# afl-untracer - fast fuzzing of binary-only libraries

## Introduction

afl-untracer is an example skeleton file which can easily be used to fuzz
a closed source library.

It requires less memory and is 3-5x faster than QEMU mode; however, it is way
more coarse-grained and does not provide interesting features like compcov or
cmplog.

So far, Intel (i386/x86_64) and AARCH64 are supported.

## How-to

### Modify afl-untracer.c

Read and modify afl-untracer.c, then `make`.
To adapt afl-untracer.c to your needs, read the header of the file and then
search and edit the `STEP 1`, `STEP 2` and `STEP 3` locations.

### Generate patches.txt file

To generate the `patches.txt` file for your target library use the
`ida_get_patchpoints.py` script for IDA Pro or
`ghidra_get_patchpoints.java` for Ghidra.

The patches.txt file has to be pointed to by `AFL_UNTRACER_FILE`.

To easily run the script without needing to run the Ghidra GUI:

```
/opt/ghidra/support/analyzeHeadless /tmp/ tmp$$ -import libtestinstr.so -postscript ./ghidra_get_patchpoints.java
rm -rf /tmp/tmp$$
```

The file is created at `~/Desktop/patches.txt`.

### Fuzzing

Example (after modifying afl-untracer.c to your needs, compiling and creating
patches.txt):

```
LD_LIBRARY_PATH=/path/to/target/library AFL_UNTRACER_FILE=./patches.txt afl-fuzz -i in -o out -- ./afl-untracer
```

(or even remotely via afl-network-proxy).

### Testing and debugging

For testing/debugging you can try:

```
make DEBUG=1
AFL_UNTRACER_FILE=./patches.txt AFL_DEBUG=1 gdb ./afl-untracer
```

and then you can easily set breakpoints on "breakpoint" and "fuzz".

# Background

This idea is based on [UnTracer](https://github.com/FoRTE-Research/UnTracer-AFL)
and modified by [Trapfuzz](https://github.com/googleprojectzero/p0tools/tree/master/TrapFuzz).
This implementation is slower because the traps are not patched out with each
run, but on the other hand it gives much better coverage information.
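To make the trade-off in the paragraph above concrete, here is a small model (added illustration, not afl-untracer's or UnTracer's own code) of the two trap strategies: basic blocks are small integers, a "run" is the sequence of blocks the target executes, and a trap hit stands in for the signal the fuzzer has to handle. Block ids, traces and the bitmap width are constructed for the example.

```c
/* Model of trap-based coverage: traps that stay armed across runs
 * (afl-untracer) versus traps removed permanently on first hit (UnTracer).
 * Added illustration, not the tool's real instrumentation. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NBLOCKS 16            /* constructed: number of basic blocks */

typedef struct {
    bool trap_armed[NBLOCKS]; /* a trap still sits at the block's first instruction */
    bool permanent_removal;   /* true = UnTracer style, false = afl-untracer style */
} trap_table;

void trap_table_init(trap_table *t, bool permanent_removal) {
    memset(t, 0, sizeof *t);
    for (int i = 0; i < NBLOCKS; i++) t->trap_armed[i] = true;
    t->permanent_removal = permanent_removal;
}

/* Execute one run over `trace`. Every armed trap that is hit sets the block's
 * bit in the per-run coverage bitmap (what the fuzzer sees for this input).
 * Returns the number of trap hits, a proxy for the cost of the run.
 * With permanent removal the trap is disarmed for all future runs; otherwise
 * it is only skipped for the rest of this run and the next run hits it again. */
int run_target(trap_table *t, const uint8_t *trace, int len, uint16_t *covmap) {
    bool hit_this_run[NBLOCKS] = {0};
    int hits = 0;
    *covmap = 0;
    for (int i = 0; i < len; i++) {
        uint8_t bb = trace[i];
        if (!t->trap_armed[bb] || hit_this_run[bb]) continue;
        hits++;
        *covmap |= (uint16_t)1 << bb;
        if (t->permanent_removal) t->trap_armed[bb] = false;
        else hit_this_run[bb] = true;
    }
    return hits;
}

/* Constructed traces: two inputs that share a prefix and diverge at block 2/3. */
#define TRACE_LEN 4
const uint8_t TRACE_A[TRACE_LEN] = {0, 1, 2, 5};
const uint8_t TRACE_B[TRACE_LEN] = {0, 1, 3, 5};
```

With persistent traps each run pays four trap hits but reports its full path (0x27, then 0x2B), so the fuzzer can tell the two inputs apart; with permanent removal the second run reports only the single never-seen block (0x08) and a repeat of the first input reports nothing at all.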