Version 1 (modified by Sam Hocevar, 14 years ago) (diff)

start writing internal documentation

zzuf internals

This document is an attempt at explaining how zzuf works and how it can be extended to support more functions.

Architecture overview

The zzuf software consists in two parts:

  • The zzuf executable
  • The libzzuf shared library

Here is the global workflow when zzuf fuzzes a process:

  • zzuf reads options from the command line.
  • zzuf writes fuzzing information to the environment
  • zuff preloads libzzuf into the called process and executes it
  • libzzuf reads fuzzing information from the envronment
  • libzzuf diverts standard function calls with its own ones
  • the called process runs normally, but any diverted call goes through libzzuf first

Writing function diversions

Diverted functions are declared using the NEW macro. The address of the original function is stored into a global function pointer using the ORIG macro. The LOADSYM macro takes care of retrieving its address and storing it into the pointer.

For instance, this is how the memalign function is declared in its libc header, malloc.h:

void *memalign(size_t boundary, size_t size);

And here is how memalign is diverted:

#include <malloc.h>
#include "libzzuf.h"
#include "lib-load.h"

/* ... */

#if defined HAVE_MEMALIGN
static void * (*ORIG(memalign)) (size_t boundary, size_t size);
#endif

/* ... */

#if defined HAVE_MEMALIGN
void *NEW(memalign)(size_t boundary, size_t size)
{
    void *ret;
    LOADSYM(memalign);
    ret = ORIG(memalign)(boundary, size);
    /* ... */
    return ret;
}
#endif

Standard file descriptor functions

FILE * functions