142 +99,752 @@ const address = module.base.add(0xdeadface);
 Afl.setPersistentAddress(address);
 ```
 
-# API
+# Persisent Hook
+A persistent hook can be implemented using a conventional shared object, sample
+source code for a hook suitable for the prototype of `LLVMFuzzerTestOneInput`
+can be found [here](hook/hook.c). This can be configured using code similar to
+the following.
+
 ```js
-/*
- * Print a message to the STDOUT. This should be preferred to
- * FRIDA's `console.log` since FRIDA will queue it's log messages.
- * If `console.log` is used in a callback in particular, then there
- * may no longer be a thread running to service this queue.
- */
-Afl.print(msg);
+const path = Afl.module.path;
+const dir = path.substring(0, path.lastIndexOf("/"));
+const mod = Module.load(`${dir}/frida_mode/build/hook.so`);
+const hook = mod.getExportByName('afl_persistent_hook');
+Afl.setPersistentHook(hook);
+```
 
-/*
- * This must always be called at the end of your script. This lets
- * FRIDA mode know that your configuration is finished and that
- * execution has reached the end of your script. Failure to call
- * this will result in a fatal error.
- */
+Alternatively, the hook can be provided by using FRIDAs built in support for `CModule`, powered by TinyCC.
+
+```js
+const cm = new CModule(`
+
+    #include <string.h>
+    #include <gum/gumdefs.h>
+
+    void afl_persistent_hook(GumCpuContext *regs, uint8_t *input_buf,
+      uint32_t input_buf_len) {
+
+      memcpy((void *)regs->rdi, input_buf, input_buf_len);
+      regs->rsi = input_buf_len;
+
+    }
+    `,
+    {
+        memcpy: Module.getExportByName(null, 'memcpy')
+    });
+Afl.setPersistentHook(cm.afl_persistent_hook);
+```
+
+# Advanced Persistence
+Consider the following target code...
+```c
+
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void LLVMFuzzerTestOneInput(char *buf, int len) {
+
+  if (len < 1) return;
+  buf[len] = 0;
+
+  // we support three input cases
+  if (buf[0] == '0')
+    printf("Looks like a zero to me!\n");
+  else if (buf[0] == '1')
+    printf("Pretty sure that is a one!\n");
+  else
+    printf("Neither one or zero? How quaint!\n");
+
+}
+
+int run(char *file) {
+
+  int    fd = -1;
+  off_t  len;
+  char * buf = NULL;
+  size_t n_read;
+  int    result = -1;
+
+  do {
+
+    dprintf(STDERR_FILENO, "Running: %s\n", file);
+
+    fd = open(file, O_RDONLY);
+    if (fd < 0) {
+
+      perror("open");
+      break;
+
+    }
+
+    len = lseek(fd, 0, SEEK_END);
+    if (len < 0) {
+
+      perror("lseek (SEEK_END)");
+      break;
+
+    }
+
+    if (lseek(fd, 0, SEEK_SET) != 0) {
+
+      perror("lseek (SEEK_SET)");
+      break;
+
+    }
+
+    buf = malloc(len);
+    if (buf == NULL) {
+
+      perror("malloc");
+      break;
+
+    }
+
+    n_read = read(fd, buf, len);
+    if (n_read != len) {
+
+      perror("read");
+      break;
+
+    }
+
+    dprintf(STDERR_FILENO, "Running:    %s: (%zd bytes)\n", file, n_read);
+
+    LLVMFuzzerTestOneInput(buf, len);
+    dprintf(STDERR_FILENO, "Done:    %s: (%zd bytes)\n", file, n_read);
+
+    result = 0;
+
+  } while (false);
+
+  if (buf != NULL) { free(buf); }
+
+  if (fd != -1) { close(fd); }
+
+  return result;
+
+}
+
+void slow() {
+
+  usleep(100000);
+
+}
+
+int main(int argc, char **argv) {
+
+  if (argc != 2) { return 1; }
+  slow();
+  return run(argv[1]);
+
+}
+```
+
+FRIDA mode supports the replacement of any function, with an implementation
+generated by CModule. This allows for a bespoke harness to be written as
+follows:
+
+```
+const slow = DebugSymbol.fromName('slow').address;
+Afl.print(`slow: ${slow}`);
+
+const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
+Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`);
+
+const cm = new CModule(`
+
+    extern unsigned char * __afl_fuzz_ptr;
+    extern unsigned int * __afl_fuzz_len;
+    extern void LLVMFuzzerTestOneInput(char *buf, int len);
+
+    void slow(void) {
+
+      LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len);
+    }
+    `,
+    {
+        LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput,
+        __afl_fuzz_ptr: Afl.getAflFuzzPtr(),
+        __afl_fuzz_len: Afl.getAflFuzzLen()
+    });
+
+Afl.setEntryPoint(cm.slow);
+Afl.setPersistentAddress(cm.slow);
+Afl.setInMemoryFuzzing();
+Interceptor.replace(slow, cm.slow);
+Afl.print("done");
 Afl.done();
+```
 
-/*
- * This function can be called within your script to cause FRIDA
- * mode to trigger a fatal error. This is useful if for example you
- * discover a problem you weren't expecting and want everything to
- * stop. The user will need to enable `AFL_DEBUG_CHILD=1` to view
- * this error message.
- */
-Afl.error();
+Here, we replace the function `slow` with our own code. This code is then
+selected as the entry point as well as the persistent loop address.
 
-/*
- * This has the same effect as setting `AFL_ENTRYPOINT`, but has the
- * convenience of allowing you to use FRIDAs APIs to determine the
- * address you would like to configure, rather than having to grep
- * the output of `readelf` or something similarly ugly. This
- * function should be called with a `NativePointer` as its
- * argument.
- */
-Afl.setEntryPoint(address);
+**WARNING** There are two key limitations in replacing a function in this way:
+- The function which is to be replaced must not be `main` this is because this
+is the point at which FRIDA mode is initialized and at the point the the JS has
+been run, the start of the `main` function has already been instrumented and
+cached.
+- The replacement function must not call itself. e.g. in this example we
+couldn't replace `LLVMFuzzerTestOneInput` and call itself.
 
-/*
- * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a
- * `NativePointer` should be provided as it's argument.
- */
-Afl.setPersistentAddress(address);
+# Patching
+Consider the [following](test/js/test2.c) test code...
 
+```c
 /*
- * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a
- * `NativePointer` should be provided as it's argument.
+   american fuzzy lop++ - a trivial program to test the build
+   --------------------------------------------------------
+   Originally written by Michal Zalewski
+   Copyright 2014 Google Inc. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+     http://www.apache.org/licenses/LICENSE-2.0
  */
-Afl.setPersistentReturn(address);
 
-/*
- * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a
- * `number` should be provided as it's argument.
- */
-Afl.setPersistentCount(count);
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+const uint32_t crc32_tab[] = {
+	0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f,
+
+  ...
+
+	0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d
+};
+
+uint32_t
+crc32(const void *buf, size_t size)
+{
+	const uint8_t *p = buf;
+	uint32_t crc;
+ 	crc = ~0U;
+	while (size--)
+		crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8);
+	return crc ^ ~0U;
+}
 
 /*
- * See `AFL_FRIDA_PERSISTENT_DEBUG`.
+ * Don't you hate those contrived examples which CRC their data. We can use
+ * FRIDA to patch this function out and always return success. Otherwise, we
+ * could change it to actually correct the checksum.
  */
-Afl.setPersistentDebug();
+int crc32_check (char * buf, int len) {
+  if (len < sizeof(uint32_t)) { return 0; }
+  uint32_t expected = *(uint32_t *)&buf[len - sizeof(uint32_t)];
+  uint32_t calculated = crc32(buf, len - sizeof(uint32_t));
+  return expected == calculated;
+}
 
 /*
- * See `AFL_FRIDA_DEBUG_MAPS`.
+ * So you've found a really boring bug in an earlier campaign which results in
+ * a NULL dereference or something like that. That bug can get in the way,
+ * causing the persistent loop to exit whenever it is triggered, and can also
+ * cloud your output unnecessarily. Again, we can use FRIDA to patch it out.
  */
-Afl.setDebugMaps();
+void some_boring_bug(char c) {
+  switch (c) {
+    case 'A'...'Z':
+    case 'a'...'z':
+      __builtin_trap();
+      break;
+  }
+}
 
-/*
- * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`,
- * it takes as arguments a `NativePointer` and a `number`. It can be
- * called multiple times to include several ranges.
- */
-Afl.addIncludedRange(address, size);
+void LLVMFuzzerTestOneInput(char *buf, int len) {
+
+  if (!crc32_check(buf, len)) return;
+
+  some_boring_bug(buf[0]);
+
+  if (buf[0] == '0') {
+    printf("Looks like a zero to me!\n");
+  }
+  else if (buf[0] == '1') {
+    printf("Pretty sure that is a one!\n");
+  }
+  else if (buf[0] == '2') {
+    if (buf[1] == '3') {
+      if (buf[2] == '4') {
+        printf("Oh we, weren't expecting that!");
+        __builtin_trap();
+      }
+    }
+  }
+  else
+    printf("Neither one or zero? How quaint!\n");
 
-/*
- * This is equivalent to setting a value in `AFL_FRIDA_EXCLUDE_RANGES`,
- * it takes as arguments a `NativePointer` and a `number`. It can be
- * called multiple times to exclude several ranges.
- */
-Afl.addExcludedRange(address, size);
+}
 
-/*
- * See `AFL_INST_LIBS`.
- */
-Afl.setInstrumentLibraries();
+int main(int argc, char **argv) {
 
-/*
- * See `AFL_FRIDA_INST_DEBUG_FILE`. This function takes a single `string` as
- * an argument.
- */
-Afl.setInstrumentDebugFile(file);
+  int    fd = -1;
+  off_t  len;
+  char * buf = NULL;
+  size_t n_read;
+  int    result = -1;
 
-/*
- * See `AFL_FRIDA_INST_NO_PREFETCH`.
- */
-Afl.setPrefetchDisable();
+  if (argc != 2) { return 1; }
 
-/*
- * See `AFL_FRIDA_INST_NO_OPTIMIZE`
- */
-Afl.setInstrumentNoOptimize();
+  printf("Running: %s\n", argv[1]);
 
-/*
- * See `AFL_FRIDA_INST_TRACE`.
- */
-Afl.setInstrumentEnableTracing();
+  fd = open(argv[1], O_RDONLY);
+  if (fd < 0) { return 1; }
 
-/*
- * See `AFL_FRIDA_INST_TRACE_UNIQUE`.
- */
-Afl.setInstrumentTracingUnique()
+  len = lseek(fd, 0, SEEK_END);
+  if (len < 0) { return 1; }
 
-/*
- * See `AFL_FRIDA_OUTPUT_STDOUT`. This function takes a single `string` as
- * an argument.
- */
-Afl.setStdOut(file);
+  if (lseek(fd, 0, SEEK_SET) != 0) { return 1; }
 
-/*
- * See `AFL_FRIDA_OUTPUT_STDERR`. This function takes a single `string` as
- * an argument.
- */
-Afl.setStdErr(file);
+  buf = malloc(len);
+  if (buf == NULL) { return 1; }
 
-/*
- * See `AFL_FRIDA_STATS_FILE`. This function takes a single `string` as
- * an argument.
- */
-Afl.setStatsFile(file);
+  n_read = read(fd, buf, len);
+  if (n_read != len) { return 1; }
 
-/*
- * See `AFL_FRIDA_STATS_INTERVAL`. This function takes a `number` as an
- * argument
- */
-Afl.setStatsInterval(interval);
+  printf("Running:    %s: (%zd bytes)\n", argv[1], n_read);
+
+  LLVMFuzzerTestOneInput(buf, len);
+  printf("Done:    %s: (%zd bytes)\n", argv[1], n_read);
+
+  return 0;
+}
+```
+
+There are a couple of obstacles with our target application. Unlike when fuzzing
+source code, though, we can't simply edit it and recompile it. The following
+script shows how we can use the normal functionality of FRIDA to modify any
+troublesome behaviour.
+
+```js
+Afl.print('******************');
+Afl.print('* AFL FRIDA MODE *');
+Afl.print('******************');
+Afl.print('');
+
+const main = DebugSymbol.fromName('main').address;
+Afl.print(`main: ${main}`);
+Afl.setEntryPoint(main);
+Afl.setPersistentAddress(main);
+Afl.setPersistentCount(10000000);
+
+const crc32_check = DebugSymbol.fromName('crc32_check').address;
+const crc32_replacement = new NativeCallback(
+    (buf, len) => {
+        Afl.print(`len: ${len}`);
+        if (len < 4) {
+            return 0;
+        }
+
+        return 1;
+    },
+    'int',
+    ['pointer', 'int']);
+Interceptor.replace(crc32_check, crc32_replacement);
+
+const some_boring_bug = DebugSymbol.fromName('some_boring_bug').address
+const boring_replacement = new NativeCallback(
+    (c) => { },
+    'void',
+    ['char']);
+Interceptor.replace(some_boring_bug, boring_replacement);
+
+Afl.done();
+Afl.print("done");
+```
+
+# Advanced Patching
+Consider the following code fragment...
+```c
+extern void some_boring_bug2(char c);
+
+__asm__ (
+      ".text                                 \n"
+      "some_boring_bug2:                     \n"
+      ".global some_boring_bug2              \n"
+      ".type some_boring_bug2, @function     \n"
+      "mov %edi, %eax                        \n"
+      "cmp $0xb4, %al                        \n"
+      "jne ok                                \n"
+      "ud2                                   \n"
+      "ok:                                   \n"
+      "ret                                   \n");
+
+void LLVMFuzzerTestOneInput(char *buf, int len) {
+
+  ...
+
+  some_boring_bug2(buf[0]);
+
+  ...
+
+}
+```
+
+Rather than using FRIDAs `Interceptor.replace` or `Interceptor.attach` APIs, it
+is possible to apply much more fine grained modification to the target
+application by means of using the Stalker APIs.
+
+The following code locates the function of interest and patches out the UD2
+instruction signifying a crash.
+
+```js
+/* Modify the instructions */
+const some_boring_bug2 = DebugSymbol.fromName('some_boring_bug2').address
+const pid = Memory.alloc(4);
+pid.writeInt(Process.id);
+
+const cm = new CModule(`
+    #include <stdio.h>
+    #include <gum/gumstalker.h>
+
+    typedef int pid_t;
+
+    #define STDERR_FILENO 2
+    #define BORING2_LEN 10
+
+    extern int dprintf(int fd, const char *format, ...);
+    extern void some_boring_bug2(char c);
+    extern pid_t getpid(void);
+    extern pid_t pid;
+
+    gboolean js_stalker_callback(const cs_insn *insn, gboolean begin,
+        gboolean excluded, GumStalkerOutput *output)
+    {
+        pid_t my_pid = getpid();
+        GumX86Writer *cw = output->writer.x86;
+
+        if (GUM_ADDRESS(insn->address) < GUM_ADDRESS(some_boring_bug2)) {
+
+            return TRUE;
+
+        }
+
+        if (GUM_ADDRESS(insn->address) >=
+            GUM_ADDRESS(some_boring_bug2) + BORING2_LEN) {
+
+            return TRUE;
+
+        }
+
+        if (my_pid == pid) {
+
+            if (begin) {
+
+                dprintf(STDERR_FILENO, "\n> 0x%016lX: %s %s\n", insn->address,
+                        insn->mnemonic, insn->op_str);
+
+            } else {
+
+                dprintf(STDERR_FILENO, "  0x%016lX: %s %s\n", insn->address,
+                        insn->mnemonic, insn->op_str);
+
+            }
+
+        }
+
+        if (insn->id == X86_INS_UD2) {
+
+            gum_x86_writer_put_nop(cw);
+            return FALSE;
+
+        } else {
+
+            return TRUE;
+
+        }
+    }
+    `,
+    {
+        dprintf: Module.getExportByName(null, 'dprintf'),
+        getpid: Module.getExportByName(null, 'getpid'),
+        some_boring_bug2: some_boring_bug2,
+        pid: pid
+    });
+Afl.setStalkerCallback(cm.js_stalker_callback)
+Afl.setStdErr("/tmp/stderr.txt");
+```
+
+Note that you will more likely want to find the
+patch address by using:
+
+```js
+const module = Process.getModuleByName('target.exe');
+/* Hardcoded offset within the target image */
+const address = module.base.add(0xdeadface);
+```
+OR
+```
+const address = DebugSymbol.fromName("my_function").address.add(0xdeadface);
+```
+OR
+```
+const address = Module.getExportByName(null, "my_function").add(0xdeadface);
+```
+
+The function `js_stalker_callback` should return `TRUE` if the original
+instruction should be emitted in the instrumented code, or `FALSE` otherwise.
+In the example above, we can see it is replaced with a `NOP`.
+
+Lastly, note that the same callback will be called when compiling instrumented
+code both in the child of the forkserver (as it is executed) and also in the
+parent of the forserver (when prefetching is enabled) so that it can be
+inherited by the next forked child. It is **VERY** important that the same
+instructions be generated in both the parent and the child, or if prefetching is
+disabled that the same instructions are generated every time the block is
+compiled. Failure to do so will likely lead to bugs which are incredibly
+difficult to diagnose. The code above only prints the instructions when running
+in the parent process (the one provided by `Process.id` when the JS script is
+executed).
+
+# API
+```js
+class Afl {
+
+  /**
+   * Field containing the `Module` object for `afl-frida-trace.so` (the FRIDA mode
+   * implementation).
+   */
+  public static module: Module = Process.getModuleByName("afl-frida-trace.so");
+
+  /**
+   * This is equivalent to setting a value in `AFL_FRIDA_EXCLUDE_RANGES`,
+   * it takes as arguments a `NativePointer` and a `number`. It can be
+   * called multiple times to exclude several ranges.
+   */
+  public static addExcludedRange(addressess: NativePointer, size: number): void {
+    Afl.jsApiAddExcludeRange(addressess, size);
+  }
+
+  /**
+   * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`,
+   * it takes as arguments a `NativePointer` and a `number`. It can be
+   * called multiple times to include several ranges.
+   */
+  public static addIncludedRange(addressess: NativePointer, size: number): void {
+    Afl.jsApiAddIncludeRange(addressess, size);
+  }
+
+  /**
+   * This must always be called at the end of your script. This lets
+   * FRIDA mode know that your configuration is finished and that
+   * execution has reached the end of your script. Failure to call
+   * this will result in a fatal error.
+   */
+  public static done(): void {
+    Afl.jsApiDone();
+  }
+
+  /**
+   * This function can be called within your script to cause FRIDA
+   * mode to trigger a fatal error. This is useful if for example you
+   * discover a problem you weren't expecting and want everything to
+   * stop. The user will need to enable `AFL_DEBUG_CHILD=1` to view
+   * this error message.
+   */
+  public static error(msg: string): void {
+    const buf = Memory.allocUtf8String(msg);
+    Afl.jsApiError(buf);
+  }
+
+  /**
+   * Function used to provide access to `__afl_fuzz_ptr`, which contains the length of
+   * fuzzing data when using in-memory test case fuzzing.
+   */
+  public static getAflFuzzLen(): NativePointer {
+
+    return Afl.jsApiGetSymbol("__afl_fuzz_len");
+  }
+
+  /**
+   * Function used to provide access to `__afl_fuzz_ptr`, which contains the fuzzing
+   * data when using in-memory test case fuzzing.
+   */
+  public static getAflFuzzPtr(): NativePointer {
+
+    return Afl.jsApiGetSymbol("__afl_fuzz_ptr");
+  }
+
+  /**
+   * Print a message to the STDOUT. This should be preferred to
+   * FRIDA's `console.log` since FRIDA will queue it's log messages.
+   * If `console.log` is used in a callback in particular, then there
+   * may no longer be a thread running to service this queue.
+   */
+  public static print(msg: string): void {
+    const STDOUT_FILENO = 2;
+    const log = `${msg}\n`;
+    const buf = Memory.allocUtf8String(log);
+    Afl.jsApiWrite(STDOUT_FILENO, buf, log.length);
+  }
+
+  /**
+   * See `AFL_FRIDA_DEBUG_MAPS`.
+   */
+  public static setDebugMaps(): void {
+    Afl.jsApiSetDebugMaps();
+  }
+
+  /**
+   * This has the same effect as setting `AFL_ENTRYPOINT`, but has the
+   * convenience of allowing you to use FRIDAs APIs to determine the
+   * address you would like to configure, rather than having to grep
+   * the output of `readelf` or something similarly ugly. This
+   * function should be called with a `NativePointer` as its
+   * argument.
+   */
+  public static setEntryPoint(address: NativePointer): void {
+    Afl.jsApiSetEntryPoint(address);
+  }
+
+  /**
+   * Function used to enable in-memory test cases for fuzzing.
+   */
+  public static setInMemoryFuzzing(): void {
+    Afl.jsApiAflSharedMemFuzzing.writeInt(1);
+  }
+
+  /**
+   * See `AFL_FRIDA_INST_DEBUG_FILE`. This function takes a single `string` as
+   * an argument.
+   */
+  public static setInstrumentDebugFile(file: string): void {
+    const buf = Memory.allocUtf8String(file);
+    Afl.jsApiSetInstrumentDebugFile(buf);
+  }
+
+  /**
+   * See `AFL_FRIDA_INST_TRACE`.
+   */
+  public static setInstrumentEnableTracing(): void {
+    Afl.jsApiSetInstrumentTrace();
+  }
+
+  /**
+   * See `AFL_INST_LIBS`.
+   */
+  public static setInstrumentLibraries(): void {
+    Afl.jsApiSetInstrumentLibraries();
+  }
+
+  /**
+   * See `AFL_FRIDA_INST_NO_OPTIMIZE`
+   */
+  public static setInstrumentNoOptimize(): void {
+    Afl.jsApiSetInstrumentNoOptimize();
+  }
+
+  /**
+   * See `AFL_FRIDA_INST_TRACE_UNIQUE`.
+   */
+  public static setInstrumentTracingUnique(): void {
+    Afl.jsApiSetInstrumentTraceUnique();
+  }
+
+  /**
+   * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a
+   * `NativePointer` should be provided as it's argument.
+   */
+  public static setPersistentAddress(address: NativePointer): void {
+    Afl.jsApiSetPersistentAddress(address);
+  }
+
+  /**
+   * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a
+   * `number` should be provided as it's argument.
+   */
+  public static setPersistentCount(count: number): void {
+    Afl.jsApiSetPersistentCount(count);
+  }
+
+  /**
+   * See `AFL_FRIDA_PERSISTENT_DEBUG`.
+   */
+  public static setPersistentDebug(): void {
+    Afl.jsApiSetPersistentDebug();
+  }
+
+  /**
+   * See `AFL_FRIDA_PERSISTENT_ADDR`. This function takes a NativePointer as an
+   * argument. See above for examples of use.
+   */
+  public static setPersistentHook(address: NativePointer): void {
+    Afl.jsApiSetPersistentHook(address);
+  }
+
+  /**
+   * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a
+   * `NativePointer` should be provided as it's argument.
+   */
+  public static setPersistentReturn(address: NativePointer): void {
+    Afl.jsApiSetPersistentReturn(address);
+  }
+
+  /**
+   * See `AFL_FRIDA_INST_NO_PREFETCH`.
+   */
+  public static setPrefetchDisable(): void {
+    Afl.jsApiSetPrefetchDisable();
+  }
+
+  /*
+   * Set a function to be called for each instruction which is instrumented
+   * by AFL FRIDA mode.
+   */
+  public static setStalkerCallback(callback: NativePointer): void {
+    Afl.jsApiSetStalkerCallback(callback);
+  }
+
+  /**
+   * See `AFL_FRIDA_STATS_FILE`. This function takes a single `string` as
+   * an argument.
+   */
+  public static setStatsFile(file: string): void {
+    const buf = Memory.allocUtf8String(file);
+    Afl.jsApiSetStatsFile(buf);
+  }
+
+  /**
+   * See `AFL_FRIDA_STATS_INTERVAL`. This function takes a `number` as an
+   * argument
+   */
+  public static setStatsInterval(interval: number): void {
+    Afl.jsApiSetStatsInterval(interval);
+  }
+
+  /**
+   * See `AFL_FRIDA_STATS_TRANSITIONS`
+   */
+  public static setStatsTransitions(): void {
+    Afl.jsApiSetStatsTransitions();
+  }
+
+  /**
+   * See `AFL_FRIDA_OUTPUT_STDERR`. This function takes a single `string` as
+   * an argument.
+   */
+  public static setStdErr(file: string): void {
+    const buf = Memory.allocUtf8String(file);
+    Afl.jsApiSetStdErr(buf);
+  }
+
+  /**
+   * See `AFL_FRIDA_OUTPUT_STDOUT`. This function takes a single `string` as
+   * an argument.
+   */
+  public static setStdOut(file: string): void {
+    const buf = Memory.allocUtf8String(file);
+    Afl.jsApiSetStdOut(buf);
+  }
+
+}
 
