From 682b4f6b8a0d3244775e1c32563031cbd9277e24 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 14 Mar 2018 16:32:35 +0100 Subject: added -E and -D switches, -S switch repeatable, dyninst version check --- README.txt | 36 +++++++++++++++++++++++------------- 1 file changed, 23 insertions(+), 13 deletions(-) (limited to 'README.txt') diff --git a/README.txt b/README.txt index b8a4b07..d9cb3f0 100644 --- a/README.txt +++ b/README.txt @@ -12,17 +12,20 @@ callback either at _init or at specified entry point. Commandline options ------------------- -Usage: ./afl-dyninst -i -o -l -e
-s - -i: Input binary - -o: Output binary - -l: Library to instrument (repeat for more than one) - -e: Entry point address to patch (required for stripped binaries) - -r: Runtime library to instrument (path to, repeat for more than one) - -s: Number of basic blocks to skip - -m: minimum size of a basic bock to instrument (default: 1) - -f: fix dyninst bug to sometimes not save edi/rdi register - -S: do not instrument this function (can be specified only once) - -v: Verbose output +Usage: ./afl-dyninst-dfvD -i -o -l -e
-E
-s -S -m + -i: input binary + -o: output binary + -d: do not instrument the binary, only supplied libraries + -l: linked library to instrument (repeat for more than one) + -r: runtime library to instrument (path to, repeat for more than one) + -e: entry point address to patch (required for stripped binaries) + -E: exit point - force exit(0) at this address (repeat for more than one) + -s: number of initial basic blocks to skip in binary + -m: minimum size of a basic bock to instrument (default: 1) + -f: try to fix a dyninst bug that leads to crashes + -S: do not instrument this function (repeat for more than one) + -D: instrument fork server and forced exit functions but no basic blocks + -v: verbose output Switch -l is used to supply the names of the libraries that should be instrumented along the binary. Instrumented libraries will be copied @@ -37,6 +40,9 @@ this option is required and is best set to the address of main which can easily be determined by disassembling the binary and looking for an argument to __libc_start_main. +Switch -E is used to specify addresses that should force a clean exit +when reached. This can speed up the fuzzing tremendously. + Switch -s instructs afl-dyninst to skip the first of basic blocks. Currently, it is used to work around a bug in Dyninst but doubles as an optimization option, as skipping the basic blocks @@ -58,8 +64,12 @@ uses the edi/rdi. However dyninst does not always saves and restores it when instrumenting that function leading to crashes and changed program behaviour when the register is used for function parameters. -Switch -S allows you to not instrument a specific function. -This options is mainly to hunt down bugs in dyninst. It can only be set once. +Switch -S allows you to not instrument specific functions. +This options is mainly to hunt down bugs in dyninst. + +Switch -D installs the afl fork server and forced exit functions but no +basic block instrumentation. That would serve no purpose - unless there is +another interesting tool coming up ... Compiling: -- cgit 1.4.1