The response has been limited to 50k tokens of the smallest files in the repo. You can remove this limitation by removing the max tokens filter. 
├── .clang-format
├── .custom-format.py
├── .dockerignore
├── .github
    ├── FUNDING.yml
    ├── ISSUE_TEMPLATE
    │   ├── bug_report.md
    │   └── feature_request.md
    └── workflows
    │   ├── ci.yml
    │   ├── code-format.yml
    │   ├── codeql-analysis.yml
    │   ├── container.yml
    │   └── rust_custom_mutator.yml
├── .gitignore
├── .gitmodules
├── Android.bp
├── CITATION.cff
├── CONTRIBUTING.md
├── Changelog.md
├── Dockerfile
├── GNUmakefile
├── GNUmakefile.gcc_plugin
├── GNUmakefile.llvm
├── LICENSE
├── Makefile
├── README.md
├── TODO.md
├── afl-addseeds
├── afl-cmin
├── afl-cmin.bash
├── afl-cmin.py
├── afl-persistent-config
├── afl-plot
├── afl-system-config
├── afl-whatsup
├── afl-wine-trace
├── benchmark
    ├── COMPARISON.md
    ├── README.md
    ├── benchmark-results.jsonl
    ├── benchmark.ipynb
    └── benchmark.py
├── config.h
├── coresight_mode
    ├── .gitignore
    ├── GNUmakefile
    ├── Makefile
    ├── README.md
    └── patches
    │   └── 0001-Add-AFL-forkserver.patch
├── custom_mutators
    ├── Android.bp
    ├── README.md
    ├── aflpp
    │   ├── Makefile
    │   ├── README.md
    │   ├── aflpp.c
    │   └── standalone
    │   │   ├── Makefile
    │   │   ├── README.md
    │   │   └── aflpp-standalone.c
    ├── aflpp_tritondse
    │   ├── README.md
    │   └── aflpp_tritondse.py
    ├── atnwalk
    │   ├── Makefile
    │   ├── README.md
    │   └── atnwalk.c
    ├── autotokens
    │   ├── Makefile
    │   ├── README
    │   ├── autotokens.cpp
    │   └── standalone
    │   │   ├── Makefile
    │   │   ├── README.md
    │   │   └── autotokens-standalone.c
    ├── custom_send_tcp
    │   ├── Makefile
    │   ├── README.md
    │   └── custom_send_tcp.c
    ├── examples
    │   ├── Makefile
    │   ├── README.md
    │   ├── XmlMutatorMin.py
    │   ├── common.py
    │   ├── custom_post_run.c
    │   ├── custom_send.c
    │   ├── elf_header_mutator.c
    │   ├── example.c
    │   ├── example.py
    │   ├── post_library_gif.so.c
    │   ├── post_library_png.so.c
    │   ├── simple-chunk-replace.py
    │   ├── simple_example.c
    │   └── wrapper_afl_min.py
    ├── gramatron
    │   ├── JSONC_VERSION
    │   ├── README.md
    │   ├── build_gramatron_mutator.sh
    │   ├── gramfuzz-helpers.c
    │   ├── gramfuzz-mutators.c
    │   ├── gramfuzz-util.c
    │   ├── gramfuzz.c
    │   ├── gramfuzz.h
    │   ├── grammars
    │   │   ├── js
    │   │   │   ├── source.json
    │   │   │   └── source_automata.json
    │   │   ├── php
    │   │   │   ├── source.json
    │   │   │   └── source_automata.json
    │   │   └── ruby
    │   │   │   ├── source.json
    │   │   │   └── source_automata.json
    │   ├── hashmap.c
    │   ├── hashmap.h
    │   ├── preprocess
    │   │   ├── construct_automata.py
    │   │   ├── gnf_converter.py
    │   │   └── prep_automaton.sh
    │   ├── test.c
    │   ├── test.h
    │   ├── utarray.h
    │   └── uthash.h
    ├── grammar_mutator
    │   ├── GRAMMAR_VERSION
    │   ├── README.md
    │   ├── build_grammar_mutator.sh
    │   └── update_grammar_ref.sh
    ├── honggfuzz
    │   ├── Makefile
    │   ├── README.md
    │   ├── honggfuzz.c
    │   ├── honggfuzz.h
    │   ├── input.h
    │   ├── libhfcommon
    │   │   ├── common.h
    │   │   ├── log.h
    │   │   └── util.h
    │   ├── mangle.c
    │   └── mangle.h
    ├── libafl_base
    │   ├── .gitignore
    │   ├── Cargo.toml
    │   ├── Makefile
    │   ├── README.md
    │   └── src
    │   │   └── lib.rs
    ├── libfuzzer
    │   ├── FuzzerBuiltins.h
    │   ├── FuzzerBuiltinsMsvc.h
    │   ├── FuzzerCommand.h
    │   ├── FuzzerCorpus.h
    │   ├── FuzzerCrossOver.cpp
    │   ├── FuzzerDataFlowTrace.cpp
    │   ├── FuzzerDataFlowTrace.h
    │   ├── FuzzerDefs.h
    │   ├── FuzzerDictionary.h
    │   ├── FuzzerDriver.cpp
    │   ├── FuzzerExtFunctions.def
    │   ├── FuzzerExtFunctions.h
    │   ├── FuzzerExtFunctionsDlsym.cpp
    │   ├── FuzzerExtFunctionsWeak.cpp
    │   ├── FuzzerExtFunctionsWindows.cpp
    │   ├── FuzzerExtraCounters.cpp
    │   ├── FuzzerFlags.def
    │   ├── FuzzerFork.cpp
    │   ├── FuzzerFork.h
    │   ├── FuzzerIO.cpp
    │   ├── FuzzerIO.h
    │   ├── FuzzerIOPosix.cpp
    │   ├── FuzzerIOWindows.cpp
    │   ├── FuzzerInterceptors.cpp
    │   ├── FuzzerInterface.h
    │   ├── FuzzerInternal.h
    │   ├── FuzzerLoop.cpp
    │   ├── FuzzerMain.cpp
    │   ├── FuzzerMerge.cpp
    │   ├── FuzzerMerge.h
    │   ├── FuzzerMutate.cpp
    │   ├── FuzzerMutate.h
    │   ├── FuzzerOptions.h
    │   ├── FuzzerPlatform.h
    │   ├── FuzzerRandom.h
    │   ├── FuzzerSHA1.cpp
    │   ├── FuzzerSHA1.h
    │   ├── FuzzerTracePC.cpp
    │   ├── FuzzerTracePC.h
    │   ├── FuzzerUtil.cpp
    │   ├── FuzzerUtil.h
    │   ├── FuzzerUtilDarwin.cpp
    │   ├── FuzzerUtilFuchsia.cpp
    │   ├── FuzzerUtilLinux.cpp
    │   ├── FuzzerUtilPosix.cpp
    │   ├── FuzzerUtilWindows.cpp
    │   ├── FuzzerValueBitMap.h
    │   ├── Makefile
    │   ├── README.md
    │   ├── libfuzzer.cpp
    │   └── libfuzzer.inc
    ├── libprotobuf-mutator-example
    │   ├── Android.bp
    │   ├── README.md
    │   ├── lpm_aflpp_custom_mutator_input.cc
    │   ├── lpm_aflpp_custom_mutator_input.h
    │   ├── test.proto
    │   └── vuln.c
    ├── radamsa
    │   ├── GNUmakefile
    │   ├── LICENSE
    │   ├── README.md
    │   ├── libradamsa-test.c
    │   ├── libradamsa.c
    │   ├── radamsa-mutator.c
    │   └── radamsa.h
    ├── rust
    │   ├── .gitignore
    │   ├── Cargo.toml
    │   ├── README.md
    │   ├── custom_mutator-sys
    │   │   ├── Cargo.toml
    │   │   ├── build.rs
    │   │   ├── src
    │   │   │   └── lib.rs
    │   │   └── wrapper.h
    │   ├── custom_mutator
    │   │   ├── Cargo.toml
    │   │   └── src
    │   │   │   └── lib.rs
    │   ├── example
    │   │   ├── Cargo.toml
    │   │   └── src
    │   │   │   └── example_mutator.rs
    │   ├── example_lain
    │   │   ├── Cargo.toml
    │   │   ├── rust-toolchain
    │   │   └── src
    │   │   │   └── lain_mutator.rs
    │   └── example_lain_post_process
    │   │   ├── Cargo.toml
    │   │   ├── rust-toolchain
    │   │   └── src
    │   │       └── lain_mutator.rs
    ├── symcc
    │   ├── Makefile
    │   ├── README.md
    │   ├── symcc.c
    │   └── test_examples
    │   │   ├── file_test.c
    │   │   └── stdin_test.c
    └── symqemu
    │   ├── Makefile
    │   ├── README.md
    │   └── symqemu.c
├── dictionaries
    ├── README.md
    ├── aff.dict
    ├── ass.dict
    ├── atom.dict
    ├── av1_dc.dict
    ├── bash.dict
    ├── bdf.dict
    ├── bmp.dict
    ├── bz2.dict
    ├── creole.dict
    ├── css.dict
    ├── csv.dict
    ├── dds.dict
    ├── djvu.dict
    ├── docommand.dict
    ├── exif.dict
    ├── fbs.dict
    ├── ftp.dict
    ├── gif.dict
    ├── graphviz.dict
    ├── heif.dict
    ├── hoextdown.dict
    ├── html_tags.dict
    ├── http.dict
    ├── icc.dict
    ├── iccprofile.dict
    ├── icns.dict
    ├── initfile.dict
    ├── jbig2.dict
    ├── jpeg.dict
    ├── jpeg2000.dict
    ├── js.dict
    ├── json.dict
    ├── jsonnet.dict
    ├── jsonschema.dict
    ├── markdown.dict
    ├── math.dict
    ├── mathml.dict
    ├── mp4.dict
    ├── mysqld.dict
    ├── ogg.dict
    ├── openexr.dict
    ├── otf.dict
    ├── pbm.dict
    ├── pcap.dict
    ├── pdf.dict
    ├── perl.dict
    ├── png.dict
    ├── proj4.dict
    ├── protobuf.dict
    ├── ps.dict
    ├── psd.dict
    ├── regexp.dict
    ├── riff.dict
    ├── rss.dict
    ├── rst.dict
    ├── rtf.dict
    ├── ruby.dict
    ├── sas.dict
    ├── spss.dict
    ├── sql.dict
    ├── stata.dict
    ├── svg.dict
    ├── tex.dict
    ├── theme-load-fuzz.dict
    ├── tiff.dict
    ├── tokener_parse_ex.dict
    ├── toml.dict
    ├── type42.dict
    ├── url.dict
    ├── utf8.dict
    ├── vcf.dict
    ├── vhd.dict
    ├── vpx_dec.dict
    ├── wav.dict
    ├── webm.dict
    ├── webp.dict
    ├── wkt.dict
    ├── x86.dict
    ├── xml.dict
    ├── xml_UTF_16.dict
    ├── xml_UTF_16BE.dict
    ├── xml_UTF_16LE.dict
    ├── xpath.dict
    ├── xslt.dict
    ├── yaml.dict
    ├── yara.dict
    └── zip.dict
├── docs
    ├── COPYING
    ├── Changelog.md
    ├── FAQ.md
    ├── INSTALL.md
    ├── README.md
    ├── SAND.md
    ├── afl-fuzz_approach.md
    ├── best_practices.md
    ├── custom_mutators.md
    ├── env_variables.md
    ├── features.md
    ├── fuzzing_binary-only_targets.md
    ├── fuzzing_in_depth.md
    ├── ideas.md
    ├── important_changes.md
    ├── resources
    │   ├── 0_fuzzing_process_overview.drawio.svg
    │   ├── 1_instrument_target.drawio.svg
    │   ├── 2_prepare_campaign.drawio.svg
    │   ├── 3_fuzz_target.drawio.svg
    │   ├── 4_manage_campaign.drawio.svg
    │   ├── afl_gzip.png
    │   ├── grafana-afl++.json
    │   ├── screenshot.png
    │   └── statsd-grafana.png
    ├── rpc_statsd.md
    ├── third_party_tools.md
    └── tutorials.md
├── dynamic_list.txt
├── entitlements.plist
├── frida_mode
    ├── .gitignore
    ├── DEBUGGING.md
    ├── GNUmakefile
    ├── Makefile
    ├── MapDensity.md
    ├── README.md
    ├── Scripting.md
    ├── addr
    │   └── addr.c
    ├── frida.map
    ├── hook
    │   ├── frida_hook.c
    │   └── qemu_hook.c
    ├── include
    │   ├── asan.h
    │   ├── ctx.h
    │   ├── entry.h
    │   ├── frida_cmplog.h
    │   ├── instrument.h
    │   ├── intercept.h
    │   ├── js.h
    │   ├── lib.h
    │   ├── module.h
    │   ├── output.h
    │   ├── persistent.h
    │   ├── prefetch.h
    │   ├── ranges.h
    │   ├── seccomp.h
    │   ├── shm.h
    │   ├── stalker.h
    │   ├── stats.h
    │   └── util.h
    ├── many-linux
    │   ├── Dockerfile
    │   ├── GNUmakefile
    │   ├── Makefile
    │   └── README.md
    ├── src
    │   ├── asan
    │   │   ├── asan.c
    │   │   ├── asan_arm32.c
    │   │   ├── asan_arm64.c
    │   │   ├── asan_x64.c
    │   │   └── asan_x86.c
    │   ├── cmplog
    │   │   ├── cmplog.c
    │   │   ├── cmplog_arm32.c
    │   │   ├── cmplog_arm64.c
    │   │   ├── cmplog_x64.c
    │   │   └── cmplog_x86.c
    │   ├── ctx
    │   │   ├── ctx_arm32.c
    │   │   ├── ctx_arm64.c
    │   │   ├── ctx_x64.c
    │   │   └── ctx_x86.c
    │   ├── entry.c
    │   ├── instrument
    │   │   ├── instrument.c
    │   │   ├── instrument_arm32.c
    │   │   ├── instrument_arm64.c
    │   │   ├── instrument_coverage.c
    │   │   ├── instrument_debug.c
    │   │   ├── instrument_x64.c
    │   │   ├── instrument_x64_cache.c
    │   │   └── instrument_x86.c
    │   ├── intercept.c
    │   ├── js
    │   │   ├── api.js
    │   │   ├── js.c
    │   │   └── js_api.c
    │   ├── lib
    │   │   ├── lib.c
    │   │   └── lib_apple.c
    │   ├── main.c
    │   ├── module.c
    │   ├── output.c
    │   ├── persistent
    │   │   ├── persistent.c
    │   │   ├── persistent_arm32.c
    │   │   ├── persistent_arm64.c
    │   │   ├── persistent_x64.c
    │   │   └── persistent_x86.c
    │   ├── prefetch.c
    │   ├── ranges.c
    │   ├── seccomp
    │   │   ├── seccomp.c
    │   │   ├── seccomp_atomic.c
    │   │   ├── seccomp_callback.c
    │   │   ├── seccomp_child.c
    │   │   ├── seccomp_event.c
    │   │   ├── seccomp_filter.c
    │   │   ├── seccomp_print.c
    │   │   ├── seccomp_socket.c
    │   │   └── seccomp_syscall.c
    │   ├── shm.c
    │   ├── stalker.c
    │   ├── stats
    │   │   ├── stats.c
    │   │   ├── stats_arm32.c
    │   │   ├── stats_arm64.c
    │   │   └── stats_x86_64.c
    │   └── util.c
    ├── test
    │   ├── bloaty
    │   │   ├── GNUmakefile
    │   │   └── Makefile
    │   ├── cache
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   └── cache.c
    │   ├── cmov
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   └── cmov.c
    │   ├── cmplog
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   ├── cmplog.c
    │   │   └── get_section_addrs.py
    │   ├── deferred
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   └── testinstr.c
    │   ├── dynamic
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   ├── testinstr.c
    │   │   └── testinstrlib.c
    │   ├── entry_point
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   └── testinstr.c
    │   ├── exe
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   └── testinstr.c
    │   ├── fasan
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   └── test.c
    │   ├── freetype2
    │   │   ├── GNUmakefile
    │   │   └── Makefile
    │   ├── jpeg
    │   │   ├── GNUmakefile
    │   │   └── Makefile
    │   ├── js
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   ├── entry.js
    │   │   ├── fuzz.js
    │   │   ├── main.js
    │   │   ├── patch.js
    │   │   ├── replace.js
    │   │   ├── stalker.js
    │   │   ├── test.c
    │   │   └── test2.c
    │   ├── libpcap
    │   │   ├── GNUmakefile
    │   │   └── Makefile
    │   ├── libxml
    │   │   ├── GNUmakefile
    │   │   └── Makefile
    │   ├── libxslt
    │   │   ├── GNUmakefile
    │   │   └── Makefile
    │   ├── osx-lib
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   ├── harness.c
    │   │   ├── harness2.c
    │   │   ├── harness3.c
    │   │   ├── lib.c
    │   │   └── lib2.c
    │   ├── output
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   ├── frida_stderr.txt
    │   │   ├── frida_stdout.txt
    │   │   └── testinstr.c
    │   ├── perf
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   └── perf.c
    │   ├── persistent_ret
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   ├── test.js
    │   │   └── testinstr.c
    │   ├── png
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   └── persistent
    │   │   │   ├── GNUmakefile
    │   │   │   ├── Makefile
    │   │   │   └── hook
    │   │   │       ├── GNUmakefile
    │   │   │       ├── Makefile
    │   │   │       ├── cmodule.js
    │   │   │       └── load.js
    │   ├── proj4
    │   │   ├── GNUmakefile
    │   │   └── Makefile
    │   ├── python
    │   │   ├── GNUmakefile
    │   │   └── Makefile
    │   ├── re2
    │   │   ├── GNUmakefile
    │   │   └── Makefile
    │   ├── sqlite
    │   │   ├── GNUmakefile
    │   │   └── Makefile
    │   ├── testinstr
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   └── testinstr.c
    │   ├── unstable
    │   │   ├── GNUmakefile
    │   │   ├── Makefile
    │   │   └── unstable.c
    │   └── vorbis
    │   │   ├── GNUmakefile
    │   │   └── Makefile
    ├── ts
    │   ├── lib
    │   │   └── afl.ts
    │   ├── package-lock.json
    │   ├── package.json
    │   ├── tsconfig.json
    │   └── tslint.json
    ├── ub1804
    │   ├── Dockerfile
    │   ├── GNUmakefile
    │   └── Makefile
    ├── update_frida_version.sh
    └── util
    │   ├── bin2c.c
    │   └── frida_get_symbol_addr.sh
├── include
    ├── afl-fuzz.h
    ├── afl-mutations.h
    ├── afl-persistent-replay.h
    ├── afl-prealloc.h
    ├── afl-record-compat.h
    ├── alloc-inl.h
    ├── android-ashmem.h
    ├── asanfuzz.h
    ├── cmplog.h
    ├── common.h
    ├── config.h
    ├── coverage-32.h
    ├── coverage-64.h
    ├── debug.h
    ├── envs.h
    ├── forkserver.h
    ├── hash.h
    ├── list.h
    ├── sharedmem.h
    ├── snapshot-inl.h
    ├── t1ha.h
    ├── t1ha0_ia32aes_b.h
    ├── t1ha_bits.h
    ├── t1ha_selfcheck.h
    ├── types.h
    └── xxhash.h
├── injections.dic
├── instrumentation
    ├── Makefile
    ├── README.cmplog.md
    ├── README.gcc_plugin.md
    ├── README.injections.md
    ├── README.instrument_list.md
    ├── README.laf-intel.md
    ├── README.llvm.md
    ├── README.lto.md
    ├── README.persistent_mode.md
    ├── SanitizerCoverageLTO.so.cc
    ├── SanitizerCoveragePCGUARD.so.cc
    ├── afl-compiler-rt.o.c
    ├── afl-gcc-cmplog-pass.so.cc
    ├── afl-gcc-cmptrs-pass.so.cc
    ├── afl-gcc-common.h
    ├── afl-gcc-pass.so.cc
    ├── afl-llvm-common.cc
    ├── afl-llvm-common.h
    ├── afl-llvm-dict2file.so.cc
    ├── afl-llvm-lto-instrumentlist.so.cc
    ├── afl-llvm-pass.so.cc
    ├── afl-llvm-rt-lto.o.c
    ├── cmplog-instructions-pass.cc
    ├── cmplog-routines-pass.cc
    ├── cmplog-switches-pass.cc
    ├── compare-transform-pass.so.cc
    ├── gcc_plugin.COPYING3
    ├── injection-pass.cc
    ├── llvm-alternative-coverage.h
    ├── split-compares-pass.so.cc
    └── split-switches-pass.so.cc
├── nyx_mode
    ├── LIBNYX_VERSION
    ├── PACKER_VERSION
    ├── QEMU_NYX_VERSION
    ├── README.md
    ├── build_nyx_support.sh
    ├── custom_harness
    │   ├── example.c
    │   ├── fuzz.sh
    │   └── fuzz_no_pt.sh
    └── update_ref.sh
├── qemu_mode
    ├── QEMUAFL_VERSION
    ├── README.deferred_initialization_example.md
    ├── README.md
    ├── README.persistent.md
    ├── README.wine.md
    ├── build_qemu_support.sh
    ├── fastexit
    │   ├── Makefile
    │   ├── README.md
    │   └── fastexit.c
    ├── hooking_bridge
    │   ├── Makefile
    │   ├── README.md
    │   ├── inc
    │   │   ├── common.h
    │   │   └── exports.h
    │   └── src
    │   │   ├── main.c
    │   │   └── patching.c
    ├── libcompcov
    │   ├── Makefile
    │   ├── README.md
    │   ├── compcovtest.cc
    │   ├── libcompcov.so.c
    │   └── pmparser.h
    ├── libqasan
    │   ├── Makefile
    │   ├── README.md
    │   ├── dlmalloc.c
    │   ├── hooks.c
    │   ├── libqasan.c
    │   ├── libqasan.h
    │   ├── malloc.c
    │   ├── map_macro.h
    │   ├── patch.c
    │   ├── string.c
    │   └── uninstrument.c
    ├── unsigaction
    │   ├── Makefile
    │   ├── README.md
    │   └── unsigaction.c
    ├── update_ref.sh
    └── util
    │   └── qemu_get_symbol_addr.sh
├── src
    ├── README.md
    ├── afl-analyze.c
    ├── afl-cc.c
    ├── afl-common.c
    ├── afl-forkserver.c
    ├── afl-fuzz-bitmap.c
    ├── afl-fuzz-cmplog.c
    ├── afl-fuzz-extras.c
    ├── afl-fuzz-init.c
    ├── afl-fuzz-mutators.c
    ├── afl-fuzz-one.c
    ├── afl-fuzz-python.c
    ├── afl-fuzz-queue.c
    ├── afl-fuzz-redqueen.c
    ├── afl-fuzz-run.c
    ├── afl-fuzz-sanfuzz.c
    ├── afl-fuzz-skipdet.c
    ├── afl-fuzz-state.c
    ├── afl-fuzz-stats.c
    ├── afl-fuzz-statsd.c
    ├── afl-fuzz.c
    ├── afl-gotcpu.c
    ├── afl-ld-lto.c
    ├── afl-performance.c
    ├── afl-sharedmem.c
    ├── afl-showmap.c
    ├── afl-tmin.c
    └── hashmap.c
├── test-instr.c
├── test
    ├── checkcommit.sh
    ├── test-all.sh
    ├── test-basic.sh
    ├── test-cmplog.c
    ├── test-compcov.c
    ├── test-compilers.sh
    ├── test-custom-mutator.c
    ├── test-custom-mutators.sh
    ├── test-dlopen.c
    ├── test-floatingpoint.c
    ├── test-fpExtra.sh
    ├── test-fp_Infcases.c
    ├── test-fp_NaNcases.c
    ├── test-fp_cases.c
    ├── test-fp_minusZerocases.c
    ├── test-frida-mode.sh
    ├── test-gcc-plugin.sh
    ├── test-int_cases.c
    ├── test-libextensions.sh
    ├── test-llvm-lto.sh
    ├── test-llvm.sh
    ├── test-multiple-mutators.c
    ├── test-nyx-mode.sh
    ├── test-performance.sh
    ├── test-post.sh
    ├── test-pre.sh
    ├── test-qemu-mode.sh
    ├── test-uint_cases.c
    ├── test-unicorn-mode.sh
    ├── test-unittests.sh
    ├── test-unsigaction.c
    └── unittests
    │   ├── unit_hash.c
    │   ├── unit_list.c
    │   ├── unit_maybe_alloc.c
    │   ├── unit_preallocable.c
    │   └── unit_rand.c
├── testcases
    ├── README.md
    ├── archives
    │   ├── common
    │   │   ├── ar
    │   │   │   └── small_archive.a
    │   │   ├── bzip2
    │   │   │   └── small_archive.bz2
    │   │   ├── cab
    │   │   │   └── small_archive.cab
    │   │   ├── compress
    │   │   │   └── small_archive.Z
    │   │   ├── cpio
    │   │   │   └── small_archive.cpio
    │   │   ├── gzip
    │   │   │   └── small_archive.gz
    │   │   ├── lzo
    │   │   │   └── small_archive.lzo
    │   │   ├── rar
    │   │   │   └── small_archive.rar
    │   │   ├── tar
    │   │   │   └── small_archive.tar
    │   │   ├── xz
    │   │   │   └── small_archive.xz
    │   │   └── zip
    │   │   │   └── small_archive.zip
    │   └── exotic
    │   │   ├── arj
    │   │       └── small_archive.arj
    │   │   ├── lha
    │   │       └── small_archive.lha
    │   │   ├── lrzip
    │   │       └── small_archive.lrz
    │   │   ├── lzip
    │   │       └── small_archive.lz
    │   │   ├── lzma
    │   │       └── small_archive.lzma
    │   │   ├── rzip
    │   │       └── small_archive.rz
    │   │   └── zoo
    │   │       └── small_archive.zoo
    ├── images
    │   ├── bmp
    │   │   └── not_kitty.bmp
    │   ├── gif
    │   │   └── not_kitty.gif
    │   ├── ico
    │   │   └── not_kitty.ico
    │   ├── jp2
    │   │   └── not_kitty.jp2
    │   ├── jpeg
    │   │   └── not_kitty.jpg
    │   ├── jxr
    │   │   └── not_kitty.jxr
    │   ├── png
    │   │   ├── not_kitty.png
    │   │   ├── not_kitty_alpha.png
    │   │   ├── not_kitty_gamma.png
    │   │   └── not_kitty_icc.png
    │   ├── tiff
    │   │   └── not_kitty.tiff
    │   └── webp
    │   │   └── not_kitty.webp
    ├── multimedia
    │   └── h264
    │   │   └── small_movie.mp4
    └── others
    │   ├── elf
    │       └── small_exec.elf
    │   ├── js
    │       └── small_script.js
    │   ├── pcap
    │       └── small_capture.pcap
    │   ├── pdf
    │       └── small.pdf
    │   ├── rtf
    │       └── small_document.rtf
    │   ├── sql
    │       └── simple_queries.sql
    │   ├── text
    │       └── hello_world.txt
    │   └── xml
    │       └── small_document.xml
├── types.h
├── unicorn_mode
    ├── README.md
    ├── UNICORNAFL_VERSION
    ├── build_unicorn_support.sh
    ├── helper_scripts
    │   ├── ida_context_loader.py
    │   ├── unicorn_dumper_gdb.py
    │   ├── unicorn_dumper_ida.py
    │   ├── unicorn_dumper_lldb.py
    │   ├── unicorn_dumper_pwndbg.py
    │   └── unicorn_loader.py
    ├── samples
    │   ├── c
    │   │   ├── .gitignore
    │   │   ├── COMPILE.md
    │   │   ├── Makefile
    │   │   ├── harness.c
    │   │   ├── persistent_target.c
    │   │   ├── persistent_target_x86_64
    │   │   ├── sample_all.sh
    │   │   ├── sample_inputs
    │   │   │   ├── sample1.bin
    │   │   │   ├── sample2.bin
    │   │   │   ├── sample3.bin
    │   │   │   ├── sample4.bin
    │   │   │   └── sample5.bin
    │   │   └── simple_target_x86_64
    │   ├── compcov_x64
    │   │   ├── COMPILE.md
    │   │   ├── compcov_target.bin
    │   │   ├── compcov_target.c
    │   │   ├── compcov_target.elf
    │   │   ├── compcov_test_harness.py
    │   │   └── sample_inputs
    │   │   │   └── sample1.bin
    │   ├── persistent
    │   │   ├── .gitignore
    │   │   ├── COMPILE.md
    │   │   ├── Makefile
    │   │   ├── harness.c
    │   │   ├── persistent_target
    │   │   ├── persistent_target.c
    │   │   ├── persistent_target_x86_64
    │   │   ├── sample_all.sh
    │   │   ├── sample_inputs
    │   │   │   ├── sample1.bin
    │   │   │   ├── sample2.bin
    │   │   │   ├── sample3.bin
    │   │   │   ├── sample4.bin
    │   │   │   └── sample5.bin
    │   │   ├── simple_target_noncrashing.c
    │   │   └── simple_target_x86_64
    │   ├── python_simple
    │   │   ├── COMPILE.md
    │   │   ├── sample_inputs
    │   │   │   ├── sample1.bin
    │   │   │   ├── sample2.bin
    │   │   │   ├── sample3.bin
    │   │   │   ├── sample4.bin
    │   │   │   └── sample5.bin
    │   │   ├── simple_target.bin
    │   │   ├── simple_target.c
    │   │   ├── simple_test_harness.py
    │   │   └── simple_test_harness_alt.py
    │   └── speedtest
    │   │   ├── .gitignore
    │   │   ├── Makefile
    │   │   ├── README.md
    │   │   ├── c
    │   │       ├── Makefile
    │   │       └── harness.c
    │   │   ├── get_offsets.py
    │   │   ├── python
    │   │       ├── Makefile
    │   │       └── harness.py
    │   │   ├── rust
    │   │       ├── .gitignore
    │   │       ├── Cargo.toml
    │   │       ├── Makefile
    │   │       └── src
    │   │       │   └── main.rs
    │   │   ├── sample_inputs
    │   │       └── a
    │   │   └── target.c
    └── update_uc_ref.sh
└── utils
    ├── README.md
    ├── afl_network_proxy
        ├── GNUmakefile
        ├── Makefile
        ├── README.md
        ├── afl-network-client.c
        └── afl-network-server.c
    ├── afl_proxy
        ├── Makefile
        ├── README.md
        └── afl-proxy.c
    ├── afl_untracer
        ├── Makefile
        ├── README.md
        ├── TODO
        ├── afl-untracer.c
        ├── ghidra_get_patchpoints.java
        ├── ida_get_patchpoints.py
        ├── libtestinstr.c
        └── patches.txt
    ├── aflpp_driver
        ├── GNUmakefile
        ├── Makefile
        ├── README.md
        ├── aflpp_driver.c
        ├── aflpp_driver_test.c
        ├── aflpp_qemu_driver.c
        └── aflpp_qemu_driver_hook.c
    ├── analysis_scripts
        └── queue2csv.sh
    ├── argv_fuzzing
        ├── Makefile
        ├── README.md
        ├── argv-fuzz-inl.h
        ├── argv_fuzz_demo.c
        ├── argv_fuzz_persistent_demo.c
        └── argvfuzz.c
    ├── asan_cgroups
        └── limit_memory.sh
    ├── autodict_ql
        ├── autodict-ql.py
        ├── build-codeql.sh
        ├── litan.py
        ├── litool.ql
        ├── memcmp-str.ql
        ├── memcmp-strings.py
        ├── qlpack.yml
        ├── readme.md
        ├── stan-strings.py
        ├── strcmp-str.ql
        ├── strcmp-strings.py
        ├── strncmp-str.ql
        ├── strncmp-strings.py
        └── strtool.ql
    ├── bash_shellshock
        └── shellshock-fuzz.diff
    ├── bench
        ├── Makefile
        ├── README.md
        └── hash.c
    ├── canvas_harness
        └── canvas_harness.html
    ├── clang_asm_normalize
        └── as
    ├── crash_triage
        └── triage_crashes.sh
    ├── defork
        ├── Makefile
        ├── README.md
        ├── defork.c
        └── forking_target.c
    ├── distributed_fuzzing
        └── sync_script.sh
    ├── dynamic_covfilter
        ├── README.md
        └── make_symbol_list.py
    ├── libaflppdesock
        ├── Makefile
        ├── README.md
        └── libaflppdesock.c
    ├── libdislocator
        ├── Makefile
        ├── README.md
        └── libdislocator.so.c
    ├── libpng_no_checksum
        └── libpng-nocrc.patch
    ├── libtokencap
        ├── Makefile
        ├── README.md
        ├── generate_libtoken_dict.sh
        └── libtokencap.so.c
    ├── mutation_chain
        └── mutation_chain.py
    ├── persistent_mode
        ├── Makefile
        ├── persistent_demo.c
        ├── persistent_demo_new.c
        └── test-instr.c
    ├── plot_ui
        ├── Makefile
        ├── README.md
        └── afl-plot-ui.c
    ├── qbdi_mode
        ├── README.md
        ├── assets
        │   └── screen1.png
        ├── build.sh
        ├── demo-so.c
        └── template.cpp
    ├── qemu_persistent_hook
        ├── Makefile
        ├── README.md
        ├── mipsel_read_into_a0.c
        ├── read_into_rdi.c
        └── test.c
    ├── replay_record
        ├── Makefile
        ├── README.md
        └── persistent_demo_replay.c
    ├── socket_fuzzing
        ├── Makefile
        ├── README.md
        └── socketfuzz.c
    └── target_intelligence
        └── README.md


/.github/FUNDING.yml:
--------------------------------------------------------------------------------
 1 | # These are supported funding model platforms
 2 | 
 3 | # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
 4 | github: AFLplusplus
 5 | patreon: # Replace with a single Patreon username
 6 | open_collective: AFLplusplusEU
 7 | ko_fi: # Replace with a single Ko-fi username
 8 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
 9 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
10 | liberapay: # Replace with a single Liberapay username
11 | issuehunt: # Replace with a single IssueHunt username
12 | otechie: # Replace with a single Otechie username
13 | custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
14 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Bug report
 3 | about: Create a report to help us improve
 4 | title: ''
 5 | labels: ''
 6 | assignees: ''
 7 | 
 8 | ---
 9 | 
10 | **IMPORTANT**
11 | 1. You have verified that the issue to be present in the current `dev` branch.
12 | 2. Please supply the command line options and relevant environment variables,
13 |    e.g., a copy-paste of the contents of `out/default/fuzzer_setup`.
14 | 
15 | Thank you for making AFL++ better!
16 | 
17 | **Describe the bug**
18 | A clear and concise description of what the bug is.
19 | 
20 | **To Reproduce**
21 | Steps to reproduce the behavior:
22 | 1. ...
23 | 2. ...
24 | 
25 | **Expected behavior**
26 | A clear and concise description of what you expected to happen.
27 | 
28 | **Screen output/Screenshots**
29 | If applicable, add copy-paste of the screen output or screenshot that shows the issue. Please ensure the output is in **English** and not in Chinese, Russian, German, etc.
30 | 
31 | **Additional context**
32 | Add any other context about the problem here.
33 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Feature request
 3 | about: Suggest an idea for this project
 4 | title: ''
 5 | labels: ''
 6 | assignees: ''
 7 | 
 8 | ---
 9 | 
10 | **Is your feature request related to a problem? Please describe.**
11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
12 | 
13 | **Describe the solution you'd like**
14 | A clear and concise description of what you want to happen.
15 | 
16 | **Describe alternatives you've considered**
17 | A clear and concise description of any alternative solutions or features you've considered.
18 | 
19 | **Additional context**
20 | Add any other context or screenshots about the feature request here.
21 | 


