├── .clang-format ├── .custom-format.py ├── .dockerignore ├── .github ├── FUNDING.yml ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md └── workflows │ ├── build_aflplusplus_docker.yaml │ ├── ci.yml │ ├── codeql-analysis.yml │ └── rust_custom_mutator.yml ├── .gitignore ├── .gitmodules ├── Android.bp ├── CONTRIBUTING.md ├── Changelog.md ├── Dockerfile ├── GNUmakefile ├── GNUmakefile.gcc_plugin ├── GNUmakefile.llvm ├── LICENSE ├── Makefile ├── README.md ├── README.md.AFLpp ├── TODO.md ├── afl-cmin ├── afl-cmin.bash ├── afl-persistent-config ├── afl-plot ├── afl-system-config ├── afl-whatsup ├── afl-wine-trace ├── config.h ├── config └── wufuzz.cfg ├── coresight_mode ├── .gitignore ├── GNUmakefile ├── Makefile ├── README.md └── patches │ └── 0001-Add-AFL-forkserver.patch ├── custom_mutators ├── Android.bp ├── README.md ├── examples │ ├── Makefile │ ├── README.md │ ├── XmlMutatorMin.py │ ├── common.py │ ├── custom_mutator_helpers.h │ ├── example.c │ ├── example.py │ ├── post_library_gif.so.c │ ├── post_library_png.so.c │ ├── simple-chunk-replace.py │ ├── simple_example.c │ └── wrapper_afl_min.py ├── gramatron │ ├── JSONC_VERSION │ ├── README.md │ ├── build_gramatron_mutator.sh │ ├── gramfuzz-helpers.c │ ├── gramfuzz-mutators.c │ ├── gramfuzz-util.c │ ├── gramfuzz.c │ ├── gramfuzz.h │ ├── grammars │ │ ├── js │ │ │ ├── source.json │ │ │ └── source_automata.json │ │ ├── php │ │ │ ├── source.json │ │ │ └── source_automata.json │ │ └── ruby │ │ │ ├── source.json │ │ │ └── source_automata.json │ ├── hashmap.c │ ├── hashmap.h │ ├── preprocess │ │ ├── construct_automata.py │ │ ├── gnf_converter.py │ │ └── prep_automaton.sh │ ├── test.c │ ├── test.h │ ├── utarray.h │ └── uthash.h ├── grammar_mutator │ ├── GRAMMAR_VERSION │ ├── README.md │ ├── build_grammar_mutator.sh │ └── update_grammar_ref.sh ├── honggfuzz │ ├── Makefile │ ├── README.md │ ├── custom_mutator_helpers.h │ ├── honggfuzz.c │ ├── honggfuzz.h │ ├── input.h │ ├── libhfcommon │ │ ├── common.h │ │ ├── log.h │ │ └── util.h │ ├── mangle.c │ └── mangle.h ├── libfuzzer │ ├── FuzzerBuiltins.h │ ├── FuzzerBuiltinsMsvc.h │ ├── FuzzerCommand.h │ ├── FuzzerCorpus.h │ ├── FuzzerCrossOver.cpp │ ├── FuzzerDataFlowTrace.cpp │ ├── FuzzerDataFlowTrace.h │ ├── FuzzerDefs.h │ ├── FuzzerDictionary.h │ ├── FuzzerDriver.cpp │ ├── FuzzerExtFunctions.def │ ├── FuzzerExtFunctions.h │ ├── FuzzerExtFunctionsDlsym.cpp │ ├── FuzzerExtFunctionsWeak.cpp │ ├── FuzzerExtFunctionsWindows.cpp │ ├── FuzzerExtraCounters.cpp │ ├── FuzzerFlags.def │ ├── FuzzerFork.cpp │ ├── FuzzerFork.h │ ├── FuzzerIO.cpp │ ├── FuzzerIO.h │ ├── FuzzerIOPosix.cpp │ ├── FuzzerIOWindows.cpp │ ├── FuzzerInterceptors.cpp │ ├── FuzzerInterface.h │ ├── FuzzerInternal.h │ ├── FuzzerLoop.cpp │ ├── FuzzerMain.cpp │ ├── FuzzerMerge.cpp │ ├── FuzzerMerge.h │ ├── FuzzerMutate.cpp │ ├── FuzzerMutate.h │ ├── FuzzerOptions.h │ ├── FuzzerPlatform.h │ ├── FuzzerRandom.h │ ├── FuzzerSHA1.cpp │ ├── FuzzerSHA1.h │ ├── FuzzerTracePC.cpp │ ├── FuzzerTracePC.h │ ├── FuzzerUtil.cpp │ ├── FuzzerUtil.h │ ├── FuzzerUtilDarwin.cpp │ ├── FuzzerUtilFuchsia.cpp │ ├── FuzzerUtilLinux.cpp │ ├── FuzzerUtilPosix.cpp │ ├── FuzzerUtilWindows.cpp │ ├── FuzzerValueBitMap.h │ ├── Makefile │ ├── README.md │ ├── libfuzzer.cpp │ └── libfuzzer.inc ├── libprotobuf-mutator-example │ ├── Android.bp │ ├── README.md │ ├── lpm_aflpp_custom_mutator_input.cc │ ├── lpm_aflpp_custom_mutator_input.h │ ├── test.proto │ └── vuln.c ├── radamsa │ ├── GNUmakefile │ ├── LICENSE │ ├── README.md │ ├── custom_mutator_helpers.h │ ├── libradamsa-test.c │ ├── libradamsa.c │ ├── radamsa-mutator.c │ └── radamsa.h ├── rust │ ├── .gitignore │ ├── Cargo.toml │ ├── README.md │ ├── custom_mutator-sys │ │ ├── Cargo.toml │ │ ├── build.rs │ │ ├── src │ │ │ └── lib.rs │ │ └── wrapper.h │ ├── custom_mutator │ │ ├── Cargo.toml │ │ └── src │ │ │ └── lib.rs │ ├── example │ │ ├── Cargo.toml │ │ └── src │ │ │ └── example_mutator.rs │ └── example_lain │ │ ├── Cargo.toml │ │ ├── rust-toolchain │ │ └── src │ │ └── lain_mutator.rs └── symcc │ ├── Makefile │ ├── README.md │ ├── symcc.c │ └── test_examples │ ├── file_test.c │ └── stdin_test.c ├── dictionaries ├── README.md ├── aff.dict ├── ass.dict ├── atom.dict ├── av1_dc.dict ├── bash.dict ├── bdf.dict ├── bmp.dict ├── bz2.dict ├── creole.dict ├── css.dict ├── csv.dict ├── dds.dict ├── djvu.dict ├── docommand.dict ├── exif.dict ├── fbs.dict ├── ftp.dict ├── gif.dict ├── graphviz.dict ├── heif.dict ├── hoextdown.dict ├── html_tags.dict ├── http.dict ├── icc.dict ├── iccprofile.dict ├── icns.dict ├── initfile.dict ├── jbig2.dict ├── jpeg.dict ├── jpeg2000.dict ├── js.dict ├── json.dict ├── jsonnet.dict ├── markdown.dict ├── math.dict ├── mathml.dict ├── mp4.dict ├── mysqld.dict ├── ogg.dict ├── openexr.dict ├── otf.dict ├── pbm.dict ├── pcap.dict ├── pdf.dict ├── perl.dict ├── png.dict ├── proj4.dict ├── protobuf.dict ├── ps.dict ├── psd.dict ├── regexp.dict ├── riff.dict ├── rss.dict ├── rst.dict ├── rtf.dict ├── sas.dict ├── spss.dict ├── sql.dict ├── stata.dict ├── svg.dict ├── tex.dict ├── theme-load-fuzz.dict ├── tiff.dict ├── tokener_parse_ex.dict ├── toml.dict ├── type42.dict ├── url.dict ├── utf8.dict ├── vcf.dict ├── vhd.dict ├── vpx_dec.dict ├── wav.dict ├── webm.dict ├── webp.dict ├── wkt.dict ├── x86.dict ├── xml.dict ├── xml_UTF_16.dict ├── xml_UTF_16BE.dict ├── xml_UTF_16LE.dict ├── xpath.dict ├── xslt.dict ├── yaml.dict ├── yara.dict └── zip.dict ├── docs ├── COPYING ├── Changelog.md ├── FAQ.md ├── INSTALL.md ├── README.md ├── afl-fuzz_approach.md ├── best_practices.md ├── custom_mutators.md ├── docs.md ├── docs2.md ├── env_variables.md ├── features.md ├── fuzzing_binary-only_targets.md ├── fuzzing_in_depth.md ├── ideas.md ├── important_changes.md ├── resources │ ├── 0_fuzzing_process_overview.drawio.svg │ ├── 1_instrument_target.drawio.svg │ ├── 2_prepare_campaign.drawio.svg │ ├── 3_fuzz_target.drawio.svg │ ├── 4_manage_campaign.drawio.svg │ ├── afl_gzip.png │ ├── grafana-afl++.json │ ├── screenshot.png │ └── statsd-grafana.png ├── rpc_statsd.md ├── third_party_tools.md └── tutorials.md ├── dynamic_list.txt ├── frida_mode ├── .gitignore ├── DEBUGGING.md ├── GNUmakefile ├── Makefile ├── MapDensity.md ├── README.md ├── Scripting.md ├── addr │ └── addr.c ├── frida.map ├── hook │ ├── frida_hook.c │ └── qemu_hook.c ├── include │ ├── asan.h │ ├── ctx.h │ ├── entry.h │ ├── frida_cmplog.h │ ├── instrument.h │ ├── intercept.h │ ├── js.h │ ├── lib.h │ ├── output.h │ ├── persistent.h │ ├── prefetch.h │ ├── ranges.h │ ├── seccomp.h │ ├── stalker.h │ ├── stats.h │ └── util.h ├── many-linux │ ├── Dockerfile │ ├── GNUmakefile │ ├── Makefile │ └── README.md ├── src │ ├── asan │ │ ├── asan.c │ │ ├── asan_arm32.c │ │ ├── asan_arm64.c │ │ ├── asan_x64.c │ │ └── asan_x86.c │ ├── cmplog │ │ ├── cmplog.c │ │ ├── cmplog_arm32.c │ │ ├── cmplog_arm64.c │ │ ├── cmplog_x64.c │ │ └── cmplog_x86.c │ ├── ctx │ │ ├── ctx_arm32.c │ │ ├── ctx_arm64.c │ │ ├── ctx_x64.c │ │ └── ctx_x86.c │ ├── entry.c │ ├── instrument │ │ ├── instrument.c │ │ ├── instrument_arm32.c │ │ ├── instrument_arm64.c │ │ ├── instrument_coverage.c │ │ ├── instrument_debug.c │ │ ├── instrument_x64.c │ │ └── instrument_x86.c │ ├── intercept.c │ ├── js │ │ ├── api.js │ │ ├── js.c │ │ └── js_api.c │ ├── lib │ │ ├── lib.c │ │ └── lib_apple.c │ ├── main.c │ ├── output.c │ ├── persistent │ │ ├── persistent.c │ │ ├── persistent_arm32.c │ │ ├── persistent_arm64.c │ │ ├── persistent_x64.c │ │ └── persistent_x86.c │ ├── prefetch.c │ ├── ranges.c │ ├── seccomp │ │ ├── seccomp.c │ │ ├── seccomp_atomic.c │ │ ├── seccomp_callback.c │ │ ├── seccomp_child.c │ │ ├── seccomp_event.c │ │ ├── seccomp_filter.c │ │ ├── seccomp_print.c │ │ ├── seccomp_socket.c │ │ └── seccomp_syscall.c │ ├── stalker.c │ ├── stats │ │ ├── stats.c │ │ ├── stats_arm32.c │ │ ├── stats_arm64.c │ │ └── stats_x86_64.c │ └── util.c ├── test │ ├── bloaty │ │ ├── GNUmakefile │ │ └── Makefile │ ├── cmplog │ │ ├── GNUmakefile │ │ ├── Makefile │ │ ├── cmplog.c │ │ └── get_section_addrs.py │ ├── deferred │ │ ├── GNUmakefile │ │ ├── Makefile │ │ └── testinstr.c │ ├── entry_point │ │ ├── GNUmakefile │ │ ├── Makefile │ │ └── testinstr.c │ ├── exe │ │ ├── GNUmakefile │ │ ├── Makefile │ │ └── testinstr.c │ ├── fasan │ │ ├── GNUmakefile │ │ ├── Makefile │ │ └── test.c │ ├── freetype2 │ │ ├── GNUmakefile │ │ └── Makefile │ ├── jpeg │ │ ├── GNUmakefile │ │ └── Makefile │ ├── js │ │ ├── GNUmakefile │ │ ├── Makefile │ │ ├── entry.js │ │ ├── fuzz.js │ │ ├── main.js │ │ ├── patch.js │ │ ├── replace.js │ │ ├── stalker.js │ │ ├── test.c │ │ └── test2.c │ ├── libpcap │ │ ├── GNUmakefile │ │ └── Makefile │ ├── libxml │ │ ├── GNUmakefile │ │ └── Makefile │ ├── libxslt │ │ ├── GNUmakefile │ │ └── Makefile │ ├── osx-lib │ │ ├── GNUmakefile │ │ ├── Makefile │ │ ├── harness.c │ │ ├── harness2.c │ │ ├── harness3.c │ │ ├── lib.c │ │ └── lib2.c │ ├── output │ │ ├── GNUmakefile │ │ ├── Makefile │ │ ├── frida_stderr.txt │ │ ├── frida_stdout.txt │ │ └── testinstr.c │ ├── perf │ │ ├── GNUmakefile │ │ ├── Makefile │ │ └── perf.c │ ├── persistent_ret │ │ ├── GNUmakefile │ │ ├── Makefile │ │ ├── test.js │ │ └── testinstr.c │ ├── png │ │ ├── GNUmakefile │ │ ├── Makefile │ │ └── persistent │ │ │ ├── GNUmakefile │ │ │ ├── Makefile │ │ │ └── hook │ │ │ ├── GNUmakefile │ │ │ ├── Makefile │ │ │ ├── cmodule.js │ │ │ └── load.js │ ├── proj4 │ │ ├── GNUmakefile │ │ └── Makefile │ ├── re2 │ │ ├── GNUmakefile │ │ └── Makefile │ ├── sqlite │ │ ├── GNUmakefile │ │ └── Makefile │ ├── testinstr │ │ ├── GNUmakefile │ │ ├── Makefile │ │ └── testinstr.c │ ├── unstable │ │ ├── GNUmakefile │ │ ├── Makefile │ │ └── unstable.c │ └── vorbis │ │ ├── GNUmakefile │ │ └── Makefile ├── ts │ ├── lib │ │ └── afl.ts │ ├── package-lock.json │ ├── package.json │ ├── tsconfig.json │ └── tslint.json ├── ub1804 │ ├── Dockerfile │ ├── GNUmakefile │ └── Makefile ├── update_frida_version.sh └── util │ ├── bin2c.c │ └── get_symbol_addr.sh ├── fuzz_graph.py ├── fuzz_graph_cheng_vs_afl.py ├── ghidra_script └── Auto_Decompile_All_Func.py ├── globals.py ├── include ├── afl-as.h ├── afl-fuzz.h ├── afl-prealloc.h ├── alloc-inl.h ├── android-ashmem.h ├── cmplog.h ├── common.h ├── config.h ├── coverage-32.h ├── coverage-64.h ├── debug.h ├── envs.h ├── forkserver.h ├── hash.h ├── list.h ├── parse.h ├── sharedmem.h ├── snapshot-inl.h ├── types.h └── xxhash.h ├── instrumentation ├── COPYING3 ├── Makefile ├── README.cmplog.md ├── README.gcc_plugin.md ├── README.instrument_list.md ├── README.laf-intel.md ├── README.llvm.md ├── README.lto.md ├── README.persistent_mode.md ├── SanitizerCoverageLTO.so.cc ├── SanitizerCoveragePCGUARD.so.cc ├── afl-compiler-rt.o.c ├── afl-gcc-pass.so.cc ├── afl-llvm-common.cc ├── afl-llvm-common.h ├── afl-llvm-dict2file.so.cc ├── afl-llvm-lto-instrumentlist.so.cc ├── afl-llvm-pass.so.cc ├── afl-llvm-rt-lto.o.c ├── cmplog-instructions-pass.cc ├── cmplog-routines-pass.cc ├── cmplog-switches-pass.cc ├── compare-transform-pass.so.cc ├── llvm-alternative-coverage.h ├── split-compares-pass.so.cc └── split-switches-pass.so.cc ├── nyx_mode ├── LIBNYX_VERSION ├── PACKER_VERSION ├── QEMU_NXY_VERSION ├── README.md ├── build_nyx_support.sh ├── custom_harness │ ├── example.c │ ├── fuzz.sh │ └── fuzz_no_pt.sh └── update_ref.sh ├── parse_txt.py ├── qemu_mode ├── QEMUAFL_VERSION ├── README.md ├── README.persistent.md ├── README.wine.md ├── build_qemu_support.sh ├── libcompcov │ ├── Makefile │ ├── README.md │ ├── compcovtest.cc │ ├── libcompcov.so.c │ └── pmparser.h ├── libqasan │ ├── Makefile │ ├── README.md │ ├── dlmalloc.c │ ├── hooks.c │ ├── libqasan.c │ ├── libqasan.h │ ├── malloc.c │ ├── map_macro.h │ ├── patch.c │ ├── string.c │ └── uninstrument.c ├── unsigaction │ ├── Makefile │ ├── README.md │ └── unsigaction.c └── update_ref.sh ├── qiling_harness.py ├── src ├── README.md ├── afl-analyze.c ├── afl-as.c ├── afl-cc.c ├── afl-common.c ├── afl-forkserver.c ├── afl-fuzz-bitmap.c ├── afl-fuzz-cmplog.c ├── afl-fuzz-extras.c ├── afl-fuzz-init.c ├── afl-fuzz-mutators.c ├── afl-fuzz-one.c ├── afl-fuzz-python.c ├── afl-fuzz-queue.c ├── afl-fuzz-redqueen.c ├── afl-fuzz-run.c ├── afl-fuzz-state.c ├── afl-fuzz-stats.c ├── afl-fuzz-statsd.c ├── afl-fuzz.c ├── afl-gotcpu.c ├── afl-ld-lto.c ├── afl-performance.c ├── afl-sharedmem.c ├── afl-showmap.c ├── afl-tmin.c └── parse.c ├── test-instr.c ├── test ├── checkcommit.sh ├── test-all.sh ├── test-basic.sh ├── test-cmplog.c ├── test-compcov.c ├── test-custom-mutator.c ├── test-custom-mutators.sh ├── test-dlopen.c ├── test-floatingpoint.c ├── test-fpExtra.sh ├── test-fp_Infcases.c ├── test-fp_NaNcases.c ├── test-fp_cases.c ├── test-fp_minusZerocases.c ├── test-frida-mode.sh ├── test-gcc-plugin.sh ├── test-int_cases.c ├── test-libextensions.sh ├── test-llvm-lto.sh ├── test-llvm.sh ├── test-multiple-mutators.c ├── test-performance.sh ├── test-post.sh ├── test-pre.sh ├── test-qemu-mode.sh ├── test-uint_cases.c ├── test-unicorn-mode.sh ├── test-unittests.sh ├── test-unsigaction.c └── unittests │ ├── unit_hash.c │ ├── unit_list.c │ ├── unit_maybe_alloc.c │ ├── unit_preallocable.c │ └── unit_rand.c ├── test_target └── 2sum.c ├── testcases ├── README.md ├── archives │ ├── common │ │ ├── ar │ │ │ └── small_archive.a │ │ ├── bzip2 │ │ │ └── small_archive.bz2 │ │ ├── cab │ │ │ └── small_archive.cab │ │ ├── compress │ │ │ └── small_archive.Z │ │ ├── cpio │ │ │ └── small_archive.cpio │ │ ├── gzip │ │ │ └── small_archive.gz │ │ ├── lzo │ │ │ └── small_archive.lzo │ │ ├── rar │ │ │ └── small_archive.rar │ │ ├── tar │ │ │ └── small_archive.tar │ │ ├── xz │ │ │ └── small_archive.xz │ │ └── zip │ │ │ └── small_archive.zip │ └── exotic │ │ ├── arj │ │ └── small_archive.arj │ │ ├── lha │ │ └── small_archive.lha │ │ ├── lrzip │ │ └── small_archive.lrz │ │ ├── lzip │ │ └── small_archive.lz │ │ ├── lzma │ │ └── small_archive.lzma │ │ ├── rzip │ │ └── small_archive.rz │ │ └── zoo │ │ └── small_archive.zoo ├── images │ ├── bmp │ │ └── not_kitty.bmp │ ├── gif │ │ └── not_kitty.gif │ ├── ico │ │ └── not_kitty.ico │ ├── jp2 │ │ └── not_kitty.jp2 │ ├── jpeg │ │ └── not_kitty.jpg │ ├── jxr │ │ └── not_kitty.jxr │ ├── png │ │ ├── not_kitty.png │ │ ├── not_kitty_alpha.png │ │ ├── not_kitty_gamma.png │ │ └── not_kitty_icc.png │ ├── tiff │ │ └── not_kitty.tiff │ └── webp │ │ └── not_kitty.webp ├── multimedia │ └── h264 │ │ └── small_movie.mp4 └── others │ ├── elf │ └── small_exec.elf │ ├── js │ └── small_script.js │ ├── pcap │ └── small_capture.pcap │ ├── pdf │ └── small.pdf │ ├── rtf │ └── small_document.rtf │ ├── sql │ └── simple_queries.sql │ ├── text │ └── hello_world.txt │ └── xml │ └── small_document.xml ├── types.h ├── unicorn_mode ├── README.md ├── UNICORNAFL_VERSION ├── build_unicorn_support.sh ├── helper_scripts │ ├── ida_context_loader.py │ ├── unicorn_dumper_gdb.py │ ├── unicorn_dumper_ida.py │ ├── unicorn_dumper_lldb.py │ ├── unicorn_dumper_pwndbg.py │ └── unicorn_loader.py ├── samples │ ├── c │ │ ├── .gitignore │ │ ├── COMPILE.md │ │ ├── Makefile │ │ ├── harness.c │ │ ├── persistent_target.c │ │ ├── persistent_target_x86_64 │ │ ├── sample_all.sh │ │ ├── sample_inputs │ │ │ ├── sample1.bin │ │ │ ├── sample2.bin │ │ │ ├── sample3.bin │ │ │ ├── sample4.bin │ │ │ └── sample5.bin │ │ └── simple_target_x86_64 │ ├── compcov_x64 │ │ ├── COMPILE.md │ │ ├── compcov_target.bin │ │ ├── compcov_target.c │ │ ├── compcov_target.elf │ │ ├── compcov_test_harness.py │ │ └── sample_inputs │ │ │ └── sample1.bin │ ├── persistent │ │ ├── .gitignore │ │ ├── COMPILE.md │ │ ├── Makefile │ │ ├── harness.c │ │ ├── persistent_target │ │ ├── persistent_target.c │ │ ├── persistent_target_x86_64 │ │ ├── sample_all.sh │ │ ├── sample_inputs │ │ │ ├── sample1.bin │ │ │ ├── sample2.bin │ │ │ ├── sample3.bin │ │ │ ├── sample4.bin │ │ │ └── sample5.bin │ │ ├── simple_target_noncrashing.c │ │ └── simple_target_x86_64 │ ├── simple │ │ ├── COMPILE.md │ │ ├── sample_inputs │ │ │ ├── sample1.bin │ │ │ ├── sample2.bin │ │ │ ├── sample3.bin │ │ │ ├── sample4.bin │ │ │ └── sample5.bin │ │ ├── simple_target.bin │ │ ├── simple_target.c │ │ ├── simple_test_harness.py │ │ └── simple_test_harness_alt.py │ └── speedtest │ │ ├── .gitignore │ │ ├── Makefile │ │ ├── README.md │ │ ├── c │ │ ├── Makefile │ │ └── harness.c │ │ ├── get_offsets.py │ │ ├── python │ │ ├── Makefile │ │ └── harness.py │ │ ├── rust │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Makefile │ │ └── src │ │ │ └── main.rs │ │ ├── sample_inputs │ │ └── a │ │ └── target.c └── update_uc_ref.sh ├── utils ├── README.md ├── afl_network_proxy │ ├── GNUmakefile │ ├── Makefile │ ├── README.md │ ├── afl-network-client.c │ └── afl-network-server.c ├── afl_proxy │ ├── Makefile │ ├── README.md │ └── afl-proxy.c ├── afl_untracer │ ├── Makefile │ ├── README.md │ ├── TODO │ ├── afl-untracer.c │ ├── ghidra_get_patchpoints.java │ ├── ida_get_patchpoints.py │ ├── libtestinstr.c │ └── patches.txt ├── aflpp_driver │ ├── GNUmakefile │ ├── Makefile │ ├── README.md │ ├── aflpp_driver.c │ ├── aflpp_driver_test.c │ ├── aflpp_qemu_driver.c │ └── aflpp_qemu_driver_hook.c ├── analysis_scripts │ └── queue2csv.sh ├── argv_fuzzing │ ├── Makefile │ ├── README.md │ ├── argv-fuzz-inl.h │ └── argvfuzz.c ├── asan_cgroups │ └── limit_memory.sh ├── autodict_ql │ ├── autodict-ql.py │ ├── build-codeql.sh │ ├── litan.py │ ├── litool.ql │ ├── memcmp-str.ql │ ├── memcmp-strings.py │ ├── qlpack.yml │ ├── readme.md │ ├── stan-strings.py │ ├── strcmp-str.ql │ ├── strcmp-strings.py │ ├── strncmp-str.ql │ ├── strncmp-strings.py │ └── strtool.ql ├── bash_shellshock │ └── shellshock-fuzz.diff ├── canvas_harness │ └── canvas_harness.html ├── clang_asm_normalize │ └── as ├── crash_triage │ └── triage_crashes.sh ├── defork │ ├── Makefile │ ├── README.md │ ├── defork.c │ └── forking_target.c ├── distributed_fuzzing │ └── sync_script.sh ├── libdislocator │ ├── Makefile │ ├── README.md │ └── libdislocator.so.c ├── libpng_no_checksum │ └── libpng-nocrc.patch ├── libtokencap │ ├── Makefile │ ├── README.md │ └── libtokencap.so.c ├── optimin │ ├── .gitignore │ ├── CMakeLists.txt │ ├── EVALMAXSAT_VERSION │ ├── README.md │ ├── build_optimin.sh │ └── src │ │ ├── CMakeLists.txt │ │ └── OptiMin.cpp ├── persistent_mode │ ├── Makefile │ ├── persistent_demo.c │ ├── persistent_demo_new.c │ └── test-instr.c ├── plot_ui │ ├── Makefile │ ├── README.md │ └── afl-plot-ui.c ├── qbdi_mode │ ├── README.md │ ├── assets │ │ └── screen1.png │ ├── build.sh │ ├── demo-so.c │ └── template.cpp ├── qemu_persistent_hook │ ├── Makefile │ ├── README.md │ ├── read_into_rdi.c │ └── test.c └── socket_fuzzing │ ├── Makefile │ ├── README.md │ └── socketfuzz.c ├── valid_cgi_crash.py └── xml ├── 2sum └── parameters.xml ├── aeon-0.2a └── parameters.xml ├── bento4 ├── mp42hls │ └── parameters.xml ├── mp4dump │ └── parameters.xml └── mp4info │ └── parameters.xml ├── binutils ├── nm_parameters_cheng.xml ├── objcopy2_parameters_cheng.xml └── objdump_parameters_cheng.xml ├── exiv2 ├── parameters.xml └── parameters_init.xml ├── imagemagick └── imagemagick.xml └── libjpeg-turbo ├── djpeg_parameters_cheng.xml └── jpegtran_parameters_cheng.xml /.dockerignore: -------------------------------------------------------------------------------- 1 | .test 2 | .test2 3 | .sync_tmp 4 | *.o 5 | *.so 6 | *.pyc 7 | *.dSYM 8 | as 9 | ld 10 | in 11 | out 12 | core* 13 | afl-analyze 14 | afl-as 15 | afl-clang 16 | afl-clang\+\+ 17 | afl-clang-fast 18 | afl-clang-fast\+\+ 19 | afl-clang-lto 20 | afl-clang-lto\+\+ 21 | afl-fuzz 22 | afl-g\+\+ 23 | afl-gcc 24 | afl-gcc-fast 25 | afl-g\+\+-fast 26 | afl-gotcpu 27 | afl-ld 28 | afl-ld-lto 29 | afl-qemu-trace 30 | afl-showmap 31 | afl-tmin 32 | afl-analyze.8 33 | afl-as.8 34 | afl-clang-fast\+\+.8 35 | afl-clang-fast.8 36 | afl-clang-lto.8 37 | afl-clang-lto\+\+.8 38 | afl-cmin.8 39 | afl-cmin.bash.8 40 | afl-fuzz.8 41 | afl-gcc.8 42 | afl-gcc-fast.8 43 | afl-g\+\+-fast.8 44 | afl-gotcpu.8 45 | afl-plot.8 46 | afl-showmap.8 47 | afl-system-config.8 48 | afl-tmin.8 49 | afl-whatsup.8 50 | qemu_mode/libcompcov/compcovtest 51 | qemu_mode/qemu-* 52 | unicorn_mode/samples/*/\.test-* 53 | unicorn_mode/samples/*/output 54 | unicorn_mode/unicornafl 55 | test/unittests/unit_maybe_alloc 56 | test/unittests/unit_preallocable 57 | test/unittests/unit_list 58 | test/unittests/unit_rand 59 | test/unittests/unit_hash 60 | examples/afl_network_proxy/afl-network-server 61 | examples/afl_network_proxy/afl-network-client 62 | examples/afl_frida/afl-frida 63 | examples/afl_frida/libtestinstr.so 64 | examples/afl_frida/frida-gum-example.c 65 | examples/afl_frida/frida-gum.h -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] 4 | github: AFLplusplus 5 | patreon: # Replace with a single Patreon username 6 | open_collective: AFLplusplusEU 7 | ko_fi: # Replace with a single Ko-fi username 8 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel 9 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry 10 | liberapay: # Replace with a single Liberapay username 11 | issuehunt: # Replace with a single IssueHunt username 12 | otechie: # Replace with a single Otechie username 13 | custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2'] 14 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **IMPORTANT** 11 | 1. You have verified that the issue to be present in the current `dev` branch. 12 | 2. Please supply the command line options and relevant environment variables, 13 | e.g., a copy-paste of the contents of `out/default/fuzzer_setup`. 14 | 15 | Thank you for making AFL++ better! 16 | 17 | **Describe the bug** 18 | A clear and concise description of what the bug is. 19 | 20 | **To Reproduce** 21 | Steps to reproduce the behavior: 22 | 1. ... 23 | 2. ... 24 | 25 | **Expected behavior** 26 | A clear and concise description of what you expected to happen. 27 | 28 | **Screen output/Screenshots** 29 | If applicable, add copy-paste of the screen output or screenshot that shows the issue. Please ensure the output is in **English** and not in Chinese, Russian, German, etc. 30 | 31 | **Additional context** 32 | Add any other context about the problem here. 33 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /.github/workflows/build_aflplusplus_docker.yaml: -------------------------------------------------------------------------------- 1 | name: Publish Docker Images 2 | 3 | on: 4 | push: 5 | branches: [ stable ] 6 | # paths: 7 | # - Dockerfile 8 | 9 | jobs: 10 | push_to_registry: 11 | name: Push Docker images to Dockerhub 12 | runs-on: ubuntu-latest 13 | steps: 14 | - uses: actions/checkout@master 15 | - name: Login to Dockerhub 16 | uses: docker/login-action@v1 17 | with: 18 | username: ${{ secrets.DOCKER_USERNAME }} 19 | password: ${{ secrets.DOCKER_TOKEN }} 20 | - name: Publish aflpp to Registry 21 | uses: docker/build-push-action@v2 22 | with: 23 | context: . 24 | push: true 25 | tags: aflplusplus/aflplusplus:latest 26 | -------------------------------------------------------------------------------- /.github/workflows/codeql-analysis.yml: -------------------------------------------------------------------------------- 1 | name: "CodeQL" 2 | 3 | on: 4 | push: 5 | branches: [ stable, dev ] 6 | pull_request: 7 | branches: [ stable, dev ] 8 | 9 | jobs: 10 | analyze: 11 | name: Analyze 12 | runs-on: ubuntu-latest 13 | 14 | strategy: 15 | fail-fast: false 16 | matrix: 17 | language: [ 'cpp' ] 18 | 19 | steps: 20 | - name: Checkout repository 21 | uses: actions/checkout@v2 22 | 23 | - name: Initialize CodeQL 24 | uses: github/codeql-action/init@v1 25 | with: 26 | languages: ${{ matrix.language }} 27 | 28 | - name: Autobuild 29 | uses: github/codeql-action/autobuild@v1 30 | 31 | - name: Perform CodeQL Analysis 32 | uses: github/codeql-action/analyze@v1 33 | -------------------------------------------------------------------------------- /.github/workflows/rust_custom_mutator.yml: -------------------------------------------------------------------------------- 1 | name: Rust Custom Mutators 2 | 3 | on: 4 | push: 5 | branches: [ stable, dev ] 6 | pull_request: 7 | branches: [ stable, dev ] 8 | 9 | jobs: 10 | test: 11 | name: Test Rust Custom Mutator Support 12 | runs-on: '${{ matrix.os }}' 13 | defaults: 14 | run: 15 | working-directory: custom_mutators/rust 16 | strategy: 17 | matrix: 18 | os: [ubuntu-20.04] 19 | steps: 20 | - uses: actions/checkout@v2 21 | - name: Install Rust Toolchain 22 | uses: actions-rs/toolchain@v1 23 | with: 24 | toolchain: stable 25 | - name: Check Code Compiles 26 | run: cargo check 27 | - name: Run General Tests 28 | run: cargo test 29 | - name: Run Tests for afl_internals feature flag 30 | run: cd custom_mutator && cargo test --features=afl_internals -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "unicorn_mode/unicornafl"] 2 | path = unicorn_mode/unicornafl 3 | url = https://github.com/AFLplusplus/unicornafl 4 | [submodule "custom_mutators/grammar_mutator"] 5 | path = custom_mutators/grammar_mutator/grammar_mutator 6 | url = https://github.com/AFLplusplus/Grammar-Mutator 7 | [submodule "qemu_mode/qemuafl"] 8 | path = qemu_mode/qemuafl 9 | url = https://github.com/AFLplusplus/qemuafl 10 | [submodule "custom_mutators/gramatron/json-c"] 11 | path = custom_mutators/gramatron/json-c 12 | url = https://github.com/json-c/json-c 13 | [submodule "utils/optimin/EvalMaxSAT"] 14 | path = utils/optimin/EvalMaxSAT 15 | url = https://github.com/FlorentAvellaneda/EvalMaxSAT 16 | [submodule "coresight_mode/patchelf"] 17 | path = coresight_mode/patchelf 18 | url = https://github.com/NixOS/patchelf.git 19 | [submodule "coresight_mode/coresight-trace"] 20 | path = coresight_mode/coresight-trace 21 | url = https://github.com/RICSecLab/coresight-trace.git 22 | [submodule "nyx_mode/libnyx"] 23 | path = nyx_mode/libnyx 24 | url = https://github.com/nyx-fuzz/libnyx.git 25 | [submodule "nyx_mode/QEMU-Nyx"] 26 | path = nyx_mode/QEMU-Nyx 27 | url = https://github.com/nyx-fuzz/qemu-nyx.git 28 | [submodule "nyx_mode/packer"] 29 | path = nyx_mode/packer 30 | url = https://github.com/nyx-fuzz/packer.git 31 | -------------------------------------------------------------------------------- /Changelog.md: -------------------------------------------------------------------------------- 1 | docs/Changelog.md -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | source-only: 6 | @gmake source-only 7 | 8 | binary-only: 9 | @gmake binary-only 10 | 11 | distrib: 12 | @gmake distrib 13 | 14 | man: 15 | @gmake man 16 | 17 | install: 18 | @gmake install 19 | 20 | document: 21 | @gmake document 22 | 23 | deepclean: 24 | @gmake deepclean 25 | 26 | code-format: 27 | @gmake code-format 28 | 29 | help: 30 | @gmake help 31 | 32 | tests: 33 | @gmake tests 34 | 35 | unit: 36 | @gmake unit 37 | 38 | unit_clean: 39 | @gmake unit_clean 40 | 41 | clean: 42 | @gmake clean 43 | -------------------------------------------------------------------------------- /TODO.md: -------------------------------------------------------------------------------- 1 | # TODO list for AFL++ 2 | 3 | ## Should 4 | 5 | - better autodetection of shifting runtime timeout values 6 | - Update afl->pending_not_fuzzed for MOpt 7 | - afl-plot to support multiple plot_data 8 | - parallel builds for source-only targets 9 | - get rid of check_binary, replace with more forkserver communication 10 | 11 | ## Maybe 12 | 13 | - afl_custom_fuzz_splice_optin() 14 | - afl_custom_splice() 15 | - cmdline option from-to range for mutations 16 | 17 | ## Further down the road 18 | 19 | QEMU mode/FRIDA mode: 20 | - non colliding instrumentation 21 | - rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END, 22 | AFL_COMPCOV_LEVEL?) 23 | - add AFL_QEMU_EXITPOINT (maybe multiple?), maybe pointless as there is 24 | persistent mode 25 | 26 | ## Ideas 27 | 28 | - LTO/sancov: write current edge to prev_loc and use that information when 29 | using cmplog or __sanitizer_cov_trace_cmp*. maybe we can deduct by follow up 30 | edge numbers that both following cmp paths have been found and then disable 31 | working on this edge id -> cmplog_intelligence branch 32 | - use cmplog colorization taint result for havoc locations? -------------------------------------------------------------------------------- /config.h: -------------------------------------------------------------------------------- 1 | include/config.h -------------------------------------------------------------------------------- /config/wufuzz.cfg: -------------------------------------------------------------------------------- 1 | [PATH] 2 | target_rootfs_path = /home/wulearn/qiling/examples/rootfs/x8664_linux 3 | target_path = /home/wulearn/Desktop/My-fuzz/test_target/test_env/testtarget 4 | base_folder_path = /home/wulearn/Desktop/wufuzztmp1 5 | xml_file_name = parse_out_decompiler_testtarget.xml 6 | stack_chk_fail_file_name = parse_stack_testtarget.txt 7 | target_main_file_name = parse_main_testtarget.txt 8 | crash_index_name = testtarget_crash_index_info.txt 9 | 10 | fuzz_out_dir_path = /home/wulearn/Desktop/wufuzztmp1/out/default 11 | -------------------------------------------------------------------------------- /coresight_mode/.gitignore: -------------------------------------------------------------------------------- 1 | .local 2 | glibc* 3 | -------------------------------------------------------------------------------- /coresight_mode/Makefile: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env make 2 | # SPDX-License-Identifier: Apache-2.0 3 | # Copyright 2021 Ricerca Security, Inc. All rights reserved. 