
Add DynamoRIO cover script and update README

ben 2 years ago
  1. 27
  2. 80


@ -1,4 +1,4 @@
Various [scripts]( to extend [Gidhra]( features.
Various [scripts]( for [Gidhra]( reverse engineering (SRE) suite.
## Installation
@ -9,9 +9,9 @@ git clone
In the Ghidra Script Manager click the "Script Directories" icon in the toolbar and add the path where scripts are saved.
Scripts from this collection will appear in the "Hackade scripts" category.
### Qemu cover script
### Qemu code coverage script
[]( is code coverage plugin that visualize Qemu logged instructions.
[]( is a plugin to visualize traces from Qemu logged instructions.
#### How to use
@ -28,3 +28,24 @@ Then execute script, select the generated trace file (file.trace i
<video controls src="">Demo</video>
### DynamoRIO code covererage script
[]( is a plugin to visualize traces from DynamoRIO code coverage tool.
#### How to use
First you need to generate log file (in text format) from DynamoRIO code coverage tool:
bin64\drrun.exe -t drcov -dump_text -- target.exe
The execute script, select the generated trace file and choose a color.
#### Demo
<video controls src="">Demo</video>


@ -0,0 +1,80 @@
# DynamoRIO coverage visualization script
#@author hackade <>
#@category Hackade Scripts
from os.path import basename
from os import linesep
from import ColorizingService
from import GhidraScript
from docking.options.editor import GhidraColorChooser
from ghidra.program.model.listing import Program
from ghidra.program.model.mem import Memory, MemoryBlock
from ghidra.program.model.address import Address
from ghidra.program.model.address import AddressSet
from ghidra.util import Msg
from java.awt import Color
from java.lang import IllegalArgumentException
print "DynamoRIO coverage visualization"
# Get executables addresses ranges
executable_addr_range = []
image_base = currentProgram.getImageBase().getOffset()
print "Image base is 0x%x" % int(image_base)
filename = basename(currentProgram.getExecutablePath())
print filename
blocks = currentProgram.getMemory().getBlocks()
for block in blocks:
if block.isExecute():
start = block.getStart().getOffset() - image_base
end = block.getEnd().getOffset() - image_base
executable_addr_range.append((start, end))
# Select the trace file
trace_file = askFile("FILE", "Choose a file")
except IllegalArgumentException as error:
Msg.warn(self, "Error during headless processing: " + error.toString())
addresses = AddressSet()
Module_Table_Found = False
Target_Module_Found = False
with open(str(trace_file), "r") as f:
for line in f.readlines():
if not Module_Table_Found:
if line.startswith("Module Table"):
Module_Table_Found = True
print "Module table found"
if Module_Table_Found and not Target_Module_Found:
if line.endswith(filename + linesep):
Target_Module_Found = True
target_module = int(line.split(",")[0])
print "Target module ID is %d" % target_module
if Target_Module_Found:
module_str = ("module[%3d]:" % target_module)
if line.startswith(module_str):
iaddr = int(line.split(':')[1].split(',')[0],16)
size = int(line.split(',')[1])
for block in executable_addr_range:
if iaddr >= block[0] and iaddr <= block[1]:
saddr = ("0x%x" % (iaddr+int(image_base)))
addr_start = currentProgram.parseAddress(saddr)[0]
addr_end = addr_start.add(size)
addr = addr_start
while addr != addr_end:
addr =
# Choose a color
colorchooser = GhidraColorChooser()
color = colorchooser.showDialog(None)
# Taints addrresses
service = state.getTool().getService(ColorizingService)
if service is None:
print "Can't find ColorizingService service"
service.setBackgroundColor(addresses, color)
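Review bot: The `size` parsed from the trace at `size = int(line.split(',')[1])` is used without validation, and the range test `iaddr >= block[0] and iaddr <= block[1]` only checks where the basic block starts, not where it ends. A truncated or malformed drcov line with a zero-crossing, negative or oversized size would put `addr_start.add(size)` outside the executable block or behind `addr_start`, so the `while addr != addr_end` walk could mark bytes outside the section or never meet its exit condition; the loop body is cut off in this view, so that part is inferred. Since trace files often come from running samples that are not trusted, I would guard with `if size <= 0 or iaddr + size - 1 > block[1]: continue` and replace the per-address walk with `addresses.addRange(addr_start, addr_start.add(size - 1))`. Separately, the `service is None` branch at the end only prints and, as rendered here, still reaches `service.setBackgroundColor(addresses, color)`; if there is no early exit, one should be added.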