--------------------------------------------------------------------------------
/.github/workflows/code-format.yml:
--------------------------------------------------------------------------------
 1 | name: Formatting
 2 | 
 3 | on:
 4 |   push:
 5 |     branches:
 6 |       - stable
 7 |       - dev
 8 |   pull_request:
 9 |     branches:
10 |       - dev # No need for stable-pull-request, as that equals dev-push
11 | 
12 | concurrency:
13 |   group: ${{ github.workflow }}-${{ github.ref }}
14 |   cancel-in-progress: true
15 | 
16 | jobs:
17 |   code-format-check:
18 |     name: Check code format
19 |     if: ${{ 'false' == 'true' }} # Disable the job
20 |     runs-on: ubuntu-22.04
21 |     container: docker.io/aflplusplus/aflplusplus:dev
22 |     steps:
23 |       - name: Checkout
24 |         uses: actions/checkout@v3
25 |       - name: Format
26 |         run: |
27 |           git config --global --add safe.directory /__w/AFLplusplus/AFLplusplus
28 |           apt-get update
29 |           apt-get install -y clang-format-${LLVM_VERSION}
30 |           make code-format
31 |       - name: Check if code needed formatting
32 |         run: |
33 |           git --no-pager -c color.ui=always diff HEAD
34 |           if ! git diff HEAD --quiet; then
35 |             echo "[!] Please run 'make code-format' and push its changes."
36 |             exit 1
37 |           fi
38 | 


--------------------------------------------------------------------------------
/.github/workflows/codeql-analysis.yml:
--------------------------------------------------------------------------------
 1 | name: "CodeQL"
 2 | 
 3 | on:
 4 |   push:
 5 |     branches:
 6 |       - stable
 7 |       - dev
 8 |   pull_request:
 9 |     branches:
10 |       - dev # No need for stable-pull-request, as that equals dev-push
11 | 
12 | concurrency:
13 |   group: ${{ github.workflow }}-${{ github.ref }}
14 |   cancel-in-progress: true
15 | 
16 | jobs:
17 |   analyze:
18 |     name: Analyze
19 |     runs-on: ubuntu-latest
20 |     container: # We use a previous image as it's expected to have all the dependencies
21 |       image: docker.io/aflplusplus/aflplusplus:dev
22 |     steps:
23 |       - name: Fix for using external repo in container build # https://github.com/actions/checkout/issues/760
24 |         run: git config --global --add safe.directory /__w/AFLplusplus/AFLplusplus
25 |       - name: Checkout
26 |         uses: actions/checkout@v3
27 |       - name: Initialize CodeQL
28 |         uses: github/codeql-action/init@v2
29 |         with:
30 |           languages: cpp, python
31 |       - name: Build AFLplusplus # Rebuild because CodeQL needs to monitor the build process
32 |         env:
33 |           CC: gcc # These are symlinked to the version used in the container build
34 |           CXX: g++
35 |         run: make -i all # Best effort using -i
36 |       - name: Perform CodeQL Analysis
37 |         uses: github/codeql-action/analyze@v2
38 | 


--------------------------------------------------------------------------------
/.github/workflows/rust_custom_mutator.yml:
--------------------------------------------------------------------------------
 1 | name: Rust Custom Mutators
 2 | 
 3 | on:
 4 |   push:
 5 |     branches:
 6 |       - stable
 7 |       - dev
 8 |   pull_request:
 9 |     branches:
10 |       - dev # No need for stable-pull-request, as that equals dev-push
11 | 
12 | concurrency:
13 |   group: ${{ github.workflow }}-${{ github.ref }}
14 |   cancel-in-progress: true
15 | 
16 | jobs:
17 |   test:
18 |     name: Test Rust Custom Mutator Support
19 |     runs-on: '${{ matrix.os }}'
20 |     defaults:
21 |       run:
22 |         working-directory: custom_mutators/rust
23 |     strategy:
24 |       matrix:
25 |         os: [ubuntu-22.04]
26 |     steps:
27 |       - uses: actions/checkout@v3
28 |       - name: Install Rust Toolchain
29 |         uses: actions-rs/toolchain@v1
30 |         with:
31 |           toolchain: stable
32 |       - name: Check Code Compiles
33 |         run: cargo check
34 |       - name: Run General Tests
35 |         run: cargo test
36 |       - name: Run Tests for afl_internals feature flag
37 |         run: cd custom_mutator && cargo test --features=afl_internals
38 | 


--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
 1 | [submodule "unicorn_mode/unicornafl"]
 2 | 	path = unicorn_mode/unicornafl
 3 | 	url = https://github.com/AFLplusplus/unicornafl
 4 | [submodule "custom_mutators/grammar_mutator"]
 5 | 	path = custom_mutators/grammar_mutator/grammar_mutator
 6 | 	url = https://github.com/AFLplusplus/Grammar-Mutator
 7 | [submodule "qemu_mode/qemuafl"]
 8 | 	path = qemu_mode/qemuafl
 9 | 	url = https://github.com/AFLplusplus/qemuafl
10 | [submodule "custom_mutators/gramatron/json-c"]
11 | 	path = custom_mutators/gramatron/json-c
12 | 	url = https://github.com/json-c/json-c
13 | [submodule "coresight_mode/patchelf"]
14 | 	path = coresight_mode/patchelf
15 | 	url = https://github.com/NixOS/patchelf.git
16 | [submodule "coresight_mode/coresight-trace"]
17 | 	path = coresight_mode/coresight-trace
18 | 	url = https://github.com/RICSecLab/coresight-trace.git
19 | [submodule "nyx_mode/libnyx"]
20 | 	path = nyx_mode/libnyx
21 | 	url = https://github.com/nyx-fuzz/libnyx.git
22 | [submodule "nyx_mode/packer"]
23 | 	path = nyx_mode/packer
24 | 	url = https://github.com/nyx-fuzz/packer.git
25 | [submodule "nyx_mode/QEMU-Nyx"]
26 | 	path = nyx_mode/QEMU-Nyx
27 | 	url = https://github.com/nyx-fuzz/QEMU-Nyx
28 | 


--------------------------------------------------------------------------------
/CITATION.cff:
--------------------------------------------------------------------------------
 1 | cff-version: 1.2.0
 2 | message: "If you use this software, please cite it as below."
 3 | authors:
 4 |   - given-names: Marc
 5 |     family-names: Heuse
 6 |     email: mh@mh-sec.de
 7 |   - given-names: Heiko
 8 |     family-names: Eißfeldt
 9 |     email: heiko.eissfeldt@hexco.de
10 |   - given-names: Andrea
11 |     family-names: Fioraldi
12 |     email: andreafioraldi@gmail.com
13 |   - given-names: Dominik
14 |     family-names: Maier
15 |     email: mail@dmnk.co
16 | title: "AFL++"
17 | version: 4.00c
18 | type: software
19 | date-released: 2022-01-26
20 | url: "https://github.com/AFLplusplus/AFLplusplus"
21 | keywords:
22 |   - fuzzing
23 |   - fuzzer
24 |   - fuzz-testing
25 |   - instrumentation
26 |   - afl-fuzz
27 |   - qemu
28 |   - llvm
29 |   - unicorn-emulator
30 |   - security
31 | license: AGPL-3.0-or-later
32 | 


--------------------------------------------------------------------------------
/Changelog.md:
--------------------------------------------------------------------------------
1 | docs/Changelog.md


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | source-only:
 6 | 	@gmake source-only
 7 | 
 8 | binary-only:
 9 | 	@gmake binary-only
10 | 
11 | distrib:
12 | 	@gmake distrib
13 | 
14 | man:
15 | 	@gmake man
16 | 
17 | install:
18 | 	@gmake install
19 | 
20 | document:
21 | 	@gmake document
22 | 
23 | deepclean:
24 | 	@gmake deepclean
25 | 
26 | code-format:
27 | 	@gmake code-format
28 | 
29 | help:
30 | 	@gmake help
31 | 
32 | tests:
33 | 	@gmake tests
34 | 
35 | unit:
36 | 	@gmake unit
37 | 
38 | unit_clean:
39 | 	@gmake unit_clean
40 | 
41 | clean:
42 | 	@gmake clean
43 | 


--------------------------------------------------------------------------------
/config.h:
--------------------------------------------------------------------------------
1 | include/config.h


--------------------------------------------------------------------------------
/coresight_mode/.gitignore:
--------------------------------------------------------------------------------
1 | .local
2 | glibc*
3 | 


--------------------------------------------------------------------------------
/coresight_mode/Makefile:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env make
 2 | # SPDX-License-Identifier: Apache-2.0
 3 | # Copyright 2021 Ricerca Security, Inc. All rights reserved.
 4 | 
 5 | all:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake all || echo please install GNUmake
 8 | 
 9 | build:
10 | 	@echo trying to use GNU make...
11 | 	@gmake build || echo please install GNUmake
12 | 
13 | patch:
14 | 	@echo trying to use GNU make...
15 | 	@gmake patch || echo please install GNUmake
16 | 
17 | clean:
18 | 	@echo trying to use GNU make...
19 | 	@gmake clean || echo please install GNUmake
20 | 
21 | .PHONY: all build patch clean
22 | 


--------------------------------------------------------------------------------
/custom_mutators/aflpp/Makefile:
--------------------------------------------------------------------------------
 1 | 
 2 | CFLAGS = -O3 -funroll-loops -fPIC -Wl,-Bsymbolic
 3 | 
 4 | all: aflpp-mutator.so
 5 | 
 6 | aflpp-mutator.so:	aflpp.c
 7 | 	$(CC) $(CFLAGS) -I../../include -I. -shared -o aflpp-mutator.so aflpp.c ../../src/afl-performance.c
 8 | 
 9 | clean:
10 | 	rm -f *.o *~ *.so core
11 | 


--------------------------------------------------------------------------------
/custom_mutators/aflpp/README.md:
--------------------------------------------------------------------------------
1 | # custom mutator: AFL++
2 | 
3 | this is the AFL++ havoc mutator as a custom mutator module for AFL++.
4 | 
5 | just type `make` to build
6 | 
7 | ```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/aflpp/aflpp-mutator.so afl-fuzz ...```
8 | 
9 | 


--------------------------------------------------------------------------------
/custom_mutators/aflpp/standalone/Makefile:
--------------------------------------------------------------------------------
 1 | 
 2 | CFLAGS = -O3 -funroll-loops -fPIC
 3 | 
 4 | all: aflpp-standalone
 5 | 
 6 | aflpp-standalone:	aflpp-standalone.c
 7 | 	$(CC) $(CFLAGS) -w -DBIN_PATH=\"foo\" -I../../../include -I. -o aflpp-standalone aflpp-standalone.c ../../../src/afl-performance.c ../../../src/afl-fuzz-extras.c ../../../src/afl-common.c
 8 | 
 9 | clean:
10 | 	rm -f *.o *~ aflpp-standalone core
11 | 


--------------------------------------------------------------------------------
/custom_mutators/aflpp/standalone/README.md:
--------------------------------------------------------------------------------
 1 | # AFL++ standalone mutator
 2 | 
 3 | this is the AFL++ havoc mutator as a standalone mutator
 4 | 
 5 | just type `make` to build.
 6 | 
 7 | ```
 8 | aflpp-standalone -h # to see all parameteres
 9 | cat file | aflpp-standalone -m 4 -x foo.dict - outputfile splicefile # example
10 | ```
11 | 


--------------------------------------------------------------------------------
/custom_mutators/aflpp_tritondse/README.md:
--------------------------------------------------------------------------------
 1 | # An AFL++ custom mutator using TritonDSE
 2 | 
 3 | ## Installing the requirements
 4 | 
 5 | `pip3 install tritondse`
 6 | 
 7 | ## How to run with an example
 8 | 
 9 | ```
10 | ../../afl-cc -o ../../test-instr ../../test-instr.c
11 | mkdir -p in
12 | echo aaaa > in/in
13 | AFL_DISABLE_TRIM=1 AFL_CUSTOM_MUTATOR_ONLY=1 AFL_SYNC_TIME=1 AFL_PYTHON_MODULE=aflpp_tritondse PYTHONPATH=. ../../afl-fuzz -i in -o out -- ../../test-instr
14 | ```
15 | 
16 | Note that this custom mutator works differently, new finds are synced
17 | after 10-60 seconds to the fuzzing instance. This is necessary because only
18 | C/C++ custom mutators have access to the internal AFL++ state.
19 | 
20 | Note that you should run first with `AFL_DEBUG` for 5-10 minutes and see if
21 | all important libraries and syscalls are hooked (look at `WARNING` and `CRITICAL`
22 | output during the run, best use with `AFL_NO_UI=1`)
23 | 


--------------------------------------------------------------------------------
/custom_mutators/atnwalk/Makefile:
--------------------------------------------------------------------------------
1 | all:	atnwalk.so
2 | 
3 | atnwalk.so:	atnwalk.c
4 | 	$(CC) -I ../../include/ -shared -fPIC -O3 -o atnwalk.so atnwalk.c
5 | 
6 | clean:
7 | 	rm -f *.so *.o *~ core
8 | 


--------------------------------------------------------------------------------
/custom_mutators/autotokens/Makefile:
--------------------------------------------------------------------------------
 1 | ifdef debug
 2 | 	CPPLAGS += -fsanitize=address
 3 | 	CXXFLAGS += -Wall
 4 | 	CC := clang
 5 | 	CXX := clang++
 6 | endif
 7 | ifdef DEBUG
 8 | 	CPPFLAGS += -fsanitize=address
 9 | 	CXXFLAGS += -Wall
10 | 	CC := clang
11 | 	CXX := clang++
12 | endif
13 | 
14 | all:	autotokens.so
15 | 
16 | afl-fuzz-queue.o:	../../src/afl-fuzz-queue.c
17 | 	$(CC) -D_STANDALONE_MODULE=1 -I../../include -g -O3 $(CPPFLAGS) -fPIC -c -o ./afl-fuzz-queue.o ../../src/afl-fuzz-queue.c
18 | 
19 | afl-common.o:	../../src/afl-common.c
20 | 	$(CC) -I../../include -g -O3 $(CPPFLAGS) -DBIN_PATH=\"dummy\" -Wno-pointer-sign -fPIC -c -o ./afl-common.o ../../src/afl-common.c
21 | 
22 | autotokens.so:	afl-fuzz-queue.o afl-common.o autotokens.cpp
23 | 	$(CXX) -Wno-deprecated -g -O3 $(CXXFLAGS) $(CPPFLAGS) -shared -fPIC -o autotokens.so -I../../include autotokens.cpp  ./afl-fuzz-queue.o ../../src/afl-performance.o ./afl-common.o
24 | 
25 | clean:
26 | 	rm -f autotokens.so *.o *~ core
27 | 


--------------------------------------------------------------------------------
/custom_mutators/autotokens/standalone/Makefile:
--------------------------------------------------------------------------------
 1 | 
 2 | CFLAGS = -g -O3 -funroll-loops -fPIC -D_STANDALONE_MODULE=1 -Wno-pointer-sign
 3 | CXXFLAGS= -g -O3 -funroll-loops -fPIC -D_STANDALONE_MODULE=1
 4 | 
 5 | all: autotokens-standalone
 6 | 
 7 | autotokens.o:	../autotokens.cpp
 8 | 	$(CXX) $(CXXFLAGS) -g -I../../../include -I. -I../.. -c ../autotokens.cpp
 9 | 
10 | autotokens-standalone:	autotokens-standalone.c	autotokens.o
11 | 	$(CC) $(CFLAGS) -g -DBIN_PATH=\"foo\" -I../../../include -I. -c autotokens-standalone.c
12 | 	$(CC) $(CFLAGS) -g -DBIN_PATH=\"foo\" -I../../../include -I. -c ../../../src/afl-performance.c
13 | 	$(CC) $(CFLAGS) -g -DBIN_PATH=\"foo\" -I../../../include -I. -c ../../../src/afl-fuzz-extras.c
14 | 	$(CC) $(CFLAGS) -g -DBIN_PATH=\"foo\" -I../../../include -I. -c ../../../src/afl-fuzz-queue.c
15 | 	$(CC) $(CFLAGS) -g -DBIN_PATH=\"foo\" -I../../../include -I. -c ../../../src/afl-common.c
16 | 	$(CXX) $(CFLAGS) -g -DBIN_PATH=\"foo\" -I../../../include -I. -o autotokens-standalone *.o
17 | 	@rm -f ../../../src/afl-common.o ../../../src/afl-fuzz-queue.o ../../../src/afl-fuzz-extras.o ../../../src/afl-performance.o
18 | 
19 | clean:
20 | 	rm -f *.o *~ autotokens-standalone core
21 | 


--------------------------------------------------------------------------------
/custom_mutators/autotokens/standalone/README.md:
--------------------------------------------------------------------------------
 1 | # Autotokens standalone mutator
 2 | 
 3 | this is a standalone version of the AFL++ autotokens custom mutator.
 4 | 
 5 | just type `make` to build.
 6 | 
 7 | You *MUST* use a dictionary file to have an effective grammarless grammar fuzzer!
 8 | 
 9 | ```
10 | autotokens-standalone -h # to see all parameters
11 | autotokens-standalone -x foo.dict inputfile outputfile # example
12 | ```
13 | 


--------------------------------------------------------------------------------
/custom_mutators/custom_send_tcp/Makefile:
--------------------------------------------------------------------------------
1 | all:	custom_send_tcp.so
2 | 
3 | custom_send_tcp.so:
4 | 	$(CC) -Wno-unused-result -g -O3 -shared -fPIC -o custom_send_tcp.so -I../../include custom_send_tcp.c
5 | 
6 | clean:
7 | 	rm -f custom_send_tcp.so *.o *~ core
8 | 


--------------------------------------------------------------------------------
/custom_mutators/custom_send_tcp/README.md:
--------------------------------------------------------------------------------
 1 | # Send testcases via TCP custom mutator
 2 | 
 3 | This custom mutator sends the fuzzing testcases via TCP.
 4 | 
 5 | `AFL_CUSTOM_MUTATOR_LATE_SEND` - MUST be set!
 6 | `CUSTOM_SEND_IP` - the IP address to send to (basically only 127.0.0.1 makes sense)
 7 | `CUSTOM_SEND_PORT` - the TCP port to send to
 8 | `CUSTOM_SEND_READ` - if the custom mutator should wait for a reply from the target
 9 | 
10 | Example:
11 | ```
12 | CUSTOM_SEND_IP=127.0.0.1 CUSTOM_SEND_PORT=8000 CUSTOM_SEND_READ=1 AFL_CUSTOM_MUTATOR_LATE_SEND=1 AFL_CUSTOM_MUTATOR_LIBRARY=custom_send_tcp.so ./afl-fuzz ...
13 | ```
14 | 


--------------------------------------------------------------------------------
/custom_mutators/examples/Makefile:
--------------------------------------------------------------------------------
1 | all: libexamplemutator.so
2 | 
3 | libexamplemutator.so:
4 | 	$(CC) $(CFLAGS) -D_FORTIFY_SOURCE=2 -O3 -fPIC -shared -g -I ../../include example.c -o libexamplemutator.so
5 | 
6 | clean:
7 | 	rm -rf libexamplemutator.so
8 | 


--------------------------------------------------------------------------------
/custom_mutators/examples/common.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # encoding: utf-8
 3 | """
 4 | Module containing functions shared between multiple AFL modules
 5 | 
 6 | @author:     Christian Holler (:decoder)
 7 | 
 8 | @license:
 9 | 
10 | This Source Code Form is subject to the terms of the Mozilla Public
11 | License, v. 2.0. If a copy of the MPL was not distributed with this
12 | file, You can obtain one at http://mozilla.org/MPL/2.0/.
13 | 
14 | @contact:    choller@mozilla.com
15 | """
16 | 
17 | from __future__ import print_function
18 | import random
19 | import os
20 | import re
21 | 
22 | 
23 | def randel(l):
24 |     if not l:
25 |         return None
26 |     return l[random.randint(0, len(l) - 1)]
27 | 
28 | 
29 | def randel_pop(l):
30 |     if not l:
31 |         return None
32 |     return l.pop(random.randint(0, len(l) - 1))
33 | 
34 | 
35 | def write_exc_example(data, exc):
36 |     exc_name = re.sub(r"[^a-zA-Z0-9]", "_", repr(exc))
37 | 
38 |     if not os.path.exists(exc_name):
39 |         with open(exc_name, "w") as f:
40 |             f.write(data)
41 | 


--------------------------------------------------------------------------------
/custom_mutators/examples/custom_post_run.c:
--------------------------------------------------------------------------------
 1 | //
 2 | // This is an example on how to use afl_custom_post_run
 3 | // It executes custom code each time after AFL++ executes the target
 4 | //
 5 | // cc -O3 -fPIC -shared -g -o custom_post_run.so -I../../include custom_post_run.c
 6 | // cd ../..
 7 | // afl-cc -o test-instr test-instr.c
 8 | // AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/examples/custom_post_run.so \
 9 | //   afl-fuzz -i in -o out -- ./test-instr -f /tmp/foo
10 | //
11 | 
12 | 
13 | #include "afl-fuzz.h"
14 | 
15 | #include <stdint.h>
16 | #include <stdlib.h>
17 | #include <string.h>
18 | #include <stdio.h>
19 | 
20 | typedef struct my_mutator {
21 | 
22 |   afl_state_t *afl;
23 | 
24 | } my_mutator_t;
25 | 
26 | my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) {
27 | 
28 |   my_mutator_t *data = calloc(1, sizeof(my_mutator_t));
29 |   if (!data) {
30 | 
31 |     perror("afl_custom_init alloc");
32 |     return NULL;
33 | 
34 |   }
35 | 
36 |   data->afl = afl;
37 | 
38 |   return data;
39 | 
40 | }
41 | 
42 | void afl_custom_post_run(my_mutator_t *data) {
43 | 
44 |   printf("hello from afl_custom_post_run\n");
45 |   return;
46 | }
47 | 
48 | 
49 | void afl_custom_deinit(my_mutator_t *data) {
50 | 
51 |   free(data);
52 | 
53 | }


--------------------------------------------------------------------------------
/custom_mutators/gramatron/JSONC_VERSION:
--------------------------------------------------------------------------------
1 | af8dd4a307e7b837f9fa2959549548ace4afe08b
2 | 


--------------------------------------------------------------------------------
/custom_mutators/gramatron/preprocess/prep_automaton.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # This script creates a FSA describing the input grammar *.g4
 4 | 
 5 | if [ ! "$#" -lt 4 ]; then
 6 |   echo "Usage: ./prep_pda.sh <grammar_file> <start> [stack_limit]"         
 7 |   exit 1
 8 | fi
 9 | 
10 | GRAMMAR_FILE=$1
11 | GRAMMAR_DIR="$(dirname $GRAMMAR_FILE)"
12 | START="$2"
13 | STACK_LIMIT="$3"
14 | 
15 | # Get filename
16 | FILE=$(basename -- "$GRAMMAR_FILE")
17 | echo "File:$FILE"
18 | FILENAME="${FILE%.*}"
19 | echo "Name:$FILENAME"
20 | 
21 | 
22 | # Create the GNF form of the grammar
23 | CMD="python gnf_converter.py --gf $GRAMMAR_FILE --out ${FILENAME}.json --start $START"
24 | $CMD
25 | 
26 | # Generate grammar automaton 
27 | # Check if user provided a stack limit
28 | if [ -z "${STACK_LIMIT}" ]; then
29 | CMD="python3 construct_automata.py --gf ${FILENAME}.json" 
30 | else
31 | CMD="python construct_automata.py --gf ${FILENAME}.json --limit ${STACK_LIMIT}" 
32 | fi
33 | echo $CMD
34 | $CMD
35 | 
36 | # Move PDA to the source dir of the grammar
37 | echo "Copying ${FILENAME}_automata.json to $GRAMMAR_DIR"
38 | mv "${FILENAME}_automata.json" $GRAMMAR_DIR/  
39 | 


--------------------------------------------------------------------------------
/custom_mutators/gramatron/test.h:
--------------------------------------------------------------------------------
 1 | #include <stdint.h>
 2 | #include <stdlib.h>
 3 | #include <string.h>
 4 | #include <stdio.h>
 5 | #include <json-c/json.h>
 6 | #include <unistd.h>
 7 | #include "hashmap.h"
 8 | #include "uthash.h"
 9 | #include "utarray.h"
10 | 
11 | #define INIT_SIZE 100  // Initial size of the dynamic array holding the input
12 | 
13 | typedef struct terminal {
14 | 
15 |   int    state;
16 |   int    trigger_idx;
17 |   size_t symbol_len;
18 |   char * symbol;
19 | 
20 | } terminal;
21 | 
22 | typedef struct trigger {
23 | 
24 |   char * id;
25 |   int    dest;
26 |   char * term;
27 |   size_t term_len;
28 | 
29 | } trigger;
30 | 
31 | typedef struct state {
32 | 
33 |   int      state_name;   // Integer State name
34 |   int      trigger_len;  // Number of triggers associated with this state
35 |   trigger *ptr;          // Pointer to beginning of the list of triggers
36 | 
37 | } state;
38 | 
39 | typedef struct {
40 | 
41 |   size_t    used;
42 |   size_t    size;
43 |   size_t    inputlen;
44 |   terminal *start;
45 | 
46 | } Array;
47 | 
48 | int init_state;
49 | int curr_state;
50 | int final_state;
51 | 
52 | state *create_pda(char *);
53 | Array *gen_input(state *, Array *);
54 | void   print_repr(Array *, char *);
55 | void   initArray(Array *, size_t);
56 | void   insertArray(Array *, int, char *, size_t, int);
57 | 
58 | 


--------------------------------------------------------------------------------
/custom_mutators/grammar_mutator/GRAMMAR_VERSION:
--------------------------------------------------------------------------------
1 | 05d8f53
2 | 


--------------------------------------------------------------------------------
/custom_mutators/grammar_mutator/README.md:
--------------------------------------------------------------------------------
1 | # Grammar-Mutator
2 | 
3 | This is just a stub directory that will clone the real grammar mutator
4 | directory.
5 | 
6 | Execute `./build_grammar_mutator.sh` to set everything up.
7 | 


--------------------------------------------------------------------------------
/custom_mutators/honggfuzz/Makefile:
--------------------------------------------------------------------------------
 1 | 
 2 | CFLAGS = -O3 -funroll-loops -fPIC -Wl,-Bsymbolic
 3 | 
 4 | all: honggfuzz-mutator.so
 5 | 
 6 | honggfuzz-mutator.so:	honggfuzz.c input.h mangle.c ../../src/afl-performance.c
 7 | 	$(CC) $(CFLAGS) -I../../include -I. -shared -o honggfuzz-mutator.so honggfuzz.c mangle.c ../../src/afl-performance.c
 8 | 
 9 | update:
10 | 	@# seriously? --unlink is a dud option? sigh ...
11 | 	rm -f mangle.c mangle.h honggfuzz.h
12 | 	wget --unlink https://github.com/google/honggfuzz/raw/master/mangle.c
13 | 	wget --unlink https://github.com/google/honggfuzz/raw/master/mangle.h
14 | 	wget --unlink https://github.com/google/honggfuzz/raw/master/honggfuzz.h
15 | 
16 | clean:
17 | 	rm -f *.o *~ *.so core
18 | 


--------------------------------------------------------------------------------
/custom_mutators/honggfuzz/README.md:
--------------------------------------------------------------------------------
 1 | # custom mutator: honggfuzz mangle
 2 | 
 3 | this is the honggfuzz mutator in mangle.c as a custom mutator
 4 | module for AFL++. It is the original mangle.c, mangle.h and honggfuzz.h
 5 | with a lot of mocking around it :-)
 6 | 
 7 | just type `make` to build
 8 | 
 9 | ```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/honggfuzz/honggfuzz-mutator.so afl-fuzz ...```
10 | 
11 | > Original repository: https://github.com/google/honggfuzz
12 | > Source commit: d0fbcb0373c32436b8fb922e6937da93b17291f5
13 | 


--------------------------------------------------------------------------------
/custom_mutators/honggfuzz/libhfcommon/common.h:
--------------------------------------------------------------------------------
1 | #ifndef LOG_E
2 |   #define LOG_E LOG_F
3 | #endif
4 | 


--------------------------------------------------------------------------------
/custom_mutators/honggfuzz/libhfcommon/log.h:
--------------------------------------------------------------------------------
1 | common.h


--------------------------------------------------------------------------------
/custom_mutators/honggfuzz/libhfcommon/util.h:
--------------------------------------------------------------------------------
1 | common.h


--------------------------------------------------------------------------------
/custom_mutators/honggfuzz/mangle.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |  *
 3 |  * honggfuzz - buffer mangling routines
 4 |  * -----------------------------------------
 5 |  *
 6 |  * Author: Robert Swiecki <swiecki@google.com>
 7 |  *
 8 |  * Copyright 2010-2018 by Google Inc. All Rights Reserved.
 9 |  *
10 |  * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 |  * not use this file except in compliance with the License. You may obtain
12 |  * a copy of the License at
13 |  *
14 |  * http://www.apache.org/licenses/LICENSE-2.0
15 |  *
16 |  * Unless required by applicable law or agreed to in writing, software
17 |  * distributed under the License is distributed on an "AS IS" BASIS,
18 |  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
19 |  * implied. See the License for the specific language governing
20 |  * permissions and limitations under the License.
21 |  *
22 |  */
23 | 
24 | #ifndef _HF_MANGLE_H_
25 | #define _HF_MANGLE_H_
26 | 
27 | #include "honggfuzz.h"
28 | 
29 | extern void mangle_mangleContent(run_t* run, int speed_factor);
30 | 
31 | #endif
32 | 


--------------------------------------------------------------------------------
/custom_mutators/libafl_base/.gitignore:
--------------------------------------------------------------------------------
 1 | # Generated by Cargo
 2 | # will have compiled files and executables
 3 | /target/
 4 | 
 5 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
 6 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
 7 | Cargo.lock
 8 | 
 9 | # These are backup files generated by rustfmt
10 | **/*.rs.bk
11 | 


--------------------------------------------------------------------------------
/custom_mutators/libafl_base/Cargo.toml:
--------------------------------------------------------------------------------
 1 | [package]
 2 | name = "libafl_base"
 3 | version = "0.1.0"
 4 | edition = "2021"
 5 | 
 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 7 | 
 8 | [dependencies]
 9 | libafl = { git = "https://github.com/AFLplusplus/LibAFL.git", rev = "266677bb88abe75165430f34e7de897c35560504" }
10 | custom_mutator = { path = "../rust/custom_mutator", features = ["afl_internals"] }
11 | serde = { version = "1.0", default-features = false, features = ["alloc"] } # serialization lib
12 | 
13 | [lib]
14 | crate-type = ["cdylib"]
15 | 


--------------------------------------------------------------------------------
/custom_mutators/libafl_base/Makefile:
--------------------------------------------------------------------------------
 1 | all: target/release/liblibafl_base.so
 2 | 	cp target/release/liblibafl_base.so libafl_base.so
 3 | 
 4 | target/release/liblibafl_base.so: src/lib.rs
 5 | 	cargo build --release
 6 | 
 7 | clean:
 8 | 	cargo clean
 9 | 	rm -f libafl_base.so
10 | 


--------------------------------------------------------------------------------
/custom_mutators/libafl_base/README.md:
--------------------------------------------------------------------------------
 1 | # libafl basic havoc + token mutator
 2 | 
 3 | This uses the [libafl](https://github.com/AFLplusplus/libafl) StdScheduledMutator with `havoc_mutations` and `token_mutations`.
 4 | 
 5 | Make sure to have [cargo installed](https://rustup.rs/) and just type `make` to build.
 6 | 
 7 | Run with:
 8 | 
 9 | ```
10 | AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/libafl_base/libafl_base.so AFL_CUSTOM_MUTATOR_ONLY=1 afl-fuzz ...
11 | ```
12 | 


--------------------------------------------------------------------------------
/custom_mutators/libfuzzer/FuzzerExtFunctions.h:
--------------------------------------------------------------------------------
 1 | //===- FuzzerExtFunctions.h - Interface to external functions ---*- C++ -* ===//
 2 | //
 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 4 | // See https://llvm.org/LICENSE.txt for license information.
 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 6 | //
 7 | //===----------------------------------------------------------------------===//
 8 | // Defines an interface to (possibly optional) functions.
 9 | //===----------------------------------------------------------------------===//
10 | 
11 | #ifndef LLVM_FUZZER_EXT_FUNCTIONS_H
12 | #define LLVM_FUZZER_EXT_FUNCTIONS_H
13 | 
14 | #include <stddef.h>
15 | #include <stdint.h>
16 | 
17 | namespace fuzzer {
18 | 
19 | struct ExternalFunctions {
20 |   // Initialize function pointers. Functions that are not available will be set
21 |   // to nullptr.  Do not call this constructor  before ``main()`` has been
22 |   // entered.
23 |   ExternalFunctions();
24 | 
25 | #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN)                            \
26 |   RETURN_TYPE(*NAME) FUNC_SIG = nullptr
27 | 
28 | #include "FuzzerExtFunctions.def"
29 | 
30 | #undef EXT_FUNC
31 | };
32 | } // namespace fuzzer
33 | 
34 | #endif
35 | 


--------------------------------------------------------------------------------
/custom_mutators/libfuzzer/FuzzerFork.h:
--------------------------------------------------------------------------------
 1 | //===- FuzzerFork.h - run fuzzing in sub-processes --------------*- C++ -* ===//
 2 | //
 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 4 | // See https://llvm.org/LICENSE.txt for license information.
 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 6 | //
 7 | //===----------------------------------------------------------------------===//
 8 | 
 9 | #ifndef LLVM_FUZZER_FORK_H
10 | #define LLVM_FUZZER_FORK_H
11 | 
12 | #include "FuzzerDefs.h"
13 | #include "FuzzerOptions.h"
14 | #include "FuzzerRandom.h"
15 | 
16 | #include <string>
17 | 
18 | namespace fuzzer {
19 | void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,
20 |                   const Vector<std::string> &Args,
21 |                   const Vector<std::string> &CorpusDirs, int NumJobs);
22 | } // namespace fuzzer
23 | 
24 | #endif // LLVM_FUZZER_FORK_H
25 | 


--------------------------------------------------------------------------------
/custom_mutators/libfuzzer/FuzzerMain.cpp:
--------------------------------------------------------------------------------
 1 | //===- FuzzerMain.cpp - main() function and flags -------------------------===//
 2 | //
 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 4 | // See https://llvm.org/LICENSE.txt for license information.
 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 6 | //
 7 | //===----------------------------------------------------------------------===//
 8 | // main() and flags.
 9 | //===----------------------------------------------------------------------===//
10 | 
11 | #include "FuzzerDefs.h"
12 | #include "FuzzerPlatform.h"
13 | 
14 | extern "C" {
15 | 
16 | // This function should be defined by the user.
17 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
18 | 
19 | }  // extern "C"
20 | 
21 | ATTRIBUTE_INTERFACE int main(int argc, char **argv) {
22 | 
23 |   return fuzzer::FuzzerDriver(&argc, &argv, LLVMFuzzerTestOneInput);
24 | 
25 | }
26 | 
27 | 


