Convert Figma logo to code with AI

gaasedelen logolighthouse

A Coverage Explorer for Reverse Engineers

2,220
303
2,220
19
View on GitHub

Top Related Projects

doyensec's avatar

inql

1,517

InQL is a robust, open-source Burp Suite extension for advanced GraphQL testing, offering intuitive vulnerability detection, customizable scans, and seamless Burp integration.

chaitin's avatar

xray

10,226

一款完善的安全评估工具,支持常见 web 安全问题扫描和自定义 poc | 使用之前务必先阅读文档

sqlmapproject's avatar

sqlmap

31,882

Automatic SQL injection and database takeover tool

trailofbits's avatar

algo

28,648

Set up a personal VPN in the cloud

gitleaks's avatar

gitleaks

17,352

Protect and discover secrets using Gitleaks 🔑

Quick Overview

Lighthouse is an open-source code coverage explorer for reverse engineers, fuzzer developers, and vulnerability researchers. It provides a powerful visual interface for analyzing code coverage data, helping users identify unexplored code paths and potential vulnerabilities in binary executables.

Pros

  • Intuitive visual interface for exploring code coverage
  • Seamless integration with IDA Pro and Binary Ninja
  • Supports various code coverage formats, including DynamoRIO and Intel PIN
  • Helps identify unexplored code paths and potential vulnerabilities

Cons

  • Limited to x86/x64 architectures
  • Requires commercial disassemblers (IDA Pro or Binary Ninja)
  • Learning curve for users unfamiliar with reverse engineering concepts
  • May require additional setup for certain coverage formats

Getting Started

  1. Install Lighthouse:

    pip install lighthouse-python

  2. Launch IDA Pro or Binary Ninja and load your target binary.

  3. In the disassembler, run the Lighthouse plugin:

    import lighthouse
lighthouse.start()

  4. Load your coverage data file using the Lighthouse UI.

  5. Explore the highlighted code coverage and use Lighthouse's features to analyze unexplored paths and potential vulnerabilities.

Competitor Comparisons

doyensec logo

inql

1,517

InQL is a robust, open-source Burp Suite extension for advanced GraphQL testing, offering intuitive vulnerability detection, customizable scans, and seamless Burp integration.

Pros of InQL

  • Specifically designed for GraphQL security testing and introspection
  • Integrates with Burp Suite for seamless web application security testing
  • Provides a user-friendly GUI for exploring GraphQL schemas and queries

Cons of InQL

  • Limited to GraphQL-specific analysis, unlike Lighthouse's broader binary analysis capabilities
  • May require more manual effort for in-depth security assessments
  • Less suitable for reverse engineering complex binary applications

Code Comparison

InQL (Python):

def generate_queries(schema):
    queries = []
    for type_name, type_object in schema.types.items():
        if isinstance(type_object, GraphQLObjectType):
            query = generate_query_for_type(type_name, type_object)
            queries.append(query)
    return queries

Lighthouse (C++):

void Database::refresh_memory_flags()
{
  for (const auto &seg : m_segments)
  {
    seg->refresh_memory_flags();
  }
  m_memory_flags_dirty = false;
}

While both tools are used for analysis, InQL focuses on GraphQL schema exploration and query generation, whereas Lighthouse provides low-level binary analysis capabilities. InQL is more suitable for web application security testing, while Lighthouse excels in reverse engineering and binary analysis tasks.

chaitin logo

xray

10,226

一款完善的安全评估工具,支持常见 web 安全问题扫描和自定义 poc | 使用之前务必先阅读文档

Pros of xray

  • Broader scope: Covers web security scanning, not just binary analysis
  • Active development: More recent updates and contributions
  • Larger community: More stars and forks on GitHub

Cons of xray

  • Less focused: Not specialized for binary analysis like Lighthouse
  • Steeper learning curve: Requires more setup and configuration
  • Language barrier: Some documentation is in Chinese

Code comparison

Lighthouse (Python):

def highlight_coverage(bv, addr):
    function = bv.get_functions_containing(addr)[0]
    for block in function.basic_blocks:
        for insn in block:
            highlight = HighlightStandardColor.GreenHighlightColor
            bv.set_instruction_highlight(insn.address, highlight)

xray (Go):

func (s *Scanner) Scan(target string) error {
    for _, plugin := range s.Plugins {
        if err := plugin.Check(target); err != nil {
            return err
        }
    }
    return nil
}

While both projects involve security analysis, their focus and implementation differ significantly. Lighthouse is tailored for binary analysis and reverse engineering, while xray is a more general-purpose web security scanner. The code snippets reflect these differences, with Lighthouse manipulating binary views and xray implementing a plugin-based scanning system.

sqlmapproject logo

sqlmap

31,882

Automatic SQL injection and database takeover tool

Pros of sqlmap

  • More comprehensive SQL injection testing capabilities
  • Larger and more active community, with frequent updates
  • Supports a wide range of database management systems

Cons of sqlmap

  • Steeper learning curve due to its extensive features
  • Can be slower for quick vulnerability assessments
  • May trigger security alerts due to its aggressive scanning

