Normally afl-fuzz requires the program under test to be recompiled so that it can be instrumented, which means the complete source code of that program must be available. afl-dyninst provides a static, source-less instrumentation method, so binaries for which no source code is available can be instrumented as well.

The system used for the tests in this article is Ubuntu 14.04.

Download && build

First install the following packages:

sudo apt-get install libelf-dev libelf1 libiberty-dev libboost-all-dev

afl-dyninst is built on dyninst, so dyninst has to be downloaded, built and installed first:

git clone https://github.com/dyninst/dyninst.git
cd dyninst
mkdir build
cd build
# the source tree is the parent directory of build/, so pass ".." to cmake
cmake -DBOOST_LIBRARYDIR=/usr/lib/x86_64-linux-gnu ..
make
sudo make install

Download && build afl-dyninst

git clone https://github.com/talos-vulndev/afl-dyninst.git
cd afl-dyninst
make
sudo cp afl-dyninst /usr/bin/
sudo cp libAflDyninst.so /usr/local/lib/
# writing under /etc needs root; a plain shell redirection is not covered by sudo, so use tee
echo "/usr/local/lib" | sudo tee /etc/ld.so.conf.d/dyninst.conf && sudo ldconfig
# the dyninst runtime library must be reachable via this variable when afl-dyninst runs
echo "export DYNINSTAPI_RT_LIB=/usr/local/lib/libdyninstAPI_RT.so" >> ~/.bashrc

Usage

Usage: ./afl-dyninst -i <binary> -o <binary> -l <library> -e <address> -s <number>
-i: Input binary
-o: Output binary
-l: Library to instrument (repeat for more than one)
-e: Entry point address to patch (required for stripped binaries)
-r: Runtime library to instrument (path to, repeat for more than one)
-s: Number of basic blocks to skip
-v: Verbose output
example:
afl-dyninst -i testbin -o testbin_ins
to fuzz:
export AFL_SKIP_BIN_CHECK=1
afl-fuzz -i in -o out testbin_ins
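The help text above lists the switches but not the checks worth doing before spending fuzz time. The following shell wrapper is an added example written for this page, not code from the afl-dyninst project: it verifies that DYNINSTAPI_RT_LIB points at a real file before the rewrite, assembles the afl-dyninst command line (repeating -l for every extra library and adding -e only when an entry address is given, as the stripped-binary case requires), confirms that the rewritten binary references libAflDyninst.so by name (afl-dyninst loads that library into the target, so its name appears in the output file), and finally launches afl-fuzz with AFL_SKIP_BIN_CHECK=1, because afl-fuzz would otherwise reject a binary that was not built with afl-gcc. Binary names such as testbin and the library names are assumptions used for illustration.

```shell
#!/bin/sh
# Added example wrapper around the afl-dyninst -> afl-fuzz workflow.
# Assumes afl-dyninst and afl-fuzz are on PATH and that the ld.so.conf
# entry for /usr/local/lib has been created as described in the post.

# DYNINSTAPI_RT_LIB must name an existing runtime library, otherwise the
# rewrite fails with an unhelpful error deep inside dyninst.
check_rt_lib() {
    [ -n "${DYNINSTAPI_RT_LIB:-}" ] || {
        echo "DYNINSTAPI_RT_LIB is not set (see the ~/.bashrc line above)" >&2
        return 1
    }
    [ -r "$DYNINSTAPI_RT_LIB" ] || {
        echo "DYNINSTAPI_RT_LIB points at a missing file: $DYNINSTAPI_RT_LIB" >&2
        return 1
    }
    return 0
}

# Print the afl-dyninst command line.
#   $1 input binary, $2 output binary,
#   $3 entry address for a stripped binary ("" when not needed),
#   remaining arguments: extra shared libraries to instrument (-l each).
build_instrument_cmd() {
    in="$1"; out="$2"; entry="$3"
    shift 3
    cmd="afl-dyninst -i $in -o $out"
    [ -n "$entry" ] && cmd="$cmd -e $entry"
    for lib in "$@"; do
        cmd="$cmd -l $lib"
    done
    echo "$cmd"
}

# The rewritten binary refers to libAflDyninst.so by name; if that string
# is absent the instrumentation step did not produce what we expected.
check_instrumented() {
    [ -r "$1" ] && grep -aq 'libAflDyninst.so' "$1"
}

# Rewrite $1 into $2 (same extra arguments as build_instrument_cmd).
instrument() {
    check_rt_lib || return 1
    cmd=$(build_instrument_cmd "$@")
    echo "+ $cmd"
    $cmd || return 1
    check_instrumented "$2"
}

# Fuzz an instrumented binary: $1 input corpus dir, $2 output dir, $3 binary.
fuzz_instrumented() {
    check_instrumented "$3" || {
        echo "$3 does not look like an afl-dyninst output" >&2
        return 1
    }
    AFL_SKIP_BIN_CHECK=1 afl-fuzz -i "$1" -o "$2" -- "$3"
}

# Typical session (hypothetical binary names):
#   instrument testbin testbin_ins "" libfoo.so
#   fuzz_instrumented in out testbin_ins
```

The pure functions (build_instrument_cmd, check_instrumented, check_rt_lib) are kept separate from the ones that execute tools so the wrapper can be exercised without afl-dyninst installed; for a stripped binary pass the entry address as the third argument and it is emitted as -e, exactly as the usage text requires.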

dyninst currently supports POWER/Linux, x86/Linux, x86_64/Linux, x86/Windows XP/2000/2003/Windows 7 and aarch64, but unfortunately not arm/thumb. afl-dyninst was published in March 2015 but has still not been merged into an afl-fuzz release, so it presumably still has a fair number of bugs. The dyninst project itself is still active, though, and it should mature over time. Keeping an eye on it!