
Comments (9)

ivanfratric avatar ivanfratric commented on July 24, 2024

It is not supposed to close automatically, that's not how WinAFL works. You need to select a target_offset of a function that will return when processing of your input file is done. See another discussion on this in https://github.com/ivanfratric/winafl/issues/6

from winafl.

romi007r avatar romi007r commented on July 24, 2024

After the manual intervention I am able to get the iterations, but running AFL again results in hangs:

1 processes nudged
[!] WARNING: Test case results in a hang (skipping)
[*] Attempting dry run with 'id_000002'...

This is the command line I am using:

afl-fuzz.exe -i in -o new -D c:\winafl-master\dyno\bin64 -t 1000+ -- -coverage_module notepad.exe -target_offset 0x3a14 -target_module notepad.exe -fuzz_iterations 5000 -nargs 4 -- C:\Windows\system32\notepad.exe


ivanfratric avatar ivanfratric commented on July 24, 2024

Please read the other thread I linked. I assume you are trying to fuzz the WinMain function of notepad.exe. That function won't return without user interaction and WinAFL won't handle that user interaction for you.


romi007r avatar romi007r commented on July 24, 2024

@ivanfratric thanks for the help, now I have a fair understanding of the issue.


romi007r avatar romi007r commented on July 24, 2024

Thanks @ivanfratric, I was able to fuzz programs like Internet Explorer 64-bit, but do you have any recommendation for finding the target function for a generic program?


ifratric avatar ifratric commented on July 24, 2024

That's a difficult question and I don't think there really is a generic way; it will usually take some reversing of the target to figure out what a good target function might be. Some approaches that might work:

  • If you know where some of the functionality (e.g. file parsing) that you want to fuzz is implemented, you can set a breakpoint somewhere in it and, when you hit that breakpoint, list the call stack. Your target function should be something on that call stack.
  • Another approach might be to set a breakpoint on file opening functions (e.g. CreateFileA/CreateFileW), look where your input file is opened and take the call stack from there.


romi007r avatar romi007r commented on July 24, 2024

Hi @ifratric @ivanfratric, I was successfully able to fuzz many programs. Any suggestions on how to create valid test cases from the raw fuzzer output in Windows, some sort of crash analyzer?


ivanfratric avatar ivanfratric commented on July 24, 2024

I'm not sure if that's what you mean but all samples with new coverage as well as all samples that caused a crash are stored in the WinAFL output directory (same as AFL).


romi007r avatar romi007r commented on July 24, 2024

To be precise, how can we produce straightforward reproduction cases from the samples in the crash folder, such as an HTML file for a browser or a specific file format?

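The two questions above (turning raw fuzzer output into reproduction cases, and the earlier answer that crashing samples simply sit in the output directory's crashes folder) come down to a triage loop: take each file the fuzzer saved, run the target on it outside the fuzzer, and record whether it still crashes or hangs. The script below is an added example, not WinAFL's own code and not something posted in this thread. It assumes only that the crashing inputs are files under `<out_dir>\crashes` and that the target is launched from a command line in which the token `@@` stands for the input path (AFL's convention; WinAFL's exact file naming is not relied on). The `demo()` function builds a constructed crashes folder and a stand-in target so the harness can be exercised offline.

```python
"""Re-run saved crash samples against a target to see which ones reproduce.

Added example, not part of WinAFL. Assumptions (labelled):
  - crash inputs are plain files under <out_dir>/crashes;
  - the target command line uses "@@" as the placeholder for the input path;
  - a non-zero exit status or a timeout counts as "reproduced".
On Windows an unhandled exception shows up as a large positive exit code
(e.g. 0xC0000005 for an access violation); on POSIX as a negative signal number.
"""
import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Reproduction:
    sample: str
    exit_code: Optional[int]   # None when the run timed out
    timed_out: bool
    reproduced: bool


def build_command(cmd_template: List[str], sample_path: str) -> List[str]:
    """Substitute the sample path for every "@@" token in the command template."""
    return [sample_path if tok == "@@" else tok for tok in cmd_template]


def run_sample(cmd_template: List[str], sample_path: str, timeout: float) -> Reproduction:
    """Run the target once on one saved sample and classify the outcome."""
    name = os.path.basename(sample_path)
    cmd = build_command(cmd_template, sample_path)
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        # A hang is a result too: the sample keeps the target busy past the budget.
        return Reproduction(name, None, True, True)
    return Reproduction(name, proc.returncode, False, proc.returncode != 0)


def triage_crashes(crash_dir: str, cmd_template: List[str], timeout: float = 10.0) -> List[Reproduction]:
    """Re-run every file in the crashes folder and collect the verdicts."""
    results = []
    for name in sorted(os.listdir(crash_dir)):
        if name.lower().startswith("readme"):   # AFL drops a README.txt into crashes/
            continue
        path = os.path.join(crash_dir, name)
        if os.path.isfile(path):
            results.append(run_sample(cmd_template, path, timeout))
    return results


# Stand-in target (constructed for the demo): exit 0 for short inputs, exit 3 for
# longer ones, and spin for a few seconds if the input starts with b"HANG".
_STAND_IN_TARGET = [
    sys.executable, "-c",
    "import sys,time; d=open(sys.argv[1],'rb').read(); "
    "time.sleep(3) if d.startswith(b'HANG') else None; "
    "sys.exit(0 if len(d) < 8 else 3)",
    "@@",
]


def demo() -> List[tuple]:
    """Build a constructed crashes folder, triage it, and return (name, reproduced, timed_out)."""
    with tempfile.TemporaryDirectory() as tmp:
        crash_dir = os.path.join(tmp, "crashes")
        os.mkdir(crash_dir)
        samples = {                      # constructed sample inputs
            "a_ok": b"short",            # exits 0: does not reproduce
            "b_crash": b"long enough input",  # exits 3: reproduces
            "c_hang": b"HANG and more",  # times out: reported as a hang
        }
        for name, data in samples.items():
            with open(os.path.join(crash_dir, name), "wb") as f:
                f.write(data)
        with open(os.path.join(crash_dir, "README.txt"), "w") as f:
            f.write("constructed placeholder, skipped by triage\n")
        results = triage_crashes(crash_dir, _STAND_IN_TARGET, timeout=1.0)
        return [(r.sample, r.reproduced, r.timed_out) for r in results]


if __name__ == "__main__":
    for sample, reproduced, timed_out in demo():
        print(f"{sample}: reproduced={reproduced} timed_out={timed_out}")
```

One caveat worth keeping in mind when a saved sample does not reproduce this way: WinAFL runs the target function repeatedly in one process (`-fuzz_iterations`), so a crash may depend on state left behind by earlier iterations rather than on the last input alone. Re-running the sample through the same instrumented loop, or replaying the preceding queue entries first, is the next step in that case.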