4 | 5 | all: 6 | @echo trying to use GNU make... 7 | @gmake all || echo please install GNUmake 8 | 9 | build: 10 | @echo trying to use GNU make... 11 | @gmake build || echo please install GNUmake 12 | 13 | patch: 14 | @echo trying to use GNU make... 15 | @gmake patch || echo please install GNUmake 16 | 17 | clean: 18 | @echo trying to use GNU make... 19 | @gmake clean || echo please install GNUmake 20 | 21 | .PHONY: all build patch clean 22 | -------------------------------------------------------------------------------- /custom_mutators/examples/Makefile: -------------------------------------------------------------------------------- 1 | all: libexamplemutator.so 2 | 3 | libexamplemutator.so: 4 | $(CC) $(CFLAGS) -D_FORTIFY_SOURCE=2 -O3 -fPIC -shared -g -I ../../include example.c -o libexamplemutator.so 5 | 6 | clean: 7 | rm -rf libexamplemutator.so 8 | -------------------------------------------------------------------------------- /custom_mutators/examples/common.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | """ 4 | Module containing functions shared between multiple AFL modules 5 | 6 | @author: Christian Holler (:decoder) 7 | 8 | @license: 9 | 10 | This Source Code Form is subject to the terms of the Mozilla Public 11 | License, v. 2.0. If a copy of the MPL was not distributed with this 12 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 13 | 14 | @contact: choller@mozilla.com 15 | """ 16 | 17 | from __future__ import print_function 18 | import random 19 | import os 20 | import re 21 | 22 | 23 | def randel(l): 24 | if not l: 25 | return None 26 | return l[random.randint(0, len(l) - 1)] 27 | 28 | 29 | def randel_pop(l): 30 | if not l: 31 | return None 32 | return l.pop(random.randint(0, len(l) - 1)) 33 | 34 | 35 | def write_exc_example(data, exc): 36 | exc_name = re.sub(r"[^a-zA-Z0-9]", "_", repr(exc)) 37 | 38 | if not os.path.exists(exc_name): 39 | with open(exc_name, "w") as f: 40 | f.write(data) 41 | -------------------------------------------------------------------------------- /custom_mutators/gramatron/JSONC_VERSION: -------------------------------------------------------------------------------- 1 | af8dd4a307e7b837f9fa2959549548ace4afe08b 2 | -------------------------------------------------------------------------------- /custom_mutators/gramatron/preprocess/prep_automaton.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This script creates a FSA describing the input grammar *.g4 4 | 5 | if [ ! "$#" -lt 4 ]; then 6 | echo "Usage: ./prep_pda.sh [stack_limit]" 7 | exit 1 8 | fi 9 | 10 | GRAMMAR_FILE=$1 11 | GRAMMAR_DIR="$(dirname $GRAMMAR_FILE)" 12 | START="$2" 13 | STACK_LIMIT="$3" 14 | 15 | # Get filename 16 | FILE=$(basename -- "$GRAMMAR_FILE") 17 | echo "File:$FILE" 18 | FILENAME="${FILE%.*}" 19 | echo "Name:$FILENAME" 20 | 21 | 22 | # Create the GNF form of the grammar 23 | CMD="python gnf_converter.py --gf $GRAMMAR_FILE --out ${FILENAME}.json --start $START" 24 | $CMD 25 | 26 | # Generate grammar automaton 27 | # Check if user provided a stack limit 28 | if [ -z "${STACK_LIMIT}" ]; then 29 | CMD="python3 construct_automata.py --gf ${FILENAME}.json" 30 | else 31 | CMD="python construct_automata.py --gf ${FILENAME}.json --limit ${STACK_LIMIT}" 32 | fi 33 | echo $CMD 34 | $CMD 35 | 36 | # Move PDA to the source dir of the grammar 37 | echo "Copying ${FILENAME}_automata.json to $GRAMMAR_DIR" 38 | mv "${FILENAME}_automata.json" $GRAMMAR_DIR/ 39 | -------------------------------------------------------------------------------- /custom_mutators/gramatron/test.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include "hashmap.h" 8 | #include "uthash.h" 9 | #include "utarray.h" 10 | 11 | #define INIT_SIZE 100 // Initial size of the dynamic array holding the input 12 | 13 | typedef struct terminal { 14 | 15 | int state; 16 | int trigger_idx; 17 | size_t symbol_len; 18 | char * symbol; 19 | 20 | } terminal; 21 | 22 | typedef struct trigger { 23 | 24 | char * id; 25 | int dest; 26 | char * term; 27 | size_t term_len; 28 | 29 | } trigger; 30 | 31 | typedef struct state { 32 | 33 | int state_name; // Integer State name 34 | int trigger_len; // Number of triggers associated with this state 35 | trigger *ptr; // Pointer to beginning of the list of triggers 36 | 37 | } state; 38 | 39 | typedef struct { 40 | 41 | size_t used; 42 | size_t size; 43 | size_t inputlen; 44 | terminal *start; 45 | 46 | } Array; 47 | 48 | int init_state; 49 | int curr_state; 50 | int final_state; 51 | 52 | state *create_pda(char *); 53 | Array *gen_input(state *, Array *); 54 | void print_repr(Array *, char *); 55 | void initArray(Array *, size_t); 56 | void insertArray(Array *, int, char *, size_t, int); 57 | 58 | -------------------------------------------------------------------------------- /custom_mutators/grammar_mutator/GRAMMAR_VERSION: -------------------------------------------------------------------------------- 1 | 6ca490c 2 | -------------------------------------------------------------------------------- /custom_mutators/grammar_mutator/README.md: -------------------------------------------------------------------------------- 1 | # Grammar-Mutator 2 | 3 | This is just a stub directory that will clone the real grammar mutator 4 | directory. 5 | 6 | Execute `./build_grammar_mutator.sh` to set everything up. 7 | -------------------------------------------------------------------------------- /custom_mutators/honggfuzz/Makefile: -------------------------------------------------------------------------------- 1 | 2 | CFLAGS = -O3 -funroll-loops -fPIC -Wl,-Bsymbolic 3 | 4 | all: honggfuzz-mutator.so 5 | 6 | honggfuzz-mutator.so: honggfuzz.c input.h mangle.c ../../src/afl-performance.c 7 | $(CC) $(CFLAGS) -I../../include -I. -shared -o honggfuzz-mutator.so honggfuzz.c mangle.c ../../src/afl-performance.c 8 | 9 | update: 10 | @# seriously? --unlink is a dud option? sigh ... 11 | rm -f mangle.c mangle.h honggfuzz.h 12 | wget --unlink https://github.com/google/honggfuzz/raw/master/mangle.c 13 | wget --unlink https://github.com/google/honggfuzz/raw/master/mangle.h 14 | wget --unlink https://github.com/google/honggfuzz/raw/master/honggfuzz.h 15 | 16 | clean: 17 | rm -f *.o *~ *.so core 18 | -------------------------------------------------------------------------------- /custom_mutators/honggfuzz/README.md: -------------------------------------------------------------------------------- 1 | # custum mutator: honggfuzz mangle 2 | 3 | this is the honggfuzz mutator in mangle.c as a custom mutator 4 | module for AFL++. It is the original mangle.c, mangle.h and honggfuzz.h 5 | with a lot of mocking around it :-) 6 | 7 | just type `make` to build 8 | 9 | ```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/honggfuzz/honggfuzz-mutator.so afl-fuzz ...``` 10 | 11 | > Original repository: https://github.com/google/honggfuzz 12 | > Source commit: d0fbcb0373c32436b8fb922e6937da93b17291f5 13 | -------------------------------------------------------------------------------- /custom_mutators/honggfuzz/custom_mutator_helpers.h: -------------------------------------------------------------------------------- 1 | #ifndef CUSTOM_MUTATOR_HELPERS 2 | #define CUSTOM_MUTATOR_HELPERS 3 | 4 | #include "config.h" 5 | #include "types.h" 6 | #include "afl-fuzz.h" 7 | #include 8 | 9 | #define INITIAL_GROWTH_SIZE (64) 10 | 11 | /* Use in a struct: creates a name_buf and a name_size variable. */ 12 | #define BUF_VAR(type, name) \ 13 | type * name##_buf; \ 14 | size_t name##_size; 15 | /* this filles in `&structptr->something_buf, &structptr->something_size`. */ 16 | #define BUF_PARAMS(struct, name) \ 17 | (void **)&struct->name##_buf, &struct->name##_size 18 | 19 | #undef INITIAL_GROWTH_SIZE 20 | 21 | #endif 22 | 23 | -------------------------------------------------------------------------------- /custom_mutators/honggfuzz/libhfcommon/common.h: -------------------------------------------------------------------------------- 1 | #ifndef LOG_E 2 | #define LOG_E LOG_F 3 | #endif 4 | -------------------------------------------------------------------------------- /custom_mutators/honggfuzz/libhfcommon/log.h: -------------------------------------------------------------------------------- 1 | common.h -------------------------------------------------------------------------------- /custom_mutators/honggfuzz/libhfcommon/util.h: -------------------------------------------------------------------------------- 1 | common.h -------------------------------------------------------------------------------- /custom_mutators/honggfuzz/mangle.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * honggfuzz - buffer mangling routines 4 | * ----------------------------------------- 5 | * 6 | * Author: Robert Swiecki 7 | * 8 | * Copyright 2010-2018 by Google Inc. All Rights Reserved. 9 | * 10 | * Licensed under the Apache License, Version 2.0 (the "License"); you may 11 | * not use this file except in compliance with the License. You may obtain 12 | * a copy of the License at 13 | * 14 | * http://www.apache.org/licenses/LICENSE-2.0 15 | * 16 | * Unless required by applicable law or agreed to in writing, software 17 | * distributed under the License is distributed on an "AS IS" BASIS, 18 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 19 | * implied. See the License for the specific language governing 20 | * permissions and limitations under the License. 21 | * 22 | */ 23 | 24 | #ifndef _HF_MANGLE_H_ 25 | #define _HF_MANGLE_H_ 26 | 27 | #include "honggfuzz.h" 28 | 29 | extern void mangle_mangleContent(run_t* run, int speed_factor); 30 | 31 | #endif 32 | -------------------------------------------------------------------------------- /custom_mutators/libfuzzer/FuzzerExtFunctions.h: -------------------------------------------------------------------------------- 1 | //===- FuzzerExtFunctions.h - Interface to external functions ---*- C++ -* ===// 2 | // 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 | // See https://llvm.org/LICENSE.txt for license information. 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 | // 7 | //===----------------------------------------------------------------------===// 8 | // Defines an interface to (possibly optional) functions. 9 | //===----------------------------------------------------------------------===// 10 | 11 | #ifndef LLVM_FUZZER_EXT_FUNCTIONS_H 12 | #define LLVM_FUZZER_EXT_FUNCTIONS_H 13 | 14 | #include 15 | #include 16 | 17 | namespace fuzzer { 18 | 19 | struct ExternalFunctions { 20 | // Initialize function pointers. Functions that are not available will be set 21 | // to nullptr. Do not call this constructor before ``main()`` has been 22 | // entered. 23 | ExternalFunctions(); 24 | 25 | #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \ 26 | RETURN_TYPE(*NAME) FUNC_SIG = nullptr 27 | 28 | #include "FuzzerExtFunctions.def" 29 | 30 | #undef EXT_FUNC 31 | }; 32 | } // namespace fuzzer 33 | 34 | #endif 35 | -------------------------------------------------------------------------------- /custom_mutators/libfuzzer/FuzzerFork.h: -------------------------------------------------------------------------------- 1 | //===- FuzzerFork.h - run fuzzing in sub-processes --------------*- C++ -* ===// 2 | // 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 | // See https://llvm.org/LICENSE.txt for license information. 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 | // 7 | //===----------------------------------------------------------------------===// 8 | 9 | #ifndef LLVM_FUZZER_FORK_H 10 | #define LLVM_FUZZER_FORK_H 11 | 12 | #include "FuzzerDefs.h" 13 | #include "FuzzerOptions.h" 14 | #include "FuzzerRandom.h" 15 | 16 | #include 17 | 18 | namespace fuzzer { 19 | void FuzzWithFork(Random &Rand, const FuzzingOptions &Options, 20 | const Vector &Args, 21 | const Vector &CorpusDirs, int NumJobs); 22 | } // namespace fuzzer 23 | 24 | #endif // LLVM_FUZZER_FORK_H 25 | -------------------------------------------------------------------------------- /custom_mutators/libfuzzer/FuzzerMain.cpp: -------------------------------------------------------------------------------- 1 | //===- FuzzerMain.cpp - main() function and flags -------------------------===// 2 | // 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 | // See https://llvm.org/LICENSE.txt for license information. 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 | // 7 | //===----------------------------------------------------------------------===// 8 | // main() and flags. 9 | //===----------------------------------------------------------------------===// 10 | 11 | #include "FuzzerDefs.h" 12 | #include "FuzzerPlatform.h" 13 | 14 | extern "C" { 15 | 16 | // This function should be defined by the user. 17 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); 18 | 19 | } // extern "C" 20 | 21 | ATTRIBUTE_INTERFACE int main(int argc, char **argv) { 22 | 23 | return fuzzer::FuzzerDriver(&argc, &argv, LLVMFuzzerTestOneInput); 24 | 25 | } 26 | 27 | -------------------------------------------------------------------------------- /custom_mutators/libfuzzer/FuzzerRandom.h: -------------------------------------------------------------------------------- 1 | //===- FuzzerRandom.h - Internal header for the Fuzzer ----------*- C++ -* ===// 2 | // 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 | // See https://llvm.org/LICENSE.txt for license information. 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 | // 7 | //===----------------------------------------------------------------------===// 8 | // fuzzer::Random 9 | //===----------------------------------------------------------------------===// 10 | 11 | #ifndef LLVM_FUZZER_RANDOM_H 12 | #define LLVM_FUZZER_RANDOM_H 13 | 14 | #include 15 | 16 | namespace fuzzer { 17 | class Random : public std::minstd_rand { 18 | public: 19 | explicit Random(unsigned int seed) : std::minstd_rand(seed) {} 20 | result_type operator()() { return this->std::minstd_rand::operator()(); } 21 | size_t Rand() { return this->operator()(); } 22 | size_t RandBool() { return Rand() % 2; } 23 | size_t SkewTowardsLast(size_t n) { 24 | size_t T = this->operator()(n * n); 25 | size_t Res = sqrt(T); 26 | return Res; 27 | } 28 | size_t operator()(size_t n) { return n ? Rand() % n : 0; } 29 | intptr_t operator()(intptr_t From, intptr_t To) { 30 | assert(From < To); 31 | intptr_t RangeSize = To - From + 1; 32 | return operator()(RangeSize) + From; 33 | } 34 | }; 35 | 36 | } // namespace fuzzer 37 | 38 | #endif // LLVM_FUZZER_RANDOM_H 39 | -------------------------------------------------------------------------------- /custom_mutators/libfuzzer/FuzzerSHA1.h: -------------------------------------------------------------------------------- 1 | //===- FuzzerSHA1.h - Internal header for the SHA1 utils --------*- C++ -* ===// 2 | // 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 | // See https://llvm.org/LICENSE.txt for license information. 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 | // 7 | //===----------------------------------------------------------------------===// 8 | // SHA1 utils. 9 | //===----------------------------------------------------------------------===// 10 | 11 | #ifndef LLVM_FUZZER_SHA1_H 12 | #define LLVM_FUZZER_SHA1_H 13 | 14 | #include "FuzzerDefs.h" 15 | #include 16 | #include 17 | 18 | namespace fuzzer { 19 | 20 | // Private copy of SHA1 implementation. 21 | static const int kSHA1NumBytes = 20; 22 | 23 | // Computes SHA1 hash of 'Len' bytes in 'Data', writes kSHA1NumBytes to 'Out'. 24 | void ComputeSHA1(const uint8_t *Data, size_t Len, uint8_t *Out); 25 | 26 | std::string Sha1ToString(const uint8_t Sha1[kSHA1NumBytes]); 27 | 28 | std::string Hash(const Unit &U); 29 | 30 | } // namespace fuzzer 31 | 32 | #endif // LLVM_FUZZER_SHA1_H 33 | -------------------------------------------------------------------------------- /custom_mutators/libfuzzer/FuzzerUtilLinux.cpp: -------------------------------------------------------------------------------- 1 | //===- FuzzerUtilLinux.cpp - Misc utils for Linux. ------------------------===// 2 | // 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 | // See https://llvm.org/LICENSE.txt for license information. 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 | // 7 | //===----------------------------------------------------------------------===// 8 | // Misc utils for Linux. 9 | //===----------------------------------------------------------------------===// 10 | #include "FuzzerPlatform.h" 11 | #if LIBFUZZER_LINUX || LIBFUZZER_NETBSD || LIBFUZZER_FREEBSD || \ 12 | LIBFUZZER_OPENBSD || LIBFUZZER_EMSCRIPTEN 13 | #include "FuzzerCommand.h" 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | namespace fuzzer { 21 | 22 | int ExecuteCommand(const Command &Cmd) { 23 | 24 | std::string CmdLine = Cmd.toString(); 25 | int exit_code = system(CmdLine.c_str()); 26 | if (WIFEXITED(exit_code)) return WEXITSTATUS(exit_code); 27 | return exit_code; 28 | 29 | } 30 | 31 | void DiscardOutput(int Fd) { 32 | 33 | FILE *Temp = fopen("/dev/null", "w"); 34 | if (!Temp) return; 35 | dup2(fileno(Temp), Fd); 36 | fclose(Temp); 37 | 38 | } 39 | 40 | } // namespace fuzzer 41 | 42 | #endif 43 | 44 | -------------------------------------------------------------------------------- /custom_mutators/libfuzzer/README.md: -------------------------------------------------------------------------------- 1 | # custum mutator: libfuzzer LLVMFuzzerMutate() 2 | 3 | This uses the libfuzzer LLVMFuzzerMutate() function in llvm 12. 4 | 5 | just type `make` to build 6 | 7 | ```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/libfuzzer/libfuzzer-mutator.so afl-fuzz ...``` 8 | 9 | Note that this is currently a simple implementation and it is missing two features: 10 | * Splicing ("Crossover") 11 | * Dictionary support 12 | 13 | To update the source, all that is needed is that FuzzerDriver.cpp has to receive 14 | 15 | ``` 16 | #include "libfuzzer.inc" 17 | ``` 18 | 19 | before the closing namespace bracket. 20 | 21 | It is also libfuzzer.inc where the configuration of the libfuzzer mutations 22 | are done. 23 | 24 | > Original repository: https://github.com/llvm/llvm-project 25 | > Path: compiler-rt/lib/fuzzer/*.{h|cpp} 26 | > Source commit: df3e903655e2499968fc7af64fb5fa52b2ee79bb -------------------------------------------------------------------------------- /custom_mutators/libfuzzer/libfuzzer.inc: -------------------------------------------------------------------------------- 1 | 2 | 3 | extern "C" ATTRIBUTE_INTERFACE void 4 | LLVMFuzzerMyInit(int (*Callback)(const uint8_t *Data, size_t Size), unsigned int Seed) { 5 | auto *Rand = new Random(Seed); 6 | FuzzingOptions Options; 7 | Options.Verbosity = 3; 8 | Options.MaxLen = 1024000; 9 | Options.LenControl = true; 10 | Options.DoCrossOver = false; 11 | Options.MutateDepth = 6; 12 | Options.UseCounters = false; 13 | Options.UseMemmem = false; 14 | Options.UseCmp = false; 15 | Options.UseValueProfile = false; 16 | Options.Shrink = false; 17 | Options.ReduceInputs = false; 18 | Options.PreferSmall = false; 19 | Options.ReloadIntervalSec = 0; 20 | Options.OnlyASCII = false; 21 | Options.DetectLeaks = false; 22 | Options.PurgeAllocatorIntervalSec = 0; 23 | Options.TraceMalloc = false; 24 | Options.RssLimitMb = 100; 25 | Options.MallocLimitMb = 100; 26 | Options.MaxNumberOfRuns = 0; 27 | Options.ReportSlowUnits = false; 28 | Options.Entropic = false; 29 | 30 | struct EntropicOptions Entropic; 31 | Entropic.Enabled = Options.Entropic; 32 | EF = new ExternalFunctions(); 33 | auto *MD = new MutationDispatcher(*Rand, Options); 34 | auto *Corpus = new InputCorpus(Options.OutputCorpus, Entropic); 35 | auto *F = new Fuzzer(Callback, *Corpus, *MD, Options); 36 | } 37 | -------------------------------------------------------------------------------- /custom_mutators/libprotobuf-mutator-example/Android.bp: -------------------------------------------------------------------------------- 1 | cc_library_shared { 2 | name: "libprotobuf-mutator-example-afl", 3 | vendor_available: true, 4 | host_supported: true, 5 | 6 | cflags: [ 7 | "-g", 8 | "-O0", 9 | "-fPIC", 10 | "-Wall", 11 | "-Wno-unused-parameter", 12 | ], 13 | 14 | srcs: [ 15 | "lpm_aflpp_custom_mutator_input.cc", 16 | "test.proto", 17 | ], 18 | 19 | shared_libs: [ 20 | "libprotobuf-cpp-full", 21 | "libprotobuf-mutator", 22 | ], 23 | } 24 | 25 | cc_binary { 26 | name: "libprotobuf-mutator-vuln", 27 | vendor_available: true, 28 | host_supported: true, 29 | 30 | srcs: [ 31 | "vuln.c", 32 | ], 33 | 34 | cflags: [ 35 | "-Wno-unused-result", 36 | "-Wno-unused-parameter", 37 | ], 38 | } 39 | -------------------------------------------------------------------------------- /custom_mutators/libprotobuf-mutator-example/README.md: -------------------------------------------------------------------------------- 1 | Ported from [https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/5_libprotobuf_aflpp_custom_mutator_input](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/5_libprotobuf_aflpp_custom_mutator_input) 2 | -------------------------------------------------------------------------------- /custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include "test.pb.h" 3 | 4 | class MyMutator : public protobuf_mutator::Mutator { 5 | public: 6 | uint8_t *mutated_out = nullptr; 7 | ~MyMutator() { 8 | delete[] mutated_out; 9 | } 10 | }; 11 | -------------------------------------------------------------------------------- /custom_mutators/libprotobuf-mutator-example/test.proto: -------------------------------------------------------------------------------- 1 | syntax = "proto2"; 2 | 3 | message TEST { 4 | required uint32 a = 1; 5 | required string b = 2; 6 | } 7 | 8 | -------------------------------------------------------------------------------- /custom_mutators/libprotobuf-mutator-example/vuln.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main(int argc, char *argv[]) 8 | { 9 | char str[100]={}; 10 | read(0, str, 100); 11 | int *ptr = NULL; 12 | if( str[0] == '\x02' || str[0] == '\xe8') { 13 | *ptr = 123; 14 | } 15 | return 0; 16 | } 17 | 18 | -------------------------------------------------------------------------------- /custom_mutators/radamsa/GNUmakefile: -------------------------------------------------------------------------------- 1 | CUR_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) 2 | 3 | all: radamsa-mutator.so 4 | 5 | # These can be overriden: 6 | CFLAGS ?= $(CFLAGS_FLTO) 7 | 8 | # These are required: (otherwise radamsa gets very very slooooow) 9 | CFLAGS += -O3 -funroll-loops 10 | 11 | #libradamsa.so: libradamsa.a 12 | # $(CC) $(CFLAGS) -shared libradamsa.a -o libradamsa.so 13 | 14 | libradamsa.a: libradamsa.c radamsa.h 15 | @echo " ***************************************************************" 16 | @echo " * Compiling libradamsa, wait some minutes (~3 on modern CPUs) *" 17 | @echo " ***************************************************************" 18 | $(CC) -fPIC $(CFLAGS) $(CPPFLAGS) -I $(CUR_DIR) -o libradamsa.a -c libradamsa.c 19 | 20 | radamsa-mutator.so: radamsa-mutator.c libradamsa.a 21 | $(CC) $(CFLAGS) $(CPPFLAGS) -g -I. -I../../include -shared -fPIC -c radamsa-mutator.c 22 | $(CC) $(CFLAGS) $(CPPFLAGS) -shared -fPIC -o radamsa-mutator.so radamsa-mutator.o libradamsa.a 23 | 24 | test: libradamsa.a libradamsa-test.c 25 | $(CC) $(CFLAGS) $(CPPFLAGS) -I $(CUR_DIR) -o libradamsa-test libradamsa-test.c libradamsa.a 26 | ./libradamsa-test libradamsa-test.c | grep "library test passed" 27 | rm /tmp/libradamsa-*.fuzz 28 | 29 | clean: 30 | rm -f radamsa-mutator.so libradamsa.a libradamsa-test *.o *~ core 31 | -------------------------------------------------------------------------------- /custom_mutators/radamsa/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2013 Aki Helin 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy 4 | of this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights 6 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | copies of the Software, and to permit persons to whom the Software is 8 | furnished to do so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in 11 | all copies or substantial portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 19 | THE SOFTWARE. 20 | -------------------------------------------------------------------------------- /custom_mutators/radamsa/README.md: -------------------------------------------------------------------------------- 1 | # custum mutator: libradamsa 2 | 3 | Pretranslated radamsa library. This code belongs to the radamsa author. 4 | 5 | > Original repository: https://gitlab.com/akihe/radamsa 6 | 7 | > Source commit: 7b2cc2d0 8 | 9 | > The code here is adapted for AFL++ with minor changes respect the original version 10 | -------------------------------------------------------------------------------- /custom_mutators/radamsa/custom_mutator_helpers.h: -------------------------------------------------------------------------------- 1 | ../examples/custom_mutator_helpers.h -------------------------------------------------------------------------------- /custom_mutators/radamsa/radamsa.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | void radamsa_init(void); 5 | 6 | size_t radamsa(uint8_t *ptr, size_t len, uint8_t *target, size_t max, 7 | unsigned int seed); 8 | 9 | size_t radamsa_inplace(uint8_t *ptr, size_t len, size_t max, unsigned int seed); 10 | 11 | -------------------------------------------------------------------------------- /custom_mutators/rust/.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | /target/ 4 | 5 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 6 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 7 | Cargo.lock 8 | 9 | # These are backup files generated by rustfmt 10 | **/*.rs.bk 11 | -------------------------------------------------------------------------------- /custom_mutators/rust/Cargo.toml: -------------------------------------------------------------------------------- 1 | [workspace] 2 | members = [ 3 | "custom_mutator-sys", 4 | "custom_mutator", 5 | "example", 6 | # Lain needs a nightly toolchain 7 | # "example_lain", 8 | ] -------------------------------------------------------------------------------- /custom_mutators/rust/README.md: -------------------------------------------------------------------------------- 1 | # Rust Custom Mutators 2 | 3 | Bindings to create custom mutators in Rust. 4 | 5 | These bindings are documented with rustdoc. To view the documentation run 6 | ```cargo doc -p custom_mutator --open```. 7 | 8 | A minimal example can be found in `example`. Build it using `cargo build --example example_mutator`. 9 | 10 | An example using [lain](https://github.com/microsoft/lain) for structured fuzzing can be found in `example_lain`. 11 | Since lain requires a nightly rust toolchain, you need to set one up before you can play with it. 12 | -------------------------------------------------------------------------------- /custom_mutators/rust/custom_mutator-sys/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "custom_mutator-sys" 3 | version = "0.1.0" 4 | authors = ["Julius Hohnerlein "] 5 | edition = "2018" 6 | 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 8 | 9 | [dependencies] 10 | 11 | [build-dependencies] 12 | bindgen = "0.56" 13 | -------------------------------------------------------------------------------- /custom_mutators/rust/custom_mutator-sys/src/lib.rs: -------------------------------------------------------------------------------- 1 | #![allow(non_upper_case_globals)] 2 | #![allow(non_camel_case_types)] 3 | #![allow(non_snake_case)] 4 | 5 | include!(concat!(env!