--------------------------------------------------------------------------------
/custom_mutators/libfuzzer/FuzzerSHA1.h:
--------------------------------------------------------------------------------
 1 | //===- FuzzerSHA1.h - Internal header for the SHA1 utils --------*- C++ -* ===//
 2 | //
 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 4 | // See https://llvm.org/LICENSE.txt for license information.
 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 6 | //
 7 | //===----------------------------------------------------------------------===//
 8 | // SHA1 utils.
 9 | //===----------------------------------------------------------------------===//
10 | 
11 | #ifndef LLVM_FUZZER_SHA1_H
12 | #define LLVM_FUZZER_SHA1_H
13 | 
14 | #include "FuzzerDefs.h"
15 | #include <cstddef>
16 | #include <stdint.h>
17 | 
18 | namespace fuzzer {
19 | 
20 | // Private copy of SHA1 implementation.
21 | static const int kSHA1NumBytes = 20;
22 | 
23 | // Computes SHA1 hash of 'Len' bytes in 'Data', writes kSHA1NumBytes to 'Out'.
24 | void ComputeSHA1(const uint8_t *Data, size_t Len, uint8_t *Out);
25 | 
26 | std::string Sha1ToString(const uint8_t Sha1[kSHA1NumBytes]);
27 | 
28 | std::string Hash(const Unit &U);
29 | 
30 | }  // namespace fuzzer
31 | 
32 | #endif  // LLVM_FUZZER_SHA1_H
33 | 


--------------------------------------------------------------------------------
/custom_mutators/libfuzzer/FuzzerUtilLinux.cpp:
--------------------------------------------------------------------------------
 1 | //===- FuzzerUtilLinux.cpp - Misc utils for Linux. ------------------------===//
 2 | //
 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 4 | // See https://llvm.org/LICENSE.txt for license information.
 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 6 | //
 7 | //===----------------------------------------------------------------------===//
 8 | // Misc utils for Linux.
 9 | //===----------------------------------------------------------------------===//
10 | #include "FuzzerPlatform.h"
11 | #if LIBFUZZER_LINUX || LIBFUZZER_NETBSD || LIBFUZZER_FREEBSD || \
12 |     LIBFUZZER_OPENBSD || LIBFUZZER_EMSCRIPTEN
13 |   #include "FuzzerCommand.h"
14 | 
15 |   #include <stdlib.h>
16 |   #include <sys/types.h>
17 |   #include <sys/wait.h>
18 |   #include <unistd.h>
19 | 
20 | namespace fuzzer {
21 | 
22 | int ExecuteCommand(const Command &Cmd) {
23 | 
24 |   std::string CmdLine = Cmd.toString();
25 |   int         exit_code = system(CmdLine.c_str());
26 |   if (WIFEXITED(exit_code)) return WEXITSTATUS(exit_code);
27 |   return exit_code;
28 | 
29 | }
30 | 
31 | void DiscardOutput(int Fd) {
32 | 
33 |   FILE *Temp = fopen("/dev/null", "w");
34 |   if (!Temp) return;
35 |   dup2(fileno(Temp), Fd);
36 |   fclose(Temp);
37 | 
38 | }
39 | 
40 | }  // namespace fuzzer
41 | 
42 | #endif
43 | 
44 | 


--------------------------------------------------------------------------------
/custom_mutators/libfuzzer/README.md:
--------------------------------------------------------------------------------
 1 | # custom mutator: libfuzzer LLVMFuzzerMutate()
 2 | 
 3 | This uses the libfuzzer LLVMFuzzerMutate() function in llvm 12.
 4 | 
 5 | just type `make` to build
 6 | 
 7 | ```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/libfuzzer/libfuzzer-mutator.so afl-fuzz ...```
 8 | 
 9 | Note that this is currently a simple implementation and it is missing two features:
10 |   * Splicing ("Crossover")
11 |   * Dictionary support
12 | 
13 | To update the source, all that is needed is that FuzzerDriver.cpp has to receive
14 | 
15 | ```
16 | #include "libfuzzer.inc"
17 | ```
18 | 
19 | before the closing namespace bracket.
20 | 
21 | It is also libfuzzer.inc where the configuration of the libfuzzer mutations
22 | are done.
23 | 
24 | > Original repository: https://github.com/llvm/llvm-project
25 | > Path: compiler-rt/lib/fuzzer/*.{h|cpp}
26 | > Source commit: df3e903655e2499968fc7af64fb5fa52b2ee79bb


--------------------------------------------------------------------------------
/custom_mutators/libfuzzer/libfuzzer.inc:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | extern "C" ATTRIBUTE_INTERFACE void
 4 | LLVMFuzzerMyInit(int (*Callback)(const uint8_t *Data, size_t Size), unsigned int Seed) {
 5 |   auto *Rand = new Random(Seed);
 6 |   FuzzingOptions Options;
 7 |   Options.Verbosity = 3;
 8 |   Options.MaxLen = 1024000;
 9 |   Options.LenControl = true;
10 |   Options.DoCrossOver = false;
11 |   Options.MutateDepth = 6;
12 |   Options.UseCounters = false;
13 |   Options.UseMemmem = false;
14 |   Options.UseCmp = false;
15 |   Options.UseValueProfile = false;
16 |   Options.Shrink = false;
17 |   Options.ReduceInputs = false;
18 |   Options.PreferSmall = false;
19 |   Options.ReloadIntervalSec = 0;
20 |   Options.OnlyASCII = false;
21 |   Options.DetectLeaks = false;
22 |   Options.PurgeAllocatorIntervalSec = 0;
23 |   Options.TraceMalloc = false;
24 |   Options.RssLimitMb = 100;
25 |   Options.MallocLimitMb = 100;
26 |   Options.MaxNumberOfRuns = 0;
27 |   Options.ReportSlowUnits = false;
28 |   Options.Entropic = false;
29 |   
30 |   struct EntropicOptions Entropic;
31 |   Entropic.Enabled = Options.Entropic;
32 |   EF = new ExternalFunctions();
33 |   auto *MD = new MutationDispatcher(*Rand, Options);
34 |   auto *Corpus = new InputCorpus(Options.OutputCorpus, Entropic);
35 |   auto *F = new Fuzzer(Callback, *Corpus, *MD, Options);
36 | }
37 | 


--------------------------------------------------------------------------------
/custom_mutators/libprotobuf-mutator-example/Android.bp:
--------------------------------------------------------------------------------
 1 | cc_library_shared {
 2 |   name: "libprotobuf-mutator-example-afl",
 3 |   vendor_available: true,
 4 |   host_supported: true,
 5 | 
 6 |   cflags: [
 7 |     "-g",
 8 |     "-O0",
 9 |     "-fPIC",
10 |     "-Wall",
11 |     "-Wno-unused-parameter",
12 |   ],
13 | 
14 |   srcs: [
15 |     "lpm_aflpp_custom_mutator_input.cc",
16 |     "test.proto",
17 |   ],
18 | 
19 |   shared_libs: [
20 |     "libprotobuf-cpp-full",
21 |     "libprotobuf-mutator",
22 |   ],
23 | }
24 | 
25 | cc_binary {
26 |   name: "libprotobuf-mutator-vuln",
27 |   vendor_available: true,
28 |   host_supported: true,
29 | 
30 |   srcs: [
31 |     "vuln.c",
32 |   ],
33 | 
34 |   cflags: [
35 |     "-Wno-unused-result",
36 |     "-Wno-unused-parameter",
37 |   ],
38 | }
39 | 


--------------------------------------------------------------------------------
/custom_mutators/libprotobuf-mutator-example/README.md:
--------------------------------------------------------------------------------
1 | Ported from [https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/5_libprotobuf_aflpp_custom_mutator_input](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/5_libprotobuf_aflpp_custom_mutator_input)
2 | 


--------------------------------------------------------------------------------
/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h:
--------------------------------------------------------------------------------
 1 | #include <src/mutator.h>
 2 | #include "test.pb.h"
 3 | 
 4 | class MyMutator : public protobuf_mutator::Mutator {
 5 | public:
 6 |     uint8_t *mutated_out = nullptr; 
 7 |     ~MyMutator() {
 8 |         delete[] mutated_out;
 9 |     }
10 | };
11 | 


--------------------------------------------------------------------------------
/custom_mutators/libprotobuf-mutator-example/test.proto:
--------------------------------------------------------------------------------
1 | syntax = "proto2";
2 | 
3 | message TEST {
4 |   required uint32 a = 1;
5 |   required string b = 2;
6 | }
7 | 
8 | 


--------------------------------------------------------------------------------
/custom_mutators/libprotobuf-mutator-example/vuln.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <string.h>
 3 | #include <math.h>
 4 | #include <stdlib.h>
 5 | #include <unistd.h>
 6 | 
 7 | int main(int argc, char *argv[])
 8 | {
 9 |     char str[100]={};
10 |     read(0, str, 100);
11 |     int *ptr = NULL;
12 |     if( str[0] == '\x02' || str[0] == '\xe8') {
13 |         *ptr = 123; 
14 |     }
15 |     return 0;
16 | }
17 | 
18 | 


--------------------------------------------------------------------------------
/custom_mutators/radamsa/GNUmakefile:
--------------------------------------------------------------------------------
 1 | CUR_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
 2 | 
 3 | all: radamsa-mutator.so
 4 | 
 5 | # These can be overridden:
 6 | CFLAGS	?= $(CFLAGS_FLTO)
 7 | 
 8 | # These are required: (otherwise radamsa gets very very slooooow)
 9 | CFLAGS	+= -O3 -funroll-loops
10 | 
11 | #libradamsa.so: libradamsa.a
12 | #	$(CC) $(CFLAGS) -shared libradamsa.a -o libradamsa.so
13 | 
14 | libradamsa.a: libradamsa.c radamsa.h
15 | 	@echo " ***************************************************************"
16 | 	@echo " * Compiling libradamsa, wait some minutes (~3 on modern CPUs) *"
17 | 	@echo " ***************************************************************"
18 | 	$(CC) -fPIC $(CFLAGS) $(CPPFLAGS) -I $(CUR_DIR) -o libradamsa.a -c libradamsa.c
19 | 
20 | radamsa-mutator.so: radamsa-mutator.c libradamsa.a
21 | 	$(CC) $(CFLAGS) $(CPPFLAGS) -g -I. -I../../include -shared -fPIC -c radamsa-mutator.c
22 | 	$(CC) $(CFLAGS) $(CPPFLAGS) -shared -fPIC -o radamsa-mutator.so radamsa-mutator.o libradamsa.a
23 | 
24 | test: libradamsa.a libradamsa-test.c
25 | 	$(CC) $(CFLAGS) $(CPPFLAGS) -I $(CUR_DIR) -o libradamsa-test libradamsa-test.c libradamsa.a
26 | 	./libradamsa-test libradamsa-test.c | grep "library test passed"
27 | 	rm /tmp/libradamsa-*.fuzz
28 | 
29 | clean:
30 | 	rm -f radamsa-mutator.so libradamsa.a libradamsa-test *.o *~ core
31 | 


--------------------------------------------------------------------------------
/custom_mutators/radamsa/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2013 Aki Helin
 2 | 
 3 | Permission is hereby granted, free of charge, to any person obtaining a copy
 4 | of this software and associated documentation files (the "Software"), to deal
 5 | in the Software without restriction, including without limitation the rights
 6 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 7 | copies of the Software, and to permit persons to whom the Software is
 8 | furnished to do so, subject to the following conditions:
 9 | 
10 | The above copyright notice and this permission notice shall be included in
11 | all copies or substantial portions of the Software.
12 | 
13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
19 | THE SOFTWARE.
20 | 


--------------------------------------------------------------------------------
/custom_mutators/radamsa/README.md:
--------------------------------------------------------------------------------
 1 | # custom mutator: libradamsa
 2 | 
 3 | Pretranslated radamsa library. This code belongs to the radamsa author.
 4 | 
 5 | > Original repository: https://gitlab.com/akihe/radamsa
 6 | 
 7 | > Source commit: 7b2cc2d0
 8 | 
 9 | > The code here is adapted for AFL++ with minor changes respect the original version
10 | 


--------------------------------------------------------------------------------
/custom_mutators/radamsa/radamsa.h:
--------------------------------------------------------------------------------
 1 | #include <inttypes.h>
 2 | #include <stddef.h>
 3 | 
 4 | void radamsa_init(void);
 5 | 
 6 | size_t radamsa(uint8_t *ptr, size_t len, uint8_t *target, size_t max,
 7 |                unsigned int seed);
 8 | 
 9 | size_t radamsa_inplace(uint8_t *ptr, size_t len, size_t max, unsigned int seed);
10 | 
11 | 


--------------------------------------------------------------------------------
/custom_mutators/rust/.gitignore:
--------------------------------------------------------------------------------
 1 | # Generated by Cargo
 2 | # will have compiled files and executables
 3 | /target/
 4 | 
 5 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
 6 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
 7 | Cargo.lock
 8 | 
 9 | # These are backup files generated by rustfmt
10 | **/*.rs.bk
11 | 


--------------------------------------------------------------------------------
/custom_mutators/rust/Cargo.toml:
--------------------------------------------------------------------------------
 1 | [workspace]
 2 | members = [
 3 |     "custom_mutator-sys",
 4 |     "custom_mutator",
 5 |     "example",
 6 |     # Lain needs a nightly toolchain
 7 |     # "example_lain",
 8 |     # "example_lain_post_process",
 9 | ]
10 | 


--------------------------------------------------------------------------------
/custom_mutators/rust/README.md:
--------------------------------------------------------------------------------
 1 | # Rust Custom Mutators
 2 | 
 3 | Bindings to create custom mutators in Rust.
 4 | 
 5 | These bindings are documented with rustdoc. To view the documentation run
 6 | ```cargo doc -p custom_mutator --open```.
 7 | 
 8 | A minimal example can be found in `example`. Build it using `cargo build --example example_mutator`.
 9 | 
10 | An example using [lain](https://github.com/microsoft/lain) for structured fuzzing can be found in `example_lain`.
11 | Since lain requires a nightly rust toolchain, you need to set one up before you can play with it.
12 | 
13 | An example for the use of the post_process function, using [lain](https://github.com/microsoft/lain) with [serde](https://github.com/serde-rs/serde) and [bincode](https://github.com/bincode-org/bincode) can be found in `example_lain_post_process`.
14 | In order for it to work you need to:
15 | 
16 | - disable input trimming with `AFL_DISABLE_TRIM=1`
17 | - provide an initial instance serialized with `bincode` or use the `AFL_NO_STARTUP_CALIBRATION=1` environment variable.
18 | 
19 | Note that `bincode` can also be used to serialize/deserialize the lain-generated structure and mutate it rather than generating a new one at each iteration, but it requires some structure serialized with `bincode` as input seed.
20 | 


--------------------------------------------------------------------------------
/custom_mutators/rust/custom_mutator-sys/Cargo.toml:
--------------------------------------------------------------------------------
 1 | [package]
 2 | name = "custom_mutator-sys"
 3 | version = "0.1.1"
 4 | authors = ["Julius Hohnerlein <julihoh@users.noreply.github.com>"]
 5 | edition = "2021"
 6 | 
 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 8 | 
 9 | [dependencies]
10 | 
11 | [build-dependencies]
12 | bindgen = "0.63"
13 | 


--------------------------------------------------------------------------------
/custom_mutators/rust/custom_mutator-sys/src/lib.rs:
--------------------------------------------------------------------------------
1 | #![allow(non_upper_case_globals)]
2 | #![allow(non_camel_case_types)]
3 | #![allow(non_snake_case)]
4 | #![allow(clippy::too_many_lines)]
5 | #![allow(clippy::used_underscore_binding)]
6 | 
7 | include!(concat!(env!("OUT_DIR"), "/bindings.rs"));
8 | 


--------------------------------------------------------------------------------
/custom_mutators/rust/custom_mutator-sys/wrapper.h:
--------------------------------------------------------------------------------
1 | #include "../../../include/afl-fuzz.h"
2 | #include "../../../include/common.h"
3 | #include "../../../include/config.h"
4 | #include "../../../include/debug.h"
5 | 


--------------------------------------------------------------------------------
/custom_mutators/rust/custom_mutator/Cargo.toml:
--------------------------------------------------------------------------------
 1 | [package]
 2 | name = "custom_mutator"
 3 | version = "0.1.0"
 4 | authors = ["Julius Hohnerlein <julihoh@users.noreply.github.com>"]
 5 | edition = "2021"
 6 | 
 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 8 | 
 9 | [features]
10 | afl_internals = ["custom_mutator-sys"]
11 | 
12 | [dependencies]
13 | custom_mutator-sys = { path = "../custom_mutator-sys", optional=true }
14 | 


--------------------------------------------------------------------------------
/custom_mutators/rust/example/Cargo.toml:
--------------------------------------------------------------------------------
 1 | [package]
 2 | name = "example_mutator"
 3 | version = "0.1.0"
 4 | authors = ["Julius Hohnerlein <julihoh@users.noreply.github.com>"]
 5 | edition = "2021"
 6 | 
 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 8 | 
 9 | [dependencies]
10 | custom_mutator = { path = "../custom_mutator" }
11 | 
12 | [[example]]
13 | name = "example_mutator"
14 | path = "./src/example_mutator.rs"
15 | crate-type = ["cdylib"]


--------------------------------------------------------------------------------
/custom_mutators/rust/example/src/example_mutator.rs:
--------------------------------------------------------------------------------
 1 | #![cfg(unix)]
 2 | #![allow(unused_variables)]
 3 | 
 4 | use custom_mutator::{export_mutator, CustomMutator};
 5 | 
 6 | struct ExampleMutator;
 7 | 
 8 | impl CustomMutator for ExampleMutator {
 9 |     type Error = ();
10 | 
11 |     fn init(seed: u32) -> Result<Self, Self::Error> {
12 |         Ok(Self)
13 |     }
14 | 
15 |     fn fuzz<'b, 's: 'b>(
16 |         &'s mut self,
17 |         buffer: &'b mut [u8],
18 |         add_buff: Option<&[u8]>,
19 |         max_size: usize,
20 |     ) -> Result<Option<&'b [u8]>, Self::Error> {
21 |         buffer.reverse();
22 |         Ok(Some(buffer))
23 |     }
24 | }
25 | 
26 | struct OwnBufferExampleMutator {
27 |     own_buffer: Vec<u8>,
28 | }
29 | 
30 | impl CustomMutator for OwnBufferExampleMutator {
31 |     type Error = ();
32 | 
33 |     fn init(seed: u32) -> Result<Self, Self::Error> {
34 |         Ok(Self {
35 |             own_buffer: Vec::new(),
36 |         })
37 |     }
38 | 
39 |     fn fuzz<'b, 's: 'b>(
40 |         &'s mut self,
41 |         buffer: &'b mut [u8],
42 |         add_buff: Option<&[u8]>,
43 |         max_size: usize,
44 |     ) -> Result<Option<&'b [u8]>, ()> {
45 |         self.own_buffer.reverse();
46 |         Ok(Some(self.own_buffer.as_slice()))
47 |     }
48 | }
49 | 
50 | export_mutator!(ExampleMutator);
51 | 


--------------------------------------------------------------------------------
/custom_mutators/rust/example_lain/Cargo.toml:
--------------------------------------------------------------------------------
 1 | [package]
 2 | name = "example_lain"
 3 | version = "0.1.0"
 4 | authors = ["Julius Hohnerlein <julihoh@users.noreply.github.com>"]
 5 | edition = "2021"
 6 | 
 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 8 | 
 9 | [dependencies]
10 | custom_mutator = { path = "../custom_mutator" }
11 | lain = { git = "https://github.com/AFLplusplus/lain.git" }
12 | 
13 | [[example]]
14 | name = "example_lain"
15 | path = "./src/lain_mutator.rs"
16 | crate-type = ["cdylib"]
17 | 


--------------------------------------------------------------------------------
/custom_mutators/rust/example_lain/rust-toolchain:
--------------------------------------------------------------------------------
1 | nightly


--------------------------------------------------------------------------------
/custom_mutators/rust/example_lain_post_process/Cargo.toml:
--------------------------------------------------------------------------------
 1 | [package]
 2 | name = "example_lain_post_process"
 3 | version = "0.1.0"
 4 | authors = [
 5 |     "Julius Hohnerlein <julihoh@users.noreply.github.com>",
 6 |     "jma <94166787+jma-qb@users.noreply.github.com>",
 7 | ]
 8 | edition = "2021"
 9 | 
10 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
11 | 
12 | [dependencies]
13 | custom_mutator = { path = "../custom_mutator" }
14 | lain = { git = "https://github.com/AFLplusplus/lain.git" }
15 | bincode = "1.3.3"
16 | serde = { version = "1.0.214", features = ["derive"] }
17 | 
18 | [[example]]
19 | name = "example_lain_post_process"
20 | path = "./src/lain_mutator.rs"
21 | crate-type = ["cdylib"]
22 | 


--------------------------------------------------------------------------------
/custom_mutators/rust/example_lain_post_process/rust-toolchain:
--------------------------------------------------------------------------------
1 | nightly


--------------------------------------------------------------------------------
/custom_mutators/symcc/Makefile:
--------------------------------------------------------------------------------
 1 | 
 2 | ifdef DEBUG
 3 |   CFLAGS += -DDEBUG
 4 | endif
 5 | 
 6 | all: symcc-mutator.so
 7 | 
 8 | CFLAGS	+= -O3 -funroll-loops
 9 | 
10 | symcc-mutator.so: symcc.c
11 | 	$(CC) $(CFLAGS) $(CPPFLAGS) -g -I../../include -shared -fPIC -o symcc-mutator.so symcc.c
12 | 
13 | clean:
14 | 	rm -f symcc-mutator.so *.o *~ core
15 | 


--------------------------------------------------------------------------------
/custom_mutators/symcc/README.md:
--------------------------------------------------------------------------------
 1 | # custom mutator: symcc
 2 | 
 3 | This uses the symcc to find new paths into the target.
 4 | 
 5 | Note that this is a just a proof of concept example! It is better to use
 6 | the fuzzing helpers of symcc, symqemu, Fuzzolic, etc. rather than this.
 7 | 
 8 | Also the symqemu custom mutator is better than this.
 9 | 
10 | To use this custom mutator follow the steps in the symcc repository 
11 | [https://github.com/eurecom-s3/symcc/](https://github.com/eurecom-s3/symcc/) 
12 | on how to build symcc and how to instrument a target binary (the same target
13 | that you are fuzzing).
14 | 
15 | The target program compiled with symcc has to be pointed to with the
16 | `SYMCC_TARGET` environment variable.
17 | 
18 | just type `make` to build this custom mutator.
19 | 
20 | ```SYMCC_TARGET=/prg/to/symcc/compiled/target AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/symcc/symcc-mutator.so afl-fuzz ...```
21 | 


--------------------------------------------------------------------------------
/custom_mutators/symcc/test_examples/file_test.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdint.h>
 3 | #include <stdlib.h>
 4 | #include <unistd.h>
 5 | #include <fcntl.h>
 6 | 
 7 | int main(int argc, char **argv) {
 8 | 
 9 |   if (argc < 2) {
10 | 
11 |     printf("Need a file argument\n");
12 |     return 1;
13 | 
14 |   }
15 | 
16 |   int fd = open(argv[1], O_RDONLY);
17 |   if (fd < 0) {
18 | 
19 |     printf("Couldn't open file\n");
20 |     return 1;
21 | 
22 |   }
23 | 
24 |   uint32_t value = 0;
25 | 
26 |   read(fd, &value, sizeof(value));
27 |   close(fd);
28 | 
29 |   value = value ^ 0xffffffff;
30 |   if (value == 0x11223344) printf("Value one\n");
31 |   if (value == 0x44332211) printf("Value two\n");
32 |   if (value != 0x0) printf("Not zero\n");
33 |   return 0;
34 | 
35 | }
36 | 
37 | 


--------------------------------------------------------------------------------
/custom_mutators/symcc/test_examples/stdin_test.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdint.h>
 3 | #include <stdlib.h>
 4 | #include <unistd.h>
 5 | 
 6 | int main(int argc, char **argv) {
 7 | 
 8 |   char     input_buffer[16];
 9 |   uint32_t comparisonValue;
10 |   size_t   bytesRead;
11 |   bytesRead = read(STDIN_FILENO, input_buffer, sizeof(input_buffer));
12 |   if (bytesRead < 0) exit(-1);
13 |   comparisonValue = *(uint32_t *)input_buffer;
14 |   comparisonValue = comparisonValue ^ 0xff112233;
15 |   if (comparisonValue == 0x66554493) {
16 | 
17 |     printf("First value\n");
18 | 
19 |   } else {
20 | 
21 |     if (comparisonValue == 0x84444415) printf("Second value\n");
22 | 
23 |   }
24 | 
25 |   return 0;
26 | 
27 | }
28 | 
29 | 


--------------------------------------------------------------------------------
/custom_mutators/symqemu/Makefile:
--------------------------------------------------------------------------------
 1 | 
 2 | ifdef DEBUG
 3 |   CFLAGS += -DDEBUG
 4 | endif
 5 | 
 6 | all: symqemu-mutator.so
 7 | 
 8 | CFLAGS	+= -O3 -funroll-loops
 9 | 
10 | symqemu-mutator.so: symqemu.c
11 | 	$(CC) -g $(CFLAGS) $(CPPFLAGS) -g -I../../include -shared -fPIC -o symqemu-mutator.so symqemu.c
12 | 
13 | clean:
14 | 	rm -f symqemu-mutator.so *.o *~ core
15 | 


--------------------------------------------------------------------------------
/custom_mutators/symqemu/README.md:
--------------------------------------------------------------------------------
 1 | # custom mutator: symqemu
 2 | 
 3 | This uses the symcc to find new paths into the target.
 4 | 
 5 | ## How to build and use
 6 | 
 7 | To use this custom mutator follow the steps in the symqemu repository 
 8 | [https://github.com/eurecom-s3/symqemu/](https://github.com/eurecom-s3/symqemu/) 
 9 | on how to build symqemu-x86_x64 and put it in your `PATH`.
10 | 
11 | Just type `make` to build this custom mutator.
12 | 
13 | ```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/symqemu/symqemu-mutator.so AFL_DISABLE_TRIM=1 afl-fuzz ...```
14 | 
15 | ## Options
16 | 
17 | `SYMQEMU_ALL=1` - use concolic solving on **all** queue items, not only interesting/favorite ones.
18 | 
19 | `SYMQEMU_LATE=1` - use concolic solving only after there have been no finds for 5 minutes.
20 | 


--------------------------------------------------------------------------------
/dictionaries/aff.dict:
--------------------------------------------------------------------------------
 1 | # https://www.systutorials.com/docs/linux/man/4-hunspell/
 2 | 
 3 | # Affix keywords
 4 | "AF"
 5 | "AM"
 6 | "BREAK"
 7 | "CHECKCOMPOUNDCASE"
 8 | "CHECKCOMPOUNDDUP"
 9 | "CHECKCOMPOUNDPATTERN"
10 | "CHECKCOMPOUNDREP"
11 | "CHECKCOMPOUNDTRIPLE"
12 | "COMPLEXPREFIXES"
13 | "COMPOUNDBEGIN"
14 | "COMPOUNDFLAG"
15 | "COMPOUNDFORBIDFLAG"
16 | "COMPOUNDLAST"
17 | "COMPOUNDMIDDLE"
18 | "COMPOUNDMIN"
19 | "COMPOUNDPERMITFLAG"
20 | "COMPOUNDROOT"
21 | "COMPOUNDRULE"
22 | "COMPOUNDSYLLABLE"
23 | "COMPOUNDWORDMAX"
24 | "FLAG"
25 | "FORBIDWARN"
26 | "FORCEUCASE"
27 | "IGNORE"
28 | "KEY"
29 | "LANG"
30 | "MAP"
31 | "MAXCODSUGS"
32 | "MAXDIFF"
33 | "MAXNGRAMSUGS"
34 | "NOSPLITSUGS"
35 | "NOSUGGEST"
36 | "ONLYINCOMPOUND"
37 | "ONLYMAXDIFF"
38 | "PFX"
39 | "PHONE"
40 | "REP"
41 | "SET"
42 | "SFX"
43 | "SIMPLIFIEDTRIPLE"
44 | "SUGWITHDOTS"
45 | "SYLLABLENUM"
46 | "TRY"
47 | "WARN"
48 | "CIRCUMFIX"
49 | "FORBIDDENWORD"
50 | "FULLSTRIP"
51 | "KEEPCASE"
52 | "ICONV"
53 | "OCONV"
54 | "LEMMA_PRESENT"
55 | "NEEDAFFIX"
56 | "PSEUDOROOT"
57 | "SUBSTANDARD"
58 | "WORDCHARS"
59 | "CHECKSHARPS"
60 | 
61 | # Optional data fields
62 | "ph:"
63 | "st:"
64 | "al:"
65 | "po:"
66 | "ds:"
67 | "is:"
68 | "ts:"
69 | "sp:"
70 | "pa:"
71 | "dp:"
72 | "ip:"
73 | "tp:"
74 | 


--------------------------------------------------------------------------------
/dictionaries/atom.dict:
--------------------------------------------------------------------------------
 1 | # https://validator.w3.org/feed/docs/atom.html
 2 | # https://tools.ietf.org/html/rfc4287
 3 | 
 4 | "<?xml version='1.0' encoding='utf-8'?>"
 5 | "<feed xmlns='http://www.w3.org/2005/Atom'>"
 6 | 
 7 | "<alternate>"
 8 | "<author>"
 9 | "<category>"
10 | "<content>"
11 | "<contributor>"
12 | "<email>"
13 | "<entry>"
14 | "<feed>"
15 | "<first>"
16 | "<generator>"
17 | "<icon>"
18 | "<id>"
19 | "<last>"
20 | "<link>"
21 | "<logo>"
22 | "<modified/>
23 | "<name>"
24 | "<next>"
25 | "<previous>"
26 | "<published>"
27 | "<rights>"
28 | "<source>"
29 | "<subtitle>"
30 | "<summary>"
31 | "<title>"
32 | "<updated>"
33 | "<uri>"
34 | 


--------------------------------------------------------------------------------
/dictionaries/av1_dc.dict:
--------------------------------------------------------------------------------
1 | # IVF Signature + version (bytes 0-5)
2 | kw1="DKIF\x00\x00"
3 | 
4 | # AV1 codec fourCC (bytes 8-11)
5 | kw2="AV01"
6 | 


--------------------------------------------------------------------------------
/dictionaries/bdf.dict:
--------------------------------------------------------------------------------
 1 | # https://en.wikipedia.org/wiki/Glyph_Bitmap_Distribution_Format
 2 | # https://www.adobe.com/content/dam/acom/en/devnet/font/pdfs/5005.BDF_Spec.pdf
 3 | 
 4 | "STARTFONT"
 5 | "COMMENT"
 6 | "CONTENTVERSION"
 7 | "FONT"
 8 | "SIZE"
 9 | "FONTBOUNDINGBOX"
10 | "METRICSSET"
11 | "SWIDTH"
12 | "DWIDTH"
13 | "SWIDTH1"
14 | "DWIDTH1"
15 | "VVECTOR"
16 | "STARTPROPERTIES"
17 | "ENDPROPERTIES"
18 | "CHARS"
19 | "STARTCHAR"
20 | "ENCODING"
21 | "BBX"
22 | "BITMAP"
23 | "ENDCHAR"
24 | "ENDFONT"
25 | 
26 | # misc
27 | "255"
28 | "-1"
29 | "0"
30 | "2.1"
31 | 


--------------------------------------------------------------------------------
/dictionaries/bmp.dict:
--------------------------------------------------------------------------------
 1 | windows="BM"
 2 | os2_bitmap="BA"
 3 | os2_icon="CI"
 4 | os2_pointer="CP"
 5 | os2_struct="IC"
 6 | os2_ptr="PT"
 7 | windows_color_space="Win "
 8 | srgb="sRGB"
 9 | link="LINK"
10 | mbed="MBED"
11 | 


--------------------------------------------------------------------------------
/dictionaries/bz2.dict:
--------------------------------------------------------------------------------
1 | magic="BZ"
2 | compress_magic="\x31\x41\x59\x26\x53\x59"
3 | eos_magic="\x17\x72\x45\x38\x50\x90"
4 | 


--------------------------------------------------------------------------------
/dictionaries/creole.dict:
--------------------------------------------------------------------------------
 1 | # http://www.wikicreole.org/wiki/Creole1.0
 2 | 
 3 | bold="**"
 4 | italic="//"
 5 | heading="=="
 6 | link1="[[a|b]]"
 7 | link2="[[a:b]]"
 8 | hr="----"
 9 | img=" {{a|b}}"
10 | table_heading="|=a |=b |"
11 | raw="{{{a}}}"
12 | escape="~"
13 | placeholder="<<<x>>>"
14 | line_break="\\\\"
15 | 


--------------------------------------------------------------------------------
/dictionaries/csv.dict:
--------------------------------------------------------------------------------
1 | "\x00"
2 | "\r\n"
3 | ";;"
4 | ",,"
5 | "\t;"
6 | "\n;"
7 | 


--------------------------------------------------------------------------------
/dictionaries/dds.dict:
--------------------------------------------------------------------------------
 1 | # See http://www.mindcontrol.org/~hplus/graphics/dds-info/
 2 | 
 3 | magic="\x20\x53\x44\x44"
 4 | 
 5 | # Headers
 6 | "\x00\x00\x00\x01"
 7 | "\x00\x00\x00\x02"
 8 | "\x00\x00\x00\x04"
 9 | "\x00\x00\x00\x08"
10 | "\x00\x00\x10\x00"
11 | "\x00\x02\x00\x00"
12 | "\x00\x08\x00\x00"
13 | "\x00\x80\x00\x00"
14 | "\x00\x00\x00\x01"
15 | "\x00\x00\x00\x04"
16 | "\x00\x00\x00\x20"
17 | "\x00\x00\x00\x40"
18 | "\x00\x00\x00\x08"
19 | "\x00\x00\x10\x00"
20 | "\x00\x40\x00\x00"
21 | "\x00\x00\x02\x00"
22 | "\x00\x00\x04\x00"
23 | "\x00\x00\x08\x00"
24 | "\x00\x00\x10\x00"
25 | "\x00\x00\x20\x00"
26 | "\x00\x00\x40\x00"
27 | "\x00\x00\x80\x00"
28 | "\x00\x20\x00\x00"
29 | 
30 | #formats
31 | "1TXD"
32 | "2TXD"
33 | "3TXD"
34 | "4TXD"
35 | "5TXD"
36 | 