Code Comparison

sqlmap (Python):

def getPage(**kwargs):
    web = kwargs.get("web", None)
    url = kwargs.get("url", None)
    data = kwargs.get("data", None)
    method = kwargs.get("method", None)
    cookie = kwargs.get("cookie", None)
    headers = kwargs.get("headers", None)

Lighthouse (C++):

void Lighthouse::refresh_coverage(void)
{
    m_coverage.clear();
    m_coverage_blocks.clear();
    m_coverage_percent = 0.0;
    collect_coverage();
}

While sqlmap focuses on SQL injection testing with a complex codebase, Lighthouse is designed for code coverage visualization in binary analysis tools. The code snippets reflect their different purposes, with sqlmap handling web requests and Lighthouse managing code coverage data.

trailofbits logo

algo

28,648

Set up a personal VPN in the cloud

Pros of algo

  • Focuses on setting up secure VPN servers, providing a complete solution for privacy and security
  • Supports multiple cloud providers and platforms, offering flexibility in deployment
  • Actively maintained with regular updates and a larger community

Cons of algo

  • More complex setup process compared to Lighthouse's simpler interface
  • Requires more technical knowledge to configure and manage
  • Limited to VPN functionality, while Lighthouse offers broader reverse engineering capabilities

Code comparison

algo (setup script):

def install():
    update_apt_cache()
    install_apt_dependencies()
    install_pip_dependencies()
    install_virtualenv()

Lighthouse (IDA Pro plugin):

class Lighthouse(idaapi.plugin_t):
    def init(self):
        self.core = LighthouseCore()
        self.ui = LighthouseUI(self.core)
        return idaapi.PLUGIN_KEEP

While both projects are security-focused, they serve different purposes. algo is a VPN deployment tool, whereas Lighthouse is a code coverage exploration plugin for IDA Pro. The code snippets reflect their distinct functionalities, with algo focusing on system setup and Lighthouse on integrating with IDA Pro's reverse engineering environment.

gitleaks logo

gitleaks

17,352

Protect and discover secrets using Gitleaks 🔑

Pros of Gitleaks

  • Focused specifically on detecting secrets and sensitive information in Git repositories
  • Supports scanning multiple Git hosting services (GitHub, GitLab, Bitbucket)
  • Provides detailed reports and can be easily integrated into CI/CD pipelines

Cons of Gitleaks

  • Limited to secret detection, lacks broader code analysis capabilities
  • May produce false positives, requiring manual review of results
  • Does not offer real-time monitoring or visualization of code changes

Code Comparison

Gitleaks (Go):

func (s *Scanner) Scan(ctx context.Context, opts ...ScanOption) ([]Report, error) {
    for _, opt := range opts {
        opt(s)
    }
    return s.scan(ctx)
}

Lighthouse (Python):

def analyze_function(self, function):
    for basic_block in function.basic_blocks:
        self._analyze_basic_block(basic_block)
    self._update_function_metrics(function)

While both projects involve code analysis, they serve different purposes. Gitleaks focuses on secret detection in Git repositories, while Lighthouse is a code coverage explorer for reverse engineers. The code snippets reflect their distinct functionalities, with Gitleaks implementing a scanning mechanism and Lighthouse performing function analysis.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Lighthouse - A Coverage Explorer for Reverse Engineers

Lighthouse Plugin

Overview

Lighthouse is a powerful code coverage explorer for IDA Pro and Binary Ninja, providing software researchers with uniquely interactive controls to study execution maps for native applications without requiring symbols or source.

This project placed 2nd in IDA's 2017 Plug-In Contest and was later nominated in the 2021 Pwnie Awards for its contributions to the security research industry.

Special thanks to @0vercl0k for the inspiration.

Releases

  • v0.9 -- Python 3 support, custom coverage formats, coverage cross-refs, theming subsystem, much more.
  • v0.8 -- Binary Ninja support, HTML coverage reports, consistent styling, many tweaks, bugfixes.
  • v0.7 -- Frida, C++ demangling, context menu, function prefixing, tweaks, bugfixes.
  • v0.6 -- Intel pintool, cyclomatic complexity, batch load, bugfixes.
  • v0.5 -- Search, IDA 7 support, many improvements, stability.
  • v0.4 -- Most compute is now asynchronous, bugfixes.
  • v0.3 -- Coverage composition, interactive composing shell.
  • v0.2 -- Multifile support, performance improvements, bugfixes.
  • v0.1 -- Initial release

Installation

Lighthouse is a cross-platform (Windows, macOS, Linux) Python 2/3 plugin. It takes zero third party dependencies, making the code both portable and easy to install.

Use the instructions below for your respective disassembler.

IDA Installation

  1. From IDA's Python console, run the following command to find its plugin directory:
    • import idaapi, os; print(os.path.join(idaapi.get_user_idadir(), "plugins"))
  2. Copy the contents of this repository's /plugins/ folder to the listed directory.
  3. Restart your disassembler.

Binary Ninja Installation

Lighthouse can be installed through the plugin manager on Binary Ninja, supporting v3.5 and newer.

