{"id":13538880,"url":"https://github.com/googleprojectzero/winafl","last_synced_at":"2025-05-14T01:03:10.024Z","repository":{"id":38360608,"uuid":"62802730","full_name":"googleprojectzero/winafl","owner":"googleprojectzero","description":"A fork of AFL for fuzzing Windows binaries","archived":false,"fork":false,"pushed_at":"2025-03-25T18:23:17.000Z","size":5488,"stargazers_count":2412,"open_issues_count":156,"forks_count":538,"subscribers_count":120,"default_branch":"master","last_synced_at":"2025-04-03T15:52:28.671Z","etag":null,"topics":["afl","fuzzing","security"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/googleprojectzero.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-07-07T11:46:59.000Z","updated_at":"2025-04-02T12:27:12.000Z","dependencies_parsed_at":"2023-01-30T00:15:35.344Z","dependency_job_id":"96ad5586-a3ba-446b-bbd8-93d49a4bbd9a","html_url":"https://github.com/googleprojectzero/winafl","commit_stats":{"total_commits":347,"total_committers":43,"mean_commits":8.069767441860465,"dds":0.8357348703170029,"last_synced_commit":"5f6acd0ab370acf7c639885fa2abaf0dcad23339"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleprojectzero%2Fwinafl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleprojectzero%2Fwinafl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googlepro
jectzero%2Fwinafl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleprojectzero%2Fwinafl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/googleprojectzero","download_url":"https://codeload.github.com/googleprojectzero/winafl/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248281390,"owners_count":21077423,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["afl","fuzzing","security"],"created_at":"2024-08-01T09:01:17.282Z","updated_at":"2025-04-10T19:24:44.512Z","avatar_url":"https://github.com/googleprojectzero.png","language":"C","readme":"# WinAFL\n\n```\n   Original AFL code written by Michal Zalewski \u003clcamtuf@google.com\u003e\n\n   Windows fork written and maintained by Ivan Fratric \u003cifratric@google.com\u003e\n\n   Copyright 2016 Google Inc. All Rights Reserved.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n```\n\n## Background\n\nAFL is a popular fuzzing tool for coverage-guided fuzzing. 
The tool combines\nfast target execution with clever heuristics to find new execution paths in\nthe target binary. It has been successfully used to find a large number of\nvulnerabilities in real products. For more info about the original project,\nplease refer to the original documentation at:\n\nhttp://lcamtuf.coredump.cx/afl/\n\nUnfortunately, the original AFL does not work on Windows due to very\n*nix-specific design (e.g. instrumentation, forkserver etc.). This project is\na fork of AFL that uses different instrumentation approach which works on\nWindows even for black box binary fuzzing.\n\n## The WinAFL approach\n\nInstead of instrumenting the code at compilation time, WinAFL supports the\nfollowing instrumentation modes:\n - Dynamic instrumentation using DynamoRIO (http://dynamorio.org/)\n - Dynamic instrumentation using TinyInst (https://github.com/googleprojectzero/TinyInst)\n - Hardware tracing using Intel PT\n - Static instrumentation via Syzygy\n\nThese instrumentation modes are described in more detail in the separate\ndocuments.\n\n\u003cp align=\"center\"\u003e\n\u003cimg alt=\"afl-fuzz.exe\" src=\"screenshots/afl-fuzz.gif\"/\u003e\n\u003c/p\u003e\n\nTo improve the process startup time, WinAFL relies heavily on persistent\nfuzzing mode, that is, executing multiple input samples without restarting the\ntarget process. 
This is accomplished by selecting a target function (that the\nuser wants to fuzz) and instrumenting it so that it runs in a loop.\n\n#### Known CVEs\n\nWinAFL has been successfully used to identify bugs in Windows software, such as the following:\n\n| Software | Bugs | Found by |\n| - | - | - |\n| Adobe | [CVE-2018-4985](https://cpr-zero.checkpoint.com/vulns/cprid-2046/), [CVE-2018-5063](https://cpr-zero.checkpoint.com/vulns/cprid-2047/), [CVE-2018-5064](https://cpr-zero.checkpoint.com/vulns/cprid-2048/), [CVE-2018-5065](https://cpr-zero.checkpoint.com/vulns/cprid-2049/), [CVE-2018-5068](https://cpr-zero.checkpoint.com/vulns/cprid-2050/), [CVE-2018-5069](https://cpr-zero.checkpoint.com/vulns/cprid-2051/), [CVE-2018-5070](https://cpr-zero.checkpoint.com/vulns/cprid-2052/), [CVE-2018-12754](https://cpr-zero.checkpoint.com/vulns/cprid-2053/), [CVE-2018-12755](https://cpr-zero.checkpoint.com/vulns/cprid-2054/), [CVE-2018-12764](https://cpr-zero.checkpoint.com/vulns/cprid-2055/), [CVE-2018-12765](https://cpr-zero.checkpoint.com/vulns/cprid-2056/), [CVE-2018-12766](https://cpr-zero.checkpoint.com/vulns/cprid-2057/), [CVE-2018-12767](https://cpr-zero.checkpoint.com/vulns/cprid-2058/), [CVE-2018-12768](https://cpr-zero.checkpoint.com/vulns/cprid-2059/), [CVE-2018-12839](https://cpr-zero.checkpoint.com/vulns/cprid-2060/), [CVE-2018-12840](https://cpr-zero.checkpoint.com/vulns/cprid-2061/), [CVE-2018-12848](https://cpr-zero.checkpoint.com/vulns/cprid-2062/), [CVE-2018-12849](https://cpr-zero.checkpoint.com/vulns/cprid-2063/), [CVE-2018-12850](https://cpr-zero.checkpoint.com/vulns/cprid-2064/), [CVE-2018-12857](https://cpr-zero.checkpoint.com/vulns/cprid-2065/), [CVE-2018-12859](https://cpr-zero.checkpoint.com/vulns/cprid-2066/), [CVE-2018-12860](https://cpr-zero.checkpoint.com/vulns/cprid-2067/), [CVE-2018-12861](https://cpr-zero.checkpoint.com/vulns/cprid-2068/), [CVE-2018-12862](https://cpr-zero.checkpoint.com/vulns/cprid-2069/), 
[CVE-2018-12863](https://cpr-zero.checkpoint.com/vulns/cprid-2070/), [CVE-2018-12864](https://cpr-zero.checkpoint.com/vulns/cprid-2071/), [CVE-2018-12865](https://cpr-zero.checkpoint.com/vulns/cprid-2072/), [CVE-2018-12866](https://cpr-zero.checkpoint.com/vulns/cprid-2073/), [CVE-2018-12867](https://cpr-zero.checkpoint.com/vulns/cprid-2074/), [CVE-2018-12869](https://cpr-zero.checkpoint.com/vulns/cprid-2075/), [CVE-2018-12870](https://cpr-zero.checkpoint.com/vulns/cprid-2076/), [CVE-2018-12871](https://cpr-zero.checkpoint.com/vulns/cprid-2077/), [CVE-2018-12872](https://cpr-zero.checkpoint.com/vulns/cprid-2078/), [CVE-2018-12873](https://cpr-zero.checkpoint.com/vulns/cprid-2079/), [CVE-2018-12874](https://cpr-zero.checkpoint.com/vulns/cprid-2080/), [CVE-2018-12875](https://cpr-zero.checkpoint.com/vulns/cprid-2081/), [CVE-2018-15927](https://cpr-zero.checkpoint.com/vulns/cprid-2082/), CVE-2018-15928, [CVE-2018-15929](https://cpr-zero.checkpoint.com/vulns/cprid-2083/), [CVE-2018-15930](https://cpr-zero.checkpoint.com/vulns/cprid-2084/), [CVE-2018-15931](https://cpr-zero.checkpoint.com/vulns/cprid-2085/), [CVE-2018-15932](https://cpr-zero.checkpoint.com/vulns/cprid-2086/), [CVE-2018-15933](https://cpr-zero.checkpoint.com/vulns/cprid-2087/), [CVE-2018-15934](https://cpr-zero.checkpoint.com/vulns/cprid-2088/), [CVE-2018-15935](https://cpr-zero.checkpoint.com/vulns/cprid-2089/), [CVE-2018-15936](https://cpr-zero.checkpoint.com/vulns/cprid-2090/), [CVE-2018-15937](https://cpr-zero.checkpoint.com/vulns/cprid-2091/), [CVE-2018-15938](https://cpr-zero.checkpoint.com/vulns/cprid-2092/), [CVE-2018-15952](https://cpr-zero.checkpoint.com/vulns/cprid-2093/), [CVE-2018-15953](https://cpr-zero.checkpoint.com/vulns/cprid-2094/), [CVE-2018-15954](https://cpr-zero.checkpoint.com/vulns/cprid-2095/), [CVE-2018-15955](https://cpr-zero.checkpoint.com/vulns/cprid-2096/), [CVE-2018-15956](https://cpr-zero.checkpoint.com/vulns/cprid-2097/) | Yoav Alon 
([@yoavalon](https://twitter.com/yoavalon)) and Netanel Ben-Simon ([@NetanelBenSimon](https://twitter.com/netanelbensimon)) of Check Point Software Technologies\n| Adobe | CVE-2018-12853, CVE-2018-16024, CVE-2018-16023, CVE-2018-15995 | Guy Inbar ([@guyio_](https://twitter.com/guyio_))\n| Adobe | CVE-2018-16004, CVE-2018-16005, CVE-2018-16007, CVE-2018-16009, CVE-2018-16010, CVE-2018-16043, CVE-2018-16045, CVE-2018-16046, CVE-2018-19719, CVE-2018-19720, CVE-2019-7045 | Sebastian Apelt ([@bitshifter123](https://twitter.com/bitshifter123))\n| Microsoft | [CVE-2016-7212](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2016-7212) | Aral Yaman of Noser Engineering AG\n| Microsoft | [CVE-2017-0073](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0073), [CVE-2017-0190](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0190), [CVE-2017-11816](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11816), [CVE-2018-8472](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8472), [CVE-2019-1311](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1311) | Symeon Paraschoudis ([@symeonp](https://twitter.com/symeonp))\n| Microsoft | [CVE-2018-8494](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8494) | Guy Inbar ([@guyio_](https://twitter.com/guyio_))\n| Microsoft | [CVE-2018-8464](https://cpr-zero.checkpoint.com/vulns/cprid-2098/) | Yoav Alon ([@yoavalon](https://twitter.com/yoavalon)) and Netanel Ben-Simon ([@NetanelBenSimon](https://twitter.com/netanelbensimon)) of Check Point Research\n| Microsoft | [CVE-2019-0538](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0538), [CVE-2019-0576](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0576), [CVE-2019-0577](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0577), 
[CVE-2019-0579](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0579), [CVE-2019-0580](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0580), [CVE-2019-0879](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0879), [CVE-2019-0889](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0889), [CVE-2019-0891](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0891), [CVE-2019-0899](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0899), [CVE-2019-0902](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0902), [CVE-2019-1243](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1243), [CVE-2019-1250](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1250), [CVE-2020-0687](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0687), [CVE-2020-0744](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0744), [CVE-2020-0879](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0879), [CVE-2020-0964](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0964), [CVE-2020-0995](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0995), [CVE-2020-1141](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1141), [CVE-2020-1145](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1145), [CVE-2020-1160](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1160), [CVE-2020-1179](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1179), [CVE-2021-1665](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-cve-2021-1665-remote-code-execution-vulnerability-in-windows-gdi/) | Hardik Shah ([@hardik05](https://twitter.com/hardik05)) of McAfee\n| Microsoft | [CVE-2021-42276](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42276), 
[CVE-2021-28350](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28350), [CVE-2021-28349](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28349), [CVE-2021-28348](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28348) | Simon Barsky ([expend20](https://twitter.com/expend20))\n| Microsoft | [CVE-2022-21903](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21903), [CVE-2022-21904](https://www.seljan.hu/posts/out-of-bounds-read-information-disclosure-vulnerability-in-microsoft-windows-gdi-emr_setdibitstodevice-record/), [CVE-2022-21915](https://www.seljan.hu/posts/out-of-bounds-read-information-disclosure-vulnerability-in-microsoft-windows-gdi-emr_stretchdibits-record/), [CVE-2022-26934](https://www.seljan.hu/posts/out-of-bounds-read-information-disclosure-vulnerability-in-microsoft-windows-gdi-emr_createdibpatternbrushpt-record/), [CVE-2022-29112](https://www.seljan.hu/posts/out-of-bounds-read-information-disclosure-vulnerability-in-microsoft-windows-gdi-emr_bitblt-record/), [CVE-2022-35837](https://www.seljan.hu/posts/arbitrary-read-information-disclosure-vulnerability-in-microsoft-windows-gdi-emr_startdoc-record/), [CVE-2022-34728](https://www.seljan.hu/posts/out-of-bounds-read-information-disclosure-vulnerability-in-microsoft-windows-gdi-emr_setpixelv-record/), [CVE-2022-38006](https://www.seljan.hu/posts/out-of-bounds-read-information-disclosure-vulnerability-in-microsoft-windows-gdi-emr_stretchdibits-record-again/) | [Gábor Selján](https://twitter.com/GaborSeljan)\n| Microsoft | [CVE-2021-38665](https://thalium.github.io/blog/posts/leaking-aslr-through-rdp-printer-cache-registry/), [CVE-2021-38666](https://thalium.github.io/blog/posts/deserialization-bug-through-rdp-smart-card-extension/) | Valentino Ricotta with Thalium\n| Microsoft | [CVE-2022-26929](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26929), 
[CVE-2022-30130](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30130) | Eran Zimmerman Gonen ([@3r4nz](https://twitter.com/3r4nz))\n| FreeRDP | [CVE-2021-37594](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37594), [CVE-2021-37595](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37595) | Valentino Ricotta with Thalium\n| Kollective | CVE-2018-11672 | Maksim Shudrak ([@MShudrak](https://twitter.com/MShudrak)) of Salesforce\n| Mozilla | [CVE-2018-5177](https://bugzilla.mozilla.org/show_bug.cgi?id=1451908) | Guy Inbar ([@guyio_](https://twitter.com/guyio_))\n| libxml2 | CVE-2018-14404 | Guy Inbar ([@guyio_](https://twitter.com/guyio_))\n| WinRAR | [CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, CVE-2018-20253](https://research.checkpoint.com/2019/extracting-code-execution-from-winrar/) | Nadav Grossman ([@NadavGrossman](https://twitter.com/NadavGrossman)) of Check Point Software Technologies\n| XnView | [CVE-2019-13083](https://github.com/apriorit/pentesting/blob/master/bugs/xnview/0x384e2a.md), [CVE-2019-13084](https://github.com/apriorit/pentesting/blob/master/bugs/xnview/0x26b739.md), [CVE-2019-13085](https://github.com/apriorit/pentesting/blob/master/bugs/xnview/0x30ecfa.md), [CVE-2019-13253](https://github.com/apriorit/pentesting/blob/master/bugs/xnview/0x0000000000385474.md), [CVE-2019-13254](https://github.com/apriorit/pentesting/blob/master/bugs/xnview/0x000000000032e808.md), [CVE-2019-13255](https://github.com/apriorit/pentesting/blob/master/bugs/xnview/0x0000000000327464.md), [CVE-2019-13256](https://github.com/apriorit/pentesting/blob/master/bugs/xnview/0x000000000032e849.md), [CVE-2019-13257](https://github.com/apriorit/pentesting/blob/master/bugs/xnview/0x00000000003273aa.md), [CVE-2019-13258](https://github.com/apriorit/pentesting/blob/master/bugs/xnview/0x0000000000328165.md), [CVE-2019-13259](https://github.com/apriorit/pentesting/blob/master/bugs/xnview/0x000000000032e566.md), 
[CVE-2019-13260](https://github.com/apriorit/pentesting/blob/master/bugs/xnview/0x0000000000327a07.md), [CVE-2019-13261](https://github.com/apriorit/pentesting/blob/master/bugs/xnview/0x0000000000328384.md), [CVE-2019-13262](https://github.com/apriorit/pentesting/blob/master/bugs/xnview/0x00000000003283eb.md) | [@expend20](https://twitter.com/expend20) and Anton Kukoba of Apriorit\n| IrfanView | [CVE-2019-13242](https://github.com/apriorit/pentesting/blob/master/bugs/irfanview/0x0000000000013a98.md), [CVE-2019-13243](https://github.com/apriorit/pentesting/blob/master/bugs/irfanview/0x00000000000249c6.md) | [@expend20](https://twitter.com/expend20) and Anton Kukoba of Apriorit\n| FastStone | [CVE-2019-13244](https://github.com/apriorit/pentesting/blob/master/bugs/fsview/0x0000000000002d7d.md), [CVE-2019-13245](https://github.com/apriorit/pentesting/blob/master/bugs/fsview/0x00000000001a95b1.md), [CVE-2019-13246](https://github.com/apriorit/pentesting/blob/master/bugs/fsview/0x00000000001a9601.md) | [@expend20](https://twitter.com/expend20) and Anton Kukoba of Apriorit\n| ACDSee | [CVE-2019-13247](https://github.com/apriorit/pentesting/blob/master/bugs/acdsee/0x00000000000024ed.md), [CVE-2019-13248](https://github.com/apriorit/pentesting/blob/master/bugs/acdsee/0x0000000000002450.md), [CVE-2019-13249](https://github.com/apriorit/pentesting/blob/master/bugs/acdsee/0x00000000000b9e7a.md), [CVE-2019-13250](https://github.com/apriorit/pentesting/blob/master/bugs/acdsee/0x00000000000b9c2f.md), [CVE-2019-13251](https://github.com/apriorit/pentesting/blob/master/bugs/acdsee/0x00000000000c47ff.md), [CVE-2019-13252](https://github.com/apriorit/pentesting/blob/master/bugs/acdsee/0x00000000001172b0.md), [CVE-2019-15293](https://www.apriorit.com/dev-blog/640-qa-fuzzing-for-closed-source-windows-software) | [@expend20](https://twitter.com/expend20) and Anton Kukoba of Apriorit\n| Foxit | [CVE-2019-13330](https://www.zerodayinitiative.com/advisories/ZDI-19-853/), 
[CVE-2019-13331](https://www.zerodayinitiative.com/advisories/ZDI-19-854/), [CVE-2020-8844](https://www.zerodayinitiative.com/advisories/ZDI-20-200/) | Natnael Samson ([@NattiSamson](https://twitter.com/NattiSamson))\n| Rockwell Automation | [CVE-2020-12034, CVE-2020-12038](https://www.us-cert.gov/ics/advisories/icsa-20-140-01) | [Sharon Brizinov](https://sharonbrizinov.com/) and Amir Preminger of Claroty\n| F-Secure \u0026 WithSecure | CVE-2021-33599, CVE-2021-33602, CVE-2021-40836, CVE-2021-40837, CVE-2022-28875, CVE-2022-28876, CVE-2022-28879, CVE-2022-28881, CVE-2022-28882, CVE-2022-28883, CVE-2022-28884, CVE-2022-28886, CVE-2022-28887 | [@faty420](https://twitter.com/faty420)\n\n(Let me know if you know of any others, and I'll include them in the list)\n\n## Building WinAFL\n\n1. If you are building with DynamoRIO support, download and build\nDynamoRIO sources or download DynamoRIO Windows binary package from\nhttps://github.com/DynamoRIO/dynamorio/releases\n\n2. If you are building with Intel PT support, pull third party dependencies by running `git submodule update --init --recursive` from the WinAFL source directory\n\n3. Open Visual Studio Command Prompt (or Visual Studio x64 Win64 Command Prompt\nif you want a 64-bit build). Note that you need a 64-bit winafl.dll build if\nyou are fuzzing 64-bit targets and vice versa.\n\n4. Go to the directory containing the source\n\n5. Type the following commands. Modify the -DDynamoRIO_DIR flag to point to the\nlocation of your DynamoRIO cmake files (either full path or relative to the\nsource directory).\n\n### For a 32-bit build:\n\n```\nmkdir build32\ncd build32\ncmake -G\"Visual Studio 16 2019\" -A Win32 .. -DDynamoRIO_DIR=C:\\path\\to\\DynamoRIO\\cmake -DINTELPT=1\ncmake --build . --config Release\n```\n\n### For a 64-bit build:\n\n```\nmkdir build64\ncd build64\ncmake -G\"Visual Studio 16 2019\" -A x64 .. -DDynamoRIO_DIR=C:\\path\\to\\DynamoRIO\\cmake -DINTELPT=1\ncmake --build . 
--config Release\n```\n\n### Build configuration options\n\nThe following cmake configuration options are supported:\n\n - `-DDynamoRIO_DIR=..\\path\\to\\DynamoRIO\\cmake` - Needed to build the\n   winafl.dll DynamoRIO client\n\n - `-DTINYINST=1` - Enable TinyInst mode. For more information see\n   https://github.com/googleprojectzero/winafl/blob/master/readme_tinyinst.md\n\n - `-DINTELPT=1` - Enable Intel PT mode. For more information see\n   https://github.com/googleprojectzero/winafl/blob/master/readme_pt.md\n\n - `-DUSE_COLOR=1` - color support (Windows 10 Anniversary edition or higher)\n\n - `-DUSE_DRSYMS=1` - Drsyms support (use symbols when available to obtain\n   -target_offset from -target_method). Enabling this has been known to cause\n   issues on Windows 10 v1809, though there are workarounds,\n   see https://github.com/googleprojectzero/winafl/issues/145\n\n## Using WinAFL\n\nThe afl-fuzz command line on Windows is different from the one on Linux. Instead of:\n\n```\nafl-fuzz [ afl options ] -- target_cmd_line\n```\n\nit now looks like this:\n\n```\nafl-fuzz [afl options] -- [instrumentation options] -- target_cmd_line\n```\n\nThe following afl-fuzz options are supported:\n\n```\n  -i dir        - input directory with test cases\n  -o dir        - output directory for fuzzer findings\n  -t msec       - timeout for each run\n  -s            - deliver sample via shared memory\n  -D dir        - directory containing DynamoRIO binaries (drrun, drconfig)\n  -w path       - path to winafl.dll\n  -e            - expert mode to run WinAFL as a DynamoRIO tool\n  -P            - use Intel PT tracing mode\n  -Y            - enable the static instrumentation mode\n  -f file       - location read by the fuzzed program\n  -m limit      - memory limit for the target process\n  -p            - persist DynamoRIO cache across target process restarts\n  -c cpu        - the CPU to run the fuzzed program on\n  -d            - quick \u0026 dirty mode (skips deterministic steps)\n  -n    
        - fuzz without instrumentation (dumb mode)\n  -x dir        - optional fuzzer dictionary\n  -I msec       - timeout for process initialization and first run\n  -T text       - text banner to show on the screen\n  -M \\\\ -S id   - distributed mode\n  -C            - crash exploration mode (the Peruvian rabbit thing)\n  -l path       - path to a user-defined DLL for custom test case processing\n  -A module     - a module identifying a unique process to attach to\n```\n\nPlease refer to the original AFL documentation for more info on these flags.\n\nTo see the supported instrumentation flags, please refer to the documentation\non the specific instrumentation mode you are interested in (see \"Instrumentation modes\" below).\n\n## How does my target run under WinAFL\n\nWhen you select a target function and fuzz an application, the following happens:\n\n1. Your target runs normally until your target function is reached.\n2. WinAFL starts recording coverage.\n3. Your target function runs until it returns.\n4. WinAFL reports coverage, rewrites the input file and patches the\n   instruction pointer (EIP/RIP) so that execution jumps back to step 2.\n5. After your target function runs for the specified number of iterations,\n   the target process is killed and restarted. Note that anything that runs\n   after the target function returns is never reached.\n\n## How to select a target function\n\nThe target function should do these things during its lifetime:\n\n1. Open the input file. This needs to happen within the target function so\n   that you can read a new input file for each iteration, as the input file is\n   rewritten between target function runs.\n2. Parse it (so that you can measure coverage of file parsing).\n3. Close the input file. This is important because if the input file is\n   not closed WinAFL won't be able to rewrite it.\n4. Return normally (so that WinAFL can \"catch\" this return and redirect\n   execution. 
\"returning\" via ExitProcess() and such won't work).\n\n## Instrumentation modes\n\nThe following documents provide information on using different instrumentation\nmodes with WinAFL:\n\n - [Dynamic instrumentation using DynamoRIO](https://github.com/googleprojectzero/winafl/blob/master/readme_dr.md)\n - [Dynamic instrumentation using TinyInst](https://github.com/googleprojectzero/winafl/blob/master/readme_tinyinst.md)\n - [Hardware tracing using Intel PT](https://github.com/googleprojectzero/winafl/blob/master/readme_pt.md)\n - [Static instrumentation via Syzygy](https://github.com/googleprojectzero/winafl/blob/master/readme_syzygy.md)\n\nBefore using WinAFL for the first time, you should read the documentation for\nthe specific instrumentation mode you are interested in. These documents also contain\nusage examples.\n\n## Attaching to a running process\n\nThe DynamoRIO instrumentation mode supports dynamically attaching to running processes. This option can be used to fuzz processes that cannot be launched directly by WinAFL, such as system services.\n\nTo use it, pass the `-A \u003cmodule\u003e` option to `afl-fuzz.exe`, where `\u003cmodule\u003e` is the name of a module loaded only by the target process (if the module is loaded by more than one process, WinAFL will terminate).\n\nWinAFL will attach to the target process and fuzz it normally. When the target process terminates (regardless of the reason), WinAFL will not restart it, but simply try to reattach. It is assumed that the target process will be restarted by an external script (or by the system itself). If WinAFL does not find the new target process within 10 seconds, it will terminate.\n\n## Sample delivery via shared memory\n\nWinAFL supports delivering samples via shared memory (as opposed to via a file, which is the default). This can be enabled by passing the `-s` option to `afl-fuzz.exe`. Shared memory is faster and can avoid some problems with files (e.g. 
unable to overwrite the sample file because a target maintains a lock on it). \nIf you are using shared memory for sample delivery then you need to make sure that in your harness you specifically read data from shared memory instead of file. Check a simple harness here:\n\nhttps://github.com/googleprojectzero/Jackalope/blob/6d92931b2cf614699e2a023254d5ee7e20f6e34b/test.cpp#L41  \nhttps://github.com/googleprojectzero/Jackalope/blob/6d92931b2cf614699e2a023254d5ee7e20f6e34b/test.cpp#L111  \n\n## Corpus minimization\n\nWinAFL includes the windows port of afl-cmin in winafl-cmin.py. Please run the\nbelow command to see the options and usage examples:\n\n```\nD:\\Codes\\winafl\u003epython winafl-cmin.py -h\n[...]\nExamples of use:\n * Typical use\n  winafl-cmin.py -D D:\\DRIO\\bin32 -t 100000 -i in -o minset -covtype edge -coverage_module m.dll -target_module test.exe -target_method fuzz -nargs 2 -- test.exe @@\n\n * Dry-run, keep crashes only with 4 workers with a working directory:\n  winafl-cmin.py -C --dry-run -w 4 --working-dir D:\\dir -D D:\\DRIO\\bin32 -t 10000 -i in -i C:\\fuzz\\in -o out_mini -covtype edge -coverage_module m.dll -target_module test.exe -target_method fuzz -nargs 2 -- test.exe @@\n\n * Read from specific file\n  winafl-cmin.py -D D:\\DRIO\\bin32 -t 100000 -i in -o minset -f foo.ext -covtype edge -coverage_module m.dll -target_module test.exe -target_method fuzz -nargs 2 -- test.exe @@\n\n * Read from specific file with pattern\n  winafl-cmin.py -D D:\\DRIO\\bin32 -t 100000 -i in -o minset -f prefix-@@-foo.ext -covtype edge -coverage_module m.dll -target_module test.exe -target_method fuzz -nargs 2 -- test.exe @@\n\n * Typical use with static instrumentation\n   winafl-cmin.py -Y -t 100000 -i in -o minset -- test.exe @@\n```\n\n\u003cp align=\"center\"\u003e\n\u003cimg alt=\"winafl-cmin.py\" src=\"screenshots/winafl-cmin.py.png\"/\u003e\n\u003c/p\u003e\n\n## Custom test cases processing\n\nWinAFL supports third party DLLs that can be used to 
define custom test-case processing (e.g. to send test cases over the network). To enable this option, you need to specify the ```-l \u003cpath\u003e``` argument.\nThe DLL should export the following two functions:\n```\ndll_init()\ndll_run(char *data, long size, int fuzz_iterations)\ndata - content of test case\nsize - size of test case\nfuzz_iterations - the current fuzzing iteration number\n```\n\nWe have implemented two sample DLLs for fuzzing network-based applications that you can customize for your own purposes.\n\n### Network fuzzing\n\nWinAFL's ```custom_net_fuzzer.dll``` allows WinAFL to fuzz network-based applications that receive and parse network data. There are several options supported by this DLL that should be provided via the environment variable ```AFL_CUSTOM_DLL_ARGS```:\n\n```\n  -a IP address - IP address to send data to\n  -U            - use UDP protocol instead of TCP to send data (default TCP)\n  -p port       - port to send data to\n  -w msec       - delay in milliseconds before fuzzing actually starts\n```\nFor example, if your application receives network packets via UDP on port 7714, you should set up the environment variable in the following way: ```set AFL_CUSTOM_DLL_ARGS=-U -p 7714 -a 127.0.0.1 -w 1000 ```\n\nYou still need to find a target function and make sure that this function receives data from the network, parses it, and returns normally. Also, you can use the In App Persistence mode (described in the DynamoRIO instrumentation document) if your application already runs the target function in a loop on its own.\n\nThis mode is still considered experimental, since we have experienced some stability and performance problems with it. However, we found this option very useful and managed to find several vulnerabilities in network-based applications (e.g. in Kollective Kontiki, listed above).\n\nThere is a second DLL ```custom_winafl_server.dll``` that allows WinAFL to act as a server and fuzz client-based applications. 
All you need is to set up the port to listen on for incoming connections from your target application. The environment variable ```AFL_CUSTOM_DLL_ARGS=\u003cport_id\u003e``` should be used for this purpose.\n\n#### Note\n\nIn case of server fuzzing, if the server socket has the `SO_REUSEADDR` option set like the following code, this may cause error `10055` after some time of fuzzing, due to the accumulation of `TIME_WAIT` sockets every time WinAFL restarts the target process.\n```\nsetsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char*)\u0026opt, sizeof(int));\n```\n\nTo avoid this, replace the `SO_REUSEADDR` option with `SO_LINGER` in the server source code, if it is available. `SO_LINGER` takes a `struct linger`; with `l_onoff = 1` and `l_linger = 0`, closing the socket sends a RST instead of leaving a `TIME_WAIT` entry behind:\n```\nstruct linger ling = { 1, 0 };  /* l_onoff = 1, l_linger = 0: abortive close, no TIME_WAIT */\nsetsockopt(s, SOL_SOCKET, SO_LINGER, (char*)\u0026ling, sizeof(ling));\n```\n\n## Custom mutators\n\nWinAFL supports loading a custom mutator from a third-party DLL.  You need to implement `dll_mutate_testcase` or `dll_mutate_testcase_with_energy` in your DLL and provide the DLL path to WinAFL via the `-l \u003cpath\u003e` argument.  WinAFL invokes the custom mutator before all the built-in mutations, and the custom mutator can skip all the built-in mutations by returning a non-zero value.  The `dll_mutate_testcase_with_energy` function additionally receives an energy value, equivalent to the number of iterations expected to run in the havoc stage without deterministic mutations. The custom mutator should invoke `common_fuzz_stuff` to run each new test case and make WinAFL aware of it.  
Below is an example mutator that increments every byte by one: \n\n```c\n#include \u003cstdlib.h\u003e\n#include \u003cstring.h\u003e\n#include \"types.h\"   // AFL's u8/u32 typedefs, from the WinAFL source tree\n\n// Export this function from your DLL (e.g. with __declspec(dllexport)) so\n// WinAFL can resolve it when the DLL is loaded via -l \u003cpath\u003e.\nu8 dll_mutate_testcase(char **argv, u8 *buf, u32 len, u8 (*common_fuzz_stuff)(char**, u8*, u32))\n{\n    u8 bailout = 0;\n    u8 *newbuf;\n    u32 i;\n    // duplicate the input buffer so the original test case stays untouched\n    newbuf = malloc(len);\n    if (!newbuf) return bailout;\n    memcpy(newbuf, buf, len);\n    // increment one more byte on each pass and call common_fuzz_stuff for every new test case\n    for (i = 0; i \u003c len; i++) {\n       newbuf[i] += 1;\n       if (common_fuzz_stuff(argv, newbuf, len)) {\n           bailout = 1; // common_fuzz_stuff asked us to stop: skip the rest of the mutations\n           break;\n       }\n    }\n    free(newbuf);\n    return bailout; // non-zero also skips WinAFL's built-in mutations\n}\n```\n\n## FAQ\n\n```\nQ: WinAFL reports timeouts while processing initial testcases.\nA: You should run your target in debug mode first (-debug flag) and only\n   run WinAFL once you get a message in the debug log that everything\n   appears to be running normally.\n\nQ: WinAFL runs slower than expected.\nA: This can commonly happen for several reasons:\n - Your target function loads a DLL for every iteration. This causes\n   DynamoRIO to translate the same code for every iteration, which causes\n   slowdowns. You will be able to see this in the debug log. To\n   resolve this, select (or write) your target function differently.\n - Your target function does not close the input file properly, which\n   causes WinAFL to kill the process in order to rewrite it. Please refer to\n   \"How to select a target function\" for what a target function should look like.\n\nQ: Can I fuzz DLLs with WinAFL?\nA: Yes, if you can write a harness that loads a library and runs some\n   function within. 
Write your target function according to \"How to select\n   a target function\" and for best performance, load the dll outside of\n   your target function (see the previous question).\n\nQ: Can I fuzz GUI apps with WinAFL\nA: Yes, provided that\n - There is a target function that behaves as explained in \"How to select\n   a target function\"\n - The target function is reachable without user interaction\n - The target function runs and returns without user interaction\n If these conditions are not satisfied, you might need to make custom changes\n to WinAFL and/or your target.\n```\n\n## Special Thanks\n\nSpecial thanks to Axel \"[0vercl0k](https://twitter.com/0vercl0k)\" Souchet of MSRC Vulnerabilities and\nMitigations Team for his contributions!\n","funding_links":[],"categories":["C","\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003e漏洞\u0026\u0026漏洞管理\u0026\u0026漏洞发现/挖掘\u0026\u0026漏洞开发\u0026\u0026漏洞利用\u0026\u0026Fuzzing","C (286)","Uncategorized","\u003ca id=\"c8cdb0e30f24e9b7394fcd5681f2e419\"\u003e\u003c/a\u003eDynamoRIO","Tools"],"sub_categories":["功能","Uncategorized","\u003ca id=\"6c4841dd91cb173093ea2c8d0b557e71\"\u003e\u003c/a\u003e工具","File Format Fuzzers","二进制","Binary"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogleprojectzero%2Fwinafl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogleprojectzero%2Fwinafl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogleprojectzero%2Fwinafl/lists"}
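The rules from "How to select a target function" and the DLL-fuzzing FAQ answer above, as an added example that is not part of the WinAFL project: a minimal file-parsing harness whose exported target function opens the input, parses it, closes it and returns normally, with the one-time setup kept in `main` outside the target function. The TLV record format, the sample bytes and the names `parse_tlv`, `fuzz_target` and `write_sample` are constructed for this illustration; `-target_method` and `-nargs` in the comments are the DynamoRIO-mode flags shown in the winafl-cmin examples above. It builds with MSVC on Windows and with gcc/clang elsewhere, so the parser can be tested anywhere.

```c
/* Added example harness for WinAFL's target-function rules (not WinAFL code).
 * The record format, sample bytes and function names are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#  define TARGET_FUNC __declspec(dllexport) __declspec(noinline)
#else
#  define TARGET_FUNC __attribute__((noinline))
#endif

/* Constructed toy format: records of
 *   1 byte type | 2 bytes little-endian length | <length> payload bytes
 * A record of type 0 ends the stream.  Returns the number of records, or -1
 * if a declared length runs past the end of the input. */
static int parse_tlv(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int records = 0;
    while (off + 3 <= len) {
        uint8_t  type = buf[off];
        uint16_t plen = (uint16_t)(buf[off + 1] | (buf[off + 2] << 8));
        off += 3;
        if (type == 0) return records;       /* end marker */
        if (plen > len - off) return -1;     /* truncated payload: reject */
        uint32_t sum = 0;                    /* touch the payload so coverage */
        for (size_t i = 0; i < plen; i++)    /* depends on data, not just headers */
            sum += buf[off + i];
        (void)sum;
        off += plen;
        records++;
    }
    return records;
}

/* The target function: what -target_method names (with -nargs 1).  It opens
 * the input, parses it, closes it and returns normally.  WinAFL rewrites the
 * file in place between iterations, so it must be reopened on every call and
 * closed before the function returns. */
TARGET_FUNC int fuzz_target(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -2;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -3; }
    long size = ftell(f);
    if (size < 0 || size > 1000000) { fclose(f); return -3; }
    rewind(f);
    uint8_t *buf = malloc(size > 0 ? (size_t)size : 1);
    if (!buf) { fclose(f); return -4; }
    size_t got = fread(buf, 1, (size_t)size, f);
    fclose(f);                      /* closed before return, so WinAFL can rewrite it */
    int rc = parse_tlv(buf, got);
    free(buf);
    return rc;                      /* return normally; never ExitProcess() here */
}

/* Writes a sample to disk (used by main and by tests).  0 on success. */
int write_sample(const char *path, const uint8_t *data, size_t len)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t n = fwrite(data, 1, len, f);
    fclose(f);
    return n == len ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* One-time setup (LoadLibrary of the code under test, global state)
     * belongs here, outside the target function, so DynamoRIO does not
     * re-translate it on every iteration (see the FAQ above). */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input file>\n", argv[0]);
        return 1;
    }
    printf("parse result: %d\n", fuzz_target(argv[1]));
    return 0;
}
```

Under WinAFL the DynamoRIO client re-enters `fuzz_target` with the same `path` argument for each iteration; the only thing that changes between calls is the file content, which is why the function reads the file from scratch every time and never caches the buffer across calls.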
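The `dll_init()`/`dll_run()` contract from "Custom test cases processing" above, as an added example that is not WinAFL's own `custom_net_fuzzer.dll`: a cut-down custom DLL that parses the same `AFL_CUSTOM_DLL_ARGS` options (`-a`, `-p`, `-U`, `-w`), applies the `-w` delay at iteration 0 (the iteration that follows a target restart), and then sends each test case to the target over TCP or UDP. The `int` return values, the `net_config` struct and the `parse_custom_dll_args`/`init_from_args` names are this example's own choices; the page does not show the real DLL's internals. Windows builds use Winsock; the `#else` branch exists only so the logic compiles and can be tested on POSIX.

```c
/* Added example of a WinAFL custom test-case DLL (not the project's own
 * custom_net_fuzzer.dll).  Return-value conventions are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#  include <winsock2.h>
#  include <ws2tcpip.h>
#  include <windows.h>
#  pragma comment(lib, "ws2_32.lib")
#  define DLL_EXPORT __declspec(dllexport)
   typedef SOCKET sock_t;
#  define SOCK_INVALID INVALID_SOCKET
#  define sock_close   closesocket
   static void sleep_ms(int ms) { Sleep((DWORD)ms); }
#else
#  include <arpa/inet.h>
#  include <netinet/in.h>
#  include <sys/socket.h>
#  include <time.h>
#  include <unistd.h>
#  define DLL_EXPORT
   typedef int sock_t;
#  define SOCK_INVALID (-1)
#  define sock_close   close
   static void sleep_ms(int ms) {
       struct timespec ts = { ms / 1000, (long)(ms % 1000) * 1000000L };
       nanosleep(&ts, NULL);
   }
#endif

struct net_config {
    char ip[64];    /* -a: destination address (default 127.0.0.1) */
    int  port;      /* -p: destination port (required) */
    int  use_udp;   /* -U: UDP instead of TCP */
    int  delay_ms;  /* -w: delay before the first send after a target (re)start */
};

/* Parse an AFL_CUSTOM_DLL_ARGS value such as "-U -p 7714 -a 127.0.0.1 -w 1000".
 * Returns 0 on success, -1 if the string is missing, malformed or has no port. */
int parse_custom_dll_args(const char *args, struct net_config *cfg)
{
    char buf[256];
    memset(cfg, 0, sizeof *cfg);
    strcpy(cfg->ip, "127.0.0.1");
    if (!args) return -1;
    snprintf(buf, sizeof buf, "%s", args);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (!strcmp(tok, "-U")) { cfg->use_udp = 1; continue; }
        char *val = strtok(NULL, " ");
        if (!val) return -1;                          /* option without a value */
        if      (!strcmp(tok, "-a")) snprintf(cfg->ip, sizeof cfg->ip, "%s", val);
        else if (!strcmp(tok, "-p")) cfg->port = atoi(val);
        else if (!strcmp(tok, "-w")) cfg->delay_ms = atoi(val);
        else return -1;                               /* unknown option */
    }
    return (cfg->port > 0 && cfg->port < 65536) ? 0 : -1;
}

static struct net_config g_cfg;

/* Split out of dll_init() so the parsing path is testable without the
 * environment.  Returns 1 on success, 0 on failure (assumed convention). */
int init_from_args(const char *args)
{
    return parse_custom_dll_args(args, &g_cfg) == 0;
}

DLL_EXPORT int dll_init(void)
{
#ifdef _WIN32
    WSADATA wsa;
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) return 0;
#endif
    return init_from_args(getenv("AFL_CUSTOM_DLL_ARGS"));
}

/* Deliver one test case.  Iteration 0 follows a (re)start of the target, so
 * the -w delay is applied there to let the server start listening.
 * Returns 0 if every byte was handed to the socket, -1 otherwise. */
DLL_EXPORT int dll_run(char *data, long size, int fuzz_iterations)
{
    if (fuzz_iterations == 0 && g_cfg.delay_ms > 0) sleep_ms(g_cfg.delay_ms);

    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port   = htons((unsigned short)g_cfg.port);
    if (inet_pton(AF_INET, g_cfg.ip, &dst.sin_addr) != 1) return -1;

    sock_t s = socket(AF_INET, g_cfg.use_udp ? SOCK_DGRAM : SOCK_STREAM, 0);
    if (s == SOCK_INVALID) return -1;
    int rc = -1;
    if (g_cfg.use_udp) {
        if (sendto(s, data, (int)size, 0, (struct sockaddr *)&dst, sizeof dst) == size) rc = 0;
    } else if (connect(s, (struct sockaddr *)&dst, sizeof dst) == 0) {
        long sent = 0;
        while (sent < size) {
            int n = (int)send(s, data + sent, (int)(size - sent), 0);
            if (n <= 0) break;
            sent += n;
        }
        if (sent == size) rc = 0;
    }
    sock_close(s);   /* one connection per test case */
    return rc;
}
```

Each `dll_run` call opens a fresh connection, which is the pattern that makes the `SO_REUSEADDR`/`TIME_WAIT` note in the server-fuzzing section matter: the target's side of every one of these connections has to be closed without leaving a `TIME_WAIT` entry, or the port pool runs dry after a few thousand iterations.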
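The `SO_REUSEADDR`/`TIME_WAIT` note above, as an added example that is neither WinAFL code nor taken from any particular server: the `SO_LINGER` setting written out with the documented `struct linger`, a read-back check a harness can use to confirm it took effect, and a small decoder that shows why passing an `int`-sized `opt` of `1` happens to work on Windows. Winsock's `struct linger` is two 16-bit fields (`l_onoff`, `l_linger`), so on a little-endian machine the bytes of `int opt = 1` land as `l_onoff = 1, l_linger = 0`, which is exactly the abortive-close setting; glibc's `struct linger` is two `int`s, so the same `sizeof(int)` call fails with `EINVAL` on Linux. `windows_linger`, `decode_windows_linger`, `set_abortive_close` and `has_abortive_close` are names chosen here; the POSIX branch exists only so the checks run anywhere.

```c
/* Added example for the SO_REUSEADDR/TIME_WAIT note (not WinAFL code). */
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#  include <winsock2.h>
#  include <ws2tcpip.h>
#  pragma comment(lib, "ws2_32.lib")
   typedef SOCKET sock_t;
#else
#  include <sys/socket.h>
#  include <unistd.h>
   typedef int sock_t;
#endif

/* Winsock's struct linger is two u_short fields (4 bytes); declared here
 * under another name so the aliasing check below runs on any platform. */
struct windows_linger { uint16_t l_onoff; uint16_t l_linger; };

/* Reinterpret an int the way setsockopt(s, SOL_SOCKET, SO_LINGER, &opt,
 * sizeof(int)) does on Windows.  Returns 1 if the bytes decode to an
 * abortive close (l_onoff != 0, l_linger == 0), 0 otherwise. */
int decode_windows_linger(int opt, struct windows_linger *out)
{
    memcpy(out, &opt, sizeof *out);   /* sizeof(int) == sizeof(struct linger) on Win32 */
    return out->l_onoff != 0 && out->l_linger == 0;
}

/* The explicit, portable form of the fix.  l_onoff = 1 with l_linger = 0
 * makes close()/closesocket() discard unsent data and send RST, so no
 * TIME_WAIT entry is left behind when WinAFL restarts the target.  Keep it
 * to fuzzing builds: peers lose the graceful FIN.  Returns setsockopt's
 * result (0 on success). */
int set_abortive_close(sock_t s)
{
    struct linger ling;
    memset(&ling, 0, sizeof ling);
    ling.l_onoff  = 1;
    ling.l_linger = 0;
    return setsockopt(s, SOL_SOCKET, SO_LINGER, (const char *)&ling, (socklen_t)sizeof ling);
}

/* Read the option back; 1 if the socket is set for abortive close. */
int has_abortive_close(sock_t s)
{
    struct linger ling;
    socklen_t len = (socklen_t)sizeof ling;
    memset(&ling, 0, sizeof ling);
    if (getsockopt(s, SOL_SOCKET, SO_LINGER, (char *)&ling, &len) != 0) return 0;
    return ling.l_onoff != 0 && ling.l_linger == 0;
}
```

Apply `set_abortive_close` to the accepted connection sockets as well as the listening socket if the server code gives you the chance: it is the per-connection close that would otherwise sit in `TIME_WAIT`, and a non-zero `l_linger` (the `0x00050001` case in the checks) restores the graceful close and, with it, the problem.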