--------------------------------------------------------------------------------
/dictionaries/djvu.dict:
--------------------------------------------------------------------------------
 1 | "ANTa"
 2 | "ANTz"
 3 | "BG2k"
 4 | "BG44"
 5 | "BGjp"
 6 | "BM44"
 7 | "CELX"
 8 | "DIRM"
 9 | "DJVI"
10 | "DJVM"
11 | "DJVU"
12 | "Djbz"
13 | "FAKE"
14 | "FG2k"
15 | "FG44"
16 | "FGbz"
17 | "FGjp"
18 | "FORM"
19 | "INCL"
20 | "INFO"
21 | "LINK"
22 | "METa"
23 | "METz"
24 | "NAVM"
25 | "NDIR"
26 | "PM44"
27 | "SINF"
28 | "Sjbz"
29 | "Smmr"
30 | "TH44"
31 | "THUM"
32 | "TXTa"
33 | "TXTz"
34 | "WMRM"
35 | 


--------------------------------------------------------------------------------
/dictionaries/fbs.dict:
--------------------------------------------------------------------------------
 1 | # spec: https://google.github.io/flatbuffers/flatbuffers_grammar.html
 2 | 
 3 | attribute="attribute"
 4 | bool="bool"
 5 | byte="byte"
 6 | double="double"
 7 | enum="enum"
 8 | false="false"
 9 | file_extension="file_extension"
10 | float32="float32"
11 | float64="float64"
12 | float="float"
13 | include="include"
14 | inf="inf"
15 | infinity="infinity"
16 | int16="int16"
17 | int32="int32"
18 | int64="int64"
19 | int8="int8"
20 | int="int"
21 | long="long"
22 | namespace="namespace"
23 | nan="nan"
24 | root_type="root_type"
25 | root_type="root_type"
26 | rpc_service="rpc_service"
27 | short="short"
28 | string="string"
29 | struct="struct"
30 | table="table"
31 | true="true"
32 | ubyte="ubyte"
33 | uint16="uint16"
34 | uint32="uint32"
35 | uint64="uint64"
36 | uint="uint"
37 | ulong="ulong"
38 | union="union"
39 | ushort="ushort"
40 | 
41 | separator=":"
42 | eol=";"
43 | 


--------------------------------------------------------------------------------
/dictionaries/gif.dict:
--------------------------------------------------------------------------------
 1 | #
 2 | # AFL dictionary for GIF images
 3 | # -----------------------------
 4 | #
 5 | # Created by Michal Zalewski
 6 | #
 7 | 
 8 | header_87a="87a"
 9 | header_89a="89a"
10 | header_gif="GIF"
11 | 
12 | marker_2c=","
13 | marker_3b=";"
14 | 
15 | section_2101="!\x01\x12"
16 | section_21f9="!\xf9\x04"
17 | section_21fe="!\xfe"
18 | section_21ff="!\xff\x11"
19 | 


--------------------------------------------------------------------------------
/dictionaries/heif.dict:
--------------------------------------------------------------------------------
 1 | # https://standards.iso.org/ittf/PubliclyAvailableStandards/c066067_ISO_IEC_23008-12_2017.zip
 2 | 
 3 | "altr"
 4 | "auxC"
 5 | "auxc"
 6 | "auxi"
 7 | "auxv"
 8 | "avcC"
 9 | "avci"
10 | "avcs"
11 | "ccst"
12 | "cdsc"
13 | "clap"
14 | "colr"
15 | "dimg"
16 | "dinf"
17 | "dref"
18 | "elst"
19 | "equi"
20 | "free"
21 | "frma"
22 | "ftyp"
23 | "grid"
24 | "grp1"
25 | "hdlr"
26 | "heic"
27 | "heim"
28 | "heis"
29 | "heix"
30 | "hevc"
31 | "hevx"
32 | "hvc1"
33 | "hvc2"
34 | "hvcC"
35 | "idat"
36 | "iden"
37 | "iinf"
38 | "iloc"
39 | "imir"
40 | "infe"
41 | "iovl"
42 | "ipro"
43 | "iprp"
44 | "iref"
45 | "irot"
46 | "ispe"
47 | "jpeg"
48 | "jpgC"
49 | "jpgs"
50 | "lhv1"
51 | "lhvC"
52 | "lsel"
53 | "mdat"
54 | "meta"
55 | "mif1"
56 | "mime"
57 | "mjpg"
58 | "msf1"
59 | "oinf"
60 | "pasp"
61 | "pict"
62 | "pitm"
63 | "pixi"
64 | "refs"
65 | "rloc"
66 | "schi"
67 | "schm"
68 | "sgpd"
69 | "sinf"
70 | "skip"
71 | "stsz"
72 | "subs"
73 | "thmb"
74 | "tkhd"
75 | "tols"
76 | "trak"
77 | 


--------------------------------------------------------------------------------
/dictionaries/hoextdown.dict:
--------------------------------------------------------------------------------
 1 | asterisk="*"
 2 | attr_generic=" a=\"1\""
 3 | attr_href=" href=\"1\""
 4 | attr_xml_lang=" xml:lang=\"1\""
 5 | attr_xmlns=" xmlns=\"1\""
 6 | backslash="\\"
 7 | backtick="`"
 8 | colon=":"
 9 | dashes="---"
10 | double_quote="\""
11 | entity_builtin="&lt;"
12 | entity_decimal="&#1;"
13 | entity_external="&a;"
14 | entity_hex="&#x1;"
15 | equals="==="
16 | exclamation="!"
17 | greater_than=">"
18 | hash="#"
19 | hyphen="-"
20 | indent="  "
21 | left_bracket="["
22 | left_paren="("
23 | less_than="<"
24 | plus="+"
25 | right_bracket="]"
26 | right_paren=")"
27 | single_quote="'"
28 | string_any="ANY"
29 | string_brackets="[]"
30 | string_cdata="CDATA"
31 | string_dashes="--"
32 | string_empty_dblquotes="\"\""
33 | string_empty_quotes="''"
34 | string_idrefs="IDREFS"
35 | string_parentheses="()"
36 | string_pcdata="#PCDATA"
37 | tag_cdata="<![CDATA["
38 | tag_close="</a>"
39 | tag_doctype="<!DOCTYPE"
40 | tag_element="<!ELEMENT"
41 | tag_entity="<!ENTITY"
42 | tag_notation="<!NOTATION"
43 | tag_open="<a>"
44 | tag_open_close="<a />"
45 | tag_open_exclamation="<!"
46 | tag_open_q="<?"
47 | tag_sq2_close="]]>"
48 | tag_xml_q="<?xml?>"
49 | underscore="_"
50 | 


--------------------------------------------------------------------------------
/dictionaries/iccprofile.dict:
--------------------------------------------------------------------------------
 1 | # Dict for ICC profiles parsed by skcms.
 2 | 
 3 | "mft1"
 4 | "mft2"
 5 | "mAB "
 6 | "rXYZ"
 7 | "gXYZ"
 8 | "bXYZ"
 9 | "rTRC"
10 | "gTRC"
11 | "bTRC"
12 | "kTRC"
13 | "A2B0"
14 | "curv"
15 | "para"
16 | "mluc"
17 | "XYZ "
18 | "Lab "
19 | "RGB "
20 | "CMYK"
21 | "GRAY"
22 | "mntr"
23 | "scnr"
24 | "prtr"
25 | "spac"
26 | 


--------------------------------------------------------------------------------
/dictionaries/icns.dict:
--------------------------------------------------------------------------------
 1 | # https://en.wikipedia.org/wiki/Apple_Icon_Image_format
 2 | 
 3 | "ICN#"
 4 | "ICON"
 5 | "TOC "
 6 | "h8mk"
 7 | "ic04"
 8 | "ic05"
 9 | "ic07"
10 | "ic08"
11 | "ic09"
12 | "ic10"
13 | "ic11"
14 | "ic12"
15 | "ic13"
16 | "ic14"
17 | "ich#"
18 | "ich4"
19 | "ich8"
20 | "icl4"
21 | "icl8"
22 | "icm#"
23 | "icm4"
24 | "icm8"
25 | "icnV"
26 | "icns"
27 | "icp4"
28 | "icp5"
29 | "icp6"
30 | "ics#"
31 | "ics4"
32 | "ics8"
33 | "icsB"
34 | "icsb"
35 | "ih32"
36 | "il32"
37 | "info"
38 | "is32"
39 | "it32"
40 | "l8mk"
41 | "name"
42 | "s8mk"
43 | "t8mk"
44 | 


--------------------------------------------------------------------------------
/dictionaries/jpeg.dict:
--------------------------------------------------------------------------------
 1 | #
 2 | # AFL dictionary for JPEG images
 3 | # ------------------------------
 4 | #
 5 | # Created by Michal Zalewski
 6 | #
 7 | 
 8 | header_jfif="JFIF\x00"
 9 | header_jfxx="JFXX\x00"
10 | 
11 | section_ffc0="\xff\xc0"
12 | section_ffc2="\xff\xc2"
13 | section_ffc4="\xff\xc4"
14 | section_ffd0="\xff\xd0"
15 | section_ffd8="\xff\xd8"
16 | section_ffd9="\xff\xd9"
17 | section_ffda="\xff\xda"
18 | section_ffdb="\xff\xdb"
19 | section_ffdd="\xff\xdd"
20 | section_ffe0="\xff\xe0"
21 | section_ffe1="\xff\xe1"
22 | section_fffe="\xff\xfe"
23 | 


--------------------------------------------------------------------------------
/dictionaries/jpeg2000.dict:
--------------------------------------------------------------------------------
 1 | type="jP  "
 2 | ftyp="ftyp"
 3 | subtype1="jp2 "
 4 | subtype2="jp20"
 5 | subtype3="jpm "
 6 | subtype4="jpx "
 7 | subtype5="jp2h"
 8 | subtype6="jpxb"
 9 | subtype7="mjp2"
10 | subtype8="mj2s"
11 | subtype9="jp2c"
12 | subtype10="jpch"
13 | subtype11="jplh"
14 | codestream="\xFF\x4F\xFF\x51"
15 | signature="\x0d\x0a\x87\x0a"
16 | tag1="hdr"
17 | tag2="colr"
18 | tag3="url"
19 | tag4="req"
20 | tag5="res"
21 | tag6="page"
22 | tag7="obj"
23 | 


--------------------------------------------------------------------------------
/dictionaries/json.dict:
--------------------------------------------------------------------------------
 1 | #
 2 | # AFL dictionary for JSON
 3 | # -----------------------
 4 | #
 5 | # Just the very basics.
 6 | #
 7 | # Inspired by a dictionary by Jakub Wilk <jwilk@jwilk.net>
 8 | #
 9 | 
10 | "0"
11 | ",0"
12 | ":0"
13 | "0:"
14 | "-1.2e+3"
15 | 
16 | "true"
17 | "false"
18 | "null"
19 | 
20 | "\"\""
21 | ",\"\""
22 | ":\"\""
23 | "\"\":"
24 | 
25 | "{}"
26 | ",{}"
27 | ":{}"
28 | "{\"\":0}"
29 | "{{}}"
30 | 
31 | "[]"
32 | ",[]"
33 | ":[]"
34 | "[0]"
35 | "[[]]"
36 | 
37 | "''"
38 | "\\"
39 | "\\b"
40 | "\\f"
41 | "\\n"
42 | "\\r"
43 | "\\t"
44 | "\\u0000"
45 | "\\x00"
46 | "\\0"
47 | "\\uD800\\uDC00"
48 | "\\uDBFF\\uDFFF"
49 | 
50 | "\"\":0"
51 | "//"
52 | "/**/"
53 | 
54 | "$ref"
55 | "type"
56 | "coordinates"
57 | "@context"
58 | "@id"
59 | 
60 | ","
61 | ":"
62 | 


--------------------------------------------------------------------------------
/dictionaries/jsonnet.dict:
--------------------------------------------------------------------------------
 1 | # https://jsonnet.org/ref/spec.html
 2 | 
 3 | # Keywords
 4 | "assert"
 5 | "else"
 6 | "error"
 7 | "false"
 8 | "for"
 9 | "function"
10 | "if"
11 | "import"
12 | "importstr"
13 | "in"
14 | "local"
15 | "null"
16 | "self"
17 | "super"
18 | "tailstrict"
19 | "then"
20 | "true"
21 | "super"
22 | "local"
23 | 
24 | # operators
25 | "|||"
26 | "@\""
27 | "@'"
28 | "!="
29 | "=="
30 | "[::]"
31 | "+:::"
32 | 
33 | # functions
34 | "std.acos("
35 | "std.asin("
36 | "std.atan("
37 | "std.ceil("
38 | "std.char("
39 | "std.codepoint("
40 | "std.cos("
41 | "std.equals("
42 | "std.exp("
43 | "std.exponent("
44 | "std.floor("
45 | "std.join("
46 | "std.length("
47 | "std.log("
48 | "std.makeArray("
49 | "std.mantissa("
50 | "std.mod"
51 | "std.modulo("
52 | "std.objectFiledsEx("
53 | "std.objectsHasEx("
54 | "std.pow("
55 | "std.primitiveEquals("
56 | "std.sin("
57 | "std.slice("
58 | "std.sqrt("
59 | "std.tan("
60 | "std.type("
61 | 


--------------------------------------------------------------------------------
/dictionaries/markdown.dict:
--------------------------------------------------------------------------------
 1 | strike="~~"
 2 | list="2."
 3 | link="[a]("
 4 | link_without_ref="[a]["
 5 | image="![b]("
 6 | bold="**"
 7 | separator="---"
 8 | title="# "
 9 | fence="```"
10 | link_bottom="[a]:"
11 | link_inline="<http://"
12 | link_bottom_title="[1]: http://a.com"
13 | checklist="- [x"
14 | toc="[TOC]"
15 | highlight_rst=":::python"
16 | 
17 | 
18 | # GFM - https://github.github.com/gfm/
19 | "| ---"
20 | leaf1="***"
21 | leaf2="___"
22 | code_hl="```html"
23 | task="- [ ]"
24 | 
25 | 
26 | # Extended syntax: https://www.markdownguide.org/extended-syntax/
27 | footnote="[^a]"
28 | title_id="#a {#b}"
29 | 


--------------------------------------------------------------------------------
/dictionaries/math.dict:
--------------------------------------------------------------------------------
 1 | "{"
 2 | "}"
 3 | ","
 4 | "["
 5 | "]"
 6 | ","
 7 | ":"
 8 | "e"
 9 | "e+"
10 | "e-"
11 | "E"
12 | "E+"
13 | "E-"
14 | "\""
15 | "\\"
16 | " "
17 | "null"
18 | "1"
19 | "1.234"
20 | "3e4"
21 | 


--------------------------------------------------------------------------------
/dictionaries/mysqld.dict:
--------------------------------------------------------------------------------
1 | user="root"
2 | 


--------------------------------------------------------------------------------
/dictionaries/ogg.dict:
--------------------------------------------------------------------------------
 1 | # https://xiph.org/vorbis/doc/Vorbis_I_spec.html
 2 | 
 3 | header="OggS"
 4 | 
 5 | # Codecs
 6 | "BBCD\x00"
 7 | "\x7fFLAC"
 8 | "\x80theora"
 9 | "\x01vorbis"
10 | "CELT    "
11 | "CMML\x00\x00\x00\x00"
12 | "\x8bJNG\x0d\x0a\x1a\x0a"
13 | "\x80kate\x00\x00\x00"
14 | "OggMIDI\x00"
15 | "\x8aMNG\x0d\x0a\x1a\x0a"
16 | "PCM     "
17 | "\x89PNG\x0d\x0a\x1a\x0a"
18 | "Speex   "
19 | "YUV4MPEG"
20 | 
21 | # Metadata
22 | "TITLE="
23 | "VERSION="
24 | "ALBUM="
25 | "TRACKNUMBER="
26 | "ARTIST="
27 | "PERFORMER="
28 | "COPYRIGHT="
29 | "LICENSE="
30 | "ORGANIZATION="
31 | "DESCRIPTION="
32 | "GENRE="
33 | "DATE="
34 | "LOCATION="
35 | "CONTACT="
36 | "ISRC="
37 | 


--------------------------------------------------------------------------------
/dictionaries/pbm.dict:
--------------------------------------------------------------------------------
 1 | # https://en.wikipedia.org/wiki/Netpbm_format
 2 | header1="P1"
 3 | header2="P2"
 4 | header3="P3"
 5 | header4="P4"
 6 | header5="P5"
 7 | header6="P6"
 8 | zero="0"
 9 | one="1"
10 | comment="#"
11 | max="255"
12 | overflow="256"
13 | 
14 | # PAM - https://en.wikipedia.org/wiki/Netpbm#PAM_graphics_format
15 | header7="P7"
16 | width="WIDTH"
17 | height="HEIGHT"
18 | depth="DEPTH"
19 | maxval="MAXVAL"
20 | enhdr="ENDHDR"
21 | tupltype="TUPLTYPE"
22 | tupltype1="RGB_ALPHA"
23 | tupltype2="RGB"
24 | typltype3="BLACKANDWHITE"
25 | typltype4="BLACKANDWHITE_ALPHA"
26 | typltype5="GRAYSCALE"
27 | typltype6="GRAYSCALE_ALPHA"
28 | maxval_num="65535"
29 | maxval_overlfow="65536"
30 | 


--------------------------------------------------------------------------------
/dictionaries/pcap.dict:
--------------------------------------------------------------------------------
 1 | # https://www.tcpdump.org/pcap/pcap.html
 2 | 
 3 | # Headers
 4 | "\xa1\xb2\xc3\xd4"
 5 | "\xd4\xc3\xb2\xa1"
 6 | "\xa1\xb2\x3c\x4d"
 7 | "\x4d\x3c\xb2\xa1"
 8 | 
 9 | 
10 | current_version="\x02\x00\x04\x00"
11 | 


--------------------------------------------------------------------------------
/dictionaries/perl.dict:
--------------------------------------------------------------------------------
 1 | 
 2 | #
 3 | # AFL dictionary for fuzzing Perl
 4 | # --------------------------------
 5 | #
 6 | # Created by @RandomDhiraj
 7 | #
 8 | 
 9 | "<:crlf"
10 | "fwrite()"
11 | "fread()"
12 | ":raw:utf8"
13 | ":raw:eol(LF)"
14 | "Perl_invert()"
15 | ":raw:eol(CRLF)"
16 | "Perl_PerlIO_eof()"
17 | 


--------------------------------------------------------------------------------
/dictionaries/png.dict:
--------------------------------------------------------------------------------
 1 | #
 2 | # AFL dictionary for PNG images
 3 | # -----------------------------
 4 | #
 5 | # Just the basic, standard-originating sections; does not include vendor
 6 | # extensions.
 7 | #
 8 | # Created by Michal Zalewski
 9 | #
10 | 
11 | header_png="\x89PNG\x0d\x0a\x1a\x0a"
12 | 
13 | section_IDAT="IDAT"
14 | section_IEND="IEND"
15 | section_IHDR="IHDR"
16 | section_PLTE="PLTE"
17 | section_bKGD="bKGD"
18 | section_cHRM="cHRM"
19 | section_fRAc="fRAc"
20 | section_gAMA="gAMA"
21 | section_gIFg="gIFg"
22 | section_gIFt="gIFt"
23 | section_gIFx="gIFx"
24 | section_hIST="hIST"
25 | section_iCCP="iCCP"
26 | section_iTXt="iTXt"
27 | section_oFFs="oFFs"
28 | section_pCAL="pCAL"
29 | section_pHYs="pHYs"
30 | section_sBIT="sBIT"
31 | section_sCAL="sCAL"
32 | section_sPLT="sPLT"
33 | section_sRGB="sRGB"
34 | section_sTER="sTER"
35 | section_tEXt="tEXt"
36 | section_tIME="tIME"
37 | section_tRNS="tRNS"
38 | section_zTXt="zTXt"
39 | 


--------------------------------------------------------------------------------
/dictionaries/protobuf.dict:
--------------------------------------------------------------------------------
 1 | # Keywords taken from https://developers.google.com/protocol-buffers/docs/reference/proto2-spec
 2 | 
 3 | bool="bool"
 4 | bytes="bytes"
 5 | double="double"
 6 | enum="enum"
 7 | extend="extend"
 8 | extension="extension"
 9 | false="false"
10 | fixed32="fixed32"
11 | fixed64="fixed64"
12 | float="float"
13 | group="group"
14 | import="import"
15 | inner="inner"
16 | int32="int32"
17 | int64="int64"
18 | map="map<"
19 | message="message"
20 | option="option"
21 | optional="optional"
22 | package="package"
23 | public="public"
24 | repeated="repeated"
25 | required="required"
26 | reserved="reserved"
27 | returns="returns"
28 | rpc="rpc"
29 | service="service"
30 | sfixed32="sfixed32"
31 | sfixed64="sfixed64"
32 | sint32="sint32"
33 | sint64="sint64"
34 | stream="stream"
35 | string="string"
36 | syntax="syntax"
37 | true="true"
38 | uint32="uint32"
39 | uint64="uint64"
40 | weak="weak"
41 | 


--------------------------------------------------------------------------------
/dictionaries/riff.dict:
--------------------------------------------------------------------------------
 1 | # https://developers.google.com/speed/webp/docs/riff_container
 2 | 
 3 | # FourCC
 4 | "ALPH"
 5 | "ANIM"
 6 | "ANMF"
 7 | "EXIF"
 8 | "ICCP"
 9 | "RIFF"
10 | "VP8 "
11 | "VP8L"
12 | "VP8X"
13 | "WEBP"
14 | "XMP "
15 | 
16 | # VP8 signature
17 | "\x9D\x01\x2A"
18 | 


--------------------------------------------------------------------------------
/dictionaries/rss.dict:
--------------------------------------------------------------------------------
 1 | # https://en.wikipedia.org/wiki/RSS
 2 | 
 3 | "<?xml version='1.0' encoding='UTF-8' ?>"
 4 | "<rss version='2.0'>"
 5 | "<author>"
 6 | "<category>"
 7 | "<channel>"
 8 | "<cloud>"
 9 | "<comments>"
10 | "<copyright>"
11 | "<description>"
12 | "<docs>"
13 | "<enclosure>"
14 | "<generator>"
15 | "<guid>"
16 | "<image>"
17 | "<item>"
18 | "<language>"
19 | "<lastBuildDate>"
20 | "<link>"
21 | "<managingEditor>"
22 | "<pubDate>"
23 | "<rating>"
24 | "<skipDays>"
25 | "<skipHours>"
26 | "<source>"
27 | "<textInput>"
28 | "<title>"
29 | "<ttl>"
30 | "<url>"
31 | "<webMaster>"
32 | 


--------------------------------------------------------------------------------
/dictionaries/rst.dict:
--------------------------------------------------------------------------------
 1 | # https://docutils.readthedocs.io/en/sphinx-docs/ref/rst/restructuredtext.html
 2 | 
 3 | bold="**"
 4 | list1="1. "
 5 | list2="(1) "
 6 | list3="1) "
 7 | list4="I. "
 8 | list5="i. "
 9 | list6="* "
10 | list7="- "
11 | list8="+ "
12 | end_of_paragraph="::"
13 | title="====="
14 | image=".. image:: "
15 | image_attr="    :a: 1"
16 | doctest=">>>"
17 | table1="+--+""
18 | table2="+==+""
19 | footnote_and_citation=".. [a] "
20 | hyperlink=".. _a: http://a "
21 | macro=".. |b| a"
22 | 


--------------------------------------------------------------------------------
/dictionaries/sas.dict:
--------------------------------------------------------------------------------
 1 | " "
 2 | "#"
 3 | "
quot;
 4 | "$CHAR"
 5 | "%LET"
 6 | "("
 7 | ")"
 8 | "*/"
 9 | "/*"
10 | ";"
11 | "@"
12 | "ATTRIB"
13 | "CLEAR"
14 | "CONTENTS"
15 | "DATA"
16 | "DATE"
17 | "FILENAME"
18 | "FOOTNOTE"
19 | "FORMAT"
20 | "IF"
21 | "INFILE"
22 | "INPUT"
23 | "INVALUE"
24 | "LABEL"
25 | "LENGTH"
26 | "LIBNAME"
27 | "LIST"
28 | "MISSING"
29 | "OPTIONS"
30 | "OTHER"
31 | "PRINT"
32 | "PROC"
33 | "RUN"
34 | "VALUE"
35 | "_ALL_"
36 | "dlm"
37 | "firstobs"
38 | 


--------------------------------------------------------------------------------
/dictionaries/spss.dict:
--------------------------------------------------------------------------------
 1 | "("
 2 | "(NOMINAL)"
 3 | "(ORDINAL)"
 4 | "(SCALE)"
 5 | ")"
 6 | "."
 7 | "/"
 8 | "/VARIABLES"
 9 | "="
10 | " "
11 | "A"
12 | "ADATE"
13 | "COMMENT"
14 | "DATA"
15 | "DATASET"
16 | "DATE"
17 | "DELIMITERS"
18 | "DICTIONARY"
19 | "DISPLAY"
20 | "END"
21 | "EXECUTE"
22 | "F"
23 | "FILE"
24 | "FIRSTCASE"
25 | "FIXED"
26 | "FORMATS"
27 | "HANDLE"
28 | "IF"
29 | "INPUT"
30 | "LABEL"
31 | "LABELS"
32 | "LEVEL"
33 | "LIST"
34 | "NAME"
35 | "OUTFILE"
36 | "PROGRAM"
37 | "RECODE"
38 | "RECORD"
39 | "SAVE"
40 | "SELECT"
41 | "SET"
42 | "SYSMIS"
43 | "TABLE"
44 | "VALUE"
45 | "VARIABLE"
46 | "WINDOW"
47 | 


--------------------------------------------------------------------------------
/dictionaries/stata.dict:
--------------------------------------------------------------------------------
 1 | " "
 2 | ")"
 3 | "*/"
 4 | "/*"
 5 | "_column("
 6 | "_firstlineoffile("
 7 | "_line("
 8 | "_lines("
 9 | "_lrecl("
10 | "_newline"
11 | "_skip("
12 | "byte"
13 | "dictionary"
14 | "double"
15 | "float"
16 | "infile"
17 | "int"
18 | "long"
19 | "str"
20 | "using"
21 | "{"
22 | "}"
23 | 


--------------------------------------------------------------------------------
/dictionaries/theme-load-fuzz.dict:
--------------------------------------------------------------------------------
 1 | "{"
 2 | "}"
 3 | "\""
 4 | ";"
 5 | "="
 6 | "formats"
 7 | "replaces"
 8 | "abstracts"
 9 | "timestamp"
10 | 


--------------------------------------------------------------------------------
/dictionaries/tiff.dict:
--------------------------------------------------------------------------------
 1 | #
 2 | # AFL dictionary for TIFF images
 3 | # ------------------------------
 4 | #
 5 | # Just the basic, standard-originating sections; does not include vendor
 6 | # extensions.
 7 | #
 8 | # Created by Michal Zalewski
 9 | #
10 | 
11 | header_ii="II*\x00"
12 | header_mm="MM\x00*"
13 | 
14 | section_100="\x00\x01"
15 | section_101="\x01\x01"
16 | section_102="\x02\x01"
17 | section_103="\x03\x01"
18 | section_106="\x06\x01"
19 | section_107="\x07\x01"
20 | section_10D="\x0d\x01"
21 | section_10E="\x0e\x01"
22 | section_10F="\x0f\x01"
23 | section_110="\x10\x01"
24 | section_111="\x11\x01"
25 | section_112="\x12\x01"
26 | section_115="\x15\x01"
27 | section_116="\x16\x01"
28 | section_117="\x17\x01"
29 | section_11A="\x1a\x01"
30 | section_11B="\x1b\x01"
31 | section_11C="\x1c\x01"
32 | section_11D="\x1d\x01"
33 | section_11E="\x1e\x01"
34 | section_11F="\x1f\x01"
35 | section_122="\"\x01"
36 | section_123="#\x01"
37 | section_124="$\x01"
38 | section_125="%\x01"
39 | section_128="(\x01"
40 | section_129=")\x01"
41 | section_12D="-\x01"
42 | section_131="1\x01"
43 | section_132="2\x01"
44 | section_13B=";\x01"
45 | section_13C="<\x01"
46 | section_13D="=\x01"
47 | section_13E=">\x01"
48 | section_13F="?\x01"
49 | section_140="@\x01"
50 | section_FE="\xfe\x00"
51 | section_FF="\xff\x00"
52 | 


--------------------------------------------------------------------------------
/dictionaries/tokener_parse_ex.dict:
--------------------------------------------------------------------------------
 1 | "{"
 2 | "}"
 3 | ","
 4 | "["
 5 | "]"
 6 | ","
 7 | ":"
 8 | "e"
 9 | "e+"
10 | "e-"
11 | "E"
12 | "E+"
13 | "E-"
14 | "\""
15 | "null"
16 | "1"
17 | "1.234"
18 | "3e4"
19 | 


--------------------------------------------------------------------------------
/dictionaries/toml.dict:
--------------------------------------------------------------------------------
 1 | # https://github.com/toml-lang/toml
 2 | 
 3 | key_value="a.b=\"c\""
 4 | unicode="\\u1234"
 5 | unicode_long="\\u12345678"
 6 | true="true"
 7 | false="false"
 8 | multiline_literal="'''"
 9 | multiline="\"\"\""
10 | integer="+1_2_3_4"
11 | negative_integer="-1"
12 | hex="0xde_ad"
13 | oct="0o6"
14 | bin="0b1"
15 | float="-6_3.6e-05"
16 | nan="nan"
17 | inf="inf"
18 | time="1979-05-27T07:32:00Z"
19 | array="[1,2]"
20 | table="[a]"
21 | inline_table="a={1=2,3=4}"
22 | array_table="[[a]]"
23 | 


--------------------------------------------------------------------------------
/dictionaries/type42.dict:
--------------------------------------------------------------------------------
 1 | # https://www.adobe.com/content/dam/acom/en/devnet/font/pdfs/5012.Type42_Spec.pdf
 2 | # This format is a super-set of postscript, so don't forget to use ps.dict as well
 3 | 
 4 | magic="%!PS-TrueTypeFont"
 5 | "%%VMUsage:"
 6 | "/FontType"
 7 | "/FontMatrix"
 8 | "/FontName"
 9 | "/FontInfo"
10 | "/Encoding"
11 | "/FontBBox"
12 | "/UniqueID"
13 | "/XUID"
14 | "/PaintType"
15 | "/StrokeWidth"
16 | "/Metrics"
17 | "/Metrics2"
18 | "/CDevProc"
19 | "/CharStrings"
20 | "/sfnts"
21 | "/CIDMap"
22 | "/GDBytes"
23 | "/GlyphDirectory"
24 | "/MetricsCount"
25 | "/WMode"
26 | 


--------------------------------------------------------------------------------
/dictionaries/url.dict:
--------------------------------------------------------------------------------
 1 | # https://en.wikipedia.org/wiki/Uniform_Resource_Identifier
 2 | 
 3 | # scheme
 4 | "aim"
 5 | "callto"
 6 | "cvs"
 7 | "data"
 8 | "facetime"
 9 | "feed"
10 | "file"
11 | "ftp"
12 | "git"
13 | "gopher"
14 | "gtalk"
15 | "h323"
16 | "hdl"
17 | "http"
18 | "https"
19 | "imap"
20 | "irc"
21 | "irc6"
22 | "ircs"
23 | "itms"
24 | "javascript"
25 | "magnet"
26 | "mailto"
27 | "mms"
28 | "msnim"
29 | "news"
30 | "nntp"
31 | "prospero"
32 | "rsync"
33 | "rtsp"
34 | "rtspu"
35 | "sftp"
36 | "shttp"
37 | "sip"
38 | "sips"
39 | "skype"
40 | "smb"
41 | "snews"
42 | "ssh"
43 | "svn"
44 | "svn"
45 | "svn+ssh"
46 | "telnet"
47 | "tel"
48 | "wais"
49 | "ymsg" 
50 | 
51 | # encoded characters
52 | "%2f"
53 | "%40"
54 | "%26"
55 | 
56 | # misc
57 | "://"
58 | "//"
59 | "\\"
60 | "../"
61 | ";type=a"
62 | "xn--"
63 | 


--------------------------------------------------------------------------------
/dictionaries/vhd.dict:
--------------------------------------------------------------------------------
 1 | # https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-VHDX/%5bMS-VHDX%5d.pdf
 2 | 
 3 | magic="\x65\x6C\x69\x66\x78\x64\x68\x76"
 4 | head="\x64\x61\x65\x68"
 5 | regi="\x69\x67\x65\x72"
 6 | loge="\x65\x67\x6F\x6C"
 7 | zero="\x6F\x72\x65\x7A"
 8 | desc="\x63\x73\x65\x64"
 9 | data="\x61\x74\x61\x64"
10 | metadata="\x61\x74\x61\x64\x61\x74\x65\x6D"
11 | 


--------------------------------------------------------------------------------
/dictionaries/vpx_dec.dict:
--------------------------------------------------------------------------------
1 | # IVF Signature + version (bytes 0-5)
2 | kw1="DKIF\x00\x00"
3 | 
4 | # VP9 codec fourCC (bytes 8-11)
5 | kw2="VP90"
6 | 
7 | # VP8 codec fourCC (bytes 8-11)
8 | kw3="VP80"
9 | 


--------------------------------------------------------------------------------
/dictionaries/wav.dict:
--------------------------------------------------------------------------------
 1 | header="RIFF"
 2 | header_id="WAVE"
 3 | 
 4 | fmt_chunk="fmt "
 5 | fact_chunk="fact"
 6 | data_chunk="data"
 7 | cue_chunk="cue "
 8 | playlist_chunk="plst"
 9 | list_chunk="list"
10 | label_chunk="labl"
11 | note_chunk="note"
12 | labeled_text_chunk="ltxt"
13 | sampler_chunk="smpl"
14 | instrument_chunk="inst"
15 | 
16 | # IFF extension: https://web.archive.org/web/20080114200405/http://www.borg.com/~jglatt/tech/aboutiff.htm
17 | "FORM"
18 | "LIST"
19 | "CAT "
20 | "ILBM"
21 | "AIFF"
22 | "ANIM"
23 | "CMAP"
24 | "MIDI"
25 | "MThd"
26 | 


--------------------------------------------------------------------------------
/dictionaries/webp.dict:
--------------------------------------------------------------------------------
 1 | #
 2 | # AFL dictionary for WebP images
 3 | # ------------------------------
 4 | #
 5 | # Created by Michal Zalewski
 6 | #
 7 | 
 8 | header_RIFF="RIFF"
 9 | header_WEBP="WEBP"
10 | 
11 | section_ALPH="ALPH"
12 | section_ANIM="ANIM"
13 | section_ANMF="ANMF"
14 | section_EXIF="EXIF"
15 | section_FRGM="FRGM"
16 | section_ICCP="ICCP"
17 | section_VP8="VP8 "
18 | section_VP8L="VP8L"
19 | section_VP8X="VP8X"
20 | section_XMP="XMP "
21 | 