-/*
- * See `AFL_FRIDA_STATS_TRANSITIONS`
- */
-Afl.setStatsTransitions()
 ```
diff --git a/frida_mode/hook/hook.c b/frida_mode/hook/hook.c
new file mode 100644
index 00000000..7d08101f
--- /dev/null
+++ b/frida_mode/hook/hook.c
@@ -0,0 +1,50 @@
+#include <stdint.h>
+#include <string.h>
+
+#include "frida-gumjs.h"
+
+#if defined(__x86_64__)
+
+void afl_persistent_hook(GumCpuContext *regs, uint8_t *input_buf,
+                         uint32_t input_buf_len) {
+
+  memcpy((void *)regs->rdi, input_buf, input_buf_len);
+  regs->rsi = input_buf_len;
+
+}
+
+#elif defined(__i386__)
+
+void afl_persistent_hook(GumCpuContext *regs, uint8_t *input_buf,
+                         uint32_t input_buf_len) {
+
+  void **esp = (void **)regs->esp;
+  void * arg1 = esp[0];
+  void **arg2 = &esp[1];
+  memcpy(arg1, input_buf, input_buf_len);
+  *arg2 = (void *)input_buf_len;
+
+}
+
+#elif defined(__aarch64__)
+
+void afl_persistent_hook(GumCpuContext *regs, uint8_t *input_buf,
+                         uint32_t input_buf_len) {
+
+  memcpy((void *)regs->x[0], input_buf, input_buf_len);
+  regs->x[1] = input_buf_len;
+
+}
+
+#else
+  #pragma error "Unsupported architecture"
+#endif
+
+int afl_persistent_hook_init(void) {
+
+  // 1 for shared memory input (faster), 0 for normal input (you have to use
+  // read(), input_buf will be NULL)
+  return 1;
+
+}
+
diff --git a/frida_mode/include/js.h b/frida_mode/include/js.h
index 77237d55..a5ecb712 100644
--- a/frida_mode/include/js.h
+++ b/frida_mode/include/js.h
@@ -3,10 +3,15 @@
 
 #include "frida-gumjs.h"
 
+typedef gboolean (*js_api_stalker_callback_t)(const cs_insn *insn,
+                                              gboolean begin, gboolean excluded,
+                                              GumStalkerOutput *output);
+
 extern unsigned char api_js[];
 extern unsigned int  api_js_len;
 
-extern gboolean js_done;
+extern gboolean                  js_done;
+extern js_api_stalker_callback_t js_user_callback;
 
 /* Frida Mode */
 
@@ -14,5 +19,8 @@ void js_config(void);
 
 void js_start(void);
 
+gboolean js_stalker_callback(const cs_insn *insn, gboolean begin,
+                             gboolean excluded, GumStalkerOutput *output);
+
 #endif
 
diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c
index 186d5098..e95b923b 100644
--- a/frida_mode/src/entry.c
+++ b/frida_mode/src/entry.c
@@ -13,6 +13,7 @@ guint64 entry_point = 0;
 
 static void entry_launch(void) {
 
+  OKF("Entry point reached");
   __afl_manual_init();
 
   /* Child here */
diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c
index d6ae505d..2a217d96 100644
--- a/frida_mode/src/instrument/instrument.c
+++ b/frida_mode/src/instrument/instrument.c
@@ -11,6 +11,7 @@
 #include "entry.h"
 #include "frida_cmplog.h"
 #include "instrument.h"
+#include "js.h"
 #include "persistent.h"
 #include "prefetch.h"
 #include "ranges.h"
@@ -165,8 +166,6 @@ static void instrument_basic_block(GumStalkerIterator *iterator,
 
       }
 
-      begin = FALSE;
-
     }
 
     instrument_debug_instruction(instr->address, instr->size);
@@ -178,7 +177,13 @@ static void instrument_basic_block(GumStalkerIterator *iterator,
 
     }
 
-    gum_stalker_iterator_keep(iterator);
+    if (js_stalker_callback(instr, begin, excluded, output)) {
+
+      gum_stalker_iterator_keep(iterator);
+
+    }
+
+    begin = FALSE;
 
   }
 
diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js
index 983f1efa..4cb04704 100644
--- a/frida_mode/src/js/api.js
+++ b/frida_mode/src/js/api.js
@@ -1,201 +1,243 @@
-const write = new NativeFunction(
-    Module.getExportByName(null, 'write'),
-    'int',
-    ['int', 'pointer', 'int']
-);
-
-const afl_frida_trace = Process.findModuleByName('afl-frida-trace.so');
-
-function get_api(name, ret, args) {
-    const addr = afl_frida_trace.findExportByName(name);
-    return new NativeFunction(addr, ret, args);
-}
-
-const js_api_done = get_api(
-    'js_api_done',
-    'void',
-    []);
-
-const js_api_error = get_api(
-    'js_api_error',
-    'void',
-    ['pointer']);
-
-const js_api_set_entrypoint = get_api(
-    'js_api_set_entrypoint',
-    'void',
-    ['pointer']);
-
-const js_api_set_persistent_address = get_api(
-    'js_api_set_persistent_address',
-    'void',
-    ['pointer']);
-
-const js_api_set_persistent_return = get_api(
-    'js_api_set_persistent_return',
-    'void',
-    ['pointer']);
-
-const js_api_set_persistent_count = get_api(
-    'js_api_set_persistent_count',
-    'void',
-    ['uint64']);
-
-const js_api_set_persistent_debug = get_api(
-    'js_api_set_persistent_debug',
-    'void',
-    []);
-
-const js_api_set_debug_maps = get_api(
-    'js_api_set_debug_maps',
-    'void',
-    []);
-
-const js_api_add_include_range = get_api(
-    'js_api_add_include_range',
-    'void',
-    ['pointer', 'size_t']);
-
-const js_api_add_exclude_range = get_api(
-    'js_api_add_exclude_range',
-    'void',
-    ['pointer', 'size_t']);
-
-const js_api_set_instrument_libraries = get_api(
-    'js_api_set_instrument_libraries',
-    'void',
-    []);
-
-const js_api_set_instrument_debug_file = get_api(
-    'js_api_set_instrument_debug_file',
-    'void',
-    ['pointer']);
-
-const js_api_set_prefetch_disable = get_api(
-    'js_api_set_prefetch_disable',
-    'void',
-    []);
-
-const js_api_set_instrument_no_optimize = get_api(
-    'js_api_set_instrument_no_optimize',
-    'void',
-    []);
-
-const js_api_set_instrument_trace = get_api(
-    'js_api_set_instrument_trace',
-    'void',
-    []);
-
-const js_api_set_instrument_trace_unique = get_api(
-    'js_api_set_instrument_trace_unique',
-    'void',
-    []);
-
-const js_api_set_stdout = get_api(
-    'js_api_set_stdout',
-    'void',
-    ['pointer']);
-
-const js_api_set_stderr = get_api(
-    'js_api_set_stderr',
-    'void',
-    ['pointer']);
-
-const js_api_set_stats_file = get_api(
-    'js_api_set_stats_file',
-    'void',
-    ['pointer']);
-
-const js_api_set_stats_interval = get_api(
-    'js_api_set_stats_interval',
-    'void',
-    ['uint64']);
-
-const js_api_set_stats_transitions = get_api(
-    'js_api_set_stats_transitions',
-    'void',
-    []);
-
-const afl = {
-    print: function (msg) {
+"use strict";
+class Afl {
+    /**
+     * This is equivalent to setting a value in `AFL_FRIDA_EXCLUDE_RANGES`,
+     * it takes as arguments a `NativePointer` and a `number`. It can be
+     * called multiple times to exclude several ranges.
+     */
+    static addExcludedRange(addressess, size) {
+        Afl.jsApiAddExcludeRange(addressess, size);
+    }
+    /**
+     * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`,
+     * it takes as arguments a `NativePointer` and a `number`. It can be
+     * called multiple times to include several ranges.
+     */
+    static addIncludedRange(addressess, size) {
+        Afl.jsApiAddIncludeRange(addressess, size);
+    }
+    /**
+     * This must always be called at the end of your script. This lets
+     * FRIDA mode know that your configuration is finished and that
+     * execution has reached the end of your script. Failure to call
+     * this will result in a fatal error.
+     */
+    static done() {
+        Afl.jsApiDone();
+    }
+    /**
+     * This function can be called within your script to cause FRIDA
+     * mode to trigger a fatal error. This is useful if for example you
+     * discover a problem you weren't expecting and want everything to
+     * stop. The user will need to enable `AFL_DEBUG_CHILD=1` to view
+     * this error message.
+     */
+    static error(msg) {
+        const buf = Memory.allocUtf8String(msg);
+        Afl.jsApiError(buf);
+    }
+    /**
+     * Function used to provide access to `__afl_fuzz_ptr`, which contains the length of
+     * fuzzing data when using in-memory test case fuzzing.
+     */
+    static getAflFuzzLen() {
+        return Afl.jsApiGetSymbol("__afl_fuzz_len");
+    }
+    /**
+     * Function used to provide access to `__afl_fuzz_ptr`, which contains the fuzzing
+     * data when using in-memory test case fuzzing.
+     */
+    static getAflFuzzPtr() {
+        return Afl.jsApiGetSymbol("__afl_fuzz_ptr");
+    }
+    /**
+     * Print a message to the STDOUT. This should be preferred to
+     * FRIDA's `console.log` since FRIDA will queue it's log messages.
+     * If `console.log` is used in a callback in particular, then there
+     * may no longer be a thread running to service this queue.
+     */
+    static print(msg) {
         const STDOUT_FILENO = 2;
         const log = `${msg}\n`;
         const buf = Memory.allocUtf8String(log);
-        write(STDOUT_FILENO, buf, log.length);
-    },
-    done: function() {
-        js_api_done();
-    },
-    error: function(msg) {
-        const buf = Memory.allocUtf8String(msg);
-        js_api_error(buf);
-    },
-    setEntryPoint: function(addr) {
-        js_api_set_entrypoint(addr);
-    },
-    setPersistentAddress: function(addr) {
-        js_api_set_persistent_address(addr);
-    },
-    setPersistentReturn: function(addr) {
-        js_api_set_persistent_return(addr);
-    },
-    setPersistentCount: function(addr) {
-        js_api_set_persistent_count(addr);
-    },
-    setPersistentDebug: function() {
-        js_api_set_persistent_debug();
-    },
-    setDebugMaps: function() {
-        js_api_set_debug_maps();
-    },
-    addIncludedRange: function(address, size) {
-        js_api_add_include_range(address, size);
-    },
-    addExcludedRange: function(address, size) {
-        js_api_add_exclude_range(address, size);
-    },
-    setInstrumentLibraries: function() {
-        js_api_set_instrument_libraries();
-    },
-    setInstrumentDebugFile: function(file) {
+        Afl.jsApiWrite(STDOUT_FILENO, buf, log.length);
+    }
+    /**
+     * See `AFL_FRIDA_DEBUG_MAPS`.
+     */
+    static setDebugMaps() {
+        Afl.jsApiSetDebugMaps();
+    }
+    /**
+     * This has the same effect as setting `AFL_ENTRYPOINT`, but has the
+     * convenience of allowing you to use FRIDAs APIs to determine the
+     * address you would like to configure, rather than having to grep
+     * the output of `readelf` or something similarly ugly. This
+     * function should be called with a `NativePointer` as its
+     * argument.
+     */
+    static setEntryPoint(address) {
+        Afl.jsApiSetEntryPoint(address);
+    }
+    /**
+     * Function used to enable in-memory test cases for fuzzing.
+     */
+    static setInMemoryFuzzing() {
+        Afl.jsApiAflSharedMemFuzzing.writeInt(1);
+    }
+    /**
+     * See `AFL_FRIDA_INST_DEBUG_FILE`. This function takes a single `string` as
+     * an argument.
+     */
+    static setInstrumentDebugFile(file) {
         const buf = Memory.allocUtf8String(file);
-        js_api_set_instrument_debug_file(buf)
-    },
-    setPrefetchDisable: function() {
-        js_api_set_prefetch_disable();
-    },
-    setInstrumentNoOptimize: function() {
-        js_api_set_instrument_no_optimize();
-    },
-    setInstrumentEnableTracing: function() {
-        js_api_set_instrument_trace();
-    },
-    setInstrumentTracingUnique: function() {
-        js_api_set_instrument_trace_unique();
-    },
-    setStdOut: function(file) {
+        Afl.jsApiSetInstrumentDebugFile(buf);
+    }
+    /**
+     * See `AFL_FRIDA_INST_TRACE`.
+     */
+    static setInstrumentEnableTracing() {
+        Afl.jsApiSetInstrumentTrace();
+    }
+    /**
+     * See `AFL_INST_LIBS`.
+     */
+    static setInstrumentLibraries() {
+        Afl.jsApiSetInstrumentLibraries();
+    }
+    /**
+     * See `AFL_FRIDA_INST_NO_OPTIMIZE`
+     */
+    static setInstrumentNoOptimize() {
+        Afl.jsApiSetInstrumentNoOptimize();
+    }
+    /**
+     * See `AFL_FRIDA_INST_TRACE_UNIQUE`.
+     */
+    static setInstrumentTracingUnique() {
+        Afl.jsApiSetInstrumentTraceUnique();
+    }
+    /**
+     * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a
+     * `NativePointer` should be provided as it's argument.
+     */
+    static setPersistentAddress(address) {
+        Afl.jsApiSetPersistentAddress(address);
+    }
+    /**
+     * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a
+     * `number` should be provided as it's argument.
+     */
+    static setPersistentCount(count) {
+        Afl.jsApiSetPersistentCount(count);
+    }
+    /**
+     * See `AFL_FRIDA_PERSISTENT_DEBUG`.
+     */
+    static setPersistentDebug() {
+        Afl.jsApiSetPersistentDebug();
+    }
+    /**
+     * See `AFL_FRIDA_PERSISTENT_ADDR`. This function takes a NativePointer as an
+     * argument. See above for examples of use.
+     */
+    static setPersistentHook(address) {
+        Afl.jsApiSetPersistentHook(address);
+    }
+    /**
+     * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a
+     * `NativePointer` should be provided as it's argument.
+     */
+    static setPersistentReturn(address) {
+        Afl.jsApiSetPersistentReturn(address);
+    }
+    /**
+     * See `AFL_FRIDA_INST_NO_PREFETCH`.
+     */
+    static setPrefetchDisable() {
+        Afl.jsApiSetPrefetchDisable();
+    }
+    /*
+     * Set a function to be called for each instruction which is instrumented
+     * by AFL FRIDA mode.
+     */
+    static setStalkerCallback(callback) {
+        Afl.jsApiSetStalkerCallback(callback);
+    }
+    /**
+     * See `AFL_FRIDA_STATS_FILE`. This function takes a single `string` as
+     * an argument.
+     */
+    static setStatsFile(file) {
         const buf = Memory.allocUtf8String(file);
-        js_api_set_stdout(buf)
-    },
-    setStdErr: function(file) {
+        Afl.jsApiSetStatsFile(buf);
+    }
+    /**
+     * See `AFL_FRIDA_STATS_INTERVAL`. This function takes a `number` as an
+     * argument
+     */
+    static setStatsInterval(interval) {
+        Afl.jsApiSetStatsInterval(interval);
+    }
+    /**
+     * See `AFL_FRIDA_STATS_TRANSITIONS`
+     */
+    static setStatsTransitions() {
+        Afl.jsApiSetStatsTransitions();
+    }
+    /**
+     * See `AFL_FRIDA_OUTPUT_STDERR`. This function takes a single `string` as
+     * an argument.
+     */
+    static setStdErr(file) {
         const buf = Memory.allocUtf8String(file);
-        js_api_set_stderr(buf)
-    },
-    setStatsFile: function(file) {
+        Afl.jsApiSetStdErr(buf);
+    }
+    /**
+     * See `AFL_FRIDA_OUTPUT_STDOUT`. This function takes a single `string` as
+     * an argument.
+     */
+    static setStdOut(file) {
         const buf = Memory.allocUtf8String(file);
-        js_api_set_stats_file(buf)
-    },
-    setStatsInterval: function(interval) {
-        js_api_set_stats_interval(interval);
-    },
-    setStatsTransitions: function() {
-        js_api_set_stats_transitions();
-    }
-
-};
-
-Object.defineProperty(global, 'Afl', {value: afl, writeable: false});
-
-////////////////////////////////////////////////////////////////////////////////
-//                          END OF API                                        //
-////////////////////////////////////////////////////////////////////////////////
+        Afl.jsApiSetStdOut(buf);
+    }
+    static jsApiGetFunction(name, retType, argTypes) {
+        const addr = Afl.module.getExportByName(name);
+        return new NativeFunction(addr, retType, argTypes);
+    }
+    static jsApiGetSymbol(name) {
+        return Afl.module.getExportByName(name);
+    }
+}
+/**
+ * Field containing the `Module` object for `afl-frida-trace.so` (the FRIDA mode
+ * implementation).
+ */
+Afl.module = Process.getModuleByName("afl-frida-trace.so");
+Afl.jsApiAddExcludeRange = Afl.jsApiGetFunction("js_api_add_exclude_range", "void", ["pointer", "size_t"]);
+Afl.jsApiAddIncludeRange = Afl.jsApiGetFunction("js_api_add_include_range", "void", ["pointer", "size_t"]);
+Afl.jsApiAflSharedMemFuzzing = Afl.jsApiGetSymbol("__afl_sharedmem_fuzzing");
+Afl.jsApiDone = Afl.jsApiGetFunction("js_api_done", "void", []);
+Afl.jsApiError = Afl.jsApiGetFunction("js_api_error", "void", ["pointer"]);
+Afl.jsApiSetDebugMaps = Afl.jsApiGetFunction("js_api_set_debug_maps", "void", []);
+Afl.jsApiSetEntryPoint = Afl.jsApiGetFunction("js_api_set_entrypoint", "void", ["pointer"]);
+Afl.jsApiSetInstrumentDebugFile = Afl.jsApiGetFunction("js_api_set_instrument_debug_file", "void", ["pointer"]);
+Afl.jsApiSetInstrumentLibraries = Afl.jsApiGetFunction("js_api_set_instrument_libraries", "void", []);
+Afl.jsApiSetInstrumentNoOptimize = Afl.jsApiGetFunction("js_api_set_instrument_no_optimize", "void", []);
+Afl.jsApiSetInstrumentTrace = Afl.jsApiGetFunction("js_api_set_instrument_trace", "void", []);
+Afl.jsApiSetInstrumentTraceUnique = Afl.jsApiGetFunction("js_api_set_instrument_trace_unique", "void", []);
+Afl.jsApiSetPersistentAddress = Afl.jsApiGetFunction("js_api_set_persistent_address", "void", ["pointer"]);
+Afl.jsApiSetPersistentCount = Afl.jsApiGetFunction("js_api_set_persistent_count", "void", ["uint64"]);
+Afl.jsApiSetPersistentDebug = Afl.jsApiGetFunction("js_api_set_persistent_debug", "void", []);
+Afl.jsApiSetPersistentHook = Afl.jsApiGetFunction("js_api_set_persistent_hook", "void", ["pointer"]);
+Afl.jsApiSetPersistentReturn = Afl.jsApiGetFunction("js_api_set_persistent_return", "void", ["pointer"]);
+Afl.jsApiSetPrefetchDisable = Afl.jsApiGetFunction("js_api_set_prefetch_disable", "void", []);
+Afl.jsApiSetStalkerCallback = Afl.jsApiGetFunction("js_api_set_stalker_callback", "void", ["pointer"]);
+Afl.jsApiSetStatsFile = Afl.jsApiGetFunction("js_api_set_stats_file", "void", ["pointer"]);
+Afl.jsApiSetStatsInterval = Afl.jsApiGetFunction("js_api_set_stats_interval", "void", ["uint64"]);
+Afl.jsApiSetStatsTransitions = Afl.jsApiGetFunction("js_api_set_stats_transitions", "void", []);
+Afl.jsApiSetStdErr = Afl.jsApiGetFunction("js_api_set_stderr", "void", ["pointer"]);
+Afl.jsApiSetStdOut = Afl.jsApiGetFunction("js_api_set_stdout", "void", ["pointer"]);
+Afl.jsApiWrite = new NativeFunction(
+/* tslint:disable-next-line:no-null-keyword */
+Module.getExportByName(null, "write"), "int", ["int", "pointer", "int"]);
diff --git a/frida_mode/src/js/js.c b/frida_mode/src/js/js.c
index 79e716ad..ed378d2c 100644
--- a/frida_mode/src/js/js.c
+++ b/frida_mode/src/js/js.c
@@ -5,8 +5,9 @@
 #include "js.h"
 #include "util.h"
 
-static char *js_script = NULL;
-gboolean     js_done = FALSE;
+static char *             js_script = NULL;
+gboolean                  js_done = FALSE;
+js_api_stalker_callback_t js_user_callback = NULL;
 
 static gchar *           filename = "afl.js";
 static gchar *           contents;
@@ -111,3 +112,11 @@ void js_start(void) {
 
 }
 
+gboolean js_stalker_callback(const cs_insn *insn, gboolean begin,
+                             gboolean excluded, GumStalkerOutput *output) {
+
+  if (js_user_callback == NULL) { return TRUE; }
+  return js_user_callback(insn, begin, excluded, output);
+
+}
+
diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c
index 018c0b9a..91dccab2 100644
--- a/frida_mode/src/js/js_api.c
+++ b/frida_mode/src/js/js_api.c
@@ -138,5 +138,15 @@ void js_api_set_stats_transitions() {
 
 }
 
-// "AFL_FRIDA_PERSISTENT_HOOK",
+void js_api_set_persistent_hook(void *address) {
+
+  persistent_hook = address;
+
+}
+
+void js_api_set_stalker_callback(const js_api_stalker_callback_t callback) {
+
+  js_user_callback = callback;
+
+}
 
diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c
index e3e0b0ca..bcc59ea7 100644
--- a/frida_mode/src/persistent/persistent.c
+++ b/frida_mode/src/persistent/persistent.c
@@ -47,19 +47,6 @@ void persistent_config(void) {
 
   }
 
-}
-
-void persistent_init(void) {
-
-  OKF("Instrumentation - persistent mode [%c] (0x%016" G_GINT64_MODIFIER "X)",
-      persistent_start == 0 ? ' ' : 'X', persistent_start);
-  OKF("Instrumentation - persistent count [%c] (%" G_GINT64_MODIFIER "d)",
-      persistent_start == 0 ? ' ' : 'X', persistent_count);
-  OKF("Instrumentation - hook [%s]", hook_name);
-
-  OKF("Instrumentation - persistent ret [%c] (0x%016" G_GINT64_MODIFIER "X)",
-      persistent_ret == 0 ? ' ' : 'X', persistent_ret);
-
   if (hook_name == NULL) { return; }
 
   void *hook_obj = dlopen(hook_name, RTLD_NOW);
@@ -79,7 +66,20 @@ void persistent_init(void) {
   if (persistent_hook == NULL)
     FATAL("Failed to find afl_persistent_hook in %s", hook_name);
 
-  __afl_sharedmem_fuzzing = 1;
+}
+
+void persistent_init(void) {
+
+  OKF("Instrumentation - persistent mode [%c] (0x%016" G_GINT64_MODIFIER "X)",
+      persistent_start == 0 ? ' ' : 'X', persistent_start);
+  OKF("Instrumentation - persistent count [%c] (%" G_GINT64_MODIFIER "d)",
+      persistent_start == 0 ? ' ' : 'X', persistent_count);
+  OKF("Instrumentation - hook [%s]", hook_name);
+
+  OKF("Instrumentation - persistent ret [%c] (0x%016" G_GINT64_MODIFIER "X)",
+      persistent_ret == 0 ? ' ' : 'X', persistent_ret);
+
+  if (persistent_hook != NULL) { __afl_sharedmem_fuzzing = 1; }
 
 }
 
diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c
index e618fbac..003f058a 100644
--- a/frida_mode/src/persistent/persistent_arm64.c
+++ b/frida_mode/src/persistent/persistent_arm64.c
@@ -9,99 +9,15 @@
 #include "util.h"
 
 #if defined(__aarch64__)
+typedef struct {
 
-struct arm64_regs {
+  GumCpuContext ctx;
+  uint64_t      rflags;
 
-  uint64_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10;
+} persistent_ctx_t;
 
-  union {
-
-    uint64_t x11;
-    uint32_t fp_32;
-
-  };
-
-  union {
-
-    uint64_t x12;
-    uint32_t ip_32;
-
-  };
-
-  union {
-
-    uint64_t x13;
-    uint32_t sp_32;
-
-  };
-
-  union {
-
-    uint64_t x14;
-    uint32_t lr_32;
-
-  };
-
-  union {
-
-    uint64_t x15;
-    uint32_t pc_32;
-
-  };
-
