AFLplusplus
diff --git a/‎.github/workflows/build_and_test.yml
Lines changed: 9 additions & 0 deletions b/‎.github/workflows/build_and_test.yml
Lines changed: 9 additions & 0 deletions
diff --git a/‎fuzzers/tinyinst_simple/Cargo.toml
Lines changed: 2 additions & 2 deletions b/‎fuzzers/tinyinst_simple/Cargo.toml
Lines changed: 2 additions & 2 deletions
diff --git a/‎fuzzers/tinyinst_simple/Makefile.toml
Lines changed: 52 additions & 4 deletions b/‎fuzzers/tinyinst_simple/Makefile.toml
Lines changed: 52 additions & 4 deletions
diff --git a/‎fuzzers/tinyinst_simple/README.md
Lines changed: 9 additions & 1 deletion b/‎fuzzers/tinyinst_simple/README.md
Lines changed: 9 additions & 1 deletion
diff --git a/‎fuzzers/tinyinst_simple/src/main.rs
Lines changed: 29 additions & 9 deletions b/‎fuzzers/tinyinst_simple/src/main.rs
Lines changed: 29 additions & 9 deletions
diff --git a/‎fuzzers/tinyinst_simple/test/test.c
Lines changed: 0 additions & 36 deletions b/‎fuzzers/tinyinst_simple/test/test.c
Lines changed: 0 additions & 36 deletions
diff --git a/‎fuzzers/tinyinst_simple/test/test.cpp
Lines changed: 163 additions & 0 deletions b/‎fuzzers/tinyinst_simple/test/test.cpp
Lines changed: 163 additions & 0 deletions
@@ -173,6 +173,9 @@ jobs:
       run: rustup toolchain install nightly --component rustfmt --component clippy --allow-downgrade
     - name: Add no_std toolchain
       run: rustup toolchain install nightly-x86_64-unknown-linux-gnu ; rustup component add rust-src --toolchain nightly-x86_64-unknown-linux-gnu
+    - name: Install cxxbridge
+      if: runner.os == 'macOS'
+      run: cargo install cxxbridge-cmd
     - name: Install python (macOS)
       # Removing macOS things already installed in CI against failed linking
       if: runner.os == 'macOS'
@@ -255,10 +258,14 @@ jobs:
     - name: install cargo-make
       run: cargo install --force cargo-make
     - uses: ilammy/msvc-dev-cmd@v1
+    - name: install cxx bridge
+      run: cargo install cxxbridge-cmd
     - name: Build fuzzers/frida_libpng
       run: cd fuzzers/frida_libpng/ && cargo make test
     - name: Build fuzzers/frida_gdiplus
       run: cd fuzzers/frida_gdiplus/ && cargo make test
+    - name: Build fuzzers/tinyinst_simple
+      run: cd fuzzers/tinyinst_simple/ && cargo make test
 
   macos:
     runs-on: macOS-latest
@@ -271,6 +278,8 @@ jobs:
       run: rustup toolchain install nightly --component rustfmt --component clippy --allow-downgrade
     - name: Install deps
       run: brew install z3 gtk+3
+    - name: Install cxxbridge
+      run: cargo install cxxbridge-cmd
     - uses: actions/checkout@v3
     - uses: Swatinem/rust-cache@v2
     - name: MacOS Build
 
@@ -6,8 +6,8 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-libafl = { version = "0.8.1", path = "../../libafl", features = ["tui"] }
-libafl_tinyinst = { version = "0.8.1", path = "../../libafl_tinyinst" }
+libafl = { version = "0.8.2", path = "../../libafl", features = ["introspection"] }
+libafl_tinyinst = { version = "0.8.2", path = "../../libafl_tinyinst" }
 [profile.release]
 codegen-units = 1
 opt-level = 3
@@ -1,8 +1,56 @@
-[tasks.build_test]
-command = "cl"
-args = ["./test/test.c", "-o", "./test/test.exe"]
+[tasks.unsupported]
+script_runner="@shell"
+script='''
+echo "Cargo-make not integrated yet on this"
+'''
 
