in_app persistent mode not working correctly #455

Open
personnumber3377 opened this issue Jan 17, 2025 · 1 comment

Comments

@personnumber3377

Hi!

I have found a method inside a closed-source binary and then patched the binary to go into a loop when executing the function of interest. (I added a jmp after the return from the target function such that it jumps back to the call instruction.) The fuzzer seems to work correctly, however the persistence doesn't work, since it opens the entire program again on each fuzzing cycle. How do I make it actually loop correctly? The program is ORGCHART.EXE in Microsoft Office and you can read more about that here: https://personnumber3377.github.io/projects/fuzzing_orgchat.html . I am trying to essentially fuzz ORGCHART.EXE and I patched the binary such that it should loop the function of interest, however afl-fuzz opens the binary again on each cycle.

@ifratric
Collaborator

ifratric commented Feb 4, 2025

Hi, I can't help with your target, but you can test the in_app persistent mode as described in https://github.com/googleprojectzero/winafl/blob/master/readme_dr.md#in-app-persistence-mode and report if you encounter problems with that.

But also, you shouldn't have to patch your target to run a function in a loop - by default, WinAFL's instrumentation will loop over the target function on its own. The in_app persistent mode is mostly useful when the target already loops over the target method for some reason.

Note that the target process being restarted for each iteration could be a sign that there is another issue with your setup and the target is being killed for this other reason and then restarted for each iteration.