-  union {
-
-    uint64_t x16;
-    uint64_t ip0;
-
-  };
-
-  union {
-
-    uint64_t x17;
-    uint64_t ip1;
-
-  };
-
-  uint64_t x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28;
-
-  union {
-
-    uint64_t x29;
-    uint64_t fp;
-
-  };
-
-  union {
-
-    uint64_t x30;
-    uint64_t lr;
-
-  };
-
-  union {
-
-    uint64_t x31;
-    uint64_t sp;
-
-  };
-
-  // the zero register is not saved here ofc
-
-  uint64_t pc;
-
-  uint32_t cpsr;
-
-  uint8_t  vfp_zregs[32][16 * 16];
-  uint8_t  vfp_pregs[17][32];
-  uint32_t vfp_xregs[16];
-
-};
-
-typedef struct arm64_regs arch_api_regs;
-
-static arch_api_regs saved_regs = {0};
-static gpointer      saved_lr = NULL;
+static persistent_ctx_t saved_regs = {0};
+static gpointer         saved_lr = NULL;
 
 gboolean persistent_is_supported(void) {
 
@@ -109,8 +25,8 @@ gboolean persistent_is_supported(void) {
 
 }
 
-static void instrument_persitent_save_regs(GumArm64Writer *   cw,
-                                           struct arm64_regs *regs) {
+static void instrument_persitent_save_regs(GumArm64Writer *  cw,
+                                           persistent_ctx_t *regs) {
 
   GumAddress    regs_address = GUM_ADDRESS(regs);
   const guint32 mrs_x1_nzcv = 0xd53b4201;
@@ -129,83 +45,87 @@ static void instrument_persitent_save_regs(GumArm64Writer *   cw,
 
   /* Skip x0 & x1 we'll do that later */
 
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3,
-                                              ARM64_REG_X0, (16 * 1),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X4, ARM64_REG_X5,
-                                              ARM64_REG_X0, (16 * 2),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X6, ARM64_REG_X7,
-                                              ARM64_REG_X0, (16 * 3),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X8, ARM64_REG_X9,
-                                              ARM64_REG_X0, (16 * 4),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X10, ARM64_REG_X11,
-                                              ARM64_REG_X0, (16 * 5),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X12, ARM64_REG_X13,
-                                              ARM64_REG_X0, (16 * 6),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X14, ARM64_REG_X15,
-                                              ARM64_REG_X0, (16 * 7),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X16, ARM64_REG_X17,
-                                              ARM64_REG_X0, (16 * 8),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X18, ARM64_REG_X19,
-                                              ARM64_REG_X0, (16 * 9),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X20, ARM64_REG_X21,
-                                              ARM64_REG_X0, (16 * 10),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X22, ARM64_REG_X23,
-                                              ARM64_REG_X0, (16 * 11),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X24, ARM64_REG_X25,
-                                              ARM64_REG_X0, (16 * 12),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X26, ARM64_REG_X27,
-                                              ARM64_REG_X0, (16 * 13),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X28, ARM64_REG_X29,
-                                              ARM64_REG_X0, (16 * 14),
-                                              GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X2, ARM64_REG_X3, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[2]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X4, ARM64_REG_X5, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[4]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X6, ARM64_REG_X7, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[6]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X8, ARM64_REG_X9, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[8]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X10, ARM64_REG_X11, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[10]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X12, ARM64_REG_X13, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[12]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X14, ARM64_REG_X15, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[14]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X16, ARM64_REG_X17, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[16]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X18, ARM64_REG_X19, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[18]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X20, ARM64_REG_X21, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[20]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X22, ARM64_REG_X23, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[22]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X24, ARM64_REG_X25, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[24]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X26, ARM64_REG_X27, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[26]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X28, ARM64_REG_X29, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[28]), GUM_INDEX_SIGNED_OFFSET);
 
-  /* LR & Adjusted SP */
-  gum_arm64_writer_put_add_reg_reg_imm(cw, ARM64_REG_X2, ARM64_REG_SP,
-                                       (GUM_RED_ZONE_SIZE + 32));
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X30, ARM64_REG_X2,
-                                              ARM64_REG_X0, (16 * 15),
-                                              GUM_INDEX_SIGNED_OFFSET);
+  /* LR (x30) */
+  gum_arm64_writer_put_str_reg_reg_offset(cw, ARM64_REG_X30, ARM64_REG_X0,
+                                          offsetof(GumCpuContext, x[30]));
 
-  /* PC & CPSR */
+  /* PC & Adjusted SP (31) */
   gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X2,
                                        GUM_ADDRESS(persistent_start));
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X1,
-                                              ARM64_REG_X0, (16 * 16),
-                                              GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_add_reg_reg_imm(cw, ARM64_REG_X3, ARM64_REG_SP,
+                                       (GUM_RED_ZONE_SIZE + 32));
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X2, ARM64_REG_X3, ARM64_REG_X0, offsetof(GumCpuContext, pc),
+      GUM_INDEX_SIGNED_OFFSET);
 
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q0, ARM64_REG_Q1,
-                                              ARM64_REG_X0, (16 * 17),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q2, ARM64_REG_Q3,
-                                              ARM64_REG_X0, (16 * 18),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q4, ARM64_REG_Q5,
-                                              ARM64_REG_X0, (16 * 19),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_Q6, ARM64_REG_Q7,
-                                              ARM64_REG_X0, (16 * 20),
-                                              GUM_INDEX_SIGNED_OFFSET);
+  /* CPSR */
+  gum_arm64_writer_put_str_reg_reg_offset(cw, ARM64_REG_X1, ARM64_REG_X0,
+                                          offsetof(persistent_ctx_t, rflags));
+
+  /* Q */
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_Q0, ARM64_REG_Q1, ARM64_REG_X0,
+      offsetof(GumCpuContext, q[0]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_Q2, ARM64_REG_Q3, ARM64_REG_X0,
+      offsetof(GumCpuContext, q[16]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_Q4, ARM64_REG_Q5, ARM64_REG_X0,
+      offsetof(GumCpuContext, q[32]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_Q6, ARM64_REG_Q7, ARM64_REG_X0,
+      offsetof(GumCpuContext, q[48]), GUM_INDEX_SIGNED_OFFSET);
 
   /* x0 & x1 */
   gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3,
                                               ARM64_REG_SP, 16,
                                               GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3,
-                                              ARM64_REG_X0, (16 * 0),
-                                              GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_stp_reg_reg_reg_offset(
+      cw, ARM64_REG_X2, ARM64_REG_X3, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[0]), GUM_INDEX_SIGNED_OFFSET);
 
   /* Pop the saved values */
   gum_arm64_writer_put_ldp_reg_reg_reg_offset(
@@ -217,8 +137,8 @@ static void instrument_persitent_save_regs(GumArm64Writer *   cw,
 
 }
 
-static void instrument_persitent_restore_regs(GumArm64Writer *   cw,
-                                              struct arm64_regs *regs) {
+static void instrument_persitent_restore_regs(GumArm64Writer *  cw,
+                                              persistent_ctx_t *regs) {
 
   GumAddress    regs_address = GUM_ADDRESS(regs);
   const guint32 msr_nzcv_x1 = 0xd51b4201;
@@ -228,82 +148,81 @@ static void instrument_persitent_restore_regs(GumArm64Writer *   cw,
 
   /* Skip x0 - x3 we'll do that last */
 
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X4, ARM64_REG_X5,
-                                              ARM64_REG_X0, (16 * 2),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X6, ARM64_REG_X7,
-                                              ARM64_REG_X0, (16 * 3),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X8, ARM64_REG_X9,
-                                              ARM64_REG_X0, (16 * 4),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X10, ARM64_REG_X11,
-                                              ARM64_REG_X0, (16 * 5),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X12, ARM64_REG_X13,
-                                              ARM64_REG_X0, (16 * 6),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X14, ARM64_REG_X15,
-                                              ARM64_REG_X0, (16 * 7),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X16, ARM64_REG_X17,
-                                              ARM64_REG_X0, (16 * 8),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X18, ARM64_REG_X19,
-                                              ARM64_REG_X0, (16 * 9),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X20, ARM64_REG_X21,
-                                              ARM64_REG_X0, (16 * 10),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X22, ARM64_REG_X23,
-                                              ARM64_REG_X0, (16 * 11),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X24, ARM64_REG_X25,
-                                              ARM64_REG_X0, (16 * 12),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X26, ARM64_REG_X27,
-                                              ARM64_REG_X0, (16 * 13),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X28, ARM64_REG_X29,
-                                              ARM64_REG_X0, (16 * 14),
-                                              GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_X4, ARM64_REG_X5, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[4]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_X6, ARM64_REG_X7, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[6]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_X8, ARM64_REG_X9, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[8]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_X10, ARM64_REG_X11, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[10]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_X12, ARM64_REG_X13, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[12]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_X14, ARM64_REG_X15, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[14]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_X16, ARM64_REG_X17, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[16]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_X18, ARM64_REG_X19, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[18]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_X20, ARM64_REG_X21, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[20]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_X22, ARM64_REG_X23, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[22]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_X24, ARM64_REG_X25, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[24]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_X26, ARM64_REG_X27, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[26]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_X28, ARM64_REG_X29, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[28]), GUM_INDEX_SIGNED_OFFSET);
 
-  /* LR & Adjusted SP (use x1 as clobber) */
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X30, ARM64_REG_X1,
-                                              ARM64_REG_X0, (16 * 15),
-                                              GUM_INDEX_SIGNED_OFFSET);
+  /* LR (x30) */
+  gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X30, ARM64_REG_X0,
+                                          offsetof(GumCpuContext, x[30]));
 
+  /* Adjusted SP (31) (use x1 as clobber)*/
+  gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X1, ARM64_REG_X0,
+                                          offsetof(GumCpuContext, sp));
   gum_arm64_writer_put_mov_reg_reg(cw, ARM64_REG_SP, ARM64_REG_X1);
 
-  /* Don't restore RIP use x1-x3 as clobber */
-
-  /* PC (x2) & CPSR (x1) */
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X1,
-                                              ARM64_REG_X0, (16 * 16),
-                                              GUM_INDEX_SIGNED_OFFSET);
+  /* CPSR */
+  gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X1, ARM64_REG_X0,
+                                          offsetof(persistent_ctx_t, rflags));
   gum_arm64_writer_put_instruction(cw, msr_nzcv_x1);
 
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q0, ARM64_REG_Q1,
-                                              ARM64_REG_X0, (16 * 17),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q2, ARM64_REG_Q3,
-                                              ARM64_REG_X0, (16 * 18),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q4, ARM64_REG_Q5,
-                                              ARM64_REG_X0, (16 * 19),
-                                              GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_Q6, ARM64_REG_Q7,
-                                              ARM64_REG_X0, (16 * 20),
-                                              GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_Q0, ARM64_REG_Q1, ARM64_REG_X0,
+      offsetof(GumCpuContext, q[0]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_Q2, ARM64_REG_Q3, ARM64_REG_X0,
+      offsetof(GumCpuContext, q[16]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_Q4, ARM64_REG_Q5, ARM64_REG_X0,
+      offsetof(GumCpuContext, q[32]), GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_Q6, ARM64_REG_Q7, ARM64_REG_X0,
+      offsetof(GumCpuContext, q[48]), GUM_INDEX_SIGNED_OFFSET);
 
   /* x2 & x3 */
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3,
-                                              ARM64_REG_X0, (16 * 1),
-                                              GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_X2, ARM64_REG_X3, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[2]), GUM_INDEX_SIGNED_OFFSET);
   /* x0 & x1 */
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X0, ARM64_REG_X1,
-                                              ARM64_REG_X0, (16 * 0),
-                                              GUM_INDEX_SIGNED_OFFSET);
+  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+      cw, ARM64_REG_X0, ARM64_REG_X1, ARM64_REG_X0,
+      offsetof(GumCpuContext, x[0]), GUM_INDEX_SIGNED_OFFSET);
 
 }
 
@@ -334,29 +253,29 @@ static void instrument_afl_persistent_loop(GumArm64Writer *cw) {
 
 }
 
-static void persistent_prologue_hook(GumArm64Writer *   cw,
-                                     struct arm64_regs *regs) {
+static void persistent_prologue_hook(GumArm64Writer *  cw,
+                                     persistent_ctx_t *regs) {
 
   if (persistent_hook == NULL) return;
 
   gum_arm64_writer_put_sub_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP,
                                        GUM_RED_ZONE_SIZE);
-  gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X3,
+  gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X2,
                                        GUM_ADDRESS(&__afl_fuzz_len));
-  gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X3, ARM64_REG_X3, 0);
-  gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X3, ARM64_REG_X3, 0);
+  gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X2, 0);
+  gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X2, 0);
 
-  gum_arm64_writer_put_and_reg_reg_imm(cw, ARM64_REG_X3, ARM64_REG_X3,
+  gum_arm64_writer_put_and_reg_reg_imm(cw, ARM64_REG_X2, ARM64_REG_X2,
                                        G_MAXULONG);
 
-  gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X2,
+  gum_arm64_writer_put_ldr_reg_address(cw, ARM64_REG_X1,
                                        GUM_ADDRESS(&__afl_fuzz_ptr));
-  gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X2, 0);
+  gum_arm64_writer_put_ldr_reg_reg_offset(cw, ARM64_REG_X1, ARM64_REG_X1, 0);
 
   gum_arm64_writer_put_call_address_with_arguments(
-      cw, GUM_ADDRESS(persistent_hook), 4, GUM_ARG_ADDRESS, GUM_ADDRESS(regs),
-      GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_REGISTER, ARM64_REG_X2,
-      GUM_ARG_REGISTER, ARM64_REG_X3);
+      cw, GUM_ADDRESS(persistent_hook), 3, GUM_ARG_ADDRESS,
+      GUM_ADDRESS(&regs->ctx), GUM_ARG_REGISTER, ARM64_REG_X1, GUM_ARG_REGISTER,
+      ARM64_REG_X2);
 
   gum_arm64_writer_put_add_reg_reg_imm(cw, ARM64_REG_SP, ARM64_REG_SP,
                                        GUM_RED_ZONE_SIZE);
@@ -406,6 +325,8 @@ void persistent_prologue(GumStalkerOutput *output) {
 
   gconstpointer loop = cw->code + 1;
 
+  OKF("Persistent loop reached");
+
   instrument_persitent_save_regs(cw, &saved_regs);
 
   /* loop: */
diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c
index a91abc1c..b2186db1 100644
--- a/frida_mode/src/persistent/persistent_x64.c
+++ b/frida_mode/src/persistent/persistent_x64.c
@@ -10,40 +10,15 @@
 
 #if defined(__x86_64__)
 
-struct x86_64_regs {
+typedef struct {
 
-  uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14,
-      r15;
+  GumCpuContext ctx;
+  uint64_t      rflags;
 
-  union {
+} persistent_ctx_t;
 
-    uint64_t rip;
-    uint64_t pc;
-
-  };
-
-  union {
-
-    uint64_t rsp;
-    uint64_t sp;
-
-  };
-
-  union {
-
-    uint64_t rflags;
-    uint64_t flags;
-
-  };
-
-  uint8_t zmm_regs[32][64];
-
-};
-
-typedef struct x86_64_regs arch_api_regs;
-
-static arch_api_regs saved_regs = {0};
-static gpointer      saved_ret = NULL;
+static persistent_ctx_t saved_regs = {0};
+static gpointer         saved_ret = NULL;
 
 gboolean persistent_is_supported(void) {
 
@@ -51,8 +26,8 @@ gboolean persistent_is_supported(void) {
 
 }
 
-static void instrument_persitent_save_regs(GumX86Writer *      cw,
-                                           struct x86_64_regs *regs) {
+static void instrument_persitent_save_regs(GumX86Writer *    cw,
+                                           persistent_ctx_t *regs) {
 
   GumAddress regs_address = GUM_ADDRESS(regs);
   gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
@@ -64,41 +39,41 @@ static void instrument_persitent_save_regs(GumX86Writer *      cw,
 
   gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, regs_address);
 
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 1),
-                                            GUM_REG_RBX);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 2),
-                                            GUM_REG_RCX);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 3),
-                                            GUM_REG_RDX);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 4),
-                                            GUM_REG_RDI);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 5),
-                                            GUM_REG_RSI);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 6),
-                                            GUM_REG_RBP);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 7),
-                                            GUM_REG_R8);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 8),
-                                            GUM_REG_R9);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 9),
-                                            GUM_REG_R10);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 10),
-                                            GUM_REG_R11);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 11),
-                                            GUM_REG_R12);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 12),
-                                            GUM_REG_R13);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 13),
-                                            GUM_REG_R14);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 14),
-                                            GUM_REG_R15);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, rbx), GUM_REG_RBX);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, rcx), GUM_REG_RCX);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, rdx), GUM_REG_RDX);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, rdi), GUM_REG_RDI);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, rsi), GUM_REG_RSI);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, rbp), GUM_REG_RBP);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, r8), GUM_REG_R8);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, r9), GUM_REG_R9);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, r10), GUM_REG_R10);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, r11), GUM_REG_R11);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, r12), GUM_REG_R12);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, r13), GUM_REG_R13);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, r14), GUM_REG_R14);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, r15), GUM_REG_R15);
 
   /* Store RIP */
   gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RBX,
                                      GUM_ADDRESS(persistent_start));
 
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 15),
-                                            GUM_REG_RBX);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, rip), GUM_REG_RBX);
 
   /* Store adjusted RSP */
   gum_x86_writer_put_mov_reg_reg(cw, GUM_REG_RBX, GUM_REG_RSP);
@@ -106,18 +81,18 @@ static void instrument_persitent_save_regs(GumX86Writer *      cw,
   /* RED_ZONE + Saved flags, RAX, alignment */
   gum_x86_writer_put_add_reg_imm(cw, GUM_REG_RBX,
                                  GUM_RED_ZONE_SIZE + (0x8 * 2));
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 16),
-                                            GUM_REG_RBX);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, rsp), GUM_REG_RBX);
 
   /* Save the flags */
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RSP, 0x8);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 17),
-                                            GUM_REG_RBX);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(persistent_ctx_t, rflags), GUM_REG_RBX);
 
   /* Save the RAX */
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RSP, 0x0);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, (0x8 * 0),
-                                            GUM_REG_RBX);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_RAX, offsetof(GumCpuContext, rax), GUM_REG_RBX);
 
   /* Pop the saved values */
   gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, 0x10);
@@ -127,56 +102,56 @@ static void instrument_persitent_save_regs(GumX86Writer *      cw,
 
 }
 
-static void instrument_persitent_restore_regs(GumX86Writer *      cw,
-                                              struct x86_64_regs *regs) {
+static void instrument_persitent_restore_regs(GumX86Writer *    cw,
+                                              persistent_ctx_t *regs) {
 
   GumAddress regs_address = GUM_ADDRESS(regs);
   gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, regs_address);
 
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RCX, GUM_REG_RAX,
-                                            (0x8 * 2));
+                                            offsetof(GumCpuContext, rcx));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDX, GUM_REG_RAX,
-                                            (0x8 * 3));
+                                            offsetof(GumCpuContext, rdx));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDI, GUM_REG_RAX,
-                                            (0x8 * 4));
+                                            offsetof(GumCpuContext, rdi));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RSI, GUM_REG_RAX,
-                                            (0x8 * 5));
+                                            offsetof(GumCpuContext, rsi));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBP, GUM_REG_RAX,
-                                            (0x8 * 6));
+                                            offsetof(GumCpuContext, rbp));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R8, GUM_REG_RAX,
-                                            (0x8 * 7));
+                                            offsetof(GumCpuContext, r8));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R9, GUM_REG_RAX,
-                                            (0x8 * 8));
+                                            offsetof(GumCpuContext, r9));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R10, GUM_REG_RAX,
-                                            (0x8 * 9));
+                                            offsetof(GumCpuContext, r10));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R11, GUM_REG_RAX,
-                                            (0x8 * 10));
+                                            offsetof(GumCpuContext, r11));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R12, GUM_REG_RAX,
-                                            (0x8 * 11));
+                                            offsetof(GumCpuContext, r12));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R13, GUM_REG_RAX,
-                                            (0x8 * 12));
+                                            offsetof(GumCpuContext, r13));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R14, GUM_REG_RAX,
-                                            (0x8 * 13));
+                                            offsetof(GumCpuContext, r14));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R15, GUM_REG_RAX,
-                                            (0x8 * 14));
+                                            offsetof(GumCpuContext, r15));
 
   /* Don't restore RIP */
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RSP, GUM_REG_RAX,
-                                            (0x8 * 16));
+                                            offsetof(GumCpuContext, rsp));
 
   /* Restore RBX, RAX & Flags */
   gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
                                         -(GUM_RED_ZONE_SIZE));
 
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RAX,
-                                            (0x8 * 1));
+                                            offsetof(GumCpuContext, rbx));
   gum_x86_writer_put_push_reg(cw, GUM_REG_RBX);
 
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RAX,
-                                            (0x8 * 0));
+                                            offsetof(GumCpuContext, rax));
   gum_x86_writer_put_push_reg(cw, GUM_REG_RBX);
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RAX,
-                                            (0x8 * 17));
+                                            offsetof(persistent_ctx_t, rflags));
   gum_x86_writer_put_push_reg(cw, GUM_REG_RBX);
 
   gum_x86_writer_put_popfx(cw);
@@ -217,28 +192,27 @@ static void instrument_afl_persistent_loop(GumX86Writer *cw) {
 
 }
 
-static void persistent_prologue_hook(GumX86Writer *      cw,
-                                     struct x86_64_regs *regs) {
+static void persistent_prologue_hook(GumX86Writer *cw, persistent_ctx_t *regs) {
 
   if (persistent_hook == NULL) return;
   gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
                                         -(GUM_RED_ZONE_SIZE));
 
-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RCX,
+  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RDX,
                                      GUM_ADDRESS(&__afl_fuzz_len));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RCX, GUM_REG_RCX, 0);
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RCX, GUM_REG_RCX, 0);
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDX, GUM_REG_RDX, 0);
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDX, GUM_REG_RDX, 0);
   gum_x86_writer_put_mov_reg_u64(cw, GUM_REG_RDI, 0xffffffff);
-  gum_x86_writer_put_and_reg_reg(cw, GUM_REG_RCX, GUM_REG_RDI);
+  gum_x86_writer_put_and_reg_reg(cw, GUM_REG_RDX, GUM_REG_RDI);
 
-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RDX,
+  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RSI,
                                      GUM_ADDRESS(&__afl_fuzz_ptr));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDX, GUM_REG_RDX, 0);
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RSI, GUM_REG_RSI, 0);
 
   gum_x86_writer_put_call_address_with_arguments(
-      cw, GUM_CALL_CAPI, GUM_ADDRESS(persistent_hook), 4, GUM_ARG_ADDRESS,
-      GUM_ADDRESS(regs), GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_REGISTER,
-      GUM_REG_RDX, GUM_ARG_REGISTER, GUM_REG_RCX);
+      cw, GUM_CALL_CAPI, GUM_ADDRESS(persistent_hook), 3, GUM_ARG_ADDRESS,
+      GUM_ADDRESS(&regs->ctx), GUM_ARG_REGISTER, GUM_REG_RSI, GUM_ARG_REGISTER,
+      GUM_REG_RDX);
 
   gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
                                         (GUM_RED_ZONE_SIZE));
@@ -296,6 +270,8 @@ void persistent_prologue(GumStalkerOutput *output) {
 
   gconstpointer loop = cw->code + 1;
 
+  OKF("Persistent loop reached");
+
   /* Pop the return value */
   gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, 8);
 
diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c
index 1d01d8e4..f50bccb0 100644
--- a/frida_mode/src/persistent/persistent_x86.c
+++ b/frida_mode/src/persistent/persistent_x86.c
@@ -1,45 +1,23 @@
 #include "frida-gumjs.h"
 
 #include "config.h"
+#include "debug.h"
 
 #include "instrument.h"
 #include "persistent.h"
 
 #if defined(__i386__)
 
-struct x86_regs {
+typedef struct {
 
-  uint32_t eax, ebx, ecx, edx, edi, esi, ebp;
+  GumCpuContext ctx;
+  uint32_t      eflags;
 
-  union {
+} persistent_ctx_t;
 
-    uint32_t eip;
-    uint32_t pc;
+static persistent_ctx_t saved_regs = {0};
 
-  };
-
-  union {
-
-    uint32_t esp;
-    uint32_t sp;
-
-  };
-
-  union {
-
-    uint32_t eflags;
-    uint32_t flags;
-
-  };
-
-  uint8_t xmm_regs[8][16];
-
-};
-
-typedef struct x86_regs arch_api_regs;
-
-static arch_api_regs saved_regs = {0};
-static gpointer      saved_ret = NULL;
+static gpointer saved_ret = NULL;
 
 gboolean persistent_is_supported(void) {
 
@@ -47,8 +25,8 @@ gboolean persistent_is_supported(void) {
 
 }
 
-static void instrument_persitent_save_regs(GumX86Writer *   cw,
-                                           struct x86_regs *regs) {
+static void instrument_persitent_save_regs(GumX86Writer *    cw,
+                                           persistent_ctx_t *regs) {
 
   GumAddress regs_address = GUM_ADDRESS(regs);
 
@@ -58,80 +36,80 @@ static void instrument_persitent_save_regs(GumX86Writer *   cw,
 
   gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, regs_address);
 
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 1),
-                                            GUM_REG_EBX);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 2),
-                                            GUM_REG_ECX);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 3),
-                                            GUM_REG_EDX);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 4),
-                                            GUM_REG_EDI);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 5),
-                                            GUM_REG_ESI);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 6),
-                                            GUM_REG_EBP);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_EAX, offsetof(GumCpuContext, ebx), GUM_REG_EBX);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_EAX, offsetof(GumCpuContext, ecx), GUM_REG_ECX);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_EAX, offsetof(GumCpuContext, edx), GUM_REG_EDX);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_EAX, offsetof(GumCpuContext, edi), GUM_REG_EDI);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_EAX, offsetof(GumCpuContext, esi), GUM_REG_ESI);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_EAX, offsetof(GumCpuContext, ebp), GUM_REG_EBP);
 
   /* Store RIP */
   gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EBX,
                                      GUM_ADDRESS(persistent_start));
 
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 7),
-                                            GUM_REG_EBX);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_EAX, offsetof(GumCpuContext, eip), GUM_REG_EBX);
 
   /* Store adjusted RSP */
   gum_x86_writer_put_mov_reg_reg(cw, GUM_REG_EBX, GUM_REG_ESP);
 
   /* RED_ZONE + Saved flags, RAX */
   gum_x86_writer_put_add_reg_imm(cw, GUM_REG_EBX, (0x4 * 2));
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 8),
-                                            GUM_REG_EBX);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_EAX, offsetof(GumCpuContext, esp), GUM_REG_EBX);
 
   /* Save the flags */
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_ESP, 0x4);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 9),
-                                            GUM_REG_EBX);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_EAX, offsetof(persistent_ctx_t, eflags), GUM_REG_EBX);
 
   /* Save the RAX */
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_ESP, 0x0);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, (0x4 * 0),
-                                            GUM_REG_EBX);
+  gum_x86_writer_put_mov_reg_offset_ptr_reg(
+      cw, GUM_REG_EAX, offsetof(GumCpuContext, eax), GUM_REG_EBX);
 
   /* Pop the saved values */
   gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, 0x8);
 
 }
 
-static void instrument_persitent_restore_regs(GumX86Writer *   cw,
-                                              struct x86_regs *regs) {
+static void instrument_persitent_restore_regs(GumX86Writer *    cw,
+                                              persistent_ctx_t *regs) {
 
   GumAddress regs_address = GUM_ADDRESS(regs);
   gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, regs_address);
 
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ECX, GUM_REG_EAX,
-                                            (0x4 * 2));
+                                            offsetof(GumCpuContext, ecx));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EDX, GUM_REG_EAX,
-                                            (0x4 * 3));
+                                            offsetof(GumCpuContext, edx));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EDI, GUM_REG_EAX,
-                                            (0x4 * 4));
+                                            offsetof(GumCpuContext, edi));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ESI, GUM_REG_EAX,
-                                            (0x4 * 5));
+                                            offsetof(GumCpuContext, esi));
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBP, GUM_REG_EAX,
-                                            (0x4 * 6));
+                                            offsetof(GumCpuContext, ebp));
 
   /* Don't restore RIP */
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ESP, GUM_REG_EAX,
-                                            (0x4 * 8));
+                                            offsetof(GumCpuContext, esp));
 
   /* Restore RBX, RAX & Flags */
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_EAX,
-                                            (0x4 * 1));
+                                            offsetof(GumCpuContext, ebx));
   gum_x86_writer_put_push_reg(cw, GUM_REG_EBX);
 
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_EAX,
-                                            (0x4 * 0));
+                                            offsetof(GumCpuContext, eax));
   gum_x86_writer_put_push_reg(cw, GUM_REG_EBX);
   gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_EAX,
-                                            (0x4 * 9));
+                                            offsetof(persistent_ctx_t, eflags));
   gum_x86_writer_put_push_reg(cw, GUM_REG_EBX);
 
   gum_x86_writer_put_popfx(cw);
@@ -165,7 +143,7 @@ static void instrument_afl_persistent_loop(GumX86Writer *cw) {
 
 }
 
-static void persistent_prologue_hook(GumX86Writer *cw, struct x86_regs *regs) {
+static void persistent_prologue_hook(GumX86Writer *cw, persistent_ctx_t *regs) {
 
   if (persistent_hook == NULL) return;
 
@@ -180,9 +158,8 @@ static void persistent_prologue_hook(GumX86Writer *cw, struct x86_regs *regs) {
 
   /* Base address is 64-bits (hence two zero arguments) */
   gum_x86_writer_put_call_address_with_arguments(
-      cw, GUM_CALL_CAPI, GUM_ADDRESS(persistent_hook), 5, GUM_ARG_ADDRESS,
-      GUM_ADDRESS(regs), GUM_ARG_ADDRESS, GUM_ADDRESS(0), GUM_ARG_ADDRESS,
-      GUM_ADDRESS(0), GUM_ARG_REGISTER, GUM_REG_EDX, GUM_ARG_REGISTER,
+      cw, GUM_CALL_CAPI, GUM_ADDRESS(persistent_hook), 3, GUM_ARG_ADDRESS,
+      GUM_ADDRESS(&regs->ctx), GUM_ARG_REGISTER, GUM_REG_EDX, GUM_ARG_REGISTER,
       GUM_REG_ECX);
 
 }
@@ -233,6 +210,8 @@ void persistent_prologue(GumStalkerOutput *output) {
 
   gconstpointer loop = cw->code + 1;
 
+  OKF("Persistent loop reached");
+
   /* Pop the return value */
   gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, 4);
 
diff --git a/frida_mode/test/jpeg/GNUmakefile b/frida_mode/test/jpeg/GNUmakefile
index 689fce3d..e3a8f321 100644
--- a/frida_mode/test/jpeg/GNUmakefile
+++ b/frida_mode/test/jpeg/GNUmakefile
@@ -2,8 +2,7 @@ PWD:=$(shell pwd)/
 ROOT:=$(shell realpath $(PWD)../../..)/
 BUILD_DIR:=$(PWD)build/
 
-AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c
-AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so
+AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so
 
 LIBJPEG_BUILD_DIR:=$(BUILD_DIR)libjpeg/
 HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/
@@ -118,11 +117,6 @@ $(TEST_BIN): $(HARNESS_OBJ) $(JPEGTEST_OBJ) $(LIBJPEG_LIB)
 		$(LDFLAGS) \
 		$(TEST_BIN_LDFLAGS) \
 
-########## HOOK ########
-
-$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR)
-	$(CC) -shared $(CFLAGS) $(LDFLAGS) $< -o $@
-
 ########## DUMMY #######
 
 $(TEST_DATA_DIR): | $(BUILD_DIR)
@@ -133,8 +127,6 @@ $(TEST_DATA_FILE): | $(TEST_DATA_DIR)
 
 ###### TEST DATA #######
 
-hook: $(AFLPP_DRIVER_HOOK_OBJ)
-
 clean:
 	rm -rf $(BUILD_DIR)
 
diff --git a/frida_mode/test/jpeg/Makefile b/frida_mode/test/jpeg/Makefile
index 863438cf..7a237f99 100644
--- a/frida_mode/test/jpeg/Makefile
+++ b/frida_mode/test/jpeg/Makefile
@@ -14,6 +14,3 @@ frida:
 
 debug:
 	@gmake debug
-
-hook:
-	@gmake hook
diff --git a/frida_mode/test/jpeg/aflpp_qemu_driver_hook.c b/frida_mode/test/jpeg/aflpp_qemu_driver_hook.c
deleted file mode 100644
index 059d438d..00000000
--- a/frida_mode/test/jpeg/aflpp_qemu_driver_hook.c
+++ /dev/null
@@ -1,97 +0,0 @@
-#include <stdint.h>
-#include <string.h>
-
-#if defined(__x86_64__)
-
-struct x86_64_regs {
-
-  uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14,
-      r15;
-
-  union {
-
-    uint64_t rip;
-    uint64_t pc;
-
-  };
-
-  union {
-
-    uint64_t rsp;
-    uint64_t sp;
-
-  };
-
-  union {
-
-    uint64_t rflags;
-    uint64_t flags;
-
-  };
-
-  uint8_t zmm_regs[32][64];
-
-};
-
-void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
-                         uint8_t *input_buf, uint32_t input_buf_len) {
-
-  memcpy((void *)regs->rdi, input_buf, input_buf_len);
-  regs->rsi = input_buf_len;
-
-}
-
-#elif defined(__i386__)
-
-struct x86_regs {
-
-  uint32_t eax, ebx, ecx, edx, edi, esi, ebp;
-
-  union {
-
-    uint32_t eip;
-    uint32_t pc;
-
-  };
-
-  union {
-
-    uint32_t esp;
-    uint32_t sp;
-
-  };
-
-  union {
-
-    uint32_t eflags;
-    uint32_t flags;
-
-  };
-
-  uint8_t xmm_regs[8][16];
-
-};
-
-void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base,
-                         uint8_t *input_buf, uint32_t input_buf_len) {
-
-  void **esp = (void **)regs->esp;
-  void * arg1 = esp[1];
-  void **arg2 = &esp[2];
-  memcpy(arg1, input_buf, input_buf_len);
-  *arg2 = (void *)input_buf_len;
-
-}
-
-#else
-  #pragma error "Unsupported architecture"
-#endif
-
-int afl_persistent_hook_init(void) {
-
-  // 1 for shared memory input (faster), 0 for normal input (you have to use
-  // read(), input_buf will be NULL)
-  return 1;
-
-}
-
diff --git a/frida_mode/test/js/GNUmakefile b/frida_mode/test/js/GNUmakefile
index 8ea71656..af40c1c4 100644
--- a/frida_mode/test/js/GNUmakefile
+++ b/frida_mode/test/js/GNUmakefile
@@ -1,18 +1,21 @@
 PWD:=$(shell pwd)/
 ROOT:=$(shell realpath $(PWD)../../..)/
 BUILD_DIR:=$(PWD)build/
-TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/
-TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in
+TEST_DATA_DIR:=$(BUILD_DIR)in/
+TEST_DATA_FILE:=$(TEST_DATA_DIR)in
 
-TESTINSTBIN:=$(BUILD_DIR)testinstr
-TESTINSTSRC:=$(PWD)testinstr.c
+TESTINSTBIN:=$(BUILD_DIR)test
+TESTINSTSRC:=$(PWD)test.c
+
+TESTINSTBIN2:=$(BUILD_DIR)test2
+TESTINSTSRC2:=$(PWD)test2.c
 
 QEMU_OUT:=$(BUILD_DIR)qemu-out
 FRIDA_OUT:=$(BUILD_DIR)frida-out
 
 .PHONY: all 32 clean qemu frida
 
-all: $(TESTINSTBIN)
+all: $(TESTINSTBIN) $(TESTINSTBIN2)
 	make -C $(ROOT)frida_mode/
 
 32:
@@ -21,24 +24,57 @@ all: $(TESTINSTBIN)
 $(BUILD_DIR):
 	mkdir -p $@
 
-$(TESTINSTR_DATA_DIR): | $(BUILD_DIR)
+$(TEST_DATA_DIR): | $(BUILD_DIR)
 	mkdir -p $@
 
-$(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR)
+$(TEST_DATA_FILE): | $(TEST_DATA_DIR)
 	echo -n "000" > $@
 
 $(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR)
 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
 
+$(TESTINSTBIN2): $(TESTINSTSRC2) | $(BUILD_DIR)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
+
 clean:
 	rm -rf $(BUILD_DIR)
 
-frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
-	AFL_FRIDA_JS_SCRIPT=test.js \
+frida_js_entry: $(TESTINSTBIN) $(TEST_DATA_FILE)
+	AFL_FRIDA_JS_SCRIPT=entry.js \
 	$(ROOT)afl-fuzz \
 		-D \
 		-O \
-		-i $(TESTINSTR_DATA_DIR) \
+		-i $(TEST_DATA_DIR) \
 		-o $(FRIDA_OUT) \
 		-- \
 			$(TESTINSTBIN) @@
+
+frida_js_replace: $(TESTINSTBIN) $(TEST_DATA_FILE)