+# Harness
+[tasks.harness]
+linux_alias = "unsupported"
+mac_alias = "unsupported"
+windows_alias = "harness_windows"
+
+[tasks.harness_windows]
+script='''
+cl test\test.cpp -o test.exe
+'''
+
+# Fuzzer
+[tasks.fuzzer]
+linux_alias = "unsupported"
+mac_alias = "unsupported"
+windows_alias = "fuzzer_windows"
+
+[tasks.fuzzer_windows]
+dependencies = ["harness"]
+command = "cargo"
+args = ["build", "--release"]
+
+# Run the fuzzer
 [tasks.run]
-dependencies = ["build_test"]
+linux_alias = "unsupported"
+mac_alias = "unsupported"
+windows_alias = "run_windows"
+
+[tasks.run_windows]
+dependencies = ["harness", "fuzzer"]
 command = "cargo"
 args = ["run", "--release"]
+
+
+# Run the fuzzer
+[tasks.test]
+linux_alias = "unsupported"
+mac_alias = "unsupported"
+windows_alias = "test_windows"
+
+[tasks.test_windows]
+script_runner = "@shell"
+script='''
+copy .\target\release\tinyinst_simple.exe .
+start "" "tinyinst_simple.exe"
+#ping is for timeout
+ping -n 10 127.0.0.1>NUL && taskkill /im tinyinst_simple.exe /F
+>nul 2>nul dir /a-d "corpus_discovered\*" && (echo Files exist) || (exit /b 1337)
+'''
+dependencies = [ "harness", "fuzzer" ]
@@ -1,3 +1,11 @@
-# Run Instruction
+# Tinyinst example
+This is a fuzzer example to show how libafl_tinyinst works
+
+## How to build
+1. Build the harness with `cl test\test.cpp -o test.exe`
+2. Build the fuzzer with `cargo build --release`. The fuzzer is `target\release\tinyinst_simple.exe`
+
+## Run with cargo-make
+Or, you can simple run it using cargo-make
 1. Open up developer powershell so that you have access to cl (Windows Default Compiler)
 2. Run `cargo make run` to run the fuzzer
@@ -1,8 +1,13 @@
 use std::path::PathBuf;
 
+#[cfg(target_vendor = "apple")]
+use libafl::bolts::shmem::UnixShMemProvider;
+#[cfg(windows)]
+use libafl::bolts::shmem::Win32ShMemProvider;
 use libafl::{
     bolts::{
         rands::{RandomSeed, StdRand},
+        shmem::ShMemProvider,
         tuples::tuple_list,
     },
     corpus::{CachedOnDiskCorpus, Corpus, OnDiskCorpus, Testcase},
@@ -17,17 +22,30 @@ use libafl::{
     state::StdState,
     Fuzzer, StdFuzzer,
 };
-use libafl_tinyinst::executor::TinyInstExecutor;
+use libafl_tinyinst::executor::TinyInstExecutorBuilder;
 static mut COVERAGE: Vec<u64> = vec![];
 
+#[cfg(not(any(target_vendor = "apple", windows)))]
+fn main() {}
+
+#[cfg(any(target_vendor = "apple", windows))]
 fn main() {
     // Tinyinst things
     let tinyinst_args = vec!["-instrument_module".to_string(), "test.exe".to_string()];
 
-    let args = vec![".\\test\\test.exe".to_string(), "@@".to_string()];
+    // use shmem to pass testcases
+    let args = vec!["test.exe".to_string(), "-m".to_string(), "@@".to_string()];
+
+    // use file to pass testcases
+    // let args = vec!["test.exe".to_string(), "-f".to_string(), "@@".to_string()];
 
     let observer = unsafe { ListObserver::new("cov", &mut COVERAGE) };
     let mut feedback = ListFeedback::with_observer(&observer);
+    #[cfg(windows)]
+    let mut shmem_provider = Win32ShMemProvider::new().unwrap();
+
+    #[cfg(target_vendor = "apple")]
+    let mut shmem_provider = UnixShMemProvider::new().unwrap();
 
     let input = BytesInput::new(b"bad".to_vec());
     let rand = StdRand::new();
@@ -46,13 +64,15 @@ fn main() {
 
     let mut mgr = SimpleEventManager::new(monitor);
     let mut executor = unsafe {
-        TinyInstExecutor::new(
-            &mut COVERAGE,
-            tinyinst_args,
-            args,
-            5000,
-            tuple_list!(observer),
-        )
+        TinyInstExecutorBuilder::new()
+            .tinyinst_args(tinyinst_args)
+            .program_args(args)
+            .use_shmem()
+            .persistent("test.exe".to_string(), "fuzz".to_string(), 1, 10000)
+            .timeout(std::time::Duration::new(5, 0))
+            .shmem_provider(&mut shmem_provider)
+            .build(&mut COVERAGE, tuple_list!(observer))
+            .unwrap()
     };
     let mutator = StdScheduledMutator::new(havoc_mutations());
     let mut stages = tuple_list!(StdMutationalStage::new(mutator));
 
