Skip to content

IntelPT babyfuzzer remove TUI, #3725

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Marcondiro wants to merge 2 commits into
base: main
Choose a base branch
from
Open

IntelPT babyfuzzer remove TUI, #3725

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ebf939a
libafl_intelpt README.md: Add also my name
Marcondiro Feb 10, 2026
80b789d
intelPT babyfuzzer lints
Marcondiro Feb 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion crates/libafl_intelpt/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Intel Processor Trace (PT) low level code
# Intel Processor Trace (PT) low level code for `LibAFL`

This module is a wrapper around the `IntelPT` kernel driver, exposing functionalities specifically crafted for `LibAFL`.

Expand All @@ -7,6 +7,8 @@ At the moment only `Linux` hosts are supported.
You can run `sudo -E cargo test intel_pt_check_availability -- --show-output` to check if your host has all the features
used by this crate.

This crate is part of [LibAFL](https://github.com/AFLplusplus/LibAFL) and is maintained by Marco Cavenati.

## The `LibAFL` Project

The `LibAFL` project is part of [`AFLplusplus`](https://github.com/AFLplusplus) and maintained by
Expand Down
29 changes: 10 additions & 19 deletions fuzzers/binary_only/intel_pt_baby_fuzzer/src/main.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,6 @@ use std::{
hint::black_box, num::NonZero, path::PathBuf, process, ptr::copy_nonoverlapping, time::Duration,
};

#[cfg(feature = "tui")]
use libafl::monitors::tui::TuiMonitor;
#[cfg(not(feature = "tui"))]
use libafl::monitors::SimpleMonitor;
use libafl::{
corpus::{InMemoryCorpus, OnDiskCorpus},
events::SimpleEventManager,
Expand All @@ -18,26 +14,27 @@ use libafl::{
fuzzer::{Fuzzer, StdFuzzer},
generators::RandPrintablesGenerator,
inputs::{BytesInput, HasTargetBytes},
monitors::SimpleMonitor,
mutators::{havoc_mutations::havoc_mutations, scheduled::HavocScheduledMutator},
observers::ConstMapObserver,
schedulers::QueueScheduler,
stages::mutational::StdMutationalStage,
state::StdState,
};
use libafl_bolts::{current_nanos, nonnull_raw_mut, rands::StdRand, tuples::tuple_list, AsSlice};
use libafl_bolts::{current_nanos, nonnull_raw_mut, rands::StdRand, tuples::tuple_list};
use proc_maps::get_process_maps;

// Coverage map
// Edge coverage map.
const MAP_SIZE: usize = 4096;
static mut MAP: [u8; MAP_SIZE] = [0; MAP_SIZE];
static mut MAP_PTR: *mut u8 = &raw mut MAP as _;

pub fn main() {
// The closure that we want to fuzz
// The function that we want to fuzz
let mut harness = |input: &BytesInput| {
let target = input.target_bytes();
let buf = target.as_slice();
let buf = input.target_bytes();
if !buf.is_empty() && buf[0] == b'a' {
// Avoid compiler optimizations
let _do_something = black_box(0);
if buf.len() > 1 && buf[1] == b'b' {
let _do_something = black_box(0);
Expand All @@ -50,17 +47,16 @@ pub fn main() {
};

// Create an observation channel using the map
let observer = unsafe { ConstMapObserver::from_mut_ptr("signals", nonnull_raw_mut!(MAP)) };
let observer = unsafe { ConstMapObserver::from_mut_ptr("edges", nonnull_raw_mut!(MAP)) };

// Feedback to rate the interestingness of an input
let mut feedback = MaxMapFeedback::new(&observer);

// A feedback to choose if an input is a solution or not
let mut objective = CrashFeedback::new();

// create a State from scratch
let mut state = StdState::new(
// RNG
// Random Number Generator
StdRand::with_seed(current_nanos()),
// Corpus that will be evolved, we keep it in memory for performance
InMemoryCorpus::new(),
Expand All @@ -75,14 +71,8 @@ pub fn main() {
)
.unwrap();

// The Monitor trait define how the fuzzer stats are displayed to the user
#[cfg(not(feature = "tui"))]
// The Monitor define how the fuzzer stats are displayed to the user, here we simply print
let mon = SimpleMonitor::new(|s| println!("{s}"));
#[cfg(feature = "tui")]
let mon = TuiMonitor::builder()
.title("Baby Fuzzer Intel PT")
.enhanced_graphics(false)
.build();

// The event manager handle the various events generated during the fuzzing loop
// such as the notification of the addition of a new item to the corpus
Expand Down Expand Up @@ -113,6 +103,7 @@ pub fn main() {
})
.collect::<Vec<_>>();

// Pass the executable memory to the code responsible for Intel PT trace decoding
let pt = IntelPT::builder().images(images).build().unwrap();
// Intel PT hook that will handle the setup of Intel PT for each execution and fill the map
let pt_hook = unsafe {
Expand Down
Loading