| Version 1 (modified by , 15 years ago) (diff) |
|---|
zzuf internals
This document is an attempt at explaining how zzuf works and how it can be extended to support more functions.
Architecture overview
The zzuf software consists in two parts:
- The
zzufexecutable - The
libzzufshared library
Here is the global workflow when zzuf fuzzes a process:
zzufreads options from the command line.zzufwrites fuzzing information to the environmentzuffpreloadslibzzufinto the called process and executes itlibzzufreads fuzzing information from the envronmentlibzzufdiverts standard function calls with its own ones- the called process runs normally, but any diverted call goes through
libzzuffirst
Writing function diversions
Diverted functions are declared using the NEW macro. The address of the original function is stored into a global function pointer using the ORIG macro. The LOADSYM macro takes care of retrieving its address and storing it into the pointer.
For instance, this is how the memalign function is declared in its libc header, malloc.h:
void *memalign(size_t boundary, size_t size);
And here is how memalign is diverted:
#include <malloc.h>
#include "libzzuf.h"
#include "lib-load.h"
/* ... */
#if defined HAVE_MEMALIGN
static void * (*ORIG(memalign)) (size_t boundary, size_t size);
#endif
/* ... */
#if defined HAVE_MEMALIGN
void *NEW(memalign)(size_t boundary, size_t size)
{
void *ret;
LOADSYM(memalign);
ret = ORIG(memalign)(boundary, size);
/* ... */
return ret;
}
#endif