+	AFL_FRIDA_JS_SCRIPT=replace.js \
+	$(ROOT)afl-fuzz \
+		-D \
+		-O \
+		-i $(TEST_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-- \
+			$(TESTINSTBIN) @@
+
+frida_js_patch: $(TESTINSTBIN2) $(TEST_DATA_FILE)
+	AFL_FRIDA_JS_SCRIPT=patch.js \
+	$(ROOT)afl-fuzz \
+		-D \
+		-O \
+		-i $(TEST_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-- \
+			$(TESTINSTBIN2) @@
+
+frida_js_stalker: $(TESTINSTBIN2) $(TEST_DATA_FILE)
+	AFL_FRIDA_JS_SCRIPT=stalker.js \
+	$(ROOT)afl-fuzz \
+		-D \
+		-O \
+		-i $(TEST_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-- \
+			$(TESTINSTBIN2) @@
diff --git a/frida_mode/test/js/Makefile b/frida_mode/test/js/Makefile
index 7a237f99..8a2b6fb0 100644
--- a/frida_mode/test/js/Makefile
+++ b/frida_mode/test/js/Makefile
@@ -9,8 +9,17 @@ all:
 clean:
 	@gmake clean
 
-frida:
-	@gmake frida
+frida_js_entry:
+	@gmake frida_js_entry
+
+frida_js_replace:
+	@gmake frida_js_replace
+
+frida_js_patch:
+	@gmake frida_js_patch
+
+frida_js_stalker:
+	@gmake frida_js_stalker
 
 debug:
 	@gmake debug
diff --git a/frida_mode/test/js/entry.js b/frida_mode/test/js/entry.js
new file mode 100644
index 00000000..f10ef2d1
--- /dev/null
+++ b/frida_mode/test/js/entry.js
@@ -0,0 +1,20 @@
+Afl.print('******************');
+Afl.print('* AFL FRIDA MODE *');
+Afl.print('******************');
+Afl.print('');
+
+Afl.print(`PID: ${Process.id}`);
+
+new ModuleMap().values().forEach(m => {
+    Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
+});
+
+const entry_point = DebugSymbol.fromName('run');
+Afl.print(`entry_point: ${entry_point.address}`);
+
+Afl.setEntryPoint(entry_point.address);
+
+// Afl.error('HARD NOPE');
+
+Afl.done();
+Afl.print("done");
diff --git a/frida_mode/test/js/patch.js b/frida_mode/test/js/patch.js
new file mode 100644
index 00000000..485a434f
--- /dev/null
+++ b/frida_mode/test/js/patch.js
@@ -0,0 +1,34 @@
+Afl.print('******************');
+Afl.print('* AFL FRIDA MODE *');
+Afl.print('******************');
+Afl.print('');
+
+const main = DebugSymbol.fromName('main').address;
+Afl.print(`main: ${main}`);
+Afl.setEntryPoint(main);
+Afl.setPersistentAddress(main);
+Afl.setPersistentCount(10000000);
+
+const crc32_check = DebugSymbol.fromName('crc32_check').address;
+const crc32_replacement = new NativeCallback(
+    (buf, len) => {
+        Afl.print(`len: ${len}`);
+        if (len < 4) {
+            return 0;
+        }
+
+        return 1;
+    },
+    'int',
+    ['pointer', 'int']);
+Interceptor.replace(crc32_check, crc32_replacement);
+
+const some_boring_bug = DebugSymbol.fromName('some_boring_bug').address
+const boring_replacement = new NativeCallback(
+    (c) => { },
+    'void',
+    ['char']);
+Interceptor.replace(some_boring_bug, boring_replacement);
+
+Afl.done();
+Afl.print("done");
diff --git a/frida_mode/test/js/replace.js b/frida_mode/test/js/replace.js
new file mode 100644
index 00000000..4e1e7eb7
--- /dev/null
+++ b/frida_mode/test/js/replace.js
@@ -0,0 +1,43 @@
+Afl.print('******************');
+Afl.print('* AFL FRIDA MODE *');
+Afl.print('******************');
+Afl.print('');
+
+Afl.print(`PID: ${Process.id}`);
+
+const name = Process.enumerateModules()[0].name;
+Afl.print(`Name: ${name}`);
+
+new ModuleMap().values().forEach(m => {
+    Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
+});
+
+const slow = DebugSymbol.fromName('slow').address;
+Afl.print(`slow: ${slow}`);
+
+const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
+Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`);
+
+const cm = new CModule(`
+
+    extern unsigned char * __afl_fuzz_ptr;
+    extern unsigned int * __afl_fuzz_len;
+    extern void LLVMFuzzerTestOneInput(char *buf, int len);
+
+    void slow(void) {
+
+      LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len);
+    }
+    `,
+    {
+        LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput,
+        __afl_fuzz_ptr: Afl.getAflFuzzPtr(),
+        __afl_fuzz_len: Afl.getAflFuzzLen()
+    });
+
+Afl.setEntryPoint(cm.slow);
+Afl.setPersistentAddress(cm.slow);
+Afl.setInMemoryFuzzing();
+Interceptor.replace(slow, cm.slow);
+Afl.print("done");
+Afl.done();
diff --git a/frida_mode/test/js/stalker.js b/frida_mode/test/js/stalker.js
new file mode 100644
index 00000000..33f024f5
--- /dev/null
+++ b/frida_mode/test/js/stalker.js
@@ -0,0 +1,109 @@
+Afl.print('******************');
+Afl.print('* AFL FRIDA MODE *');
+Afl.print('******************');
+Afl.print('');
+
+const main = DebugSymbol.fromName('main').address;
+Afl.print(`main: ${main}`);
+Afl.setEntryPoint(main);
+Afl.setPersistentAddress(main);
+Afl.setPersistentCount(10000000);
+
+/* Replace CRC-32 check */
+const crc32_check = DebugSymbol.fromName('crc32_check').address;
+const crc32_replacement = new NativeCallback(
+    (buf, len) => {
+        if (len < 4) {
+            return 0;
+        }
+
+        return 1;
+    },
+    'int',
+    ['pointer', 'int']);
+Interceptor.replace(crc32_check, crc32_replacement);
+
+/* Patch out the first boring bug */
+const some_boring_bug = DebugSymbol.fromName('some_boring_bug').address
+const boring_replacement = new NativeCallback(
+    (c) => { },
+    'void',
+    ['char']);
+Interceptor.replace(some_boring_bug, boring_replacement);
+
+/* Modify the instructions */
+const some_boring_bug2 = DebugSymbol.fromName('some_boring_bug2').address
+const pid = Memory.alloc(4);
+pid.writeInt(Process.id);
+
+const cm = new CModule(`
+    #include <stdio.h>
+    #include <gum/gumstalker.h>
+
+    typedef int pid_t;
+
+    #define STDERR_FILENO 2
+    #define BORING2_LEN 10
+
+    extern int dprintf(int fd, const char *format, ...);
+    extern void some_boring_bug2(char c);
+    extern pid_t getpid(void);
+    extern pid_t pid;
+
+    gboolean js_stalker_callback(const cs_insn *insn, gboolean begin,
+        gboolean excluded, GumStalkerOutput *output)
+    {
+        pid_t my_pid = getpid();
+        GumX86Writer *cw = output->writer.x86;
+
+        if (GUM_ADDRESS(insn->address) < GUM_ADDRESS(some_boring_bug2)) {
+
+            return TRUE;
+
+        }
+
+        if (GUM_ADDRESS(insn->address) >=
+            GUM_ADDRESS(some_boring_bug2) + BORING2_LEN) {
+
+            return TRUE;
+
+        }
+
+        if (my_pid == pid) {
+
+            if (begin) {
+
+                dprintf(STDERR_FILENO, "\n> 0x%016lX: %s %s\n", insn->address,
+                        insn->mnemonic, insn->op_str);
+
+            } else {
+
+                dprintf(STDERR_FILENO, "  0x%016lX: %s %s\n", insn->address,
+                        insn->mnemonic, insn->op_str);
+
+            }
+
+        }
+
+        if (insn->id == X86_INS_UD2) {
+
+            gum_x86_writer_put_nop(cw);
+            return FALSE;
+
+        } else {
+
+            return TRUE;
+
+        }
+    }
+    `,
+    {
+        dprintf: Module.getExportByName(null, 'dprintf'),
+        getpid: Module.getExportByName(null, 'getpid'),
+        some_boring_bug2: some_boring_bug2,
+        pid: pid
+    });
+Afl.setStalkerCallback(cm.js_stalker_callback)
+Afl.setStdErr("/tmp/stderr.txt");
+Afl.done();
+Afl.print("done");
diff --git a/frida_mode/test/js/test.c b/frida_mode/test/js/test.c
new file mode 100644
index 00000000..bbda5ccf
--- /dev/null
+++ b/frida_mode/test/js/test.c
@@ -0,0 +1,115 @@
+/*
+   american fuzzy lop++ - a trivial program to test the build
+   --------------------------------------------------------
+   Originally written by Michal Zalewski
+   Copyright 2014 Google Inc. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+     http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void LLVMFuzzerTestOneInput(char *buf, int len) {
+
+  if (len < 1) return;
+  buf[len] = 0;
+
+  // we support three input cases
+  if (buf[0] == '0')
+    printf("Looks like a zero to me!\n");
+  else if (buf[0] == '1')
+    printf("Pretty sure that is a one!\n");
+  else
+    printf("Neither one or zero? How quaint!\n");
+
+}
+
+int run(char *file) {
+
+  int    fd = -1;
+  off_t  len;
+  char * buf = NULL;
+  size_t n_read;
+  int    result = -1;
+
+  do {
+
+    dprintf(STDERR_FILENO, "Running: %s\n", file);
+
+    fd = open(file, O_RDONLY);
+    if (fd < 0) {
+
+      perror("open");
+      break;
+
+    }
+
+    len = lseek(fd, 0, SEEK_END);
+    if (len < 0) {
+
+      perror("lseek (SEEK_END)");
+      break;
+
+    }
+
+    if (lseek(fd, 0, SEEK_SET) != 0) {
+
+      perror("lseek (SEEK_SET)");
+      break;
+
+    }
+
+    buf = malloc(len);
+    if (buf == NULL) {
+
+      perror("malloc");
+      break;
+
+    }
+
+    n_read = read(fd, buf, len);
+    if (n_read != len) {
+
+      perror("read");
+      break;
+
+    }
+
+    dprintf(STDERR_FILENO, "Running:    %s: (%zd bytes)\n", file, n_read);
+
+    LLVMFuzzerTestOneInput(buf, len);
+    dprintf(STDERR_FILENO, "Done:    %s: (%zd bytes)\n", file, n_read);
+
+    result = 0;
+
+  } while (false);
+
+  if (buf != NULL) { free(buf); }
+
+  if (fd != -1) { close(fd); }
+
+  return result;
+
+}
+
+void slow() {
+
+  usleep(100000);
+
+}
+
+int main(int argc, char **argv) {
+
+  if (argc != 2) { return 1; }
+  slow();
+  return run(argv[1]);
+
+}
+
diff --git a/frida_mode/test/js/test.js b/frida_mode/test/js/test.js
deleted file mode 100644
index f10ef2d1..00000000
--- a/frida_mode/test/js/test.js
+++ /dev/null
@@ -1,20 +0,0 @@
-Afl.print('******************');
-Afl.print('* AFL FRIDA MODE *');
-Afl.print('******************');
-Afl.print('');
-
-Afl.print(`PID: ${Process.id}`);
-
-new ModuleMap().values().forEach(m => {
-    Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
-});
-
-const entry_point = DebugSymbol.fromName('run');
-Afl.print(`entry_point: ${entry_point.address}`);
-
-Afl.setEntryPoint(entry_point.address);
-
-// Afl.error('HARD NOPE');
-
-Afl.done();
-Afl.print("done");
diff --git a/frida_mode/test/js/test2.c b/frida_mode/test/js/test2.c
new file mode 100644
index 00000000..d16f35fc
--- /dev/null
+++ b/frida_mode/test/js/test2.c
@@ -0,0 +1,177 @@
+/*
+   american fuzzy lop++ - a trivial program to test the build
+   --------------------------------------------------------
+   Originally written by Michal Zalewski
+   Copyright 2014 Google Inc. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+     http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+#include <fcntl.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define IGNORED_RETURN(x) (void)!(x)
+
+const uint32_t crc32_tab[] = {
+	0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f,
+	0xe963a535, 0x9e6495a3,	0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988,
+	0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2,
+	0xf3b97148, 0x84be41de,	0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7,
+	0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec,	0x14015c4f, 0x63066cd9,
+	0xfa0f3d63, 0x8d080df5,	0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172,
+	0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,	0x35b5a8fa, 0x42b2986c,
+	0xdbbbc9d6, 0xacbcf940,	0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59,
+	0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423,
+	0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,
+	0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d,	0x76dc4190, 0x01db7106,
+	0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433,
+	0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d,
+	0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e,
+	0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,
+	0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65,
+	0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7,
+	0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0,
+	0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa,
+	0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
+	0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81,
+	0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a,
+	0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84,
+	0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1,
+	0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,
+	0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc,
+	0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e,
+	0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b,
+	0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55,
+	0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,
+	0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28,
+	0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d,
+	0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f,
+	0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38,
+	0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,
+	0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777,
+	0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69,
+	0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2,
+	0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc,
+	0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
+	0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693,
+	0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94,
+	0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d
+};
+
+uint32_t
+crc32(const void *buf, size_t size)
+{
+	const uint8_t *p = buf;
+	uint32_t crc;
+ 	crc = ~0U;
+	while (size--)
+		crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8);
+	return crc ^ ~0U;
+}
+
+/*
+ * Don't you hate those contrived examples which CRC their data. We can use
+ * FRIDA to patch this function out and always return success. Otherwise, we
+ * could change it to actually correct the checksum.
+ */
+int crc32_check (char * buf, int len) {
+  if (len < sizeof(uint32_t)) { return 0; }
+  uint32_t expected = *(uint32_t *)&buf[len - sizeof(uint32_t)];
+  uint32_t calculated = crc32(buf, len - sizeof(uint32_t));
+  return expected == calculated;
+}
+
+/*
+ * So you've found a really boring bug in an earlier campaign which results in
+ * a NULL dereference or something like that. That bug can get in the way,
+ * causing the persistent loop to exit whenever it is triggered, and can also
+ * cloud your output unnecessarily. Again, we can use FRIDA to patch it out.
+ */
+void some_boring_bug(char c) {
+  switch (c) {
+    case 'A'...'Z':
+    case 'a'...'z':
+      __builtin_trap();
+      break;
+  }
+}
+
+extern void some_boring_bug2(char c);
+
+__asm__ (
+      ".text                                 \n"
+      "some_boring_bug2:                     \n"
+      ".global some_boring_bug2              \n"
+      ".type some_boring_bug2, @function     \n"
+      "mov %edi, %eax                        \n"
+      "cmp $0xb4, %al                        \n"
+      "jne ok                                \n"
+      "ud2                                   \n"
+      "ok:                                   \n"
+      "ret                                   \n");
+
+void LLVMFuzzerTestOneInput(char *buf, int len) {
+
+  if (!crc32_check(buf, len)) return;
+
+  some_boring_bug(buf[0]);
+  some_boring_bug2(buf[0]);
+
+  if (buf[0] == '0') {
+    printf("Looks like a zero to me!\n");
+  }
+  else if (buf[0] == '1') {
+    printf("Pretty sure that is a one!\n");
+  }
+  else if (buf[0] == '2') {
+    printf("Oh we, weren't expecting that!");
+    __builtin_trap();
+  }
+  else
+    printf("Neither one or zero? How quaint!\n");
+
+}
+
+int main(int argc, char **argv) {
+
+  int    fd = -1;
+  off_t  len;
+  char * buf = NULL;
+  size_t n_read;
+  int    result = -1;
+
+  if (argc != 2) { return 1; }
+
+  printf("Running: %s\n", argv[1]);
+
+  fd = open(argv[1], O_RDONLY);
+  if (fd < 0) { return 1; }
+
+  len = lseek(fd, 0, SEEK_END);
+  if (len < 0) { return 1; }
+
+  if (lseek(fd, 0, SEEK_SET) != 0) { return 1; }
+
+  buf = malloc(len);
+  if (buf == NULL) { return 1; }
+
+  n_read = read(fd, buf, len);
+  if (n_read != len) { return 1; }
+
+  printf("Running:    %s: (%zd bytes)\n", argv[1], n_read);
+
+  LLVMFuzzerTestOneInput(buf, len);
+  printf("Done:    %s: (%zd bytes)\n", argv[1], n_read);
+
+  return 0;
+}
+
diff --git a/frida_mode/test/js/testinstr.c b/frida_mode/test/js/testinstr.c
deleted file mode 100644
index bd605c52..00000000
--- a/frida_mode/test/js/testinstr.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
-   american fuzzy lop++ - a trivial program to test the build
-   --------------------------------------------------------
-   Originally written by Michal Zalewski
-   Copyright 2014 Google Inc. All rights reserved.
-   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at:
-     http://www.apache.org/licenses/LICENSE-2.0
- */
-
-#include <fcntl.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#ifdef __APPLE__
-  #define TESTINSTR_SECTION
-#else
-  #define TESTINSTR_SECTION __attribute__((section(".testinstr")))
-#endif
-
-void testinstr(char *buf, int len) {
-
-  if (len < 1) return;
-  buf[len] = 0;
-
-  // we support three input cases
-  if (buf[0] == '0')
-    printf("Looks like a zero to me!\n");
-  else if (buf[0] == '1')
-    printf("Pretty sure that is a one!\n");
-  else
-    printf("Neither one or zero? How quaint!\n");
-
-}
-
-int run(char *file) {
-
-  int    fd = -1;
-  off_t  len;
-  char * buf = NULL;
-  size_t n_read;
-  int    result = -1;
-
-  do {
-
-    dprintf(STDERR_FILENO, "Running: %s\n", file);
-
-    fd = open(file, O_RDONLY);
-    if (fd < 0) {
-
-      perror("open");
-      break;
-
-    }
-
-    len = lseek(fd, 0, SEEK_END);
-    if (len < 0) {
-
-      perror("lseek (SEEK_END)");
-      break;
-
-    }
-
-    if (lseek(fd, 0, SEEK_SET) != 0) {
-
-      perror("lseek (SEEK_SET)");
-      break;
-
-    }
-
-    buf = malloc(len);
-    if (buf == NULL) {
-
-      perror("malloc");
-      break;
-
-    }
-
-    n_read = read(fd, buf, len);
-    if (n_read != len) {
-
-      perror("read");
-      break;
-
-    }
-
-    dprintf(STDERR_FILENO, "Running:    %s: (%zd bytes)\n", file, n_read);
-
-    testinstr(buf, len);
-    dprintf(STDERR_FILENO, "Done:    %s: (%zd bytes)\n", file, n_read);
-
-    result = 0;
-
-  } while (false);
-
-  if (buf != NULL) { free(buf); }
-
-  if (fd != -1) { close(fd); }
-
-  return result;
-
-}
-
-void slow() {
-
-  usleep(100000);
-
-}
-
-int main(int argc, char **argv) {
-
-  if (argc != 2) { return 1; }
-  slow();
-  return run(argv[1]);
-
-}
-
diff --git a/frida_mode/test/libpcap/GNUmakefile b/frida_mode/test/libpcap/GNUmakefile
index e30f2049..8a10be07 100644
--- a/frida_mode/test/libpcap/GNUmakefile
+++ b/frida_mode/test/libpcap/GNUmakefile
@@ -2,8 +2,7 @@ PWD:=$(shell pwd)/
 ROOT:=$(shell realpath $(PWD)../../..)/
 BUILD_DIR:=$(PWD)build/
 
-AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c
-AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so
+AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so
 
 LIBPCAP_BUILD_DIR:=$(BUILD_DIR)libpcap/
 HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/
@@ -137,11 +136,6 @@ $(TEST_BIN): $(HARNESS_OBJ) $(PCAPTEST_OBJ) $(LIBPCAP_LIB)
 		$(LDFLAGS) \
 		$(TEST_BIN_LDFLAGS) \
 
-########## HOOK ########
-
-$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR)
-	$(CC) -shared $(CFLAGS) $(LDFLAGS) $< -o $@
-
 ########## DUMMY #######
 
 $(AFLPP_DRIVER_DUMMY_INPUT): | $(TCPDUMP_TESTS_DIR)
@@ -149,8 +143,6 @@ $(AFLPP_DRIVER_DUMMY_INPUT): | $(TCPDUMP_TESTS_DIR)
 
 ###### TEST DATA #######
 
-hook: $(AFLPP_DRIVER_HOOK_OBJ)
-
 clean:
 	rm -rf $(BUILD_DIR)
 
diff --git a/frida_mode/test/libpcap/aflpp_qemu_driver_hook.c b/frida_mode/test/libpcap/aflpp_qemu_driver_hook.c
deleted file mode 100644
index 059d438d..00000000
--- a/frida_mode/test/libpcap/aflpp_qemu_driver_hook.c
+++ /dev/null
@@ -1,97 +0,0 @@
-#include <stdint.h>
-#include <string.h>
-
-#if defined(__x86_64__)
-
-struct x86_64_regs {
-
-  uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14,
-      r15;
-
-  union {
-
-    uint64_t rip;
-    uint64_t pc;
-
-  };
-
-  union {
-
-    uint64_t rsp;
-    uint64_t sp;
-
-  };
-
-  union {
-
-    uint64_t rflags;
-    uint64_t flags;
-
-  };
-
-  uint8_t zmm_regs[32][64];
-
-};
-
-void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
-                         uint8_t *input_buf, uint32_t input_buf_len) {
-
-  memcpy((void *)regs->rdi, input_buf, input_buf_len);
-  regs->rsi = input_buf_len;
-
-}
-
-#elif defined(__i386__)
-
-struct x86_regs {
-
-  uint32_t eax, ebx, ecx, edx, edi, esi, ebp;
-
-  union {
-
-    uint32_t eip;
-    uint32_t pc;
-
-  };
-
-  union {
-
-    uint32_t esp;
-    uint32_t sp;
-
-  };
-
-  union {
-
-    uint32_t eflags;
-    uint32_t flags;
-
-  };
-
-  uint8_t xmm_regs[8][16];
-
-};
-
-void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base,
-                         uint8_t *input_buf, uint32_t input_buf_len) {
-
-  void **esp = (void **)regs->esp;
-  void * arg1 = esp[1];
-  void **arg2 = &esp[2];
-  memcpy(arg1, input_buf, input_buf_len);
-  *arg2 = (void *)input_buf_len;
-
-}
-
-#else
-  #pragma error "Unsupported architecture"
-#endif
-
-int afl_persistent_hook_init(void) {
-
-  // 1 for shared memory input (faster), 0 for normal input (you have to use
-  // read(), input_buf will be NULL)
-  return 1;
-
-}
-
diff --git a/frida_mode/test/persistent_ret/GNUmakefile b/frida_mode/test/persistent_ret/GNUmakefile
index 81fdd069..f11269e3 100644
--- a/frida_mode/test/persistent_ret/GNUmakefile
+++ b/frida_mode/test/persistent_ret/GNUmakefile
@@ -90,7 +90,7 @@ frida_js: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
 		-i $(TESTINSTR_DATA_DIR) \
 		-o $(FRIDA_OUT) \
 		-- \
-			$(TESTINSTBIN) @@
+			$(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
 
 debug: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
 	gdb \
@@ -102,6 +102,15 @@ debug: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
 		--ex 'set disassembly-flavor intel' \
 		--args $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
 
+debug_js: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
+	gdb \
+		--ex 'set environment AFL_FRIDA_JS_SCRIPT=test.js' \
+		--ex 'set environment AFL_FRIDA_PERSISTENT_DEBUG=1' \
+		--ex 'set environment AFL_DEBUG_CHILD=1' \
+		--ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
+		--ex 'set disassembly-flavor intel' \
+		--args $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
+
 run: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
 	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	AFL_FRIDA_PERSISTENT_RET=$(AFL_FRIDA_PERSISTENT_RET) \
diff --git a/frida_mode/test/persistent_ret/test.js b/frida_mode/test/persistent_ret/test.js
index 43c6ad7c..8adb45b2 100644
--- a/frida_mode/test/persistent_ret/test.js
+++ b/frida_mode/test/persistent_ret/test.js
@@ -5,34 +5,44 @@ Afl.print('');
 
 Afl.print(`PID: ${Process.id}`);
 
+const name = Process.enumerateModules()[0].name;
+Afl.print(`Name: ${name}`);
+
 new ModuleMap().values().forEach(m => {
     Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
 });
 
-const persistent_addr = DebugSymbol.fromName('main');
-Afl.print(`persistent_addr: ${persistent_addr.address}`);
-
-const persistent_ret = DebugSymbol.fromName('slow');
-Afl.print(`persistent_ret: ${persistent_ret.address}`);
-
-Afl.setPersistentAddress(persistent_addr.address);
-Afl.setPersistentReturn(persistent_ret.address);
-Afl.setPersistentCount(1000000);
-
-Afl.setDebugMaps();
-
-const mod = Process.findModuleByName("libc-2.31.so")
-Afl.addExcludedRange(mod.base, mod.size);
-Afl.setInstrumentLibraries();
-Afl.setInstrumentDebugFile("/tmp/instr.log");
-Afl.setPrefetchDisable();
-Afl.setInstrumentNoOptimize();
-Afl.setInstrumentEnableTracing();
-Afl.setInstrumentTracingUnique();
-Afl.setStdOut("/tmp/stdout.txt");
-Afl.setStdErr("/tmp/stderr.txt");
-Afl.setStatsFile("/tmp/stats.txt");
-Afl.setStatsInterval(1);
-Afl.setStatsTransitions();
-Afl.done();
+if (name === 'testinstr') {
+    const persistent_addr = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
+    Afl.print(`persistent_addr: ${persistent_addr}`);
+    Afl.setEntryPoint(persistent_addr);
+    Afl.setPersistentAddress(persistent_addr);
+    Afl.setInstrumentDebugFile("/dev/stdout");
+    Afl.setPersistentDebug();
+    Afl.setInstrumentNoOptimize();
+    Afl.setInstrumentEnableTracing();
+
+    const LLVMFuzzerTestOneInput = new NativeFunction(
+        persistent_addr,
+        'void',
+        ['pointer', 'uint64'],
+        {traps: "all"});
+
+    const persistentHook = new NativeCallback(
+        (data, size) => {
+            const input = Afl.aflFuzzPtr.readPointer();
+            const len = Afl.aflFuzzLen.readPointer().readU32();
+            const hd = hexdump(input, {length: len, header: false, ansi: true});
+            Afl.print(`input: ${hd}`);
+            LLVMFuzzerTestOneInput(input, len);
+        },
+        'void',
+        ['pointer', 'uint64']);
+
+    Afl.aflSharedMemFuzzing.writeInt(1);
+    Interceptor.replace(persistent_addr, persistentHook);
+    Interceptor.flush();
+}
+
 Afl.print("done");
+Afl.done();
diff --git a/frida_mode/test/persistent_ret/testinstr.c b/frida_mode/test/persistent_ret/testinstr.c
index 6cb88a50..42e3519a 100644
--- a/frida_mode/test/persistent_ret/testinstr.c
+++ b/frida_mode/test/persistent_ret/testinstr.c
@@ -17,13 +17,14 @@
 #include <unistd.h>
 
 #ifdef __APPLE__
-  #define TESTINSTR_SECTION
+  #define MAIN_SECTION
 #else
-  #define TESTINSTR_SECTION __attribute__((section(".testinstr")))
+  #define MAIN_SECTION __attribute__((section(".main")))
 #endif
 
-void testinstr(char *buf, int len) {
+void LLVMFuzzerTestOneInput(char *buf, int len) {
 
+  printf (">>> LLVMFuzzerTestOneInput >>>\n");
   if (len < 1) return;
   buf[len] = 0;
 
@@ -43,7 +44,7 @@ void slow() {
 
 }
 
-TESTINSTR_SECTION int main(int argc, char **argv) {
+MAIN_SECTION int main(int argc, char **argv) {
 
   char * file;
   int    fd = -1;
@@ -101,7 +102,7 @@ TESTINSTR_SECTION int main(int argc, char **argv) {
 
     dprintf(STDERR_FILENO, "Running:    %s: (%zd bytes)\n", file, n_read);
 
-    testinstr(buf, len);
+    LLVMFuzzerTestOneInput(buf, len);
     dprintf(STDERR_FILENO, "Done:    %s: (%zd bytes)\n", file, n_read);
 
     slow();
diff --git a/frida_mode/test/png/persistent/hook/GNUmakefile b/frida_mode/test/png/persistent/hook/GNUmakefile
index b17f3775..0ff9fe86 100644
--- a/frida_mode/test/png/persistent/hook/GNUmakefile
+++ b/frida_mode/test/png/persistent/hook/GNUmakefile
@@ -2,8 +2,7 @@ PWD:=$(shell pwd)/
 ROOT:=$(shell realpath $(PWD)../../../../..)/
 BUILD_DIR:=$(PWD)build/
 
-AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c
-AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so
+AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so
 
 CFLAGS+=-O3 \
 		-funroll-loops \
@@ -48,7 +47,7 @@ endif
 
 .PHONY: all 32 clean format qemu qemu_entry frida frida_entry debug
 
-all: $(AFLPP_DRIVER_HOOK_OBJ)
+all:
 	make -C $(ROOT)frida_mode/test/png/persistent/
 
 32:
@@ -68,9 +67,6 @@ $(TEST_DATA_DIR): | $(BUILD_DIR)
 $(AFLPP_DRIVER_DUMMY_INPUT): | $(BUILD_DIR)
 	truncate -s 1M $@
 
-$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR)
-	$(CC) $(CFLAGS) $(LDFLAGS) $< -o $@
-
 qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
 	AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
 	AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \
@@ -124,6 +120,28 @@ frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
 		-- \
 			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
 
+frida_js_load: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
+	AFL_FRIDA_JS_SCRIPT=load.js \
+	$(ROOT)afl-fuzz \
+		-D \
+		-V 30 \
+		-O \
+		-i $(TEST_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-- \
+			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
+
+frida_js_cmodule: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
+	AFL_FRIDA_JS_SCRIPT=cmodule.js \
+	$(ROOT)afl-fuzz \
+		-D \
+		-V 30 \
+		-O \
+		-i $(TEST_DATA_DIR) \
+		-o $(FRIDA_OUT) \
+		-- \
+			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
+
 debug: $(AFLPP_DRIVER_DUMMY_INPUT)
 	echo $(AFL_FRIDA_PERSISTENT_ADDR)
 	gdb \
diff --git a/frida_mode/test/png/persistent/hook/Makefile b/frida_mode/test/png/persistent/hook/Makefile
index 983d009e..dca51d85 100644
--- a/frida_mode/test/png/persistent/hook/Makefile
+++ b/frida_mode/test/png/persistent/hook/Makefile
@@ -24,5 +24,8 @@ frida:
 frida_entry:
 	@gmake frida_entry
 
+frida_js:
+	@gmake frida_js
+
 debug:
 	@gmake debug
diff --git a/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c b/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c
deleted file mode 100644
index 1542c0bf..00000000
--- a/frida_mode/test/png/persistent/hook/aflpp_qemu_driver_hook.c
+++ /dev/null
@@ -1,193 +0,0 @@
-#include <stdint.h>
-#include <string.h>
-
-#if defined(__x86_64__)
-
-struct x86_64_regs {
-
-  uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14,
-      r15;
-
-  union {
-
-    uint64_t rip;
-    uint64_t pc;
-
-  };
-
-  union {
-
-    uint64_t rsp;
-    uint64_t sp;
-
-  };
-
-  union {
-
-    uint64_t rflags;
-    uint64_t flags;
-
-  };
-
-  uint8_t zmm_regs[32][64];
-
-};
-
-void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
-                         uint8_t *input_buf, uint32_t input_buf_len) {
-
-  memcpy((void *)regs->rdi, input_buf, input_buf_len);
-  regs->rsi = input_buf_len;
-
-}
-
-#elif defined(__i386__)
-
-struct x86_regs {
-
-  uint32_t eax, ebx, ecx, edx, edi, esi, ebp;
-
-  union {
-
-    uint32_t eip;
-    uint32_t pc;
-
-  };
-
-  union {
-
-    uint32_t esp;
-    uint32_t sp;
-
-  };
-
-  union {
-
-    uint32_t eflags;
-    uint32_t flags;
-
-  };
-
-  uint8_t xmm_regs[8][16];
-
-};
-
-void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base,
-                         uint8_t *input_buf, uint32_t input_buf_len) {
-
-  void **esp = (void **)regs->esp;
-  void * arg1 = esp[1];
-  void **arg2 = &esp[2];
-  memcpy(arg1, input_buf, input_buf_len);
-  *arg2 = (void *)input_buf_len;
-
-}
-#elif defined(__aarch64__)
-
-struct arm64_regs {
-
-  uint64_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10;
-
-  union {
-
-    uint64_t x11;
-    uint32_t fp_32;
-
-  };
-
-  union {
-
-    uint64_t x12;
-    uint32_t ip_32;
-
-  };
-
-  union {
-
-    uint64_t x13;
-    uint32_t sp_32;
-
-  };
-
-  union {
-
-    uint64_t x14;
-    uint32_t lr_32;
-
-  };
-
-  union {
-
-    uint64_t x15;
-    uint32_t pc_32;
-
-  };
-
-  union {
-
-    uint64_t x16;
-    uint64_t ip0;
-
-  };
-
-  union {
-
-    uint64_t x17;
-    uint64_t ip1;
-
-  };
-
-  uint64_t x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28;
-
-  union {
-
-    uint64_t x29;
-    uint64_t fp;
-
-  };
-
-  union {
-
-    uint64_t x30;
-    uint64_t lr;
-
-  };
-
-  union {
-
-    uint64_t x31;
-    uint64_t sp;
-
-  };
-
-  // the zero register is not saved here ofc
-
-  uint64_t pc;
-
-  uint32_t cpsr;
-
-  uint8_t  vfp_zregs[32][16 * 16];
-  uint8_t  vfp_pregs[17][32];
-  uint32_t vfp_xregs[16];
-
-};
-
-void afl_persistent_hook(struct arm64_regs *regs, uint64_t guest_base,
-                         uint8_t *input_buf, uint32_t input_buf_len) {
-
-  memcpy((void *)regs->x0, input_buf, input_buf_len);
-  regs->x1 = input_buf_len;
-}
-
-#else
-  #pragma error "Unsupported architecture"
-#endif
-
-int afl_persistent_hook_init(void) {
-
-  // 1 for shared memory input (faster), 0 for normal input (you have to use
-  // read(), input_buf will be NULL)
-  return 1;
-
-}
-
diff --git a/frida_mode/test/png/persistent/hook/cmodule.js b/frida_mode/test/png/persistent/hook/cmodule.js
new file mode 100644
index 00000000..ab8bdc66
--- /dev/null
+++ b/frida_mode/test/png/persistent/hook/cmodule.js
@@ -0,0 +1,39 @@
+Afl.print('******************');
+Afl.print('* AFL FRIDA MODE *');
+Afl.print('******************');
+Afl.print('');
+
+Afl.print(`PID: ${Process.id}`);
+
+const name = Process.enumerateModules()[0].name;
+Afl.print(`Name: ${name}`);
+
+new ModuleMap().values().forEach(m => {
+    Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
+});
+
+const persistent_addr = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
+Afl.print(`persistent_addr: ${persistent_addr}`);
+Afl.setEntryPoint(persistent_addr);
+Afl.setPersistentAddress(persistent_addr);
+
+const cm = new CModule(`
+
+    #include <string.h>
+    #include <gum/gumdefs.h>
+
+    void afl_persistent_hook(GumCpuContext *regs, uint8_t *input_buf,
+      uint32_t input_buf_len) {
+
+      memcpy((void *)regs->rdi, input_buf, input_buf_len);
+      regs->rsi = input_buf_len;
+
+    }
+    `,
+    {
+        memcpy: Module.getExportByName(null, 'memcpy')
+    });
+Afl.setPersistentHook(cm.afl_persistent_hook);
+
+Afl.print("done");
+Afl.done();
diff --git a/frida_mode/test/png/persistent/hook/load.js b/frida_mode/test/png/persistent/hook/load.js
new file mode 100644
index 00000000..ce4374ae
--- /dev/null
+++ b/frida_mode/test/png/persistent/hook/load.js
@@ -0,0 +1,27 @@
+Afl.print('******************');
+Afl.print('* AFL FRIDA MODE *');
+Afl.print('******************');
+Afl.print('');
+
+Afl.print(`PID: ${Process.id}`);
+
+const name = Process.enumerateModules()[0].name;
+Afl.print(`Name: ${name}`);
+
+new ModuleMap().values().forEach(m => {
+    Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
+});
+
+const persistent_addr = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
+Afl.print(`persistent_addr: ${persistent_addr}`);
+Afl.setEntryPoint(persistent_addr);
+Afl.setPersistentAddress(persistent_addr);
+
+const path = Afl.module.path;
+const dir = path.substring(0, path.lastIndexOf("/"));
+const mod = Module.load(`${dir}/frida_mode/build/hook.so`);
+const hook = mod.getExportByName('afl_persistent_hook');
+Afl.setPersistentHook(hook);
+
+Afl.print("done");
+Afl.done();
diff --git a/frida_mode/test/proj4/GNUmakefile b/frida_mode/test/proj4/GNUmakefile
index 09112cd5..e324a5d0 100644
--- a/frida_mode/test/proj4/GNUmakefile
+++ b/frida_mode/test/proj4/GNUmakefile
@@ -2,8 +2,7 @@ PWD:=$(shell pwd)/
 ROOT:=$(shell realpath $(PWD)../../..)/
 BUILD_DIR:=$(PWD)build/
 
-AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c
-AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so
+AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so
 
 LIBPROJ4_BUILD_DIR:=$(BUILD_DIR)libproj4/
 HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/
@@ -118,11 +117,6 @@ $(TEST_BIN): $(HARNESS_OBJ) $(PROJ4TEST_OBJ) $(LIBPROJ4_LIB)
 		$(LDFLAGS) \
 		$(TEST_BIN_LDFLAGS) \
 
-########## HOOK ########
-
-$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR)
-	$(CC) -shared $(CFLAGS) $(LDFLAGS) $< -o $@
-
 ########## DUMMY #######
 
 $(TEST_DATA_DIR): | $(BUILD_DIR)
@@ -133,8 +127,6 @@ $(TEST_DATA_FILE): | $(TEST_DATA_DIR)
 
 ###### TEST DATA #######
 
-hook: $(AFLPP_DRIVER_HOOK_OBJ)
-
 clean:
 	rm -rf $(BUILD_DIR)
 
diff --git a/frida_mode/test/proj4/Makefile b/frida_mode/test/proj4/Makefile
index 863438cf..f83e2992 100644
--- a/frida_mode/test/proj4/Makefile
+++ b/frida_mode/test/proj4/Makefile
@@ -15,5 +15,3 @@ frida:
 debug:
 	@gmake debug
 
-hook:
-	@gmake hook
diff --git a/frida_mode/test/proj4/aflpp_qemu_driver_hook.c b/frida_mode/test/proj4/aflpp_qemu_driver_hook.c
deleted file mode 100644
index 059d438d..00000000
--- a/frida_mode/test/proj4/aflpp_qemu_driver_hook.c
+++ /dev/null
@@ -1,97 +0,0 @@
-#include <stdint.h>
-#include <string.h>
-
-#if defined(__x86_64__)
-
-struct x86_64_regs {
-
-  uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14,
-      r15;
-
-  union {
-
-    uint64_t rip;
-    uint64_t pc;
-
-  };
-
-  union {
-
-    uint64_t rsp;
-    uint64_t sp;
-
-  };
-
-  union {
-
-    uint64_t rflags;
-    uint64_t flags;
-
-  };
-
-  uint8_t zmm_regs[32][64];
-
-};
-
-void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
-                         uint8_t *input_buf, uint32_t input_buf_len) {
-
-  memcpy((void *)regs->rdi, input_buf, input_buf_len);
-  regs->rsi = input_buf_len;
-
-}
-
-#elif defined(__i386__)
-
-struct x86_regs {
-
-  uint32_t eax, ebx, ecx, edx, edi, esi, ebp;
-
-  union {
-
-    uint32_t eip;
-    uint32_t pc;
-
-  };
-
-  union {
-
-    uint32_t esp;
-    uint32_t sp;
-
-  };
-
-  union {
-
-    uint32_t eflags;
-    uint32_t flags;
-
-  };
-
-  uint8_t xmm_regs[8][16];
-
-};
-
-void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base,
-                         uint8_t *input_buf, uint32_t input_buf_len) {
-
-  void **esp = (void **)regs->esp;
-  void * arg1 = esp[1];
-  void **arg2 = &esp[2];
-  memcpy(arg1, input_buf, input_buf_len);
-  *arg2 = (void *)input_buf_len;
-
-}
-
-#else
-  #pragma error "Unsupported architecture"
-#endif
-
-int afl_persistent_hook_init(void) {
-
-  // 1 for shared memory input (faster), 0 for normal input (you have to use
-  // read(), input_buf will be NULL)
-  return 1;
-
-}
-
diff --git a/frida_mode/test/re2/GNUmakefile b/frida_mode/test/re2/GNUmakefile
index 9f0b31d3..e1c5347d 100644
--- a/frida_mode/test/re2/GNUmakefile
+++ b/frida_mode/test/re2/GNUmakefile
@@ -2,8 +2,7 @@ PWD:=$(shell pwd)/
 ROOT:=$(shell realpath $(PWD)../../..)/
 BUILD_DIR:=$(PWD)build/
 
-AFLPP_DRIVER_HOOK_SRC=$(PWD)aflpp_qemu_driver_hook.c
-AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)aflpp_qemu_driver_hook.so
+AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so
 
 LIBRE2_BUILD_DIR:=$(BUILD_DIR)libre2/
 HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/
@@ -116,11 +115,6 @@ $(TEST_BIN): $(HARNESS_OBJ) $(RE2TEST_OBJ) $(LIBRE2_LIB)
 		$(LDFLAGS) \
 		$(TEST_BIN_LDFLAGS) \
 
-########## HOOK ########
-
-$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR)
-	$(CC) -shared $(CFLAGS) $(LDFLAGS) $< -o $@
-
 ########## DUMMY #######
 
 $(TEST_DATA_DIR): | $(BUILD_DIR)
@@ -131,8 +125,6 @@ $(AFLPP_DRIVER_DUMMY_INPUT): | $(TEST_DATA_DIR)
 
 ###### TEST DATA #######
 
-hook: $(AFLPP_DRIVER_HOOK_OBJ)
-
 clean:
 	rm -rf $(BUILD_DIR)
 
diff --git a/frida_mode/test/re2/Makefile b/frida_mode/test/re2/Makefile
index 00b2b287..360cdc44 100644
--- a/frida_mode/test/re2/Makefile
+++ b/frida_mode/test/re2/Makefile
@@ -18,5 +18,3 @@ frida:
 debug:
 	@gmake debug
 
-hook:
-	@gmake hook
diff --git a/frida_mode/test/re2/aflpp_qemu_driver_hook.c b/frida_mode/test/re2/aflpp_qemu_driver_hook.c
deleted file mode 100644
index 059d438d..00000000
--- a/frida_mode/test/re2/aflpp_qemu_driver_hook.c
+++ /dev/null
@@ -1,97 +0,0 @@
-#include <stdint.h>
-#include <string.h>
-
-#if defined(__x86_64__)
-
-struct x86_64_regs {
-
-  uint64_t rax, rbx, rcx, rdx, rdi, rsi, rbp, r8, r9, r10, r11, r12, r13, r14,
-      r15;
-
-  union {
-
-    uint64_t rip;
-    uint64_t pc;
-
-  };
-
-  union {
-
-    uint64_t rsp;
-    uint64_t sp;
-
-  };
-
-  union {
-
-    uint64_t rflags;
-    uint64_t flags;
-
-  };
-
-  uint8_t zmm_regs[32][64];
-
-};
-
-void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
-                         uint8_t *input_buf, uint32_t input_buf_len) {
-
-  memcpy((void *)regs->rdi, input_buf, input_buf_len);
-  regs->rsi = input_buf_len;
-
-}
-
-#elif defined(__i386__)
-
-struct x86_regs {
-
-  uint32_t eax, ebx, ecx, edx, edi, esi, ebp;
-
-  union {
-
-    uint32_t eip;
-    uint32_t pc;
-
-  };
-
-  union {
-
-    uint32_t esp;
-    uint32_t sp;
-
-  };
-
-  union {
-
-    uint32_t eflags;
-    uint32_t flags;
-
-  };
-
-  uint8_t xmm_regs[8][16];
-
-};
-
-void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base,
-                         uint8_t *input_buf, uint32_t input_buf_len) {
-
-  void **esp = (void **)regs->esp;
-  void * arg1 = esp[1];
-  void **arg2 = &esp[2];
-  memcpy(arg1, input_buf, input_buf_len);
-  *arg2 = (void *)input_buf_len;
-
-}
-
-#else
-  #pragma error "Unsupported architecture"
-#endif
-
-int afl_persistent_hook_init(void) {
-
-  // 1 for shared memory input (faster), 0 for normal input (you have to use
-  // read(), input_buf will be NULL)
-  return 1;
-
-}
-
diff --git a/frida_mode/ts/lib/afl.ts b/frida_mode/ts/lib/afl.ts
new file mode 100644
index 00000000..6da7fabc
--- /dev/null
+++ b/frida_mode/ts/lib/afl.ts
@@ -0,0 +1,373 @@
+class Afl {
+
+  /**
+   * Field containing the `Module` object for `afl-frida-trace.so` (the FRIDA mode
+   * implementation).
+   */
+  public static module: Module = Process.getModuleByName("afl-frida-trace.so");
+
+  /**
+   * This is equivalent to setting a value in `AFL_FRIDA_EXCLUDE_RANGES`,
+   * it takes as arguments a `NativePointer` and a `number`. It can be
+   * called multiple times to exclude several ranges.
+   */
+  public static addExcludedRange(addressess: NativePointer, size: number): void {
+    Afl.jsApiAddExcludeRange(addressess, size);
+  }
+
+  /**
+   * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`,
+   * it takes as arguments a `NativePointer` and a `number`. It can be
+   * called multiple times to include several ranges.
+   */
+  public static addIncludedRange(addressess: NativePointer, size: number): void {
+    Afl.jsApiAddIncludeRange(addressess, size);
+  }
+
+  /**
+   * This must always be called at the end of your script. This lets
+   * FRIDA mode know that your configuration is finished and that
+   * execution has reached the end of your script. Failure to call
+   * this will result in a fatal error.
+   */
+  public static done(): void {
+    Afl.jsApiDone();
+  }
+
+  /**
+   * This function can be called within your script to cause FRIDA
+   * mode to trigger a fatal error. This is useful if for example you
+   * discover a problem you weren't expecting and want everything to
+   * stop. The user will need to enable `AFL_DEBUG_CHILD=1` to view
+   * this error message.
+   */
+  public static error(msg: string): void {
+    const buf = Memory.allocUtf8String(msg);
+    Afl.jsApiError(buf);
+  }
+
+  /**
+   * Function used to provide access to `__afl_fuzz_ptr`, which contains the length of
+   * fuzzing data when using in-memory test case fuzzing.
+   */
+  public static getAflFuzzLen(): NativePointer {
+
+    return Afl.jsApiGetSymbol("__afl_fuzz_len");
+  }
+
+  /**
+   * Function used to provide access to `__afl_fuzz_ptr`, which contains the fuzzing
+   * data when using in-memory test case fuzzing.
+   */
+  public static getAflFuzzPtr(): NativePointer {
+
+    return Afl.jsApiGetSymbol("__afl_fuzz_ptr");
+  }
+
+  /**
+   * Print a message to the STDOUT. This should be preferred to
+   * FRIDA's `console.log` since FRIDA will queue it's log messages.
+   * If `console.log` is used in a callback in particular, then there
+   * may no longer be a thread running to service this queue.
+   */
+  public static print(msg: string): void {
+    const STDOUT_FILENO = 2;
+    const log = `${msg}\n`;
+    const buf = Memory.allocUtf8String(log);
+    Afl.jsApiWrite(STDOUT_FILENO, buf, log.length);
+  }
+
+  /**
+   * See `AFL_FRIDA_DEBUG_MAPS`.
+   */
+  public static setDebugMaps(): void {
+    Afl.jsApiSetDebugMaps();
+  }
+
+  /**
+   * This has the same effect as setting `AFL_ENTRYPOINT`, but has the
+   * convenience of allowing you to use FRIDAs APIs to determine the
+   * address you would like to configure, rather than having to grep
+   * the output of `readelf` or something similarly ugly. This
+   * function should be called with a `NativePointer` as its
+   * argument.
+   */
+  public static setEntryPoint(address: NativePointer): void {
+    Afl.jsApiSetEntryPoint(address);
+  }
+
+  /**
+   * Function used to enable in-memory test cases for fuzzing.
+   */
+  public static setInMemoryFuzzing(): void {
+    Afl.jsApiAflSharedMemFuzzing.writeInt(1);