("OUT_DIR"), "/bindings.rs")); 6 | -------------------------------------------------------------------------------- /custom_mutators/rust/custom_mutator-sys/wrapper.h: -------------------------------------------------------------------------------- 1 | #include "../../../include/afl-fuzz.h" 2 | #include "../../../include/common.h" 3 | #include "../../../include/config.h" 4 | #include "../../../include/debug.h" 5 | -------------------------------------------------------------------------------- /custom_mutators/rust/custom_mutator/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "custom_mutator" 3 | version = "0.1.0" 4 | authors = ["Julius Hohnerlein "] 5 | edition = "2018" 6 | 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 8 | 9 | [features] 10 | afl_internals = ["custom_mutator-sys"] 11 | 12 | [dependencies] 13 | custom_mutator-sys = { path = "../custom_mutator-sys", optional=true } 14 | -------------------------------------------------------------------------------- /custom_mutators/rust/example/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "example_mutator" 3 | version = "0.1.0" 4 | authors = ["Julius Hohnerlein "] 5 | edition = "2018" 6 | 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 8 | 9 | [dependencies] 10 | custom_mutator = { path = "../custom_mutator" } 11 | 12 | [[example]] 13 | name = "example_mutator" 14 | path = "./src/example_mutator.rs" 15 | crate-type = ["cdylib"] -------------------------------------------------------------------------------- /custom_mutators/rust/example/src/example_mutator.rs: -------------------------------------------------------------------------------- 1 | #![cfg(unix)] 2 | #![allow(unused_variables)] 3 | 4 | use custom_mutator::{export_mutator, CustomMutator}; 5 | 6 | struct ExampleMutator; 7 | 8 | impl CustomMutator for ExampleMutator { 9 | type Error = (); 10 | 11 | fn init(seed: u32) -> Result { 12 | Ok(Self) 13 | } 14 | 15 | fn fuzz<'b, 's: 'b>( 16 | &'s mut self, 17 | buffer: &'b mut [u8], 18 | add_buff: Option<&[u8]>, 19 | max_size: usize, 20 | ) -> Result, Self::Error> { 21 | buffer.reverse(); 22 | Ok(Some(buffer)) 23 | } 24 | } 25 | 26 | struct OwnBufferExampleMutator { 27 | own_buffer: Vec, 28 | } 29 | 30 | impl CustomMutator for OwnBufferExampleMutator { 31 | type Error = (); 32 | 33 | fn init(seed: u32) -> Result { 34 | Ok(Self { 35 | own_buffer: Vec::new(), 36 | }) 37 | } 38 | 39 | fn fuzz<'b, 's: 'b>( 40 | &'s mut self, 41 | buffer: &'b mut [u8], 42 | add_buff: Option<&[u8]>, 43 | max_size: usize, 44 | ) -> Result, ()> { 45 | self.own_buffer.reverse(); 46 | Ok(Some(self.own_buffer.as_slice())) 47 | } 48 | } 49 | 50 | export_mutator!(ExampleMutator); 51 | -------------------------------------------------------------------------------- /custom_mutators/rust/example_lain/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "example_lain" 3 | version = "0.1.0" 4 | authors = ["Julius Hohnerlein "] 5 | edition = "2018" 6 | 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 8 | 9 | [dependencies] 10 | custom_mutator = { path = "../custom_mutator" } 11 | lain="0.5" 12 | 13 | [[example]] 14 | name = "example_lain" 15 | path = "./src/lain_mutator.rs" 16 | crate-type = ["cdylib"] -------------------------------------------------------------------------------- /custom_mutators/rust/example_lain/rust-toolchain: -------------------------------------------------------------------------------- 1 | nightly -------------------------------------------------------------------------------- /custom_mutators/symcc/Makefile: -------------------------------------------------------------------------------- 1 | 2 | ifdef DEBUG 3 | CFLAGS += -DDEBUG 4 | endif 5 | 6 | all: symcc-mutator.so 7 | 8 | CFLAGS += -O3 -funroll-loops 9 | 10 | symcc-mutator.so: symcc.c 11 | $(CC) $(CFLAGS) $(CPPFLAGS) -g -I../../include -shared -fPIC -o symcc-mutator.so symcc.c 12 | 13 | clean: 14 | rm -f symcc-mutator.so *.o *~ core 15 | -------------------------------------------------------------------------------- /custom_mutators/symcc/README.md: -------------------------------------------------------------------------------- 1 | # custum mutator: symcc 2 | 3 | This uses the excellent symcc to find new paths into the target. 4 | 5 | To use this custom mutator follow the steps in the symcc repository 6 | [https://github.com/eurecom-s3/symcc/](https://github.com/eurecom-s3/symcc/) 7 | on how to build symcc and how to instrument a target binary (the same target 8 | that you are fuzzing). 9 | 10 | The target program compiled with symcc has to be pointed to with the 11 | `SYMCC_TARGET` environment variable. 12 | 13 | just type `make` to build this custom mutator. 14 | 15 | ```SYMCC_TARGET=/prg/to/symcc/compiled/target AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/symcc/symcc-mutator.so afl-fuzz ...``` 16 | -------------------------------------------------------------------------------- /custom_mutators/symcc/test_examples/file_test.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main(int argc, char **argv) { 8 | 9 | if (argc < 2) { 10 | 11 | printf("Need a file argument\n"); 12 | return 1; 13 | 14 | } 15 | 16 | int fd = open(argv[1], O_RDONLY); 17 | if (fd < 0) { 18 | 19 | printf("Couldn't open file\n"); 20 | return 1; 21 | 22 | } 23 | 24 | uint32_t value = 0; 25 | 26 | read(fd, &value, sizeof(value)); 27 | close(fd); 28 | 29 | value = value ^ 0xffffffff; 30 | if (value == 0x11223344) printf("Value one\n"); 31 | if (value == 0x44332211) printf("Value two\n"); 32 | if (value != 0x0) printf("Not zero\n"); 33 | return 0; 34 | 35 | } 36 | 37 | -------------------------------------------------------------------------------- /custom_mutators/symcc/test_examples/stdin_test.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int main(int argc, char **argv) { 7 | 8 | char input_buffer[16]; 9 | uint32_t comparisonValue; 10 | size_t bytesRead; 11 | bytesRead = read(STDIN_FILENO, input_buffer, sizeof(input_buffer)); 12 | if (bytesRead < 0) exit(-1); 13 | comparisonValue = *(uint32_t *)input_buffer; 14 | comparisonValue = comparisonValue ^ 0xff112233; 15 | if (comparisonValue == 0x66554493) { 16 | 17 | printf("First value\n"); 18 | 19 | } else { 20 | 21 | if (comparisonValue == 0x84444415) printf("Second value\n"); 22 | 23 | } 24 | 25 | return 0; 26 | 27 | } 28 | 29 | -------------------------------------------------------------------------------- /dictionaries/aff.dict: -------------------------------------------------------------------------------- 1 | # https://www.systutorials.com/docs/linux/man/4-hunspell/ 2 | 3 | # Affix keywords 4 | "AF" 5 | "AM" 6 | "BREAK" 7 | "CHECKCOMPOUNDCASE" 8 | "CHECKCOMPOUNDDUP" 9 | "CHECKCOMPOUNDPATTERN" 10 | "CHECKCOMPOUNDREP" 11 | "CHECKCOMPOUNDTRIPLE" 12 | "COMPLEXPREFIXES" 13 | "COMPOUNDBEGIN" 14 | "COMPOUNDFLAG" 15 | "COMPOUNDFORBIDFLAG" 16 | "COMPOUNDLAST" 17 | "COMPOUNDMIDDLE" 18 | "COMPOUNDMIN" 19 | "COMPOUNDPERMITFLAG" 20 | "COMPOUNDROOT" 21 | "COMPOUNDRULE" 22 | "COMPOUNDSYLLABLE" 23 | "COMPOUNDWORDMAX" 24 | "FLAG" 25 | "FORBIDWARN" 26 | "FORCEUCASE" 27 | "IGNORE" 28 | "KEY" 29 | "LANG" 30 | "MAP" 31 | "MAXCODSUGS" 32 | "MAXDIFF" 33 | "MAXNGRAMSUGS" 34 | "NOSPLITSUGS" 35 | "NOSUGGEST" 36 | "ONLYINCOMPOUND" 37 | "ONLYMAXDIFF" 38 | "PFX" 39 | "PHONE" 40 | "REP" 41 | "SET" 42 | "SFX" 43 | "SIMPLIFIEDTRIPLE" 44 | "SUGWITHDOTS" 45 | "SYLLABLENUM" 46 | "TRY" 47 | "WARN" 48 | "CIRCUMFIX" 49 | "FORBIDDENWORD" 50 | "FULLSTRIP" 51 | "KEEPCASE" 52 | "ICONV" 53 | "OCONV" 54 | "LEMMA_PRESENT" 55 | "NEEDAFFIX" 56 | "PSEUDOROOT" 57 | "SUBSTANDARD" 58 | "WORDCHARS" 59 | "CHECKSHARPS" 60 | 61 | # Optional data fields 62 | "ph:" 63 | "st:" 64 | "al:" 65 | "po:" 66 | "ds:" 67 | "is:" 68 | "ts:" 69 | "sp:" 70 | "pa:" 71 | "dp:" 72 | "ip:" 73 | "tp:" 74 | -------------------------------------------------------------------------------- /dictionaries/atom.dict: -------------------------------------------------------------------------------- 1 | # https://validator.w3.org/feed/docs/atom.html 2 | # https://tools.ietf.org/html/rfc4287 3 | 4 | "" 5 | "" 6 | 7 | "" 8 | "" 9 | "" 10 | "" 11 | "" 12 | "" 13 | "" 14 | "" 15 | "" 16 | "" 17 | "" 18 | "" 19 | "" 20 | "" 21 | "" 22 | " 23 | "" 24 | "" 25 | "" 26 | "" 27 | "" 28 | "" 29 | "" 30 | "" 31 | "" 32 | "<updated>" 33 | "<uri>" 34 | -------------------------------------------------------------------------------- /dictionaries/av1_dc.dict: -------------------------------------------------------------------------------- 1 | # IVF Signature + version (bytes 0-5) 2 | kw1="DKIF\x00\x00" 3 | 4 | # AV1 codec fourCC (bytes 8-11) 5 | kw2="AV01" 6 | -------------------------------------------------------------------------------- /dictionaries/bdf.dict: -------------------------------------------------------------------------------- 1 | # https://en.wikipedia.org/wiki/Glyph_Bitmap_Distribution_Format 2 | # https://www.adobe.com/content/dam/acom/en/devnet/font/pdfs/5005.BDF_Spec.pdf 3 | 4 | "STARTFONT" 5 | "COMMENT" 6 | "CONTENTVERSION" 7 | "FONT" 8 | "SIZE" 9 | "FONTBOUNDINGBOX" 10 | "METRICSSET" 11 | "SWIDTH" 12 | "DWIDTH" 13 | "SWIDTH1" 14 | "DWIDTH1" 15 | "VVECTOR" 16 | "STARTPROPERTIES" 17 | "ENDPROPERTIES" 18 | "CHARS" 19 | "STARTCHAR" 20 | "ENCODING" 21 | "BBX" 22 | "BITMAP" 23 | "ENDCHAR" 24 | "ENDFONT" 25 | 26 | # misc 27 | "255" 28 | "-1" 29 | "0" 30 | "2.1" 31 | -------------------------------------------------------------------------------- /dictionaries/bmp.dict: -------------------------------------------------------------------------------- 1 | windows="BM" 2 | os2_bitmap="BA" 3 | os2_icon="CI" 4 | os2_pointer="CP" 5 | os2_struct="IC" 6 | os2_ptr="PT" 7 | windows_color_space="Win " 8 | srgb="sRGB" 9 | link="LINK" 10 | mbed="MBED" 11 | -------------------------------------------------------------------------------- /dictionaries/bz2.dict: -------------------------------------------------------------------------------- 1 | magic="BZ" 2 | compress_magic="\x31\x41\x59\x26\x53\x59" 3 | eos_magic="\x17\x72\x45\x38\x50\x90" 4 | -------------------------------------------------------------------------------- /dictionaries/creole.dict: -------------------------------------------------------------------------------- 1 | # http://www.wikicreole.org/wiki/Creole1.0 2 | 3 | bold="**" 4 | italic="//" 5 | heading="==" 6 | link1="[[a|b]]" 7 | link2="[[a:b]]" 8 | hr="----" 9 | img=" {{a|b}}" 10 | table_heading="|=a |=b |" 11 | raw="{{{a}}}" 12 | escape="~" 13 | placeholder="<<<x>>>" 14 | line_break="\\\\" 15 | -------------------------------------------------------------------------------- /dictionaries/csv.dict: -------------------------------------------------------------------------------- 1 | "\x00" 2 | "\r\n" 3 | ";;" 4 | ",," 5 | "\t;" 6 | "\n;" 7 | -------------------------------------------------------------------------------- /dictionaries/dds.dict: -------------------------------------------------------------------------------- 1 | # See http://www.mindcontrol.org/~hplus/graphics/dds-info/ 2 | 3 | magic="\x20\x53\x44\x44" 4 | 5 | # Headers 6 | "\x00\x00\x00\x01" 7 | "\x00\x00\x00\x02" 8 | "\x00\x00\x00\x04" 9 | "\x00\x00\x00\x08" 10 | "\x00\x00\x10\x00" 11 | "\x00\x02\x00\x00" 12 | "\x00\x08\x00\x00" 13 | "\x00\x80\x00\x00" 14 | "\x00\x00\x00\x01" 15 | "\x00\x00\x00\x04" 16 | "\x00\x00\x00\x20" 17 | "\x00\x00\x00\x40" 18 | "\x00\x00\x00\x08" 19 | "\x00\x00\x10\x00" 20 | "\x00\x40\x00\x00" 21 | "\x00\x00\x02\x00" 22 | "\x00\x00\x04\x00" 23 | "\x00\x00\x08\x00" 24 | "\x00\x00\x10\x00" 25 | "\x00\x00\x20\x00" 26 | "\x00\x00\x40\x00" 27 | "\x00\x00\x80\x00" 28 | "\x00\x20\x00\x00" 29 | 30 | #formats 31 | "1TXD" 32 | "2TXD" 33 | "3TXD" 34 | "4TXD" 35 | "5TXD" 36 | -------------------------------------------------------------------------------- /dictionaries/djvu.dict: -------------------------------------------------------------------------------- 1 | "ANTa" 2 | "ANTz" 3 | "BG2k" 4 | "BG44" 5 | "BGjp" 6 | "BM44" 7 | "CELX" 8 | "DIRM" 9 | "DJVI" 10 | "DJVM" 11 | "DJVU" 12 | "Djbz" 13 | "FAKE" 14 | "FG2k" 15 | "FG44" 16 | "FGbz" 17 | "FGjp" 18 | "FORM" 19 | "INCL" 20 | "INFO" 21 | "LINK" 22 | "METa" 23 | "METz" 24 | "NAVM" 25 | "NDIR" 26 | "PM44" 27 | "SINF" 28 | "Sjbz" 29 | "Smmr" 30 | "TH44" 31 | "THUM" 32 | "TXTa" 33 | "TXTz" 34 | "WMRM" 35 | -------------------------------------------------------------------------------- /dictionaries/fbs.dict: -------------------------------------------------------------------------------- 1 | # spec: https://google.github.io/flatbuffers/flatbuffers_grammar.html 2 | 3 | attribute="attribute" 4 | bool="bool" 5 | byte="byte" 6 | double="double" 7 | enum="enum" 8 | false="false" 9 | file_extension="file_extension" 10 | float32="float32" 11 | float64="float64" 12 | float="float" 13 | include="include" 14 | inf="inf" 15 | infinity="infinity" 16 | int16="int16" 17 | int32="int32" 18 | int64="int64" 19 | int8="int8" 20 | int="int" 21 | long="long" 22 | namespace="namespace" 23 | nan="nan" 24 | root_type="root_type" 25 | root_type="root_type" 26 | rpc_service="rpc_service" 27 | short="short" 28 | string="string" 29 | struct="struct" 30 | table="table" 31 | true="true" 32 | ubyte="ubyte" 33 | uint16="uint16" 34 | uint32="uint32" 35 | uint64="uint64" 36 | uint="uint" 37 | ulong="ulong" 38 | union="union" 39 | ushort="ushort" 40 | 41 | separator=":" 42 | eol=";" 43 | -------------------------------------------------------------------------------- /dictionaries/gif.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for GIF images 3 | # ----------------------------- 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_87a="87a" 9 | header_89a="89a" 10 | header_gif="GIF" 11 | 12 | marker_2c="," 13 | marker_3b=";" 14 | 15 | section_2101="!\x01\x12" 16 | section_21f9="!\xf9\x04" 17 | section_21fe="!\xfe" 18 | section_21ff="!\xff\x11" 19 | -------------------------------------------------------------------------------- /dictionaries/heif.dict: -------------------------------------------------------------------------------- 1 | # https://standards.iso.org/ittf/PubliclyAvailableStandards/c066067_ISO_IEC_23008-12_2017.zip 2 | 3 | "altr" 4 | "auxC" 5 | "auxc" 6 | "auxi" 7 | "auxv" 8 | "avcC" 9 | "avci" 10 | "avcs" 11 | "ccst" 12 | "cdsc" 13 | "clap" 14 | "colr" 15 | "dimg" 16 | "dinf" 17 | "dref" 18 | "elst" 19 | "equi" 20 | "free" 21 | "frma" 22 | "ftyp" 23 | "grid" 24 | "grp1" 25 | "hdlr" 26 | "heic" 27 | "heim" 28 | "heis" 29 | "heix" 30 | "hevc" 31 | "hevx" 32 | "hvc1" 33 | "hvc2" 34 | "hvcC" 35 | "idat" 36 | "iden" 37 | "iinf" 38 | "iloc" 39 | "imir" 40 | "infe" 41 | "iovl" 42 | "ipro" 43 | "iprp" 44 | "iref" 45 | "irot" 46 | "ispe" 47 | "jpeg" 48 | "jpgC" 49 | "jpgs" 50 | "lhv1" 51 | "lhvC" 52 | "lsel" 53 | "mdat" 54 | "meta" 55 | "mif1" 56 | "mime" 57 | "mjpg" 58 | "msf1" 59 | "oinf" 60 | "pasp" 61 | "pict" 62 | "pitm" 63 | "pixi" 64 | "refs" 65 | "rloc" 66 | "schi" 67 | "schm" 68 | "sgpd" 69 | "sinf" 70 | "skip" 71 | "stsz" 72 | "subs" 73 | "thmb" 74 | "tkhd" 75 | "tols" 76 | "trak" 77 | -------------------------------------------------------------------------------- /dictionaries/hoextdown.dict: -------------------------------------------------------------------------------- 1 | asterisk="*" 2 | attr_generic=" a=\"1\"" 3 | attr_href=" href=\"1\"" 4 | attr_xml_lang=" xml:lang=\"1\"" 5 | attr_xmlns=" xmlns=\"1\"" 6 | backslash="\\" 7 | backtick="`" 8 | colon=":" 9 | dashes="---" 10 | double_quote="\"" 11 | entity_builtin="<" 12 | entity_decimal="" 13 | entity_external="&a;" 14 | entity_hex="" 15 | equals="===" 16 | exclamation="!" 17 | greater_than=">" 18 | hash="#" 19 | hyphen="-" 20 | indent=" " 21 | left_bracket="[" 22 | left_paren="(" 23 | less_than="<" 24 | plus="+" 25 | right_bracket="]" 26 | right_paren=")" 27 | single_quote="'" 28 | string_any="ANY" 29 | string_brackets="[]" 30 | string_cdata="CDATA" 31 | string_dashes="--" 32 | string_empty_dblquotes="\"\"" 33 | string_empty_quotes="''" 34 | string_idrefs="IDREFS" 35 | string_parentheses="()" 36 | string_pcdata="#PCDATA" 37 | tag_cdata="<![CDATA[" 38 | tag_close="</a>" 39 | tag_doctype="<!DOCTYPE" 40 | tag_element="<!ELEMENT" 41 | tag_entity="<!ENTITY" 42 | tag_notation="<!NOTATION" 43 | tag_open="<a>" 44 | tag_open_close="<a />" 45 | tag_open_exclamation="<!" 46 | tag_open_q="<?" 47 | tag_sq2_close="]]>" 48 | tag_xml_q="<?xml?>" 49 | underscore="_" 50 | -------------------------------------------------------------------------------- /dictionaries/iccprofile.dict: -------------------------------------------------------------------------------- 1 | # Dict for ICC profiles parsed by skcms. 2 | 3 | "mft1" 4 | "mft2" 5 | "mAB " 6 | "rXYZ" 7 | "gXYZ" 8 | "bXYZ" 9 | "rTRC" 10 | "gTRC" 11 | "bTRC" 12 | "kTRC" 13 | "A2B0" 14 | "curv" 15 | "para" 16 | "mluc" 17 | "XYZ " 18 | "Lab " 19 | "RGB " 20 | "CMYK" 21 | "GRAY" 22 | "mntr" 23 | "scnr" 24 | "prtr" 25 | "spac" 26 | -------------------------------------------------------------------------------- /dictionaries/icns.dict: -------------------------------------------------------------------------------- 1 | # https://en.wikipedia.org/wiki/Apple_Icon_Image_format 2 | 3 | "ICN#" 4 | "ICON" 5 | "TOC " 6 | "h8mk" 7 | "ic04" 8 | "ic05" 9 | "ic07" 10 | "ic08" 11 | "ic09" 12 | "ic10" 13 | "ic11" 14 | "ic12" 15 | "ic13" 16 | "ic14" 17 | "ich#" 18 | "ich4" 19 | "ich8" 20 | "icl4" 21 | "icl8" 22 | "icm#" 23 | "icm4" 24 | "icm8" 25 | "icnV" 26 | "icns" 27 | "icp4" 28 | "icp5" 29 | "icp6" 30 | "ics#" 31 | "ics4" 32 | "ics8" 33 | "icsB" 34 | "icsb" 35 | "ih32" 36 | "il32" 37 | "info" 38 | "is32" 39 | "it32" 40 | "l8mk" 41 | "name" 42 | "s8mk" 43 | "t8mk" 44 | -------------------------------------------------------------------------------- /dictionaries/jpeg.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JPEG images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_jfif="JFIF\x00" 9 | header_jfxx="JFXX\x00" 10 | 11 | section_ffc0="\xff\xc0" 12 | section_ffc2="\xff\xc2" 13 | section_ffc4="\xff\xc4" 14 | section_ffd0="\xff\xd0" 15 | section_ffd8="\xff\xd8" 16 | section_ffd9="\xff\xd9" 17 | section_ffda="\xff\xda" 18 | section_ffdb="\xff\xdb" 19 | section_ffdd="\xff\xdd" 20 | section_ffe0="\xff\xe0" 21 | section_ffe1="\xff\xe1" 22 | section_fffe="\xff\xfe" 23 | -------------------------------------------------------------------------------- /dictionaries/jpeg2000.dict: -------------------------------------------------------------------------------- 1 | type="jP " 2 | ftyp="ftyp" 3 | subtype1="jp2 " 4 | subtype2="jp20" 5 | subtype3="jpm " 6 | subtype4="jpx " 7 | subtype5="jp2h" 8 | subtype6="jpxb" 9 | subtype7="mjp2" 10 | subtype8="mj2s" 11 | subtype9="jp2c" 12 | subtype10="jpch" 13 | subtype11="jplh" 14 | codestream="\xFF\x4F\xFF\x51" 15 | signature="\x0d\x0a\x87\x0a" 16 | tag1="hdr" 17 | tag2="colr" 18 | tag3="url" 19 | tag4="req" 20 | tag5="res" 21 | tag6="page" 22 | tag7="obj" 23 | -------------------------------------------------------------------------------- /dictionaries/json.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JSON 3 | # ----------------------- 4 | # 5 | # Just the very basics. 6 | # 7 | # Inspired by a dictionary by Jakub Wilk <jwilk@jwilk.net> 8 | # 9 | 10 | "0" 11 | ",0" 12 | ":0" 13 | "0:" 14 | "-1.2e+3" 15 | 16 | "true" 17 | "false" 18 | "null" 19 | 20 | "\"\"" 21 | ",\"\"" 22 | ":\"\"" 23 | "\"\":" 24 | 25 | "{}" 26 | ",{}" 27 | ":{}" 28 | "{\"\":0}" 29 | "{{}}" 30 | 31 | "[]" 32 | ",[]" 33 | ":[]" 34 | "[0]" 35 | "[[]]" 36 | 37 | "''" 38 | "\\" 39 | "\\b" 40 | "\\f" 41 | "\\n" 42 | "\\r" 43 | "\\t" 44 | "\\u0000" 45 | "\\x00" 46 | "\\0" 47 | "\\uD800\\uDC00" 48 | "\\uDBFF\\uDFFF" 49 | 50 | "\"\":0" 51 | "//" 52 | "/**/" 53 | 54 | "$ref" 55 | "type" 56 | "coordinates" 57 | "@context" 58 | "@id" 59 | 60 | "," 61 | ":" 62 | -------------------------------------------------------------------------------- /dictionaries/jsonnet.dict: -------------------------------------------------------------------------------- 1 | # https://jsonnet.org/ref/spec.html 2 | 3 | # Keywords 4 | "assert" 5 | "else" 6 | "error" 7 | "false" 8 | "for" 9 | "function" 10 | "if" 11 | "import" 12 | "importstr" 13 | "in" 14 | "local" 15 | "null" 16 | "self" 17 | "super" 18 | "tailstrict" 19 | "then" 20 | "true" 21 | "super" 22 | "local" 23 | 24 | # operators 25 | "|||" 26 | "@\"" 27 | "@'" 28 | "!=" 29 | "==" 30 | "[::]" 31 | "+:::" 32 | 33 | # functions 34 | "std.acos(" 35 | "std.asin(" 36 | "std.atan(" 37 | "std.ceil(" 38 | "std.char(" 39 | "std.codepoint(" 40 | "std.cos(" 41 | "std.equals(" 42 | "std.exp(" 43 | "std.exponent(" 44 | "std.floor(" 45 | "std.join(" 46 | "std.length(" 47 | "std.log(" 48 | "std.makeArray(" 49 | "std.mantissa(" 50 | "std.mod" 51 | "std.modulo(" 52 | "std.objectFiledsEx(" 53 | "std.objectsHasEx(" 54 | "std.pow(" 55 | "std.primitiveEquals(" 56 | "std.sin(" 57 | "std.slice(" 58 | "std.sqrt(" 59 | "std.tan(" 60 | "std.type(" 61 | -------------------------------------------------------------------------------- /dictionaries/markdown.dict: -------------------------------------------------------------------------------- 1 | strike="~~" 2 | list="2." 3 | link="[a](" 4 | link_without_ref="[a][" 5 | image="![b](" 6 | bold="**" 7 | separator="---" 8 | title="# " 9 | fence="```" 10 | link_bottom="[a]:" 11 | link_inline="<http://" 12 | link_bottom_title="[1]: http://a.com" 13 | checklist="- [x" 14 | toc="[TOC]" 15 | highlight_rst=":::python" 16 | 17 | 18 | # GFM - https://github.github.com/gfm/ 19 | "| ---" 20 | leaf1="***" 21 | leaf2="___" 22 | code_hl="```html" 23 | task="- [ ]" 24 | 25 | 26 | # Extended syntax: https://www.markdownguide.org/extended-syntax/ 27 | footnote="[^a]" 28 | title_id="#a {#b}" 29 | -------------------------------------------------------------------------------- /dictionaries/math.dict: -------------------------------------------------------------------------------- 1 | "{" 2 | "}" 3 | "," 4 | "[" 5 | "]" 6 | "," 7 | ":" 8 | "e" 9 | "e+" 10 | "e-" 11 | "E" 12 | "E+" 13 | "E-" 14 | "\"" 15 | "\\" 16 | " " 17 | "null" 18 | "1" 19 | "1.234" 20 | "3e4" 21 | -------------------------------------------------------------------------------- /dictionaries/mysqld.dict: -------------------------------------------------------------------------------- 1 | user="root" 2 | -------------------------------------------------------------------------------- /dictionaries/ogg.dict: -------------------------------------------------------------------------------- 1 | # https://xiph.org/vorbis/doc/Vorbis_I_spec.html 2 | 3 | header="OggS" 4 | 5 | # Codecs 6 | "BBCD\x00" 7 | "\x7fFLAC" 8 | "\x80theora" 9 | "\x01vorbis" 10 | "CELT " 11 | "CMML\x00\x00\x00\x00" 12 | "\x8bJNG\x0d\x0a\x1a\x0a" 13 | "\x80kate\x00\x00\x00" 14 | "OggMIDI\x00" 15 | "\x8aMNG\x0d\x0a\x1a\x0a" 16 | "PCM " 17 | "\x89PNG\x0d\x0a\x1a\x0a" 18 | "Speex " 19 | "YUV4MPEG" 20 | 21 | # Metadata 22 | "TITLE=" 23 | "VERSION=" 24 | "ALBUM=" 25 | "TRACKNUMBER=" 26 | "ARTIST=" 27 | "PERFORMER=" 28 | "COPYRIGHT=" 29 | "LICENSE=" 30 | "ORGANIZATION=" 31 | "DESCRIPTION=" 32 | "GENRE=" 33 | "DATE=" 34 | "LOCATION=" 35 | "CONTACT=" 36 | "ISRC=" 37 | -------------------------------------------------------------------------------- /dictionaries/pbm.dict: -------------------------------------------------------------------------------- 1 | # https://en.wikipedia.org/wiki/Netpbm_format 2 | header1="P1" 3 | header2="P2" 4 | header3="P3" 5 | header4="P4" 6 | header5="P5" 7 | header6="P6" 8 | zero="0" 9 | one="1" 10 | comment="#" 11 | max="255" 12 | overflow="256" 13 | 14 | # PAM - https://en.wikipedia.org/wiki/Netpbm#PAM_graphics_format 15 | header7="P7" 16 | width="WIDTH" 17 | height="HEIGHT" 18 | depth="DEPTH" 19 | maxval="MAXVAL" 20 | enhdr="ENDHDR" 21 | tupltype="TUPLTYPE" 22 | tupltype1="RGB_ALPHA" 23 | tupltype2="RGB" 24 | typltype3="BLACKANDWHITE" 25 | typltype4="BLACKANDWHITE_ALPHA" 26 | typltype5="GRAYSCALE" 27 | typltype6="GRAYSCALE_ALPHA" 28 | maxval_num="65535" 29 | maxval_overlfow="65536" 30 | -------------------------------------------------------------------------------- /dictionaries/pcap.dict: -------------------------------------------------------------------------------- 1 | # https://www.tcpdump.org/pcap/pcap.html 2 | 3 | # Headers 4 | "\xa1\xb2\xc3\xd4" 5 | "\xd4\xc3\xb2\xa1" 6 | "\xa1\xb2\x3c\x4d" 7 | "\x4d\x3c\xb2\xa1" 8 | 9 | 10 | current_version="\x02\x00\x04\x00" 11 | -------------------------------------------------------------------------------- /dictionaries/perl.dict: -------------------------------------------------------------------------------- 1 | 2 | # 3 | # AFL dictionary for fuzzing Perl 4 | # -------------------------------- 5 | # 6 | # Created by @RandomDhiraj 7 | # 8 | 9 | "<:crlf" 10 | "fwrite()" 11 | "fread()" 12 | ":raw:utf8" 13 | ":raw:eol(LF)" 14 | "Perl_invert()" 15 | ":raw:eol(CRLF)" 16 | "Perl_PerlIO_eof()" 17 | -------------------------------------------------------------------------------- /dictionaries/png.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for PNG images 3 | # ----------------------------- 4 | # 5 | # Just the basic, standard-originating sections; does not include vendor 6 | # extensions. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_png="\x89PNG\x0d\x0a\x1a\x0a" 12 | 13 | section_IDAT="IDAT" 14 | section_IEND="IEND" 15 | section_IHDR="IHDR" 16 | section_PLTE="PLTE" 17 | section_bKGD="bKGD" 18 | section_cHRM="cHRM" 19 | section_fRAc="fRAc" 20 | section_gAMA="gAMA" 21 | section_gIFg="gIFg" 22 | section_gIFt="gIFt" 23 | section_gIFx="gIFx" 24 | section_hIST="hIST" 25 | section_iCCP="iCCP" 26 | section_iTXt="iTXt" 27 | section_oFFs="oFFs" 28 | section_pCAL="pCAL" 29 | section_pHYs="pHYs" 30 | section_sBIT="sBIT" 31 | section_sCAL="sCAL" 32 | section_sPLT="sPLT" 33 | section_sRGB="sRGB" 34 | section_sTER="sTER" 35 | section_tEXt="tEXt" 36 | section_tIME="tIME" 37 | section_tRNS="tRNS" 38 | section_zTXt="zTXt" 39 | -------------------------------------------------------------------------------- /dictionaries/protobuf.dict: -------------------------------------------------------------------------------- 1 | # Keywords taken from https://developers.google.com/protocol-buffers/docs/reference/proto2-spec 2 | 3 | bool="bool" 4 | bytes="bytes" 5 | double="double" 6 | enum="enum" 7 | extend="extend" 8 | extension="extension" 9 | false="false" 10 | fixed32="fixed32" 11 | fixed64="fixed64" 12 | float="float" 13 | group="group" 14 | import="import" 15 | inner="inner" 16 | int32="int32" 17 | int64="int64" 18 | map="map<" 19 | message="message" 20 | option="option" 21 | optional="optional" 22 | package="package" 23 | public="public" 24 | repeated="repeated" 25 | required="required" 26 | reserved="reserved" 27 | returns="returns" 28 | rpc="rpc" 29 | service="service" 30 | sfixed32="sfixed32" 31 | sfixed64="sfixed64" 32 | sint32="sint32" 33 | sint64="sint64" 34 | stream="stream" 35 | string="string" 36 | syntax="syntax" 37 | true="true" 38 | uint32="uint32" 39 | uint64="uint64" 40 | weak="weak" 41 | -------------------------------------------------------------------------------- /dictionaries/riff.dict: -------------------------------------------------------------------------------- 1 | # https://developers.google.com/speed/webp/docs/riff_container 2 | 3 | # FourCC 4 | "ALPH" 5 | "ANIM" 6 | "ANMF" 7 | "EXIF" 8 | "ICCP" 9 | "RIFF" 10 | "VP8 " 11 | "VP8L" 12 | "VP8X" 13 | "WEBP" 14 | "XMP " 15 | 16 | # VP8 signature 17 | "\x9D\x01\x2A" 18 | -------------------------------------------------------------------------------- /dictionaries/rss.dict: -------------------------------------------------------------------------------- 1 | # https://en.wikipedia.org/wiki/RSS 2 | 3 | "<?xml version='1.0' encoding='UTF-8' ?>" 4 | "<rss version='2.0'>" 5 | "<author>" 6 | "<category>" 7 | "<channel>" 8 | "<cloud>" 9 | "<comments>" 10 | "<copyright>" 11 | "<description>" 12 | "<docs>" 13 | "<enclosure>" 14 | "<generator>" 15 | "<guid>" 16 | "<image>" 17 | "<item>" 18 | "<language>" 19 | "<lastBuildDate>" 20 | "<link>" 21 | "<managingEditor>" 22 | "<pubDate>" 23 | "<rating>" 24 | "<skipDays>" 25 | "<skipHours>" 26 | "<source>" 27 | "<textInput>" 28 | "<title>" 29 | "<ttl>" 30 | "<url>" 31 | "<webMaster>" 32 | -------------------------------------------------------------------------------- /dictionaries/rst.dict: -------------------------------------------------------------------------------- 1 | # https://docutils.readthedocs.io/en/sphinx-docs/ref/rst/restructuredtext.html 2 | 3 | bold="**" 4 | list1="1. " 5 | list2="(1) " 6 | list3="1) " 7 | list4="I. " 8 | list5="i. " 9 | list6="* " 10 | list7="- " 11 | list8="+ " 12 | end_of_paragraph="::" 13 | title="=====" 14 | image=".. image:: " 15 | image_attr=" :a: 1" 16 | doctest=">>>" 17 | table1="+--+"" 18 | table2="+==+"" 19 | footnote_and_citation=".. [a] " 20 | hyperlink=".. _a: http://a " 21 | macro=".. |b| a" 22 | -------------------------------------------------------------------------------- /dictionaries/sas.dict: -------------------------------------------------------------------------------- 1 | " " 2 | "#" 3 | "$" 4 | "$CHAR" 5 | "%LET" 6 | "(" 7 | ")" 8 | "*/" 9 | "/*" 10 | ";" 11 | "@" 12 | "ATTRIB" 13 | "CLEAR" 14 | "CONTENTS" 15 | "DATA" 16 | "DATE" 17 | "FILENAME" 18 | "FOOTNOTE" 19 | "FORMAT" 20 | "IF" 21 | "INFILE" 22 | "INPUT" 23 | "INVALUE" 24 | "LABEL" 25 | "LENGTH" 26 | "LIBNAME" 27 | "LIST" 28 | "MISSING" 29 | "OPTIONS" 30 | "OTHER" 31 | "PRINT" 32 | "PROC" 33 | "RUN" 34 | "VALUE" 35 | "_ALL_" 36 | "dlm" 37 | "firstobs" 38 | -------------------------------------------------------------------------------- /dictionaries/spss.dict: -------------------------------------------------------------------------------- 1 | "(" 2 | "(NOMINAL)" 3 | "(ORDINAL)" 4 | "(SCALE)" 5 | ")" 6 | "." 