git clone https://github.com/googleprojectzero/winafl之后我们进入vs 2017 交叉x64_86的兼容命令行下32位编译**mkdir build32cd build32cmake -G"Visual Studio 15 2017" -A Win32 .. -DDynamoRIO_DIR=..\path\to\DynamoRIO\cmake -DINTELPT=1cmake --build . --config Release**64位编译**mkdir build64cd build64cmake -G"Visual Studio 15 2017" -A x64 .. -DDynamoRIO_DIR=..\path\to\DynamoRIO\cmake -DINTELPT=1cmake --build . --config Release**

afl-fuzz.exe -i input -o output -D C:\Users\fuzz\Desktop\dynamorio-cronbuild-8.0.18978\build_x64\bin64 -t 20000 -- -coverage_module test.exe -fuzz_iterations 5000 -target_module test.exe -target_offset 0x1200 -nargs 2 -- test.exe @@-i 输入文件路径-o 输出文件路径-D dynamorio路径-- 第一条分界线-coverage_module 代码覆盖包含-fuzz_iterations 迭代次数-target_module 测试程序-target_offset 测试函数偏移-nargs 命令行打开参数（包括程序本身）@@使用 input 文件内容进行输入如下是效果图 测试的时候记得关闭地址随机化哦

#include <stdio.h>#include <Windows.h>
#define ASSISTANTTOOLS_DLL "AssistantTools.dll"
extern "C" __declspec(dllexport) VOID fuzz_method(CHAR * filePath);
// AssistantTools.dllstatic HMODULE hAssistantTools = NULL;// AssistantTools!XL_ParseTorrentFileWsigned int __cdecl XL_ParseTorrentFileW(CHAR* aFileName, PVOID* a1);using Fun_XL_ParseTorrentFileW = decltype(&XL_ParseTorrentFileW);static Fun_XL_ParseTorrentFileW fun_XL_ParseTorrentFileW = NULL;// AssistantTools!XL_ReleaseTorrentFileInfoWvoid __cdecl XL_ReleaseTorrentFileInfoW(PVOID a1);using Fun_XL_ReleaseTorrentFileInfoW = decltype(&XL_ReleaseTorrentFileInfoW);static Fun_XL_ReleaseTorrentFileInfoW fun_XL_ReleaseTorrentFileInfoW = NULL;
VOID fuzz_method(CHAR* filePath){PVOID a1 = NULL;
fun_XL_ParseTorrentFileW(filePath, &a1);
if (a1){    fun_XL_ReleaseTorrentFileInfoW(a1);}
return;}
int main(int argc, char* argv[]){CHAR assistantTools_path[MAX_PATH] = {0};CHAR* pTemp = NULL;
if (2 != argc){    printf("Parameter Error\n");    goto End;}
// 获取AssistantTools.dll的全路径if(0 == GetModuleFileNameA(NULL, assistantTools_path, sizeof(assistantTools_path))){    printf("GetModuleFileNameA Error\n");    goto End;}pTemp = strrchr(assistantTools_path, '\\');if(NULL == pTemp){    printf("strrchr Error\n");    goto End;}++pTemp;*pTemp = '\0';strcat(pTemp, ASSISTANTTOOLS_DLL);
// 加载AssistantTools.dll并获取函数地址hAssistantTools = LoadLibraryA(assistantTools_path);if (NULL == hAssistantTools){    printf("LoadLibraryA fail: 0x%x\n", GetLastError());    goto End;}fun_XL_ParseTorrentFileW = (Fun_XL_ParseTorrentFileW)GetProcAddress(hAssistantTools, "XL_ParseTorrentFileW");if (NULL == fun_XL_ParseTorrentFileW){    printf("GetProcAddress fail\n");    goto End;}fun_XL_ReleaseTorrentFileInfoW = (Fun_XL_ReleaseTorrentFileInfoW)GetProcAddress(hAssistantTools, "XL_ReleaseTorrentFileInfoW");if (NULL == fun_XL_ParseTorrentFileW){    printf("GetProcAddress fail\n");    goto End;}
fuzz_method(argv[1]);End:if(hAssistantTools){FreeLibrary(hAssistantTools);}
return 0;
return 0;}

afl-fuzz.exe -i input -M master -o "out" -D "D:\fuzz\dynamorio\build_Win32\bin32" -I 100000+ -t 9000 -- -coverage_module AssistantTools.dll -coverage_module P2PBase.dll -target_module fuzz_program.exe -target_method fuzz_method -fuzz_iterations 5000 -nargs 2 -- "fuzz_program.exe" @@