
Understanding Qiling fuzzing

Open psparc82 opened this issue 1 year ago • 0 comments

Hi,

I'm trying to understand at a high level how Qiling fuzzes with AFL++ and unicorn. The fuzzing examples and documentation don't fully explain it. So here are a few questions:

  • When I set the hook that starts the fuzzing (ql.hook_address(start_afl, target_func_addr), then ql.run()) does this do the following?
    1. emulates until target_func_addr is hit
    2. starts the fuzzing engine which generates the inputs
    3. fuzzer/Qiling then only calls target_func_addr and doesn't restart the binary from the beginning for each fuzz?
    4. If the binary isn't restarted for each fuzz then what is Qiling using in the register values each time target_func_addr is called?
    5. What happens with the emulator's memory, do heap objects persist or are they cleared for each fuzz?

Any sort of diagram / order of events explaining how the fuzzing works would be great!

Thanks for reading and thanks for the excellent project

psparc82 · Feb 16 '24 12:02