Questions on the harness example #56

@symexec

The harness example included in the README is as follows:

#include <stdio.h>
...
typedef int (__stdcall *IDP_Init_func_t)(int);
typedef int (__stdcall *IDP_GetPlugInInfo_func_t)(int);
...

void fuzz_me(char* filename){

    IDP_Init_func_t IDP_Init_func;
    IDP_GetPlugInInfo_func_t IDP_GetPlugInInfo_func;
...

    /* Harness function #0 */
    int* c0_a0 = (int*) calloc (4096, sizeof(int));    
    LOAD_FUNC(dlllib, IDP_Init);
    int IDP_Init_ret = IDP_Init_func(&c0_a0);
    dbg_printf("IDP_Init, ret = %d\n", IDP_Init_ret); 
    
    /* Harness function #1 */
    int* c1_a0 = (int*) calloc (4096, sizeof(int));    
    LOAD_FUNC(dlllib, IDP_GetPlugInInfo);
    int IDP_GetPlugInInfo_ret = IDP_GetPlugInInfo_func(&c1_a0);
    dbg_printf("IDP_GetPlugInInfo, ret = %d\n", IDP_GetPlugInInfo_ret); 

...
    /* Harness function #66 */
    int* c66_a0 = (int*) calloc (4096, sizeof(int));    
    LOAD_FUNC(dlllib, IDP_CloseImage);
    int IDP_CloseImage_ret = IDP_CloseImage_func(&c66_a0);
    dbg_printf("IDP_CloseImage, ret = %d\n", IDP_CloseImage_ret); 

}


int main(int argc, char ** argv)
{
    if (argc < 2) {
        printf("Usage %s: <input file>\n", argv[0]);
        printf("  e.g., harness.exe input\n");
        exit(1);
    }

    dlllib = LoadLibraryA("%s");
    if (dlllib == NULL){
        dbg_printf("failed to load library, gle = %d\n", GetLastError());
        exit(1);
    }

    char * filename = argv[1];    
    fuzz_me(filename);    
    return 0;
}

Questions:

  • The LoadLibraryA call does not accept any DLL name as input. Then how would the corresponding library be loaded?
  • The filename passed to the fuzz_me method is never read. Then how would it feed input to the API calls? The broader question is how the input read from the file flows to the APIs.
  • According to the function signature, the IDP_Init method accepts an int argument. However, a pointer to an integer array was passed during invocation. Is that intended?
  • According to the README, afl-fuzz expects a DLL as harness (-harness harness.dll), while the example above is likely to generate a standalone executable that does not even conform to the harness API. Can you explain?