  1. Open Binary Ninja's plugin manager by navigating the following submenus:
    • Edit -> Preferences -> Manage Plugins
  2. Search for Lighthouse in the plugin manager, and click the Enable button in the bottom right.
  3. Restart your disassembler.

Usage

Once properly installed, there will be a few new menu entries available in the disassembler. These are the entry points for a user to load coverage data and start using Lighthouse.

Lighthouse Menu Entries

Lighthouse is able to load a few different 'flavors' of coverage data. To generate coverage data that can be loaded into Lighthouse, please look at the README in the coverage directory of this repository.

Coverage Painting

While Lighthouse is in use, it will 'paint' the active coverage data across all of the code viewers available in the disassembler. Specifically, this will apply to your linear disassembly, graph, and decompiler windows.

Lighthouse Coverage Painting

In Binary Ninja, only the linear disassembly, graph, and IL views are supported. Support for painting decompiler output in Binary Ninja will be added to Lighthouse in the near future as the feature stabilizes.

Coverage Overview

The Coverage Overview is a dockable widget that will open up once coverage has been loaded into Lighthouse.

Lighthouse Coverage Overview

This interactive widget provides a function level view of the loaded coverage data. It also houses a number of tools to manage loaded data and drive more advanced forms of coverage analysis.

Context Menu

Right clicking the table in the Coverage Overview will produce a context menu with a few basic amenities to extract information from the table, or manipulate the database as part of your reverse engineering process.

Lighthouse Context Menu

If there are any other actions that you think might be useful to add to this context menu, please file an issue and they will be considered for a future release of Lighthouse.

Coverage ComboBox

Loaded coverage and user constructed compositions can be selected or deleted through the coverage combobox.

Lighthouse Coverage ComboBox

HTML Coverage Report

Lighthouse can generate rudimentary HTML coverage reports. A sample report can be seen here.

Lighthouse HTML Report

Coverage Shell

At the bottom of the coverage overview window is the coverage shell. This shell can be used to perform logic-based operations that combine or manipulate the loaded coverage sets.

Lighthouse Coverage Composition

This feature is extremely useful in exploring the relationships of program execution across multiple runs. In other words, the shell can be used to 'diff' execution between coverage sets and extract a deeper meaning that is otherwise obscured within the noise of their individual parts.

Composition Syntax

Coverage composition, or Composing as demonstrated above is achieved through a simple expression grammar and 'shorthand' coverage symbols (A to Z) on the composing shell.

Grammar Tokens

  • Logical Operators: |, &, ^, -
  • Coverage Symbol: A, B, C, ..., Z, *
  • Parenthesis: (...)

Example Compositions

  1. Executed code that is shared between coverage A and coverage B:
A & B
  1. Executed code that is unique only to coverage A:
A - B
  1. Executed code that is unique to A or B, but not C:
(A | B) - C

Expressions can be of arbitrary length or complexity, but the evaluation of the composition may occur right to left. So parenthesis are suggested for potentially ambiguous expressions.

Hot Shell

Additionally, there is a 'Hot Shell' mode that asynchronously evaluates and caches user compositions in real-time.

Lighthouse Hot Shell

The hot shell serves as a natural gateway into the unguided exploration of composed relationships.

Search

Using the shell, you can search and filter the functions listed in the coverage table by prefixing their query with /.

Lighthouse Search

The head of the shell will show an updated coverage % computed only from the remaining functions. This is useful when analyzing coverage for specific function families.

Jump

Entering an address or function name into the shell can be used to jump to corresponding function entries in the table.

Lighthouse Jump

Coverage Cross-references (Xref)

While using Lighthouse, you can right click any basic block (or instruction) and use the 'Coverage Xref' action to see which coverage sets executed the selected block. Double clicking any of the listed entries will instantly switch to that coverage set.

Lighthouse Xref

This pairs well with the 'Coverage Batch' feature, which allows you to quickly load and aggregate thousands of coverage files into Lighthouse. Cross-referencing a block and selecting a 'set' will load the 'guilty' set from disk as a new coverage set for you to explore separate from the batch.

Themes

Lighthouse ships with two default themes -- a 'light' theme, and a 'dark' one. Depending on the colors currently used by your disassembler, Lighthouse will attempt to select the theme that seems most appropriate.

Lighthouse Themes

The theme files are stored as simple JSON on disk and are highly configurable. If you are not happy with the default themes or colors, you can create your own themes and simply drop them in the user theme directory.

Lighthouse will remember your theme preference for future loads and uses.

Future Work

Time and motivation permitting, future work may include:

  • Nag Vector35 to fix HLIL highlighting (bug) in Binary Ninja
  • Asynchronous composition, painting, metadata collection
  • Multifile/coverage support
  • Profiling based heatmaps/painting
  • Coverage & profiling treemaps
  • Additional coverage sources, trace formats, etc
  • Improved pseudocode painting
  • Lighthouse console access, headless usage
  • Custom themes
  • Python 3 support

I welcome external contributions, issues, and feature requests. Please make any pull requests to the develop branch of this repository if you would like them to be considered for a future release.

Authors