lighthouse v0.9 releases: Code Coverage Explorer for IDA Pro
Lighthouse – Code Coverage Explorer for IDA Pro
Lighthouse is a code coverage plugin for IDA Pro. The plugin leverages IDA as a platform to map, explore, and visualize externally collected code coverage data when symbols or source may not be available for a given binary.
This plugin is labelled only as a prototype and IDA / Qt code example for the community.
Special thanks to @0vercl0k for the inspiration.
|- Added support for ‘module+offset’ style coverage files / traces
|- Added a coverage cross-reference dialog, like git-blame for coverage hits
|- Theme subsystem for custom user defined Lighthouse themes and colors
|- Added a fallback ‘Module Selector’ dialog to pick which ‘binary’ to load coverage for
|- Complete refactor for native Binary Ninja 2.0 support, multiple databases
|- Updated to fully support IDA 7.0 -> 7.4
|- Python 2/3 compatible for all platforms & disassemblers
|- Faster, more accurate database painting subsystem
+ Minor Changes
|- Extensible coverage parser interface makes it easier to load custom coverage formats
|- Added support for absolute address (bb, or instr.) style coverage files / traces
|- Updated the drcov coverage parser to support newer revisions
|- Batch loading no longer loads all files into memory before aggregating data
|- Decompilation views in IDA will now refresh coverage paint automatically
|- Lighthouse is now ‘accessible’ through the disassembler console, with lighthouse.get_context(…)
|- Significantly improved the database painter performance and stability in IDA
|- Improved the performance for caching database metadata
|- Support ‘interleaved’ instruction coverage in capable disassemblers (Binary Ninja)
|- ‘Forcefully’ clearing database paint will now block with a waitbox while running
|- Double clicking a function in the coverage table will now jump to the ‘first’ block with coverage
|- Added a simple check against GitHub to notify when a new version of Lighthouse is available
|- Removed the ‘range’ syntax from the composition grammar — nobody used it anyway
|- IDA should now close faster than it previously did after using Lighthouse
|- Deprecated support for IDA 6.8 -> 6.95
|- Tons of other minor improvements and code cleanup
|- Lighthouse now ships with two default themes, one ‘Light’ and one ‘Dark’
|- Unless the user specifies a theme preference, Lighthouse will pick which one it thinks is best
|- Reduced the font size of Lighthouse on macOS by 1pt, text should look a bit less comical
|- The coverage overview will more consistently snap to the right-side of the disassembler on open
|- Horizontal scrolling in the coverage table is now ‘per-pixel’ vs ‘per-column’ (less jumpy…)
|- Changed column sizing for the coverage table, ‘Function Name’ will also stretch by default now
|- Improved the coverage shell so that text selection (click+drag) actually works
|- Improved overall consistency with opening / closing the coverage combobox
|- Improved the combobox and coverage shell styling to look a bit sharper
|- Lighthouse error messages should be less likely to look bungled on other platforms
|- Continue to improve cross-platform & cross-disassembler UI consistency
|- Added tooltips to the coverage overview table header
|- A partially executed basic block should no longer appear fully painted in graph views
|- Fixed a bug that could prompt the user ‘several’ times for a coverage name when saving a composition
|- Lighthouse will now attempt to rebase itself should the user ‘rebase’ their IDB (IDA only)
|- Fixed a bug where the Aggregate set symbol ‘*’ was simply unusable in the coverage shell
|- The drcov parser could fail to extract module filenames when parsing a log collected on a different OS
|- Fixed some edge cases to improve the stability of metadata collection (caching)
|- Fixed a bug where deleted / undefined functions would persist in the coverage table after refresh
|- Using the shell to jump to sub_… function names did not work in Binary Ninja due to case sensitivity
|- Fixed bug that caused ‘renamed’ functions to lose their navigability (click to jump) in the table
+ BINJA KNOWN ISSUES
|- Highlighting the newly released Binary Ninja HLIL is not yet supported
|- Lighthouse will not properly spin down its threads and resources after closing a bndb / bv
|- Live rebasing of Lighthouse is *not* supported in Binja — rebase first, and then open Lighthouse
Install Lighthouse into the IDA plugins folder.
- git clone https://github.com/gaasedelen/lighthouse.git
- Copy the contents of the plugin folder to the IDA plugins folder
  - On Windows, the folder is at C:\Program Files (x86)\IDA 6.8\plugins
  - On macOS, the folder is at /Applications/IDA\ Pro\ 6.8/idaq.app/Contents/MacOS/plugins
  - On Linux, the folder may be at /opt/IDA/plugins/
The plugin is platform agnostic but has only been tested on Windows for IDA 6.8 -> 7.0
Lighthouse loads automatically when an IDB is opened, installing a handful of menu entries into the IDA interface.
These are the entry points for a user to load and view coverage data.
- File -> Load file -> Code coverage file…
- File -> Load file -> Code coverage batch…
- View -> Open subviews -> Coverage Overview
A batch load can quickly aggregate hundreds (thousands?) of collected coverage files into a single composite at load time.
Lighthouse ‘paints’ the active coverage data across the three major IDA views as applicable: the Disassembly, Graph, and Pseudocode views.
The Coverage Overview is a dockable widget that provides a function level view of the active coverage data for the database.
This table can be sorted by column, and entries can be double-clicked to jump to their corresponding disassembly.
Building relationships between multiple sets of coverage data often distills deeper meaning than their individual parts. The shell at the bottom of the Coverage Overview provides an interactive means of constructing these relationships.
Pressing enter on the shell will evaluate and save a user constructed composition.
Coverage composition, or composing, is achieved through a simple expression grammar and ‘shorthand’ coverage symbols (A to Z) on the composing shell.
- Logical Operators: |, &, ^, -
- Coverage Symbol: A, B, C, …, Z
- Coverage Range: A,C, Q,Z, …
- Parentheses: (…)
Example compositions:
- A & B
- (A & B) | C
- (C & (A - B)) | (F,H & Q)
The evaluation of the composition may occur right to left; parentheses are suggested for potentially ambiguous expressions.
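The following is an added example, not Lighthouse's own code: a small evaluator for the symbol, operator and parenthesis parts of the grammar, written to show why unparenthesized compositions can be ambiguous. It assumes all operators share one precedence and associate right to left, writes the subtraction operator as ASCII `-`, omits the range syntax, and uses constructed basic-block addresses; `evaluate` and `SAMPLE` are hypothetical names.

```python
import operator

# Set operations behind the grammar's logical operators ('-' is subtraction).
OPS = {"|": operator.or_, "&": operator.and_, "^": operator.xor, "-": operator.sub}

def evaluate(text, coverage):
    """Evaluate a composition against {symbol: set of covered addresses}."""
    # Every token in this grammar subset is a single character, so tokenizing
    # is just dropping whitespace. Reversed so pop() yields the next token.
    tokens = [ch for ch in text if not ch.isspace()][::-1]

    def term():
        tok = tokens.pop() if tokens else None
        if tok == "(":
            value = expr()
            if not tokens or tokens.pop() != ")":
                raise ValueError("missing ')'")
            return value
        if tok not in coverage:
            raise ValueError("expected a loaded coverage symbol, got %r" % tok)
        return coverage[tok]

    def expr():
        left = term()
        if tokens and tokens[-1] in OPS:
            op = OPS[tokens.pop()]
            # Assumption: equal precedence, so the rest of the expression is
            # evaluated first and becomes the right operand (right to left).
            return op(left, expr())
        return left

    result = expr()
    if tokens:
        raise ValueError("unexpected token: %r" % tokens[-1])
    return result

# Constructed sample data: basic-block addresses hit in three coverage sets.
SAMPLE = {
    "A": {0x401000, 0x401010, 0x401020, 0x401030},
    "B": {0x401010, 0x401020},
    "C": {0x401020, 0x401040},
}

if __name__ == "__main__":
    for composition in ("A - B - C", "(A - B) - C", "A & B | C", "(A & B) | C"):
        blocks = sorted(evaluate(composition, SAMPLE))
        print("%-12s -> %s" % (composition, [hex(b) for b in blocks]))
```

Under these assumptions `A - B - C` is read as `A - (B - C)` and keeps block 0x401020, while `(A - B) - C` drops it.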
Additionally, there is a ‘Hot Shell’ mode that asynchronously evaluates and caches user compositions in real-time.
The hot shell serves as a natural gateway into the unguided exploration of composed relationships.
Using the shell, one can search and filter the functions listed in the coverage table by prefixing their query with /.
The head of the shell will show an updated coverage % computed only from the remaining functions. This is useful when analyzing coverage for specific function families.
Entering an address or function name into the shell can be used to jump to corresponding function entries in the table.
Loaded coverage data and user-constructed compositions can be selected or deleted through the coverage combobox.
Copyright (c) 2017 Markus Gaasedelen