Skip to content
Branch: master
Find file History
Type Name Latest commit message Commit time
Failed to load latest commit information. updated's Dec 7, 2017 Make coverage saving more robust Jul 10, 2018

In this folder you will find the code coverage collection script that run ontop of the Frida DBI toolkit. This script will produce code coverage (using Frida) in a log format compatible with Lighthouse.

Frida is best supported on mobile platforms such as iOS or Android, claiming some support for Windows, MacOS, Linux, and QNX. Practically speaking, should only be used for collecting coverage data on mobile applications.

This script is labeled only as a prototype.


To use, you must have Frida installed. This can be done via python's pip:

sudo pip install frida


Once frida is installed, the script in this repo can be used to collect coverage against a running process as demonstrated below. By default, the code coverage data will be written to the file frida-drcov.log at the end of execution.

python <process name | pid>

Here is an example of us instrumenting the running process bb-bench.

$ sudo python bb-bench
[+] Got module info
Starting to stalk threads...
Stalking thread 775
Done stalking threads.
[*] Now collecting info, control-D to terminate....
[*] Detaching, this might take a second... # ^d
[+] Detached. Got 320 basic blocks.
[*] Formatting coverage and saving...
[!] Done
$ ls -lh frida-cov.log # this is the file you will load into lighthouse
-rw-r--r--  1 root  staff   7.2K 21 Oct 11:58 frida-cov.log

Using the -o flag, one can specify a custom name/location for the coverage log file:

python -o more-coverage.log foo

Module Whitelisting

One can whitelist specific modules inside the target process. Say you have binary foo which imports the libraries libfoo, libbar, and libbaz. Using the -w flag (whitelist) on the command line, we can explicitly target modules of interest:

$ python -w libfoo -w libbaz foo

This will reduce the amount of information collected and improve performance. If no -w arguments are supplied, will trace all loaded images.

Thread Targeting

On multi-threaded applications, tracing all threads can impose significant overhead. For these cases you can filter coverage collection based on thread id if you only care about specific threads.

In the following example, we target thread id 543, and 678 running in the process named foo.

python -t 543 -t 678 foo

Without the -t flag, all threads that exist in the process at the time of attach will be traced.


You can’t perform that action at this time.