Understanding Qiling fuzzing

[psparc82]

Hi,

I'm trying to understand at a high level how Qiling fuzzes with AFL++ and unicorn. The fuzzing examples and documentation don't fully explain it. So here's a few questions:

• When I set the hook that starts the fuzzing (ql.hook_address(start_afl, target_func_addr, then ql.run()) does this do the following?
  1. emulates until target_func_addr is hit
  2. starts the fuzzing engine which generates the inputs
  3. fuzzer/Qiling then only calls target_func_addr and doesn't restart the binary from the beginning for each fuzz?
  4. If the binary isn't restarted for each fuzz then what is Qiling using in the register values each time target_func_addr is called?
  5. What happens with the emulators memory, do heap objects persist or are they cleared for each fuzz?

Any sort of diagram / order of events explaining how the fuzzing works would be great!

Thanks for reading and thanks for the excellent project

[psparc82]

Any help?

[iMoD1998]

Not sure which example you are looking at but they usually ship with 2 scripts, a saver which gets the binary into a state where the target func can be called which then dumps the entire state, memory, registers, etc all to a file called snapshot.bin.

Then in the fuzzer script you can call your target function with fuzzer input and then restore the context from snapshot.bin and send another input and so on...

[psparc82]

@iMoD1998 Thanks for clearing that up!