utils/argv_fuzzing/README.md

*08b48e0bSAndroid Build Coastguard Worker# argv_fuzzing feature
*08b48e0bSAndroid Build Coastguard WorkerAFL++ supports fuzzing file inputs or standard input. The argv_fuzzing feature
*08b48e0bSAndroid Build Coastguard Workerallows for the fuzzing of arguments passed to a program from the command line
*08b48e0bSAndroid Build Coastguard Workerinterface rather than from STDIN.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker## With source code
*08b48e0bSAndroid Build Coastguard WorkerWhen the source code is available, a specific macro from the `argv-fuzz-inl.h`
*08b48e0bSAndroid Build Coastguard Workerheader file can be used to change the program's behavior to build argv from STDIN.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker### Without persistent mode
*08b48e0bSAndroid Build Coastguard WorkerConditions needed to use the argv_fuzzing feature:
*08b48e0bSAndroid Build Coastguard Worker1. Include `argv-fuzz-inl.h` header file (`#include "argv-fuzz-inl.h"`)
*08b48e0bSAndroid Build Coastguard Worker2. Identify your main function that parses arguments
*08b48e0bSAndroid Build Coastguard Worker(for example, `int main(int argc, char **argv)`)
*08b48e0bSAndroid Build Coastguard Worker3. Use one of the following macros (near the beginning of the main function)
*08b48e0bSAndroid Build Coastguard Workerto initialize argv with the fuzzer's input:
*08b48e0bSAndroid Build Coastguard Worker   - `AFL_INIT_ARGV();` or
*08b48e0bSAndroid Build Coastguard Worker   - `AFL_INIT_SET0("prog_name");` to preserve `argv[0]`
*08b48e0bSAndroid Build Coastguard Worker   (the name of the program being executed)
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workersee: [argv_fuzz_demo.c](argv_fuzz_demo.c)
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker### With persistent mode
*08b48e0bSAndroid Build Coastguard WorkerConditions needed to use the argv_fuzzing feature with persistent mode:
*08b48e0bSAndroid Build Coastguard Worker1. Ensure your target can handle persistent mode fuzzing
*08b48e0bSAndroid Build Coastguard Worker2. Follow instructions in the [llvm_mode persistent mode](https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.persistent_mode.md)
*08b48e0bSAndroid Build Coastguard Worker3. Use one of the following macros near the beginning of the main function and after
*08b48e0bSAndroid Build Coastguard Workerthe buffer initialization (`unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF`):
*08b48e0bSAndroid Build Coastguard Worker   - `AFL_INIT_ARGV_PERSISTENT(buf)`, if you want to
*08b48e0bSAndroid Build Coastguard Worker   - `AFL_INIT_SET0_PERSISTENT("name_of_binary", buf)`
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workersee: [argv_fuzz_persistent_demo.c](argv_fuzz_persistent_demo.c)
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker## Binary only
*08b48e0bSAndroid Build Coastguard Worker`argvfuzz` tries to provide the same functionality for binaries. When loaded
*08b48e0bSAndroid Build Coastguard Workerusing `LD_PRELOAD`, it will hook the call to `__libc_start_main` and replace
*08b48e0bSAndroid Build Coastguard Workerargv using the same logic of `argv-fuzz-inl.h`.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard WorkerA few conditions need to be fulfilled for this mechanism to work correctly:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker1. As it relies on hooking the loader, it cannot work on static binaries
*08b48e0bSAndroid Build Coastguard Worker2. If the target binary does not use the default libc's `_start` implementation
*08b48e0bSAndroid Build Coastguard Worker   (crt1.o), the hook may not run.
*08b48e0bSAndroid Build Coastguard Worker3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`.
*08b48e0bSAndroid Build Coastguard WorkerThings may go wrong if the target binary expects argv to live on the stack.