--------------------------------------------------------------------------------
/dictionaries/wkt.dict:
--------------------------------------------------------------------------------
 1 | # https://en.wikipedia.org/wiki/Well-known_text_representation_of_geometry
 2 | 
 3 | "AFFINEPLACEMENT"
 4 | "BREPSOLID"
 5 | "CIRCLE"
 6 | "CIRCULARSTRING"
 7 | "CLOTHOID"
 8 | "COMPOUNDCURVE"
 9 | "CURVE"
10 | "CURVEPOLYGON"
11 | "ELLIPTICALCURVE"
12 | "EMPTY"
13 | "GEODESICSTRING"
14 | "GEOMETRY"
15 | "GEOMETRYCOLLECTION"
16 | "LINESTRING"
17 | "MULTICURVE"
18 | "MULTILINESTRING"
19 | "MULTIPOINT"
20 | "MULTIPOLYGON"
21 | "MULTISURFACE"
22 | "NURBSCURVE"
23 | "POINT"
24 | "PATCHES"
25 | "POLYGON"
26 | "POLYHEDRALSURFACE"
27 | "SPIRALCURVE"
28 | "SRID"
29 | "SURFACE"
30 | "TIN"
31 | "TRIANGLE"
32 | "ZM"
33 | 
34 | # misc
35 | "(1,2)"
36 | 


--------------------------------------------------------------------------------
/dictionaries/xpath.dict:
--------------------------------------------------------------------------------
 1 | # https://developer.mozilla.org/en-US/docs/Web/XPath
 2 | # https://devhints.io/xpath
 3 | 
 4 | # selectors
 5 | "//"
 6 | "./"
 7 | "::"
 8 | "[*]"
 9 | 
10 | 
11 | # functions - https://developer.mozilla.org/en-US/docs/Web/XPath/Functions
12 | "boolean("
13 | "ceiling("
14 | "choose("
15 | "concat("
16 | "contains("
17 | "count("
18 | "current()"
19 | "document("
20 | "element-available("
21 | "ends-with("
22 | "false()"
23 | "floor("
24 | "format-number("
25 | "function-available("
26 | "generate-id("
27 | "id("
28 | "key("
29 | "lang("
30 | "last()"
31 | "local-name("
32 | "name("
33 | "namespace-uri("
34 | "normalize-space("
35 | "not("
36 | "number("
37 | "or"
38 | "position("
39 | "round("
40 | "starts-with("
41 | "string("
42 | "string-length("
43 | "substring("
44 | "substring-after("
45 | "substring-before("
46 | "sum("
47 | "system-property("
48 | "text()"
49 | "translate("
50 | "true()"
51 | "unparsed-entity-url("
52 | 
53 | # axes - https://developer.mozilla.org/en-US/docs/Web/XPath/Axes
54 | "ancestor"
55 | "ancestor-or-self"
56 | "attribute"
57 | "child"
58 | "descendant"
59 | "descendant-or-self"
60 | "following"
61 | "following-sibling"
62 | "namespace"
63 | "parent"
64 | "preceding"
65 | "preceding-sibling"
66 | "self"
67 | 


--------------------------------------------------------------------------------
/dictionaries/zip.dict:
--------------------------------------------------------------------------------
1 | header1="\x50\x4B\x03\x04"
2 | header2="\x50\x4B\x05\x06"
3 | header2="\x50\x4B\x07\x08"
4 | 


--------------------------------------------------------------------------------
/docs/resources/afl_gzip.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/docs/resources/afl_gzip.png


--------------------------------------------------------------------------------
/docs/resources/screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/docs/resources/screenshot.png


--------------------------------------------------------------------------------
/docs/resources/statsd-grafana.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/docs/resources/statsd-grafana.png


--------------------------------------------------------------------------------
/frida_mode/.gitignore:
--------------------------------------------------------------------------------
1 | build/
2 | frida_test.dat
3 | qemu_test.dat
4 | frida_out/**
5 | qemu_out/**
6 | ts/dist/
7 | ts/node_modules/
8 | 


--------------------------------------------------------------------------------
/frida_mode/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | format:
13 | 	@gmake format
14 | 
15 | hook:
16 | 	@gmake hook
17 | 


--------------------------------------------------------------------------------
/frida_mode/addr/addr.c:
--------------------------------------------------------------------------------
 1 | #include <errno.h>
 2 | #include <link.h>
 3 | #include <stdio.h>
 4 | #include <unistd.h>
 5 | #include <sys/personality.h>
 6 | 
 7 | #define UNUSED_PARAMETER(x) (void)(x)
 8 | 
 9 | int phdr_callback(struct dl_phdr_info *info, size_t size, void *data) {
10 | 
11 |   UNUSED_PARAMETER(size);
12 | 
13 |   ElfW(Addr) *base = data;
14 | 
15 |   if (info->dlpi_name[0] == 0) { *base = info->dlpi_addr; }
16 |   return 0;
17 | 
18 | }
19 | 
20 | int main(int argc, char **argv, char **envp) {
21 | 
22 |   UNUSED_PARAMETER(argc);
23 | 
24 |   ElfW(Addr) base = 0;
25 | 
26 |   int persona = personality(ADDR_NO_RANDOMIZE);
27 |   if (persona == -1) {
28 | 
29 |     printf("Failed to set ADDR_NO_RANDOMIZE: %d", errno);
30 |     return 1;
31 | 
32 |   }
33 | 
34 |   if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); }
35 | 
36 |   dl_iterate_phdr(phdr_callback, &base);
37 | 
38 |   printf("%p\n", (void *)base);
39 |   if (base == 0) { return 1; }
40 | 
41 |   return 0;
42 | 
43 | }
44 | 
45 | 


--------------------------------------------------------------------------------
/frida_mode/include/asan.h:
--------------------------------------------------------------------------------
 1 | #ifndef _ASAN_H
 2 | #define _ASAN_H
 3 | 
 4 | #include "frida-gumjs.h"
 5 | 
 6 | extern gboolean asan_initialized;
 7 | 
 8 | void asan_config(void);
 9 | void asan_init(void);
10 | void asan_arch_init(void);
11 | void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator);
12 | void asan_exclude_module_by_symbol(gchar *symbol_name);
13 | 
14 | #endif
15 | 
16 | 


--------------------------------------------------------------------------------
/frida_mode/include/ctx.h:
--------------------------------------------------------------------------------
 1 | #ifndef _CTX_H
 2 | #define _CTX_H
 3 | 
 4 | #include "frida-gumjs.h"
 5 | 
 6 | #if defined(__x86_64__)
 7 | gsize ctx_read_reg(GumX64CpuContext *ctx, x86_reg reg);
 8 | #elif defined(__i386__)
 9 | gsize ctx_read_reg(GumIA32CpuContext *ctx, x86_reg reg);
10 | #elif defined(__aarch64__)
11 | gsize  ctx_read_reg(GumArm64CpuContext *ctx, arm64_reg reg);
12 | size_t ctx_get_size(const cs_insn *instr, cs_arm64_op *operand);
13 | #elif defined(__arm__)
14 | gsize ctx_read_reg(GumArmCpuContext *ctx, arm_reg reg);
15 | #endif
16 | 
17 | #endif
18 | 
19 | 


--------------------------------------------------------------------------------
/frida_mode/include/entry.h:
--------------------------------------------------------------------------------
 1 | #ifndef _ENTRY_H
 2 | #define _ENTRY_H
 3 | 
 4 | #include "frida-gumjs.h"
 5 | 
 6 | extern guint64  entry_point;
 7 | extern gboolean traceable;
 8 | extern gboolean entry_compiled;
 9 | extern gboolean entry_run;
10 | 
11 | void entry_config(void);
12 | 
13 | void entry_init(void);
14 | 
15 | void entry_start(void);
16 | 
17 | void entry_on_fork(void);
18 | 
19 | #endif
20 | 
21 | 


--------------------------------------------------------------------------------
/frida_mode/include/frida_cmplog.h:
--------------------------------------------------------------------------------
 1 | #ifndef _CMPLOG_H
 2 | #define _CMPLOG_H
 3 | 
 4 | extern struct cmp_map *__afl_cmp_map;
 5 | 
 6 | void cmplog_config(void);
 7 | void cmplog_init(void);
 8 | 
 9 | /* Functions to be implemented by the different architectures */
10 | void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator);
11 | 
12 | gboolean cmplog_is_readable(guint64 addr, size_t size);
13 | 
14 | #endif
15 | 
16 | 


--------------------------------------------------------------------------------
/frida_mode/include/intercept.h:
--------------------------------------------------------------------------------
 1 | #ifndef _INTERCEPTOR_H
 2 | #define _INTERCEPTOR_H
 3 | 
 4 | #include "frida-gumjs.h"
 5 | 
 6 | void intercept_hook(void *address, gpointer replacement, gpointer user_data);
 7 | void intercept_unhook(void *address);
 8 | void intercept_unhook_self(void);
 9 | 
10 | #endif
11 | 
12 | 


--------------------------------------------------------------------------------
/frida_mode/include/js.h:
--------------------------------------------------------------------------------
 1 | #ifndef _JS_H
 2 | #define _JS_H
 3 | 
 4 | #include "frida-gumjs.h"
 5 | 
 6 | typedef gboolean (*js_api_stalker_callback_t)(const cs_insn *insn,
 7 |                                               gboolean begin, gboolean excluded,
 8 |                                               GumStalkerOutput *output);
 9 | 
10 | typedef int (*js_main_hook_t)(int argc, char **argv, char **envp);
11 | 
12 | extern unsigned char api_js[];
13 | extern unsigned int  api_js_len;
14 | 
15 | extern gboolean                  js_done;
16 | extern js_api_stalker_callback_t js_user_callback;
17 | extern js_main_hook_t            js_main_hook;
18 | 
19 | /* Frida Mode */
20 | 
21 | void js_config(void);
22 | 
23 | void js_start(void);
24 | 
25 | gboolean js_stalker_callback(const cs_insn *insn, gboolean begin,
26 |                              gboolean excluded, GumStalkerOutput *output);
27 | 
28 | #endif
29 | 
30 | 


--------------------------------------------------------------------------------
/frida_mode/include/lib.h:
--------------------------------------------------------------------------------
 1 | #ifndef _LIB_H
 2 | #define _LIB_H
 3 | 
 4 | #include "frida-gumjs.h"
 5 | 
 6 | void lib_config(void);
 7 | 
 8 | void lib_init(void);
 9 | 
10 | guint64 lib_get_text_base(void);
11 | 
12 | guint64 lib_get_text_limit(void);
13 | 
14 | #endif
15 | 
16 | 


--------------------------------------------------------------------------------
/frida_mode/include/module.h:
--------------------------------------------------------------------------------
 1 | #ifndef _MODULE_H
 2 | #define _MODULE_H
 3 | 
 4 | #include "frida-gumjs.h"
 5 | 
 6 | void module_config(void);
 7 | 
 8 | void module_init(void);
 9 | 
10 | #endif
11 | 
12 | 


--------------------------------------------------------------------------------
/frida_mode/include/output.h:
--------------------------------------------------------------------------------
 1 | #ifndef _OUTPUT_H
 2 | #define _OUTPUT_H
 3 | 
 4 | #include "frida-gumjs.h"
 5 | 
 6 | extern char *output_stdout;
 7 | extern char *output_stderr;
 8 | 
 9 | void output_config(void);
10 | void output_init(void);
11 | 
12 | #endif
13 | 
14 | 


--------------------------------------------------------------------------------
/frida_mode/include/persistent.h:
--------------------------------------------------------------------------------
 1 | 
 2 | #ifndef _PERSISTENT_H
 3 | #define _PERSISTENT_H
 4 | 
 5 | #include "frida-gumjs.h"
 6 | #include "config.h"
 7 | 
 8 | typedef struct arch_api_regs api_regs;
 9 | 
10 | typedef void (*afl_persistent_hook_fn)(api_regs *regs, uint64_t guest_base,
11 |                                        uint8_t *input_buf,
12 |                                        uint32_t input_buf_len);
13 | 
14 | extern int __afl_persistent_loop(unsigned int max_cnt);
15 | 
16 | extern unsigned int  *__afl_fuzz_len;
17 | extern unsigned char *__afl_fuzz_ptr;
18 | 
19 | extern guint64                persistent_start;
20 | extern guint64                persistent_count;
21 | extern guint64                persistent_ret;
22 | extern gboolean               persistent_debug;
23 | extern afl_persistent_hook_fn persistent_hook;
24 | 
25 | void persistent_config(void);
26 | 
27 | void persistent_init(void);
28 | 
29 | /* Functions to be implemented by the different architectures */
30 | gboolean persistent_is_supported(void);
31 | 
32 | void persistent_prologue(GumStalkerOutput *output);
33 | void persistent_prologue_arch(GumStalkerOutput *output);
34 | 
35 | void persistent_epilogue(GumStalkerOutput *output);
36 | void persistent_epilogue_arch(GumStalkerOutput *output);
37 | 
38 | #endif
39 | 
40 | 


--------------------------------------------------------------------------------
/frida_mode/include/prefetch.h:
--------------------------------------------------------------------------------
 1 | #ifndef _PREFETCH_H
 2 | #define _PREFETCH_H
 3 | 
 4 | #include "frida-gumjs.h"
 5 | 
 6 | extern gboolean prefetch_enable;
 7 | extern gboolean prefetch_backpatch;
 8 | 
 9 | void prefetch_config(void);
10 | void prefetch_init(void);
11 | void prefetch_write(void *addr);
12 | void prefetch_read(void);
13 | 
14 | #endif
15 | 
16 | 


--------------------------------------------------------------------------------
/frida_mode/include/ranges.h:
--------------------------------------------------------------------------------
 1 | #ifndef _RANGES_H
 2 | #define _RANGES_H
 3 | 
 4 | #include "frida-gumjs.h"
 5 | 
 6 | extern gboolean ranges_debug_maps;
 7 | extern gboolean ranges_inst_libs;
 8 | extern gboolean ranges_inst_jit;
 9 | extern gboolean ranges_inst_dynamic_load;
10 | 
11 | void ranges_config(void);
12 | void ranges_init(void);
13 | 
14 | void ranges_print_debug_maps(void);
15 | 
16 | gboolean range_is_excluded(GumAddress address);
17 | 
18 | void ranges_exclude();
19 | 
20 | void ranges_add_include(GumMemoryRange *range);
21 | void ranges_add_exclude(GumMemoryRange *range);
22 | 
23 | #endif
24 | 
25 | 


--------------------------------------------------------------------------------
/frida_mode/include/shm.h:
--------------------------------------------------------------------------------
 1 | #ifndef _SHM_H
 2 | #define _SHM_H
 3 | 
 4 | #include <stddef.h>
 5 | 
 6 | void *shm_create(size_t size);
 7 | 
 8 | #endif
 9 | 
10 | 


--------------------------------------------------------------------------------
/frida_mode/include/stalker.h:
--------------------------------------------------------------------------------
 1 | #ifndef _STALKER_H
 2 | #define _STALKER_H
 3 | 
 4 | #include "frida-gumjs.h"
 5 | 
 6 | extern guint    stalker_ic_entries;
 7 | extern gboolean backpatch_enable;
 8 | extern guint    stalker_adjacent_blocks;
 9 | 
10 | void        stalker_config(void);
11 | void        stalker_init(void);
12 | GumStalker *stalker_get(void);
13 | void        stalker_start(void);
14 | void        stalker_trust(void);
15 | 
16 | GumStalkerObserver *stalker_get_observer(void);
17 | 
18 | #endif
19 | 
20 | 


--------------------------------------------------------------------------------
/frida_mode/many-linux/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM fridadotre/manylinux-x86_64
 2 | 
 3 | RUN yum -y install xz
 4 | 
 5 | WORKDIR /AFLplusplus
 6 | ENV CFLAGS="\
 7 |     -DADDR_NO_RANDOMIZE=0x0040000 \
 8 |     -Wno-implicit-function-declaration \
 9 |     "
10 | ENV CXX=$CC
11 | 


--------------------------------------------------------------------------------
/frida_mode/many-linux/GNUmakefile:
--------------------------------------------------------------------------------
 1 | PWD:=$(shell pwd)/
 2 | ROOT:=$(PWD)../../
 3 | BUILD_DIR:=$(PWD)build/
 4 | 
 5 | .PHONY: all build docker clean shell
 6 | 
 7 | all: docker
 8 | 	docker run --rm \
 9 | 		-v $(ROOT):/AFLplusplus \
10 | 		many-afl-frida \
11 | 		make -C /AFLplusplus/frida_mode clean all
12 | 
13 | build:
14 | 	docker run --rm \
15 | 		-v $(ROOT):/AFLplusplus \
16 | 		many-afl-frida \
17 | 		make -C /AFLplusplus/frida_mode
18 | 
19 | docker:
20 | 	docker build --tag many-afl-frida .
21 | 
22 | clean:
23 | 	docker images --filter 'dangling=true' -q --no-trunc | xargs -L1 docker rmi --force
24 | 
25 | shell:
26 | 	docker run -ti --rm many-afl-frida /bin/bash
27 | 


--------------------------------------------------------------------------------
/frida_mode/many-linux/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | clean:
 6 | 	@gmake clean
 7 | 
 8 | shell:
 9 | 	@gmake shell
10 | 


--------------------------------------------------------------------------------
/frida_mode/many-linux/README.md:
--------------------------------------------------------------------------------
 1 | # many-linux
 2 | 
 3 | This folder contains a Docker image to allow the building of
 4 | `afl-frida-trace.so` using the `many-linux` docker image. This docker image is
 5 | based on CentOS Linux 5. By building `afl-frida-trace.so` for such an old
 6 | version of Linux, given the strong backward compatibility of Linux, this should
 7 | work on the majority of Linux environments. This may be useful for targeting
 8 | Linux distributions other than your development environment. `many-local` builds
 9 | `AFLplusplus` from the local working copy in the `many-linux` environment.
10 | 


--------------------------------------------------------------------------------
/frida_mode/src/asan/asan_arm32.c:
--------------------------------------------------------------------------------
 1 | #include "frida-gumjs.h"
 2 | 
 3 | #include "asan.h"
 4 | #include "util.h"
 5 | 
 6 | #if defined(__arm__)
 7 | void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) {
 8 | 
 9 |   UNUSED_PARAMETER(instr);
10 |   UNUSED_PARAMETER(iterator);
11 |   if (asan_initialized) {
12 | 
13 |     FFATAL("ASAN mode not supported on this architecture");
14 | 
15 |   }
16 | 
17 | }
18 | 
19 | void asan_arch_init(void) {
20 | 
21 |   FFATAL("ASAN mode not supported on this architecture");
22 | 
23 | }
24 | 
25 | #endif
26 | 
27 | 


--------------------------------------------------------------------------------
/frida_mode/src/cmplog/cmplog_arm32.c:
--------------------------------------------------------------------------------
 1 | #include "frida-gumjs.h"
 2 | 
 3 | #include "frida_cmplog.h"
 4 | #include "util.h"
 5 | 
 6 | #if defined(__arm__)
 7 | void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) {
 8 | 
 9 |   UNUSED_PARAMETER(instr);
10 |   UNUSED_PARAMETER(iterator);
11 |   if (__afl_cmp_map == NULL) { return; }
12 |   FFATAL("CMPLOG mode not supported on this architecture");
13 | 
14 | }
15 | 
16 | #endif
17 | 
18 | 


--------------------------------------------------------------------------------
/frida_mode/src/ctx/ctx_arm32.c:
--------------------------------------------------------------------------------
 1 | #include "frida-gumjs.h"
 2 | 
 3 | #include "ctx.h"
 4 | #include "util.h"
 5 | 
 6 | #if defined(__arm__)
 7 | 
 8 | gsize ctx_read_reg(GumArmCpuContext *ctx, arm_reg reg) {
 9 | 
10 |   UNUSED_PARAMETER(ctx);
11 |   UNUSED_PARAMETER(reg);
12 |   FFATAL("ctx_read_reg unimplemented for this architecture");
13 | 
14 | }
15 | 
16 | #endif
17 | 
18 | 


--------------------------------------------------------------------------------
/frida_mode/src/intercept.c:
--------------------------------------------------------------------------------
 1 | #include "frida-gumjs.h"
 2 | 
 3 | #include "intercept.h"
 4 | #include "util.h"
 5 | 
 6 | void intercept_hook(void *address, gpointer replacement, gpointer user_data) {
 7 | 
 8 |   GumInterceptor *interceptor = gum_interceptor_obtain();
 9 |   gum_interceptor_begin_transaction(interceptor);
10 |   GumReplaceReturn ret = gum_interceptor_replace(interceptor, address,
11 |                                                  replacement, user_data, NULL);
12 |   if (ret != GUM_REPLACE_OK) { FFATAL("gum_interceptor_attach: %d", ret); }
13 |   gum_interceptor_end_transaction(interceptor);
14 | 
15 | }
16 | 
17 | void intercept_unhook(void *address) {
18 | 
19 |   GumInterceptor *interceptor = gum_interceptor_obtain();
20 | 
21 |   gum_interceptor_begin_transaction(interceptor);
22 |   gum_interceptor_revert(interceptor, address);
23 |   gum_interceptor_end_transaction(interceptor);
24 |   gum_interceptor_flush(interceptor);
25 | 
26 | }
27 | 
28 | void intercept_unhook_self(void) {
29 | 
30 |   GumInvocationContext *ctx = gum_interceptor_get_current_invocation();
31 |   intercept_unhook(ctx->function);
32 | 
33 | }
34 | 
35 | 


--------------------------------------------------------------------------------
/frida_mode/src/seccomp/seccomp.c:
--------------------------------------------------------------------------------
 1 | #include "frida-gumjs.h"
 2 | 
 3 | #include "seccomp.h"
 4 | #include "util.h"
 5 | 
 6 | char *seccomp_filename = NULL;
 7 | 
 8 | void seccomp_on_fork(void) {
 9 | 
10 |   if (seccomp_filename == NULL) { return; }
11 | 
12 | #ifdef __APPLE__
13 |   FFATAL("Seccomp not supported on OSX");
14 | #elif defined(__ANDROID__)
15 |   FFATAL("Seccomp not supported on Android");
16 | #else
17 |   seccomp_callback_parent();
18 | #endif
19 | 
20 | }
21 | 
22 | void seccomp_config(void) {
23 | 
24 |   seccomp_filename = getenv("AFL_FRIDA_SECCOMP_FILE");
25 | 
26 | }
27 | 
28 | void seccomp_init(void) {
29 | 
30 |   FOKF(cBLU "Seccomp" cRST " - " cGRN "file:" cYEL " [%s]",
31 |        seccomp_filename == NULL ? " " : seccomp_filename);
32 | 
33 |   if (seccomp_filename == NULL) { return; }
34 | 
35 | #ifdef __APPLE__
36 |   FFATAL("Seccomp not supported on OSX");
37 | #elif defined(__ANDROID__)
38 |   FFATAL("Seccomp not supported on Android");
39 | #else
40 |   seccomp_callback_initialize();
41 | #endif
42 | 
43 | }
44 | 
45 | 


--------------------------------------------------------------------------------
/frida_mode/src/seccomp/seccomp_atomic.c:
--------------------------------------------------------------------------------
 1 | #if defined(__linux__) && !defined(__ANDROID__)
 2 | 
 3 |   #include <stdbool.h>
 4 |   #include <stdio.h>
 5 | 
 6 |   #include "util.h"
 7 | 
 8 | void seccomp_atomic_set(volatile bool *ptr, bool val) {
 9 | 
10 |   if (!__sync_bool_compare_and_swap(ptr, !val, val)) {
11 | 
12 |     FFATAL("Failed to set event");
13 | 
14 |   }
15 | 
16 | }
17 | 
18 | bool seccomp_atomic_try_set(volatile bool *ptr, bool val) {
19 | 
20 |   return __sync_bool_compare_and_swap(ptr, !val, val);
21 | 
22 | }
23 | 
24 | void seccomp_atomic_wait(volatile bool *ptr, bool val) {
25 | 
26 |   while (!__sync_bool_compare_and_swap(ptr, val, !val))
27 |     ;
28 | 
29 | }
30 | 
31 | #endif
32 | 
33 | 


--------------------------------------------------------------------------------
/frida_mode/src/seccomp/seccomp_event.c:
--------------------------------------------------------------------------------
 1 | #if defined(__linux__) && !defined(__ANDROID__)
 2 | 
 3 |   #include <stdint.h>
 4 |   #include <stdio.h>
 5 |   #include <sys/syscall.h>
 6 |   #include <unistd.h>
 7 | 
 8 |   #include "seccomp.h"
 9 |   #include "util.h"
10 | 
11 | int seccomp_event_create(void) {
12 | 
13 |   #ifdef SYS_eventfd
14 |   int fd = syscall(SYS_eventfd, 0, 0);
15 |   #else
16 |     #ifdef SYS_eventfd2
17 |   int fd = syscall(SYS_eventfd2, 0, 0);
18 |     #endif
19 |   #endif
20 |   if (fd < 0) { FFATAL("seccomp_event_create"); }
21 |   return fd;
22 | 
23 | }
24 | 
25 | void seccomp_event_signal(int fd) {
26 | 
27 |   uint64_t val = 1;
28 |   if (write(fd, &val, sizeof(uint64_t)) != sizeof(uint64_t)) {
29 | 
30 |     FFATAL("seccomp_event_signal");
31 | 
32 |   }
33 | 
34 | }
35 | 
36 | void seccomp_event_wait(int fd) {
37 | 
38 |   uint64_t val = 1;
39 |   if (read(fd, &val, sizeof(uint64_t)) != sizeof(uint64_t)) {
40 | 
41 |     FFATAL("seccomp_event_wait");
42 | 
43 |   }
44 | 
45 | }
46 | 
47 | void seccomp_event_destroy(int fd) {
48 | 
49 |   if (close(fd) < 0) { FFATAL("seccomp_event_destroy"); }
50 | 
51 | }
52 | 
53 | #endif
54 | 
55 | 


--------------------------------------------------------------------------------
/frida_mode/src/seccomp/seccomp_print.c:
--------------------------------------------------------------------------------
 1 | #if defined(__linux__) && !defined(__ANDROID__)
 2 | 
 3 |   #include <stdarg.h>
 4 | 
 5 |   #include "seccomp.h"
 6 |   #include "util.h"
 7 | 
 8 | static void seccomp_print_v(int fd, char *format, va_list ap) {
 9 | 
10 |   char buffer[4096] = {0};
11 |   int  len;
12 | 
13 |   if (vsnprintf(buffer, sizeof(buffer) - 1, format, ap) < 0) { return; }
14 | 
15 |   len = strnlen(buffer, sizeof(buffer));
16 |   IGNORED_RETURN(write(fd, buffer, len));
17 | 
18 | }
19 | 
20 | void seccomp_print(char *format, ...) {
21 | 
22 |   va_list ap;
23 |   va_start(ap, format);
24 |   seccomp_print_v(SECCOMP_OUTPUT_FILE_FD, format, ap);
25 |   va_end(ap);
26 | 
27 | }
28 | 
29 | #endif
30 | 
31 | 


--------------------------------------------------------------------------------
/frida_mode/src/stats/stats_arm32.c:
--------------------------------------------------------------------------------
 1 | #include "frida-gumjs.h"
 2 | 
 3 | #include "stats.h"
 4 | #include "util.h"
 5 | 
 6 | #if defined(__arm__)
 7 | 
 8 | void starts_arch_init(void) {
 9 | 
10 |   FFATAL("Stats not supported on this architecture");
11 | 
12 | }
13 | 
14 | void stats_write_arch(stats_data_t *data) {
15 | 
16 |   UNUSED_PARAMETER(data);
17 |   FFATAL("Stats not supported on this architecture");
18 | 
19 | }
20 | 
21 | void stats_collect_arch(const cs_insn *instr, gboolean begin) {
22 | 
23 |   UNUSED_PARAMETER(instr);
24 |   UNUSED_PARAMETER(begin);
25 |   FFATAL("Stats not supported on this architecture");
26 | 
27 | }
28 | 
29 | #endif
30 | 
31 | 


--------------------------------------------------------------------------------
/frida_mode/test/bloaty/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | frida:
13 | 	@gmake frida
14 | 


--------------------------------------------------------------------------------
/frida_mode/test/cache/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | frida:
10 | 	@gmake frida
11 | 
12 | frida_nocache:
13 | 	@gmake frida_nocache
14 | 
15 | debug:
16 | 	@gmake debug
17 | 
18 | clean:
19 | 	@gmake clean
20 | 
21 | format:
22 | 	@gmake format
23 | 


--------------------------------------------------------------------------------
/frida_mode/test/cmov/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | frida:
13 | 	@gmake frida
14 | 
15 | format:
16 | 	@gmake format
17 | 
18 | debug:
19 | 	@gmake debug
20 | 


--------------------------------------------------------------------------------
/frida_mode/test/cmplog/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | qemu:
13 | 	@gmake qemu
14 | 
15 | frida:
16 | 	@gmake frida
17 | 
18 | 
19 | frida-nocmplog:
20 | 	@gmake frida-nocmplog
21 | 
22 | frida-unprefixedpath:
23 | 	@gmake frida-unprefixedpath
24 | 
25 | format:
26 | 	@gmake format
27 | 
28 | debug:
29 | 	@gmake debug
30 | 


--------------------------------------------------------------------------------
/frida_mode/test/deferred/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | frida:
13 | 	@gmake frida
14 | 


--------------------------------------------------------------------------------
/frida_mode/test/dynamic/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | qemu:
13 | 	@gmake qemu
14 | 
15 | frida:
16 | 	@gmake frida
17 | 
18 | debug:
19 | 	@gmake debug
20 | 


--------------------------------------------------------------------------------
/frida_mode/test/dynamic/testinstrlib.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | 
 3 | void testinstrlib(char *buf, int len) {
 4 | 
 5 |   if (len < 1) return;
 6 |   buf[len] = 0;
 7 | 
 8 |   // we support three input cases
 9 |   if (buf[0] == '0')
10 |     printf("Looks like a zero to me!\n");
11 |   else if (buf[0] == '1')
12 |     printf("Pretty sure that is a one!\n");
13 |   else
14 |     printf("Neither one or zero? How quaint!\n");
15 | 
16 | }
17 | 
18 | 


--------------------------------------------------------------------------------
/frida_mode/test/entry_point/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | frida:
13 | 	@gmake frida
14 | 
15 | frida_entry:
16 | 	@gmake frida
17 | 


--------------------------------------------------------------------------------
/frida_mode/test/exe/GNUmakefile:
--------------------------------------------------------------------------------
 1 | PWD:=$(shell pwd)/
 2 | ROOT:=$(PWD)../../../
 3 | BUILD_DIR:=$(PWD)build/
 4 | TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/
 5 | TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in
 6 | 
 7 | TESTINSTBIN:=$(BUILD_DIR)testinstr
 8 | TESTINSTSRC:=$(PWD)testinstr.c
 9 | 
10 | QEMU_OUT:=$(BUILD_DIR)qemu-out
11 | FRIDA_OUT:=$(BUILD_DIR)frida-out
12 | 
13 | .PHONY: all 32 clean qemu frida
14 | 
15 | all: $(TESTINSTBIN)
16 | 	make -C $(ROOT)frida_mode/
17 | 
18 | 32:
19 | 	CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
20 | 
21 | $(BUILD_DIR):
22 | 	mkdir -p $@
23 | 
24 | $(TESTINSTR_DATA_DIR): | $(BUILD_DIR)
25 | 	mkdir -p $@
26 | 
27 | $(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR)
28 | 	echo -n "000" > $@
29 | 
30 | $(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR)
31 | 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ 
lt; -no-pie
32 | 
33 | clean:
34 | 	rm -rf $(BUILD_DIR)
35 | 
36 | 
37 | qemu: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
38 | 	$(ROOT)afl-fuzz \
39 | 		-D \
40 | 		-Q \
41 | 		-i $(TESTINSTR_DATA_DIR) \
42 | 		-o $(QEMU_OUT) \
43 | 		-- \
44 | 			$(TESTINSTBIN) @@
45 | 
46 | frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
47 | 	$(ROOT)afl-fuzz \
48 | 		-D \
49 | 		-O \
50 | 		-i $(TESTINSTR_DATA_DIR) \
51 | 		-o $(FRIDA_OUT) \
52 | 		-- \
53 | 			$(TESTINSTBIN) @@
54 | 


--------------------------------------------------------------------------------
/frida_mode/test/exe/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | qemu:
13 | 	@gmake qemu
14 | 
15 | frida:
16 | 	@gmake frida
17 | 


--------------------------------------------------------------------------------
/frida_mode/test/fasan/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | frida-noasan:
13 | 	@gmake frida-noasan
14 | 
15 | frida:
16 | 	@gmake frida
17 | 
18 | debug:
19 | 	@gmake debug
20 | 
21 | run:
22 | 	@gmake run
23 | 


--------------------------------------------------------------------------------
/frida_mode/test/freetype2/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | frida:
13 | 	@gmake frida
14 | 


--------------------------------------------------------------------------------
/frida_mode/test/jpeg/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | frida:
13 | 	@gmake frida
14 | 
15 | debug:
16 | 	@gmake debug
17 | 


--------------------------------------------------------------------------------
/frida_mode/test/js/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | frida_js_entry:
13 | 	@gmake frida_js_entry
14 | 
15 | frida_js_replace:
16 | 	@gmake frida_js_replace
17 | 
18 | frida_js_patch:
19 | 	@gmake frida_js_patch
20 | 
21 | frida_js_stalker:
22 | 	@gmake frida_js_stalker
23 | 
24 | debug:
25 | 	@gmake debug
26 | 


--------------------------------------------------------------------------------
/frida_mode/test/js/entry.js:
--------------------------------------------------------------------------------
 1 | Afl.print('******************');
 2 | Afl.print('* AFL FRIDA MODE *');
 3 | Afl.print('******************');
 4 | Afl.print('');
 5 | 
 6 | Afl.print(`PID: ${Process.id}`);
 7 | 
 8 | new ModuleMap().values().forEach(m => {
 9 |     Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
10 | });
11 | 
12 | const name = Process.enumerateModules()[0].name;
13 | Afl.print(`Name: ${name}`);
14 | 
15 | if (name === 'test') {
16 | 
17 |     Afl.print('Searching...\n');
18 |     const entry_point = DebugSymbol.fromName('run');
19 |     Afl.print(`entry_point: ${entry_point}`);
20 | 
21 |     Afl.setEntryPoint(entry_point.address);
22 | 
23 | }
24 | 
25 | Afl.done();
26 | Afl.print("done");
27 | 


--------------------------------------------------------------------------------
/frida_mode/test/js/fuzz.js:
--------------------------------------------------------------------------------
 1 | Afl.print('******************');
 2 | Afl.print('* AFL FRIDA MODE *');
 3 | Afl.print('******************');
 4 | Afl.print('');
 5 | 
 6 | Afl.print(`PID: ${Process.id}`);
 7 | 
 8 | const name = Process.enumerateModules()[0].name;
 9 | Afl.print(`Name: ${name}`);
10 | 
11 | new ModuleMap().values().forEach(m => {
12 |     Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
13 | });
14 | 
15 | const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
16 | Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`);
17 | 
18 | const cm = new CModule(`
19 | 
20 |     extern unsigned char * __afl_fuzz_ptr;
21 |     extern unsigned int * __afl_fuzz_len;
22 |     extern void LLVMFuzzerTestOneInput(char *buf, int len);
23 | 
24 |     void My_LLVMFuzzerTestOneInput(char *buf, int len) {
25 | 
26 |       LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len);
27 | 
28 |     }
29 |     `,
30 |     {
31 |         LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput,
32 |         __afl_fuzz_ptr: Afl.getAflFuzzPtr(),
33 |         __afl_fuzz_len: Afl.getAflFuzzLen()
34 |     });
35 | 
36 | Afl.setEntryPoint(cm.My_LLVMFuzzerTestOneInput);
37 | Afl.setPersistentAddress(cm.My_LLVMFuzzerTestOneInput);
38 | Afl.setInMemoryFuzzing();
39 | Interceptor.replace(LLVMFuzzerTestOneInput, cm.My_LLVMFuzzerTestOneInput);
40 | Afl.print("done");
41 | Afl.done();
42 | 