@@ -0,0 +1,163 @@
+/*
+Copyright 2020 Google LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#define _CRT_SECURE_NO_WARNINGS
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <string.h>
+#include <inttypes.h>
+
+// shared memory stuff
+
+#if defined(WIN32) || defined(_WIN32) || defined(__WIN32)
+  #include <windows.h>
+#else
+  #include <sys/mman.h>
+#endif
+
+#define MAX_SAMPLE_SIZE 1000000
+#define SHM_SIZE (4 + MAX_SAMPLE_SIZE)
+unsigned char *shm_data;
+
+bool use_shared_memory;
+
+#if defined(WIN32) || defined(_WIN32) || defined(__WIN32)
+
+int setup_shmem(const char *name) {
+  HANDLE map_file;
+
+  map_file = OpenFileMapping(FILE_MAP_ALL_ACCESS,  // read/write access
+                             FALSE,                // do not inherit the name
+                             name);                // name of mapping object
+
+  if (map_file == NULL) {
+    printf("Error accessing shared memory\n");
+    return 0;
+  }
+
+  shm_data = (unsigned char *)MapViewOfFile(
+      map_file,             // handle to map object
+      FILE_MAP_ALL_ACCESS,  // read/write permission
+      0, 0, SHM_SIZE);
+
+  if (shm_data == NULL) {
+    printf("Error accessing shared memory\n");
+    return 0;
+  }
+
+  return 1;
+}
+
+#else
+
+int setup_shmem(const char *name) {
+  int fd;
+
+  // get shared memory file descriptor (NOT a file)
+  fd = shm_open(name, O_RDONLY, S_IRUSR | S_IWUSR);
+  if (fd == -1) {
+    printf("Error in shm_open\n");
+    return 0;
+  }
+
+  // map shared memory to process address space
+  shm_data =
+      (unsigned char *)mmap(NULL, SHM_SIZE, PROT_READ, MAP_SHARED, fd, 0);
+  if (shm_data == MAP_FAILED) {
+    printf("Error in mmap\n");
+    return 0;
+  }
+
+  return 1;
+}
+
+#endif
+
+// used to force a crash
+char *crash = NULL;
+
+// ensure we can find the target
+
+#if defined(WIN32) || defined(_WIN32) || defined(__WIN32)
+  #define FUZZ_TARGET_MODIFIERS __declspec(dllexport)
+#else
+  #define FUZZ_TARGET_MODIFIERS __attribute__((noinline))
+#endif
+
+// actual target function
+
+void FUZZ_TARGET_MODIFIERS fuzz(char *name) {
+  char    *sample_bytes = NULL;
+  uint32_t sample_size = 0;
+
+  // read the sample either from file or
+  // shared memory
+  if (use_shared_memory) {
+    sample_size = *(uint32_t *)(shm_data);
+    if (sample_size > MAX_SAMPLE_SIZE) sample_size = MAX_SAMPLE_SIZE;
+    sample_bytes = (char *)malloc(sample_size);
+    memcpy(sample_bytes, shm_data + sizeof(uint32_t), sample_size);
+  } else {
+    FILE *fp = fopen(name, "rb");
+    if (!fp) {
+      printf("Error opening %s a\n", name);
+      return;
+    }
+    fseek(fp, 0, SEEK_END);
+    sample_size = ftell(fp);
+    fseek(fp, 0, SEEK_SET);
+    sample_bytes = (char *)malloc(sample_size);
+    fread(sample_bytes, 1, sample_size, fp);
+    fclose(fp);
+  }
+  // printf("sample_bytes: %s", sample_bytes);
+  if (sample_size >= 4) {
+    // check if the sample spells "test"
+    if (*(uint32_t *)(sample_bytes) == 0x74736574) {
+      // if so, crash
+      crash[0] = 1;
+    }
+  }
+
+  if (sample_bytes) free(sample_bytes);
+}
+
+int main(int argc, char **argv) {
+  if (argc != 3) {
+    printf("Usage: %s <-f|-m> <file or shared memory name>\n", argv[0]);
+    return 0;
+  }
+  if (!strcmp(argv[1], "-m")) {
+    use_shared_memory = true;
+  } else if (!strcmp(argv[1], "-f")) {
+    use_shared_memory = false;
+  } else {
+    printf("Usage: %s <-f|-m> <file or shared memory name>\n", argv[0]);
+    return 0;
+  }
+
+  // map shared memory here as we don't want to do it
+  // for every operation
+  if (use_shared_memory) {
+    if (!setup_shmem(argv[2])) { printf("Error mapping shared memory\n"); }
+  }
+
+  fuzz(argv[2]);
+
+  return 0;
+}