This guide walks you through launching a complete multi-core AFLPlusPlus campaign using AFL Runner from scratch. By the end you will have generated a full set of afl-fuzz invocations, started them in a tmux session, and attached the built-in TUI to monitor progress in real time, all using a single tool.
Prepare your prerequisites
Before invoking aflr, you need two things in place:

- An AFL++-instrumented target binary. Compile your target at least once with afl-clang-fast (or afl-clang-lto, afl-gcc-fast, etc.). For best results in multiple-cores mode, compile additional variants with Address Sanitizer (-fsanitize=address), CMPLOG (AFL_LLVM_CMPLOG=1), and CMPCOV (AFL_LLVM_LAF_ALL=1).
- A seed corpus directory. Create a directory containing at least one non-empty, representative input file for your target. Even a single valid sample is enough to get started.
If no -i / --input-dir flag is provided, AFL Runner defaults to /tmp/afl_input as the corpus directory, and /tmp/afl_output as the output directory.

Generate the fuzzing commands with aflr gen
Use aflr gen to produce and inspect the full set of afl-fuzz invocations before executing anything. This is the safest first step: it lets you verify runner count, mode, and binary assignments without touching your system.

| Flag | Meaning |
|---|---|
| -t / --target | Path to the AFL++-instrumented target binary |
| -i / --input-dir | Seed corpus directory |
| -o / --output-dir | AFL++ output directory (crashes, queue, stats) |
| -n / --runners | Number of parallel afl-fuzz processes to launch |

The default mode is multiple-cores, which automatically assigns one process as the main fuzzer (-M) and distributes the remaining n-1 processes as secondaries (-S) with varied power schedules. To explicitly set the mode:

If you have additional instrumented binaries, supply them directly:

AFL Runner routes each binary type to the appropriate runner slot automatically.

Run the campaign with aflr run
When you are satisfied with the generated commands, use aflr run to execute them. It accepts the same flags as aflr gen and additionally manages the tmux (or screen) session. Add --tui to launch the monitoring interface immediately alongside the fuzzers.

AFL Runner creates a tmux session (named automatically, or set with --session-name), opens a window for each fuzzer, and starts every afl-fuzz process. With --tui the terminal transitions directly into the status dashboard.

To preview the commands that would be run without actually executing them, use --dry-run:

To start the campaign in the background with no attached terminal, use --detached:

Monitor with the TUI
If you launched without --tui, or if you want to reconnect to the dashboard at any point, run:

Pass the AFL++ output directory as the sole argument. The TUI reads the fuzzer_stats files written by each running instance and displays aggregate and per-fuzzer metrics (total execs, paths found, crashes, hangs, and exec speed), refreshed in real time. It is a full replacement for afl-whatsup.

The TUI works against any AFL++ output directory, whether the fuzzers were started by AFL Runner or invoked manually. It does not need to be connected to an active tmux session.
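
The same aggregation over fuzzer_stats files can be scripted, for example in a CI job that checks a campaign for saved crashes. The following Python is an added example, not AFL Runner's own code; it assumes the standard AFL++ layout of one fuzzer_stats file per instance directory and the AFL++ key names execs_done, execs_per_sec, corpus_count, saved_crashes and saved_hangs, with the older paths_total, unique_crashes and unique_hangs as fallbacks. The function names and the sample data are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Current AFL++ key first; older key name second (assumed fallback).
METRICS = {
    "execs": ("execs_done",),
    "execs_per_sec": ("execs_per_sec",),
    "paths": ("corpus_count", "paths_total"),
    "crashes": ("saved_crashes", "unique_crashes"),
    "hangs": ("saved_hangs", "unique_hangs"),
}

def parse_fuzzer_stats(path):
    """Parse one 'key : value' fuzzer_stats file into a dict of strings."""
    lines = Path(path).read_text(errors="replace").splitlines()
    pairs = (line.partition(":") for line in lines)
    return {key.strip(): value.strip() for key, sep, value in pairs if sep}

def summarize(output_dir):
    """Return (per_fuzzer, totals) over <output_dir>/<instance>/fuzzer_stats."""
    per_fuzzer, totals = {}, dict.fromkeys(METRICS, 0.0)
    for stats_file in sorted(Path(output_dir).glob("*/fuzzer_stats")):
        raw = parse_fuzzer_stats(stats_file)
        row = {}
        for metric, keys in METRICS.items():
            try:
                row[metric] = float(next((raw[k] for k in keys if k in raw), 0))
            except ValueError:  # half-written or corrupt value counts as 0
                row[metric] = 0.0
            totals[metric] += row[metric]
        per_fuzzer[stats_file.parent.name] = row
    return per_fuzzer, totals

def build_sample(root):
    """Constructed sample: a main instance plus a secondary using older key names."""
    samples = {
        "main": "execs_done : 1000\nexecs_per_sec : 250.5\ncorpus_count : 40\n"
                "saved_crashes : 1\nsaved_hangs : 0\n",
        "sec1": "execs_done : 3000\nexecs_per_sec : 749.5\npaths_total : 60\n"
                "unique_crashes : 2\nunique_hangs : 1\n",
    }
    for name, body in samples.items():
        (Path(root) / name).mkdir()
        (Path(root) / name / "fuzzer_stats").write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(summarize(tmp))
```

The crash and hang totals are sums of per-instance counts, so a crash saved by two instances is counted twice.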
Using a Config File
Repeatedly typing long flag lists is error-prone and makes campaign setups hard to reproduce. AFL Runner supports TOML configuration files that capture all settings for a project. A minimal aflr_cfg.toml for the campaign above looks like this:
CLI flags always take precedence over config file values. You can keep a shared project config and override specific settings per invocation, for example changing the runner count without editing the file: aflr run -n 16.