--------------------------------------------------------------------------------
/frida_mode/test/js/main.js:
--------------------------------------------------------------------------------
 1 | Afl.print('******************');
 2 | Afl.print('* AFL FRIDA MODE *');
 3 | Afl.print('******************');
 4 | Afl.print('');
 5 | 
 6 | Afl.print(`PID: ${Process.id}`);
 7 | 
 8 | const name = Process.enumerateModules()[0].name;
 9 | Afl.print(`Name: ${name}`);
10 | 
11 | new ModuleMap().values().forEach(m => {
12 |     Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
13 | });
14 | 
15 | const main = DebugSymbol.fromName('main').address;
16 | Afl.print(`main: ${main}`);
17 | 
18 | const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
19 | Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`);
20 | 
21 | const cm = new CModule(`
22 | 
23 |     extern unsigned char * __afl_fuzz_ptr;
24 |     extern unsigned int * __afl_fuzz_len;
25 |     extern void LLVMFuzzerTestOneInput(char *buf, int len);
26 | 
27 |     int main(int argc, char **argv)  {
28 | 
29 |       LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len);
30 | 
31 |     }
32 |     `,
33 |     {
34 |         LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput,
35 |         __afl_fuzz_ptr: Afl.getAflFuzzPtr(),
36 |         __afl_fuzz_len: Afl.getAflFuzzLen()
37 |     });
38 | 
39 | Afl.setEntryPoint(cm.main);
40 | Afl.setPersistentAddress(cm.main);
41 | Afl.setInMemoryFuzzing();
42 | Afl.setJsMainHook(cm.main);
43 | Afl.print("done");
44 | Afl.done();
45 | 


--------------------------------------------------------------------------------
/frida_mode/test/js/patch.js:
--------------------------------------------------------------------------------
 1 | Afl.print('******************');
 2 | Afl.print('* AFL FRIDA MODE *');
 3 | Afl.print('******************');
 4 | Afl.print('');
 5 | 
 6 | const main = DebugSymbol.fromName('main').address;
 7 | Afl.print(`main: ${main}`);
 8 | Afl.setEntryPoint(main);
 9 | Afl.setPersistentAddress(main);
10 | Afl.setPersistentCount(10000000);
11 | 
12 | const crc32_check = DebugSymbol.fromName('crc32_check').address;
13 | const crc32_replacement = new NativeCallback(
14 |     (buf, len) => {
15 |         Afl.print(`len: ${len}`);
16 |         if (len < 4) {
17 |             return 0;
18 |         }
19 | 
20 |         return 1;
21 |     },
22 |     'int',
23 |     ['pointer', 'int']);
24 | Interceptor.replace(crc32_check, crc32_replacement);
25 | 
26 | const some_boring_bug = DebugSymbol.fromName('some_boring_bug').address
27 | const boring_replacement = new NativeCallback(
28 |     (c) => { },
29 |     'void',
30 |     ['char']);
31 | Interceptor.replace(some_boring_bug, boring_replacement);
32 | 
33 | Afl.done();
34 | Afl.print("done");
35 | 


--------------------------------------------------------------------------------
/frida_mode/test/js/replace.js:
--------------------------------------------------------------------------------
 1 | Afl.print('******************');
 2 | Afl.print('* AFL FRIDA MODE *');
 3 | Afl.print('******************');
 4 | Afl.print('');
 5 | 
 6 | Afl.print(`PID: ${Process.id}`);
 7 | 
 8 | const name = Process.enumerateModules()[0].name;
 9 | Afl.print(`Name: ${name}`);
10 | 
11 | new ModuleMap().values().forEach(m => {
12 |     Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
13 | });
14 | 
15 | const slow = DebugSymbol.fromName('slow').address;
16 | Afl.print(`slow: ${slow}`);
17 | 
18 | const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
19 | Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`);
20 | 
21 | const cm = new CModule(`
22 | 
23 |     extern unsigned char * __afl_fuzz_ptr;
24 |     extern unsigned int * __afl_fuzz_len;
25 |     extern void LLVMFuzzerTestOneInput(char *buf, int len);
26 | 
27 |     void slow(void) {
28 | 
29 |       LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len);
30 |     }
31 |     `,
32 |     {
33 |         LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput,
34 |         __afl_fuzz_ptr: Afl.getAflFuzzPtr(),
35 |         __afl_fuzz_len: Afl.getAflFuzzLen()
36 |     });
37 | 
38 | Afl.setEntryPoint(cm.slow);
39 | Afl.setPersistentAddress(cm.slow);
40 | Afl.setInMemoryFuzzing();
41 | Interceptor.replace(slow, cm.slow);
42 | Afl.print("done");
43 | Afl.done();
44 | 


--------------------------------------------------------------------------------
/frida_mode/test/libxml/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | frida:
13 | 	@gmake frida
14 | 


--------------------------------------------------------------------------------
/frida_mode/test/libxslt/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | frida:
13 | 	@gmake frida
14 | 


--------------------------------------------------------------------------------
/frida_mode/test/osx-lib/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | clean:
 6 | 	@gmake clean
 7 | 
 8 | frida_persistent:
 9 |     @gmake frida_persistent
10 | 
11 | frida_persistent_hook:
12 |     @gmake frida_persistent_hook
13 | 


--------------------------------------------------------------------------------
/frida_mode/test/osx-lib/harness3.c:
--------------------------------------------------------------------------------
 1 | #include <string.h>
 2 | #include <assert.h>
 3 | #include <stdio.h>
 4 | #include <stdlib.h>
 5 | #include <dlfcn.h>
 6 | 
 7 | extern void crashme(const uint8_t *Data, size_t Size);
 8 | 
 9 | int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
10 | 
11 |   crashme(data, size);
12 |   return 0;
13 | 
14 | }
15 | 
16 | void run(int argc, const char *argv[]) {
17 | 
18 |   for (int i = 1; i < argc; i++) {
19 | 
20 |     fprintf(stderr, "Running: %s\n", argv[i]);
21 |     FILE *f = fopen(argv[i], "r");
22 |     assert(f);
23 |     fseek(f, 0, SEEK_END);
24 |     size_t len = ftell(f);
25 |     fseek(f, 0, SEEK_SET);
26 |     unsigned char *buf = (unsigned char *)malloc(len);
27 |     size_t         n_read = fread(buf, 1, len, f);
28 |     fclose(f);
29 |     assert(n_read == len);
30 |     LLVMFuzzerTestOneInput(buf, len);
31 |     free(buf);
32 |     fprintf(stderr, "Done:    %s: (%zd bytes)\n", argv[i], n_read);
33 | 
34 |   }
35 | 
36 | }
37 | 
38 | int main(int argc, const char *argv[]) {
39 | 
40 |   run(argc, argv);
41 | 
42 |   return 0;
43 | 
44 | }
45 | 
46 | 


--------------------------------------------------------------------------------
/frida_mode/test/osx-lib/lib.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | #include <stdint.h>
 4 | 
 5 | void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
 6 | 
 7 |   if (Size < 5) return;
 8 | 
 9 |   if (Data[0] == 'F')
10 |     if (Data[1] == 'A')
11 |       if (Data[2] == '
#39;)
12 |         if (Data[3] == '
#39;)
13 |           if (Data[4] == '
#39;) abort();
14 | 
15 | }
16 | 
17 | 


--------------------------------------------------------------------------------
/frida_mode/test/osx-lib/lib2.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | #include <stdint.h>
 4 | #include <string.h>
 5 | 
 6 | void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
 7 | 
 8 |   if (Size < 1) return;
 9 | 
10 |   char *buf = malloc(10);
11 | 
12 |   if (buf == NULL) return;
13 | 
14 |   switch (Data[0]) {
15 | 
16 |     /* Underflow */
17 |     case 'U':
18 |       printf("Underflow\n");
19 |       buf[-1] = '\0';
20 |       free(buf);
21 |       break;
22 |     /* Overflow */
23 |     case 'O':
24 |       printf("Overflow\n");
25 |       buf[10] = '\0';
26 |       free(buf);
27 |       break;
28 |     /* Double free */
29 |     case 'D':
30 |       printf("Double free\n");
31 |       free(buf);
32 |       free(buf);
33 |       break;
34 |     /* Use after free */
35 |     case 'A':
36 |       printf("Use after free\n");
37 |       free(buf);
38 |       buf[0] = '\0';
39 |       break;
40 |     /* Test Limits (OK) */
41 |     case 'T':
42 |       printf("Test-Limits - No Error\n");
43 |       buf[0] = 'A';
44 |       buf[9] = 'I';
45 |       free(buf);
46 |       break;
47 |     case 'M':
48 |       printf("Memset too many\n");
49 |       memset(buf, '\0', 11);
50 |       free(buf);
51 |       break;
52 |     default:
53 |       printf("Nop - No Error\n");
54 |       break;
55 | 
56 |   }
57 | 
58 | }
59 | 
60 | 


--------------------------------------------------------------------------------
/frida_mode/test/output/GNUmakefile:
--------------------------------------------------------------------------------
 1 | PWD:=$(shell pwd)/
 2 | ROOT:=$(PWD)../../../
 3 | BUILD_DIR:=$(PWD)build/
 4 | TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/
 5 | TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in
 6 | 
 7 | TESTINSTBIN:=$(BUILD_DIR)testinstr
 8 | TESTINSTSRC:=$(PWD)testinstr.c
 9 | 
10 | QEMU_OUT:=$(BUILD_DIR)qemu-out
11 | FRIDA_OUT:=$(BUILD_DIR)frida-out
12 | 
13 | .PHONY: all 32 clean qemu frida
14 | 
15 | all: $(TESTINSTBIN)
16 | 	make -C $(ROOT)frida_mode/
17 | 
18 | 32:
19 | 	CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
20 | 
21 | $(BUILD_DIR):
22 | 	mkdir -p $@
23 | 
24 | $(TESTINSTR_DATA_DIR): | $(BUILD_DIR)
25 | 	mkdir -p $@
26 | 
27 | $(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR)
28 | 	echo -n "000" > $@
29 | 
30 | $(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR)
31 | 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ 
lt;
32 | 
33 | clean:
34 | 	rm -rf $(BUILD_DIR)
35 | 
36 | frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE)
37 | 	AFL_FRIDA_OUTPUT_STDOUT=frida_stdout.txt \
38 | 	AFL_FRIDA_OUTPUT_STDERR=frida_stderr.txt \
39 | 	AFL_FRIDA_STATS_FILE=frida_stats.txt \
40 | 	AFL_FRIDA_STATS_INTERVAL=1 \
41 | 	$(ROOT)afl-fuzz \
42 | 		-D \
43 | 		-O \
44 | 		-i $(TESTINSTR_DATA_DIR) \
45 | 		-o $(FRIDA_OUT) \
46 | 		-- \
47 | 			$(TESTINSTBIN) @@
48 | 


--------------------------------------------------------------------------------
/frida_mode/test/output/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | frida:
13 | 	@gmake frida
14 | 


--------------------------------------------------------------------------------
/frida_mode/test/perf/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | qemu:
13 | 	@gmake qemu
14 | 
15 | frida:
16 | 	@gmake frida
17 | 
18 | debug:
19 | 	@gmake debug
20 | 


--------------------------------------------------------------------------------
/frida_mode/test/persistent_ret/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | frida:
13 | 	@gmake frida
14 | 
15 | frida_ret:
16 | 	@gmake frida_ret
17 | 
18 | debug:
19 | 	@gmake debug
20 | 
21 | run:
22 | 	@gmake run
23 | 


--------------------------------------------------------------------------------
/frida_mode/test/png/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | qemu:
13 | 	@gmake qemu
14 | 
15 | frida:
16 | 	@gmake frida
17 | 
18 | debug:
19 | 	@gmake debug
20 | 


--------------------------------------------------------------------------------
/frida_mode/test/png/persistent/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | qemu:
13 | 	@gmake qemu
14 | 
15 | qemu_entry:
16 | 	@gmake qemu_entry
17 | 
18 | frida:
19 | 	@gmake frida
20 | 
21 | frida_entry:
22 | 	@gmake frida_entry
23 | 
24 | debug:
25 | 	@gmake debug
26 | 


--------------------------------------------------------------------------------
/frida_mode/test/png/persistent/hook/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | format:
13 | 	@gmake format
14 | 
15 | qemu:
16 | 	@gmake qemu
17 | 
18 | qemu_entry:
19 | 	@gmake qemu_entry
20 | 
21 | frida:
22 | 	@gmake frida
23 | 
24 | frida_entry:
25 | 	@gmake frida_entry
26 | 
27 | frida_js:
28 | 	@gmake frida_js
29 | 
30 | debug:
31 | 	@gmake debug
32 | 


--------------------------------------------------------------------------------
/frida_mode/test/png/persistent/hook/cmodule.js:
--------------------------------------------------------------------------------
 1 | Afl.print('******************');
 2 | Afl.print('* AFL FRIDA MODE *');
 3 | Afl.print('******************');
 4 | Afl.print('');
 5 | 
 6 | Afl.print(`PID: ${Process.id}`);
 7 | 
 8 | const name = Process.enumerateModules()[0].name;
 9 | Afl.print(`Name: ${name}`);
10 | 
11 | new ModuleMap().values().forEach(m => {
12 |     Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
13 | });
14 | 
15 | const persistent_addr = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
16 | Afl.print(`persistent_addr: ${persistent_addr}`);
17 | Afl.setEntryPoint(persistent_addr);
18 | Afl.setPersistentAddress(persistent_addr);
19 | 
20 | const cm = new CModule(`
21 | 
22 |     #include <string.h>
23 |     #include <gum/gumdefs.h>
24 | 
25 |     void afl_persistent_hook(GumCpuContext *regs, uint8_t *input_buf,
26 |       uint32_t input_buf_len) {
27 | 
28 |       memcpy((void *)regs->rdi, input_buf, input_buf_len);
29 |       regs->rsi = input_buf_len;
30 | 
31 |     }
32 |     `,
33 |     {
34 |         memcpy: Module.getExportByName(null, 'memcpy')
35 |     });
36 | Afl.setPersistentHook(cm.afl_persistent_hook);
37 | 
38 | Afl.print("done");
39 | Afl.done();
40 | 


--------------------------------------------------------------------------------
/frida_mode/test/png/persistent/hook/load.js:
--------------------------------------------------------------------------------
 1 | Afl.print('******************');
 2 | Afl.print('* AFL FRIDA MODE *');
 3 | Afl.print('******************');
 4 | Afl.print('');
 5 | 
 6 | Afl.print(`PID: ${Process.id}`);
 7 | 
 8 | const name = Process.enumerateModules()[0].name;
 9 | Afl.print(`Name: ${name}`);
10 | 
11 | new ModuleMap().values().forEach(m => {
12 |     Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`);
13 | });
14 | 
15 | const persistent_addr = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address;
16 | Afl.print(`persistent_addr: ${persistent_addr}`);
17 | Afl.setEntryPoint(persistent_addr);
18 | Afl.setPersistentAddress(persistent_addr);
19 | 
20 | const path = Afl.module.path;
21 | const dir = path.substring(0, path.lastIndexOf("/"));
22 | const mod = Module.load(`${dir}/frida_mode/build/frida_hook.so`);
23 | const hook = mod.getExportByName('afl_persistent_hook');
24 | Afl.setPersistentHook(hook);
25 | 
26 | Afl.print("done");
27 | Afl.done();
28 | 


--------------------------------------------------------------------------------
/frida_mode/test/proj4/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | frida:
13 | 	@gmake frida
14 | 
15 | debug:
16 | 	@gmake debug
17 | 
18 | 


--------------------------------------------------------------------------------
/frida_mode/test/python/GNUmakefile:
--------------------------------------------------------------------------------
 1 | PWD:=$(shell pwd)/
 2 | ROOT:=$(PWD)../../../
 3 | BUILD_DIR:=$(PWD)build/
 4 | TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/
 5 | FRIDA_OUT:=$(BUILD_DIR)frida-out
 6 | QEMU_OUT:=$(BUILD_DIR)qemu-out
 7 | 
 8 | .PHONY: all clean run qemu frida
 9 | 
10 | all:
11 | 	make -C $(ROOT)frida_mode/
12 | 
13 | clean:
14 | 	rm -rf $(BUILD_DIR)
15 | 
16 | $(BUILD_DIR):
17 | 	mkdir -p $@
18 | 
19 | $(TESTINSTR_DATA_DIR): | $(BUILD_DIR)
20 | 	mkdir -p $@
21 | 
22 | run:
23 | 	date
24 | 	/usr/bin/python -c 'print("hi");'
25 | 	date
26 | 
27 | qemu:
28 | 	date
29 | 	$(ROOT)afl-qemu-trace \
30 | 		/usr/bin/python -c 'print("hi");'
31 | 	date
32 | 
33 | frida:
34 | 	date
35 | 	LD_PRELOAD=$(ROOT)afl-frida-trace.so \
36 | 		python -c 'print("hi");'
37 | 	date
38 | 


--------------------------------------------------------------------------------
/frida_mode/test/python/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | clean:
 6 | 	@gmake clean
 7 | 
 8 | run:
 9 | 	@gmake run
10 | 
11 | qemu:
12 | 	@gmake qemu
13 | 
14 | frida:
15 | 	@gmake frida
16 | 
17 | 
18 | 


--------------------------------------------------------------------------------
/frida_mode/test/re2/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | qemu:
13 | 	@gmake qemu
14 | 
15 | frida:
16 | 	@gmake frida
17 | 
18 | debug:
19 | 	@gmake debug
20 | 
21 | 


--------------------------------------------------------------------------------
/frida_mode/test/sqlite/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | frida:
13 | 	@gmake frida
14 | 
15 | debug:
16 | 	@gmake debug
17 | 
18 | 


--------------------------------------------------------------------------------
/frida_mode/test/testinstr/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | qemu:
13 | 	@gmake qemu
14 | 
15 | frida:
16 | 	@gmake frida
17 | 
18 | debug:
19 | 	@gmake debug
20 | 


--------------------------------------------------------------------------------
/frida_mode/test/unstable/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | qemu:
13 | 	@gmake qemu
14 | 
15 | frida:
16 | 	@gmake frida
17 | 
18 | debug:
19 | 	@gmake debug
20 | 


--------------------------------------------------------------------------------
/frida_mode/test/vorbis/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | 32:
 6 | 	@echo trying to use GNU make...
 7 | 	@gmake 32 || echo please install GNUmake
 8 | 
 9 | clean:
10 | 	@gmake clean
11 | 
12 | frida:
13 | 	@gmake frida
14 | 


--------------------------------------------------------------------------------
/frida_mode/ts/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "@worksbutnottested/aflplusplus-frida",
 3 |   "version": "1.0.1",
 4 |   "description": "AFLplusplus Frida Mode",
 5 |   "main": "./dist/afl.js",
 6 |   "types": "./dist/afl.d.ts",
 7 |   "files": [
 8 |     "/dist/"
 9 |   ],
10 |   "repository": {
11 |     "type": "git",
12 |     "url": "git@github.com:worksbutnottested/AFLplusplus.git"
13 |   },
14 |   "publishConfig": {
15 |     "cache": "~/.npm",
16 |     "registry": "https://npm.pkg.github.com/@worksbutnottested"
17 |   },
18 |   "scripts": {
19 |     "prepare": "npm run build",
20 |     "build": "tsc",
21 |     "lint": "tslint -p tslint.json"
22 |   },
23 |   "devDependencies": {
24 |     "@types/node": "^14.14.2",
25 |     "typescript": "^4.0.3",
26 |     "typescript-tslint-plugin": "^0.5.5",
27 |     "tslint": "^6.1.3"
28 |   },
29 |   "dependencies": {
30 |     "@types/frida-gum": "^16.2.0"
31 |   }
32 | }
33 | 


--------------------------------------------------------------------------------
/frida_mode/ts/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "compilerOptions": {
 3 |       "target": "es2020",
 4 |       "lib": ["es2020"],
 5 |       "strict": true,
 6 |       "module": "commonjs",
 7 |       "esModuleInterop": true,
 8 |       "declaration": true,
 9 |       "outDir": "./dist"
10 |     },
11 |     "include": [
12 |       "lib/**/*"
13 |     ]
14 |   }
15 | 


--------------------------------------------------------------------------------
/frida_mode/ub1804/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM ubuntu:xenial
2 | 
3 | WORKDIR /AFLplusplus
4 | 
5 | RUN apt-get update
6 | RUN apt-get install -y make gcc g++ xz-utils curl wget clang zlib1g-dev


--------------------------------------------------------------------------------
/frida_mode/ub1804/GNUmakefile:
--------------------------------------------------------------------------------
 1 | PWD:=$(shell pwd)/
 2 | ROOT:=$(PWD)../../
 3 | 
 4 | .PHONY: all build docker clean shell test
 5 | 
 6 | all: docker
 7 | 	docker run --rm \
 8 | 		-v $(ROOT):/AFLplusplus \
 9 | 		ub1804-afl-frida \
10 | 		/bin/sh -c \
11 | 			'make -C /AFLplusplus/ clean all && \
12 | 			make -C /AFLplusplus/frida_mode clean all'
13 | 
14 | test:
15 | 	docker run --rm \
16 | 		-v $(ROOT):/AFLplusplus \
17 | 		ub1804-afl-frida \
18 | 		/bin/sh -c \
19 | 			'make -C /AFLplusplus/frida_mode/test/png clean all && \
20 | 			make -C /AFLplusplus/frida_mode/test/png/persistent/hook frida'
21 | 
22 | build:
23 | 	docker run --rm \
24 | 		-v $(ROOT):/AFLplusplus \
25 | 		ub1804-afl-frida \
26 | 		/bin/sh -c \
27 | 			'make -C /AFLplusplus/ all && \
28 | 			make -C /AFLplusplus/frida_mode all'
29 | 
30 | docker:
31 | 	docker build --tag ub1804-afl-frida .
32 | 
33 | clean:
34 | 	docker images --filter 'dangling=true' -q --no-trunc | xargs -L1 docker rmi --force
35 | 
36 | shell:
37 | 	docker run -ti --rm ub1804-afl-frida /bin/bash
38 | 


--------------------------------------------------------------------------------
/frida_mode/ub1804/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	@echo trying to use GNU make...
 3 | 	@gmake all || echo please install GNUmake
 4 | 
 5 | clean:
 6 | 	@gmake clean
 7 | 
 8 | shell:
 9 | 	@gmake shell
10 | 


--------------------------------------------------------------------------------
/frida_mode/update_frida_version.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | test -n "$1" && { echo This script has no options. It updates the referenced Frida version in GNUmakefile to the most current one. ; exit 1 ; }
 3 | 
 4 | OLD=$(grep -E '^GUM_DEVKIT_VERSION=' GNUmakefile 2>/dev/null|awk -F= '{print$2}')
 5 | NEW=$(curl https://github.com/frida/frida/releases/ 2>/dev/null|grep 'Frida\ [0-9.]*'|head -n 1|sed 's/.*Frida\ //'| sed 's/<\/h2>//')
 6 | 
 7 | echo Current set version: $OLD
 8 | echo Newest available version: $NEW
 9 | 
10 | test -z "$OLD" -o -z "$NEW" -o "$OLD" = "$NEW" && { echo Nothing to be done. ; exit 0 ; }
11 | 
12 | # Determine the correct sed command
13 | case $(sed --help 2>&1) in
14 |   *GNU*) set sed -i;;
15 |   *) set sed -i '';;
16 | esac
17 | 
18 | "$@" "s/=$OLD/=$NEW/" GNUmakefile || exit 1
19 | echo Successfully updated GNUmakefile
20 | 


--------------------------------------------------------------------------------
/include/hash.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |    american fuzzy lop++ - hashing function
 3 |    ---------------------------------------
 4 | 
 5 |    Copyright 2016 Google Inc. All rights reserved.
 6 |    Copyright 2019-2024 AFLplusplus Project. All rights reserved.
 7 | 
 8 |    Licensed under the Apache License, Version 2.0 (the "License");
 9 |    you may not use this file except in compliance with the License.
10 |    You may obtain a copy of the License at:
11 | 
12 |      https://www.apache.org/licenses/LICENSE-2.0
13 | 
14 |  */
15 | 
16 | #ifndef _HAVE_HASH_H
17 | #define _HAVE_HASH_H
18 | 
19 | #include "types.h"
20 | 
21 | u32 hash32(u8 *key, u32 len, u32 seed);
22 | u64 hash64(u8 *key, u32 len, u64 seed);
23 | 
24 | #endif                                                     /* !_HAVE_HASH_H */
25 | 
26 | 


--------------------------------------------------------------------------------
/injections.dic:
--------------------------------------------------------------------------------
1 | "1'\" OR \"1\"=\"1"
2 | "1\"' OR '1'='1"
3 | "'\"><FUZZ"
4 | "*)(FUZZ=*))(|"
5 | "\";FUZZ;\""
6 | "';FUZZ;'"
7 | "$(FUZZ)"
8 | 


--------------------------------------------------------------------------------
/instrumentation/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | 	@echo "no need to do make in the instrumentation/ directory :) - it is all done in the main one"
3 | 


--------------------------------------------------------------------------------
/instrumentation/README.cmplog.md:
--------------------------------------------------------------------------------
 1 | # CmpLog instrumentation
 2 | 
 3 | The CmpLog instrumentation enables logging of comparison operands in a shared
 4 | memory.
 5 | 
 6 | These values can be used by various mutators built on top of it. At the moment,
 7 | we support the Redqueen mutator (input-2-state instructions only), for details
 8 | see [the Redqueen paper](https://github.com/RUB-SysSec/redqueen).
 9 | 
10 | ## Build
11 | 
12 | To use CmpLog, you have to build two versions of the instrumented target
13 | program:
14 | 
15 | * The first version is built using the regular AFL++ instrumentation.
16 | * The second one, the CmpLog binary, is built with setting `AFL_LLVM_CMPLOG`
17 |   during the compilation.
18 | 
19 | For example:
20 | 
21 | ```
22 | ./configure --cc=~/path/to/afl-clang-fast
23 | make
24 | cp ./program ./program.afl
25 | make clean
26 | export AFL_LLVM_CMPLOG=1
27 | ./configure --cc=~/path/to/afl-clang-fast
28 | make
29 | cp ./program ./program.cmplog
30 | unset AFL_LLVM_CMPLOG
31 | ```
32 | 
33 | ## Use
34 | 
35 | AFL++ has the new `-c` option that needs to be used to specify the CmpLog binary
36 | (the second build).
37 | 
38 | For example:
39 | 
40 | ```
41 | afl-fuzz -i input -o output -c ./program.cmplog -m none -- ./program.afl @@
42 | ```
43 | 
44 | Be careful with the usage of `-m` because CmpLog can map a lot of pages.
45 | 


--------------------------------------------------------------------------------
/instrumentation/afl-llvm-rt-lto.o.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |    american fuzzy lop++ - LLVM instrumentation bootstrap
 3 |    -----------------------------------------------------
 4 | 
 5 |    Licensed under the Apache License, Version 2.0 (the "License");
 6 |    you may not use this file except in compliance with the License.
 7 |    You may obtain a copy of the License at:
 8 | 
 9 |      https://www.apache.org/licenses/LICENSE-2.0
10 | 
11 | */
12 | 
13 | #include <stdio.h>
14 | #include <stdlib.h>
15 | 
16 | // to prevent the function from being removed
17 | unsigned char __afl_lto_mode = 0;
18 | 
19 | /* Proper initialization routine. */
20 | 
21 | __attribute__((constructor(0))) void __afl_auto_init_globals(void) {
22 | 
23 |   if (getenv("AFL_DEBUG")) fprintf(stderr, "[__afl_auto_init_globals]\n");
24 |   __afl_lto_mode = 1;
25 | 
26 | }
27 | 
28 | 


--------------------------------------------------------------------------------
/instrumentation/llvm-alternative-coverage.h:
--------------------------------------------------------------------------------
 1 | #ifndef AFL_NGRAM_CONFIG_H
 2 | #define AFL_NGRAM_CONFIG_H
 3 | 
 4 | #include "types.h"
 5 | 
 6 | #if (MAP_SIZE_POW2 <= 16)
 7 | typedef u16 PREV_LOC_T;
 8 | #elif (MAP_SIZE_POW2 <= 32)
 9 | typedef u32 PREV_LOC_T;
10 | #else
11 | typedef u64 PREV_LOC_T;
12 | #endif
13 | 
14 | /* Maximum ngram size */
15 | #define NGRAM_SIZE_MAX 16U
16 | 
17 | /* Maximum K for top-K context sensitivity */
18 | #define CTX_MAX_K 32U
19 | 
20 | #endif
21 | 
22 | 


--------------------------------------------------------------------------------
/nyx_mode/LIBNYX_VERSION:
--------------------------------------------------------------------------------
1 | f07a41fc
2 | 


--------------------------------------------------------------------------------
/nyx_mode/PACKER_VERSION:
--------------------------------------------------------------------------------
1 | 7967b43
2 | 


--------------------------------------------------------------------------------
/nyx_mode/QEMU_NYX_VERSION:
--------------------------------------------------------------------------------
1 | ff1c897321
2 | 


--------------------------------------------------------------------------------
/nyx_mode/custom_harness/fuzz.sh:
--------------------------------------------------------------------------------
 1 | chmod +x hget
 2 | cp hget /tmp/
 3 | cd /tmp/
 4 | echo 0 > /proc/sys/kernel/randomize_va_space
 5 | echo 0 > /proc/sys/kernel/printk
 6 | ./hget hcat hcat
 7 | ./hget habort habort
 8 | ./hget target target
 9 | chmod +x hcat
10 | chmod +x habort
11 | chmod +x target
12 | ./target
13 | ./habort "Target has terminated without initializing the fuzzing agent ..."
14 | 


--------------------------------------------------------------------------------
/nyx_mode/custom_harness/fuzz_no_pt.sh:
--------------------------------------------------------------------------------
 1 | chmod +x hget
 2 | cp hget /tmp/
 3 | cd /tmp/
 4 | echo 0 > /proc/sys/kernel/randomize_va_space
 5 | echo 0 > /proc/sys/kernel/printk
 6 | ./hget hcat_no_pt hcat
 7 | ./hget habort_no_pt habort
 8 | ./hget target target
 9 | chmod +x hcat
10 | chmod +x habort
11 | chmod +x target
12 | ./target
13 | ./habort "Target has terminated without initializing the fuzzing agent ..."
14 | 


--------------------------------------------------------------------------------
/qemu_mode/QEMUAFL_VERSION:
--------------------------------------------------------------------------------
1 | a93b2934c5
2 | 


--------------------------------------------------------------------------------
/qemu_mode/README.wine.md:
--------------------------------------------------------------------------------
 1 | # How to troubleshoot AFL++'s wine mode
 2 | 
 3 | ## 1) Debugging
 4 | 
 5 | To turn on wine debugging, use the `WINEDEBUG` environment variable, e.g.,
 6 | `WINEDEBUG=+timestamp,+tid,+loaddll`.
 7 | 
 8 | ## 2) LoadLibraryA workaround
 9 | 
10 | The forked process fails to load libraries loaded via `LoadLibrary` if the load
11 | happens after the entry point (error code: 87). To resolve this issue, one needs
12 | to load any external libraries before the fork happens.
13 | 
14 | An early DLL load can be achieved by adding the DLL name into the `Import
15 | Directory` in the PE file. Such an entry can be added manually in any PE editor.
16 | 
17 | Alternatively, one can generate a `.lib` file from the DLL exports and link them
18 | together with the harness to create an entry in the `Import Directory`. Use
19 | `dumpbin /exports <filename>.dll` to extract the exports and paste the exported
20 | function names into a `.def` file. Use `lib /def:<deffile> /OUT:<libfile>` to
21 | generate a `.lib` and add the library to the linker options. Once the usage of
22 | an export is detected (`__declspec(dllimport)`), the linker adds the early DLL
23 | load.