7 | "/" 8 | "/VARIABLES" 9 | "=" 10 | " " 11 | "A" 12 | "ADATE" 13 | "COMMENT" 14 | "DATA" 15 | "DATASET" 16 | "DATE" 17 | "DELIMITERS" 18 | "DICTIONARY" 19 | "DISPLAY" 20 | "END" 21 | "EXECUTE" 22 | "F" 23 | "FILE" 24 | "FIRSTCASE" 25 | "FIXED" 26 | "FORMATS" 27 | "HANDLE" 28 | "IF" 29 | "INPUT" 30 | "LABEL" 31 | "LABELS" 32 | "LEVEL" 33 | "LIST" 34 | "NAME" 35 | "OUTFILE" 36 | "PROGRAM" 37 | "RECODE" 38 | "RECORD" 39 | "SAVE" 40 | "SELECT" 41 | "SET" 42 | "SYSMIS" 43 | "TABLE" 44 | "VALUE" 45 | "VARIABLE" 46 | "WINDOW" 47 | -------------------------------------------------------------------------------- /dictionaries/stata.dict: -------------------------------------------------------------------------------- 1 | " " 2 | ")" 3 | "*/" 4 | "/*" 5 | "_column(" 6 | "_firstlineoffile(" 7 | "_line(" 8 | "_lines(" 9 | "_lrecl(" 10 | "_newline" 11 | "_skip(" 12 | "byte" 13 | "dictionary" 14 | "double" 15 | "float" 16 | "infile" 17 | "int" 18 | "long" 19 | "str" 20 | "using" 21 | "{" 22 | "}" 23 | -------------------------------------------------------------------------------- /dictionaries/theme-load-fuzz.dict: -------------------------------------------------------------------------------- 1 | "{" 2 | "}" 3 | "\"" 4 | ";" 5 | "=" 6 | "formats" 7 | "replaces" 8 | "abstracts" 9 | "timestamp" 10 | -------------------------------------------------------------------------------- /dictionaries/tiff.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for TIFF images 3 | # ------------------------------ 4 | # 5 | # Just the basic, standard-originating sections; does not include vendor 6 | # extensions. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_ii="II*\x00" 12 | header_mm="MM\x00*" 13 | 14 | section_100="\x00\x01" 15 | section_101="\x01\x01" 16 | section_102="\x02\x01" 17 | section_103="\x03\x01" 18 | section_106="\x06\x01" 19 | section_107="\x07\x01" 20 | section_10D="\x0d\x01" 21 | section_10E="\x0e\x01" 22 | section_10F="\x0f\x01" 23 | section_110="\x10\x01" 24 | section_111="\x11\x01" 25 | section_112="\x12\x01" 26 | section_115="\x15\x01" 27 | section_116="\x16\x01" 28 | section_117="\x17\x01" 29 | section_11A="\x1a\x01" 30 | section_11B="\x1b\x01" 31 | section_11C="\x1c\x01" 32 | section_11D="\x1d\x01" 33 | section_11E="\x1e\x01" 34 | section_11F="\x1f\x01" 35 | section_122="\"\x01" 36 | section_123="#\x01" 37 | section_124="$\x01" 38 | section_125="%\x01" 39 | section_128="(\x01" 40 | section_129=")\x01" 41 | section_12D="-\x01" 42 | section_131="1\x01" 43 | section_132="2\x01" 44 | section_13B=";\x01" 45 | section_13C="<\x01" 46 | section_13D="=\x01" 47 | section_13E=">\x01" 48 | section_13F="?\x01" 49 | section_140="@\x01" 50 | section_FE="\xfe\x00" 51 | section_FF="\xff\x00" 52 | -------------------------------------------------------------------------------- /dictionaries/tokener_parse_ex.dict: -------------------------------------------------------------------------------- 1 | "{" 2 | "}" 3 | "," 4 | "[" 5 | "]" 6 | "," 7 | ":" 8 | "e" 9 | "e+" 10 | "e-" 11 | "E" 12 | "E+" 13 | "E-" 14 | "\"" 15 | "null" 16 | "1" 17 | "1.234" 18 | "3e4" 19 | -------------------------------------------------------------------------------- /dictionaries/toml.dict: -------------------------------------------------------------------------------- 1 | # https://github.com/toml-lang/toml 2 | 3 | key_value="a.b=\"c\"" 4 | unicode="\\u1234" 5 | unicode_long="\\u12345678" 6 | true="true" 7 | false="false" 8 | multiline_literal="'''" 9 | multiline="\"\"\"" 10 | integer="+1_2_3_4" 11 | negative_integer="-1" 12 | hex="0xde_ad" 13 | oct="0o6" 14 | bin="0b1" 15 | float="-6_3.6e-05" 16 | nan="nan" 17 | inf="inf" 18 | time="1979-05-27T07:32:00Z" 19 | array="[1,2]" 20 | table="[a]" 21 | inline_table="a={1=2,3=4}" 22 | array_table="[[a]]" 23 | -------------------------------------------------------------------------------- /dictionaries/type42.dict: -------------------------------------------------------------------------------- 1 | # https://www.adobe.com/content/dam/acom/en/devnet/font/pdfs/5012.Type42_Spec.pdf 2 | # This format is a super-set of postscript, so don't forget to use ps.dict as well 3 | 4 | magic="%!PS-TrueTypeFont" 5 | "%%VMUsage:" 6 | "/FontType" 7 | "/FontMatrix" 8 | "/FontName" 9 | "/FontInfo" 10 | "/Encoding" 11 | "/FontBBox" 12 | "/UniqueID" 13 | "/XUID" 14 | "/PaintType" 15 | "/StrokeWidth" 16 | "/Metrics" 17 | "/Metrics2" 18 | "/CDevProc" 19 | "/CharStrings" 20 | "/sfnts" 21 | "/CIDMap" 22 | "/GDBytes" 23 | "/GlyphDirectory" 24 | "/MetricsCount" 25 | "/WMode" 26 | -------------------------------------------------------------------------------- /dictionaries/url.dict: -------------------------------------------------------------------------------- 1 | # https://en.wikipedia.org/wiki/Uniform_Resource_Identifier 2 | 3 | # scheme 4 | "aim" 5 | "callto" 6 | "cvs" 7 | "data" 8 | "facetime" 9 | "feed" 10 | "file" 11 | "ftp" 12 | "git" 13 | "gopher" 14 | "gtalk" 15 | "h323" 16 | "hdl" 17 | "http" 18 | "https" 19 | "imap" 20 | "irc" 21 | "irc6" 22 | "ircs" 23 | "itms" 24 | "javascript" 25 | "magnet" 26 | "mailto" 27 | "mms" 28 | "msnim" 29 | "news" 30 | "nntp" 31 | "prospero" 32 | "rsync" 33 | "rtsp" 34 | "rtspu" 35 | "sftp" 36 | "shttp" 37 | "sip" 38 | "sips" 39 | "skype" 40 | "smb" 41 | "snews" 42 | "ssh" 43 | "svn" 44 | "svn" 45 | "svn+ssh" 46 | "telnet" 47 | "tel" 48 | "wais" 49 | "ymsg" 50 | 51 | # encoded characters 52 | "%2f" 53 | "%40" 54 | "%26" 55 | 56 | # misc 57 | "://" 58 | "//" 59 | "\\" 60 | "../" 61 | ";type=a" 62 | "xn--" 63 | -------------------------------------------------------------------------------- /dictionaries/vhd.dict: -------------------------------------------------------------------------------- 1 | # https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-VHDX/%5bMS-VHDX%5d.pdf 2 | 3 | magic="\x65\x6C\x69\x66\x78\x64\x68\x76" 4 | head="\x64\x61\x65\x68" 5 | regi="\x69\x67\x65\x72" 6 | loge="\x65\x67\x6F\x6C" 7 | zero="\x6F\x72\x65\x7A" 8 | desc="\x63\x73\x65\x64" 9 | data="\x61\x74\x61\x64" 10 | metadata="\x61\x74\x61\x64\x61\x74\x65\x6D" 11 | -------------------------------------------------------------------------------- /dictionaries/vpx_dec.dict: -------------------------------------------------------------------------------- 1 | # IVF Signature + version (bytes 0-5) 2 | kw1="DKIF\x00\x00" 3 | 4 | # VP9 codec fourCC (bytes 8-11) 5 | kw2="VP90" 6 | 7 | # VP8 codec fourCC (bytes 8-11) 8 | kw3="VP80" 9 | -------------------------------------------------------------------------------- /dictionaries/wav.dict: -------------------------------------------------------------------------------- 1 | header="RIFF" 2 | header_id="WAVE" 3 | 4 | fmt_chunk="fmt " 5 | fact_chunk="fact" 6 | data_chunk="data" 7 | cue_chunk="cue " 8 | playlist_chunk="plst" 9 | list_chunk="list" 10 | label_chunk="labl" 11 | note_chunk="note" 12 | labeled_text_chunk="ltxt" 13 | sampler_chunk="smpl" 14 | instrument_chunk="inst" 15 | 16 | # IFF extension: https://web.archive.org/web/20080114200405/http://www.borg.com/~jglatt/tech/aboutiff.htm 17 | "FORM" 18 | "LIST" 19 | "CAT " 20 | "ILBM" 21 | "AIFF" 22 | "ANIM" 23 | "CMAP" 24 | "MIDI" 25 | "MThd" 26 | -------------------------------------------------------------------------------- /dictionaries/webp.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for WebP images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_RIFF="RIFF" 9 | header_WEBP="WEBP" 10 | 11 | section_ALPH="ALPH" 12 | section_ANIM="ANIM" 13 | section_ANMF="ANMF" 14 | section_EXIF="EXIF" 15 | section_FRGM="FRGM" 16 | section_ICCP="ICCP" 17 | section_VP8="VP8 " 18 | section_VP8L="VP8L" 19 | section_VP8X="VP8X" 20 | section_XMP="XMP " 21 | -------------------------------------------------------------------------------- /dictionaries/wkt.dict: -------------------------------------------------------------------------------- 1 | # https://en.wikipedia.org/wiki/Well-known_text_representation_of_geometry 2 | 3 | "AFFINEPLACEMENT" 4 | "BREPSOLID" 5 | "CIRCLE" 6 | "CIRCULARSTRING" 7 | "CLOTHOID" 8 | "COMPOUNDCURVE" 9 | "CURVE" 10 | "CURVEPOLYGON" 11 | "ELLIPTICALCURVE" 12 | "EMPTY" 13 | "GEODESICSTRING" 14 | "GEOMETRY" 15 | "GEOMETRYCOLLECTION" 16 | "LINESTRING" 17 | "MULTICURVE" 18 | "MULTILINESTRING" 19 | "MULTIPOINT" 20 | "MULTIPOLYGON" 21 | "MULTISURFACE" 22 | "NURBSCURVE" 23 | "POINT" 24 | "PATCHES" 25 | "POLYGON" 26 | "POLYHEDRALSURFACE" 27 | "SPIRALCURVE" 28 | "SRID" 29 | "SURFACE" 30 | "TIN" 31 | "TRIANGLE" 32 | "ZM" 33 | 34 | # misc 35 | "(1,2)" 36 | -------------------------------------------------------------------------------- /dictionaries/xpath.dict: -------------------------------------------------------------------------------- 1 | # https://developer.mozilla.org/en-US/docs/Web/XPath 2 | # https://devhints.io/xpath 3 | 4 | # selectors 5 | "//" 6 | "./" 7 | "::" 8 | "[*]" 9 | 10 | 11 | # functions - https://developer.mozilla.org/en-US/docs/Web/XPath/Functions 12 | "boolean(" 13 | "ceiling(" 14 | "choose(" 15 | "concat(" 16 | "contains(" 17 | "count(" 18 | "current()" 19 | "document(" 20 | "element-available(" 21 | "ends-with(" 22 | "false()" 23 | "floor(" 24 | "format-number(" 25 | "function-available(" 26 | "generate-id(" 27 | "id(" 28 | "key(" 29 | "lang(" 30 | "last()" 31 | "local-name(" 32 | "name(" 33 | "namespace-uri(" 34 | "normalize-space(" 35 | "not(" 36 | "number(" 37 | "or" 38 | "position(" 39 | "round(" 40 | "starts-with(" 41 | "string(" 42 | "string-length(" 43 | "substring(" 44 | "substring-after(" 45 | "substring-before(" 46 | "sum(" 47 | "system-property(" 48 | "text()" 49 | "translate(" 50 | "true()" 51 | "unparsed-entity-url(" 52 | 53 | # axes - https://developer.mozilla.org/en-US/docs/Web/XPath/Axes 54 | "ancestor" 55 | "ancestor-or-self" 56 | "attribute" 57 | "child" 58 | "descendant" 59 | "descendant-or-self" 60 | "following" 61 | "following-sibling" 62 | "namespace" 63 | "parent" 64 | "preceding" 65 | "preceding-sibling" 66 | "self" 67 | -------------------------------------------------------------------------------- /dictionaries/zip.dict: -------------------------------------------------------------------------------- 1 | header1="\x50\x4B\x03\x04" 2 | header2="\x50\x4B\x05\x06" 3 | header2="\x50\x4B\x07\x08" 4 | -------------------------------------------------------------------------------- /docs/resources/afl_gzip.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/docs/resources/afl_gzip.png -------------------------------------------------------------------------------- /docs/resources/screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/docs/resources/screenshot.png -------------------------------------------------------------------------------- /docs/resources/statsd-grafana.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/docs/resources/statsd-grafana.png -------------------------------------------------------------------------------- /frida_mode/.gitignore: -------------------------------------------------------------------------------- 1 | build/ 2 | frida_test.dat 3 | qemu_test.dat 4 | frida_out/** 5 | qemu_out/** 6 | ts/dist/ 7 | ts/node_modules/ 8 | -------------------------------------------------------------------------------- /frida_mode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | format: 13 | @gmake format 14 | 15 | hook: 16 | @gmake hook 17 | -------------------------------------------------------------------------------- /frida_mode/addr/addr.c: -------------------------------------------------------------------------------- 1 | #include <errno.h> 2 | #include <link.h> 3 | #include <stdio.h> 4 | #include <unistd.h> 5 | #include <sys/personality.h> 6 | 7 | #define UNUSED_PARAMETER(x) (void)(x) 8 | 9 | int phdr_callback(struct dl_phdr_info *info, size_t size, void *data) 10 | { 11 | UNUSED_PARAMETER (size); 12 | 13 | ElfW(Addr) * base = data; 14 | 15 | if (info->dlpi_name[0] == 0) { *base = info->dlpi_addr; } 16 | return 0; 17 | } 18 | 19 | int main (int argc, char** argv, char** envp) { 20 | UNUSED_PARAMETER (argc); 21 | 22 | ElfW(Addr) base = 0; 23 | 24 | int persona = personality(ADDR_NO_RANDOMIZE); 25 | if (persona == -1) { 26 | 27 | printf("Failed to set ADDR_NO_RANDOMIZE: %d", errno); 28 | return 1; 29 | } 30 | 31 | if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); } 32 | 33 | dl_iterate_phdr(phdr_callback, &base); 34 | 35 | printf("%p\n", (void *)base); 36 | if (base == 0) { return 1; } 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /frida_mode/frida.map: -------------------------------------------------------------------------------- 1 | { 2 | global: 3 | __afl_fuzz_len; 4 | __afl_fuzz_ptr; 5 | __afl_sharedmem_fuzzing; 6 | afl_frida_start; 7 | js_api_add_exclude_range; 8 | js_api_add_include_range; 9 | js_api_done; 10 | js_api_error; 11 | js_api_set_backpatch_disable; 12 | js_api_set_debug_maps; 13 | js_api_set_entrypoint; 14 | js_api_set_instrument_coverage_file; 15 | js_api_set_instrument_debug_file; 16 | js_api_set_instrument_jit; 17 | js_api_set_instrument_libraries; 18 | js_api_set_instrument_no_optimize; 19 | js_api_set_instrument_seed; 20 | js_api_set_instrument_trace; 21 | js_api_set_instrument_trace_unique; 22 | js_api_set_instrument_unstable_coverage_file; 23 | js_api_set_js_main_hook; 24 | js_api_set_persistent_address; 25 | js_api_set_persistent_count; 26 | js_api_set_persistent_debug; 27 | js_api_set_persistent_hook; 28 | js_api_set_persistent_return; 29 | js_api_set_prefetch_backpatch_disable; 30 | js_api_set_prefetch_disable; 31 | js_api_set_seccomp_file; 32 | js_api_set_stalker_callback; 33 | js_api_set_stalker_adjacent_blocks; 34 | js_api_set_stalker_ic_entries; 35 | js_api_set_stats_file; 36 | js_api_set_stats_interval; 37 | js_api_set_stderr; 38 | js_api_set_stdout; 39 | js_api_set_traceable; 40 | js_api_set_verbose; 41 | 42 | local: 43 | *; 44 | }; 45 | -------------------------------------------------------------------------------- /frida_mode/include/asan.h: -------------------------------------------------------------------------------- 1 | #ifndef _ASAN_H 2 | #define _ASAN_H 3 | 4 | #include "frida-gumjs.h" 5 | 6 | extern gboolean asan_initialized; 7 | 8 | void asan_config(void); 9 | void asan_init(void); 10 | void asan_arch_init(void); 11 | void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator); 12 | void asan_exclude_module_by_symbol(gchar *symbol_name); 13 | 14 | #endif 15 | 16 | -------------------------------------------------------------------------------- /frida_mode/include/ctx.h: -------------------------------------------------------------------------------- 1 | #ifndef _CTX_H 2 | #define _CTX_H 3 | 4 | #include "frida-gumjs.h" 5 | 6 | #if defined(__x86_64__) 7 | gsize ctx_read_reg(GumX64CpuContext *ctx, x86_reg reg); 8 | #elif defined(__i386__) 9 | gsize ctx_read_reg(GumIA32CpuContext *ctx, x86_reg reg); 10 | #elif defined(__aarch64__) 11 | gsize ctx_read_reg(GumArm64CpuContext *ctx, arm64_reg reg); 12 | size_t ctx_get_size(const cs_insn *instr, cs_arm64_op *operand); 13 | #elif defined(__arm__) 14 | gsize ctx_read_reg(GumArmCpuContext *ctx, arm_reg reg); 15 | #endif 16 | 17 | #endif 18 | 19 | -------------------------------------------------------------------------------- /frida_mode/include/entry.h: -------------------------------------------------------------------------------- 1 | #ifndef _ENTRY_H 2 | #define _ENTRY_H 3 | 4 | #include "frida-gumjs.h" 5 | 6 | extern guint64 entry_point; 7 | extern gboolean traceable; 8 | extern gboolean entry_compiled; 9 | extern gboolean entry_run; 10 | 11 | void entry_config(void); 12 | 13 | void entry_init(void); 14 | 15 | void entry_start(void); 16 | 17 | void entry_prologue(GumStalkerIterator *iterator, GumStalkerOutput *output); 18 | 19 | void entry_on_fork(void); 20 | 21 | #endif 22 | 23 | -------------------------------------------------------------------------------- /frida_mode/include/frida_cmplog.h: -------------------------------------------------------------------------------- 1 | #ifndef _CMPLOG_H 2 | #define _CMPLOG_H 3 | 4 | extern struct cmp_map *__afl_cmp_map; 5 | 6 | void cmplog_config(void); 7 | void cmplog_init(void); 8 | 9 | /* Functions to be implemented by the different architectures */ 10 | void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator); 11 | 12 | gboolean cmplog_is_readable(guint64 addr, size_t size); 13 | 14 | #endif 15 | 16 | -------------------------------------------------------------------------------- /frida_mode/include/intercept.h: -------------------------------------------------------------------------------- 1 | #ifndef _INTERCEPTOR_H 2 | #define _INTERCEPTOR_H 3 | 4 | #include "frida-gumjs.h" 5 | 6 | void intercept_hook(void *address, gpointer replacement, gpointer user_data); 7 | void intercept_unhook(void *address); 8 | void intercept_unhook_self(void); 9 | 10 | #endif 11 | 12 | -------------------------------------------------------------------------------- /frida_mode/include/js.h: -------------------------------------------------------------------------------- 1 | #ifndef _JS_H 2 | #define _JS_H 3 | 4 | #include "frida-gumjs.h" 5 | 6 | typedef gboolean (*js_api_stalker_callback_t)(const cs_insn *insn, 7 | gboolean begin, gboolean excluded, 8 | GumStalkerOutput *output); 9 | 10 | typedef int (*js_main_hook_t)(int argc, char **argv, char **envp); 11 | 12 | extern unsigned char api_js[]; 13 | extern unsigned int api_js_len; 14 | 15 | extern gboolean js_done; 16 | extern js_api_stalker_callback_t js_user_callback; 17 | extern js_main_hook_t js_main_hook; 18 | 19 | /* Frida Mode */ 20 | 21 | void js_config(void); 22 | 23 | void js_start(void); 24 | 25 | gboolean js_stalker_callback(const cs_insn *insn, gboolean begin, 26 | gboolean excluded, GumStalkerOutput *output); 27 | 28 | #endif 29 | 30 | -------------------------------------------------------------------------------- /frida_mode/include/lib.h: -------------------------------------------------------------------------------- 1 | #ifndef _LIB_H 2 | #define _LIB_H 3 | 4 | #include "frida-gumjs.h" 5 | 6 | void lib_config(void); 7 | 8 | void lib_init(void); 9 | 10 | guint64 lib_get_text_base(void); 11 | 12 | guint64 lib_get_text_limit(void); 13 | 14 | #endif 15 | 16 | -------------------------------------------------------------------------------- /frida_mode/include/output.h: -------------------------------------------------------------------------------- 1 | #ifndef _OUTPUT_H 2 | #define _OUTPUT_H 3 | 4 | #include "frida-gumjs.h" 5 | 6 | extern char *output_stdout; 7 | extern char *output_stderr; 8 | 9 | void output_config(void); 10 | void output_init(void); 11 | 12 | #endif 13 | 14 | -------------------------------------------------------------------------------- /frida_mode/include/persistent.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _PERSISTENT_H 3 | #define _PERSISTENT_H 4 | 5 | #include "frida-gumjs.h" 6 | #include "config.h" 7 | 8 | typedef struct arch_api_regs api_regs; 9 | 10 | typedef void (*afl_persistent_hook_fn)(api_regs *regs, uint64_t guest_base, 11 | uint8_t *input_buf, 12 | uint32_t input_buf_len); 13 | 14 | extern int __afl_persistent_loop(unsigned int max_cnt); 15 | 16 | extern unsigned int * __afl_fuzz_len; 17 | extern unsigned char *__afl_fuzz_ptr; 18 | 19 | extern guint64 persistent_start; 20 | extern guint64 persistent_count; 21 | extern guint64 persistent_ret; 22 | extern gboolean persistent_debug; 23 | extern afl_persistent_hook_fn persistent_hook; 24 | 25 | void persistent_config(void); 26 | 27 | void persistent_init(void); 28 | 29 | /* Functions to be implemented by the different architectures */ 30 | gboolean persistent_is_supported(void); 31 | 32 | void persistent_prologue(GumStalkerOutput *output); 33 | void persistent_prologue_arch(GumStalkerOutput *output); 34 | 35 | void persistent_epilogue(GumStalkerOutput *output); 36 | void persistent_epilogue_arch(GumStalkerOutput *output); 37 | 38 | #endif 39 | 40 | -------------------------------------------------------------------------------- /frida_mode/include/prefetch.h: -------------------------------------------------------------------------------- 1 | #ifndef _PREFETCH_H 2 | #define _PREFETCH_H 3 | 4 | #include "frida-gumjs.h" 5 | 6 | extern gboolean prefetch_enable; 7 | extern gboolean prefetch_backpatch; 8 | 9 | void prefetch_config(void); 10 | void prefetch_init(void); 11 | void prefetch_write(void *addr); 12 | void prefetch_read(void); 13 | 14 | #endif 15 | 16 | -------------------------------------------------------------------------------- /frida_mode/include/ranges.h: -------------------------------------------------------------------------------- 1 | #ifndef _RANGES_H 2 | #define _RANGES_H 3 | 4 | #include "frida-gumjs.h" 5 | 6 | extern gboolean ranges_debug_maps; 7 | extern gboolean ranges_inst_libs; 8 | extern gboolean ranges_inst_jit; 9 | 10 | void ranges_config(void); 11 | void ranges_init(void); 12 | 13 | void ranges_print_debug_maps(void); 14 | 15 | gboolean range_is_excluded(GumAddress address); 16 | 17 | void ranges_exclude(); 18 | 19 | void ranges_add_include(GumMemoryRange *range); 20 | void ranges_add_exclude(GumMemoryRange *range); 21 | 22 | #endif 23 | 24 | -------------------------------------------------------------------------------- /frida_mode/include/stalker.h: -------------------------------------------------------------------------------- 1 | #ifndef _STALKER_H 2 | #define _STALKER_H 3 | 4 | #include "frida-gumjs.h" 5 | 6 | extern guint stalker_ic_entries; 7 | extern gboolean backpatch_enable; 8 | extern guint stalker_adjacent_blocks; 9 | 10 | void stalker_config(void); 11 | void stalker_init(void); 12 | GumStalker *stalker_get(void); 13 | void stalker_start(void); 14 | void stalker_trust(void); 15 | 16 | GumStalkerObserver *stalker_get_observer(void); 17 | 18 | #endif 19 | 20 | -------------------------------------------------------------------------------- /frida_mode/many-linux/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM fridadotre/manylinux-x86_64 2 | 3 | RUN yum -y install xz 4 | 5 | WORKDIR /AFLplusplus 6 | ENV CFLAGS="\ 7 | -DADDR_NO_RANDOMIZE=0x0040000 \ 8 | -Wno-implicit-function-declaration \ 9 | " 10 | ENV CXX=$CC 11 | -------------------------------------------------------------------------------- /frida_mode/many-linux/GNUmakefile: -------------------------------------------------------------------------------- 1 | PWD:=$(shell pwd)/ 2 | ROOT:=$(PWD)../../ 3 | BUILD_DIR:=$(PWD)build/ 4 | 5 | .PHONY: all build docker clean shell 6 | 7 | all: docker 8 | docker run --rm \ 9 | -v $(ROOT):/AFLplusplus \ 10 | many-afl-frida \ 11 | make -C /AFLplusplus/frida_mode clean all 12 | 13 | build: 14 | docker run --rm \ 15 | -v $(ROOT):/AFLplusplus \ 16 | many-afl-frida \ 17 | make -C /AFLplusplus/frida_mode 18 | 19 | docker: 20 | docker build --tag many-afl-frida . 21 | 22 | clean: 23 | docker images --filter 'dangling=true' -q --no-trunc | xargs -L1 docker rmi --force 24 | 25 | shell: 26 | docker run -ti --rm many-afl-frida /bin/bash 27 | -------------------------------------------------------------------------------- /frida_mode/many-linux/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | clean: 6 | @gmake clean 7 | 8 | shell: 9 | @gmake shell 10 | -------------------------------------------------------------------------------- /frida_mode/many-linux/README.md: -------------------------------------------------------------------------------- 1 | # many-linux 2 | 3 | This folder contains a Docker image to allow the building of 4 | `afl-frida-trace.so` using the `many-linux` docker image. This docker image is 5 | based on CentOS Linux 5. By building `afl-frida-trace.so` for such an old 6 | version of Linux, given the strong backward compatibility of Linux, this should 7 | work on the majority of Linux environments. This may be useful for targetting 8 | Linux distributions other than your development environment. `many-local` builds 9 | `AFLplusplus` from the local working copy in the `many-linux` environment. 10 | -------------------------------------------------------------------------------- /frida_mode/src/asan/asan.c: -------------------------------------------------------------------------------- 1 | #include "frida-gumjs.h" 2 | 3 | #include "asan.h" 4 | #include "ranges.h" 5 | #include "util.h" 6 | 7 | static gboolean asan_enabled = FALSE; 8 | gboolean asan_initialized = FALSE; 9 | 10 | void asan_config(void) { 11 | 12 | if (getenv("AFL_USE_FASAN") != NULL) { asan_enabled = TRUE; } 13 | 14 | } 15 | 16 | void asan_init(void) { 17 | 18 | FOKF(cBLU "Instrumentation" cRST " - " cGRN "asan:" cYEL " [%c]", 19 | asan_enabled ? 'X' : ' '); 20 | 21 | if (asan_enabled) { 22 | 23 | asan_arch_init(); 24 | asan_initialized = TRUE; 25 | 26 | } 27 | 28 | } 29 | 30 | static gboolean asan_exclude_module(const GumModuleDetails *details, 31 | gpointer user_data) { 32 | 33 | gchar * symbol_name = (gchar *)user_data; 34 | GumAddress address; 35 | 36 | address = gum_module_find_export_by_name(details->name, symbol_name); 37 | if (address == 0) { return TRUE; } 38 | 39 | ranges_add_exclude((GumMemoryRange *)details->range); 40 | return FALSE; 41 | 42 | } 43 | 44 | void asan_exclude_module_by_symbol(gchar *symbol_name) { 45 | 46 | gum_process_enumerate_modules(asan_exclude_module, symbol_name); 47 | 48 | } 49 | 50 | -------------------------------------------------------------------------------- /frida_mode/src/asan/asan_arm32.c: -------------------------------------------------------------------------------- 1 | #include "frida-gumjs.h" 2 | 3 | #include "asan.h" 4 | #include "util.h" 5 | 6 | #if defined(__arm__) 7 | void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { 8 | 9 | UNUSED_PARAMETER(instr); 10 | UNUSED_PARAMETER(iterator); 11 | if (asan_initialized) { 12 | 13 | FFATAL("ASAN mode not supported on this architecture"); 14 | 15 | } 16 | 17 | } 18 | 19 | void asan_arch_init(void) { 20 | 21 | FFATAL("ASAN mode not supported on this architecture"); 22 | 23 | } 24 | 25 | #endif 26 | 27 | -------------------------------------------------------------------------------- /frida_mode/src/cmplog/cmplog_arm32.c: -------------------------------------------------------------------------------- 1 | #include "frida-gumjs.h" 2 | 3 | #include "frida_cmplog.h" 4 | #include "util.h" 5 | 6 | #if defined(__arm__) 7 | void cmplog_instrument(const cs_insn *instr, GumStalkerIterator *iterator) { 8 | 9 | UNUSED_PARAMETER(instr); 10 | UNUSED_PARAMETER(iterator); 11 | if (__afl_cmp_map == NULL) { return; } 12 | FFATAL("CMPLOG mode not supported on this architecture"); 13 | 14 | } 15 | 16 | #endif 17 | 18 | -------------------------------------------------------------------------------- /frida_mode/src/ctx/ctx_arm32.c: -------------------------------------------------------------------------------- 1 | #include "frida-gumjs.h" 2 | 3 | #include "ctx.h" 4 | #include "util.h" 5 | 6 | #if defined(__arm__) 7 | 8 | gsize ctx_read_reg(GumArmCpuContext *ctx, arm_reg reg) { 9 | 10 | FFATAL("ctx_read_reg unimplemented for this architecture"); 11 | 12 | } 13 | 14 | #endif 15 | 16 | -------------------------------------------------------------------------------- /frida_mode/src/instrument/instrument_arm32.c: -------------------------------------------------------------------------------- 1 | #include "frida-gumjs.h" 2 | 3 | #include "instrument.h" 4 | #include "util.h" 5 | 6 | #if defined(__arm__) 7 | 8 | gboolean instrument_is_coverage_optimize_supported(void) { 9 | 10 | return false; 11 | 12 | } 13 | 14 | void instrument_coverage_optimize(const cs_insn * instr, 15 | GumStalkerOutput *output) { 16 | 17 | UNUSED_PARAMETER(instr); 18 | UNUSED_PARAMETER(output); 19 | FFATAL("Optimized coverage not supported on this architecture"); 20 | 21 | } 22 | 23 | void instrument_coverage_optimize_init(void) { 24 | 25 | FWARNF("Optimized coverage not supported on this architecture"); 26 | 27 | } 28 | 29 | void instrument_flush(GumStalkerOutput *output) { 30 | 31 | if (output->encoding == GUM_INSTRUCTION_SPECIAL) { 32 | 33 | gum_thumb_writer_flush(output->writer.thumb); 34 | 35 | } else { 36 | 37 | gum_arm_writer_flush(output->writer.arm); 38 | 39 | } 40 | 41 | } 42 | 43 | gpointer instrument_cur(GumStalkerOutput *output) { 44 | 45 | return gum_arm_writer_cur(output->writer.arm); 46 | 47 | } 48 | 49 | #endif 50 | 51 | -------------------------------------------------------------------------------- /frida_mode/src/intercept.c: -------------------------------------------------------------------------------- 1 | #include "frida-gumjs.h" 2 | 3 | #include "intercept.h" 4 | #include "util.h" 5 | 6 | void intercept_hook(void *address, gpointer replacement, gpointer user_data) { 7 | 8 | GumInterceptor *interceptor = gum_interceptor_obtain(); 9 | gum_interceptor_begin_transaction(interceptor); 10 | GumReplaceReturn ret = 11 | gum_interceptor_replace(interceptor, address, replacement, user_data); 12 | if (ret != GUM_REPLACE_OK) { FFATAL("gum_interceptor_attach: %d", ret); } 13 | gum_interceptor_end_transaction(interceptor); 14 | 15 | } 16 | 17 | void intercept_unhook(void *address) { 18 | 19 | GumInterceptor *interceptor = gum_interceptor_obtain(); 20 | 21 | gum_interceptor_begin_transaction(interceptor); 22 | gum_interceptor_revert(interceptor, address); 23 | gum_interceptor_end_transaction(interceptor); 24 | gum_interceptor_flush(interceptor); 25 | 26 | } 27 | 28 | void intercept_unhook_self(void) { 29 | 30 | GumInvocationContext *ctx = gum_interceptor_get_current_invocation(); 31 | intercept_unhook(ctx->function); 32 | 33 | } 34 | 35 | -------------------------------------------------------------------------------- /frida_mode/src/persistent/persistent_arm32.c: -------------------------------------------------------------------------------- 1 | #include "frida-gumjs.h" 2 | 3 | #include "persistent.h" 4 | #include "util.h" 5 | 6 | #if defined(__arm__) 7 | 8 | struct arm_regs { 9 | 10 | uint32_t r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10; 11 | 12 | union { 13 | 14 | uint32_t r11; 15 | uint32_t fp; 16 | 17 | }; 18 | 19 | union { 20 | 21 | uint32_t r12; 22 | uint32_t ip; 23 | 24 | }; 25 | 26 | union { 27 | 28 | uint32_t r13; 29 | uint32_t sp; 30 | 31 | }; 32 | 33 | union { 34 | 35 | uint32_t r14; 36 | uint32_t lr; 37 | 38 | }; 39 | 40 | union { 41 | 42 | uint32_t r15; 43 | uint32_t pc; 44 | 45 | }; 46 | 47 | uint32_t cpsr; 48 | 49 | uint8_t vfp_zregs[32][16]; 50 | uint32_t vfp_xregs[16]; 51 | 52 | }; 53 | 54 | typedef struct arm_regs arch_api_regs; 55 | 56 | gboolean persistent_is_supported(void) { 57 | 58 | return false; 59 | 60 | } 61 | 62 | void persistent_prologue_arch(GumStalkerOutput *output) { 63 | 64 | UNUSED_PARAMETER(output); 65 | FFATAL("Persistent mode not supported on this architecture"); 66 | 67 | } 68 | 69 | void persistent_epilogue_arch(GumStalkerOutput *output) { 70 | 71 | UNUSED_PARAMETER(output); 72 | FFATAL("Persistent mode not supported on this architecture"); 73 | 74 | } 75 | 76 | #endif 77 | 78 | -------------------------------------------------------------------------------- /frida_mode/src/seccomp/seccomp.c: -------------------------------------------------------------------------------- 1 | #include "frida-gumjs.h" 2 | 3 | #include "seccomp.h" 4 | #include "util.h" 5 | 6 | char *seccomp_filename = NULL; 7 | 8 | void seccomp_on_fork(void) { 9 | 10 | if (seccomp_filename == NULL) { return; } 11 | 12 | #ifdef __APPLE__ 13 | FFATAL("Seccomp not supported on OSX"); 14 | #else 15 | seccomp_callback_parent(); 16 | #endif 17 | 18 | } 19 | 20 | void seccomp_config(void) { 21 | 22 | seccomp_filename = getenv("AFL_FRIDA_SECCOMP_FILE"); 23 | 24 | } 25 | 26 | void seccomp_init(void) { 27 | 28 | FOKF(cBLU "Seccomp" cRST " - " cGRN "file:" cYEL " [%s]", 29 | seccomp_filename == NULL ? " " : seccomp_filename); 30 | 31 | if (seccomp_filename == NULL) { return; } 32 | 33 | #ifdef __APPLE__ 34 | FFATAL("Seccomp not supported on OSX"); 35 | #else 36 | seccomp_callback_initialize(); 37 | #endif 38 | 39 | } 40 | 41 | -------------------------------------------------------------------------------- /frida_mode/src/seccomp/seccomp_atomic.c: -------------------------------------------------------------------------------- 1 | #if defined(__linux__) && !defined(__ANDROID__) 2 | 3 | #include <stdbool.h> 4 | #include <stdio.h> 5 | 6 | #include "util.h" 7 | 8 | void seccomp_atomic_set(volatile bool *ptr, bool val) { 9 | 10 | if (!