# AFL++ Examples

Here's a quick overview of the stuff you can find in this directory:

  - aflpp_driver         - easily instrument LLVMFuzzerTestOneInput()
                           harnesses.

  - afl_network_proxy    - fuzz a target over the network: afl-fuzz on
                           a host, target on an embedded system.

  - plot_ui              - simple UI window utility to display the
                           plots generated by afl-plot

  - afl_proxy            - skeleton file example to show how to fuzz
                           something where you gather coverage data via
                           different means, e.g., hw debugger

  - afl_untracer         - fuzz binary-only libraries much faster but with
                           less coverage than QEMU mode

  - analysis_scripts     - random -o out analysis scripts

  - argv_fuzzing         - a simple wrapper to allow cmdline to be fuzzed
                           (e.g., to test setuid programs).

  - asan_cgroups         - a contributed script to simplify fuzzing ASAN
                           binaries with robust memory limits on Linux.

  - autodict_ql          - generate dictionary files from source code.

  - bash_shellshock      - a simple hack used to find a bunch of
                           post-Shellshock bugs in bash.

  - canvas_harness       - a test harness used to find browser bugs with a
                           corpus generated using simple image parsing
                           binaries & afl-fuzz.

  - clang_asm_normalize  - a script that makes it easy to instrument
                           hand-written assembly, provided that you have clang.

  - crash_triage         - a very rudimentary example of how to annotate crashes
                           with additional gdb metadata.

  - custom_mutators      - examples for the AFL++ custom mutator interface in
                           C and Python. Note: They were moved to
                           ../custom_mutators/examples/

  - defork               - intercept fork() in targets

  - distributed_fuzzing  - a sample script for synchronizing fuzzer instances
                           across multiple machines.

  - libdislocator        - like ASAN but lightweight.

  - libtokencap          - collect string tokens for a dictionary.

  - libpng_no_checksum   - a sample patch for removing CRC checks in libpng.

  - persistent_mode      - an example of how to use the LLVM persistent process
                           mode to speed up certain fuzzing jobs.

  - qemu_persistent_hook - persistent mode support module for qemu.

  - socket_fuzzing       - a LD_PRELOAD library 'redirects' a socket to stdin
                           for fuzzing access with AFL++

Note that the minimize_corpus.sh tool has graduated from the utils/
directory and is now available as ../afl-cmin. The LLVM mode has likewise
graduated to ../instrumentation/*.

Most of the tools in this directory are meant chiefly as examples that need to
be tweaked for your specific needs. They come with some basic documentation,
but are not necessarily production-grade.