A problem about pre_fuzz_handler
Hi, I don't understand how winafl implements persistent fuzzing for a target program. I think winafl saves the register (SP and PC) values in the "pre_fuzz_handler" function and restores the register (SP and PC) values in the "post_fuzz_handler" function, but there are no operations for restoring memory data. Is my understanding correct?
You are correct, the content of PC(EIP/RIP) and SP(ESP/RSP) registers is saved and restored between the iterations, as well as all function arguments (that's why you need to specify how many of them there are :-)
It is true that memory isn't saved/restored - it is my assumption that, in most WinAFL use cases, that won't be needed. And if that is not the case for some target, pre/post_fuzz_handler can be extended to save the specific data required (rather than attempting to restore everything, which would be too expensive).
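The register-only restore described above, as a constructed C illustration that is not WinAFL's code: `target_main`, the two globals and the snapshot helpers are hypothetical stand-ins for the target-specific data a pre/post_fuzz_handler extension would save and put back.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a target whose global memory changes on the first
 * call (real targets hide this in parsers, allocators, "already initialised"
 * flags). WinAFL's persistent mode puts back PC/SP and the arguments, not this. */
static int  g_calls_seen = 0;
static char g_scratch[16];

/* The target_method: runs only on pristine state and returns -1 otherwise, which
 * is what "doesn't run normally after the first iteration" looks like. */
int target_main(const char *input)
{
    if (g_calls_seen != 0 || g_scratch[0] != '\0') return -1;
    g_calls_seen++;
    strncpy(g_scratch, input, sizeof g_scratch - 1);
    return 0;
}
/* Simulates a fresh process before each experiment below. */
static void fresh_process(void) { g_calls_seen = 0; memset(g_scratch, 0, sizeof g_scratch); }

/* The specific data an extended pre/post_fuzz_handler would save and put back;
 * snapshotting only what the target needs keeps the per-iteration cost low. */
typedef struct { int calls_seen; char scratch[16]; } snapshot_t;
static void snapshot_save(snapshot_t *s) { s->calls_seen = g_calls_seen; memcpy(s->scratch, g_scratch, 16); }
static void snapshot_restore(const snapshot_t *s) { g_calls_seen = s->calls_seen; memcpy(g_scratch, s->scratch, 16); }

/* Persistent loop with only registers/arguments restored (the default); returns how many iterations failed. */
int run_without_restore(int iterations)
{
    int failures = 0;
    fresh_process();
    for (int i = 0; i < iterations; i++)
        if (target_main("AAAA") != 0) failures++;
    return failures;
}

/* Same loop with the snapshot taken on first entry (pre_fuzz_handler) and restored after every iteration (post_fuzz_handler). */
int run_with_restore(int iterations)
{
    int failures = 0;
    snapshot_t snap;
    fresh_process();
    snapshot_save(&snap);
    for (int i = 0; i < iterations; i++) {
        if (target_main("AAAA") != 0) failures++;
        snapshot_restore(&snap);
    }
    return failures;
}

int main(void) { printf("%d vs %d of 3 iterations failed\n", run_without_restore(3), run_with_restore(3)); return 0; }
```

Only the first iteration of the register-only loop succeeds; with the snapshot put back every iteration behaves like a fresh run.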
Thanks for your reply. I raised this question because I found that some programs can't run normally. For example, with ffmpeg I set the offset of the main function as the target_offset, but it doesn't work. What do you think might be the reason? In addition, I set ffmpeg to use a single thread.