__sync_bool_compare_and_swap(ptr, !val, val)) { 11 | 12 | FFATAL("Failed to set event"); 13 | 14 | } 15 | 16 | } 17 | 18 | bool seccomp_atomic_try_set(volatile bool *ptr, bool val) { 19 | 20 | return __sync_bool_compare_and_swap(ptr, !val, val); 21 | 22 | } 23 | 24 | void seccomp_atomic_wait(volatile bool *ptr, bool val) { 25 | 26 | while (!__sync_bool_compare_and_swap(ptr, val, !val)) 27 | ; 28 | 29 | } 30 | 31 | #endif 32 | 33 | -------------------------------------------------------------------------------- /frida_mode/src/seccomp/seccomp_event.c: -------------------------------------------------------------------------------- 1 | #if defined(__linux__) && !defined(__ANDROID__) 2 | 3 | #include <stdint.h> 4 | #include <stdio.h> 5 | #include <sys/syscall.h> 6 | #include <unistd.h> 7 | 8 | #include "seccomp.h" 9 | #include "util.h" 10 | 11 | int seccomp_event_create(void) { 12 | 13 | #ifdef SYS_eventfd 14 | int fd = syscall(SYS_eventfd, 0, 0); 15 | #else 16 | #ifdef SYS_eventfd2 17 | int fd = syscall(SYS_eventfd2, 0, 0); 18 | #endif 19 | #endif 20 | if (fd < 0) { FFATAL("seccomp_event_create"); } 21 | return fd; 22 | 23 | } 24 | 25 | void seccomp_event_signal(int fd) { 26 | 27 | uint64_t val = 1; 28 | if (write(fd, &val, sizeof(uint64_t)) != sizeof(uint64_t)) { 29 | 30 | FFATAL("seccomp_event_signal"); 31 | 32 | } 33 | 34 | } 35 | 36 | void seccomp_event_wait(int fd) { 37 | 38 | uint64_t val = 1; 39 | if (read(fd, &val, sizeof(uint64_t)) != sizeof(uint64_t)) { 40 | 41 | FFATAL("seccomp_event_wait"); 42 | 43 | } 44 | 45 | } 46 | 47 | void seccomp_event_destroy(int fd) { 48 | 49 | if (close(fd) < 0) { FFATAL("seccomp_event_destroy"); } 50 | 51 | } 52 | 53 | #endif 54 | 55 | -------------------------------------------------------------------------------- /frida_mode/src/seccomp/seccomp_print.c: -------------------------------------------------------------------------------- 1 | #if defined(__linux__) && !defined(__ANDROID__) 2 | 3 | #include <stdarg.h> 4 | 5 | #include "seccomp.h" 6 | #include "util.h" 7 | 8 | static void seccomp_print_v(int fd, char *format, va_list ap) { 9 | 10 | char buffer[4096] = {0}; 11 | int len; 12 | 13 | if (vsnprintf(buffer, sizeof(buffer) - 1, format, ap) < 0) { return; } 14 | 15 | len = strnlen(buffer, sizeof(buffer)); 16 | IGNORED_RETURN(write(fd, buffer, len)); 17 | 18 | } 19 | 20 | void seccomp_print(char *format, ...) { 21 | 22 | va_list ap; 23 | va_start(ap, format); 24 | seccomp_print_v(SECCOMP_OUTPUT_FILE_FD, format, ap); 25 | va_end(ap); 26 | 27 | } 28 | 29 | #endif 30 | 31 | -------------------------------------------------------------------------------- /frida_mode/src/stats/stats_arm32.c: -------------------------------------------------------------------------------- 1 | #include "frida-gumjs.h" 2 | 3 | #include "stats.h" 4 | #include "util.h" 5 | 6 | #if defined(__arm__) 7 | 8 | void starts_arch_init(void) { 9 | 10 | FFATAL("Stats not supported on this architecture"); 11 | 12 | } 13 | 14 | void stats_write_arch(stats_data_t *data) { 15 | 16 | FFATAL("Stats not supported on this architecture"); 17 | 18 | } 19 | 20 | void stats_collect_arch(const cs_insn *instr, gboolean begin) { 21 | 22 | UNUSED_PARAMETER(instr); 23 | UNUSED_PARAMETER(begin); 24 | FFATAL("Stats not supported on this architecture"); 25 | 26 | } 27 | 28 | #endif 29 | 30 | -------------------------------------------------------------------------------- /frida_mode/test/bloaty/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | frida: 13 | @gmake frida 14 | -------------------------------------------------------------------------------- /frida_mode/test/cmplog/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | qemu: 13 | @gmake qemu 14 | 15 | frida: 16 | @gmake frida 17 | 18 | 19 | frida-nocmplog: 20 | @gmake frida-nocmplog 21 | 22 | format: 23 | @gmake format 24 | 25 | debug: 26 | @gmake debug 27 | -------------------------------------------------------------------------------- /frida_mode/test/cmplog/get_section_addrs.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import argparse 3 | from elftools.elf.elffile import ELFFile 4 | 5 | 6 | def process_file(file, section, base): 7 | with open(file, "rb") as f: 8 | for sect in ELFFile(f).iter_sections(): 9 | if sect.name == section: 10 | start = base + sect.header["sh_offset"] 11 | end = start + sect.header["sh_size"] 12 | print("0x%016x-0x%016x" % (start, end)) 13 | return 14 | 15 | print("Section '%s' not found in '%s'" % (section, file)) 16 | 17 | 18 | def hex_value(x): 19 | return int(x, 16) 20 | 21 | 22 | def main(): 23 | parser = argparse.ArgumentParser(description="Process some integers.") 24 | parser.add_argument( 25 | "-f", "--file", dest="file", type=str, help="elf file name", required=True 26 | ) 27 | parser.add_argument( 28 | "-s", 29 | "--section", 30 | dest="section", 31 | type=str, 32 | help="elf section name", 33 | required=True, 34 | ) 35 | parser.add_argument( 36 | "-b", 37 | "--base", 38 | dest="base", 39 | type=hex_value, 40 | help="elf base address", 41 | required=True, 42 | ) 43 | 44 | args = parser.parse_args() 45 | process_file(args.file, args.section, args.base) 46 | 47 | 48 | if __name__ == "__main__": 49 | main() 50 | -------------------------------------------------------------------------------- /frida_mode/test/deferred/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | frida: 13 | @gmake frida 14 | -------------------------------------------------------------------------------- /frida_mode/test/entry_point/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | frida: 13 | @gmake frida 14 | 15 | frida_entry: 16 | @gmake frida 17 | -------------------------------------------------------------------------------- /frida_mode/test/exe/GNUmakefile: -------------------------------------------------------------------------------- 1 | PWD:=$(shell pwd)/ 2 | ROOT:=$(PWD)../../../ 3 | BUILD_DIR:=$(PWD)build/ 4 | TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/ 5 | TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in 6 | 7 | TESTINSTBIN:=$(BUILD_DIR)testinstr 8 | TESTINSTSRC:=$(PWD)testinstr.c 9 | 10 | QEMU_OUT:=$(BUILD_DIR)qemu-out 11 | FRIDA_OUT:=$(BUILD_DIR)frida-out 12 | 13 | .PHONY: all 32 clean qemu frida 14 | 15 | all: $(TESTINSTBIN) 16 | make -C $(ROOT)frida_mode/ 17 | 18 | 32: 19 | CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all 20 | 21 | $(BUILD_DIR): 22 | mkdir -p $@ 23 | 24 | $(TESTINSTR_DATA_DIR): | $(BUILD_DIR) 25 | mkdir -p $@ 26 | 27 | $(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR) 28 | echo -n "000" > $@ 29 | 30 | $(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) 31 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -no-pie 32 | 33 | clean: 34 | rm -rf $(BUILD_DIR) 35 | 36 | 37 | qemu: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) 38 | $(ROOT)afl-fuzz \ 39 | -D \ 40 | -Q \ 41 | -i $(TESTINSTR_DATA_DIR) \ 42 | -o $(QEMU_OUT) \ 43 | -- \ 44 | $(TESTINSTBIN) @@ 45 | 46 | frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) 47 | $(ROOT)afl-fuzz \ 48 | -D \ 49 | -O \ 50 | -i $(TESTINSTR_DATA_DIR) \ 51 | -o $(FRIDA_OUT) \ 52 | -- \ 53 | $(TESTINSTBIN) @@ 54 | -------------------------------------------------------------------------------- /frida_mode/test/exe/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | qemu: 13 | @gmake qemu 14 | 15 | frida: 16 | @gmake frida 17 | -------------------------------------------------------------------------------- /frida_mode/test/fasan/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | frida-noasan: 13 | @gmake frida-noasan 14 | 15 | frida: 16 | @gmake frida 17 | 18 | debug: 19 | @gmake debug 20 | 21 | run: 22 | @gmake run 23 | -------------------------------------------------------------------------------- /frida_mode/test/freetype2/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | frida: 13 | @gmake frida 14 | -------------------------------------------------------------------------------- /frida_mode/test/jpeg/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | frida: 13 | @gmake frida 14 | 15 | debug: 16 | @gmake debug 17 | -------------------------------------------------------------------------------- /frida_mode/test/js/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | frida_js_entry: 13 | @gmake frida_js_entry 14 | 15 | frida_js_replace: 16 | @gmake frida_js_replace 17 | 18 | frida_js_patch: 19 | @gmake frida_js_patch 20 | 21 | frida_js_stalker: 22 | @gmake frida_js_stalker 23 | 24 | debug: 25 | @gmake debug 26 | -------------------------------------------------------------------------------- /frida_mode/test/js/entry.js: -------------------------------------------------------------------------------- 1 | Afl.print('******************'); 2 | Afl.print('* AFL FRIDA MODE *'); 3 | Afl.print('******************'); 4 | Afl.print(''); 5 | 6 | Afl.print(`PID: ${Process.id}`); 7 | 8 | new ModuleMap().values().forEach(m => { 9 | Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); 10 | }); 11 | 12 | const name = Process.enumerateModules()[0].name; 13 | Afl.print(`Name: ${name}`); 14 | 15 | if (name === 'test') { 16 | 17 | Afl.print('Searching...\n'); 18 | const entry_point = DebugSymbol.fromName('run'); 19 | Afl.print(`entry_point: ${entry_point}`); 20 | 21 | Afl.setEntryPoint(entry_point.address); 22 | 23 | } 24 | 25 | Afl.done(); 26 | Afl.print("done"); 27 | -------------------------------------------------------------------------------- /frida_mode/test/js/fuzz.js: -------------------------------------------------------------------------------- 1 | Afl.print('******************'); 2 | Afl.print('* AFL FRIDA MODE *'); 3 | Afl.print('******************'); 4 | Afl.print(''); 5 | 6 | Afl.print(`PID: ${Process.id}`); 7 | 8 | const name = Process.enumerateModules()[0].name; 9 | Afl.print(`Name: ${name}`); 10 | 11 | new ModuleMap().values().forEach(m => { 12 | Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); 13 | }); 14 | 15 | const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; 16 | Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`); 17 | 18 | const cm = new CModule(` 19 | 20 | extern unsigned char * __afl_fuzz_ptr; 21 | extern unsigned int * __afl_fuzz_len; 22 | extern void LLVMFuzzerTestOneInput(char *buf, int len); 23 | 24 | void My_LLVMFuzzerTestOneInput(char *buf, int len) { 25 | 26 | LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); 27 | 28 | } 29 | `, 30 | { 31 | LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput, 32 | __afl_fuzz_ptr: Afl.getAflFuzzPtr(), 33 | __afl_fuzz_len: Afl.getAflFuzzLen() 34 | }); 35 | 36 | Afl.setEntryPoint(cm.My_LLVMFuzzerTestOneInput); 37 | Afl.setPersistentAddress(cm.My_LLVMFuzzerTestOneInput); 38 | Afl.setInMemoryFuzzing(); 39 | Interceptor.replace(LLVMFuzzerTestOneInput, cm.My_LLVMFuzzerTestOneInput); 40 | Afl.print("done"); 41 | Afl.done(); 42 | -------------------------------------------------------------------------------- /frida_mode/test/js/main.js: -------------------------------------------------------------------------------- 1 | Afl.print('******************'); 2 | Afl.print('* AFL FRIDA MODE *'); 3 | Afl.print('******************'); 4 | Afl.print(''); 5 | 6 | Afl.print(`PID: ${Process.id}`); 7 | 8 | const name = Process.enumerateModules()[0].name; 9 | Afl.print(`Name: ${name}`); 10 | 11 | new ModuleMap().values().forEach(m => { 12 | Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); 13 | }); 14 | 15 | const main = DebugSymbol.fromName('main').address; 16 | Afl.print(`main: ${main}`); 17 | 18 | const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; 19 | Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`); 20 | 21 | const cm = new CModule(` 22 | 23 | extern unsigned char * __afl_fuzz_ptr; 24 | extern unsigned int * __afl_fuzz_len; 25 | extern void LLVMFuzzerTestOneInput(char *buf, int len); 26 | 27 | int main(int argc, char **argv) { 28 | 29 | LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); 30 | 31 | } 32 | `, 33 | { 34 | LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput, 35 | __afl_fuzz_ptr: Afl.getAflFuzzPtr(), 36 | __afl_fuzz_len: Afl.getAflFuzzLen() 37 | }); 38 | 39 | Afl.setEntryPoint(cm.main); 40 | Afl.setPersistentAddress(cm.main); 41 | Afl.setInMemoryFuzzing(); 42 | Afl.setJsMainHook(cm.main); 43 | Afl.print("done"); 44 | Afl.done(); 45 | -------------------------------------------------------------------------------- /frida_mode/test/js/patch.js: -------------------------------------------------------------------------------- 1 | Afl.print('******************'); 2 | Afl.print('* AFL FRIDA MODE *'); 3 | Afl.print('******************'); 4 | Afl.print(''); 5 | 6 | const main = DebugSymbol.fromName('main').address; 7 | Afl.print(`main: ${main}`); 8 | Afl.setEntryPoint(main); 9 | Afl.setPersistentAddress(main); 10 | Afl.setPersistentCount(10000000); 11 | 12 | const crc32_check = DebugSymbol.fromName('crc32_check').address; 13 | const crc32_replacement = new NativeCallback( 14 | (buf, len) => { 15 | Afl.print(`len: ${len}`); 16 | if (len < 4) { 17 | return 0; 18 | } 19 | 20 | return 1; 21 | }, 22 | 'int', 23 | ['pointer', 'int']); 24 | Interceptor.replace(crc32_check, crc32_replacement); 25 | 26 | const some_boring_bug = DebugSymbol.fromName('some_boring_bug').address 27 | const boring_replacement = new NativeCallback( 28 | (c) => { }, 29 | 'void', 30 | ['char']); 31 | Interceptor.replace(some_boring_bug, boring_replacement); 32 | 33 | Afl.done(); 34 | Afl.print("done"); 35 | -------------------------------------------------------------------------------- /frida_mode/test/js/replace.js: -------------------------------------------------------------------------------- 1 | Afl.print('******************'); 2 | Afl.print('* AFL FRIDA MODE *'); 3 | Afl.print('******************'); 4 | Afl.print(''); 5 | 6 | Afl.print(`PID: ${Process.id}`); 7 | 8 | const name = Process.enumerateModules()[0].name; 9 | Afl.print(`Name: ${name}`); 10 | 11 | new ModuleMap().values().forEach(m => { 12 | Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); 13 | }); 14 | 15 | const slow = DebugSymbol.fromName('slow').address; 16 | Afl.print(`slow: ${slow}`); 17 | 18 | const LLVMFuzzerTestOneInput = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; 19 | Afl.print(`LLVMFuzzerTestOneInput: ${LLVMFuzzerTestOneInput}`); 20 | 21 | const cm = new CModule(` 22 | 23 | extern unsigned char * __afl_fuzz_ptr; 24 | extern unsigned int * __afl_fuzz_len; 25 | extern void LLVMFuzzerTestOneInput(char *buf, int len); 26 | 27 | void slow(void) { 28 | 29 | LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); 30 | } 31 | `, 32 | { 33 | LLVMFuzzerTestOneInput: LLVMFuzzerTestOneInput, 34 | __afl_fuzz_ptr: Afl.getAflFuzzPtr(), 35 | __afl_fuzz_len: Afl.getAflFuzzLen() 36 | }); 37 | 38 | Afl.setEntryPoint(cm.slow); 39 | Afl.setPersistentAddress(cm.slow); 40 | Afl.setInMemoryFuzzing(); 41 | Interceptor.replace(slow, cm.slow); 42 | Afl.print("done"); 43 | Afl.done(); 44 | -------------------------------------------------------------------------------- /frida_mode/test/libxml/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | frida: 13 | @gmake frida 14 | -------------------------------------------------------------------------------- /frida_mode/test/libxslt/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | frida: 13 | @gmake frida 14 | -------------------------------------------------------------------------------- /frida_mode/test/osx-lib/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | clean: 6 | @gmake clean 7 | 8 | frida_persistent: 9 | @gmake frida_persistent 10 | 11 | frida_persistent_hook: 12 | @gmake frida_persistent_hook 13 | -------------------------------------------------------------------------------- /frida_mode/test/osx-lib/harness3.c: -------------------------------------------------------------------------------- 1 | #include <string.h> 2 | #include <assert.h> 3 | #include <stdio.h> 4 | #include <stdlib.h> 5 | #include <dlfcn.h> 6 | 7 | 8 | extern void crashme(const uint8_t *Data, size_t Size); 9 | 10 | int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size){ 11 | crashme(data, size); 12 | return 0; 13 | } 14 | 15 | void run (int argc, const char * argv[]) 16 | { 17 | for (int i = 1; i < argc; i++) { 18 | fprintf(stderr, "Running: %s\n", argv[i]); 19 | FILE *f = fopen(argv[i], "r"); 20 | assert(f); 21 | fseek(f, 0, SEEK_END); 22 | size_t len = ftell(f); 23 | fseek(f, 0, SEEK_SET); 24 | unsigned char *buf = (unsigned char*)malloc(len); 25 | size_t n_read = fread(buf, 1, len, f); 26 | fclose(f); 27 | assert(n_read == len); 28 | LLVMFuzzerTestOneInput(buf, len); 29 | free(buf); 30 | fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); 31 | } 32 | } 33 | 34 | int main(int argc, const char * argv[]) 35 | { 36 | 37 | run(argc, argv); 38 | 39 | return 0; 40 | } 41 | -------------------------------------------------------------------------------- /frida_mode/test/osx-lib/lib.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <stdint.h> 4 | 5 | 6 | void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { 7 | 8 | if (Size < 5) return; 9 | 10 | if (Data[0] == 'F') 11 | if (Data[1] == 'A') 12 | if (Data[2] == '$') 13 | if (Data[3] == '$') 14 | if (Data[4] == '$') abort(); 15 | 16 | 17 | } 18 | -------------------------------------------------------------------------------- /frida_mode/test/osx-lib/lib2.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <stdint.h> 4 | #include <string.h> 5 | 6 | 7 | void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { 8 | 9 | if (Size < 1) return; 10 | 11 | char *buf = malloc(10); 12 | 13 | if (buf == NULL) return; 14 | 15 | switch (Data[0]) { 16 | 17 | /* Underflow */ 18 | case 'U': 19 | printf("Underflow\n"); 20 | buf[-1] = '\0'; 21 | free(buf); 22 | break; 23 | /* Overflow */ 24 | case 'O': 25 | printf("Overflow\n"); 26 | buf[10] = '\0'; 27 | free(buf); 28 | break; 29 | /* Double free */ 30 | case 'D': 31 | printf("Double free\n"); 32 | free(buf); 33 | free(buf); 34 | break; 35 | /* Use after free */ 36 | case 'A': 37 | printf("Use after free\n"); 38 | free(buf); 39 | buf[0] = '\0'; 40 | break; 41 | /* Test Limits (OK) */ 42 | case 'T': 43 | printf("Test-Limits - No Error\n"); 44 | buf[0] = 'A'; 45 | buf[9] = 'I'; 46 | free(buf); 47 | break; 48 | case 'M': 49 | printf("Memset too many\n"); 50 | memset(buf, '\0', 11); 51 | free(buf); 52 | break; 53 | default: 54 | printf("Nop - No Error\n"); 55 | break; 56 | 57 | } 58 | 59 | 60 | } 61 | 62 | -------------------------------------------------------------------------------- /frida_mode/test/output/GNUmakefile: -------------------------------------------------------------------------------- 1 | PWD:=$(shell pwd)/ 2 | ROOT:=$(PWD)../../../ 3 | BUILD_DIR:=$(PWD)build/ 4 | TESTINSTR_DATA_DIR:=$(BUILD_DIR)in/ 5 | TESTINSTR_DATA_FILE:=$(TESTINSTR_DATA_DIR)in 6 | 7 | TESTINSTBIN:=$(BUILD_DIR)testinstr 8 | TESTINSTSRC:=$(PWD)testinstr.c 9 | 10 | QEMU_OUT:=$(BUILD_DIR)qemu-out 11 | FRIDA_OUT:=$(BUILD_DIR)frida-out 12 | 13 | .PHONY: all 32 clean qemu frida 14 | 15 | all: $(TESTINSTBIN) 16 | make -C $(ROOT)frida_mode/ 17 | 18 | 32: 19 | CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all 20 | 21 | $(BUILD_DIR): 22 | mkdir -p $@ 23 | 24 | $(TESTINSTR_DATA_DIR): | $(BUILD_DIR) 25 | mkdir -p $@ 26 | 27 | $(TESTINSTR_DATA_FILE): | $(TESTINSTR_DATA_DIR) 28 | echo -n "000" > $@ 29 | 30 | $(TESTINSTBIN): $(TESTINSTSRC) | $(BUILD_DIR) 31 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< 32 | 33 | clean: 34 | rm -rf $(BUILD_DIR) 35 | 36 | frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) 37 | AFL_FRIDA_OUTPUT_STDOUT=frida_stdout.txt \ 38 | AFL_FRIDA_OUTPUT_STDERR=frida_stderr.txt \ 39 | AFL_FRIDA_STATS_FILE=frida_stats.txt \ 40 | AFL_FRIDA_STATS_INTERVAL=1 \ 41 | $(ROOT)afl-fuzz \ 42 | -D \ 43 | -O \ 44 | -i $(TESTINSTR_DATA_DIR) \ 45 | -o $(FRIDA_OUT) \ 46 | -- \ 47 | $(TESTINSTBIN) @@ 48 | -------------------------------------------------------------------------------- /frida_mode/test/output/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | frida: 13 | @gmake frida 14 | -------------------------------------------------------------------------------- /frida_mode/test/perf/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | qemu: 13 | @gmake qemu 14 | 15 | frida: 16 | @gmake frida 17 | 18 | debug: 19 | @gmake debug 20 | -------------------------------------------------------------------------------- /frida_mode/test/persistent_ret/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | frida: 13 | @gmake frida 14 | 15 | frida_ret: 16 | @gmake frida_ret 17 | 18 | debug: 19 | @gmake debug 20 | 21 | run: 22 | @gmake run 23 | -------------------------------------------------------------------------------- /frida_mode/test/png/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | qemu: 13 | @gmake qemu 14 | 15 | frida: 16 | @gmake frida 17 | 18 | debug: 19 | @gmake debug 20 | -------------------------------------------------------------------------------- /frida_mode/test/png/persistent/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | qemu: 13 | @gmake qemu 14 | 15 | qemu_entry: 16 | @gmake qemu_entry 17 | 18 | frida: 19 | @gmake frida 20 | 21 | frida_entry: 22 | @gmake frida_entry 23 | 24 | debug: 25 | @gmake debug 26 | -------------------------------------------------------------------------------- /frida_mode/test/png/persistent/hook/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | format: 13 | @gmake format 14 | 15 | qemu: 16 | @gmake qemu 17 | 18 | qemu_entry: 19 | @gmake qemu_entry 20 | 21 | frida: 22 | @gmake frida 23 | 24 | frida_entry: 25 | @gmake frida_entry 26 | 27 | frida_js: 28 | @gmake frida_js 29 | 30 | debug: 31 | @gmake debug 32 | -------------------------------------------------------------------------------- /frida_mode/test/png/persistent/hook/cmodule.js: -------------------------------------------------------------------------------- 1 | Afl.print('******************'); 2 | Afl.print('* AFL FRIDA MODE *'); 3 | Afl.print('******************'); 4 | Afl.print(''); 5 | 6 | Afl.print(`PID: ${Process.id}`); 7 | 8 | const name = Process.enumerateModules()[0].name; 9 | Afl.print(`Name: ${name}`); 10 | 11 | new ModuleMap().values().forEach(m => { 12 | Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); 13 | }); 14 | 15 | const persistent_addr = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; 16 | Afl.print(`persistent_addr: ${persistent_addr}`); 17 | Afl.setEntryPoint(persistent_addr); 18 | Afl.setPersistentAddress(persistent_addr); 19 | 20 | const cm = new CModule(` 21 | 22 | #include <string.h> 23 | #include <gum/gumdefs.h> 24 | 25 | void afl_persistent_hook(GumCpuContext *regs, uint8_t *input_buf, 26 | uint32_t input_buf_len) { 27 | 28 | memcpy((void *)regs->rdi, input_buf, input_buf_len); 29 | regs->rsi = input_buf_len; 30 | 31 | } 32 | `, 33 | { 34 | memcpy: Module.getExportByName(null, 'memcpy') 35 | }); 36 | Afl.setPersistentHook(cm.afl_persistent_hook); 37 | 38 | Afl.print("done"); 39 | Afl.done(); 40 | -------------------------------------------------------------------------------- /frida_mode/test/png/persistent/hook/load.js: -------------------------------------------------------------------------------- 1 | Afl.print('******************'); 2 | Afl.print('* AFL FRIDA MODE *'); 3 | Afl.print('******************'); 4 | Afl.print(''); 5 | 6 | Afl.print(`PID: ${Process.id}`); 7 | 8 | const name = Process.enumerateModules()[0].name; 9 | Afl.print(`Name: ${name}`); 10 | 11 | new ModuleMap().values().forEach(m => { 12 | Afl.print(`${m.base}-${m.base.add(m.size)} ${m.name}`); 13 | }); 14 | 15 | const persistent_addr = DebugSymbol.fromName('LLVMFuzzerTestOneInput').address; 16 | Afl.print(`persistent_addr: ${persistent_addr}`); 17 | Afl.setEntryPoint(persistent_addr); 18 | Afl.setPersistentAddress(persistent_addr); 19 | 20 | const path = Afl.module.path; 21 | const dir = path.substring(0, path.lastIndexOf("/")); 22 | const mod = Module.load(`${dir}/frida_mode/build/frida_hook.so`); 23 | const hook = mod.getExportByName('afl_persistent_hook'); 24 | Afl.setPersistentHook(hook); 25 | 26 | Afl.print("done"); 27 | Afl.done(); 28 | -------------------------------------------------------------------------------- /frida_mode/test/proj4/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | frida: 13 | @gmake frida 14 | 15 | debug: 16 | @gmake debug 17 | 18 | -------------------------------------------------------------------------------- /frida_mode/test/re2/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | qemu: 13 | @gmake qemu 14 | 15 | frida: 16 | @gmake frida 17 | 18 | debug: 19 | @gmake debug 20 | 21 | -------------------------------------------------------------------------------- /frida_mode/test/sqlite/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | frida: 13 | @gmake frida 14 | 15 | debug: 16 | @gmake debug 17 | 18 | -------------------------------------------------------------------------------- /frida_mode/test/testinstr/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | qemu: 13 | @gmake qemu 14 | 15 | frida: 16 | @gmake frida 17 | 18 | debug: 19 | @gmake debug 20 | -------------------------------------------------------------------------------- /frida_mode/test/unstable/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | qemu: 13 | @gmake qemu 14 | 15 | frida: 16 | @gmake frida 17 | 18 | debug: 19 | @gmake debug 20 | -------------------------------------------------------------------------------- /frida_mode/test/vorbis/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | 32: 6 | @echo trying to use GNU make... 7 | @gmake 32 || echo please install GNUmake 8 | 9 | clean: 10 | @gmake clean 11 | 12 | frida: 13 | @gmake frida 14 | -------------------------------------------------------------------------------- /frida_mode/ts/package-lock.json: -------------------------------------------------------------------------------- 1 | { 2 | "requires": true, 3 | "lockfileVersion": 1, 4 | "dependencies": { 5 | "tsc": { 6 | "version": "2.0.3", 7 | "resolved": "https://registry.npmjs.org/tsc/-/tsc-2.0.3.tgz", 8 | "integrity": "sha512-SN+9zBUtrpUcOpaUO7GjkEHgWtf22c7FKbKCA4e858eEM7Qz86rRDpgOU2lBIDf0fLCsEg65ms899UMUIB2+Ow==", 9 | "dev": true 10 | } 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /frida_mode/ts/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "@worksbutnottested/aflplusplus-frida", 3 | "version": "1.0.1", 4 | "description": "AFLplusplus Frida Mode", 5 | "main": "./dist/afl.js", 6 | "types": "./dist/afl.d.ts", 7 | "files": [ 8 | "/dist/" 9 | ], 10 | "repository": { 11 | "type": "git", 12 | "url": "git@github.com:worksbutnottested/AFLplusplus.git" 13 | }, 14 | "publishConfig": { 15 | "cache": "~/.npm", 16 | "registry": "https://npm.pkg.github.com/@worksbutnottested" 17 | }, 18 | "scripts": { 19 | "prepare": "npm run build", 20 | "build": "tsc", 21 | "lint": "tslint -p tslint.json" 22 | }, 23 | "devDependencies": { 24 | "@types/node": "^14.14.2", 25 | "typescript": "^4.0.3", 26 | "typescript-tslint-plugin": "^0.5.5", 27 | "tslint": "^6.1.3" 28 | }, 29 | "dependencies": { 30 | "@types/frida-gum": "^16.2.0" 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /frida_mode/ts/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "es2020", 4 | "lib": ["es2020"], 5 | "strict": true, 6 | "module": "commonjs", 7 | "esModuleInterop": true, 8 | "declaration": true, 9 | "outDir": "./dist" 10 | }, 11 | "include": [ 12 | "lib/**/*" 13 | ] 14 | } 15 | -------------------------------------------------------------------------------- /frida_mode/ub1804/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:xenial 2 | 3 | WORKDIR /AFLplusplus 4 | 5 | RUN apt-get update 6 | RUN apt-get install -y make gcc g++ xz-utils curl wget clang zlib1g-dev -------------------------------------------------------------------------------- /frida_mode/ub1804/GNUmakefile: -------------------------------------------------------------------------------- 1 | PWD:=$(shell pwd)/ 2 | ROOT:=$(PWD)../../ 3 | 4 | .PHONY: all build docker clean shell test 5 | 6 | all: docker 7 | docker run --rm \ 8 | -v $(ROOT):/AFLplusplus \ 9 | ub1804-afl-frida \ 10 | /bin/sh -c \ 11 | 'make -C /AFLplusplus/ clean all && \ 12 | make -C /AFLplusplus/frida_mode clean all' 13 | 14 | test: 15 | docker run --rm \ 16 | -v $(ROOT):/AFLplusplus \ 17 | ub1804-afl-frida \ 18 | /bin/sh -c \ 19 | 'make -C /AFLplusplus/frida_mode/test/png clean all && \ 20 | make -C /AFLplusplus/frida_mode/test/png/persistent/hook frida' 21 | 22 | build: 23 | docker run --rm \ 24 | -v $(ROOT):/AFLplusplus \ 25 | ub1804-afl-frida \ 26 | /bin/sh -c \ 27 | 'make -C /AFLplusplus/ all && \ 28 | make -C /AFLplusplus/frida_mode all' 29 | 30 | docker: 31 | docker build --tag ub1804-afl-frida . 