Hacking Tools

Cartographer – Advanced Code Coverage Mapping in Ghidra

Introduction

There’s no doubt that reverse engineering can be a very complex and confusing matter, even for those that love doing it.

Jumping into a program and being greeted with tons of assembly and weirdly-named functions and variables is hardly what most would call a fun time.

Not to mention that identifying specific functionality in a program can be an exercise in sanity at times.

That’s why today we’re releasing Cartographer: A Ghidra plugin for mapping out code coverage data.

Cartographer simplifies the complexities of reverse engineering by allowing researchers to visually observe which parts of a program were executed, obtain details about each function’s execution, compare different runs of the same program, and much more.

Description

Cartographer is a code coverage mapping plugin for Ghidra, enabling researchers to observe which parts of a program have been executed without requiring source code.

Table Of Contents

Key Features

  • Colorizes executed code
    • Function Graph
    • Disassembly (Listing) View
    • Decompiler View
  • Fully customizable colors
  • Supports Ghidra themes
  • Loads DRCOV files and custom EZCOV files
    • See EZCOV.md for details on the EZCOV format
  • Provides a detailed overview of function coverage
    • Includes heat map showing how much of each function was executed
  • Easily swap between loaded coverage files
  • Search for functions by name
  • Filter results by coverage amount and more
  • Powerful expression parser
    • Perform logical operations on multiple loaded coverages
  • Supports coverage in different address spaces

Installation

The latest stable version of Cartographer can be downloaded from the Releases page.

Loading The Plugin

  1. Launch Ghidra.
  2. Navigate to the Install Extensions window.
    • File -> Install Extensions...
  3. Click the green “+” icon at the top-right corner.
  4. Select the downloaded ZIP file to load the plugin into Ghidra.
  5. Click the “OK” button to exit the Install Extensions window.
  6. Restart Ghidra when prompted.

Usage

Once the plugin is loaded, there will be additional controls in the CodeBrowser window for working with code coverage data.

Loading Code Coverage Files

Code coverage files can be loaded via the Tools menu: Tools -> Code Coverage -> Load Code Coverage File(s)...

When a code coverage file is loaded, all of the coverage data is immediately highlighted in the Listing view and the Decompiler view.

Code Coverage Details

Detailed information about the coverage data for each function can be found within the Code Coverage window.

The Code Coverage window can be opened by navigating to Window -> Code Coverage, or by pressing Ctrl-Shift-C on Windows (Cmd-Shift-C on Mac).

This window shows various details about each function in the program:

  • Coverage %: Percentage of the function that was executed
  • Name: Name of the function
  • Address: Address (entry point) of the function
  • Blocks Hit: Number of basic blocks executed
  • Instructions Hit Number of instructions executed
  • Function Size: Size of the function in bytes

Clicking on any function will navigate to the specified function in the Listing view and Decompiler view.

Searching And Filtering

The Filter input box can be used to search for a function by name.

Any of the data displayed in the coverage table can be used as a column filter.

Swapping Between Coverages

The dropdown at the bottom-right of the Code Coverage window can be used to quickly and easily swap between loaded code coverage files.

Expression Parser

The text box at the bottom of the Code Coverage window can be used to perform logical operations on loaded code coverage files.

This can be extremely useful for examining differences and similarities between different runs of a program.

Syntax

Below are the logical operators that can be used within the expression parser.

  • &: Gets only the code executed by both coverages
  • |: Gets any code executed by either coverages
  • ^: Gets only the executed code that differs between the coverages
  • -: Gets only executed code which is unique to the left-hand coverage

Coverages are referenced by their alphabetical IDs in the dropdown menu, such as ABXY, etc.

Each logical operation is grouped using parentheses, and expressions can be of any length or complexity.

Examples

  1. Show the code that was executed in both coverages A and B:
A & B

2. Show the executed code that was different between coverages A and B:

A ^ B

3. Show code that was only executed in B:

B - A

4. Combine all of the coverage data found in A and B, then find any differences from C:

(A | B) ^ C

Contributing

Building From Source

Gradle can be used to build Cartographer from its source code.

  1. Clone the Cartographer GitHub repository.
$ git clone https://github.com/nccgroup/Cartographer.git

2. Enter the repository and build with gradle.

$ cd Cartographer
$ gradle -PGHIDRA_INSTALL_DIR=<ghidra_install_dir>
  • Replace <ghidra_install_dir> with the path to your local Ghidra installation path.

3. After building, the plugin ZIP file will be located in the dist/ folder.

Varshini

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

11 hours ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

11 hours ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

2 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

5 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago