Need help with hotwax?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

172 Stars 23 Forks The Unlicense 21 Commits 2 Opened issues


Coverage-guided binary fuzzing powered by Frida Stalker

Services available


Need anything else?

Contributors list

# 122,080
13 commits
# 5,110
2 commits
# 2,769
1 commit


This repo is not longer maintained. See LibAFL

Coverage-guided binary fuzzing powered by Frida Stalker

A good introduction to the concept of coverage-guided fuzzing can be found on the AFL repo. Details on the Frida Stalker can be found here (note that these examples are in JavaScript whereas this uses the C API which has little documentation.)

How does this work?

The main hangup with fuzzing binaries is the lack of instrumentation. In traditional coverage-guided fuzzing scenarios, the target binary is instrumented ahead-of-time (AOT) using, for example, a compiler plugin which inserts function calls on basic block edges to report binary coverage. This provides a feedback mechanism to a generative algorithm which decides whether a mutated input was useful or not. Usefulness is based on a number of factors, with the primary one being how many basic blocks a specific input reaches. The goal of this stochastic process is to maximize basic block coverage. The more code you reach, the more bugs you are likely to hit.

However, in our closed-box example, we do not have the ability to AOT instrument binaries because we do not have perfect control flow to operate off of. Here's where Frida comes in: we observe program execution, looking for basic block terminators (jumps, branches, etc.) and dynamically insert machine instructions on these basic block edges. (This kind of dynamic instrumentation can be particularily complex at times, and is described in further detail in the Frida Stalker article.) These machine instructions then call out into a fuzzer and provide it with coverage information. Now we can use AFL's well-tuned fuzzing algorithms by providing it with basic block coverage!

How can I use it?

You need the

, which can be found here: (make sure you pick the correct OS and architecture)

You'll also need to have AFL built, enter

in the root.

To build

, you need
. Consult your package manager or the meson documentation for details. Use
meson build && cd build && ninja
to build.

To begin fuzzing the example targets, create the

and place a seed in it:
mkdir -p testcase_dir && echo "AAA" > testcase_dir/sample.txt
. Then, use your AFL built to begin fuzzing the appropriate target, e.g.:
$ ./AFL/afl-fuzz -m 128 -i testcase_dir -o findings_dir ./build/targets/target_persistent

To fuzz custom software, replace the code in

and add test case(s) as appropriate. External libraries will be automatically instrumented (you can prevent this by adding exclusion calls in the respective target).

To build the baseline, which is now deprecated:

1) Enter

and run
2) Build the baseline targets:
    $ ./AFL/afl-clang targets/target.c baseline/fork_instr.c -o baseline/fork_instr
    $ ./AFL/afl-clang-fast targets/target.c baseline/persistent_instr.c -o baseline/persistent_instr


If you find bugs with this tool, please make a PR to add to the trophy case.


This software uses code from AFL which is licensed under the Apache 2.0 license and is copyright of Google Inc. Further, some code is lifted from the Frida project which is licensed under the wxWindows Library Licence, Version 3.1. See respective file headers for more details. All code in this repository of

's copyright is under the Unlicense.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.