lighthouse v0.9.2 releases: Code Coverage Explorer for IDA Pro
Lighthouse – Code Coverage Explorer for IDA Pro
Overview
Lighthouse is a code coverage plugin for IDA Pro. The plugin leverages IDA as a platform to map, explore, and visualize externally collected code coverage data when symbols or source may not be available for a given binary.
This plugin is labelled only as a prototype and IDA / Qt code example for the community.
Special thanks to @0vercl0k for the inspiration.
Changelog
v0.9.2
|- Lighthouse can now be installed through the Binary Ninja plugin manager (2.4.2918 and newer)
|- Misc Qt/compatibility fixes for newer versions of Binary Ninja
|- Updated the drcov parser to support reading of newer (v5) drcov log files
|- Added basic support for loading ‘coverage’ from a Tenet-style trace
|- Loosened the ‘instruction vs basic block’ heuristic for determining trace format
|- Improved UI styling to better select ‘Monospace’ fonts cross platform (at least, macOS)
|- Improved disassembly color detection logic for newer versions of IDA
|- Fixed an issue where Lighthouse would fail to load with multiple Qt packages present
|- Fixed a crash that could occur when loading coverage for an executable with a Unicode name
|- Intel pin tool code updated to compile on the latest versions of pin
Installation
Install Lighthouse into the IDA plugins folder.
- git clone https://github.com/gaasedelen/lighthouse.git
- Copy the contents of the plugin folder to the IDA plugins folder
  - On Windows, the folder is at C:\Program Files (x86)\IDA 6.8\plugins
  - On macOS, the folder is at /Applications/IDA\ Pro\ 6.8/idaq.app/Contents/MacOS/plugins
  - On Linux, the folder may be at /opt/IDA/plugins/
The plugin is platform agnostic but has only been tested on Windows for IDA 6.8 -> 7.0.
Usage
Lighthouse loads automatically when an IDB is opened, installing a handful of menu entries into the IDA interface.
These are the entry points for a user to load and view coverage data.
- File -> Load file -> Code coverage file…
- File -> Load file -> Code coverage batch…
- View -> Open subviews -> Coverage Overview
A batch load can quickly aggregate hundreds (thousands?) of collected coverage files into a single composite at load time.
Coverage Painting
Lighthouse ‘paints’ the active coverage data across the three major IDA views as applicable: the Disassembly, Graph, and Pseudocode views.
Coverage Overview
The Coverage Overview is a dockable widget that provides a function level view of the active coverage data for the database.
This table can be sorted by column, and entries can be double-clicked to jump to their corresponding disassembly.
Coverage Composition
Building relationships between multiple sets of coverage data often distills deeper meaning than their individual parts. The shell at the bottom of the Coverage Overview provides an interactive means of constructing these relationships.
Pressing enter on the shell will evaluate and save a user constructed composition.
Composition Syntax
Coverage composition, or composing, as demonstrated above, is achieved through a simple expression grammar and ‘shorthand’ coverage symbols (A to Z) on the composing shell.
Grammar Tokens
- Logical Operators: |, &, ^, -
- Coverage Symbol: A, B, C, …, Z
- Coverage Range: A,C, Q,Z, …
- Parenthesis: (…)
Example Compositions
- A & B
- (A & B) | C
- (C & (A - B)) | (F,H & Q)
The evaluation of the composition may occur right to left, so parentheses are suggested for potentially ambiguous expressions.
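The grammar above, worked through as an added Python sketch (not Lighthouse's own parser) that evaluates compositions over sets of covered addresses. It assumes all operators share one precedence and group right to left, that a range is the union of the symbols it spans, and that unloaded symbols are empty; `SAMPLE`, `tokenize` and `compose` are hypothetical names.

```python
import re
# Constructed sample data: shorthand symbol -> set of covered block addresses.
SAMPLE = {
    "A": {0x1000, 0x1004, 0x1008},
    "B": {0x1004, 0x1008, 0x100C},
    "C": {0x1008, 0x1010},
}
OPS = {"|": set.union, "&": set.intersection,
       "^": set.symmetric_difference, "-": set.difference}
TOKEN = re.compile(r"\s*([A-Z]\s*,\s*[A-Z]|[A-Z]|[|&^()-])")

def tokenize(text):
    tokens, pos, text = [], 0, text.rstrip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {text[pos:]!r}")
        tokens.append(re.sub(r"\s", "", m.group(1)))
        pos = m.end()
    return tokens

def compose(text, coverage):
    """Evaluate a composition: one precedence level, grouped right to left."""
    tokens = tokenize(text)

    def operand():
        tok = tokens.pop(0) if tokens else None
        if tok == "(":
            value = expression()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok in OPS or tok == ")":
            raise ValueError(f"expected a coverage symbol, got {tok!r}")
        lo, hi = sorted((tok[0], tok[-1]))  # "A" is the one-symbol range A..A
        # Assumption: a range is the union of its symbols; unloaded ones are empty.
        return set().union(*(coverage.get(chr(c), set())
                             for c in range(ord(lo), ord(hi) + 1)))

    def expression():
        left = operand()
        if tokens and tokens[0] in OPS:
            op = OPS[tokens.pop(0)]
            return op(left, expression())  # everything to the right binds first
        return left
    result = expression()
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return result
```

Under these assumptions `A - B - C` evaluates as `A - (B - C)`, which differs from `(A - B) - C` on the sample data, so chained operators are where explicit parentheses matter.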
Hot Shell
Additionally, there is a ‘Hot Shell’ mode that asynchronously evaluates and caches user compositions in real-time.
The hot shell serves as a natural gateway into the unguided exploration of composed relationships.
Search
Using the shell, one can search and filter the functions listed in the coverage table by prefixing their query with /.
The head of the shell will show an updated coverage % computed only from the remaining functions. This is useful when analyzing coverage for specific function families.
Jump
Entering an address or function name into the shell can be used to jump to corresponding function entries in the table.
Coverage ComboBox
Loaded coverage data and user-constructed compositions can be selected or deleted through the coverage combobox.
Copyright (c) 2017 Markus Gaasedelen
Source: https://github.com/gaasedelen/