通常来讲,afl-fuzz需要对待fuzz程序重编译,重而对其进行插桩,这就要求拥有待fuzz程序的完整源代码。而afl-dyninst提供了一种静态无源码插桩的手段使得可以对无源码二进制程序插桩。
本文的测试系统为:ubuntu14.04。
下载&&编译
首先需要安装以下软件:
1
| sudo apt-get install libelf-dev libelf1 libiberty-dev libboost-all-dev
|
afl-dyninst是基于dyninst的,所以需要下载&&编译&&安装dyninst:
1 2 3 4 5 6 7
| git clone https://github.com/dyninst/dyninst.git cd dyninst mkdir build cd build cmake -DBOOST_LIBRARYDIR=/usr/lib/x86_64-linux-gnu make sudo make install
|
下载&&编译afl-dyninst
1 2 3 4 5 6 7
| git clone https://github.com/talos-vulndev/afl-dyninst.git cd afl-dyninst make sudo cp afl-dyninst /usr/bin/ sudo cp libAflDyninst.so /usr/local/lib/ echo "/usr/local/lib" > /etc/ld.so.conf.d/dyninst.conf && ldconfig echo "export DYNINSTAPI_RT_LIB=/usr/local/lib/libdyninstAPI_RT.so" >> ~/.bashrc
|
使用
1 2 3 4 5 6 7 8 9 10 11 12 13
| Usage: ./afl-dyninst -i <binary> -o <binary> -l <library> -e <address> -s <number> -i: Input binary -o: Output binary -l: Library to instrument (repeat for more than one) -e: Entry point address to patch (required for stripped binaries) -r: Runtime library to instrument (path to, repeat for more than one) -s: Number of basic blocks to skip -v: Verbose output example: afl-dyninst -i testbin -o testbin_ins to fuzz: export AFL_SKIP_BIN_CHECK=1 afl-fuzz -i in -o out testbin_ins
|
碎碎念
dyninst目前支持POWER/Linux, x86/Linux, x86_64/Linux,x86/Windows XP/2000/2003/Windows 7多个平台以及aarch64,不过可惜的是不支持arm/thumb。afl-dyninst于15年3月公布,不过到目前为止还未添加到afl-fuzz的发行版本中,推测其应该存在较多的bug。不过dyninst项目目前仍然活跃,相信以后会更加成熟。持续关注中!