--------------------------------------------------------------------------------
/qemu_mode/fastexit/Makefile:
--------------------------------------------------------------------------------
 1 | #
 2 | # american fuzzy lop++ - fastexit
 3 | # --------------------------------
 4 | #
 5 | # Written by Andrea Fioraldi <andreafioraldi@gmail.com>
 6 | #
 7 | # Copyright 2019-2024 Andrea Fioraldi. All rights reserved.
 8 | #
 9 | # Licensed under the Apache License, Version 2.0 (the "License");
10 | # you may not use this file except in compliance with the License.
11 | # You may obtain a copy of the License at:
12 | #
13 | #   http://www.apache.org/licenses/LICENSE-2.0
14 | #
15 | 
16 | TARGETS=fastexit.so fastexit32.so fastexit64.so
17 | 
18 | all:  $(TARGETS)
19 | 
20 | fastexit.so: fastexit.c
21 | 	@if $(CC) -fPIC -shared fastexit.c -o fastexit.so 2>/dev/null ; then echo "fastexit build success"; else echo "fastexit build failure (that's fine)"; fi
22 | 
23 | fastexit32.so: fastexit.c
24 | 	@if $(CC) -fPIC -m32 -shared fastexit.c -o fastexit32.so 2>/dev/null ; then echo "fastexit32 build success"; else echo "fastexit32 build failure (that's fine)"; fi
25 | 
26 | fastexit64.so: fastexit.c
27 | 	@if $(CC) -fPIC -m64 -shared fastexit.c -o fastexit64.so 2>/dev/null ; then echo "fastexit64 build success"; else echo "fastexit64 build failure (that's fine)"; fi
28 | 
29 | clean:
30 | 	rm -f fastexit.so
31 | 


--------------------------------------------------------------------------------
/qemu_mode/fastexit/README.md:
--------------------------------------------------------------------------------
1 | # fastexit
2 | 
3 | This library forces _exit on exit when preloaded to gain speed.
4 | 
5 | Gives speed on complex targets like Android or Wine.
6 | 


--------------------------------------------------------------------------------
/qemu_mode/fastexit/fastexit.c:
--------------------------------------------------------------------------------
1 | #include <unistd.h>
2 | #include <stdlib.h>
3 | 
4 | void exit(int status) {
5 |   _exit(status);
6 | }
7 | 


--------------------------------------------------------------------------------
/qemu_mode/hooking_bridge/Makefile:
--------------------------------------------------------------------------------
 1 | .PHONY: clean
 2 | 
 3 | all: plugin
 4 | SRC=./src
 5 | BLD=./build
 6 | INC=-I./inc -I../qemuafl/include -I$(GLIB_H) -I$(GLIB_CONFIG_H)
 7 | # CC=gcc
 8 | 
 9 | $(BLD)/patching.o:$(SRC)/patching.c
10 | 	$(CC) -c -fPIC $(INC) -o $(BLD)/patching.o $(SRC)/patching.c
11 | 	
12 | plugin:$(SRC)/main.c $(BLD)/patching.o
13 | 	$(CC) -c -fPIC $(INC) -o $(BLD)/plugin.o $(SRC)/main.c
14 | 	$(CC) -shared -o $(BLD)/plugin.so $(BLD)/plugin.o $(BLD)/patching.o
15 | 
16 | clean:
17 | 	rm -rf $(BLD)/*.o
18 | 	rm -rf $(BLD)/*.so


--------------------------------------------------------------------------------
/qemu_mode/hooking_bridge/inc/common.h:
--------------------------------------------------------------------------------
 1 | #ifndef COMMON_H
 2 | #define COMMON_H
 3 | 
 4 | #include <qemu/qemu-plugin.h>
 5 | 
 6 | void patch_finish_cb(void *userdata);
 7 | void patch_block_trans_cb(struct qemu_plugin_tb *tb);
 8 | void patch_vpu_init_cb(unsigned int vcpu_index);
 9 | void patch_init(char *hook_library);
10 | 
11 | #endif


--------------------------------------------------------------------------------
/qemu_mode/hooking_bridge/inc/exports.h:
--------------------------------------------------------------------------------
 1 | #ifndef API_H
 2 | #define API_H
 3 | 
 4 | //# EXPORTS
 5 | // Returns 0 on success
 6 | int r_mem(unsigned long long addr, unsigned long long len, void *dest);
 7 | // // Returns 0 on success
 8 | int w_mem(unsigned long long addr, unsigned long long len, void *src);
 9 | // Returns num of bytes read; 
10 | int r_reg(unsigned char reg, void *dest);
11 | // // Returns num of bytes written
12 | int w_reg(unsigned char reg, char *src);
13 | 
14 | 
15 | //NOTE hook function must be named hook_<16 hex character at_addr>
16 | //NOTE must define function `struct conf* configure()`
17 | struct conf{
18 |     unsigned char IP_reg_num;
19 |     unsigned long long entry_addr;
20 |     unsigned long long* hooks;
21 |     unsigned long long num_hooks;
22 | }conf;
23 | 
24 | struct ret{
25 |     unsigned long long addr;
26 |     char remove_bp;
27 | };
28 | 
29 | #endif


--------------------------------------------------------------------------------
/qemu_mode/hooking_bridge/src/main.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | #include "common.h"
 4 | 
 5 | QEMU_PLUGIN_EXPORT int qemu_plugin_version = QEMU_PLUGIN_VERSION;
 6 | 
 7 | static void finish_cb(qemu_plugin_id_t id, void *userdata) {
 8 | 
 9 |   patch_finish_cb(userdata);
10 | 
11 | }
12 | 
13 | static void block_trans_cb(qemu_plugin_id_t id, struct qemu_plugin_tb *tb) {
14 | 
15 |   patch_block_trans_cb(tb);
16 | 
17 | }
18 | 
19 | static void vpu_init_cb(qemu_plugin_id_t id, unsigned int vcpu_index) {
20 | 
21 |   patch_vpu_init_cb(vcpu_index);
22 | 
23 | }
24 | 
25 | QEMU_PLUGIN_EXPORT
26 | int qemu_plugin_install(qemu_plugin_id_t id, const qemu_info_t *info, int argc,
27 |                         char **argv) {
28 | 
29 |   patch_init(argv[0]);
30 |   qemu_plugin_register_vcpu_init_cb(id, vpu_init_cb);
31 |   qemu_plugin_register_vcpu_tb_trans_cb(id, block_trans_cb);
32 |   qemu_plugin_register_atexit_cb(id, finish_cb, NULL);
33 |   return 0;
34 | 
35 | }
36 | 
37 | 


--------------------------------------------------------------------------------
/qemu_mode/libqasan/README.md:
--------------------------------------------------------------------------------
 1 | # QEMU AddressSanitizer Runtime
 2 | 
 3 | This library is the injected runtime used by QEMU AddressSanitizer (QASan).
 4 | 
 5 | The original repository is [here](https://github.com/andreafioraldi/qasan).
 6 | 
 7 | The version embedded in qemuafl is an updated version of just the usermode part
 8 | and this runtime is injected via LD_PRELOAD (so works just for dynamically
 9 | linked binaries).
10 | 
11 | The usage is super simple, just set the env var `AFL_USE_QASAN=1` when fuzzing
12 | in QEMU mode (-Q). afl-fuzz will automatically set AFL_PRELOAD to load this
13 | library and enable the QASan instrumentation in afl-qemu-trace.
14 | 
15 | For debugging purposes, we still suggest to run the original QASan as the
16 | stacktrace support for ARM (just a debug feature, it does not affect the bug
17 | finding capabilities during fuzzing) is WIP.
18 | 
19 | ### When should I use QASan?
20 | 
21 | If your target binary is PIC x86_64, you should also give a try to
22 | [RetroWrite](https://github.com/HexHive/retrowrite) for static rewriting.
23 | 
24 | If it fails, or if your binary is for another architecture, or you want to use
25 | persistent and snapshot mode, AFL++ QASan mode is what you want/have to use.
26 | 
27 | Note that the overhead of libdislocator when combined with QEMU mode is much
28 | lower but it can catch less bugs. This is a short blanket, take your choice.
29 | 


--------------------------------------------------------------------------------
/qemu_mode/unsigaction/Makefile:
--------------------------------------------------------------------------------
 1 | #
 2 | # american fuzzy lop++ - unsigaction
 3 | # --------------------------------
 4 | #
 5 | # Written by Andrea Fioraldi <andreafioraldi@gmail.com>
 6 | #
 7 | # Copyright 2019-2024 Andrea Fioraldi. All rights reserved.
 8 | #
 9 | # Licensed under the Apache License, Version 2.0 (the "License");
10 | # you may not use this file except in compliance with the License.
11 | # You may obtain a copy of the License at:
12 | #
13 | #   http://www.apache.org/licenses/LICENSE-2.0
14 | #
15 | 
16 | TARGETS=unsigaction.so unsigaction32.so unsigaction64.so
17 | 
18 | all:  $(TARGETS)
19 | 
20 | unsigaction.so: unsigaction.c
21 | 	@if $(CC) -fPIC -shared unsigaction.c -o unsigaction.so 2>/dev/null ; then echo "unsigaction build success"; else echo "unsigaction build failure (that's fine)"; fi
22 | 
23 | unsigaction32.so: unsigaction.c
24 | 	@if $(CC) -fPIC -m32 -shared unsigaction.c -o unsigaction32.so 2>/dev/null ; then echo "unsigaction32 build success"; else echo "unsigaction32 build failure (that's fine)"; fi
25 | 
26 | unsigaction64.so: unsigaction.c
27 | 	@if $(CC) -fPIC -m64 -shared unsigaction.c -o unsigaction64.so 2>/dev/null ; then echo "unsigaction64 build success"; else echo "unsigaction64 build failure (that's fine)"; fi
28 | 
29 | clean:
30 | 	rm -f unsigaction.so
31 | 


--------------------------------------------------------------------------------
/qemu_mode/unsigaction/README.md:
--------------------------------------------------------------------------------
1 | # unsigaction
2 | 
3 | This library disables sigaction handlers when preloaded.
4 | 
5 | Mainly needed by Wine mode but can be used as a separate tool.
6 | 
7 | A similar solution can be found in [preeny](https://github.com/zardus/preeny).
8 | 


--------------------------------------------------------------------------------
/qemu_mode/unsigaction/unsigaction.c:
--------------------------------------------------------------------------------
1 | int sigaction(int signum, void *act, void *oldact) {
2 |   return 0;
3 | }
4 | 


--------------------------------------------------------------------------------
/qemu_mode/update_ref.sh:
--------------------------------------------------------------------------------
 1 | #/bin/sh
 2 | 
 3 | ##################################################
 4 | # AFL++ internal tool to update qemuafl ref.
 5 | # Usage: ./update_ref.sh <new commit hash>
 6 | # If no commit hash was provided, it'll take HEAD.
 7 | ##################################################
 8 | 
 9 | UC_VERSION_FILE='./QEMUAFL_VERSION'
10 | 
11 | NEW_VERSION="$1"
12 | 
13 | if [ "$NEW_VERSION" = "-h" ]; then
14 |   echo "Internal script to update bound qemuafl version."
15 |   echo
16 |   echo "Usage: ./update_ref.sh <new commit hash>"
17 |   echo "If no commit hash is provided, will use HEAD."
18 |   echo "-h to show this help screen."
19 |   exit 1
20 | fi
21 | 
22 | git submodule init && git submodule update || exit 1
23 | cd ./qemuafl || exit 1
24 | git fetch origin master 1>/dev/null || exit 1
25 | git stash 1>/dev/null 2>/dev/null
26 | git stash drop 1>/dev/null 2>/dev/null
27 | git checkout master
28 | git pull origin master 1>/dev/null || exit 1
29 | 
30 | if [ -z "$NEW_VERSION" ]; then
31 |   # No version provided, take HEAD.
32 |   NEW_VERSION=$(git rev-parse --short HEAD)
33 | fi
34 | 
35 | if [ -z "$NEW_VERSION" ]; then
36 |   echo "Error getting version."
37 |   exit 1
38 | fi
39 | 
40 | git checkout "$NEW_VERSION" || exit 1
41 | 
42 | cd ..
43 | 
44 | rm "$UC_VERSION_FILE"
45 | echo "$NEW_VERSION" > "$UC_VERSION_FILE"
46 | 
47 | echo "Done. New qemuafl version is $NEW_VERSION."
48 | 


--------------------------------------------------------------------------------
/test/test-all.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | . ./test-pre.sh
 4 | 
 5 | . ./test-basic.sh
 6 | 
 7 | . ./test-llvm.sh
 8 | 
 9 | . ./test-llvm-lto.sh
10 | 
11 | . ./test-gcc-plugin.sh
12 | 
13 | . ./test-libextensions.sh
14 | 
15 | . ./test-qemu-mode.sh
16 | 
17 | . ./test-frida-mode.sh
18 | 
19 | . ./test-nyx-mode.sh
20 | 
21 | . ./test-unicorn-mode.sh
22 | 
23 | . ./test-custom-mutators.sh
24 | 
25 | . ./test-unittests.sh
26 | 
27 | . ./test-post.sh
28 | 
29 | exit 0


--------------------------------------------------------------------------------
/test/test-cmplog.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <string.h>
 3 | #include <stdint.h>
 4 | #include <stdarg.h>
 5 | #include <stdlib.h>
 6 | #include <stdint.h>
 7 | #include <unistd.h>
 8 | 
 9 | int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t i) {
10 | 
11 |   if (i < 15) return -1;
12 |   if (buf[0] != 'A') return 0;
13 |   int *icmp = (int *)(buf + 1);
14 |   if (*icmp != 0x69694141) return 0;
15 |   if (memcmp(buf + 5, "1234EF", 6) == 0) abort();
16 |   return 0;
17 | 
18 | }
19 | 
20 | #ifdef __AFL_COMPILER
21 | int main(int argc, char *argv[]) {
22 | 
23 |   unsigned char buf[1024];
24 |   ssize_t       i;
25 |   while (__AFL_LOOP(1000)) {
26 | 
27 |     i = read(0, (char *)buf, sizeof(buf) - 1);
28 |     if (i > 0) buf[i] = 0;
29 |     LLVMFuzzerTestOneInput(buf, i);
30 | 
31 |   }
32 | 
33 |   return 0;
34 | 
35 | }
36 | 
37 | #endif
38 | 
39 | 


--------------------------------------------------------------------------------
/test/test-compilers.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | echo Testing compilers ...
3 | for cc in afl-cc afl-gcc afl-clang afl-clang-fast afl-clang-lto afl-gcc-fast; do
4 |   test -e ../$cc && { { ../$cc -o t ../test-instr.c >/dev/null 2<&1 && echo Success: $cc ; } || echo Failing: $cc ; } || echo Missing: $cc
5 | done
6 | rm -f t
7 | echo Done!
8 | 


--------------------------------------------------------------------------------
/test/test-custom-mutator.c:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * Reference:
 3 |  * https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/blob/master/4_libprotobuf_aflpp_custom_mutator/vuln.c
 4 |  */
 5 | 
 6 | #include <stdio.h>
 7 | #include <string.h>
 8 | #include <math.h>
 9 | #include <stdlib.h>
10 | #include <unistd.h>
11 | 
12 | int main(int argc, char *argv[]) {
13 | 
14 |   char str[100];
15 |   read(0, str, 100);
16 |   if (str[6] == 'A') { abort(); }
17 |   return 0;
18 | 
19 | }
20 | 
21 | 


--------------------------------------------------------------------------------
/test/test-dlopen.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <errno.h>
 3 | #include <dlfcn.h>
 4 | #include <stdlib.h>
 5 | 
 6 | int main(int argc, char **argv) {
 7 | 
 8 |   if (!getenv("TEST_DLOPEN_TARGET")) {
 9 | 
10 |     fprintf(stderr, "Error: TEST_DLOPEN_TARGET not set!\n");
11 |     return 1;
12 | 
13 |   }
14 | 
15 |   void *lib = dlopen(getenv("TEST_DLOPEN_TARGET"), RTLD_LAZY);
16 |   if (!lib) {
17 | 
18 |     perror(dlerror());
19 |     return 2;
20 | 
21 |   }
22 | 
23 |   int (*func)(int, char **) = dlsym(lib, "main_exported");
24 |   if (!func) {
25 | 
26 |     fprintf(stderr, "Error: main_exported not found!\n");
27 |     return 3;
28 | 
29 |   }
30 | 
31 |   // must use deferred forkserver as otherwise AFL++ instrumentation aborts
32 |   // because all dlopen() of instrumented libs must be before the forkserver
33 |   __AFL_INIT();
34 | 
35 |   fprintf(stderr, "Running main_exported\n");
36 |   return func(argc, argv);
37 | 
38 | }
39 | 
40 | 


--------------------------------------------------------------------------------
/test/test-floatingpoint.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <unistd.h>
 3 | #include <limits.h>
 4 | #include <stdint.h>
 5 | 
 6 | __AFL_FUZZ_INIT();
 7 | 
 8 | int main(void) {
 9 | 
10 |   ssize_t bytes_read;
11 | 
12 |   __AFL_INIT();
13 |   float *magic = (float *)__AFL_FUZZ_TESTCASE_BUF;
14 | 
15 |   while (__AFL_LOOP(INT_MAX)) {
16 | 
17 |     int len = __AFL_FUZZ_TESTCASE_LEN;
18 |     if (len < sizeof(float)) return 1;
19 | 
20 |     /* 15 + 1/2                      = 15.5  */
21 |     /* 15 + 1/2 + 1/8                = 15.625  */
22 |     /* 15 + 1/2 + 1/8 + 1/32         = 15.65625  */
23 |     /* 15 + 1/2 + 1/8 + 1/32 + 1/128 = 15.6640625  */
24 |     if ((*magic >= 15.0 + 0.5 + 0.125 + 0.03125) &&
25 |         (*magic <= 15.0 + 0.5 + 0.125 + 0.03125 + 0.0078125))
26 |       abort();
27 | 
28 |   }
29 | 
30 |   return 0;
31 | 
32 | }
33 | 
34 | 


--------------------------------------------------------------------------------
/test/test-fp_minusZerocases.c:
--------------------------------------------------------------------------------
 1 | /* test cases for floating point comparison transformations
 2 |  * compile with -DFLOAT_TYPE=float
 3 |  *          or  -DFLOAT_TYPE=double
 4 |  *          or  -DFLOAT_TYPE="long double"
 5 |  */
 6 | 
 7 | #include <assert.h>
 8 | #define _GNU_SOURCE
 9 | #include <math.h>                           /* for NaNs and infinity values */
10 | 
11 | int main() {
12 | 
13 |   volatile FLOAT_TYPE a, b;
14 | 
15 |   /* negative zero */
16 |   a = 1.0 / -(1.0 / 0.0);                                     /* negative 0 */
17 |   b = 0.0;                                                    /* positive 0 */
18 |   assert(!(a < b));
19 |   assert((a <= b));
20 |   assert(!(a > b));
21 |   assert((a >= b));
22 |   assert(!(a != b));
23 |   assert((a == b));
24 | 
25 |   a = 1.0 / -(1.0 / 0.0);                                     /* negative 0 */
26 |   b = 1.0 / -(1.0 / 0.0);                                     /* negative 0 */
27 |   assert(!(a < b));
28 |   assert((a <= b));
29 |   assert(!(a > b));
30 |   assert((a >= b));
31 |   assert(!(a != b));
32 |   assert((a == b));
33 | 
34 | }
35 | 
36 | 


--------------------------------------------------------------------------------
/test/test-multiple-mutators.c:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * Test-Case for multiple custom mutators in C
 3 |  * Reference:
 4 |  * https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/blob/master/4_libprotobuf_aflpp_custom_mutator/vuln.c
 5 |  */
 6 | 
 7 | #include <stdio.h>
 8 | #include <stdlib.h>
 9 | #include <string.h>
10 | #include <unistd.h>
11 | 
12 | int main(int argc, char **argv) {
13 | 
14 |   int  a = 0;
15 |   char s[100];
16 |   read(0, s, 100);
17 | 
18 |   if (s[7] == 'B') { abort(); }
19 | 
20 |   return 0;
21 | 
22 | }
23 | 
24 | 


--------------------------------------------------------------------------------
/test/test-post.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | AFL_TEST_DEPTH=$((AFL_TEST_DEPTH-1))
 3 | 
 4 | if [ $AFL_TEST_DEPTH = 0 ]; then
 5 | # All runs done :)
 6 | 
 7 | $ECHO "$GREY[*] $AFL_TEST_COUNT test cases completed.$RESET"
 8 | test "$INCOMPLETE" = "0" && $ECHO "$GREEN[+] all test cases executed"
 9 | test "$INCOMPLETE" = "1" && $ECHO "$YELLOW[-] not all test cases were executed"
10 | test "$CODE" = "0" && $ECHO "$GREEN[+] all tests were successful :-)$RESET"
11 | test "$CODE" = "0" || $ECHO "$RED[!] failure in tests :-($RESET"
12 | exit $CODE
13 | 
14 | fi
15 | 


--------------------------------------------------------------------------------
/test/test-unittests.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | . ./test-pre.sh
 4 | 
 5 | $ECHO "$BLUE[*] Execution cmocka Unit-Tests $GREY"
 6 | unset AFL_CC
 7 | make -C .. unit || CODE=1 INCOMPLETE=1 :
 8 | rm -rf unittests/unit_hash unittests/unit_rand
 9 | 
10 | . ./test-post.sh
11 | 
12 | 


--------------------------------------------------------------------------------
/test/test-unsigaction.c:
--------------------------------------------------------------------------------
 1 | #include <signal.h>          /* sigemptyset(), sigaction(), kill(), SIGUSR1 */
 2 | #include <stdlib.h>                                               /* exit() */
 3 | #include <unistd.h>                                             /* getpid() */
 4 | #include <errno.h>                                                 /* errno */
 5 | #include <stdio.h>                                             /* fprintf() */
 6 | 
 7 | static void mysig_handler(int sig) {
 8 | 
 9 |   exit(2);
10 | 
11 | }
12 | 
13 | int main() {
14 | 
15 |   /* setup sig handler */
16 |   struct sigaction sa;
17 |   sa.sa_handler = mysig_handler;
18 |   sigemptyset(&sa.sa_mask);
19 |   sa.sa_flags = 0;
20 |   if (sigaction(SIGCHLD, &sa, NULL)) {
21 | 
22 |     fprintf(stderr, "could not set signal handler %d, aborted\n", errno);
23 |     exit(1);
24 | 
25 |   }
26 | 
27 |   kill(getpid(), SIGCHLD);
28 |   return 0;
29 | 
30 | }
31 | 
32 | 


--------------------------------------------------------------------------------
/testcases/README.md:
--------------------------------------------------------------------------------
 1 | # AFL++ starting test cases
 2 | 
 3 | For the general instruction manual, see [docs/README.md](../docs/README.md).
 4 | 
 5 | The archives/, images/, multimedia/, and others/ subdirectories contain small,
 6 | standalone files that can be used to seed afl-fuzz when testing parsers for a
 7 | variety of common data formats.
 8 | 
 9 | There is probably not much to be said about these files, except that they were
10 | optimized for size and stripped of any non-essential fluff. Some directories
11 | contain several examples that exercise various features of the underlying format.
12 | For example, there is a PNG file with and without a color profile.
13 | 
14 | Additional test cases are always welcome.
15 | 
16 | In addition to well-chosen starting files, many fuzzing jobs benefit from a
17 | small and concise dictionary. See [../dictionaries/README.md](../dictionaries/README.md) for more.
18 | 


--------------------------------------------------------------------------------
/testcases/archives/common/ar/small_archive.a:
--------------------------------------------------------------------------------
1 | !<arch>
2 | limerick/       1415337776  500   500   100640  191       `
3 | There was a young man from Japan
4 | Whose limericks never would scan.
5 | When asked why that was,
6 | He replied "It's because
7 | I always try to cram as many words into the last line as I possibly can."
8 | 
9 | 


--------------------------------------------------------------------------------
/testcases/archives/common/bzip2/small_archive.bz2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/common/bzip2/small_archive.bz2


--------------------------------------------------------------------------------
/testcases/archives/common/cab/small_archive.cab:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/common/cab/small_archive.cab


--------------------------------------------------------------------------------
/testcases/archives/common/compress/small_archive.Z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/common/compress/small_archive.Z


--------------------------------------------------------------------------------
/testcases/archives/common/cpio/small_archive.cpio:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/common/cpio/small_archive.cpio


--------------------------------------------------------------------------------
/testcases/archives/common/gzip/small_archive.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/common/gzip/small_archive.gz


--------------------------------------------------------------------------------
/testcases/archives/common/lzo/small_archive.lzo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/common/lzo/small_archive.lzo


--------------------------------------------------------------------------------
/testcases/archives/common/rar/small_archive.rar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/common/rar/small_archive.rar


--------------------------------------------------------------------------------
/testcases/archives/common/xz/small_archive.xz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/common/xz/small_archive.xz


--------------------------------------------------------------------------------
/testcases/archives/common/zip/small_archive.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/common/zip/small_archive.zip


--------------------------------------------------------------------------------
/testcases/archives/exotic/arj/small_archive.arj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/exotic/arj/small_archive.arj


--------------------------------------------------------------------------------
/testcases/archives/exotic/lha/small_archive.lha:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/exotic/lha/small_archive.lha


--------------------------------------------------------------------------------
/testcases/archives/exotic/lrzip/small_archive.lrz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/exotic/lrzip/small_archive.lrz


--------------------------------------------------------------------------------
/testcases/archives/exotic/lzip/small_archive.lz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/exotic/lzip/small_archive.lz


--------------------------------------------------------------------------------
/testcases/archives/exotic/lzma/small_archive.lzma:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/exotic/lzma/small_archive.lzma


--------------------------------------------------------------------------------
/testcases/archives/exotic/rzip/small_archive.rz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/exotic/rzip/small_archive.rz


--------------------------------------------------------------------------------
/testcases/archives/exotic/zoo/small_archive.zoo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/archives/exotic/zoo/small_archive.zoo


--------------------------------------------------------------------------------
/testcases/images/bmp/not_kitty.bmp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/images/bmp/not_kitty.bmp


--------------------------------------------------------------------------------
/testcases/images/gif/not_kitty.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/images/gif/not_kitty.gif


--------------------------------------------------------------------------------
/testcases/images/ico/not_kitty.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/images/ico/not_kitty.ico


--------------------------------------------------------------------------------
/testcases/images/jp2/not_kitty.jp2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/images/jp2/not_kitty.jp2


--------------------------------------------------------------------------------
/testcases/images/jpeg/not_kitty.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/images/jpeg/not_kitty.jpg


--------------------------------------------------------------------------------
/testcases/images/jxr/not_kitty.jxr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/images/jxr/not_kitty.jxr


--------------------------------------------------------------------------------
/testcases/images/png/not_kitty.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/images/png/not_kitty.png


--------------------------------------------------------------------------------
/testcases/images/png/not_kitty_alpha.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/images/png/not_kitty_alpha.png


--------------------------------------------------------------------------------
/testcases/images/png/not_kitty_gamma.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/images/png/not_kitty_gamma.png


--------------------------------------------------------------------------------
/testcases/images/png/not_kitty_icc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/images/png/not_kitty_icc.png


--------------------------------------------------------------------------------
/testcases/images/tiff/not_kitty.tiff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/images/tiff/not_kitty.tiff


--------------------------------------------------------------------------------
/testcases/images/webp/not_kitty.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/images/webp/not_kitty.webp


--------------------------------------------------------------------------------
/testcases/multimedia/h264/small_movie.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/multimedia/h264/small_movie.mp4


--------------------------------------------------------------------------------
/testcases/others/elf/small_exec.elf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/others/elf/small_exec.elf


--------------------------------------------------------------------------------
/testcases/others/js/small_script.js:
--------------------------------------------------------------------------------
1 | if (1==1) eval('1');


--------------------------------------------------------------------------------
/testcases/others/pcap/small_capture.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/testcases/others/pcap/small_capture.pcap


--------------------------------------------------------------------------------
/testcases/others/pdf/small.pdf:
--------------------------------------------------------------------------------
1 | %PDF-1.0
2 | 1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj 2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj 3 0 obj<</Type/Page/MediaBox[0 0 3 3]>>endobj trailer<</Size 4/Root 1 0 R>>


--------------------------------------------------------------------------------
/testcases/others/rtf/small_document.rtf:
--------------------------------------------------------------------------------
1 | {\rtf1\pard Test\par}


--------------------------------------------------------------------------------
/testcases/others/sql/simple_queries.sql:
--------------------------------------------------------------------------------
1 | create table t1(one smallint);
2 | insert into t1 values(1);
3 | select * from t1;
4 | 


--------------------------------------------------------------------------------
/testcases/others/text/hello_world.txt:
--------------------------------------------------------------------------------
1 | hello
2 | 


--------------------------------------------------------------------------------
/testcases/others/xml/small_document.xml:
--------------------------------------------------------------------------------
1 | <a b="c">d</a>
2 | 


--------------------------------------------------------------------------------
/types.h:
--------------------------------------------------------------------------------
1 | include/types.h


--------------------------------------------------------------------------------
/unicorn_mode/UNICORNAFL_VERSION:
--------------------------------------------------------------------------------
1 | fb3d2151
2 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/c/.gitignore:
--------------------------------------------------------------------------------
1 | harness
2 | harness-debug
3 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/c/COMPILE.md:
--------------------------------------------------------------------------------
 1 | # C Sample
 2 | 
 3 | This shows a simple harness for unicornafl in C
 4 | 
 5 | ## Compiling sample.c
 6 | 
 7 | The target can be built using the `make` command.
 8 | Just make sure you have built unicorn support first:
 9 | 
10 | ```bash
11 | cd /path/to/afl/unicorn_mode
12 | ./build_unicorn_support.sh
13 | ```
14 | 
15 | ## Compiling simple_target.c
16 | 
17 | You shouldn't need to compile simple_target.c since a X86_64 binary version is
18 | pre-built and shipped in this sample folder. This file documents how the binary
19 | was built in case you want to rebuild it or recompile it for any reason.
20 | 
21 | The pre-built binary (persistent_target_x86_64) was built using -g -O0 in gcc.
22 | 
23 | Then load the binary and execute the main function directly.
24 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/c/persistent_target_x86_64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/unicorn_mode/samples/c/persistent_target_x86_64


--------------------------------------------------------------------------------
/unicorn_mode/samples/c/sample_all.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | [ -z "${UNAME}" ] && UNAME=$(uname)
 4 | 
 5 | DIR=`dirname $0`
 6 | 
 7 | if [ "$UNAME" = Darwin ]; then
 8 |   export DYLD_LIBRARY_PATH=../../unicorn
 9 | else
10 |   export LD_LIBRARY_PATH=../../unicorn
11 | fi
12 | 
13 | 
14 | 
15 | if [ ! -e $DIR/harness ]; then
16 |   echo "[!] harness not found in $DIR"
17 |   exit 1
18 | fi
19 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/c/sample_inputs/sample1.bin:
--------------------------------------------------------------------------------
1 | abcd


--------------------------------------------------------------------------------
/unicorn_mode/samples/c/sample_inputs/sample2.bin:
--------------------------------------------------------------------------------
1 | �


--------------------------------------------------------------------------------
/unicorn_mode/samples/c/sample_inputs/sample3.bin:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/c/sample_inputs/sample4.bin:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/c/sample_inputs/sample5.bin:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/c/simple_target_x86_64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/unicorn_mode/samples/c/simple_target_x86_64


--------------------------------------------------------------------------------
/unicorn_mode/samples/compcov_x64/COMPILE.md:
--------------------------------------------------------------------------------
 1 | # Compiling compcov_target.c
 2 | 
 3 | compcov_target.c was compiled without optimization, position-independent,
 4 | and without standard libraries using the following command line:
 5 | 
 6 | ```
 7 | gcc -o compcov_target.elf compcov_target.c -fPIC -O0 -nostdlib
 8 | ```
 9 | 
10 | The .text section from the resulting ELF binary was then extracted to create
11 | the raw binary blob that is loaded and emulated by compcov_test_harness.py:
12 | 
13 | ```
14 | objcopy -O binary --only-section=.text compcov_target.elf compcov_target.bin 
15 | ```
16 | 
17 | Note that the output of this is padded with nulls for 16-byte alignment. This is 
18 | important when emulating it, as NOPs will be added after the return of main()
19 | as necessary.
20 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/compcov_x64/compcov_target.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/unicorn_mode/samples/compcov_x64/compcov_target.bin


--------------------------------------------------------------------------------
/unicorn_mode/samples/compcov_x64/compcov_target.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Sample target file to test afl-unicorn fuzzing capabilities.
 3 |  * This is a very trivial example that will crash pretty easily
 4 |  * in several different exciting ways. 
 5 |  *
 6 |  * Input is assumed to come from a buffer located at DATA_ADDRESS 
 7 |  * (0x00300000), so make sure that your Unicorn emulation of this 
 8 |  * puts user data there.
 9 |  *
10 |  * Written by Andrea Fioraldi
11 |  */
12 | 
13 | // Magic address where mutated data will be placed
14 | #define DATA_ADDRESS 	0x00300000
15 | 
16 | int main(void) {
17 |   unsigned int *data_buf = (unsigned int *) DATA_ADDRESS;
18 | 
19 |   if (((unsigned short*)data_buf)[0] == 0x0100) {
20 |     unsigned char invalid_read = *(unsigned char *) 0x00000000;
21 |   } else if (data_buf[1] == data_buf[2] + 0xfffe) {
22 |     unsigned char invalid_read = *(unsigned char *) 0x00000000;
23 |   }
24 | 
25 |   return 0;
26 | }
27 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/compcov_x64/compcov_target.elf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/unicorn_mode/samples/compcov_x64/compcov_target.elf


--------------------------------------------------------------------------------
/unicorn_mode/samples/compcov_x64/sample_inputs/sample1.bin:
--------------------------------------------------------------------------------
1 | 00000000000000000000000000000000


--------------------------------------------------------------------------------
/unicorn_mode/samples/persistent/.gitignore:
--------------------------------------------------------------------------------
1 | harness
2 | harness-debug
3 | out
4 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/persistent/COMPILE.md:
--------------------------------------------------------------------------------
 1 | # C Sample
 2 | 
 3 | This shows a simple persistent harness for unicornafl in C.
 4 | In contrast to the normal c harness, this harness manually resets the unicorn
 5 | state on each new input.
 6 | Thanks to this, you can rerun the test case in unicorn multiple times, without
 7 | the need to fork again.
 8 | 
 9 | ## Compiling sample.c
10 | 
11 | The target can be built using the `make` command.
12 | Just make sure you have built unicorn support first:
13 | 
14 | ```bash
15 | cd /path/to/afl/unicorn_mode
16 | ./build_unicorn_support.sh
17 | ```
18 | 
19 | ## Compiling persistent_target.c
20 | 
21 | You don't need to compile persistent_target.c since a X86_64 binary version is
22 | pre-built and shipped in this sample folder. This file documents how the binary
23 | was built in case you want to rebuild it or recompile it for any reason.
24 | 
25 | The pre-built binary (persistent_target_x86_64.bin) was built using -g -O0 in
26 | gcc.
27 | 
28 | Then load the binary and execute the main function directly.