32 | 33 | clean: 34 | docker images --filter 'dangling=true' -q --no-trunc | xargs -L1 docker rmi --force 35 | 36 | shell: 37 | docker run -ti --rm ub1804-afl-frida /bin/bash 38 | -------------------------------------------------------------------------------- /frida_mode/ub1804/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo trying to use GNU make... 3 | @gmake all || echo please install GNUmake 4 | 5 | clean: 6 | @gmake clean 7 | 8 | shell: 9 | @gmake shell 10 | -------------------------------------------------------------------------------- /frida_mode/update_frida_version.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | test -n "$1" && { echo This script has no options. It updates the referenced Frida version in GNUmakefile to the most current one. ; exit 1 ; } 3 | 4 | OLD=$(egrep '^GUM_DEVKIT_VERSION=' GNUmakefile 2>/dev/null|awk -F= '{print$2}') 5 | NEW=$(curl https://github.com/frida/frida/releases/ 2>/dev/null|egrep 'frida-gum-devkit-[0-9.]*-linux-x86_64'|head -n 1|sed 's/.*frida-gum-devkit-//'|sed 's/-linux.*//') 6 | 7 | echo Current set version: $OLD 8 | echo Newest available version: $NEW 9 | 10 | test -z "$OLD" -o -z "$NEW" -o "$OLD" = "$NEW" && { echo Nothing to be done. ; exit 0 ; } 11 | 12 | sed -i "s/=$OLD/=$NEW/" GNUmakefile || exit 1 13 | echo Successfully updated GNUmakefile 14 | -------------------------------------------------------------------------------- /frida_mode/util/get_symbol_addr.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2020 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # set -x 16 | target="$1" 17 | symbol="$2" 18 | base="$3" 19 | 20 | test -z "$target" -o -z "$symbol" -o '!' -e "$target" && exit 0 21 | 22 | test $(uname -s) = "Darwin" && symbol=_"$symbol" 23 | 24 | file "$target" | grep -q executable && { 25 | nm "$target" | grep -i "T $symbol" | awk '{print"0x"$1}' 26 | exit 0 27 | } 28 | 29 | hex_base=$(echo "$3" | awk '{sub("^0x","");print $0}' | tr a-f A-F ) 30 | nm "$target" | grep -i "T $symbol" | awk '{print$1}' | tr a-f A-F | \ 31 | xargs echo "ibase=16;obase=10;$hex_base + " | bc | tr A-F a-f | awk '{print "0x"$0}' 32 | exit 0 33 | -------------------------------------------------------------------------------- /fuzz_graph.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | import sys 3 | import matplotlib.pyplot as plt 4 | def main(): 5 | 6 | if len(sys.argv) < 2: 7 | print("Usage: ./fuzz_graph.py [queue1_plot_data] [plot_data_label1] [queue2_plot_data] [plot_data_label2]... [title]") 8 | else: 9 | for i in range(1, len(sys.argv)-1, 2): 10 | init_time = 0 11 | x = [] 12 | y = [] 13 | print(sys.argv[i]) 14 | f = open(sys.argv[i], 'r') 15 | lines = f.readline() 16 | lines = f.readlines() 17 | f.close() 18 | x.append(0) # init 19 | y.append(0) # init 20 | for line in lines: 21 | time=int(line.split(',', 13)[0].strip()) / 60 22 | x.append(time) 23 | map_size = int(line.split(',', 13)[12].strip()) 24 | y.append(map_size) 25 | 26 | plt.plot(x, y, label = sys.argv[i+1]) 27 | 28 | # naming the x axis 29 | plt.xlabel('t(Min)') 30 | # naming the y axis 31 | plt.ylabel('edge coverage') 32 | # giving a title to my graph 33 | plt.title(sys.argv[len(sys.argv)-1]) 34 | 35 | 36 | # show a legend on the plot 37 | plt.legend() 38 | 39 | # function to show the plot 40 | plt.show() 41 | if __name__ == "__main__": 42 | main() 43 | 44 | -------------------------------------------------------------------------------- /include/parse.h: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <libxml/parser.h> 3 | #include <libxml/tree.h> 4 | #include <stdlib.h> 5 | #include <string.h> 6 | 7 | #define parameter_array_size 300 8 | #define parameter_strings_long 1000 9 | #define variable_array_size 30 10 | 11 | struct environment_list { 12 | _Bool must; 13 | int count; 14 | char name[parameter_strings_long]; 15 | char environment[variable_array_size][parameter_strings_long]; 16 | }; 17 | 18 | struct argument_list { 19 | _Bool must; 20 | int count; 21 | char argument[variable_array_size][parameter_strings_long]; 22 | }; 23 | 24 | struct environment_list environment[parameter_array_size]; 25 | int env_count; 26 | 27 | struct argument_list argument[parameter_array_size]; 28 | int argv_count; 29 | 30 | void parse_xml(char *xml_posion); -------------------------------------------------------------------------------- /instrumentation/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo "no need to do make in the instrumentation/ directory :) - it is all done in the main one" 3 | -------------------------------------------------------------------------------- /instrumentation/README.cmplog.md: -------------------------------------------------------------------------------- 1 | # CmpLog instrumentation 2 | 3 | The CmpLog instrumentation enables logging of comparison operands in a shared 4 | memory. 5 | 6 | These values can be used by various mutators built on top of it. At the moment, 7 | we support the RedQueen mutator (input-2-state instructions only), for details 8 | see 9 | [the RedQueen paper](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Redqueen.pdf). 10 | 11 | ## Build 12 | 13 | To use CmpLog, you have to build two versions of the instrumented target 14 | program: 15 | 16 | * The first version is built using the regular AFL++ instrumentation. 17 | * The second one, the CmpLog binary, is built with setting `AFL_LLVM_CMPLOG` 18 | during the compilation. 19 | 20 | For example: 21 | 22 | ``` 23 | ./configure --cc=~/path/to/afl-clang-fast 24 | make 25 | cp ./program ./program.afl 26 | make clean 27 | export AFL_LLVM_CMPLOG=1 28 | ./configure --cc=~/path/to/afl-clang-fast 29 | make 30 | cp ./program ./program.cmplog 31 | unset AFL_LLVM_CMPLOG 32 | ``` 33 | 34 | ## Use 35 | 36 | AFL++ has the new `-c` option that needs to be used to specify the CmpLog binary 37 | (the second build). 38 | 39 | For example: 40 | 41 | ``` 42 | afl-fuzz -i input -o output -c ./program.cmplog -m none -- ./program.afl @@ 43 | ``` 44 | 45 | Be careful with the usage of `-m` because CmpLog can map a lot of pages. 46 | -------------------------------------------------------------------------------- /instrumentation/afl-llvm-rt-lto.o.c: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - LLVM instrumentation bootstrap 3 | ----------------------------------------------------- 4 | 5 | Licensed under the Apache License, Version 2.0 (the "License"); 6 | you may not use this file except in compliance with the License. 7 | You may obtain a copy of the License at: 8 | 9 | https://www.apache.org/licenses/LICENSE-2.0 10 | 11 | */ 12 | 13 | #include <stdio.h> 14 | #include <stdlib.h> 15 | 16 | // to prevent the function from being removed 17 | unsigned char __afl_lto_mode = 0; 18 | 19 | /* Proper initialization routine. */ 20 | 21 | __attribute__((constructor(0))) void __afl_auto_init_globals(void) { 22 | 23 | if (getenv("AFL_DEBUG")) fprintf(stderr, "[__afl_auto_init_globals]\n"); 24 | __afl_lto_mode = 1; 25 | 26 | } 27 | 28 | -------------------------------------------------------------------------------- /instrumentation/llvm-alternative-coverage.h: -------------------------------------------------------------------------------- 1 | #ifndef AFL_NGRAM_CONFIG_H 2 | #define AFL_NGRAM_CONFIG_H 3 | 4 | #include "types.h" 5 | 6 | #if (MAP_SIZE_POW2 <= 16) 7 | typedef u16 PREV_LOC_T; 8 | #elif (MAP_SIZE_POW2 <= 32) 9 | typedef u32 PREV_LOC_T; 10 | #else 11 | typedef u64 PREV_LOC_T; 12 | #endif 13 | 14 | /* Maximum ngram size */ 15 | #define NGRAM_SIZE_MAX 16U 16 | 17 | /* Maximum K for top-K context sensitivity */ 18 | #define CTX_MAX_K 32U 19 | 20 | #endif 21 | 22 | -------------------------------------------------------------------------------- /nyx_mode/LIBNYX_VERSION: -------------------------------------------------------------------------------- 1 | ecbcb2d 2 | -------------------------------------------------------------------------------- /nyx_mode/PACKER_VERSION: -------------------------------------------------------------------------------- 1 | f91742c 2 | -------------------------------------------------------------------------------- /nyx_mode/QEMU_NXY_VERSION: -------------------------------------------------------------------------------- 1 | acc90e462b 2 | -------------------------------------------------------------------------------- /nyx_mode/custom_harness/fuzz.sh: -------------------------------------------------------------------------------- 1 | chmod +x hget 2 | cp hget /tmp/ 3 | cd /tmp/ 4 | echo 0 > /proc/sys/kernel/randomize_va_space 5 | echo 0 > /proc/sys/kernel/printk 6 | ./hget hcat hcat 7 | ./hget habort habort 8 | ./hget target target 9 | chmod +x hcat 10 | chmod +x habort 11 | chmod +x target 12 | ./target 13 | ./habort "Target has terminated without initializing the fuzzing agent ..." 14 | -------------------------------------------------------------------------------- /nyx_mode/custom_harness/fuzz_no_pt.sh: -------------------------------------------------------------------------------- 1 | chmod +x hget 2 | cp hget /tmp/ 3 | cd /tmp/ 4 | echo 0 > /proc/sys/kernel/randomize_va_space 5 | echo 0 > /proc/sys/kernel/printk 6 | ./hget hcat_no_pt hcat 7 | ./hget habort_no_pt habort 8 | ./hget target target 9 | chmod +x hcat 10 | chmod +x habort 11 | chmod +x target 12 | ./target 13 | ./habort "Target has terminated without initializing the fuzzing agent ..." 14 | -------------------------------------------------------------------------------- /qemu_mode/QEMUAFL_VERSION: -------------------------------------------------------------------------------- 1 | ce65a7349e 2 | -------------------------------------------------------------------------------- /qemu_mode/README.wine.md: -------------------------------------------------------------------------------- 1 | # How to troubleshoot AFL++'s wine mode 2 | 3 | ## 1) Debugging 4 | 5 | To turn on wine debugging, use the `WINEDEBUG` environment variable, e.g., 6 | `WINEDEBUG=+timestamp,+tid,+loaddll`. 7 | 8 | ## 2) LoadLibraryA workaround 9 | 10 | The forked process fails to load libraries loaded via `LoadLibrary` if the load 11 | happens after the entry point (error code: 87). To resolve this issue, one needs 12 | to load any external libraries before the fork happens. 13 | 14 | An early DLL load can be achieved by adding the DLL name into the `Import 15 | Directory` in the PE file. Such an entry can be added manually in any PE editor. 16 | 17 | Alternatively, one can generate a `.lib` file from the DLL exports and link them 18 | together with the harness to create an entry in the `Import Directory`. Use 19 | `dumpbin /exports <filename>.dll` to extract the exports and paste the exported 20 | function names into a `.def` file. Use `lib /def:<deffile> /OUT:<libfile>` to 21 | generate a `.lib` and add the library to the linker options. Once the usage of 22 | an export is detected (`__declspec(dllimport)`), the linker adds the early DLL 23 | load. -------------------------------------------------------------------------------- /qemu_mode/libqasan/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop++ - libqasan 3 | # ------------------------------- 4 | # 5 | # Written by Andrea Fioraldi <andreafioraldi@gmail.com> 6 | # 7 | # Copyright 2019-2020 Andrea Fioraldi. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | 16 | PREFIX ?= /usr/local 17 | HELPER_PATH = $(PREFIX)/lib/afl 18 | DOC_PATH ?= $(PREFIX)/share/doc/afl 19 | MAN_PATH ?= $(PREFIX)/share/man/man8 20 | 21 | VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) 22 | 23 | CFLAGS += -I ../qemuafl/qemuafl/ 24 | CFLAGS += -Wno-int-to-void-pointer-cast -ggdb 25 | LDFLAGS += -ldl -pthread 26 | 27 | SRC := libqasan.c hooks.c malloc.c string.c uninstrument.c patch.c dlmalloc.c 28 | HDR := libqasan.h 29 | 30 | all: libqasan.so 31 | 32 | libqasan.so: $(HDR) $(SRC) 33 | $(CC) $(CFLAGS) -fPIC -shared $(SRC) -o ../../$@ $(LDFLAGS) 34 | 35 | .NOTPARALLEL: clean 36 | 37 | clean: 38 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]* 39 | rm -f ../../libqasan.so 40 | 41 | install: all 42 | install -m 755 ../../libqasan.so $${DESTDIR}$(HELPER_PATH) 43 | install -m 644 -T README.md $${DESTDIR}$(DOC_PATH)/README.qasan.md 44 | 45 | -------------------------------------------------------------------------------- /qemu_mode/libqasan/README.md: -------------------------------------------------------------------------------- 1 | # QEMU AddressSanitizer Runtime 2 | 3 | This library is the injected runtime used by QEMU AddressSanitizer (QASan). 4 | 5 | The original repository is [here](https://github.com/andreafioraldi/qasan). 6 | 7 | The version embedded in qemuafl is an updated version of just the usermode part 8 | and this runtime is injected via LD_PRELOAD (so works just for dynamically 9 | linked binaries). 10 | 11 | The usage is super simple, just set the env var `AFL_USE_QASAN=1` when fuzzing 12 | in QEMU mode (-Q). afl-fuzz will automatically set AFL_PRELOAD to load this 13 | library and enable the QASan instrumentation in afl-qemu-trace. 14 | 15 | For debugging purposes, we still suggest to run the original QASan as the 16 | stacktrace support for ARM (just a debug feature, it does not affect the bug 17 | finding capabilities during fuzzing) is WIP. 18 | 19 | ### When should I use QASan? 20 | 21 | If your target binary is PIC x86_64, you should also give a try to 22 | [RetroWrite](https://github.com/HexHive/retrowrite) for static rewriting. 23 | 24 | If it fails, or if your binary is for another architecture, or you want to use 25 | persistent and snapshot mode, AFL++ QASan mode is what you want/have to use. 26 | 27 | Note that the overhead of libdislocator when combined with QEMU mode is much 28 | lower but it can catch less bugs. This is a short blanket, take your choice. 29 | -------------------------------------------------------------------------------- /qemu_mode/unsigaction/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop++ - unsigaction 3 | # -------------------------------- 4 | # 5 | # Written by Andrea Fioraldi <andreafioraldi@gmail.com> 6 | # 7 | # Copyright 2019-2020 Andrea Fioraldi. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | .POSIX: 16 | 17 | _UNIQ=_QINU_ 18 | 19 | TARGETCANDIDATES=unsigaction.so 20 | _TARGETS=$(_UNIQ)$(AFL_NO_X86)$(_UNIQ) 21 | __TARGETS=$(_TARGETS:$(_UNIQ)1$(_UNIQ)=) 22 | TARGETS=$(__TARGETS:$(_UNIQ)$(_UNIQ)=$(TARGETCANDIDATES)) 23 | 24 | all: $(TARGETS) 25 | 26 | unsigaction.so: unsigaction.c 27 | @if $(CC) -fPIC -shared unsigaction.c -o unsigaction.so 2>/dev/null ; then echo "unsigaction build success"; else echo "unsigaction build failure (that's fine)"; fi 28 | 29 | clean: 30 | rm -f unsigaction.so 31 | -------------------------------------------------------------------------------- /qemu_mode/unsigaction/README.md: -------------------------------------------------------------------------------- 1 | # unsigaction 2 | 3 | This library disables sigaction handlers when preloaded. 4 | 5 | Mainly needed by Wine mode but can be used as a separate tool. 6 | 7 | A similar solution can be found in [preeny](https://github.com/zardus/preeny). 8 | -------------------------------------------------------------------------------- /qemu_mode/unsigaction/unsigaction.c: -------------------------------------------------------------------------------- 1 | int sigaction(int signum, void *act, void *oldact) { 2 | return 0; 3 | } 4 | -------------------------------------------------------------------------------- /qemu_mode/update_ref.sh: -------------------------------------------------------------------------------- 1 | #/bin/sh 2 | 3 | ################################################## 4 | # AFL++ internal tool to update qemuafl ref. 5 | # Usage: ./update_ref.sh <new commit hash> 6 | # If no commit hash was provided, it'll take HEAD. 7 | ################################################## 8 | 9 | UC_VERSION_FILE='./QEMUAFL_VERSION' 10 | 11 | NEW_VERSION="$1" 12 | 13 | if [ "$NEW_VERSION" = "-h" ]; then 14 | echo "Internal script to update bound qemuafl version." 15 | echo 16 | echo "Usage: ./update_ref.sh <new commit hash>" 17 | echo "If no commit hash is provided, will use HEAD." 18 | echo "-h to show this help screen." 19 | exit 1 20 | fi 21 | 22 | git submodule init && git submodule update || exit 1 23 | cd ./qemuafl || exit 1 24 | git fetch origin master 1>/dev/null || exit 1 25 | git stash 1>/dev/null 2>/dev/null 26 | git stash drop 1>/dev/null 2>/dev/null 27 | git checkout master 28 | git pull origin master 1>/dev/null || exit 1 29 | 30 | if [ -z "$NEW_VERSION" ]; then 31 | # No version provided, take HEAD. 32 | NEW_VERSION=$(git rev-parse --short HEAD) 33 | fi 34 | 35 | if [ -z "$NEW_VERSION" ]; then 36 | echo "Error getting version." 37 | exit 1 38 | fi 39 | 40 | git checkout "$NEW_VERSION" || exit 1 41 | 42 | cd .. 43 | 44 | rm "$UC_VERSION_FILE" 45 | echo "$NEW_VERSION" > "$UC_VERSION_FILE" 46 | 47 | echo "Done. New qemuafl version is $NEW_VERSION." 48 | -------------------------------------------------------------------------------- /test/test-all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | . ./test-pre.sh 4 | 5 | . ./test-basic.sh 6 | 7 | . ./test-llvm.sh 8 | 9 | . ./test-llvm-lto.sh 10 | 11 | . ./test-gcc-plugin.sh 12 | 13 | . ./test-libextensions.sh 14 | 15 | . ./test-qemu-mode.sh 16 | 17 | . ./test-frida-mode.sh 18 | 19 | . ./test-unicorn-mode.sh 20 | 21 | . ./test-custom-mutators.sh 22 | 23 | . ./test-unittests.sh 24 | 25 | . ./test-post.sh 26 | -------------------------------------------------------------------------------- /test/test-cmplog.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <string.h> 3 | #include <stdint.h> 4 | #include <stdarg.h> 5 | #include <stdlib.h> 6 | #include <stdint.h> 7 | #include <unistd.h> 8 | 9 | int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t i) { 10 | 11 | if (i < 24) return 0; 12 | if (buf[0] != 'A') return 0; 13 | if (buf[1] != 'B') return 0; 14 | if (buf[2] != 'C') return 0; 15 | if (buf[3] != 'D') return 0; 16 | if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4)) return 0; 17 | if (strncmp(buf + 12, "IJKL", 4) == 0 && strcmp(buf + 16, "DEADBEEF") == 0) 18 | abort(); 19 | return 0; 20 | 21 | } 22 | 23 | #ifdef __AFL_COMPILER 24 | int main(int argc, char *argv[]) { 25 | 26 | unsigned char buf[1024]; 27 | ssize_t i; 28 | while (__AFL_LOOP(1000)) { 29 | 30 | i = read(0, (char *)buf, sizeof(buf) - 1); 31 | if (i > 0) buf[i] = 0; 32 | LLVMFuzzerTestOneInput(buf, i); 33 | 34 | } 35 | 36 | return 0; 37 | 38 | } 39 | 40 | #endif 41 | 42 | -------------------------------------------------------------------------------- /test/test-custom-mutator.c: -------------------------------------------------------------------------------- 1 | /** 2 | * Reference: 3 | * https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/blob/master/4_libprotobuf_aflpp_custom_mutator/vuln.c 4 | */ 5 | 6 | #include <stdio.h> 7 | #include <string.h> 8 | #include <math.h> 9 | #include <stdlib.h> 10 | #include <unistd.h> 11 | 12 | int main(int argc, char *argv[]) { 13 | 14 | char str[100]; 15 | read(0, str, 100); 16 | if (str[6] == 'A') { abort(); } 17 | return 0; 18 | 19 | } 20 | 21 | -------------------------------------------------------------------------------- /test/test-dlopen.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <errno.h> 3 | #include <dlfcn.h> 4 | #include <stdlib.h> 5 | 6 | int main(int argc, char **argv) { 7 | 8 | if (!getenv("TEST_DLOPEN_TARGET")) { 9 | 10 | fprintf(stderr, "Error: TEST_DLOPEN_TARGET not set!\n"); 11 | return 1; 12 | 13 | } 14 | 15 | void *lib = dlopen(getenv("TEST_DLOPEN_TARGET"), RTLD_LAZY); 16 | if (!lib) { 17 | 18 | perror(dlerror()); 19 | return 2; 20 | 21 | } 22 | 23 | int (*func)(int, char **) = dlsym(lib, "main_exported"); 24 | if (!func) { 25 | 26 | fprintf(stderr, "Error: main_exported not found!\n"); 27 | return 3; 28 | 29 | } 30 | 31 | // must use deferred forkserver as otherwise afl++ instrumentation aborts 32 | // because all dlopen() of instrumented libs must be before the forkserver 33 | __AFL_INIT(); 34 | 35 | fprintf(stderr, "Running main_exported\n"); 36 | return func(argc, argv); 37 | 38 | } 39 | 40 | -------------------------------------------------------------------------------- /test/test-floatingpoint.c: -------------------------------------------------------------------------------- 1 | #include <stdlib.h> 2 | #include <unistd.h> 3 | #include <limits.h> 4 | #include <stdint.h> 5 | 6 | __AFL_FUZZ_INIT(); 7 | 8 | int main(void) { 9 | 10 | ssize_t bytes_read; 11 | 12 | __AFL_INIT(); 13 | float *magic = (float *)__AFL_FUZZ_TESTCASE_BUF; 14 | 15 | while (__AFL_LOOP(INT_MAX)) { 16 | 17 | int len = __AFL_FUZZ_TESTCASE_LEN; 18 | if (len < sizeof(float)) return 1; 19 | 20 | /* 15 + 1/2 = 15.5 */ 21 | /* 15 + 1/2 + 1/8 = 15.625 */ 22 | /* 15 + 1/2 + 1/8 + 1/32 = 15.65625 */ 23 | /* 15 + 1/2 + 1/8 + 1/32 + 1/128 = 15.6640625 */ 24 | if ((*magic >= 15.0 + 0.5 + 0.125 + 0.03125) && 25 | (*magic <= 15.0 + 0.5 + 0.125 + 0.03125 + 0.0078125)) 26 | abort(); 27 | 28 | } 29 | 30 | return 0; 31 | 32 | } 33 | 34 | -------------------------------------------------------------------------------- /test/test-fp_minusZerocases.c: -------------------------------------------------------------------------------- 1 | /* test cases for floating point comparison transformations 2 | * compile with -DFLOAT_TYPE=float 3 | * or -DFLOAT_TYPE=double 4 | * or -DFLOAT_TYPE="long double" 5 | */ 6 | 7 | #include <assert.h> 8 | #define _GNU_SOURCE 9 | #include <math.h> /* for NaNs and infinity values */ 10 | 11 | int main() { 12 | 13 | volatile FLOAT_TYPE a, b; 14 | 15 | /* negative zero */ 16 | a = 1.0 / -(1.0 / 0.0); /* negative 0 */ 17 | b = 0.0; /* positive 0 */ 18 | assert(!(a < b)); 19 | assert((a <= b)); 20 | assert(!(a > b)); 21 | assert((a >= b)); 22 | assert(!(a != b)); 23 | assert((a == b)); 24 | 25 | a = 1.0 / -(1.0 / 0.0); /* negative 0 */ 26 | b = 1.0 / -(1.0 / 0.0); /* negative 0 */ 27 | assert(!(a < b)); 28 | assert((a <= b)); 29 | assert(!(a > b)); 30 | assert((a >= b)); 31 | assert(!(a != b)); 32 | assert((a == b)); 33 | 34 | } 35 | 36 | -------------------------------------------------------------------------------- /test/test-multiple-mutators.c: -------------------------------------------------------------------------------- 1 | /** 2 | * Test-Case for multiple custom mutators in C 3 | * Reference: 4 | * https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/blob/master/4_libprotobuf_aflpp_custom_mutator/vuln.c 5 | */ 6 | 7 | #include <stdio.h> 8 | #include <stdlib.h> 9 | #include <string.h> 10 | #include <unistd.h> 11 | 12 | int main(int argc, char **argv) { 13 | 14 | int a = 0; 15 | char s[100]; 16 | read(0, s, 100); 17 | 18 | if (s[7] == 'B') { abort(); } 19 | 20 | return 0; 21 | 22 | } 23 | 24 | -------------------------------------------------------------------------------- /test/test-post.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | AFL_TEST_DEPTH=$((AFL_TEST_DEPTH-1)) 3 | 4 | if [ $AFL_TEST_DEPTH = 0 ]; then 5 | # All runs done :) 6 | 7 | $ECHO "$GREY[*] $AFL_TEST_COUNT test cases completed.$RESET" 8 | test "$INCOMPLETE" = "0" && $ECHO "$GREEN[+] all test cases executed" 9 | test "$INCOMPLETE" = "1" && $ECHO "$YELLOW[-] not all test cases were executed" 10 | test "$CODE" = "0" && $ECHO "$GREEN[+] all tests were successful :-)$RESET" 11 | test "$CODE" = "0" || $ECHO "$RED[!] failure in tests :-($RESET" 12 | exit $CODE 13 | 14 | fi 15 | -------------------------------------------------------------------------------- /test/test-unittests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | . ./test-pre.sh 4 | 5 | $ECHO "$BLUE[*] Execution cmocka Unit-Tests $GREY" 6 | unset AFL_CC 7 | make -C .. unit || CODE=1 INCOMPLETE=1 : 8 | rm -rf unittests/unit_hash unittests/unit_rand 9 | 10 | . ./test-post.sh 11 | 12 | -------------------------------------------------------------------------------- /test/test-unsigaction.c: -------------------------------------------------------------------------------- 1 | #include <signal.h> /* sigemptyset(), sigaction(), kill(), SIGUSR1 */ 2 | #include <stdlib.h> /* exit() */ 3 | #include <unistd.h> /* getpid() */ 4 | #include <errno.h> /* errno */ 5 | #include <stdio.h> /* fprintf() */ 6 | 7 | static void mysig_handler(int sig) { 8 | 9 | exit(2); 10 | 11 | } 12 | 13 | int main() { 14 | 15 | /* setup sig handler */ 16 | struct sigaction sa; 17 | sa.sa_handler = mysig_handler; 18 | sigemptyset(&sa.sa_mask); 19 | sa.sa_flags = 0; 20 | if (sigaction(SIGCHLD, &sa, NULL)) { 21 | 22 | fprintf(stderr, "could not set signal handler %d, aborted\n", errno); 23 | exit(1); 24 | 25 | } 26 | 27 | kill(getpid(), SIGCHLD); 28 | return 0; 29 | 30 | } 31 | 32 | -------------------------------------------------------------------------------- /test_target/2sum.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <string.h> 3 | #include <stdlib.h> 4 | 5 | int main(void){ 6 | char *data; 7 | int num1,num2; 8 | printf("Content-type: text/html\n\n"); 9 | 10 | data = getenv("QUERY_STRING"); 11 | 12 | if(data == NULL) 13 | printf("<p>null QUERY_STRING</p>"); 14 | else if(sscanf(data,"num1=%d&num2=%d",&num1,&num2)!=2) 15 | printf("<p>err input</p>"); 16 | else{ 17 | int sum=num1+num2; 18 | if(num1>0&&num2>0&&sum<0){ 19 | printf("boom"); 20 | char *x="boommmmmmmmmmmmm"; 21 | char y[3]; 22 | strcpy(y, x); 23 | } 24 | printf("<p>sum result:%d</p>",sum); 25 | } 26 | 27 | return 0; 28 | } 29 | -------------------------------------------------------------------------------- /testcases/README.md: -------------------------------------------------------------------------------- 1 | # AFL++ starting test cases 2 | 3 | For the general instruction manual, see [docs/README.md](../docs/README.md). 4 | 5 | The archives/, images/, multimedia/, and others/ subdirectories contain small, 6 | standalone files that can be used to seed afl-fuzz when testing parsers for a 7 | variety of common data formats. 