Lighthouse is a Code Coverage Plugin for IDA Pro. The plugin leverages IDA as a platform to map, explore, and visualize externally collected code coverage data when symbols or source may not be available for a given binary.
This plugin is labeled only as a prototype and IDA / Qt code example for the community.
Special thanks to @0vercl0k for the inspiration.
- v0.3 -- Coverage composition, interactive composing shell.
- v0.2 -- Multifile support, perfomance improvements, bugfixes.
- v0.1 -- Initial release
Install Lighthouse into the IDA plugins folder.
- Copy the contents of the
pluginfolder to the IDA plugins folder- On Windows, the folder is at
C:\Program Files (x86)\IDA 6.8\plugins - On MacOS, the folder is at
/Applications/IDA\ Pro\ 6.8/idaq.app/Contents/MacOS/plugins - On Linux, the folder may be at
/opt/IDA/plugins/
- On Windows, the folder is at
The plugin has only been tested on IDA Pro 6.8, 6.95 for Windows.
Lighthouse loads automatically when an IDB is opened, installing the following menu entries into the IDA interface:
- File --> Load file --> Code Coverage File(s)...
- View --> Open subviews --> Coverage Overview
These are the entry points for a user to load and view coverage data.
Lighthouse 'paints' the active coverage data across the three major IDA views as applicable. Specifically, the Disassembly, Graph, and Pseudocode views.
The Coverage Overview is a dockable widget that provides a function level view of the active coverage data for the database.
This table can be sorted by column, and entries can be double clicked to jump to their corresponding disassembly.
Building relationships between multiple sets of coverage data often distills deeper meaning than their individual parts. The composing shell is an interactive means of constructing these relationships.
Pressing enter on the shell will evaluate and save a user constructed composition.
Coverage composition, or Composing as demonstrated above is achieved through a simple expression grammar and 'shorthand' coverage symbols (A to Z) on the composing shell.
- Logical Operators:
|, &, ^, - - Coverage Symbol:
A, B, C, ..., Z - Coverage Range:
A,C,Q,Z, ... - Parenthesis:
(...)
A & B(A & B) | C(C & (A - B)) | (F,H & Q)
The evaluation of the composition may occur right to left, parenthesis are suggested for potentially ambiguous expressions.
Loaded coverage data and user constructed compositions can be selected or deleted through the coverage combobox.
Additionally, there is a prototype 'Hot Shell' mode that evaluates user compositions in real-time. This promotes a more natural experience in the unguided exploration of composed relationships.
The performance of this feature will be vastly improved in the next release, v0.4.0.
At this time, Lighthouse only consumes binary coverage data as produced by DynamoRIO's drcov code coverage module.
Collecting blackbox coverage data with drcov is relatively straightforward. The following example demonstrates how coverage was produced for the boombox.exe testcase provided in this repository.
..\DynamoRIO-Windows-7.0.0-RC1\bin64\drrun.exe -t drcov -- boombox.exe
This command will produce a .log file consisting of the coverage data upon termination of the target application.
drcov was selected as the initial coverage data source due to its availability, adoption, multi-platform (Win/Mac/Linux), and multi-architecture (x86/AMD64/ARM) support.
Intel's PIN for example does not come with a default code coverage pintool. It appears that most implement their own solution and there is no clear format for Lighthouse to standardize on. In the future, Lighthouse may ship with its own pintool.
While Lighthouse is considered a prototype, internally it is largely agnostic of its data source. Future work will hopefully allow one to drop a loader into the parsers folder without any need for code changes to Lighthouse. Right now, this is not the case.
Time and motivation permitting, future work may include:
- Asynchronous composition, painting, metadata collection
Multifile/coverage support- Profiling based heatmaps/painting
- Coverage & Profiling Treemaps
- Automatic parser pickup
- Parsers for additional coverage sources, eg PIN
- Improved Pseudocode painting
- Markus Gaasedelen (@gaasedelen)