+  }
+
+  /**
+   * See `AFL_FRIDA_INST_DEBUG_FILE`. This function takes a single `string` as
+   * an argument.
+   */
+  public static setInstrumentDebugFile(file: string): void {
+    const buf = Memory.allocUtf8String(file);
+    Afl.jsApiSetInstrumentDebugFile(buf);
+  }
+
+  /**
+   * See `AFL_FRIDA_INST_TRACE`.
+   */
+  public static setInstrumentEnableTracing(): void {
+    Afl.jsApiSetInstrumentTrace();
+  }
+
+  /**
+   * See `AFL_INST_LIBS`.
+   */
+  public static setInstrumentLibraries(): void {
+    Afl.jsApiSetInstrumentLibraries();
+  }
+
+  /**
+   * See `AFL_FRIDA_INST_NO_OPTIMIZE`
+   */
+  public static setInstrumentNoOptimize(): void {
+    Afl.jsApiSetInstrumentNoOptimize();
+  }
+
+  /**
+   * See `AFL_FRIDA_INST_TRACE_UNIQUE`.
+   */
+  public static setInstrumentTracingUnique(): void {
+    Afl.jsApiSetInstrumentTraceUnique();
+  }
+
+  /**
+   * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a
+   * `NativePointer` should be provided as it's argument.
+   */
+  public static setPersistentAddress(address: NativePointer): void {
+    Afl.jsApiSetPersistentAddress(address);
+  }
+
+  /**
+   * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a
+   * `number` should be provided as it's argument.
+   */
+  public static setPersistentCount(count: number): void {
+    Afl.jsApiSetPersistentCount(count);
+  }
+
+  /**
+   * See `AFL_FRIDA_PERSISTENT_DEBUG`.
+   */
+  public static setPersistentDebug(): void {
+    Afl.jsApiSetPersistentDebug();
+  }
+
+  /**
+   * See `AFL_FRIDA_PERSISTENT_ADDR`. This function takes a NativePointer as an
+   * argument. See above for examples of use.
+   */
+  public static setPersistentHook(address: NativePointer): void {
+    Afl.jsApiSetPersistentHook(address);
+  }
+
+  /**
+   * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a
+   * `NativePointer` should be provided as it's argument.
+   */
+  public static setPersistentReturn(address: NativePointer): void {
+    Afl.jsApiSetPersistentReturn(address);
+  }
+
+  /**
+   * See `AFL_FRIDA_INST_NO_PREFETCH`.
+   */
+  public static setPrefetchDisable(): void {
+    Afl.jsApiSetPrefetchDisable();
+  }
+
+  /*
+   * Set a function to be called for each instruction which is instrumented
+   * by AFL FRIDA mode.
+   */
+  public static setStalkerCallback(callback: NativePointer): void {
+    Afl.jsApiSetStalkerCallback(callback);
+  }
+
+  /**
+   * See `AFL_FRIDA_STATS_FILE`. This function takes a single `string` as
+   * an argument.
+   */
+  public static setStatsFile(file: string): void {
+    const buf = Memory.allocUtf8String(file);
+    Afl.jsApiSetStatsFile(buf);
+  }
+
+  /**
+   * See `AFL_FRIDA_STATS_INTERVAL`. This function takes a `number` as an
+   * argument
+   */
+  public static setStatsInterval(interval: number): void {
+    Afl.jsApiSetStatsInterval(interval);
+  }
+
+  /**
+   * See `AFL_FRIDA_STATS_TRANSITIONS`
+   */
+  public static setStatsTransitions(): void {
+    Afl.jsApiSetStatsTransitions();
+  }
+
+  /**
+   * See `AFL_FRIDA_OUTPUT_STDERR`. This function takes a single `string` as
+   * an argument.
+   */
+  public static setStdErr(file: string): void {
+    const buf = Memory.allocUtf8String(file);
+    Afl.jsApiSetStdErr(buf);
+  }
+
+  /**
+   * See `AFL_FRIDA_OUTPUT_STDOUT`. This function takes a single `string` as
+   * an argument.
+   */
+  public static setStdOut(file: string): void {
+    const buf = Memory.allocUtf8String(file);
+    Afl.jsApiSetStdOut(buf);
+  }
+
+  private static readonly jsApiAddExcludeRange = Afl.jsApiGetFunction(
+    "js_api_add_exclude_range",
+    "void",
+    ["pointer", "size_t"]);
+
+  private static readonly jsApiAddIncludeRange = Afl.jsApiGetFunction(
+    "js_api_add_include_range",
+    "void",
+    ["pointer", "size_t"]);
+
+  private static readonly jsApiAflSharedMemFuzzing = Afl.jsApiGetSymbol("__afl_sharedmem_fuzzing");
+
+  private static readonly jsApiDone = Afl.jsApiGetFunction(
+    "js_api_done",
+    "void",
+    []);
+
+  private static readonly jsApiError = Afl.jsApiGetFunction(
+    "js_api_error",
+    "void",
+    ["pointer"]);
+
+  private static readonly jsApiSetDebugMaps = Afl.jsApiGetFunction(
+    "js_api_set_debug_maps",
+    "void",
+    []);
+
+  private static readonly jsApiSetEntryPoint = Afl.jsApiGetFunction(
+    "js_api_set_entrypoint",
+    "void",
+    ["pointer"]);
+
+  private static readonly jsApiSetInstrumentDebugFile = Afl.jsApiGetFunction(
+    "js_api_set_instrument_debug_file",
+    "void",
+    ["pointer"]);
+
+  private static readonly jsApiSetInstrumentLibraries = Afl.jsApiGetFunction(
+    "js_api_set_instrument_libraries",
+    "void",
+    []);
+
+  private static readonly jsApiSetInstrumentNoOptimize = Afl.jsApiGetFunction(
+    "js_api_set_instrument_no_optimize",
+    "void",
+    []);
+
+  private static readonly jsApiSetInstrumentTrace = Afl.jsApiGetFunction(
+    "js_api_set_instrument_trace",
+    "void",
+    []);
+
+  private static readonly jsApiSetInstrumentTraceUnique = Afl.jsApiGetFunction(
+    "js_api_set_instrument_trace_unique",
+    "void",
+    []);
+
+  private static readonly jsApiSetPersistentAddress = Afl.jsApiGetFunction(
+    "js_api_set_persistent_address",
+    "void",
+    ["pointer"]);
+
+  private static readonly jsApiSetPersistentCount = Afl.jsApiGetFunction(
+    "js_api_set_persistent_count",
+    "void",
+    ["uint64"]);
+
+  private static readonly jsApiSetPersistentDebug = Afl.jsApiGetFunction(
+    "js_api_set_persistent_debug",
+    "void",
+    []);
+
+  private static readonly jsApiSetPersistentHook = Afl.jsApiGetFunction(
+    "js_api_set_persistent_hook",
+    "void",
+    ["pointer"]);
+
+  private static readonly jsApiSetPersistentReturn = Afl.jsApiGetFunction(
+    "js_api_set_persistent_return",
+    "void",
+    ["pointer"]);
+
+  private static readonly jsApiSetPrefetchDisable = Afl.jsApiGetFunction(
+    "js_api_set_prefetch_disable",
+    "void",
+    []);
+
+  private static readonly jsApiSetStalkerCallback = Afl.jsApiGetFunction(
+    "js_api_set_stalker_callback",
+    "void",
+    ["pointer"]);
+
+  private static readonly jsApiSetStatsFile = Afl.jsApiGetFunction(
+    "js_api_set_stats_file",
+    "void",
+    ["pointer"]);
+
+  private static readonly jsApiSetStatsInterval = Afl.jsApiGetFunction(
+    "js_api_set_stats_interval",
+    "void",
+    ["uint64"]);
+
+  private static readonly jsApiSetStatsTransitions = Afl.jsApiGetFunction(
+    "js_api_set_stats_transitions",
+    "void",
+    []);
+
+  private static readonly jsApiSetStdErr = Afl.jsApiGetFunction(
+    "js_api_set_stderr",
+    "void",
+    ["pointer"]);
+
+  private static readonly jsApiSetStdOut = Afl.jsApiGetFunction(
+    "js_api_set_stdout",
+    "void",
+    ["pointer"]);
+
+  private static readonly jsApiWrite = new NativeFunction(
+    /* tslint:disable-next-line:no-null-keyword */
+    Module.getExportByName(null, "write"),
+    "int",
+    ["int", "pointer", "int"]);
+
+  private static jsApiGetFunction(name: string, retType: NativeType, argTypes: NativeType[]): NativeFunction {
+    const addr: NativePointer = Afl.module.getExportByName(name);
+
+    return new NativeFunction(addr, retType, argTypes);
+  }
+
+  private static jsApiGetSymbol(name: string): NativePointer {
+
+    return Afl.module.getExportByName(name);
+  }
+
+}
diff --git a/frida_mode/ts/package-lock.json b/frida_mode/ts/package-lock.json
new file mode 100644
index 00000000..e766c2c2
--- /dev/null
+++ b/frida_mode/ts/package-lock.json
@@ -0,0 +1,12 @@
+{
+  "requires": true,
+  "lockfileVersion": 1,
+  "dependencies": {
+    "tsc": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/tsc/-/tsc-2.0.3.tgz",
+      "integrity": "sha512-SN+9zBUtrpUcOpaUO7GjkEHgWtf22c7FKbKCA4e858eEM7Qz86rRDpgOU2lBIDf0fLCsEg65ms899UMUIB2+Ow==",
+      "dev": true
+    }
+  }
+}
diff --git a/frida_mode/ts/package.json b/frida_mode/ts/package.json
new file mode 100644
index 00000000..47b693ed
--- /dev/null
+++ b/frida_mode/ts/package.json
@@ -0,0 +1,32 @@
+{
+    "name": "@worksbutnottested/aflplusplus-frida",
+    "version": "1.0.0",
+    "description": "AFLplusplus Frida Mode",
+    "main": "./dist/frida.js",
+    "types": "./dist/frida.d.ts",
+    "files": [
+      "/dist/"
+    ],
+    "repository": {
+      "type": "git",
+      "url": "git@github.com:worksbutnottested/AFLplusplus.git"
+    },
+    "publishConfig": {
+      "cache": "~/.npm",
+      "registry": "https://npm.pkg.github.com/@worksbutnottested"
+    },
+    "scripts": {
+      "prepare": "npm run build",
+      "build": "tsc",
+      "lint": "tslint -p tslint.json"
+    },
+    "devDependencies": {
+      "@types/node": "^14.14.2",
+      "typescript": "^4.0.3",
+      "typescript-tslint-plugin": "^0.5.5",
+      "tslint": "^6.1.3"
+    },
+    "dependencies": {
+      "@types/frida-gum": "^16.2.0"
+    }
+  }
diff --git a/frida_mode/ts/tsconfig.json b/frida_mode/ts/tsconfig.json
new file mode 100644
index 00000000..624e4496
--- /dev/null
+++ b/frida_mode/ts/tsconfig.json
@@ -0,0 +1,14 @@
+{
+    "compilerOptions": {
+      "target": "es2020",
+      "lib": ["es2020"],
+      "strict": true,
+      "module": "commonjs",
+      "esModuleInterop": true,
+      "declaration": true,
+      "outDir": "./dist"
+    },
+    "include": [
+      "lib/**/*"
+    ]
+  }
diff --git a/frida_mode/ts/tslint.json b/frida_mode/ts/tslint.json
new file mode 100644
index 00000000..0e7a77ed
--- /dev/null
+++ b/frida_mode/ts/tslint.json
@@ -0,0 +1,256 @@
+{
+    "rules": {
+        "adjacent-overload-signatures": true,
+        "ban-types": {
+            "options": [
+                ["Object", "Avoid using the `Object` type. Did you mean `object`?"],
+                [
+                    "Function",
+                    "Avoid using the `Function` type. Prefer a specific function type, like `() => void`."
+                ],
+                ["Boolean", "Avoid using the `Boolean` type. Did you mean `boolean`?"],
+                ["Number", "Avoid using the `Number` type. Did you mean `number`?"],
+                ["String", "Avoid using the `String` type. Did you mean `string`?"],
+                ["Symbol", "Avoid using the `Symbol` type. Did you mean `symbol`?"]
+            ]
+        },
+        "ban-ts-ignore": true,
+        "member-access": {
+            "options": ["check-accessor", "check-constructor", "check-parameter-property"]
+        },
+        "member-ordering": {
+            "options": {
+                "order": "statics-first",
+                "alphabetize": true
+            }
+        },
+        "no-any": true,
+        "no-empty-interface": true,
+        "no-for-in": true,
+        "no-import-side-effect": true,
+        "no-inferrable-types": { "options": ["ignore-params"] },
+        "no-internal-module": true,
+        "no-magic-numbers": true,
+        "no-namespace": true,
+        "no-non-null-assertion": true,
+        "no-reference": true,
+        "no-restricted-globals": true,
+        "no-this-assignment": true,
+        "no-var-requires": true,
+        "only-arrow-functions": true,
+        "prefer-for-of": true,
+        "prefer-readonly": true,
+        "promise-function-async": true,
+        "typedef": {
+            "options": [
+                "call-signature",
+                "parameter",
+                "property-declaration"
+            ]
+        },
+        "typedef-whitespace": {
+            "options": [
+                {
+                    "call-signature": "nospace",
+                    "index-signature": "nospace",
+                    "parameter": "nospace",
+                    "property-declaration": "nospace",
+                    "variable-declaration": "nospace"
+                },
+                {
+                    "call-signature": "onespace",
+                    "index-signature": "onespace",
+                    "parameter": "onespace",
+                    "property-declaration": "onespace",
+                    "variable-declaration": "onespace"
+                }
+            ]
+        },
+        "unified-signatures": true,
+        "await-promise": true,
+        "ban-comma-operator": true,
+        "curly": true,
+        "forin": true,
+        "function-constructor": true,
+        "label-position": true,
+        "no-arg": true,
+        "no-async-without-await": true,
+        "no-bitwise": true,
+        "no-conditional-assignment": true,
+        "no-console": true,
+        "no-construct": true,
+        "no-debugger": true,
+        "no-duplicate-super": true,
+        "no-duplicate-switch-case": true,
+        "no-duplicate-variable": { "options": ["check-parameters"] },
+        "no-dynamic-delete": true,
+        "no-empty": true,
+        "no-eval": true,
+        "no-floating-promises": true,
+        "no-for-in-array": true,
+        "no-implicit-dependencies": true,
+        "no-inferred-empty-object-type": true,
+        "no-invalid-template-strings": true,
+        "no-misused-new": true,
+        "no-null-keyword": true,
+        "no-null-undefined-union": true,
+        "no-object-literal-type-assertion": true,
+        "no-promise-as-boolean": true,
+        "no-return-await": true,
+        "no-shadowed-variable": true,
+        "no-string-literal": true,
+        "no-string-throw": true,
+        "no-sparse-arrays": true,
+        "no-submodule-imports": true,
+        "no-tautology-expression": true,
+        "no-unbound-method": true,
+        "no-unnecessary-class": { "options": ["allow-empty-class", "allow-static-only"] },
+        "no-unsafe-any": false,
+        "no-unsafe-finally": true,
+        "no-unused-expression": true,
+        "no-var-keyword": true,
+        "no-void-expression": true,
+        "prefer-conditional-expression": true,
+        "radix": true,
+        "restrict-plus-operands": true,
+        "static-this": true,
+        "strict-boolean-expressions": true,
+        "strict-string-expressions": true,
+        "strict-comparisons": true,
+        "strict-type-predicates": true,
+        "switch-default": true,
+        "triple-equals": true,
+        "unnecessary-constructor": true,
+        "use-default-type-parameter": true,
+        "use-isnan": true,
+        "cyclomatic-complexity": true,
+        "eofline": true,
+        "indent": { "options": ["spaces"] },
+        "invalid-void": true,
+        "linebreak-style": { "options": "LF" },
+        "max-classes-per-file": { "options": 1 },
+        "max-file-line-count": { "options": 1000 },
+        "max-line-length": {
+            "options": { "limit": 120 }
+        },
+        "no-default-export": true,
+        "no-default-import": true,
+        "no-duplicate-imports": true,
+        "no-irregular-whitespace": true,
+        "no-mergeable-namespace": true,
+        "no-parameter-reassignment": true,
+        "no-require-imports": true,
+        "no-trailing-whitespace": true,
+        "object-literal-sort-keys": true,
+        "prefer-const": true,
+        "trailing-comma": {
+            "options": {
+                "esSpecCompliant": true,
+                "multiline": "always",
+                "singleline": "never"
+            }
+        },
+        "align": {
+            "options": ["parameters", "arguments", "statements", "elements", "members"]
+        },
+        "array-type": { "options": "array-simple" },
+        "arrow-parens": true,
+        "arrow-return-shorthand": { "options": "multiline" },
+        "binary-expression-operand-order": true,
+        "callable-types": true,
+        "class-name": true,
+        "comment-format": { "options": ["check-space", "check-uppercase"] },
+        "comment-type": { "options": ["singleline", "multiline", "doc", "directive"] },
+        "completed-docs": [
+            true,
+            {
+              "enums": true,
+              "methods": {"locations": "all", "privacies": ["public", "protected"]},
+              "properties": {"locations": "all", "privacies": ["public", "protected"]}
+            }
+          ],
+        "deprecation": true,
+        "encoding": true,
+        "file-name-casing": { "options": "camel-case" },
+        "import-spacing": true,
+        "increment-decrement": true,
+        "interface-name": true,
+        "interface-over-type-literal": true,
+        "jsdoc-format": { "options": "check-multiline-start" },
+        "match-default-export-name": true,
+        "new-parens": true,
+        "newline-before-return": true,
+        "newline-per-chained-call": true,
+        "no-angle-bracket-type-assertion": true,
+        "no-boolean-literal-compare": true,
+        "no-consecutive-blank-lines": true,
+        "no-parameter-properties": true,
+        "no-redundant-jsdoc": true,
+        "no-reference-import": true,
+        "no-unnecessary-callback-wrapper": true,
+        "no-unnecessary-initializer": true,
+        "no-unnecessary-qualifier": true,
+        "no-unnecessary-type-assertion": true,
+        "number-literal-format": true,
+        "object-literal-key-quotes": { "options": "consistent-as-needed" },
+        "object-literal-shorthand": true,
+        "one-line": {
+            "options": [
+                "check-catch",
+                "check-else",
+                "check-finally",
+                "check-open-brace",
+                "check-whitespace"
+            ]
+        },
+        "one-variable-per-declaration": true,
+        "ordered-imports": {
+            "options": {
+                "grouped-imports": true,
+                "import-sources-order": "case-insensitive",
+                "named-imports-order": "case-insensitive",
+                "module-source-path": "full"
+            }
+        },
+        "prefer-function-over-method": true,
+        "prefer-method-signature": true,
+        "prefer-object-spread": true,
+        "prefer-switch": true,
+        "prefer-template": true,
+        "prefer-while": true,
+        "quotemark": {
+            "options": ["double", "avoid-escape", "avoid-template"]
+        },
+        "return-undefined": true,
+        "semicolon": { "options": ["always"] },
+        "space-before-function-paren": {
+            "options": {
+                "anonymous": "never",
+                "asyncArrow": "always",
+                "constructor": "never",
+                "method": "never",
+                "named": "never"
+            }
+        },
+        "space-within-parens": { "options": 0 },
+        "switch-final-break": true,
+        "type-literal-delimiter": true,
+        "unnecessary-bind": true,
+        "unnecessary-else": true,
+        "variable-name": { "options": ["ban-keywords", "check-format", "require-const-for-all-caps"] },
+        "whitespace": {
+            "options": [
+                "check-branch",
+                "check-decl",
+                "check-operator",
+                "check-module",
+                "check-separator",
+                "check-type",
+                "check-typecast",
+                "check-preblock",
+                "check-type-operator",
+                "check-rest-spread"
+            ]
+        }
+    }
+}
-- 
cgit 1.4.1


From 4a02118fdae1ed0bd2cb74a775e7bc0d82d91a81 Mon Sep 17 00:00:00 2001
From: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Date: Tue, 6 Jul 2021 18:30:50 +0100
Subject: Deferred exclusion support (#1008)

* Deferred exclusion support

* Changes to support different hook libraries for QEMU and FRIDA

* Changes to collect more stats

Co-authored-by: Your Name <you@example.com>
---
 frida_mode/GNUmakefile                          | 25 ++++++++++++++++---------
 frida_mode/include/entry.h                      |  3 ++-
 frida_mode/include/persistent.h                 |  3 +++
 frida_mode/include/stalker.h                    |  1 +
 frida_mode/src/entry.c                          | 15 ++++++++++++++-
 frida_mode/src/instrument/instrument.c          |  8 +++++++-
 frida_mode/src/persistent/persistent.c          | 20 ++++++++++++++++++++
 frida_mode/src/persistent/persistent_arm32.c    |  4 ++--
 frida_mode/src/persistent/persistent_arm64.c    |  4 ++--
 frida_mode/src/persistent/persistent_x64.c      |  4 ++--
 frida_mode/src/persistent/persistent_x86.c      |  4 ++--
 frida_mode/src/stalker.c                        |  8 +++++++-
 frida_mode/src/stats/stats_x64.c                | 18 ++++++++++++++++++
 frida_mode/test/jpeg/GNUmakefile                |  6 +++---
 frida_mode/test/libpcap/GNUmakefile             | 11 ++++++-----
 frida_mode/test/png/GNUmakefile                 |  6 ++++++
 frida_mode/test/png/Makefile                    |  3 +++
 frida_mode/test/png/persistent/hook/GNUmakefile | 25 +++++++++++++------------
 frida_mode/test/png/persistent/hook/load.js     |  2 +-
 frida_mode/test/proj4/GNUmakefile               |  6 +++---
 frida_mode/test/re2/GNUmakefile                 | 11 ++++++-----
 frida_mode/test/testinstr/GNUmakefile           |  7 +++++++
 22 files changed, 144 insertions(+), 50 deletions(-)

(limited to 'frida_mode/src/persistent/persistent.c')

diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index 6c17f369..4d8f8507 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -98,9 +98,12 @@ FRIDA_GUM_DEVKIT_COMPRESSED_TARBALL:=$(FRIDA_DIR)build/$(GUM_DEVKIT_FILENAME)
 AFL_COMPILER_RT_SRC:=$(ROOT)instrumentation/afl-compiler-rt.o.c
 AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o
 
-HOOK_DIR:=$(PWD)hook/
-AFLPP_DRIVER_HOOK_SRC=$(HOOK_DIR)hook.c
-AFLPP_DRIVER_HOOK_OBJ=$(BUILD_DIR)hook.so
+FRIDA_HOOK_DIR:=$(PWD)hook/
+AFLPP_FRIDA_DRIVER_HOOK_SRC=$(FRIDA_HOOK_DIR)hook.c
+AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(BUILD_DIR)frida_hook.so