8 | 9 | There is probably not much to be said about these files, except that they were 10 | optimized for size and stripped of any non-essential fluff. Some directories 11 | contain several examples that exercise various features of the underlying format. 12 | For example, there is a PNG file with and without a color profile. 13 | 14 | Additional test cases are always welcome. 15 | 16 | In addition to well-chosen starting files, many fuzzing jobs benefit from a 17 | small and concise dictionary. See [../dictionaries/README.md](../dictionaries/README.md) for more. 18 | -------------------------------------------------------------------------------- /testcases/archives/common/ar/small_archive.a: -------------------------------------------------------------------------------- 1 | !<arch> 2 | limerick/ 1415337776 500 500 100640 191 ` 3 | There was a young man from Japan 4 | Whose limericks never would scan. 5 | When asked why that was, 6 | He replied "It's because 7 | I always try to cram as many words into the last line as I possibly can." 8 | 9 | -------------------------------------------------------------------------------- /testcases/archives/common/bzip2/small_archive.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/common/bzip2/small_archive.bz2 -------------------------------------------------------------------------------- /testcases/archives/common/cab/small_archive.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/common/cab/small_archive.cab -------------------------------------------------------------------------------- /testcases/archives/common/compress/small_archive.Z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/common/compress/small_archive.Z -------------------------------------------------------------------------------- /testcases/archives/common/cpio/small_archive.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/common/cpio/small_archive.cpio -------------------------------------------------------------------------------- /testcases/archives/common/gzip/small_archive.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/common/gzip/small_archive.gz -------------------------------------------------------------------------------- /testcases/archives/common/lzo/small_archive.lzo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/common/lzo/small_archive.lzo -------------------------------------------------------------------------------- /testcases/archives/common/rar/small_archive.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/common/rar/small_archive.rar -------------------------------------------------------------------------------- /testcases/archives/common/xz/small_archive.xz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/common/xz/small_archive.xz -------------------------------------------------------------------------------- /testcases/archives/common/zip/small_archive.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/common/zip/small_archive.zip -------------------------------------------------------------------------------- /testcases/archives/exotic/arj/small_archive.arj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/exotic/arj/small_archive.arj -------------------------------------------------------------------------------- /testcases/archives/exotic/lha/small_archive.lha: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/exotic/lha/small_archive.lha -------------------------------------------------------------------------------- /testcases/archives/exotic/lrzip/small_archive.lrz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/exotic/lrzip/small_archive.lrz -------------------------------------------------------------------------------- /testcases/archives/exotic/lzip/small_archive.lz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/exotic/lzip/small_archive.lz -------------------------------------------------------------------------------- /testcases/archives/exotic/lzma/small_archive.lzma: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/exotic/lzma/small_archive.lzma -------------------------------------------------------------------------------- /testcases/archives/exotic/rzip/small_archive.rz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/exotic/rzip/small_archive.rz -------------------------------------------------------------------------------- /testcases/archives/exotic/zoo/small_archive.zoo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/archives/exotic/zoo/small_archive.zoo -------------------------------------------------------------------------------- /testcases/images/bmp/not_kitty.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/images/bmp/not_kitty.bmp -------------------------------------------------------------------------------- /testcases/images/gif/not_kitty.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/images/gif/not_kitty.gif -------------------------------------------------------------------------------- /testcases/images/ico/not_kitty.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/images/ico/not_kitty.ico -------------------------------------------------------------------------------- /testcases/images/jp2/not_kitty.jp2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/images/jp2/not_kitty.jp2 -------------------------------------------------------------------------------- /testcases/images/jpeg/not_kitty.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/images/jpeg/not_kitty.jpg -------------------------------------------------------------------------------- /testcases/images/jxr/not_kitty.jxr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/images/jxr/not_kitty.jxr -------------------------------------------------------------------------------- /testcases/images/png/not_kitty.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/images/png/not_kitty.png -------------------------------------------------------------------------------- /testcases/images/png/not_kitty_alpha.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/images/png/not_kitty_alpha.png -------------------------------------------------------------------------------- /testcases/images/png/not_kitty_gamma.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/images/png/not_kitty_gamma.png -------------------------------------------------------------------------------- /testcases/images/png/not_kitty_icc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/images/png/not_kitty_icc.png -------------------------------------------------------------------------------- /testcases/images/tiff/not_kitty.tiff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/images/tiff/not_kitty.tiff -------------------------------------------------------------------------------- /testcases/images/webp/not_kitty.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/images/webp/not_kitty.webp -------------------------------------------------------------------------------- /testcases/multimedia/h264/small_movie.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/multimedia/h264/small_movie.mp4 -------------------------------------------------------------------------------- /testcases/others/elf/small_exec.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/others/elf/small_exec.elf -------------------------------------------------------------------------------- /testcases/others/js/small_script.js: -------------------------------------------------------------------------------- 1 | if (1==1) eval('1'); -------------------------------------------------------------------------------- /testcases/others/pcap/small_capture.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/testcases/others/pcap/small_capture.pcap -------------------------------------------------------------------------------- /testcases/others/pdf/small.pdf: -------------------------------------------------------------------------------- 1 | %PDF-1.0 2 | 1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj 2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj 3 0 obj<</Type/Page/MediaBox[0 0 3 3]>>endobj trailer<</Size 4/Root 1 0 R>> -------------------------------------------------------------------------------- /testcases/others/rtf/small_document.rtf: -------------------------------------------------------------------------------- 1 | {\rtf1\pard Test\par} -------------------------------------------------------------------------------- /testcases/others/sql/simple_queries.sql: -------------------------------------------------------------------------------- 1 | create table t1(one smallint); 2 | insert into t1 values(1); 3 | select * from t1; 4 | -------------------------------------------------------------------------------- /testcases/others/text/hello_world.txt: -------------------------------------------------------------------------------- 1 | hello 2 | -------------------------------------------------------------------------------- /testcases/others/xml/small_document.xml: -------------------------------------------------------------------------------- 1 | <a b="c">d</a> 2 | -------------------------------------------------------------------------------- /types.h: -------------------------------------------------------------------------------- 1 | include/types.h -------------------------------------------------------------------------------- /unicorn_mode/UNICORNAFL_VERSION: -------------------------------------------------------------------------------- 1 | 9df92d6868e8b219886e4b7458e5e134c48ff2c9 2 | -------------------------------------------------------------------------------- /unicorn_mode/samples/c/.gitignore: -------------------------------------------------------------------------------- 1 | harness 2 | harness-debug 3 | -------------------------------------------------------------------------------- /unicorn_mode/samples/c/COMPILE.md: -------------------------------------------------------------------------------- 1 | # C Sample 2 | 3 | This shows a simple harness for unicornafl in C 4 | 5 | ## Compiling sample.c 6 | 7 | The target can be built using the `make` command. 8 | Just make sure you have built unicorn support first: 9 | 10 | ```bash 11 | cd /path/to/afl/unicorn_mode 12 | ./build_unicorn_support.sh 13 | ``` 14 | 15 | ## Compiling simple_target.c 16 | 17 | You shouldn't need to compile simple_target.c since a X86_64 binary version is 18 | pre-built and shipped in this sample folder. This file documents how the binary 19 | was built in case you want to rebuild it or recompile it for any reason. 20 | 21 | The pre-built binary (persistent_target_x86_64) was built using -g -O0 in gcc. 22 | 23 | Then load the binary and execute the main function directly. 24 | -------------------------------------------------------------------------------- /unicorn_mode/samples/c/Makefile: -------------------------------------------------------------------------------- 1 | # UnicornAFL Usage 2 | # Original Unicorn Example Makefile by Nguyen Anh Quynh <aquynh@gmail.com>, 2015 3 | # Adapted for AFL++ by domenukk <domenukk@gmail.com>, 2020 4 | .POSIX: 5 | UNAME_S =$(shell uname -s)# GNU make 6 | UNAME_S:sh=uname -s # BSD make 7 | _UNIQ=_QINU_ 8 | 9 | LIBDIR = ../../unicornafl 10 | BIN_EXT = 11 | AR_EXT = a 12 | 13 | # Verbose output? 14 | V ?= 0 15 | 16 | CFLAGS += -Wall -Werror -I../../unicornafl/include 17 | 18 | LDFLAGS += -L$(LIBDIR) -lpthread -lm 19 | 20 | _LRT = $(_UNIQ)$(UNAME_S:Linux=) 21 | __LRT = $(_LRT:$(_UNIQ)=-lrt) 22 | LRT = $(__LRT:$(_UNIQ)=) 23 | 24 | LDFLAGS += $(LRT) 25 | 26 | _CC = $(_UNIQ)$(CROSS) 27 | __CC = $(_CC:$(_UNIQ)=$(CC)) 28 | MYCC = $(__CC:$(_UNIQ)$(CROSS)=$(CROSS)gcc) 29 | 30 | .PHONY: all clean 31 | 32 | all: harness 33 | 34 | clean: 35 | rm -rf *.o harness harness-debug 36 | 37 | harness.o: harness.c ../../unicornafl/include/unicorn/*.h 38 | ${MYCC} ${CFLAGS} -O3 -c harness.c 39 | 40 | harness-debug.o: harness.c ../../unicornafl/include/unicorn/*.h 41 | ${MYCC} ${CFLAGS} -g -c harness.c -o $@ 42 | 43 | harness: harness.o 44 | ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o $@ 45 | 46 | debug: harness-debug.o 47 | ${MYCC} -L${LIBDIR} harness.o ../../unicornafl/libunicornafl.a $(LDFLAGS) -o harness-debug 48 | -------------------------------------------------------------------------------- /unicorn_mode/samples/c/persistent_target_x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/unicorn_mode/samples/c/persistent_target_x86_64 -------------------------------------------------------------------------------- /unicorn_mode/samples/c/sample_all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | [ -z "${UNAME}" ] && UNAME=$(uname) 4 | 5 | DIR=`dirname $0` 6 | 7 | if [ "$UNAME" = Darwin ]; then 8 | export DYLD_LIBRARY_PATH=../../unicorn 9 | else 10 | export LD_LIBRARY_PATH=../../unicorn 11 | fi 12 | 13 | 14 | 15 | if [ ! test -e $DIR/harness]; then 16 | echo "[!] harness not found in $DIR" 17 | exit 1 18 | fi -------------------------------------------------------------------------------- /unicorn_mode/samples/c/sample_inputs/sample1.bin: -------------------------------------------------------------------------------- 1 | abcd -------------------------------------------------------------------------------- /unicorn_mode/samples/c/sample_inputs/sample2.bin: -------------------------------------------------------------------------------- 1 | � -------------------------------------------------------------------------------- /unicorn_mode/samples/c/sample_inputs/sample3.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/c/sample_inputs/sample4.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/c/sample_inputs/sample5.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/c/simple_target_x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/unicorn_mode/samples/c/simple_target_x86_64 -------------------------------------------------------------------------------- /unicorn_mode/samples/compcov_x64/COMPILE.md: -------------------------------------------------------------------------------- 1 | # Compiling compcov_target.c 2 | 3 | compcov_target.c was compiled without optimization, position-independent, 4 | and without standard libraries using the following command line: 5 | 6 | ``` 7 | gcc -o compcov_target.elf compcov_target.c -fPIC -O0 -nostdlib 8 | ``` 9 | 10 | The .text section from the resulting ELF binary was then extracted to create 11 | the raw binary blob that is loaded and emulated by compcov_test_harness.py: 12 | 13 | ``` 14 | objcopy -O binary --only-section=.text compcov_target.elf compcov_target.bin 15 | ``` 16 | 17 | Note that the output of this is padded with nulls for 16-byte alignment. This is 18 | important when emulating it, as NOPs will be added after the return of main() 19 | as necessary. 20 | -------------------------------------------------------------------------------- /unicorn_mode/samples/compcov_x64/compcov_target.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/unicorn_mode/samples/compcov_x64/compcov_target.bin -------------------------------------------------------------------------------- /unicorn_mode/samples/compcov_x64/compcov_target.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Sample target file to test afl-unicorn fuzzing capabilities. 3 | * This is a very trivial example that will crash pretty easily 4 | * in several different exciting ways. 5 | * 6 | * Input is assumed to come from a buffer located at DATA_ADDRESS 7 | * (0x00300000), so make sure that your Unicorn emulation of this 8 | * puts user data there. 9 | * 10 | * Written by Andrea Fioraldi 11 | */ 12 | 13 | // Magic address where mutated data will be placed 14 | #define DATA_ADDRESS 0x00300000 15 | 16 | int main(void) { 17 | unsigned int *data_buf = (unsigned int *) DATA_ADDRESS; 18 | 19 | if (((unsigned short*)data_buf)[0] == 0x0100) { 20 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 21 | } else if (data_buf[1] == data_buf[2] + 0xfffe) { 22 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 23 | } 24 | 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /unicorn_mode/samples/compcov_x64/compcov_target.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/unicorn_mode/samples/compcov_x64/compcov_target.elf -------------------------------------------------------------------------------- /unicorn_mode/samples/compcov_x64/sample_inputs/sample1.bin: -------------------------------------------------------------------------------- 1 | 00000000000000000000000000000000 -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/.gitignore: -------------------------------------------------------------------------------- 1 | harness 2 | harness-debug 3 | out 4 | -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/COMPILE.md: -------------------------------------------------------------------------------- 1 | # C Sample 2 | 3 | This shows a simple persistent harness for unicornafl in C. 4 | In contrast to the normal c harness, this harness manually resets the unicorn 5 | state on each new input. 6 | Thanks to this, you can rerun the test case in unicorn multiple times, without 7 | the need to fork again. 8 | 9 | ## Compiling sample.c 10 | 11 | The target can be built using the `make` command. 12 | Just make sure you have built unicorn support first: 13 | 14 | ```bash 15 | cd /path/to/afl/unicorn_mode 16 | ./build_unicorn_support.sh 17 | ``` 18 | 19 | ## Compiling persistent_target.c 20 | 21 | You don't need to compile persistent_target.c since a X86_64 binary version is 22 | pre-built and shipped in this sample folder. This file documents how the binary 23 | was built in case you want to rebuild it or recompile it for any reason. 24 | 25 | The pre-built binary (persistent_target_x86_64.bin) was built using -g -O0 in 26 | gcc. 27 | 28 | Then load the binary and execute the main function directly. -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/persistent_target: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/unicorn_mode/samples/persistent/persistent_target -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/persistent_target_x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/unicorn_mode/samples/persistent/persistent_target_x86_64 -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/sample_all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | [ -z "${UNAME}" ] && UNAME=$(uname) 4 | 5 | DIR=`dirname $0` 6 | 7 | if [ "$UNAME" = Darwin ]; then 8 | export DYLD_LIBRARY_PATH=../../unicorn 9 | else 10 | export LD_LIBRARY_PATH=../../unicorn 11 | fi 12 | 13 | 14 | 15 | if [ ! test -e $DIR/harness]; then 16 | echo "[!] harness not found in $DIR" 17 | exit 1 18 | fi -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/sample_inputs/sample1.bin: -------------------------------------------------------------------------------- 1 | abcd -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/sample_inputs/sample2.bin: -------------------------------------------------------------------------------- 1 | � -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/sample_inputs/sample3.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/sample_inputs/sample4.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/sample_inputs/sample5.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/simple_target_noncrashing.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Sample target file to test afl-unicorn fuzzing capabilities. 3 | * This is a very trivial example that will crash pretty easily 4 | * in several different exciting ways. 5 | * 6 | * Input is assumed to come from a buffer located at DATA_ADDRESS 7 | * (0x00300000), so make sure that your Unicorn emulation of this 8 | * puts user data there. 9 | * 10 | * Written by Nathan Voss <njvoss99@gmail.com> 11 | * Adapted by Lukas Seidel <seidel.1@campus.tu-berlin.de> 12 | */ 13 | #include <string.h> 14 | 15 | int main(int argc, char** argv) { 16 | if(argc < 2){ 17 | return -1; 18 | } 19 | 20 | char *data_buf = argv[1]; 21 | 22 | if (strlen(data_buf) >= 21 && data_buf[20] != 0) { 23 | printf("Not crashing"); 24 | } else if (strlen(data_buf) > 1 25 | && data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) { 26 | printf("Also not crashing with databuf[0] == %c", data_buf[0]) 27 | } 28 | #if 0 29 | // not possible with argv (zero terminated strings) (hexcoder-) 30 | // do not try to access data_buf[10] and beyond 31 | else if (data_buf[9] == 0x00 && data_buf[10] != 0x00 && data_buf[11] == 0x00) { 32 | // Cause a crash if data[10] is not zero, but [9] and [11] are zero 33 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 34 | } 35 | #endif 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /unicorn_mode/samples/persistent/simple_target_x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/unicorn_mode/samples/persistent/simple_target_x86_64 -------------------------------------------------------------------------------- /unicorn_mode/samples/simple/sample_inputs/sample1.bin: -------------------------------------------------------------------------------- 1 | abcd -------------------------------------------------------------------------------- /unicorn_mode/samples/simple/sample_inputs/sample2.bin: -------------------------------------------------------------------------------- 1 | � -------------------------------------------------------------------------------- /unicorn_mode/samples/simple/sample_inputs/sample3.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/simple/sample_inputs/sample4.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/simple/sample_inputs/sample5.bin: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /unicorn_mode/samples/simple/simple_target.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/unicorn_mode/samples/simple/simple_target.bin -------------------------------------------------------------------------------- /unicorn_mode/samples/simple/simple_target.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Sample target file to test afl-unicorn fuzzing capabilities. 3 | * This is a very trivial example that will crash pretty easily 4 | * in several different exciting ways. 5 | * 6 | * Input is assumed to come from a buffer located at DATA_ADDRESS 7 | * (0x00300000), so make sure that your Unicorn emulation of this 8 | * puts user data there. 9 | * 10 | * Written by Nathan Voss <njvoss99@gmail.com> 11 | */ 12 | 13 | // Magic address where mutated data will be placed 14 | #define DATA_ADDRESS 0x00300000 15 | 16 | int main(void) { 17 | unsigned char *data_buf = (unsigned char *) DATA_ADDRESS; 18 | 19 | if (data_buf[20] != 0) { 20 | // Cause an 'invalid read' crash if data[0..3] == '\x01\x02\x03\x04' 21 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 22 | } else if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) { 23 | // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2] 24 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 25 | } else if (data_buf[9] == 0x00 && data_buf[10] != 0x00 && data_buf[11] == 0x00) { 26 | // Cause a crash if data[10] is not zero, but [9] and [11] are zero 27 | unsigned char invalid_read = *(unsigned char *) 0x00000000; 28 | } 29 | 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /unicorn_mode/samples/speedtest/.gitignore: -------------------------------------------------------------------------------- 1 | output 2 | harness 3 | harness-debug 4 | target 5 | target.o 6 | target.offsets.* 7 | -------------------------------------------------------------------------------- /unicorn_mode/samples/speedtest/Makefile: -------------------------------------------------------------------------------- 1 | CFLAGS += -Wall -Werror -Wextra -Wpedantic -Og -g -fPIE 2 | 3 | .PHONY: all clean 4 | 5 | all: target target.offsets.main 6 | 7 | clean: 8 | rm -rf *.o target target.offsets.* 9 | 10 | target.o: target.c 11 | ${CC} ${CFLAGS} -c target.c -o $@ 12 | 13 | target: target.o 14 | ${CC} ${CFLAGS} target.o -o $@ 15 | 16 | target.offsets.main: target 17 | ./get_offsets.py -------------------------------------------------------------------------------- /unicorn_mode/samples/speedtest/python/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: all fuzz 2 | 3 | all: ../target 4 | 5 | afl-fuzz: ../../../../afl-fuzz 6 | ../../../../afl-fuzz: 7 | $(MAKE) -C ../../../../ afl-fuzz 8 | 9 | 10 | ../target: 11 | $(MAKE) -C .. 12 | 13 | fuzz: all afl-fuzz 14 | rm -rf ./ouptput 15 | ../../../../afl-fuzz -s 1 -U -i ../sample_inputs -o ./output -- python3 harness.py @@ 16 | -------------------------------------------------------------------------------- /unicorn_mode/samples/speedtest/rust/.gitignore: -------------------------------------------------------------------------------- 1 | target 2 | Cargo.lock 3 | -------------------------------------------------------------------------------- /unicorn_mode/samples/speedtest/rust/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "unicornafl_harness" 3 | version = "0.1.0" 4 | authors = ["Dominik Maier <domenukk@gmail.com>"] 5 | edition = "2018" 6 | 7 | [profile.release] 8 | lto = true 9 | opt-level = 3 10 | panic = "abort" 11 | 12 | [dependencies] 13 | unicornafl = { path = "../../../unicornafl/bindings/rust/", version="1.0.0" } 14 | capstone="0.10.0" 15 | libc="0.2.66" 16 | -------------------------------------------------------------------------------- /unicorn_mode/samples/speedtest/rust/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: all fuzz 2 | 3 | all: ../target ./target/release/unicornafl_harness 4 | 5 | afl-fuzz: ../../../../afl-fuzz 6 | ../../../../afl-fuzz: 7 | $(MAKE) -C ../../../../ afl-fuzz 8 | 9 | clean: 10 | cargo clean 11 | 12 | ./target/release/unicornafl_harness: ./src/main.rs 13 | cargo build --release 14 | 15 | ./target/debug/unicornafl_harness: ./src/main.rs 16 | cargo build 17 | 18 | ../target: 19 | $(MAKE) -C .. 20 | 21 | fuzz: all afl-fuzz 22 | rm -rf ./output 23 | SKIP_BIN_CHECK=1 ../../../../afl-fuzz -s 1 -i ../sample_inputs -o ./output -- ./target/release/unicornafl_harness @@ 24 | -------------------------------------------------------------------------------- /unicorn_mode/samples/speedtest/sample_inputs/a: -------------------------------------------------------------------------------- 1 | a 2 | -------------------------------------------------------------------------------- /unicorn_mode/update_uc_ref.sh: -------------------------------------------------------------------------------- 1 | #/bin/sh 2 | 3 | ################################################## 4 | # AFL++ internal tool to update unicornafl ref. 5 | # Usage: ./update_uc_ref.sh <new commit hash> 6 | # If no commit hash was provided, it'll take HEAD. 7 | ################################################## 8 | 9 | UC_VERSION_FILE='./UNICORNAFL_VERSION' 10 | 11 | NEW_VERSION="$1" 12 | 13 | if [ "$NEW_VERSION" = "-h" ]; then 14 | echo "Internal script to update bound unicornafl version." 15 | echo 16 | echo "Usage: ./update_uc_ref.sh <new commit hash>" 17 | echo "If no commit hash is provided, will use HEAD." 18 | echo "-h to show this help screen." 19 | exit 1 20 | fi 21 | 22 | git submodule init && git submodule update unicornafl || exit 1 23 | cd ./unicornafl || exit 1 24 | git fetch origin uc1 1>/dev/null || exit 1 25 | git stash 1>/dev/null 2>/dev/null 26 | git stash drop 1>/dev/null 2>/dev/null 27 | git checkout uc1 28 | 29 | if [ -z "$NEW_VERSION" ]; then 30 | # No version provided, take HEAD. 31 | NEW_VERSION=$(git rev-parse --short HEAD) 32 | fi 33 | 34 | if [ -z "$NEW_VERSION" ]; then 35 | echo "Error getting version." 36 | exit 1 37 | fi 38 | 39 | git checkout "$NEW_VERSION" || exit 1 40 | 41 | cd .. 42 | 43 | rm "$UC_VERSION_FILE" 44 | echo "$NEW_VERSION" > "$UC_VERSION_FILE" 45 | 46 | echo "Done. New unicornafl version is $NEW_VERSION." 47 | -------------------------------------------------------------------------------- /utils/afl_network_proxy/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo please use GNU make, thanks! 3 | -------------------------------------------------------------------------------- /utils/afl_proxy/Makefile: -------------------------------------------------------------------------------- 1 | all: afl-proxy 2 | 3 | afl-proxy: afl-proxy.c 4 | $(CC) -I../../include -o afl-proxy afl-proxy.c 5 | 6 | clean: 7 | rm -f afl-proxy *~ core 8 | -------------------------------------------------------------------------------- /utils/afl_proxy/README.md: -------------------------------------------------------------------------------- 1 | # afl-proxy 2 | 3 | afl-proxy is an example skeleton file which can easily be used to fuzz 4 | and instrument non-standard things. 