From 820621baa27362efbee9be748f7a9c8f55bf7a54 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Thu, 12 Sep 2019 19:54:35 +0200 Subject: qemu mode readme update --- qemu_mode/README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'qemu_mode/README.md') diff --git a/qemu_mode/README.md b/qemu_mode/README.md index 610f6860..afa2595a 100644 --- a/qemu_mode/README.md +++ b/qemu_mode/README.md @@ -63,6 +63,19 @@ opened (e.g. way after command line parsing and config file loading, etc) which can be a huge speed improvement. Note that the specified address must be an address of a basic block. +QEMU mode support also persistent mode for x86 and x86_64 targets. +The environment variable to enable it is AFL_QEMU_PERSISTENT_ADDR=. +In this variable you must specify the address of the function that must be +the body of the persistent loop. +The return address on stack is patched like in WinAFL in order to repeat the +execution of such function. +Another modality to execute the persistent loop is to specify also the +AFL_QEMU_PERSISTENT_RET= env variable. +With this variable assigned, instead of patching the return address, the +specified instruction is transformed to a jump towards . + +Note that the base address of PIE binaries in QEMU user is 0x4000000000. + ## 4) Notes on linking The feature is supported only on Linux. Supporting BSD may amount to porting -- cgit 1.4.1 From 5d5ee85928fe710127a6341622f706e691daea08 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Thu, 12 Sep 2019 19:56:12 +0200 Subject: qemu mode readme update --- qemu_mode/README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'qemu_mode/README.md') diff --git a/qemu_mode/README.md b/qemu_mode/README.md index afa2595a..3b714a6a 100644 --- a/qemu_mode/README.md +++ b/qemu_mode/README.md 
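Review bot: the values the two new environment variables expect have been lost in this hunk: `AFL_QEMU_PERSISTENT_ADDR=.` and `a jump towards .` both end with nothing after the `=` and the `towards`, so a reader cannot tell what to supply (the angle-bracketed placeholders were presumably eaten by the markdown). Suggest writing the placeholders as inline code, e.g. `AFL_QEMU_PERSISTENT_ADDR=\`start addr\``, and stating the expected number format next to them. Two smaller points in the same paragraph: "QEMU mode support also persistent mode" should read "QEMU mode also supports persistent mode", and since the PIE base address `0x4000000000` is mentioned, it would help to say explicitly that for PIE targets the user has to add that base to the address taken from the binary.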
@@ -64,15 +64,16 @@ which can be a huge speed improvement. Note that the specified address must be an address of a basic block. QEMU mode support also persistent mode for x86 and x86_64 targets. -The environment variable to enable it is AFL_QEMU_PERSISTENT_ADDR=. +The environment variable to enable it is AFL_QEMU_PERSISTENT_ADDR=`start addr`. In this variable you must specify the address of the function that must be the body of the persistent loop. The return address on stack is patched like in WinAFL in order to repeat the execution of such function. Another modality to execute the persistent loop is to specify also the -AFL_QEMU_PERSISTENT_RET= env variable. +AFL_QEMU_PERSISTENT_RET=`end addr` env variable. With this variable assigned, instead of patching the return address, the -specified instruction is transformed to a jump towards . +specified instruction is transformed to a jump towards `start addr`. +Note that the format of the addresses in such variables is hex. Note that the base address of PIE binaries in QEMU user is 0x4000000000. -- cgit 1.4.1 From 9690bb4b9c8c051289dd805ecafefc42eaa4083b Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Thu, 12 Sep 2019 20:00:47 +0200 Subject: qemu mode readme update --- qemu_mode/README.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'qemu_mode/README.md') diff --git a/qemu_mode/README.md b/qemu_mode/README.md index 3b714a6a..212b31cd 100644 --- a/qemu_mode/README.md +++ b/qemu_mode/README.md 
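Review bot: "Note that the format of the addresses in such variables is hex." leaves open whether a `0x` prefix is required, accepted or rejected, while the example base address two lines below (`0x4000000000`) is written with the prefix; state the accepted form once, e.g. "hex, with or without the `0x` prefix", so users do not have to guess. The new `\`start addr\`` / `\`end addr\`` placeholders also make it worth saying that `AFL_QEMU_PERSISTENT_RET` must point to an instruction inside the function given by `AFL_QEMU_PERSISTENT_ADDR`, since the text only says "the specified instruction is transformed to a jump".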
@@ -65,8 +65,9 @@ must be an address of a basic block. QEMU mode support also persistent mode for x86 and x86_64 targets. The environment variable to enable it is AFL_QEMU_PERSISTENT_ADDR=`start addr`. -In this variable you must specify the address of the function that must be -the body of the persistent loop. +In this variable you must specify the address of the function that +have to be the body of the persistent loop. +The code in this function must be stateless like in the LLVM persistent mode. The return address on stack is patched like in WinAFL in order to repeat the execution of such function. Another modality to execute the persistent loop is to specify also the @@ -77,6 +78,10 @@ Note that the format of the addresses in such variables is hex. Note that the base address of PIE binaries in QEMU user is 0x4000000000. +Warning: in x86_64 parameters are passed via registers and so if the target +function of persistent mode cannot make use of arguments. An option to restore +the state of each GPR each iteration of the loop is planned. + ## 4) Notes on linking The feature is supported only on Linux. Supporting BSD may amount to porting -- cgit 1.4.1 From 924f3025f9e9bc062b80d4ca3a47d283267ba18c Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Thu, 12 Sep 2019 20:01:45 +0200 Subject: typo --- qemu_mode/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'qemu_mode/README.md') diff --git a/qemu_mode/README.md b/qemu_mode/README.md index 212b31cd..54fbf874 100644 --- a/qemu_mode/README.md +++ b/qemu_mode/README.md 
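Review bot: the first hunk introduces a grammar regression: "the address of the function that have to be the body of the persistent loop" should be "that has to be the body" (the previous wording "that must be the body" was correct). The added sentence "The code in this function must be stateless like in the LLVM persistent mode" is the right caveat, but it would be clearer to say what "stateless" means here, i.e. that global state and heap allocations made by one iteration are not reset before the next, exactly as with the LLVM persistent loop.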
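Review bot: in the second hunk the new warning has a dangling conditional: "and so if the target function of persistent mode cannot make use of arguments" has no consequence clause; drop the "if" so the sentence reads "and so the target function of persistent mode cannot make use of arguments". It would also help to give the reason that follows from the last sentence of the hunk: argument registers are not restored between iterations, so the second and later iterations see whatever the first iteration left in them. Readers may otherwise assume the restriction is about the calling convention itself rather than about missing register restoration.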
@@ -78,7 +78,7 @@ Note that the format of the addresses in such variables is hex. Note that the base address of PIE binaries in QEMU user is 0x4000000000. -Warning: in x86_64 parameters are passed via registers and so if the target +Warning: in x86_64 parameters are passed via registers and so the target function of persistent mode cannot make use of arguments. An option to restore the state of each GPR each iteration of the loop is planned. -- cgit 1.4.1
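Review bot: the dangling "if" is gone and the warning now parses, which is the only change in this hunk. One follow-up for the same paragraph: "parameters are passed via registers" is true of x86_64 only, so readers may infer that 32-bit x86 targets can use arguments freely; since the text does not say that the stack state is restored either, it would be safer to word the warning as applying to both supported targets until the planned GPR restore lands.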