+
+QEMU_HOOK_DIR:=$(ROOT)utils/aflpp_driver/
+AFLPP_QEMU_DRIVER_HOOK_OBJ:=$(BUILD_DIR)qemu_hook.so
 
 BIN2C:=$(BUILD_DIR)bin2c
 BIN2C_SRC:=$(PWD)util/bin2c.c
@@ -109,7 +112,7 @@ BIN2C_SRC:=$(PWD)util/bin2c.c
 
 ############################## ALL #############################################
 
-all: $(FRIDA_TRACE) $(AFLPP_DRIVER_HOOK_OBJ)
+all: $(FRIDA_TRACE) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ)
 
 32:
 	CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
@@ -150,10 +153,10 @@ $(GUM_DEVKIT_TARBALL): | $(FRIDA_BUILD_DIR)
 	wget -O $@ $(GUM_DEVKIT_URL)
 endif
 
-$(GUM_DEVIT_LIBRARY): | $(GUM_DEVKIT_TARBALL)
+$(GUM_DEVIT_LIBRARY): $(GUM_DEVKIT_TARBALL)
 	tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR)
 
-$(GUM_DEVIT_HEADER): | $(GUM_DEVKIT_TARBALL)
+$(GUM_DEVIT_HEADER): $(GUM_DEVKIT_TARBALL)
 	tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR)
 
 ############################## AFL #############################################
@@ -214,10 +217,14 @@ $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL
 
 ############################# HOOK #############################################
 
-$(AFLPP_DRIVER_HOOK_OBJ): $(AFLPP_DRIVER_HOOK_SRC) | $(BUILD_DIR)
+$(AFLPP_FRIDA_DRIVER_HOOK_OBJ): $(AFLPP_FRIDA_DRIVER_HOOK_SRC) | $(BUILD_DIR)
 	$(CC) $(CFLAGS) $(LDFLAGS) -I $(FRIDA_BUILD_DIR) $< -o $@
 
-hook: $(AFLPP_DRIVER_HOOK_OBJ)
+$(AFLPP_QEMU_DRIVER_HOOK_OBJ): | $(QEMU_HOOK_DIR)
+	make -C $(QEMU_HOOK_DIR) aflpp_qemu_driver_hook.so
+	cp $(QEMU_HOOK_DIR)aflpp_qemu_driver_hook.so $@
+
+hook: $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ)
 
 ############################# CLEAN ############################################
 clean:
@@ -225,7 +232,7 @@ clean:
 
 ############################# FORMAT ###########################################
 format:
-	cd $(ROOT) && echo $(SOURCES) $(AFLPP_DRIVER_HOOK_SRC) $(BIN2C_SRC) | xargs -L1 ./.custom-format.py -i
+	cd $(ROOT) && echo $(SOURCES) $(AFLPP_FRIDA_DRIVER_HOOK_SRC) $(BIN2C_SRC) | xargs -L1 ./.custom-format.py -i
 	cd $(ROOT) && echo $(INCLUDES) | xargs -L1 ./.custom-format.py -i
 
 ############################# RUN #############################################
diff --git a/frida_mode/include/entry.h b/frida_mode/include/entry.h
index 801c2bbe..cbc5c8c7 100644
--- a/frida_mode/include/entry.h
+++ b/frida_mode/include/entry.h
@@ -3,7 +3,8 @@
 
 #include "frida-gumjs.h"
 
-extern guint64 entry_point;
+extern guint64  entry_point;
+extern gboolean entry_reached;
 
 void entry_config(void);
 
diff --git a/frida_mode/include/persistent.h b/frida_mode/include/persistent.h
index 8f00196c..c79f0143 100644
--- a/frida_mode/include/persistent.h
+++ b/frida_mode/include/persistent.h
@@ -30,7 +30,10 @@ void persistent_init(void);
 gboolean persistent_is_supported(void);
 
 void persistent_prologue(GumStalkerOutput *output);
+void persistent_prologue_arch(GumStalkerOutput *output);
+
 void persistent_epilogue(GumStalkerOutput *output);
+void persistent_epilogue_arch(GumStalkerOutput *output);
 
 #endif
 
diff --git a/frida_mode/include/stalker.h b/frida_mode/include/stalker.h
index 2136fe52..b5e05d5a 100644
--- a/frida_mode/include/stalker.h
+++ b/frida_mode/include/stalker.h
@@ -7,6 +7,7 @@ void        stalker_config(void);
 void        stalker_init(void);
 GumStalker *stalker_get(void);
 void        stalker_start(void);
+void        stalker_trust(void);
 
 #endif
 
diff --git a/frida_mode/src/entry.c b/frida_mode/src/entry.c
index e95b923b..1d3b3e43 100644
--- a/frida_mode/src/entry.c
+++ b/frida_mode/src/entry.c
@@ -4,12 +4,15 @@
 
 #include "entry.h"
 #include "instrument.h"
+#include "persistent.h"
+#include "ranges.h"
 #include "stalker.h"
 #include "util.h"
 
 extern void __afl_manual_init();
 
-guint64 entry_point = 0;
+guint64  entry_point = 0;
+gboolean entry_reached = FALSE;
 
 static void entry_launch(void) {
 
@@ -50,6 +53,16 @@ static void entry_callout(GumCpuContext *cpu_context, gpointer user_data) {
 void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output) {
 
   UNUSED_PARAMETER(output);
+  OKF("AFL_ENTRYPOINT reached");
+
+  if (persistent_start == 0) {
+
+    entry_reached = TRUE;
+    ranges_exclude();
+    stalker_trust();
+
+  }
+
   gum_stalker_iterator_put_callout(iterator, entry_callout, NULL, NULL);
 
 }
diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c
index c646843c..2d857716 100644
--- a/frida_mode/src/instrument/instrument.c
+++ b/frida_mode/src/instrument/instrument.c
@@ -149,7 +149,13 @@ static void instrument_basic_block(GumStalkerIterator *iterator,
 
     if (unlikely(begin)) {
 
-      prefetch_write(GSIZE_TO_POINTER(instr->address));
+      instrument_debug_start(instr->address, output);
+
+      if (likely(entry_reached)) {
+
+        prefetch_write(GSIZE_TO_POINTER(instr->address));
+
+      }
 
       if (likely(!excluded)) {
 
diff --git a/frida_mode/src/persistent/persistent.c b/frida_mode/src/persistent/persistent.c
index bcc59ea7..639a694e 100644
--- a/frida_mode/src/persistent/persistent.c
+++ b/frida_mode/src/persistent/persistent.c
@@ -5,7 +5,10 @@
 #include "config.h"
 #include "debug.h"
 
+#include "entry.h"
 #include "persistent.h"
+#include "ranges.h"
+#include "stalker.h"
 #include "util.h"
 
 int          __afl_sharedmem_fuzzing = 0;
@@ -83,3 +86,20 @@ void persistent_init(void) {
 
 }
 
+void persistent_prologue(GumStalkerOutput *output) {
+
+  OKF("AFL_FRIDA_PERSISTENT_ADDR reached");
+  entry_reached = TRUE;
+  ranges_exclude();
+  stalker_trust();
+  persistent_prologue_arch(output);
+
+}
+
+void persistent_epilogue(GumStalkerOutput *output) {
+
+  OKF("AFL_FRIDA_PERSISTENT_RET reached");
+  persistent_epilogue_arch(output);
+
+}
+
diff --git a/frida_mode/src/persistent/persistent_arm32.c b/frida_mode/src/persistent/persistent_arm32.c
index f12f1af8..769f1505 100644
--- a/frida_mode/src/persistent/persistent_arm32.c
+++ b/frida_mode/src/persistent/persistent_arm32.c
@@ -61,14 +61,14 @@ gboolean persistent_is_supported(void) {
 
 }
 
-void persistent_prologue(GumStalkerOutput *output) {
+void persistent_prologue_arch(GumStalkerOutput *output) {
 
   UNUSED_PARAMETER(output);
   FATAL("Persistent mode not supported on this architecture");
 
 }
 
-void persistent_epilogue(GumStalkerOutput *output) {
+void persistent_epilogue_arch(GumStalkerOutput *output) {
 
   UNUSED_PARAMETER(output);
   FATAL("Persistent mode not supported on this architecture");
diff --git a/frida_mode/src/persistent/persistent_arm64.c b/frida_mode/src/persistent/persistent_arm64.c
index 003f058a..4ab7b283 100644
--- a/frida_mode/src/persistent/persistent_arm64.c
+++ b/frida_mode/src/persistent/persistent_arm64.c
@@ -299,7 +299,7 @@ static void instrument_persitent_save_lr(GumArm64Writer *cw) {
 
 }
 
-void persistent_prologue(GumStalkerOutput *output) {
+void persistent_prologue_arch(GumStalkerOutput *output) {
 
   /*
    *  SAVE REGS
@@ -366,7 +366,7 @@ void persistent_prologue(GumStalkerOutput *output) {
 
 }
 
-void persistent_epilogue(GumStalkerOutput *output) {
+void persistent_epilogue_arch(GumStalkerOutput *output) {
 
   GumArm64Writer *cw = output->writer.arm64;
 
diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c
index b2186db1..ce3017e4 100644
--- a/frida_mode/src/persistent/persistent_x64.c
+++ b/frida_mode/src/persistent/persistent_x64.c
@@ -244,7 +244,7 @@ static void instrument_persitent_save_ret(GumX86Writer *cw) {
 
 }
 
-void persistent_prologue(GumStalkerOutput *output) {
+void persistent_prologue_arch(GumStalkerOutput *output) {
 
   /*
    *  SAVE REGS
@@ -313,7 +313,7 @@ void persistent_prologue(GumStalkerOutput *output) {
 
 }
 
-void persistent_epilogue(GumStalkerOutput *output) {
+void persistent_epilogue_arch(GumStalkerOutput *output) {
 
   GumX86Writer *cw = output->writer.x86;
 
diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c
index f50bccb0..cc1f1a4f 100644
--- a/frida_mode/src/persistent/persistent_x86.c
+++ b/frida_mode/src/persistent/persistent_x86.c
@@ -184,7 +184,7 @@ static void instrument_persitent_save_ret(GumX86Writer *cw) {
 
 }
 
-void persistent_prologue(GumStalkerOutput *output) {
+void persistent_prologue_arch(GumStalkerOutput *output) {
 
   /*
    *  SAVE REGS
@@ -251,7 +251,7 @@ void persistent_prologue(GumStalkerOutput *output) {
 
 }
 
-void persistent_epilogue(GumStalkerOutput *output) {
+void persistent_epilogue_arch(GumStalkerOutput *output) {
 
   GumX86Writer *cw = output->writer.x86;
 
diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c
index 98483cde..5df0386f 100644
--- a/frida_mode/src/stalker.c
+++ b/frida_mode/src/stalker.c
@@ -38,7 +38,7 @@ void stalker_init(void) {
   stalker = gum_stalker_new();
   if (stalker == NULL) { FATAL("Failed to initialize stalker"); }
 
-  gum_stalker_set_trust_threshold(stalker, 0);
+  gum_stalker_set_trust_threshold(stalker, -1);
 
   /* *NEVER* stalk the stalker, only bad things will ever come of this! */
   gum_process_enumerate_ranges(GUM_PAGE_EXECUTE, stalker_exclude_self, NULL);
@@ -59,3 +59,9 @@ void stalker_start(void) {
 
 }
 
+void stalker_trust(void) {
+
+  gum_stalker_set_trust_threshold(stalker, 0);
+
+}
+
diff --git a/frida_mode/src/stats/stats_x64.c b/frida_mode/src/stats/stats_x64.c
index 7c3a90d7..11464a2a 100644
--- a/frida_mode/src/stats/stats_x64.c
+++ b/frida_mode/src/stats/stats_x64.c
@@ -31,6 +31,9 @@ typedef struct {
 
   guint64 num_rip_relative;
 
+  guint64 num_rip_relative_type[X86_INS_ENDING];
+  char    name_rip_relative_type[X86_INS_ENDING][CS_MNEMONIC_SIZE];
+
 } stats_data_arch_t;
 
 gboolean stats_is_supported_arch(void) {
@@ -136,6 +139,18 @@ void stats_write_arch(void) {
               stats_data_arch->num_rip_relative,
               (stats_data_arch->num_rip_relative * 100 / num_instructions));
 
+  for (size_t i = 0; i < X86_INS_ENDING; i++) {
+
+    if (stats_data_arch->num_rip_relative_type[i] != 0) {
+
+      stats_print("                     %10d %s\n",
+                  stats_data_arch->num_rip_relative_type[i],
+                  stats_data_arch->name_rip_relative_type[i]);
+
+    }
+
+  }
+
   stats_print("\n");
   stats_print("\n");
 
@@ -256,6 +271,9 @@ static void stats_collect_rip_relative_arch(const cs_insn *instr) {
   if (rm != 5) { return; }
 
   stats_data_arch->num_rip_relative++;
+  stats_data_arch->num_rip_relative_type[instr->id]++;
+  memcpy(stats_data_arch->name_rip_relative_type[instr->id], instr->mnemonic,
+         CS_MNEMONIC_SIZE);
 
 }
 
diff --git a/frida_mode/test/jpeg/GNUmakefile b/frida_mode/test/jpeg/GNUmakefile
index 68469782..1c124743 100644
--- a/frida_mode/test/jpeg/GNUmakefile
+++ b/frida_mode/test/jpeg/GNUmakefile
@@ -2,7 +2,7 @@ PWD:=$(shell pwd)/
 ROOT:=$(shell realpath $(PWD)../../..)/
 BUILD_DIR:=$(PWD)build/
 
-AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so
+AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so
 
 LIBJPEG_BUILD_DIR:=$(BUILD_DIR)libjpeg/
 HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/
@@ -132,7 +132,7 @@ $(TEST_DATA_FILE): | $(TEST_DATA_DIR)
 clean:
 	rm -rf $(BUILD_DIR)
 
-frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE)
+frida: $(TEST_BIN) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE)
 	AFL_DEBUG_CHILD=1 \
 	AFL_DISABLE_TRIM=1 \
 	AFL_FRIDA_PERSISTENT_CNT=1000000 \
@@ -144,7 +144,7 @@ frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE)
 	AFL_SKIP_CPUFREQ=1 \
 	AFL_SKIP_CRASHES=1 \
 	AFL_TESTCACHE_SIZE=2 \
-	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
+	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \
 	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	$(ROOT)afl-fuzz \
diff --git a/frida_mode/test/libpcap/GNUmakefile b/frida_mode/test/libpcap/GNUmakefile
index 4d0bc4f1..f1ad06e4 100644
--- a/frida_mode/test/libpcap/GNUmakefile
+++ b/frida_mode/test/libpcap/GNUmakefile
@@ -2,7 +2,8 @@ PWD:=$(shell pwd)/
 ROOT:=$(shell realpath $(PWD)../../..)/
 BUILD_DIR:=$(PWD)build/
 
-AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so
+AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so
+AFLPP_QEMU_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/qemu_hook.so
 
 LIBPCAP_BUILD_DIR:=$(BUILD_DIR)libpcap/
 HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/
@@ -148,8 +149,8 @@ $(AFLPP_DRIVER_DUMMY_INPUT): | $(TCPDUMP_TESTS_DIR)
 clean:
 	rm -rf $(BUILD_DIR)
 
-qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR)
-	AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
+qemu: $(TEST_BIN) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR)
+	AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \
 	AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \
 	AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \
 	AFL_QEMU_PERSISTENT_GPR=1 \
@@ -162,8 +163,8 @@ qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDU
 		-- \
 			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
 
-frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR)
-	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
+frida: $(TEST_BIN) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT) | $(TCPDUMP_TESTS_DIR)
+	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \
 	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	$(ROOT)afl-fuzz \
diff --git a/frida_mode/test/png/GNUmakefile b/frida_mode/test/png/GNUmakefile
index fdb2c318..a1a7f1a5 100644
--- a/frida_mode/test/png/GNUmakefile
+++ b/frida_mode/test/png/GNUmakefile
@@ -112,3 +112,9 @@ frida: $(TEST_BIN)
 		-o $(FRIDA_OUT) \
 		-- \
 			$(TEST_BIN) @@
+
+debug:
+	gdb \
+		--ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
+		--ex 'set disassembly-flavor intel' \
+		--args $(TEST_BIN) $(TEST_DATA_DIR)basn0g01.png
diff --git a/frida_mode/test/png/Makefile b/frida_mode/test/png/Makefile
index 4bef1ccb..f843af19 100644
--- a/frida_mode/test/png/Makefile
+++ b/frida_mode/test/png/Makefile
@@ -14,3 +14,6 @@ qemu:
 
 frida:
 	@gmake frida
+
+debug:
+	@gmake debug
diff --git a/frida_mode/test/png/persistent/hook/GNUmakefile b/frida_mode/test/png/persistent/hook/GNUmakefile
index 8a1a9a60..ddf63a96 100644
--- a/frida_mode/test/png/persistent/hook/GNUmakefile
+++ b/frida_mode/test/png/persistent/hook/GNUmakefile
@@ -2,7 +2,8 @@ PWD:=$(shell pwd)/
 ROOT:=$(shell realpath $(PWD)../../../../..)/
 BUILD_DIR:=$(PWD)build/
 
-AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so
+AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so
+AFLPP_QEMU_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/qemu_hook.so
 
 CFLAGS+=-O3 \
 		-funroll-loops \
@@ -73,8 +74,8 @@ $(TEST_DATA_DIR): | $(BUILD_DIR)
 $(AFLPP_DRIVER_DUMMY_INPUT): | $(BUILD_DIR)
 	truncate -s 1M $@
 
-qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
-	AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
+qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
+	AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \
 	AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \
 	AFL_QEMU_PERSISTENT_GPR=1 \
 	$(ROOT)/afl-fuzz \
@@ -86,8 +87,8 @@ qemu: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
 		-- \
 			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
 
-qemu_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
-	AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
+qemu_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
+	AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \
 	AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \
 	AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \
 	AFL_QEMU_PERSISTENT_GPR=1 \
@@ -100,8 +101,8 @@ qemu_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
 		-- \
 			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
 
-frida: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
-	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
+frida: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
+	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \
 	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	$(ROOT)afl-fuzz \
 		-D \
@@ -113,8 +114,8 @@ frida: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
 			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
 
 
-frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
-	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
+frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
+	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \
 	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	$(ROOT)afl-fuzz \
@@ -126,7 +127,7 @@ frida_entry: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
 		-- \
 			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
 
-frida_js_load: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
+frida_js_load: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
 	AFL_PRELOAD=$(AFL_PRELOAD) \
 	AFL_FRIDA_JS_SCRIPT=load.js \
 	$(ROOT)afl-fuzz \
@@ -139,7 +140,7 @@ frida_js_load: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DI
 		-- \
 			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
 
-frida_js_cmodule: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
+frida_js_cmodule: $(AFLPP_DRIVER_DUMMY_INPUT) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) | $(BUILD_DIR)
 	AFL_PRELOAD=$(AFL_PRELOAD) \
 	AFL_FRIDA_JS_SCRIPT=cmodule.js \
 	$(ROOT)afl-fuzz \
@@ -155,7 +156,7 @@ debug: $(AFLPP_DRIVER_DUMMY_INPUT)
 	echo $(AFL_FRIDA_PERSISTENT_ADDR)
 	gdb \
 		--ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
-		--ex 'set environment AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ)' \
+		--ex 'set environment AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ)' \
 		--ex 'set environment AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR)' \
 		--ex 'set disassembly-flavor intel' \
 		--args $(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
diff --git a/frida_mode/test/png/persistent/hook/load.js b/frida_mode/test/png/persistent/hook/load.js
index ce4374ae..ea4d28c3 100644
--- a/frida_mode/test/png/persistent/hook/load.js
+++ b/frida_mode/test/png/persistent/hook/load.js
@@ -19,7 +19,7 @@ Afl.setPersistentAddress(persistent_addr);
 
 const path = Afl.module.path;
 const dir = path.substring(0, path.lastIndexOf("/"));
-const mod = Module.load(`${dir}/frida_mode/build/hook.so`);
+const mod = Module.load(`${dir}/frida_mode/build/frida_hook.so`);
 const hook = mod.getExportByName('afl_persistent_hook');
 Afl.setPersistentHook(hook);
 
diff --git a/frida_mode/test/proj4/GNUmakefile b/frida_mode/test/proj4/GNUmakefile
index 6ce03fd3..8555ebad 100644
--- a/frida_mode/test/proj4/GNUmakefile
+++ b/frida_mode/test/proj4/GNUmakefile
@@ -2,7 +2,7 @@ PWD:=$(shell pwd)/
 ROOT:=$(shell realpath $(PWD)../../..)/
 BUILD_DIR:=$(PWD)build/
 
-AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so
+AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so
 
 LIBPROJ4_BUILD_DIR:=$(BUILD_DIR)libproj4/
 HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/
@@ -132,7 +132,7 @@ $(TEST_DATA_FILE): | $(TEST_DATA_DIR)
 clean:
 	rm -rf $(BUILD_DIR)
 
-frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE)
+frida: $(TEST_BIN) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE)
 	AFL_DEBUG_CHILD=1 \
 	AFL_DISABLE_TRIM=1 \
 	AFL_FRIDA_PERSISTENT_CNT=1000000 \
@@ -144,7 +144,7 @@ frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE)
 	AFL_SKIP_CPUFREQ=1 \
 	AFL_SKIP_CRASHES=1 \
 	AFL_TESTCACHE_SIZE=2 \
-	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
+	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \
 	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	$(ROOT)afl-fuzz \
diff --git a/frida_mode/test/re2/GNUmakefile b/frida_mode/test/re2/GNUmakefile
index ab986190..ce95df3b 100644
--- a/frida_mode/test/re2/GNUmakefile
+++ b/frida_mode/test/re2/GNUmakefile
@@ -2,7 +2,8 @@ PWD:=$(shell pwd)/
 ROOT:=$(shell realpath $(PWD)../../..)/
 BUILD_DIR:=$(PWD)build/
 
-AFLPP_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/hook.so
+AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so
+AFLPP_QEMU_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/qemu_hook.so
 
 LIBRE2_BUILD_DIR:=$(BUILD_DIR)libre2/
 HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/
@@ -130,8 +131,8 @@ $(AFLPP_DRIVER_DUMMY_INPUT): | $(TEST_DATA_DIR)
 clean:
 	rm -rf $(BUILD_DIR)
 
-qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT)
-	AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
+qemu: $(TEST_BIN) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT)
+	AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \
 	AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \
 	AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \
 	AFL_QEMU_PERSISTENT_GPR=1 \
@@ -144,8 +145,8 @@ qemu: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT)
 		-- \
 			$(TEST_BIN) $(AFLPP_DRIVER_DUMMY_INPUT)
 
-frida: $(TEST_BIN) $(AFLPP_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT)
-	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_DRIVER_HOOK_OBJ) \
+frida: $(TEST_BIN) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_DRIVER_DUMMY_INPUT)
+	AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \
 	AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \
 	$(ROOT)afl-fuzz \
diff --git a/frida_mode/test/testinstr/GNUmakefile b/frida_mode/test/testinstr/GNUmakefile
index a35073ab..3701ddc8 100644
--- a/frida_mode/test/testinstr/GNUmakefile
+++ b/frida_mode/test/testinstr/GNUmakefile
@@ -52,6 +52,13 @@ frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
 		-- \
 			$(TESTINSTBIN) @@
 
+debug:
+	echo $(AFL_FRIDA_PERSISTENT_ADDR)
+	gdb \
+		--ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
+		--ex 'set disassembly-flavor intel' \
+		--args $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
+
 debug:
 	gdb \
 		--ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
-- 
cgit 1.4.1