--------------------------------------------------------------------------------
/unicorn_mode/samples/persistent/persistent_target:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/unicorn_mode/samples/persistent/persistent_target


--------------------------------------------------------------------------------
/unicorn_mode/samples/persistent/persistent_target_x86_64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/unicorn_mode/samples/persistent/persistent_target_x86_64


--------------------------------------------------------------------------------
/unicorn_mode/samples/persistent/sample_all.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | [ -z "${UNAME}" ] && UNAME=$(uname)
 4 | 
 5 | DIR=`dirname $0`
 6 | 
 7 | if [ "$UNAME" = Darwin ]; then
 8 |   export DYLD_LIBRARY_PATH=../../unicorn
 9 | else
10 |   export LD_LIBRARY_PATH=../../unicorn
11 | fi
12 | 
13 | 
14 | 
15 | if [ ! test -e $DIR/harness]; then
16 |   echo "[!] harness not found in $DIR"
17 |   exit 1
18 | fi


--------------------------------------------------------------------------------
/unicorn_mode/samples/persistent/sample_inputs/sample1.bin:
--------------------------------------------------------------------------------
1 | abcd


--------------------------------------------------------------------------------
/unicorn_mode/samples/persistent/sample_inputs/sample2.bin:
--------------------------------------------------------------------------------
1 | �


--------------------------------------------------------------------------------
/unicorn_mode/samples/persistent/sample_inputs/sample3.bin:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/persistent/sample_inputs/sample4.bin:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/persistent/sample_inputs/sample5.bin:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/persistent/simple_target_x86_64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/unicorn_mode/samples/persistent/simple_target_x86_64


--------------------------------------------------------------------------------
/unicorn_mode/samples/python_simple/sample_inputs/sample1.bin:
--------------------------------------------------------------------------------
1 | abcd


--------------------------------------------------------------------------------
/unicorn_mode/samples/python_simple/sample_inputs/sample2.bin:
--------------------------------------------------------------------------------
1 | �


--------------------------------------------------------------------------------
/unicorn_mode/samples/python_simple/sample_inputs/sample3.bin:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/python_simple/sample_inputs/sample4.bin:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/python_simple/sample_inputs/sample5.bin:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/python_simple/simple_target.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/unicorn_mode/samples/python_simple/simple_target.bin


--------------------------------------------------------------------------------
/unicorn_mode/samples/python_simple/simple_target.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Sample target file to test afl-unicorn fuzzing capabilities.
 3 |  * This is a very trivial example that will crash pretty easily
 4 |  * in several different exciting ways. 
 5 |  *
 6 |  * Input is assumed to come from a buffer located at DATA_ADDRESS 
 7 |  * (0x00300000), so make sure that your Unicorn emulation of this 
 8 |  * puts user data there.
 9 |  *
10 |  * Written by Nathan Voss <njvoss99@gmail.com>
11 |  */
12 | 
13 | // Magic address where mutated data will be placed
14 | #define DATA_ADDRESS 	0x00300000
15 | 
16 | int main(void) {
17 |   unsigned char *data_buf = (unsigned char *) DATA_ADDRESS;
18 | 
19 |   if (data_buf[20] != 0) {
20 |     // Cause an 'invalid read' crash if data[0..3] == '\x01\x02\x03\x04'
21 |     unsigned char invalid_read = *(unsigned char *) 0x00000000;
22 |   } else if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) {
23 |     // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2]
24 |     unsigned char invalid_read = *(unsigned char *) 0x00000000;
25 |   } else if (data_buf[9] == 0x00 && data_buf[10] != 0x00 && data_buf[11] == 0x00) {
26 |     // Cause a crash if data[10] is not zero, but [9] and [11] are zero
27 |     unsigned char invalid_read = *(unsigned char *) 0x00000000;
28 |   }
29 | 
30 |   return 0;
31 | }
32 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/speedtest/.gitignore:
--------------------------------------------------------------------------------
1 | output
2 | harness
3 | harness-debug
4 | target
5 | target.o
6 | target.offsets.*
7 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/speedtest/Makefile:
--------------------------------------------------------------------------------
 1 | CFLAGS += -Wall -Werror -Wextra -Wpedantic -Og -g -fPIE
 2 | 
 3 | .PHONY: all clean
 4 | 
 5 | all: target target.offsets.main
 6 | 
 7 | clean:
 8 | 	rm -rf *.o target target.offsets.*
 9 | 
10 | target.o: target.c
11 | 	${CC} ${CFLAGS} -c target.c -o $@
12 | 
13 | target: target.o
14 | 	${CC} ${CFLAGS} target.o -o $@
15 | 
16 | target.offsets.main: target
17 | 	./get_offsets.py


--------------------------------------------------------------------------------
/unicorn_mode/samples/speedtest/README.md:
--------------------------------------------------------------------------------
 1 | # Speedtest
 2 | 
 3 | This is a simple sample harness for a non-crashing file,
 4 | to show the raw speed of C, Rust, and Python harnesses.
 5 | 
 6 | ## Compiling...
 7 | 
 8 | Make sure you built unicornafl first (`../../build_unicorn_support.sh`).
 9 | Build the target using the provided Makefile.
10 | This will also run the [./get_offsets.py](./get_offsets.py) script,
11 | which finds some relevant addresses in the target binary using `objdump`,
12 | and dumps them to different files.
13 | Then, follow these individual steps:
14 | 
15 | ### Rust
16 | 
17 | ```bash
18 | cd rust
19 | cargo build --release
20 | ../../../../afl-fuzz -i ../sample_inputs -o out -U -- ./target/release/harness @@
21 | ```
22 | 
23 | ### C
24 | 
25 | ```bash
26 | cd c
27 | make
28 | ../../../../afl-fuzz -i ../sample_inputs -o out -U -- ./harness @@
29 | ```
30 | 
31 | ### python
32 | 
33 | ```bash
34 | cd python
35 | ../../../../afl-fuzz -i ../sample_inputs -o out -U -- python3 ./harness.py @@
36 | ```
37 | 
38 | ## Results
39 | 
40 | TODO: add results here.
41 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/speedtest/python/Makefile:
--------------------------------------------------------------------------------
 1 | .PHONY: all fuzz
 2 | 
 3 | all: ../target
 4 | 
 5 | afl-fuzz: ../../../../afl-fuzz
 6 | ../../../../afl-fuzz:
 7 | 	$(MAKE) -C ../../../../ afl-fuzz
 8 | 
 9 | 
10 | ../target:
11 | 	$(MAKE) -C ..
12 | 
13 | fuzz: all afl-fuzz
14 | 	rm -rf ./ouptput
15 | 	../../../../afl-fuzz -s 1 -U -i ../sample_inputs -o ./output -- python3 harness.py @@
16 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/speedtest/rust/.gitignore:
--------------------------------------------------------------------------------
1 | target
2 | Cargo.lock
3 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/speedtest/rust/Cargo.toml:
--------------------------------------------------------------------------------
 1 | [package]
 2 | name = "harness"
 3 | version = "0.1.0"
 4 | authors = ["Dominik Maier <domenukk@gmail.com>"]
 5 | edition = "2018"
 6 | 
 7 | [profile.release]
 8 | lto = true
 9 | opt-level = 3
10 | panic = "abort"
11 | 
12 | [dependencies]
13 | unicornafl = { path = "../../../unicornafl/bindings/rust/", version="1.0.0" }
14 | capstone="0.11.0"
15 | libc="0.2.66"
16 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/speedtest/rust/Makefile:
--------------------------------------------------------------------------------
 1 | .PHONY: all fuzz
 2 | 
 3 | all: ../target ./target/release/unicornafl_harness
 4 | 
 5 | afl-fuzz: ../../../../afl-fuzz
 6 | ../../../../afl-fuzz:
 7 | 	$(MAKE) -C ../../../../ afl-fuzz
 8 | 
 9 | clean:
10 | 	cargo clean
11 | 
12 | ./target/release/unicornafl_harness: ./src/main.rs
13 | 	cargo build --release
14 | 
15 | ./target/debug/unicornafl_harness: ./src/main.rs
16 | 	cargo build
17 | 
18 | ../target:
19 | 	$(MAKE) -C ..
20 | 
21 | fuzz: all afl-fuzz
22 | 	rm -rf ./output
23 | 	SKIP_BIN_CHECK=1 ../../../../afl-fuzz -s 1 -i ../sample_inputs -o ./output -- ./target/release/unicornafl_harness @@
24 | 


--------------------------------------------------------------------------------
/unicorn_mode/samples/speedtest/sample_inputs/a:
--------------------------------------------------------------------------------
1 | a
2 | 


--------------------------------------------------------------------------------
/unicorn_mode/update_uc_ref.sh:
--------------------------------------------------------------------------------
 1 | #/bin/sh
 2 | 
 3 | ##################################################
 4 | # AFL++ internal tool to update unicornafl ref.
 5 | # Usage: ./update_uc_ref.sh <new commit hash>
 6 | # If no commit hash was provided, it'll take HEAD.
 7 | ##################################################
 8 | 
 9 | UC_VERSION_FILE='./UNICORNAFL_VERSION'
10 | 
11 | NEW_VERSION="$1"
12 | 
13 | if [ "$NEW_VERSION" = "-h" ]; then
14 |   echo "Internal script to update bound unicornafl version."
15 |   echo
16 |   echo "Usage: ./update_uc_ref.sh <new commit hash>"
17 |   echo "If no commit hash is provided, will use HEAD."
18 |   echo "-h to show this help screen."
19 |   exit 1
20 | fi
21 | 
22 | git submodule init && git submodule update unicornafl || exit 1
23 | cd ./unicornafl || exit 1
24 | git fetch origin uc1 1>/dev/null || exit 1
25 | git stash 1>/dev/null 2>/dev/null
26 | git stash drop 1>/dev/null 2>/dev/null
27 | git checkout main
28 | 
29 | if [ -z "$NEW_VERSION" ]; then
30 |   # No version provided, take HEAD.
31 |   NEW_VERSION=$(git rev-parse --short HEAD)
32 | fi
33 | 
34 | if [ -z "$NEW_VERSION" ]; then
35 |   echo "Error getting version."
36 |   exit 1
37 | fi
38 | 
39 | git checkout "$NEW_VERSION" || exit 1
40 | 
41 | cd ..
42 | 
43 | rm "$UC_VERSION_FILE"
44 | echo "$NEW_VERSION" > "$UC_VERSION_FILE"
45 | 
46 | echo "Done. New unicornafl version is $NEW_VERSION."
47 | 


--------------------------------------------------------------------------------
/utils/afl_network_proxy/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | 	@echo please use GNU make, thanks!
3 | 


--------------------------------------------------------------------------------
/utils/afl_proxy/Makefile:
--------------------------------------------------------------------------------
1 | all:	afl-proxy
2 | 
3 | afl-proxy:	afl-proxy.c
4 | 	$(CC) -I../../include -o afl-proxy afl-proxy.c
5 | 
6 | clean:
7 | 	rm -f afl-proxy *~ core
8 | 


--------------------------------------------------------------------------------
/utils/afl_proxy/README.md:
--------------------------------------------------------------------------------
 1 | # afl-proxy
 2 | 
 3 | afl-proxy is an example skeleton file which can easily be used to fuzz
 4 | and instrument non-standard things.
 5 | 
 6 | You only need to change the while() loop of the main() to send the
 7 | data of buf[] with length len to the target and write the coverage
 8 | information to __afl_area_ptr[__afl_map_size]
 9 | 
10 | UPDATE: you can also use [custom mutators](../../docs/custom_mutators.md) with
11 | afl_custom_fuzz_send to send data to a target, which is much more efficient!
12 | But you can only use this feature if you start the target via afl-fuzz and
13 | a forkserver is active (e.g. via -Q qemu_mode or source compiled).
14 | 
15 | 


--------------------------------------------------------------------------------
/utils/afl_untracer/Makefile:
--------------------------------------------------------------------------------
 1 | ifdef DEBUG
 2 |   OPT=-O0
 3 | else
 4 |   OPT=-O3
 5 | endif
 6 | SYS = $(shell uname -s)
 7 | DL =
 8 | ifeq "$(SYS)" "Linux"
 9 |     DL = -ldl
10 | endif
11 | 
12 | all:	afl-untracer libtestinstr.so
13 | 
14 | afl-untracer:	afl-untracer.c
15 | 	$(CC) $(OPT) -I../../include -g -o afl-untracer afl-untracer.c $(DL)
16 | 
17 | libtestinstr.so:	libtestinstr.c
18 | 	$(CC) -g -O0 -fPIC -o libtestinstr.so -shared libtestinstr.c
19 | 
20 | clean:
21 | 	rm -f afl-untracer libtestinstr.so *~ core
22 | 


--------------------------------------------------------------------------------
/utils/afl_untracer/TODO:
--------------------------------------------------------------------------------
1 |  * add shmem fuzzing
2 |  * add snapshot feature?
3 | 


--------------------------------------------------------------------------------
/utils/afl_untracer/libtestinstr.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |    american fuzzy lop++ - a trivial program to test the build
 3 |    --------------------------------------------------------
 4 |    Originally written by Michal Zalewski
 5 |    Copyright 2014 Google Inc. All rights reserved.
 6 |    Copyright 2019-2024 AFLplusplus Project. All rights reserved.
 7 |    Licensed under the Apache License, Version 2.0 (the "License");
 8 |    you may not use this file except in compliance with the License.
 9 |    You may obtain a copy of the License at:
10 |      http://www.apache.org/licenses/LICENSE-2.0
11 |  */
12 | 
13 | #include <stdio.h>
14 | #include <stdlib.h>
15 | #include <unistd.h>
16 | #include <string.h>
17 | #include <sys/types.h>
18 | #include <sys/stat.h>
19 | #include <fcntl.h>
20 | 
21 | void testinstr(char *buf, int len) {
22 | 
23 |   if (len < 1) return;
24 |   buf[len] = 0;
25 | 
26 |   // we support three input cases
27 |   if (buf[0] == '0')
28 |     printf("Looks like a zero to me!\n");
29 |   else if (buf[0] == '1')
30 |     printf("Pretty sure that is a one!\n");
31 |   else
32 |     printf("Neither one or zero? How quaint!\n");
33 | 
34 | }
35 | 
36 | 


--------------------------------------------------------------------------------
/utils/afl_untracer/patches.txt:
--------------------------------------------------------------------------------
 1 | libtestinstr.so:0x1000
 2 | 0x10
 3 | 0x12
 4 | 0x20
 5 | 0x36
 6 | 0x30
 7 | 0x40
 8 | 0x50
 9 | 0x63
10 | 0x6f
11 | 0x78
12 | 0x80
13 | 0xa4
14 | 0xb0
15 | 0xb8
16 | 0x100
17 | 0xc0
18 | 0xc9
19 | 0xd7
20 | 0xe3
21 | 0xe8
22 | 0xf8
23 | 0x105
24 | 0x11a
25 | 0x135
26 | 0x141
27 | 0x143
28 | 0x14e
29 | 0x15a
30 | 0x15c
31 | 0x168
32 | 0x16a
33 | 0x16b
34 | 0x170
35 | 


--------------------------------------------------------------------------------
/utils/aflpp_driver/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | 	@gmake all || echo please install GNUmake
3 | 


--------------------------------------------------------------------------------
/utils/aflpp_driver/aflpp_driver_test.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | #include <stdint.h>
 4 | 
 5 | char *foo = NULL;
 6 | 
 7 | int __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
 8 | 
 9 |   if (Size < 5) return -1;
10 | 
11 |   if (Data[0] == 'F')
12 |     if (Data[1] == 'A')
13 |       if (Data[2] == '
#39;)
14 |         if (Data[3] == '
#39;)
15 |           if (Data[4] == '
#39;) *foo = 1;
16 | 
17 |   return 0;
18 | 
19 | }
20 | 
21 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
22 | 
23 |   if (Size)
24 |     return crashme(Data, Size);
25 |   else
26 |     return -1;
27 | 
28 | }
29 | 
30 | 


--------------------------------------------------------------------------------
/utils/aflpp_driver/aflpp_qemu_driver.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdint.h>
 3 | #include <stdlib.h>
 4 | #include <unistd.h>
 5 | 
 6 | // libFuzzer interface is thin, so we don't include any libFuzzer headers.
 7 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
 8 | __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
 9 | 
10 | #define kMaxAflInputSize (1 * 1024 * 1024)
11 | static uint8_t AflInputBuf[kMaxAflInputSize];
12 | 
13 | void __attribute__((noinline)) afl_qemu_driver_stdin_input(void) {
14 | 
15 |   size_t l = read(0, AflInputBuf, kMaxAflInputSize);
16 |   LLVMFuzzerTestOneInput(AflInputBuf, l);
17 | 
18 | }
19 | 
20 | int main(int argc, char **argv) {
21 | 
22 |   if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv);
23 |   // Do any other expensive one-time initialization here.
24 | 
25 |   if (getenv("AFL_QEMU_DRIVER_NO_HOOK") || getenv("AFL_FRIDA_DRIVER_NO_HOOK")) {
26 | 
27 |     afl_qemu_driver_stdin_input();
28 | 
29 |   } else {
30 | 
31 |     fprintf(stderr,
32 |             "Using shared-memory testcases. To read via stdin, set "
33 |             "AFL_QEMU_DRIVER_NO_HOOK=1.\n");
34 |     uint8_t dummy_input[1024000] = {0};
35 |     LLVMFuzzerTestOneInput(dummy_input, 1);
36 | 
37 |   }
38 | 
39 |   return 0;
40 | 
41 | }
42 | 
43 | 


--------------------------------------------------------------------------------
/utils/aflpp_driver/aflpp_qemu_driver_hook.c:
--------------------------------------------------------------------------------
 1 | #include "../../qemu_mode/qemuafl/qemuafl/api.h"
 2 | 
 3 | #include <stdint.h>
 4 | #include <string.h>
 5 | 
 6 | #define g2h(x) ((void *)((unsigned long)(x) + guest_base))
 7 | #define h2g(x) ((uint64_t)(x) - guest_base)
 8 | 
 9 | void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
10 |                          uint8_t *input_buf, uint32_t input_buf_len) {
11 | 
12 |   // In this example the register RDI is pointing to the memory location
13 |   // of the target buffer, and the length of the input is in RSI.
14 |   // This can be seen with a debugger, e.g. gdb (and "disass main")
15 | 
16 |   memcpy(g2h(regs->rdi), input_buf, input_buf_len);
17 |   regs->rsi = input_buf_len;
18 | 
19 | }
20 | 
21 | #undef g2h
22 | #undef h2g
23 | 
24 | int afl_persistent_hook_init(void) {
25 | 
26 |   // 1 for shared memory input (faster), 0 for normal input (you have to use
27 |   // read(), input_buf will be NULL)
28 |   return 1;
29 | 
30 | }
31 | 
32 | 


--------------------------------------------------------------------------------
/utils/argv_fuzzing/argv_fuzz_demo.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <string.h>
 3 | #include "argv-fuzz-inl.h"
 4 | 
 5 | int main(int argc, char **argv) {
 6 | 
 7 |   // Initialize the argv array for use with the AFL (American Fuzzy Lop) tool
 8 |   AFL_INIT_ARGV();
 9 | 
10 |   /* Check the number of command line arguments and
11 |     compare the values of the first two arguments to specific strings.
12 |     If the number of arguments is not correct or the values do not match,
13 |     an error message is printed. If the values do match, the program
14 |     calls the abort() function. */
15 |   if (argc > 1 && strcmp(argv[1], "XYZ") == 0) {
16 | 
17 |     if (strcmp(argv[2], "TEST2") == 0) { abort(); }
18 | 
19 |   } else {
20 | 
21 |     printf("Bad number of arguments!\n");
22 | 
23 |   }
24 | 
25 |   return 0;
26 | 
27 | }
28 | 
29 | 


--------------------------------------------------------------------------------
/utils/autodict_ql/build-codeql.sh:
--------------------------------------------------------------------------------
 1 | cd ~
 2 | if [ -d "codeql-home" ]; then
 3 |     echo "Exist !"
 4 |     exit 1
 5 | fi
 6 | mkdir codeql-home
 7 | cd codeql-home
 8 | git clone https://github.com/github/codeql.git codeql-repo
 9 | git clone https://github.com/github/codeql-go.git
10 | wget https://github.com/github/codeql-cli-binaries/releases/download/v2.7.3/codeql-linux64.zip
11 | unzip codeql-linux64.zip 
12 | mv codeql codeql-cli
13 | export "PATH=~/codeql-home/codeql-cli/:$PATH"
14 | echo "export PATH=~/codeql-home/codeql-cli/:$PATH" >> ~/.bashrc
15 | codeql resolve languages
16 | codeql resolve qlpacks
17 | codeql
18 | 


--------------------------------------------------------------------------------
/utils/autodict_ql/litool.ql:
--------------------------------------------------------------------------------
 1 | import cpp
 2 | 
 3 | class HexOrOctLiteral extends Literal{
 4 |     HexOrOctLiteral(){
 5 |       (this instanceof HexLiteral) or (this instanceof OctalLiteral)
 6 |     }
 7 | }
 8 | 
 9 | from HexOrOctLiteral lit
10 | select lit.getValueText()
11 | 


--------------------------------------------------------------------------------
/utils/autodict_ql/memcmp-str.ql:
--------------------------------------------------------------------------------
1 | import cpp 
2 | 
3 | /// function :  memcmp trace
4 | 
5 | from FunctionCall fucall, Expr size
6 | where
7 |     fucall.getTarget().hasName("memcmp")
8 | select fucall.getArgument(_).getValueText()	


--------------------------------------------------------------------------------
/utils/autodict_ql/qlpack.yml:
--------------------------------------------------------------------------------
1 | name: autodict
2 | version: 0.0.0
3 | libraryPathDependencies: codeql-cpp
4 | 


--------------------------------------------------------------------------------
/utils/autodict_ql/strcmp-str.ql:
--------------------------------------------------------------------------------
1 | import cpp 
2 | 
3 | /// function : strcmp
4 | 
5 | from FunctionCall fucall, Expr size
6 | where
7 |     fucall.getTarget().hasName("strcmp")
8 | select fucall.getArgument(_).getValueText()


--------------------------------------------------------------------------------
/utils/autodict_ql/strncmp-str.ql:
--------------------------------------------------------------------------------
1 | import cpp 
2 | 
3 | /// function : strncmp
4 | 
5 | from FunctionCall fucall, Expr size
6 | where
7 |     fucall.getTarget().hasName("strncmp")
8 | select fucall.getArgument(_).getValueText()


--------------------------------------------------------------------------------
/utils/autodict_ql/strtool.ql:
--------------------------------------------------------------------------------
 1 | import cpp
 2 | import semmle.code.cpp.dataflow.DataFlow
 3 | class StringLiteralNode extends DataFlow::Node {
 4 |   StringLiteralNode() { this.asExpr() instanceof StringLiteral }
 5 | }
 6 | class CmpArgNode extends DataFlow::Node {
 7 |    CmpArgNode() {
 8 |     exists(FunctionCall fc |
 9 |       fc.getTarget().getName().regexpMatch(".*(str|mem|strn|b)*(cmp|str)*") and
10 |       fc.getArgument(0) = this.asExpr() 
11 |     )
12 |  or
13 |     exists(FunctionCall fc |
14 |       fc.getTarget().getName().regexpMatch(".*(str|mem|strn|b)*(cmp|str)*") and
15 |       fc.getArgument(1) = this.asExpr()
16 |     )
17 |   }
18 | }
19 | 
20 | from StringLiteralNode src, CmpArgNode arg
21 | where
22 |   DataFlow::localFlow(src, arg)
23 | 
24 | select src.asExpr().(StringLiteral).toString()


--------------------------------------------------------------------------------
/utils/bench/Makefile:
--------------------------------------------------------------------------------
1 | all:	hash
2 | 
3 | hash:	hash.c
4 | 	gcc -O3 -mavx2 -march=native -I../../include -o hash hash.c
5 | 
6 | clean:
7 | 	rm -f hash
8 | 
9 | 


--------------------------------------------------------------------------------
/utils/bench/README.md:
--------------------------------------------------------------------------------
1 | # Internal AFL++ benchmarking
2 | 
3 | 


--------------------------------------------------------------------------------
/utils/defork/README.md:
--------------------------------------------------------------------------------
 1 | # defork
 2 | 
 3 | when the target forks, this breaks all normal fuzzing runs.
 4 | Sometimes, though, it is enough to just run the child process.
 5 | If this is the case, then this LD_PRELOAD library will always return 0 on fork,
 6 | the target will believe it is running as the child, post-fork.
 7 | 
 8 | This is defork.c from the amazing preeny project
 9 | https://github.com/zardus/preeny
10 | 
11 | It is altered for AFL++ to work with its fork-server: the initial fork will go through, the second fork will be blocked.
12 | 


--------------------------------------------------------------------------------
/utils/defork/forking_target.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <unistd.h>
 3 | #include <stdint.h>
 4 | #include <sys/types.h>
 5 | 
 6 | /* This is an example target for defork.c - fuzz using
 7 | ```
 8 | mkdir in; echo a > ./in/a
 9 | AFL_PRELOAD=./defork64.so ../../afl-fuzz -i in -o out -- ./forking_target @@
10 | ```
11 | */
12 | 
13 | int main(int argc, char **argv) {
14 | 
15 |   if (argc < 2) {
16 | 
17 |     printf("Example tool to test defork.\nUsage ./forking_target <input>\n");
18 |     return -1;
19 | 
20 |   }
21 | 
22 |   pid_t pid = fork();
23 |   if (pid == 0) {
24 | 
25 |     printf("We're in the child.\n");
26 |     FILE *f = fopen(argv[1], "r");
27 |     char  buf[4096];
28 |     fread(buf, 1, 4096, f);
29 |     fclose(f);
30 |     uint32_t offset = buf[100] + (buf[101] << 8);
31 |     char     test_val = buf[offset];
32 |     return test_val < 100;
33 | 
34 |   } else if (pid < 0) {
35 | 
36 |     perror("fork");
37 |     return -1;
38 | 
39 |   } else {
40 | 
41 |     printf("We are in the parent - defork didn't work! :( (pid=%d)\n",
42 |            (int)pid);
43 | 
44 |   }
45 | 
46 |   return 0;
47 | 
48 | }
49 | 
50 | 


--------------------------------------------------------------------------------
/utils/libaflppdesock/Makefile:
--------------------------------------------------------------------------------
 1 | 
 2 | # For cross compilation modify this as needed
 3 | #GLIBC_PATH := /path/to/glibc-2.xx/build/local_install
 4 | #CROSS_CFLAGS := -mfloat-abi=soft -nostdlib  -I$(GLIBC_PATH)/include -L$(GLIBC_PATH)/lib -Wl,-rpath=/lib -Wl,--dynamic-linker=/lib/ld-linux.so.3
 5 | 
 6 | all:	libaflppdesock.so
 7 | 
 8 | libaflppdesock.so:	libaflppdesock.c
 9 | 	$(CC) $(CROSS_CFLAGS) -shared -fPIC -o libaflppdesock.so libaflppdesock.c
10 | 
11 | clean:
12 | 	rm -f libaflppdesock.so *~ core
13 | 


--------------------------------------------------------------------------------
/utils/libpng_no_checksum/libpng-nocrc.patch:
--------------------------------------------------------------------------------
 1 | --- pngrutil.c.orig	2014-06-12 03:35:16.000000000 +0200
 2 | +++ pngrutil.c	2014-07-01 05:08:31.000000000 +0200
 3 | @@ -268,7 +268,11 @@
 4 |     if (need_crc != 0)
 5 |     {
 6 |        crc = png_get_uint_32(crc_bytes);
 7 | -      return ((int)(crc != png_ptr->crc));
 8 | +
 9 | +      if (crc != png_ptr->crc)
10 | +        fprintf(stderr, "NOTE: CRC in the file is 0x%08x, change to 0x%08x\n", crc, png_ptr->crc);
11 | +
12 | +      return ((int)(1 != 1));
13 |     }
14 |  
15 |     else
16 | 


--------------------------------------------------------------------------------
/utils/persistent_mode/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	../../afl-clang-fast -o persistent_demo persistent_demo.c
 3 | 	../../afl-clang-fast -o persistent_demo_new persistent_demo_new.c
 4 | 	AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -o test-instr test-instr.c
 5 | 
 6 | document:
 7 | 	AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c
 8 | 
 9 | clean:
10 | 	rm -f persistent_demo persistent_demo_new persistent_demo_new_compat test-instr
11 | 


--------------------------------------------------------------------------------
/utils/plot_ui/Makefile:
--------------------------------------------------------------------------------
 1 | CFLAGS=`pkg-config --cflags gtk+-3.0`
 2 | LDFLAGS=`pkg-config --libs gtk+-3.0`
 3 | 
 4 | all:  afl-plot-ui
 5 | 
 6 | afl-plot-ui:	afl-plot-ui.c
 7 | 	$(CC) $(CFLAGS) -o afl-plot-ui afl-plot-ui.c $(LDFLAGS)
 8 | 
 9 | clean:
10 | 	rm -f afl-plot-ui
11 | 


--------------------------------------------------------------------------------
/utils/plot_ui/README.md:
--------------------------------------------------------------------------------
 1 | # afl-plot-ui
 2 | 
 3 | `afl-plot-ui` is a helper utility for rendering the GNUplot graphs in a GTK window. This allows to real time resizing, scrolling, and cursor positioning features while viewing the graph. This utility also provides options to hide graphs using check buttons.
 4 | 
 5 | Currently, this utility is not built by default.
 6 | You can manually build and install `afl-plot-ui` as follows
 7 | 
 8 | ```shell
 9 | sudo apt install libgtk-3-0 libgtk-3-dev pkg-config
10 | make
11 | cd ../../
12 | sudo make install
13 | ```
14 | 
15 | *NOTE:* This utility is not meant to be used standalone. Never run this utility directly. Always run [`afl-plot`](../../afl-plot), which will, in turn, invoke this utility (when run using `-g` or `--graphical` flag).


--------------------------------------------------------------------------------
/utils/qbdi_mode/assets/screen1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/7d77cbd89e29c290c6b110a556bed3c778788610/utils/qbdi_mode/assets/screen1.png


--------------------------------------------------------------------------------
/utils/qbdi_mode/demo-so.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | 
 3 | // gcc -shared -o libdemo.so demo-so.c -w
 4 | int target_func(char *buf, int size) {
 5 | 
 6 |   printf("buffer:%p, size:%p\n", buf, size);
 7 |   switch (buf[0]) {
 8 | 
 9 |     case 1:
10 |       puts("222");
11 |       if (buf[1] == '\x44') {
12 | 
13 |         puts("null ptr deference");
14 |         *(char *)(0) = 1;
15 | 
16 |       }
17 | 
18 |       break;
19 |     case 0xff:
20 |       if (buf[2] == '\xff') {
21 | 
22 |         if (buf[1] == '\x44') {
23 | 
24 |           puts("crash....");
25 |           *(char *)(0xdeadbeef) = 1;
26 | 
27 |         }
28 | 
29 |       }
30 | 
31 |       break;
32 |     default:
33 |       puts("default action");
34 |       break;
35 | 
36 |   }
37 | 
38 |   return 1;
39 | 
40 | }
41 | 
42 | 


--------------------------------------------------------------------------------
/utils/qemu_persistent_hook/Makefile:
--------------------------------------------------------------------------------
 1 | all:
 2 | 	$(CC) -no-pie test.c -o test
 3 | 	$(CC) -fPIC -shared read_into_rdi.c -o read_into_rdi.so
 4 | 
 5 | all_mipsel: test.c mipsel_read_into_a0.c
 6 | 	$(CPU_TARGET_CC) -no-pie test.c -o mipsel_test
 7 | 	$(CC) -fPIC -shared mipsel_read_into_a0.c -o mipsel_read_into_a0.so
 8 | 
 9 | clean:
10 | 	rm -rf in out test read_into_rdi.so mipsel_test mipsel_read_into_a0.so
11 | 


--------------------------------------------------------------------------------
/utils/qemu_persistent_hook/mipsel_read_into_a0.c:
--------------------------------------------------------------------------------
 1 | #define TARGET_MIPS
 2 | #include "../../qemu_mode/qemuafl/qemuafl/api.h"
 3 | 
 4 | #include <stdio.h>
 5 | #include <string.h>
 6 | 
 7 | #define g2h(x) ((void *)((unsigned long)(x) + guest_base))
 8 | #define h2g(x) ((uint64_t)(x) - guest_base)
 9 | 
10 | void afl_persistent_hook(struct mips_regs *regs, uint64_t guest_base,
11 |                          uint8_t *input_buf, uint32_t input_buf_len) {
12 | 
13 |   // In this example the register $a0 is pointing to the memory location
14 |   // of the target buffer, and the length of the input is in $a1.
15 |   // This can be seen with a debugger, e.g. gdb (and "disass main")
16 | 
17 |   printf("Placing input into 0x%lx\n", regs->a0);
18 | 
19 |   if (input_buf_len > 1024) input_buf_len = 1024;
20 |   memcpy(g2h(regs->a0), input_buf, input_buf_len);
21 |   regs->a1 = input_buf_len;
22 | 
23 | }
24 | 
25 | #undef g2h
26 | #undef h2g
27 | 
28 | int afl_persistent_hook_init(void) {
29 | 
30 |   // 1 for shared memory input (faster), 0 for normal input (you have to use
31 |   // read(), input_buf will be NULL)
32 |   return 1;
33 | 
34 | }
35 | 
36 | 


--------------------------------------------------------------------------------
/utils/qemu_persistent_hook/read_into_rdi.c:
--------------------------------------------------------------------------------
 1 | #include "../../qemu_mode/qemuafl/qemuafl/api.h"
 2 | 
 3 | #include <stdio.h>
 4 | #include <string.h>
 5 | 
 6 | #define g2h(x) ((void *)((unsigned long)(x) + guest_base))
 7 | #define h2g(x) ((uint64_t)(x) - guest_base)
 8 | 
 9 | void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
10 |                          uint8_t *input_buf, uint32_t input_buf_len) {
11 | 
12 |   // In this example the register RDI is pointing to the memory location
13 |   // of the target buffer, and the length of the input is in RSI.
14 |   // This can be seen with a debugger, e.g. gdb (and "disass main")
15 | 
16 |   printf("Placing input into 0x%lx\n", regs->rdi);
17 | 
18 |   if (input_buf_len > 1024) input_buf_len = 1024;
19 |   memcpy(g2h(regs->rdi), input_buf, input_buf_len);
20 |   regs->rsi = input_buf_len;
21 | 
22 | }
23 | 
24 | #undef g2h
25 | #undef h2g
26 | 
27 | int afl_persistent_hook_init(void) {
28 | 
29 |   // 1 for shared memory input (faster), 0 for normal input (you have to use
30 |   // read(), input_buf will be NULL)
31 |   return 1;
32 | 
33 | }
34 | 
35 | 


--------------------------------------------------------------------------------
/utils/qemu_persistent_hook/test.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | 
 3 | int target_func(unsigned char *buf, int size) {
 4 | 
 5 |   printf("buffer:%p, size:%d\n", buf, size);
 6 |   switch (buf[0]) {
 7 | 
 8 |     case 1:
 9 |       if (buf[1] == '\x44') { puts("a"); }
10 |       break;
11 |     case 0xff:
12 |       if (buf[2] == '\xff') {
13 | 
14 |         if (buf[1] == '\x44') { puts("b"); }
15 | 
16 |       }
17 | 
18 |       break;
19 |     default:
20 |       break;
21 | 
22 |   }
23 | 
24 |   return 1;
25 | 
26 | }
27 | 
28 | char data[1024];
29 | 
30 | int main() {
31 | 
32 |   target_func(data, 1024);
33 | 
34 | }
35 | 
36 | 


--------------------------------------------------------------------------------
/utils/replay_record/Makefile:
--------------------------------------------------------------------------------
1 | all:
2 | 	test `grep '//[\s\t ]*#define[\s\t ]*AFL_PERSISTENT_RECORD' ../../include/config.h | wc -l` -eq 0 || (echo "AFL_PERSISTENT_RECORD must be enabled in config.h"; exit 1)
3 | 	../../afl-clang-fast -o persistent_demo_replay persistent_demo_replay.c
4 | 	${CC} -I ../../include -o persistent_demo_replay_compat persistent_demo_replay.c
5 | 	${CC} -g -I ../../include -DAFL_PERSISTENT_REPLAY_ARGPARSE -o persistent_demo_replay_argparse persistent_demo_replay.c
6 | 
7 | clean:
8 | 	rm -f persistent_demo_replay persistent_demo_replay_argparse persistent_demo_replay_compat
9 | 


--------------------------------------------------------------------------------
/utils/replay_record/README.md:
--------------------------------------------------------------------------------
 1 | # AFL++ persistent record replay
 2 | 
 3 | This persistent record replay demo showcases the `AFL_PERSISTENT_RECORD` replay functionality.
 4 | 
 5 | The [Makefile](Makefile) will produce three binaries:
 6 |   + persistent_demo_replay: uses afl-cc and makes use of the replay functionality included in the compiler runtime library
 7 |   + persistent_demo_replay_compat: uses the [afl-record-compat.h](../../include/afl-record-compat.h) compatibility header to compile the same example without `afl-cc` 
 8 |   + persistent_demo_replay_argparse: makes use of `afl-record-compat.h`, and the Makefile defines `AFL_PERSISTENT_REPLAY_ARGPARSE` to test the replay functionality but parses the input file via a command-line argument (`@@`-style harness).
 9 | 
10 | For more information see [README.persistent_mode.md](../../instrumentation/README.persistent_mode.md).


--------------------------------------------------------------------------------
/utils/socket_fuzzing/README.md:
--------------------------------------------------------------------------------
 1 | # socketfuzz
 2 | 
 3 | when you want to fuzz a network service and you can not/do not want to modify
 4 | the source (or just have a binary), then this LD_PRELOAD library will allow
 5 | for sending input to stdin which the target binary will think is coming from
 6 | a network socket.
 7 | 
 8 | This is desock_dup.c from the amazing preeny project
 9 | [https://github.com/zardus/preeny](https://github.com/zardus/preeny)
10 | 
11 | It is packaged in AFL++ to have it at hand if needed
12 | 


--------------------------------------------------------------------------------