QEMU Mode: Stop Fuzzing at a Specific Address #1932
Comments
vanhauser-thc
added
enhancement
|
that is an idea we have in the TODO.md: would be nice if someone would add this :) |
|
I would like to work on this issue. |
|
I would like to work in this issue |
I would like to help in implementing this feature, but the functionality of AFL_QEMU_EXITPOINT and AFL_QEMU_PERSISTENT_RET seems quite similar. Both involve running the guest to a specified address. To better understand the requirements, I would like to clarify the differences between these two. @legical |
|
PERSISTENT_RET is for the persistent loop feature and results in that the program counter is reset. this is not what we want in this feature. with AFL_QEMU_EXITPOINT (which should support a list of addresses) this should result in an exit() of the emulated process instead. |
Is your feature request related to a problem? Please describe.
I am currently using AFL++ with QEMU mode for fuzz testing and I am wondering if there is a way to stop fuzzing when a specific address is reached. In some cases, the target programs are quite large, and I am only interested in fuzzing a specific segment of the binary code, typically from the program entry point to a specific address.
I would like to propose a feature that allows users to set a specific address as a fuzzing target in AFL++ QEMU mode.
Describe the solution you'd like
Describe alternatives you've considered
persistent mode allows for repeated execution of a particular section of a reentrant function, but that doesn't satisfy my needs. I want to be able to repeat the fuzzing of a program entry to any given address.
Additional context
none.
The text was updated successfully, but these errors were encountered: