Skip to content

Commit

Permalink
Merge pull request #1 from gaasedelen/master
Browse files Browse the repository at this point in the history 
merge upstream
  • Loading branch information
@yrp604
yrp604 authored Jul 10, 2018
2 parents a6eac8a + 1cbff29 commit bb9c4ba
Show file tree
Hide file tree
Showing 22 changed files with 1,516 additions and 329 deletions.
29 changes: 25 additions & 4 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ Special thanks to [@0vercl0k](https://twitter.com/0vercl0k) for the inspiration.

## Releases

* v0.7 -- Frida, C++ demangling, context menu, function prefixing, tweaks, bugfixes.
* v0.6 -- Intel pintool, cyclomatic complexity, batch load, bugfixes.
* v0.5 -- Search, IDA 7 support, many improvements, stability.
* v0.4 -- Most compute is now asynchronous, bugfixes.
Expand All @@ -29,7 +30,7 @@ Install Lighthouse into the IDA plugins folder.
- On MacOS, the folder is at `/Applications/IDA\ Pro\ 6.8/idaq.app/Contents/MacOS/plugins`
- On Linux, the folder may be at `/opt/IDA/plugins/`

The plugin is platform agnostic, but has only been tested on Windows for IDA 6.8 --> 7.0
The plugin is compatible with IDA Pro 6.8 --> 7.0 on Windows, MacOS, and Linux.

## Usage

Expand Down Expand Up @@ -67,6 +68,16 @@ The Coverage Overview is a dockable widget that provides a function level view o

This table can be sorted by column, and entries can be double clicked to jump to their corresponding disassembly.

## Context Menu

Right clicking the table in the Coverage Overview will produce a context menu with a few basic amenities.

<p align="center">
<img alt="Lighthouse Context Menu" src="screenshots/context_menu.gif"/>
</p>

These actions can be used to quickly manipulate or interact with entries in the table.

## Coverage Composition

Building relationships between multiple sets of coverage data often distills deeper meaning than their individual parts. The shell at the bottom of the [Coverage Overview](#coverage-overview) provides an interactive means of constructing these relationships.
Expand Down Expand Up @@ -134,7 +145,7 @@ Loaded coverage data and user constructed compositions can be selected or delete

Before using Lighthouse, one will need to collect code coverage data for their target binary / application.

The examples below demonstrate how one can use [DynamoRIO](http://www.dynamorio.org) or [Intel Pin](https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool) to collect Lighthouse compatible coverage agaainst a target. The `.log` files produced by these instrumentation tools can be loaded directly into Lighthouse.
The examples below demonstrate how one can use [DynamoRIO](http://www.dynamorio.org), [Intel Pin](https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool) or [Frida](https://www.frida.re) to collect Lighthouse compatible coverage against a target. The `.log` files produced by these instrumentation tools can be loaded directly into Lighthouse.

## DynamoRIO

Expand All @@ -156,7 +167,17 @@ Example usage:
pin.exe -t CodeCoverage64.dll -- boombox.exe
```

For convenience, binaries for the Windows pintool can be found on the [releases](https://github.com/gaasedelen/lighthouse/releases/tag/v0.6.0) page. MacOS and Linux users need to compile the pintool themselves following the [instructions](coverage/pin#compilation) included with the pintool for their respective platforms.
For convenience, binaries for the Windows pintool can be found on the [releases](https://github.com/gaasedelen/lighthouse/releases/tag/v0.7.0) page. MacOS and Linux users need to compile the pintool themselves following the [instructions](coverage/pin#compilation) included with the pintool for their respective platforms.

## Frida (Experimental)

Lighthouse offers limited support for Frida based code coverage via a custom [instrumentation script](coverage/frida) contributed by [yrp](https://twitter.com/yrp604).

Example usage:

```
sudo python frida-drcov.py bb-bench
```

# Future Work

Expand All @@ -166,7 +187,7 @@ Time and motivation permitting, future work may include:
* ~~Multifile/coverage support~~
* Profiling based heatmaps/painting
* Coverage & Profiling Treemaps
* Additional coverage sources, trace formats, etc
* ~~Additional coverage sources, trace formats, etc~~
* Improved Pseudocode painting

I welcome external contributions, issues, and feature requests.
Expand Down
72 changes: 72 additions & 0 deletions coverage/frida/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
# frida-drcov.py

In this folder you will find the code coverage collection script `frida-drcov.py` that run ontop of the [Frida](https://www.frida.re/) DBI toolkit. This script will produce code coverage (using Frida) in a log format compatible with [Lighthouse](https://github.com/gaasedelen/lighthouse).

Frida is best supported on mobile platforms such as iOS or Android, claiming some support for Windows, MacOS, Linux, and QNX. Practically speaking, `frida-drcov.py` should only be used for collecting coverage data on mobile applications.

This script is labeled only as a prototype.

## Install

To use `frida-drcov.py`, you must have [Frida](https://www.frida.re/) installed. This can be done via python's `pip`:

```
sudo pip install frida
```

## Usage

Once frida is installed, the `frida-drcov.py` script in this repo can be used to collect coverage against a running process as demonstrated below. By default, the code coverage data will be written to the file `frida-drcov.log` at the end of execution.

```
python frida-drcov.py <process name | pid>
```

Here is an example of us instrumenting the running process `bb-bench`.

```
$ sudo python frida-drcov.py bb-bench
[+] Got module info
Starting to stalk threads...
Stalking thread 775
Done stalking threads.
[*] Now collecting info, control-D to terminate....
[*] Detaching, this might take a second... # ^d
[+] Detached. Got 320 basic blocks.
[*] Formatting coverage and saving...
[!] Done
$ ls -lh frida-cov.log # this is the file you will load into lighthouse
-rw-r--r-- 1 root staff 7.2K 21 Oct 11:58 frida-cov.log
```

Using the `-o` flag, one can specify a custom name/location for the coverage log file:

```
python frida-drcov.py -o more-coverage.log foo
```

## Module Whitelisting

One can whitelist specific modules inside the target process. Say you have binary `foo` which imports the libraries `libfoo`, `libbar`, and `libbaz`. Using the `-w` flag (whitelist) on the command line, we can explicitly target modules of interest:

```
$ python frida-drcov.py -w libfoo -w libbaz foo
```

This will reduce the amount of information collected and improve performance. If no `-w` arguments are supplied, `frida-drcov.py` will trace all loaded images.

## Thread Targeting

On multi-threaded applications, tracing all threads can impose significant overhead. For these cases you can filter coverage collection based on thread id if you only care about specific threads.

In the following example, we target thread id `543`, and `678` running in the process named `foo`.

```
python frida-drcov.py -t 543 -t 678 foo
```

Without the `-t` flag, all threads that exist in the process at the time of attach will be traced.

# Authors

* yrp ([@yrp604](https://twitter.com/yrp604))
Loading

0 comments on commit bb9c4ba

Please sign in to comment.