Harness with Example
In order to perform the massive number of iterations required for fuzzing, the tested method(s) need to be called with minimal overhead. The WinAFL GitHub repository includes example harnesses, for instance https://github.com/googleprojectzero/winafl/blob/master/gdiplus.cpp.
The harness must export an entry function for WinAFL, named on the command line with the -target_method argument. That function must do all of the following (from the WinAFL README):
1. Open the input file. This has to happen inside the target function, because WinAFL rewrites the input file between runs and each iteration must read the new contents.
2. Parse it (so that coverage of the file-parsing code is what gets measured).
3. Close the input file. If the file is left open, WinAFL cannot rewrite it for the next iteration.
4. Return normally, so that WinAFL can catch the return and redirect execution back to the start of the function. Leaving via ExitProcess() or similar will not work.
In my example I use the following declaration to expose main:

```cpp
extern "C" __declspec(dllexport) int main(int argc, char* argv[]);
```

The extern "C" keeps the exported symbol unmangled, so -target_method main matches it. main simply accepts one command-line argument, the path of the input file, and calls the function that in turn calls the methods of interest before returning zero. (In practice the compiler inlines that function into main, so the exported symbol covers the whole call chain.)
```cpp
// charToWChar (narrow path -> wide string) and process (calls the methods of
// interest on the input file) are defined elsewhere in the harness file.
extern "C" __declspec(dllexport) int main(int argc, char* argv[])
{
    // No input path given: argv[1] would be NULL. Return normally rather than
    // calling ExitProcess() so WinAFL can still catch the return.
    if (argc < 2)
    {
        return 0;
    }
    process(charToWChar(argv[1]));
    return 0;
}
```