There’s no doubt that reverse engineering can be a very complex and confusing matter, even for those that love doing it.
Jumping into a program and being greeted with tons of assembly and weirdly-named functions and variables is hardly what most would call a fun time.
Not to mention that identifying specific functionality in a program can be an exercise in sanity at times.
That’s why today we’re releasing Cartographer: A Ghidra plugin for mapping out code coverage data.
Cartographer simplifies the complexities of reverse engineering by allowing researchers to visually observe which parts of a program were executed, obtain details about each function’s execution, compare different runs of the same program, and much more.
Cartographer is a code coverage mapping plugin for Ghidra, enabling researchers to observe which parts of a program have been executed without requiring source code.
The latest stable version of Cartographer can be downloaded from the Releases page.
File -> Install Extensions...Once the plugin is loaded, there will be additional controls in the CodeBrowser window for working with code coverage data.
Code coverage files can be loaded via the Tools menu: Tools -> Code Coverage -> Load Code Coverage File(s)...
When a code coverage file is loaded, all of the coverage data is immediately highlighted in the Listing view and the Decompiler view.
Detailed information about the coverage data for each function can be found within the Code Coverage window.
The Code Coverage window can be opened by navigating to Window -> Code Coverage, or by pressing Ctrl-Shift-C on Windows (Cmd-Shift-C on Mac).
This window shows various details about each function in the program:
Clicking on any function will navigate to the specified function in the Listing view and Decompiler view.
The Filter input box can be used to search for a function by name.
Any of the data displayed in the coverage table can be used as a column filter.
The dropdown at the bottom-right of the Code Coverage window can be used to quickly and easily swap between loaded code coverage files.
The text box at the bottom of the Code Coverage window can be used to perform logical operations on loaded code coverage files.
This can be extremely useful for examining differences and similarities between different runs of a program.
Below are the logical operators that can be used within the expression parser.
&: Gets only the code executed by both coverages|: Gets any code executed by either coverages^: Gets only the executed code that differs between the coverages-: Gets only executed code which is unique to the left-hand coverageCoverages are referenced by their alphabetical IDs in the dropdown menu, such as A, B, XY, etc.
Each logical operation is grouped using parentheses, and expressions can be of any length or complexity.
A and B:A & B2. Show the executed code that was different between coverages A and B:
A ^ B3. Show code that was only executed in B:
B - A4. Combine all of the coverage data found in A and B, then find any differences from C:
(A | B) ^ CGradle can be used to build Cartographer from its source code.
$ git clone https://github.com/nccgroup/Cartographer.git2. Enter the repository and build with gradle.
$ cd Cartographer
$ gradle -PGHIDRA_INSTALL_DIR=<ghidra_install_dir><ghidra_install_dir> with the path to your local Ghidra installation path.3. After building, the plugin ZIP file will be located in the dist/ folder.
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…
Embark on the journey of becoming a certified Red Team professional with our definitive guide.…
This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…
This took me like 4 days (+2 days for an update), but I got it…
MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…