forked from Cr4sh/Code-coverage-analysis-tools
-
Notifications
You must be signed in to change notification settings - Fork 1
/
README.TXT
executable file
·169 lines (117 loc) · 7.01 KB
/
README.TXT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
Code coverage analysis tools for PIN.
Developed by:
Oleksiuk Dmitry, eSage Lab
mailto:dmitry@esagelab.com
http://www.esagelab.com/
My article about PIN and this tools:
http://d-olex.blogspot.com/2011/03/blog-post.html
(in Russian, use Google Translate)
==============================================================
ARCHIVE CONTENTS
==============================================================
./Coverager.dll - PIN instrumentation module for code coverage analysis.
./coverage_test.exe - Test application to buid code coverage map for Internet Explorer process.
./coverage_parse.py - Program for parsing the logs, that has been generated by instrumentation module.
./coverage_to_callgraph.py - Program to generates log files in Calltree Profile Format.
./symlib.pyd - PDB symbols library for Python 2.6 (see symlib_test.py for usage details).
./symlib25.pyd - PDB symbols library for Python 2.5
./EXAMPLES/ - Samples of output logs.
==============================================================
BUILDING CODE COVERAGE MAP BY FUNCTIONS AND BASIC BLOCKS
==============================================================
1) Download and install PIN toolkit (http://www.pintool.org).
2) Copy Coverager.dll into the PIN toolkit root directory.
3) Edit execute_pin.bat scenario and put PIN toolkit root directory path into the PINPATH variable.
4) Use execute_pin.bat from command line to run some aaplication and generate code coverage map for it.
Example:
> execute_pin.bat "C:\Program Files\Internet Explorer\iexplore.exe"
5) After the target applicaion termination 4 log files will be created (CoverageData.log, CoverageData.log.modules, CoverageData.log.routines and CoverageData.log.blocks).
6) Use coverage_parse.py program to extract information from the generated logs.
Example:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
C:\> python coverage_parse.py Coverager.log --dump-routines --modules "iexplore, ieframe" --outfile routines.txt
SYMLIB: DLL_PROCESS_ATTACH
SYMLIB: Symbols path is "C:\Symbols;SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols"
Code Coverage Analysis Tool for PIN
by Oleksiuk Dmitry, eSage Lab (dmitry@esagelab.com)
Filtering by module name "iexplore"
Filtering by module name "ieframe"
[+] Output file: "routines.txt"
[+] Parsing routines list, please wait...
SYMLIB: Module loaded from "c:\Program Files\Internet Explorer\iexplore.exe"
SYMLIB: 395 symbols loaded for "c:\Program Files\Internet Explorer\iexplore.exe"
SYMLIB: Module loaded from "C:\Windows\system32\IEFRAME.dll"
SYMLIB: 33516 symbols loaded for "C:\Windows\system32\IEFRAME.dll"
[+] Processed modules list:
#
# Routines count -- Module Name
#
3576 -- flash10n.ocx
47 -- jp2ssv.dll
195 -- wdmaud.drv
15 -- rasadhlp.dll
208 -- msls31.dll
... skipped ...
[+] DONE
SYMLIB: DLL_PROCESS_DETACH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sample log file from the coverage_parse.py can be found in ./EXAMPLES/IEXPLORE_Routines.txt
For detailed information about coverage_parse.py usage see comments in the Python source.
==============================================================
BUILDING AND EXPLORING CALL TREE MAP
==============================================================
1) To enable call tree logging execute your target applicaion with execute_pin_calls.bat scenario:
> execute_pin_calls.bat "C:\Program Files\Internet Explorer\iexplore.exe"
2) After the target applicaion termination in addidition to CoverageData.log, CoverageData.log.modules, CoverageData.log.routines and CoverageData.log.blocks also will be created a few files with the names like CoverageData.log.<N>, where <N> - thread number.
3) Use coverage_to_callgraph.py scenario to converting CoverageData.log.<N> files into the Calltree Profile Format (that uses in Valgrind):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
C:\> python coverage_to_callgraph.py CoverageData.log *
SYMLIB: DLL_PROCESS_ATTACH
SYMLIB: Symbols path is "C:\Symbols;SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols"
Code Coverage Analysis Tool for PIN
by Oleksiuk Dmitry, eSage Lab (dmitry@esagelab.com)
[!] Psyco is not available
[+] Input file(s): CoverageData.log.0, CoverageData.log.1, CoverageData.log.10, CoverageData.lo
g.11, CoverageData.log.12, CoverageData.log.13, CoverageData.log.14, CoverageData.log.15, Cover
ageData.log.16, CoverageData.log.17, CoverageData.log.18, CoverageData.log.19, CoverageData.log
.2, CoverageData.log.20, CoverageData.log.21, CoverageData.log.22, CoverageData.log.3, Coverage
Data.log.4, CoverageData.log.5, CoverageData.log.6, CoverageData.log.7, CoverageData.log.8, Cov
erageData.log.9
[+] Output file: Callgrind.out
[+] 80 modules readed
[+] Parsing routines list, please wait...
[+] 27806 routines readed
[+] Parsing call tree, please wait...
SYMLIB: Module loaded from "C:\Windows\SYSTEM32\ntdll.dll"
SYMLIB: 4239 symbols loaded for "C:\Windows\SYSTEM32\ntdll.dll"
SYMLIB: Module loaded from "C:\Windows\system32\IEFRAME.dll"
SYMLIB: 33516 symbols loaded for "C:\Windows\system32\IEFRAME.dll"
SYMLIB: Module loaded from "C:\Windows\System32\mshtml.dll"
SYMLIB: 35150 symbols loaded for "C:\Windows\System32\mshtml.dll"
SYMLIB: Module loaded from "C:\Windows\system32\OLEAUT32.dll"
SYMLIB: 3940 symbols loaded for "C:\Windows\system32\OLEAUT32.dll"
... skipped ...
[+] DONE (15 mins., 33 secs.)
SYMLIB: DLL_PROCESS_DETACH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
coverage_to_callgraph.py creates Callgrind.out file, that can be explored with Kcachegrind program.
Sample Callgrind.out for Internet Explorer process execution can be found in ./EXAMPLES/ directory.
For detailed information about coverage_to_callgraph.py usage see comments in the Python source.
Useful liks:
- Official Kcachegrind page:
http://kcachegrind.sourceforge.net/html/Home.html
- Windows port of Kcachegrind (by Lailin Chen):
http://sourceforge.net/projects/precompiledbin/
- Calltree Profile Format specification:
http://valgrind.org/docs/manual/cl-format.html
--------------------------------------------------------------
==============================================================
==============================================================
==============================================================
Update 2018 by 0xcpu
symlib Python extension updated for Python 3.6
coverage_parse.py updated for Python3.6
==============================================================
==============================================================
==============================================================
--------------------------------------------------------------