# argv_fuzzing feature
AFL++ supports fuzzing file inputs or standard input. The argv_fuzzing feature
allows for the fuzzing of arguments passed to a program from the command line
interface rather than from STDIN.

## With source code
When the source code is available, a specific macro from the `argv-fuzz-inl.h`
header file can be used to change the program's behavior to build argv from STDIN.

### Without persistent mode
Conditions needed to use the argv_fuzzing feature:
1. Include the `argv-fuzz-inl.h` header file (`#include "argv-fuzz-inl.h"`)
2. Identify your main function that parses arguments
   (for example, `int main(int argc, char **argv)`)
3. Use one of the following macros (near the beginning of the main function)
   to initialize argv with the fuzzer's input:
   - `AFL_INIT_ARGV();` or
   - `AFL_INIT_SET0("prog_name");` to preserve `argv[0]`
     (the name of the program being executed)

see: [argv_fuzz_demo.c](argv_fuzz_demo.c)

### With persistent mode
Conditions needed to use the argv_fuzzing feature with persistent mode:
1. Ensure your target can handle persistent mode fuzzing
2. Follow the instructions in the [llvm_mode persistent mode](https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.persistent_mode.md) documentation
3. Use one of the following macros near the beginning of the main function and after
   the buffer initialization (`unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF`):
   - `AFL_INIT_ARGV_PERSISTENT(buf);` or
   - `AFL_INIT_SET0_PERSISTENT("name_of_binary", buf);` to preserve `argv[0]`

see: [argv_fuzz_persistent_demo.c](argv_fuzz_persistent_demo.c)

## Binary only
`argvfuzz` tries to provide the same functionality for binaries. When loaded
using `LD_PRELOAD`, it will hook the call to `__libc_start_main` and replace
argv using the same logic as `argv-fuzz-inl.h`.

A few conditions need to be fulfilled for this mechanism to work correctly:

1. As it relies on hooking the loader, it cannot work on static binaries.
2. If the target binary does not use the default libc's `_start` implementation
   (crt1.o), the hook may not run.
3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`.
   Things may go wrong if the target binary expects argv to live on the stack.
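The following C program is an added example and is not code from the AFL++ project or from `argv-fuzz-inl.h`. It illustrates the idea behind both the source-code macros and the `LD_PRELOAD` hook: one fuzzer input buffer is split into an argv array so the program's own argument parser becomes the fuzz target. It assumes the arguments in the buffer are separated by NUL bytes (the convention the real header uses, but the splitter here is a simplified re-implementation), assumes small limits (`MAX_INPUT`, `MAX_ARGS`), emulates the `_SET0` variants with an optional fixed `argv[0]`, and uses a constructed toy parser (`parse_args`) in place of a real target's parser. The argv entries point into static storage, which is the same property item 3 of the binary-only section warns about.

```c
// Added example, not part of AFL++ or argv-fuzz-inl.h.
// Builds argv from a fuzzer-supplied buffer (NUL-separated arguments, an
// assumed convention) and hands it to a toy argument parser.
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_INPUT 4096  /* assumed limits chosen for this example */
#define MAX_ARGS  64

/* Static storage: the argv entries point here, not onto the stack. This is
 * the same situation the README describes for argvfuzz.so's .data, and it is
 * why a target that expects argv on the stack can misbehave. */
static char  input_copy[MAX_INPUT + 2];
static char *argv_out[MAX_ARGS + 1];

/* Split buf (len bytes, arguments separated by NUL) into argv.
 * If argv0 is non-NULL it is installed as argv[0] (like AFL_INIT_SET0);
 * otherwise the first token of the buffer becomes argv[0] (like AFL_INIT_ARGV).
 * An empty token (two consecutive NULs) ends the argument list.
 * Returns argc; argv is NULL-terminated as the C runtime expects. */
int build_argv(const unsigned char *buf, size_t len, const char *argv0,
               char **argv, int max_args) {
    if (len > MAX_INPUT) len = MAX_INPUT;
    memcpy(input_copy, buf, len);
    input_copy[len] = '\0';
    input_copy[len + 1] = '\0';   /* double NUL guarantees the walk stops */

    int argc = 0;
    if (argv0 != NULL && max_args > 0) argv[argc++] = (char *)argv0;

    char *p = input_copy;
    while (*p && argc < max_args) {
        argv[argc++] = p;
        p += strlen(p) + 1;       /* step past this argument and its NUL */
    }
    argv[argc] = NULL;
    return argc;
}

/* Toy command-line parser standing in for a target's real one (constructed).
 * Returns the verbosity level, or -1 on a usage error such as "-o" with no
 * operand, which is exactly the kind of edge case argv fuzzing exercises. */
int parse_args(int argc, char **argv) {
    int verbose = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-v") == 0) {
            verbose++;
        } else if (strcmp(argv[i], "-o") == 0) {
            if (i + 1 >= argc) return -1;  /* missing operand */
            i++;                           /* skip the operand */
        } else {
            return -1;                     /* unknown option */
        }
    }
    return verbose;
}

/* Reads the test case from STDIN, mirroring the non-persistent macros. In
 * persistent mode the same build_argv() would instead be called on the
 * __AFL_FUZZ_TESTCASE_BUF buffer and its length on every iteration. */
int main(void) {
    static unsigned char in_buf[MAX_INPUT];
    ssize_t n = read(0, in_buf, MAX_INPUT);
    if (n < 1) return 1;
    int argc = build_argv(in_buf, (size_t)n, "prog", argv_out, MAX_ARGS);
    printf("argc=%d parse_args=%d\n", argc, parse_args(argc, argv_out));
    return 0;
}
```

A seed file for this layout is written with embedded NULs, for example `printf '-v\0-o\0out.txt' > in/seed`; the trailing bytes after the last NUL form the final argument, and a doubled NUL ends the list early, so a fuzzer that inserts a NUL in the middle of an argument silently shortens argv rather than producing an out-of-bounds read.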