AFLplusplus / qemuafl

This fork of QEMU enables fuzzing userspace ELF binaries under AFL++.
https://aflplus.plus

Add ability for hook and AppCall #29

Closed bjchan9an closed 1 year ago

bjchan9an commented 2 years ago

1. Hook (or intercept) Function Call

Currently qemuafl supports in-process fuzzing by setting AFL_QEMU_PERSISTENT_ADDR. However, it would be more flexible if we could intercept other function calls (e.g., emulate the socket recv/send). Maybe users should implement this feature by themselves, similar to AFL's instrumentation?

2. AppCalls

Currently qemuafl supports register settings with afl_persistent_hook() and afl_persistent_hook_init(void). However, sometimes we need to actively call functions of the program under test for initializing or recovering. For example, Frida allows AppCalls as follows.

```javascript
// Resolve the target's address, then wrap it as a callable native function
// taking (int, pointer) and returning void.
const addr = Module.getExportByName(null, "target_function");
const target_fn = new NativeFunction(addr, "void", ["int", "pointer"]);
```

Will qemuafl support this feature?
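As an added illustration of what the existing persistent-hook API already allows (this is example code, not from the issue or from qemuafl): a hook that copies the fuzzer's input into the buffer the target's first argument points to and publishes the length in the second, clamping to the caller's capacity so the hook itself cannot overrun the guest buffer. The struct below is a cut-down stand-in for qemuafl's struct x86_64_regs containing only the fields used here, and the hook signature, the g2h translation and the afl_persistent_hook_init return convention follow qemuafl's persistent-hook examples as I know them; verify against qemuafl/api.h before building.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Cut-down stand-in for qemuafl's struct x86_64_regs (qemuafl/api.h):
 * only the registers this example touches. Build against the real header. */
struct x86_64_regs {
    uint64_t rdi; /* arg 1: guest pointer to the input buffer        */
    uint64_t rsi; /* arg 2: capacity on entry, bytes written on exit */
};

/* Copy at most `capacity` bytes of `src` into `dst`; return bytes copied.
 * Clamping here is what keeps the hook from writing past the guest buffer
 * when AFL++ hands over an input larger than the target's buffer. */
static uint32_t copy_clamped(uint8_t *dst, uint64_t capacity,
                             const uint8_t *src, uint32_t len) {
    uint32_t n = len;
    if ((uint64_t)n > capacity) n = (uint32_t)capacity;
    memcpy(dst, src, n);
    return n;
}

/* Called by qemuafl each iteration at AFL_QEMU_PERSISTENT_ADDR, before the
 * target function runs. input_buf/input_buf_len hold the current test case. */
void afl_persistent_hook(struct x86_64_regs *regs, uint64_t guest_base,
                         uint8_t *input_buf, uint32_t input_buf_len) {
    /* guest virtual address -> host pointer, as in the qemuafl examples */
#define g2h(x) ((void *)((uintptr_t)(x) + guest_base))
    if (regs->rdi == 0 || input_buf == NULL) {
        regs->rsi = 0; /* nothing to deliver; let the target see length 0 */
        return;
    }
    regs->rsi = copy_clamped(g2h(regs->rdi), regs->rsi, input_buf, input_buf_len);
#undef g2h
}

/* 1 = take input via AFL++ shared memory (input_buf is populated);
 * 0 = normal mode, input_buf is NULL and the target must read() stdin. */
int afl_persistent_hook_init(void) { return 1; }
```

With guest_base set to 0 the hook can be exercised on a plain host buffer, which is how a harness author can unit-test the register setup before running it under afl-qemu-trace.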

andreafioraldi commented 2 years ago

Hi, good point in general, but I will not invest development time in extensibility features for qemuafl when we are already putting this effort into libafl_qemu.

andreafioraldi commented 2 years ago

However, feel free to contribute with a PR.