Custom mutators with coverage feedback #1762
Hi guys! I was using the AFL++ custom (Python) mutator and got confused about the parameters of the fuzz callback def fuzz(buf, add_buf, max_size). According to the examples, buf is Do buf and add_buf have the same data? Is the data mutated from our corpus by AFL? If I set If I want to perform structure-aware fuzzing, for example, only mutate part of the structure, how can I implement it with the AFL++ custom mutator API? Any enlightenment would be appreciated!
Answering part of my question:
You can do that. Whether you actually use the queue item (buf) or ignore it is totally up to you.
AFL++ still does full coverage analysis.
What you lose is that AFL++ will not prefer good mutated input vs. not-as-good mutated input for the buf data, but that is just how it is with a mutator like that, not uncommon. Most grammar mutators have the same issue: they create the new data out of thin air, so to say.
And still no, your assumption on add_buf is wrong. It is as I wrote. :)
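As an added illustration of the "only mutate part of the structure" idea discussed above (this is example code written for this page, not code from the thread or from the AFL++ project), the module below implements the documented AFL++ Python mutator entry points `init(seed)` and `fuzz(buf, add_buf, max_size)` for a constructed toy record format: a 4-byte magic, a 2-byte big-endian length, then a payload. It goes slightly beyond the question by also showing one way to use `add_buf`, the second queue entry AFL++ hands in, as splice material inside the structure. The format, the magic value `AFLX`, and the helper names `parse`, `build` and `mutate_payload` are assumptions for the example; only the header is kept intact and consistent, so every generated input gets past the target's header checks and AFL++'s coverage feedback is spent on the payload.

```python
"""Structure-aware AFL++ Python custom mutator (example, not AFL++ code).

Toy record format (constructed for this example):
    4 bytes  magic   b"AFLX"
    2 bytes  length  uint16, big-endian, number of payload bytes
    N bytes  payload
Only the payload is mutated; magic and length are rebuilt afterwards.
"""
import random
import struct

MAGIC = b"AFLX"      # constructed magic value
HEADER_LEN = 6       # 4 magic + 2 length
MAX_PAYLOAD = 0xFFFF # largest value the uint16 length field can hold

_rng = random.Random()


def init(seed):
    """AFL++ calls this once with its seed so mutations are reproducible."""
    _rng.seed(seed)


def parse(buf):
    """Return the payload as bytes, or None if buf does not carry our header."""
    if len(buf) < HEADER_LEN or bytes(buf[:4]) != MAGIC:
        return None
    (length,) = struct.unpack(">H", bytes(buf[4:6]))
    return bytes(buf[HEADER_LEN:HEADER_LEN + length])


def build(payload):
    """Re-serialize with a length field that matches the payload."""
    payload = bytes(payload[:MAX_PAYLOAD])
    return bytearray(MAGIC + struct.pack(">H", len(payload)) + payload)


def mutate_payload(payload, other, rng):
    """Apply one mutation to the payload only. `other` is the parsed payload of
    the splice candidate (add_buf) or None."""
    data = bytearray(payload)
    choice = rng.randrange(4)
    if choice == 0 and data:                   # flip bits in one byte
        i = rng.randrange(len(data))
        data[i] ^= rng.randrange(1, 256)
    elif choice == 1 and other:                # splice a slice of the other payload
        start = rng.randrange(len(other))
        end = rng.randrange(start + 1, len(other) + 1)
        pos = rng.randrange(len(data) + 1)
        data[pos:pos] = other[start:end]
    elif choice == 2 and len(data) > 1:        # delete a run of bytes
        start = rng.randrange(len(data))
        end = rng.randrange(start + 1, len(data) + 1)
        del data[start:end]
    else:                                      # insert random bytes (also the fallback)
        pos = rng.randrange(len(data) + 1)
        count = rng.randrange(1, 9)
        data[pos:pos] = bytes(rng.randrange(256) for _ in range(count))
    return bytes(data)


def fuzz(buf, add_buf, max_size):
    """AFL++ entry point. buf is the current queue entry, add_buf another queue
    entry offered for splicing, max_size the largest input AFL++ will accept.
    Returns a bytearray, as the AFL++ Python API expects."""
    payload = parse(buf)
    if payload is None:
        # Not our format (e.g. a seed AFL++ picked up elsewhere): start from an
        # empty payload so the output is still a well-formed record.
        payload = b""
    other = parse(add_buf) if add_buf else None
    mutated = mutate_payload(payload, other, _rng)
    # Keep header + payload within max_size (assumes max_size >= HEADER_LEN,
    # which holds for AFL++'s default limits).
    limit = max(0, min(MAX_PAYLOAD, max_size - HEADER_LEN))
    return build(mutated[:limit])
```

To use it, put the module on `PYTHONPATH` and point AFL++ at it with `AFL_PYTHON_MODULE=<module name>`; setting `AFL_CUSTOM_MUTATOR_ONLY=1` in addition stops AFL++'s own havoc stage from corrupting the header, which is usually what you want when the point of the mutator is to keep the structure valid. As the reply above notes, coverage feedback still decides which queue entries get scheduled; the mutator only decides what to do with the bytes it is given.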