5 | 6 | You only need to change the while() loop of the main() to send the 7 | data of buf[] with length len to the target and write the coverage 8 | information to __afl_area_ptr[__afl_map_size] 9 | 10 | -------------------------------------------------------------------------------- /utils/afl_untracer/Makefile: -------------------------------------------------------------------------------- 1 | ifdef DEBUG 2 | OPT=-O0 3 | else 4 | OPT=-O3 5 | endif 6 | 7 | all: afl-untracer libtestinstr.so 8 | 9 | afl-untracer: afl-untracer.c 10 | $(CC) $(OPT) -I../../include -g -o afl-untracer afl-untracer.c -ldl 11 | 12 | libtestinstr.so: libtestinstr.c 13 | $(CC) -g -O0 -fPIC -o libtestinstr.so -shared libtestinstr.c 14 | 15 | clean: 16 | rm -f afl-untracer libtestinstr.so *~ core 17 | -------------------------------------------------------------------------------- /utils/afl_untracer/TODO: -------------------------------------------------------------------------------- 1 | * add shmem fuzzing 2 | * add snapshot feature? 3 | -------------------------------------------------------------------------------- /utils/afl_untracer/libtestinstr.c: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop++ - a trivial program to test the build 3 | -------------------------------------------------------- 4 | Originally written by Michal Zalewski 5 | Copyright 2014 Google Inc. All rights reserved. 6 | Copyright 2019-2022 AFLplusplus Project. All rights reserved. 7 | Licensed under the Apache License, Version 2.0 (the "License"); 8 | you may not use this file except in compliance with the License. 9 | You may obtain a copy of the License at: 10 | http://www.apache.org/licenses/LICENSE-2.0 11 | */ 12 | 13 | #include <stdio.h> 14 | #include <stdlib.h> 15 | #include <unistd.h> 16 | #include <string.h> 17 | #include <sys/types.h> 18 | #include <sys/stat.h> 19 | #include <fcntl.h> 20 | 21 | void testinstr(char *buf, int len) { 22 | 23 | if (len < 1) return; 24 | buf[len] = 0; 25 | 26 | // we support three input cases 27 | if (buf[0] == '0') 28 | printf("Looks like a zero to me!\n"); 29 | else if (buf[0] == '1') 30 | printf("Pretty sure that is a one!\n"); 31 | else 32 | printf("Neither one or zero? How quaint!\n"); 33 | 34 | } 35 | 36 | -------------------------------------------------------------------------------- /utils/afl_untracer/patches.txt: -------------------------------------------------------------------------------- 1 | libtestinstr.so:0x1000 2 | 0x10 3 | 0x12 4 | 0x20 5 | 0x36 6 | 0x30 7 | 0x40 8 | 0x50 9 | 0x63 10 | 0x6f 11 | 0x78 12 | 0x80 13 | 0xa4 14 | 0xb0 15 | 0xb8 16 | 0x100 17 | 0xc0 18 | 0xc9 19 | 0xd7 20 | 0xe3 21 | 0xe8 22 | 0xf8 23 | 0x105 24 | 0x11a 25 | 0x135 26 | 0x141 27 | 0x143 28 | 0x14e 29 | 0x15a 30 | 0x15c 31 | 0x168 32 | 0x16a 33 | 0x16b 34 | 0x170 35 | -------------------------------------------------------------------------------- /utils/aflpp_driver/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @gmake all || echo please install GNUmake 3 | -------------------------------------------------------------------------------- /utils/aflpp_driver/aflpp_driver_test.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <stdint.h> 4 | 5 | void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) { 6 | 7 | if (Size < 5) return; 8 | 9 | if (Data[0] == 'F') 10 | if (Data[1] == 'A') 11 | if (Data[2] == '$') 12 | if (Data[3] == '$') 13 | if (Data[4] == '$') abort(); 14 | 15 | } 16 | 17 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { 18 | 19 | if (Size) crashme(Data, Size); 20 | 21 | return 0; 22 | 23 | } 24 | 25 | -------------------------------------------------------------------------------- /utils/aflpp_driver/aflpp_qemu_driver.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdint.h> 3 | #include <stdlib.h> 4 | #include <unistd.h> 5 | 6 | // libFuzzer interface is thin, so we don't include any libFuzzer headers. 7 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); 8 | __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); 9 | 10 | #define kMaxAflInputSize (1 * 1024 * 1024) 11 | static uint8_t AflInputBuf[kMaxAflInputSize]; 12 | 13 | void __attribute__((noinline)) afl_qemu_driver_stdin_input(void) { 14 | 15 | size_t l = read(0, AflInputBuf, kMaxAflInputSize); 16 | LLVMFuzzerTestOneInput(AflInputBuf, l); 17 | 18 | } 19 | 20 | int main(int argc, char **argv) { 21 | 22 | if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv); 23 | // Do any other expensive one-time initialization here. 24 | 25 | if (getenv("AFL_QEMU_DRIVER_NO_HOOK") || getenv("AFL_FRIDA_DRIVER_NO_HOOK")) { 26 | 27 | afl_qemu_driver_stdin_input(); 28 | 29 | } else { 30 | 31 | fprintf(stderr, 32 | "Using shared-memory testcases. To read via stdin, set " 33 | "AFL_QEMU_DRIVER_NO_HOOK=1.\n"); 34 | uint8_t dummy_input[1024000] = {0}; 35 | LLVMFuzzerTestOneInput(dummy_input, 1); 36 | 37 | } 38 | 39 | return 0; 40 | 41 | } 42 | 43 | -------------------------------------------------------------------------------- /utils/aflpp_driver/aflpp_qemu_driver_hook.c: -------------------------------------------------------------------------------- 1 | #include "../../qemu_mode/qemuafl/qemuafl/api.h" 2 | 3 | #include <stdint.h> 4 | #include <string.h> 5 | 6 | #define g2h(x) ((void *)((unsigned long)(x) + guest_base)) 7 | #define h2g(x) ((uint64_t)(x)-guest_base) 8 | 9 | void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base, 10 | uint8_t *input_buf, uint32_t input_buf_len) { 11 | 12 | // In this example the register RDI is pointing to the memory location 13 | // of the target buffer, and the length of the input is in RSI. 14 | // This can be seen with a debugger, e.g. gdb (and "disass main") 15 | 16 | memcpy(g2h(regs->rdi), input_buf, input_buf_len); 17 | regs->rsi = input_buf_len; 18 | 19 | } 20 | 21 | #undef g2h 22 | #undef h2g 23 | 24 | int afl_persistent_hook_init(void) { 25 | 26 | // 1 for shared memory input (faster), 0 for normal input (you have to use 27 | // read(), input_buf will be NULL) 28 | return 1; 29 | 30 | } 31 | 32 | -------------------------------------------------------------------------------- /utils/argv_fuzzing/README.md: -------------------------------------------------------------------------------- 1 | # argvfuzz 2 | 3 | AFL++ supports fuzzing file inputs or stdin. When source is available, 4 | `argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin. 5 | 6 | `argvfuzz` tries to provide the same functionality for binaries. When loaded 7 | using `LD_PRELOAD`, it will hook the call to `__libc_start_main` and replace 8 | argv using the same logic of `argv-fuzz-inl.h`. 9 | 10 | A few conditions need to be fulfilled for this mechanism to work correctly: 11 | 12 | 1. As it relies on hooking the loader, it cannot work on static binaries. 13 | 2. If the target binary does not use the default libc's `_start` implementation 14 | (crt1.o), the hook may not run. 15 | 3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the 16 | target binary expects argv to be living on the stack, things may go wrong. -------------------------------------------------------------------------------- /utils/autodict_ql/build-codeql.sh: -------------------------------------------------------------------------------- 1 | cd ~ 2 | if [ -d "codeql-home" ]; then 3 | echo "Exist !" 4 | exit 1 5 | fi 6 | mkdir codeql-home 7 | cd codeql-home 8 | git clone https://github.com/github/codeql.git codeql-repo 9 | git clone https://github.com/github/codeql-go.git 10 | wget https://github.com/github/codeql-cli-binaries/releases/download/v2.7.3/codeql-linux64.zip 11 | unzip codeql-linux64.zip 12 | mv codeql codeql-cli 13 | export "PATH=~/codeql-home/codeql-cli/:$PATH" 14 | echo "export PATH=~/codeql-home/codeql-cli/:$PATH" >> ~/.bashrc 15 | codeql resolve languages 16 | codeql resolve qlpacks 17 | codeql 18 | -------------------------------------------------------------------------------- /utils/autodict_ql/litool.ql: -------------------------------------------------------------------------------- 1 | import cpp 2 | 3 | class HexOrOctLiteral extends Literal{ 4 | HexOrOctLiteral(){ 5 | (this instanceof HexLiteral) or (this instanceof OctalLiteral) 6 | } 7 | } 8 | 9 | from HexOrOctLiteral lit 10 | select lit.getValueText() 11 | -------------------------------------------------------------------------------- /utils/autodict_ql/memcmp-str.ql: -------------------------------------------------------------------------------- 1 | import cpp 2 | 3 | /// function : memcmp trace 4 | 5 | from FunctionCall fucall, Expr size 6 | where 7 | fucall.getTarget().hasName("memcmp") 8 | select fucall.getArgument(_).getValueText() -------------------------------------------------------------------------------- /utils/autodict_ql/qlpack.yml: -------------------------------------------------------------------------------- 1 | name: autodict 2 | version: 0.0.0 3 | libraryPathDependencies: codeql-cpp 4 | -------------------------------------------------------------------------------- /utils/autodict_ql/strcmp-str.ql: -------------------------------------------------------------------------------- 1 | import cpp 2 | 3 | /// function : strcmp 4 | 5 | from FunctionCall fucall, Expr size 6 | where 7 | fucall.getTarget().hasName("strcmp") 8 | select fucall.getArgument(_).getValueText() -------------------------------------------------------------------------------- /utils/autodict_ql/strncmp-str.ql: -------------------------------------------------------------------------------- 1 | import cpp 2 | 3 | /// function : strncmp 4 | 5 | from FunctionCall fucall, Expr size 6 | where 7 | fucall.getTarget().hasName("strncmp") 8 | select fucall.getArgument(_).getValueText() -------------------------------------------------------------------------------- /utils/autodict_ql/strtool.ql: -------------------------------------------------------------------------------- 1 | import cpp 2 | import semmle.code.cpp.dataflow.DataFlow 3 | class StringLiteralNode extends DataFlow::Node { 4 | StringLiteralNode() { this.asExpr() instanceof StringLiteral } 5 | } 6 | class CmpArgNode extends DataFlow::Node { 7 | CmpArgNode() { 8 | exists(FunctionCall fc | 9 | fc.getTarget().getName().regexpMatch(".*(str|mem|strn|b)*(cmp|str)*") and 10 | fc.getArgument(0) = this.asExpr() 11 | ) 12 | or 13 | exists(FunctionCall fc | 14 | fc.getTarget().getName().regexpMatch(".*(str|mem|strn|b)*(cmp|str)*") and 15 | fc.getArgument(1) = this.asExpr() 16 | ) 17 | } 18 | } 19 | 20 | from StringLiteralNode src, CmpArgNode arg 21 | where 22 | DataFlow::localFlow(src, arg) 23 | 24 | select src.asExpr().(StringLiteral).toString() -------------------------------------------------------------------------------- /utils/defork/README.md: -------------------------------------------------------------------------------- 1 | # defork 2 | 3 | when the target forks, this breaks all normal fuzzing runs. 4 | Sometimes, though, it is enough to just run the child process. 5 | If this is the case, then this LD_PRELOAD library will always return 0 on fork, 6 | the target will belive it is running as the child, post-fork. 7 | 8 | This is defork.c from the amazing preeny project 9 | https://github.com/zardus/preeny 10 | 11 | It is altered for AFL++ to work with its fork-server: the initial fork will go through, the second fork will be blocked. 12 | -------------------------------------------------------------------------------- /utils/defork/defork.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include <dlfcn.h> 3 | #include <unistd.h> 4 | #include <stdio.h> 5 | #include <stdbool.h> 6 | 7 | #include "../../include/config.h" 8 | #include "../../include/types.h" 9 | 10 | /* we want to fork once (for the afl++ forkserver), 11 | then immediately return as child on subsequent forks. */ 12 | static bool forked = 0; 13 | 14 | pid_t (*original_fork)(void); 15 | 16 | /* In case we are not running in afl, we use a dummy original_fork */ 17 | static pid_t nop(void) { 18 | 19 | return 0; 20 | 21 | } 22 | 23 | __attribute__((constructor)) void preeny_fork_orig() { 24 | 25 | if (getenv(SHM_ENV_VAR)) { 26 | 27 | printf("defork: running in AFL++. Allowing forkserver.\n"); 28 | original_fork = dlsym(RTLD_NEXT, "socket"); 29 | 30 | } else { 31 | 32 | printf("defork: no AFL++ detected. Disabling fork from the start.\n"); 33 | original_fork = &nop; 34 | 35 | } 36 | 37 | } 38 | 39 | pid_t fork(void) { 40 | 41 | /* If we forked before, or if we're in the child (pid==0), 42 | we don't want to fork anymore, else, we are still in the forkserver. 43 | The forkserver parent needs to fork infinite times, each child should never 44 | fork again. This can be written without branches and I hate myself for it. 45 | */ 46 | pid_t ret = !forked && original_fork(); 47 | forked = !ret; 48 | return ret; 49 | 50 | } 51 | 52 | -------------------------------------------------------------------------------- /utils/defork/forking_target.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <unistd.h> 3 | #include <stdint.h> 4 | #include <sys/types.h> 5 | 6 | /* This is an example target for defork.c - fuzz using 7 | ``` 8 | mkdir in; echo a > ./in/a 9 | AFL_PRELOAD=./defork64.so ../../afl-fuzz -i in -o out -- ./forking_target @@ 10 | ``` 11 | */ 12 | 13 | int main(int argc, char **argv) { 14 | 15 | if (argc < 2) { 16 | 17 | printf("Example tool to test defork.\nUsage ./forking_target <input>\n"); 18 | return -1; 19 | 20 | } 21 | 22 | pid_t pid = fork(); 23 | if (pid == 0) { 24 | 25 | printf("We're in the child.\n"); 26 | FILE *f = fopen(argv[1], "r"); 27 | char buf[4096]; 28 | fread(buf, 1, 4096, f); 29 | fclose(f); 30 | uint32_t offset = buf[100] + (buf[101] << 8); 31 | char test_val = buf[offset]; 32 | return test_val < 100; 33 | 34 | } else if (pid < 0) { 35 | 36 | perror("fork"); 37 | return -1; 38 | 39 | } else { 40 | 41 | printf("We are in the parent - defork didn't work! :( (pid=%d)\n", 42 | (int)pid); 43 | 44 | } 45 | 46 | return 0; 47 | 48 | } 49 | 50 | -------------------------------------------------------------------------------- /utils/libdislocator/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop++ - libdislocator 3 | # ---------------------------------- 4 | # 5 | # Originally written by Michal Zalewski 6 | # 7 | # Copyright 2016 Google Inc. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | 16 | PREFIX ?= /usr/local 17 | HELPER_PATH = $(PREFIX)/lib/afl 18 | 19 | VERSION = $(shell grep '^\#define VERSION ' ../../config.h | cut -d '"' -f2) 20 | 21 | CFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2 22 | override CFLAGS += -I ../../include/ -Wall -g -Wno-pointer-sign 23 | 24 | CFLAGS_ADD=$(USEHUGEPAGE:1=-DUSEHUGEPAGE) 25 | CFLAGS += $(CFLAGS_ADD) 26 | 27 | all: libdislocator.so 28 | 29 | libdislocator.so: libdislocator.so.c ../../config.h 30 | $(CC) $(CFLAGS) $(CPPFLAGS) -shared -fPIC libdislocator.so.c -o $@ $(LDFLAGS) 31 | cp -fv libdislocator.so ../../ 32 | 33 | .NOTPARALLEL: clean 34 | 35 | clean: 36 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]* 37 | rm -f ../../libdislocator.so 38 | 39 | install: all 40 | install -m 755 -d $${DESTDIR}$(HELPER_PATH) 41 | install -m 755 ../../libdislocator.so $${DESTDIR}$(HELPER_PATH) 42 | install -m 644 -T README.md $${DESTDIR}$(HELPER_PATH)/README.dislocator.md 43 | 44 | -------------------------------------------------------------------------------- /utils/libpng_no_checksum/libpng-nocrc.patch: -------------------------------------------------------------------------------- 1 | --- pngrutil.c.orig 2014-06-12 03:35:16.000000000 +0200 2 | +++ pngrutil.c 2014-07-01 05:08:31.000000000 +0200 3 | @@ -268,7 +268,11 @@ 4 | if (need_crc != 0) 5 | { 6 | crc = png_get_uint_32(crc_bytes); 7 | - return ((int)(crc != png_ptr->crc)); 8 | + 9 | + if (crc != png_ptr->crc) 10 | + fprintf(stderr, "NOTE: CRC in the file is 0x%08x, change to 0x%08x\n", crc, png_ptr->crc); 11 | + 12 | + return ((int)(1 != 1)); 13 | } 14 | 15 | else 16 | -------------------------------------------------------------------------------- /utils/optimin/.gitignore: -------------------------------------------------------------------------------- 1 | CMakeLists.txt.user 2 | CMakeCache.txt 3 | CMakeFiles 4 | CMakeScripts 5 | Testing 6 | Makefile 7 | cmake_install.cmake 8 | install_manifest.txt 9 | compile_commands.json 10 | CTestTestfile.cmake 11 | _deps 12 | -------------------------------------------------------------------------------- /utils/optimin/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.10) 2 | 3 | project(optimin 4 | LANGUAGES CXX 5 | DESCRIPTION "MaxSAT-based fuzzing corpus minimizer" 6 | ) 7 | 8 | set(CMAKE_CXX_STANDARD 17) 9 | set(CMAKE_CXX_STANDARD_REQUIRED ON) 10 | set(CMAKE_CXX_EXTENSIONS OFF) 11 | 12 | set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wall -Wextra") 13 | 14 | # Add LLVM 15 | find_package(LLVM REQUIRED CONFIG) 16 | message(STATUS "Found LLVM ${LLVM_PACKAGE_VERSION}") 17 | 18 | include_directories(${LLVM_INCLUDE_DIRS}) 19 | add_definitions(${LLVM_DEFINITIONS} -DNDEBUG) 20 | 21 | add_subdirectory(EvalMaxSAT) 22 | add_subdirectory(src) 23 | -------------------------------------------------------------------------------- /utils/optimin/EVALMAXSAT_VERSION: -------------------------------------------------------------------------------- 1 | 440bf90edf88f6ab940934129e3c5b3b93764295 2 | -------------------------------------------------------------------------------- /utils/optimin/src/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_executable(optimin OptiMin.cpp) 2 | set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-rtti") 3 | 4 | foreach(LIB MaLib EvalMaxSAT glucose) 5 | target_include_directories(optimin PRIVATE 6 | "${CMAKE_SOURCE_DIR}/EvalMaxSAT/lib/${LIB}/src") 7 | target_link_libraries(optimin ${LIB}) 8 | endforeach(LIB) 9 | 10 | llvm_map_components_to_libnames(LLVM_LIBS support) 11 | target_link_libraries(optimin ${LLVM_LIBS}) 12 | 13 | install(TARGETS optimin RUNTIME DESTINATION bin) 14 | -------------------------------------------------------------------------------- /utils/persistent_mode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | ../../afl-clang-fast -o persistent_demo persistent_demo.c 3 | ../../afl-clang-fast -o persistent_demo_new persistent_demo_new.c 4 | AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -o test-instr test-instr.c 5 | 6 | document: 7 | AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c 8 | 9 | clean: 10 | rm -f persistent_demo persistent_demo_new test-instr 11 | -------------------------------------------------------------------------------- /utils/plot_ui/Makefile: -------------------------------------------------------------------------------- 1 | CFLAGS=`pkg-config --cflags gtk+-3.0` 2 | LDFLAGS=`pkg-config --libs gtk+-3.0` 3 | 4 | all: afl-plot-ui 5 | 6 | afl-plot-ui: afl-plot-ui.c 7 | $(CC) $(CFLAGS) -o afl-plot-ui afl-plot-ui.c $(LDFLAGS) 8 | 9 | clean: 10 | rm -f afl-plot-ui 11 | -------------------------------------------------------------------------------- /utils/plot_ui/README.md: -------------------------------------------------------------------------------- 1 | # afl-plot-ui 2 | 3 | `afl-plot-ui` is a helper utility for rendering the GNUplot graphs in a GTK window. This allows to real time resizing, scrolling, and cursor positioning features while viewing the graph. This utility also provides options to hide graphs using check buttons. 4 | 5 | Currently, this utility is not built by default. 6 | You can manually build and install `afl-plot-ui` as follows 7 | 8 | ```shell 9 | sudo apt install libgtk-3-0 libgtk-3-dev pkg-config 10 | make 11 | cd ../../ 12 | sudo make install 13 | ``` 14 | 15 | *NOTE:* This utility is not meant to be used standalone. Never run this utility directly. Always run [`afl-plot`](../../afl-plot), which will, in turn, invoke this utility (when run using `-g` or `--graphical` flag). -------------------------------------------------------------------------------- /utils/qbdi_mode/assets/screen1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a4865g/Cheng-fuzz/e666067c662a6e7e93540ad40e4797432029340e/utils/qbdi_mode/assets/screen1.png -------------------------------------------------------------------------------- /utils/qbdi_mode/demo-so.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | // gcc -shared -o libdemo.so demo-so.c -w 4 | int target_func(char *buf, int size) { 5 | 6 | printf("buffer:%p, size:%p\n", buf, size); 7 | switch (buf[0]) { 8 | 9 | case 1: 10 | puts("222"); 11 | if (buf[1] == '\x44') { 12 | 13 | puts("null ptr deference"); 14 | *(char *)(0) = 1; 15 | 16 | } 17 | 18 | break; 19 | case 0xff: 20 | if (buf[2] == '\xff') { 21 | 22 | if (buf[1] == '\x44') { 23 | 24 | puts("crash...."); 25 | *(char *)(0xdeadbeef) = 1; 26 | 27 | } 28 | 29 | } 30 | 31 | break; 32 | default: 33 | puts("default action"); 34 | break; 35 | 36 | } 37 | 38 | return 1; 39 | 40 | } 41 | 42 | -------------------------------------------------------------------------------- /utils/qemu_persistent_hook/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | $(CC) -no-pie test.c -o test 3 | $(CC) -fPIC -shared read_into_rdi.c -o read_into_rdi.so 4 | 5 | clean: 6 | rm -rf in out test read_into_rdi.so 7 | -------------------------------------------------------------------------------- /utils/qemu_persistent_hook/README.md: -------------------------------------------------------------------------------- 1 | # QEMU persistent hook example 2 | 3 | Compile the test binary and the library: 4 | 5 | ``` 6 | make 7 | ``` 8 | 9 | Fuzz with: 10 | 11 | ``` 12 | export AFL_QEMU_PERSISTENT_ADDR=0x$(nm test | grep "T target_func" | awk '{print $1}') 13 | export AFL_QEMU_PERSISTENT_HOOK=./read_into_rdi.so 14 | 15 | mkdir in 16 | echo 0000 > in/in 17 | 18 | ../../afl-fuzz -Q -i in -o out -- ./test 19 | ``` -------------------------------------------------------------------------------- /utils/qemu_persistent_hook/read_into_rdi.c: -------------------------------------------------------------------------------- 1 | #include "../../qemu_mode/qemuafl/qemuafl/api.h" 2 | 3 | #include <stdio.h> 4 | #include <string.h> 5 | 6 | #define g2h(x) ((void *)((unsigned long)(x) + guest_base)) 7 | #define h2g(x) ((uint64_t)(x)-guest_base) 8 | 9 | void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base, 10 | uint8_t *input_buf, uint32_t input_buf_len) { 11 | 12 | // In this example the register RDI is pointing to the memory location 13 | // of the target buffer, and the length of the input is in RSI. 14 | // This can be seen with a debugger, e.g. gdb (and "disass main") 15 | 16 | printf("Placing input into 0x%lx\n", regs->rdi); 17 | 18 | if (input_buf_len > 1024) input_buf_len = 1024; 19 | memcpy(g2h(regs->rdi), input_buf, input_buf_len); 20 | regs->rsi = input_buf_len; 21 | 22 | } 23 | 24 | #undef g2h 25 | #undef h2g 26 | 27 | int afl_persistent_hook_init(void) { 28 | 29 | // 1 for shared memory input (faster), 0 for normal input (you have to use 30 | // read(), input_buf will be NULL) 31 | return 1; 32 | 33 | } 34 | 35 | -------------------------------------------------------------------------------- /utils/qemu_persistent_hook/test.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int target_func(unsigned char *buf, int size) { 4 | 5 | printf("buffer:%p, size:%d\n", buf, size); 6 | switch (buf[0]) { 7 | 8 | case 1: 9 | if (buf[1] == '\x44') { puts("a"); } 10 | break; 11 | case 0xff: 12 | if (buf[2] == '\xff') { 13 | 14 | if (buf[1] == '\x44') { puts("b"); } 15 | 16 | } 17 | 18 | break; 19 | default: 20 | break; 21 | 22 | } 23 | 24 | return 1; 25 | 26 | } 27 | 28 | char data[1024]; 29 | 30 | int main() { 31 | 32 | target_func(data, 1024); 33 | 34 | } 35 | 36 | -------------------------------------------------------------------------------- /utils/socket_fuzzing/README.md: -------------------------------------------------------------------------------- 1 | # socketfuzz 2 | 3 | when you want to fuzz a network service and you can not/do not want to modify 4 | the source (or just have a binary), then this LD_PRELOAD library will allow 5 | for sending input to stdin which the target binary will think is coming from 6 | a network socket. 7 | 8 | This is desock_dup.c from the amazing preeny project 9 | [https://github.com/zardus/preeny](https://github.com/zardus/preeny) 10 | 11 | It is packaged in AFL++ to have it at hand if needed 12 | -------------------------------------------------------------------------------- /xml/2sum/parameters.xml: -------------------------------------------------------------------------------- 1 | <root> 2 | <ARGUMENT> 3 | <MUST>true</MUST> 4 | <ELEMENT>VVuLeArn</ELEMENT> 5 | </ARGUMENT> 6 | <ENVIRONMENT> 7 | <NAME>QUERY_STRING</NAME> 8 | <MUST>true</MUST> 9 | <ELEMENT>num1=2140000000&num2=@@</ELEMENT> 10 | </ENVIRONMENT> 11 | </root> 12 | -------------------------------------------------------------------------------- /xml/aeon-0.2a/parameters.xml: -------------------------------------------------------------------------------- 1 | <root> 2 | <ARGUMENT> 3 | <MUST>true</MUST> 4 | <ELEMENT>VVuLerAn</ELEMENT> 5 | </ARGUMENT> 6 | <ENVIRONMENT> 7 | <NAME>HOME</NAME> 8 | <MUST>true</MUST> 9 | <ELEMENT>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@@</ELEMENT> 10 | </ENVIRONMENT> 11 | </root> 12 | -------------------------------------------------------------------------------- /xml/bento4/mp42hls/parameters.xml: -------------------------------------------------------------------------------- 1 | <root> 2 | <ARGUMENT> 3 | <MUST>false</MUST> 4 | <ELEMENT>--verbose</ELEMENT> 5 | </ARGUMENT> 6 | <ARGUMENT> 7 | <MUST>false</MUST> 8 | <ELEMENT>--show-info</ELEMENT> 9 | </ARGUMENT> 10 | <ARGUMENT> 11 | <MUST>false</MUST> 12 | <ELEMENT>--audio-format ts</ELEMENT> 13 | <ELEMENT>--audio-format packed</ELEMENT> 14 | </ARGUMENT> 15 | <ARGUMENT> 16 | <MUST>false</MUST> 17 | <ELEMENT>--encryption-mode AES-128</ELEMENT> 18 | <ELEMENT>--encryption-mode SAMPLE-AES</ELEMENT> 19 | </ARGUMENT> 20 | <ARGUMENT> 21 | <MUST>false</MUST> 22 | <ELEMENT>--encryption-iv-mode sequence</ELEMENT> 23 | <ELEMENT>--encryption-iv-mode random</ELEMENT> 24 | <ELEMENT>--encryption-iv-mode fps</ELEMENT> 25 | </ARGUMENT> 26 | <ARGUMENT> 27 | <MUST>true</MUST> 28 | <ELEMENT>@@</ELEMENT> 29 | </ARGUMENT> 30 | </root> 31 | -------------------------------------------------------------------------------- /xml/bento4/mp4dump/parameters.xml: -------------------------------------------------------------------------------- 1 | <root> 2 | <ARGUMENT> 3 | <MUST>false</MUST> 4 | <ELEMENT>--verbosity 0</ELEMENT> 5 | <ELEMENT>--verbosity 1</ELEMENT> 6 | <ELEMENT>--verbosity 2</ELEMENT> 7 | <ELEMENT>--verbosity 3</ELEMENT> 8 | </ARGUMENT> 9 | <ARGUMENT> 10 | <MUST>false</MUST> 11 | <ELEMENT>--format json</ELEMENT> 12 | <ELEMENT>--format text</ELEMENT> 13 | </ARGUMENT> 14 | <ARGUMENT> 15 | <MUST>true</MUST> 16 | <ELEMENT>@@</ELEMENT> 17 | </ARGUMENT> 18 | </root> 19 | -------------------------------------------------------------------------------- /xml/bento4/mp4info/parameters.xml: -------------------------------------------------------------------------------- 1 | <root> 2 | <ARGUMENT> 3 | <MUST>false</MUST> 4 | <ELEMENT>--verbose</ELEMENT> 5 | </ARGUMENT> 6 | <ARGUMENT> 7 | <MUST>false</MUST> 8 | <ELEMENT>--format json</ELEMENT> 9 | <ELEMENT>--format text</ELEMENT> 10 | </ARGUMENT> 11 | <ARGUMENT> 12 | <MUST>false</MUST> 13 | <ELEMENT>--show-layout</ELEMENT> 14 | </ARGUMENT> 15 | <ARGUMENT> 16 | <MUST>false</MUST> 17 | <ELEMENT>--show-samples</ELEMENT> 18 | </ARGUMENT> 19 | <ARGUMENT> 20 | <MUST>false</MUST> 21 | <ELEMENT>--show-sample-data</ELEMENT> 22 | </ARGUMENT> 23 | <ARGUMENT> 24 | <MUST>false</MUST> 25 | <ELEMENT>--fast</ELEMENT> 26 | </ARGUMENT> 27 | <ARGUMENT> 28 | <MUST>true</MUST> 29 | <ELEMENT>@@</ELEMENT> 30 | </ARGUMENT> 31 | </root> 32 | -------------------------------------------------------------------------------- /xml/exiv2/parameters.xml: -------------------------------------------------------------------------------- 1 | <root> 2 | <ARGUMENT> 3 | <MUST>true</MUST> 4 | <ELEMENT>pr</ELEMENT> 5 | </ARGUMENT> 6 | <ARGUMENT> 7 | <MUST>false</MUST> 8 | <ELEMENT>-p s</ELEMENT> 9 | <ELEMENT>-p a</ELEMENT> 10 | <ELEMENT>-p e</ELEMENT> 11 | <ELEMENT>-p t</ELEMENT> 12 | <ELEMENT>-p v</ELEMENT> 13 | <ELEMENT>-p h</ELEMENT> 14 | <ELEMENT>-p i</ELEMENT> 15 | <ELEMENT>-p x</ELEMENT> 16 | <ELEMENT>-p c</ELEMENT> 17 | <ELEMENT>-p p</ELEMENT> 18 | <ELEMENT>-p C</ELEMENT> 19 | <ELEMENT>-p R</ELEMENT> 20 | <ELEMENT>-p S</ELEMENT> 21 | <ELEMENT>-p X</ELEMENT> 22 | </ARGUMENT> 23 | <ARGUMENT> 24 | <MUST>false</MUST> 25 | <ELEMENT>-P E</ELEMENT> 26 | <ELEMENT>-P I</ELEMENT> 27 | <ELEMENT>-P X</ELEMENT> 28 | <ELEMENT>-P x</ELEMENT> 29 | <ELEMENT>-P g</ELEMENT> 30 | <ELEMENT>-P k</ELEMENT> 31 | <ELEMENT>-P l</ELEMENT> 32 | <ELEMENT>-P n</ELEMENT> 33 | <ELEMENT>-P y</ELEMENT> 34 | <ELEMENT>-P c</ELEMENT> 35 | <ELEMENT>-P s</ELEMENT> 36 | <ELEMENT>-P v</ELEMENT> 37 | <ELEMENT>-P t</ELEMENT> 38 | <ELEMENT>-P h</ELEMENT> 39 | </ARGUMENT> 40 | <ARGUMENT> 41 | <MUST>true</MUST> 42 | <ELEMENT>@@</ELEMENT> 43 | </ARGUMENT> 44 | </root> 45 | -------------------------------------------------------------------------------- /xml/exiv2/parameters_init.xml: -------------------------------------------------------------------------------- 1 | <root> 2 | <ARGUMENT> 3 | <MUST>true</MUST> 4 | <ELEMENT>@@</ELEMENT> 5 | </ARGUMENT> 6 | </root> 7 | --------------------------------------------------------------------------------