Fuzzing unmodified binaries with QEMU #1196
Closed
langston-barrett started this conversation in General
Replies: 1 comment
Okay, I've got a simple harness working:

```rust
// Fragment from a larger fuzzer: `emu`, `args`, `main_addr` and
// `main_stack_ptr` come from surrounding code that is not shown here.
let path_addr = emu.map_private(0, 1024, MmapPerms::ReadWrite).unwrap();
debug!("Placing path at {path_addr:#x}");
let tmp = tempfile::Builder::new()
    .tempfile()
    .expect("Couldn't create temporary file");
let tmp_path = tmp.path();
let mut harness = |input: &BytesInput| {
    let target = input.target_bytes();
    let mut buf = target.as_slice();
    if buf.len() > args.max_size {
        buf = &buf[0..args.max_size];
    }
    std::fs::write(tmp_path, buf).expect("Couldn't write temporary file");
    unsafe {
        // Reset the emulator to the start of main()
        emu.write_reg(Regs::Rip, main_addr).unwrap();
        emu.write_reg(Regs::Rsp, main_stack_ptr).unwrap();
        // Write the path to argv[2]
        let tmp_path_bytes = tmp_path
            .to_str()
            .expect("Temporary path was not valid Unicode")
            .as_bytes();
        // No NUL terminator is written here: the mapping is zero-filled and the
        // same temp file (hence the same path length) is reused on every run.
        emu.write_mem(path_addr, tmp_path_bytes);
        // 8 = pointer size, overwrite argv[2]
        let argv_ptr = emu.read_reg::<_, u64>(Regs::Rsi).unwrap();
        emu.write_mem(argv_ptr + (2 * 8), &u64::to_le_bytes(path_addr));
        emu.run();
    }
    // The end of the closure was cut off in the post; a LibAFL harness
    // closure returns an ExitKind.
    ExitKind::Ok
};
```
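The argv[2] rewrite from the harness above, as an added example that is not code from the thread or from libafl_qemu: a small model of the guest memory the harness pokes, so the pointer arithmetic, the NUL terminator and the bounds check against the 1024-byte mapping can be exercised without QEMU. The addresses, the mapping layout and the sample path are constructed assumptions.

```rust
// Added example, not from the thread or from libafl_qemu: a model of the guest
// memory the harness pokes, so the argv[2] rewrite can be checked without QEMU.
use std::convert::TryInto;
const PTR_SIZE: u64 = 8; // x86-64 guest pointer, the "2 * 8" in the harness
/// Flat guest memory covering [base, base + len), zero-filled like a fresh mapping.
struct GuestMem { base: u64, bytes: Vec<u8> }
impl GuestMem {
    fn new(base: u64, len: usize) -> Self { GuestMem { base, bytes: vec![0; len] } }
    fn off(&self, addr: u64) -> usize { (addr - self.base) as usize }
    fn write(&mut self, addr: u64, data: &[u8]) {
        let o = self.off(addr);
        self.bytes[o..o + data.len()].copy_from_slice(data);
    }
    fn read_u64(&self, addr: u64) -> u64 {
        let o = self.off(addr);
        u64::from_le_bytes(self.bytes[o..o + 8].try_into().unwrap())
    }
    /// The NUL-terminated string at `addr`, i.e. what fopen(argv[2]) in the target sees.
    fn read_cstr(&self, addr: u64) -> String {
        let o = self.off(addr);
        let end = self.bytes[o..].iter().position(|&b| b == 0).map_or(self.bytes.len(), |p| o + p);
        String::from_utf8_lossy(&self.bytes[o..end]).into_owned()
    }
}
/// Copy `path` into the private mapping at `path_addr` with a trailing NUL,
/// refusing a path that would not fit in the `map_len` bytes that were mapped.
fn place_path(mem: &mut GuestMem, path_addr: u64, map_len: usize, path: &str) -> Result<(), String> {
    let b = path.as_bytes();
    if b.len() + 1 > map_len {
        return Err(format!("{}-byte path does not fit in {}-byte mapping", b.len(), map_len));
    }
    mem.write(path_addr, b);
    mem.write(path_addr + b.len() as u64, &[0]); // terminator the harness leaves to the zeroed mapping
    Ok(())
}
/// Overwrite argv[index], an 8-byte little-endian guest pointer, with `new_ptr`.
fn patch_argv(mem: &mut GuestMem, argv_ptr: u64, index: u64, new_ptr: u64) {
    mem.write(argv_ptr + index * PTR_SIZE, &new_ptr.to_le_bytes());
}
/// What the target reads as argv[index] after the patch.
fn argv_string(mem: &GuestMem, argv_ptr: u64, index: u64) -> String {
    mem.read_cstr(mem.read_u64(argv_ptr + index * PTR_SIZE))
}
fn main() {
    // Constructed layout: 1024-byte path mapping at 0x1000, argv array at 0x2000.
    let mut mem = GuestMem::new(0x1000, 0x2000);
    place_path(&mut mem, 0x1000, 1024, "/tmp/fuzz-input").unwrap();
    patch_argv(&mut mem, 0x2000, 2, 0x1000);
    println!("argv[2] -> {}", argv_string(&mem, 0x2000, 2)); // /tmp/fuzz-input
}
```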
I'd like to do coverage-guided fuzzing of some unmodified, off-the-shelf binaries. I'm not sure if/how this is possible with the current `libafl_qemu` integration. The example fuzzers find and fuzz `LLVMFuzzerTestOneInput`, which would not be present in an unmodified binary. Also, it seems that it's not possible to pass different command lines for different runs of the QEMU fuzzer (e.g., to pass a different fuzzer-generated file each time).

Am I missing a way to make this work? Is it possible in principle but not with the current implementation? Or is it difficult or impossible in general to use QEMU this way?

[EDIT]: If the target takes a file as a command-line argument, maybe I could set that argument to some long string when initializing QEMU, add a breakpoint in `main`, and overwrite it with a path to a fuzzer-generated file...