├── LICENSE
└── README.md

/LICENSE:
--------------------------------------------------------------------------------

The software (Codemap) is free to use for non-commercial use.
However, modifying and redistributing this software for commercial purposes is prohibited.
Copyright (c) 2015 daehee.

--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# codemap
Codemap is an IDA plugin for run trace visualization, which can be very helpful when reversing complex software.

Imagine you are about to reverse-engineer IE's JavaScript engine from scratch.
With a bit of research, you will notice that the JavaScript engine for IE is jscript9.dll.

So you open up that DLL with IDA, and there are over 16 thousand complex functions.
Given that most programs are based on OOP (Object Oriented Programming), you cannot
simply follow all the functions from the starting point (main function), and there is no main
entry point in modules such as DLLs. It is virtually impossible to understand the code and its
relationships inside the huge DLL by just statically analyzing it.

You probably want to narrow down the code that is actually involved in handling your input script.
So you run IE with a sample script file and analyze it dynamically by debugging it,
but you soon realize that you don't know where to set a breakpoint among 16 thousand functions.

It would take a huge amount of time and effort to find the code of your interest.
If you are not patient, you will probably just give up.

Luckily, you have a tool named Codemap.

Unlike DBI (Dynamic Binary Instrumentation) based tools such as Intel PIN or QEMU,
Codemap only uses breakpoints for tracing the program.
When the program hits a breakpoint, the Codemap breakpoint handler is invoked as a callback function,
the proper action for tracing is taken, and then Codemap continues the program.

The breakpoint event is sent to the Codemap server side. The Codemap server saves this information in a database
and plots the event for graph generation.
Codemap uses Dygraph (a JavaScript based visualization tool) to plot all the breakpoint events.

Codemap has the following features.
- runtrace visualization
  Codemap generates a graphical representation of the execution trace,
  which can be useful for understanding the program.

- module breakpoint
  Most commercial software consists of multiple modules (.dll or .so), and the
  core functionality resides inside the same module.
  In order to trace functions inside a specific module, Codemap supports setting breakpoints on
  all functions inside the selected module with a single click.

- function breakpoint
  In order to trace a specific function, Codemap supports setting breakpoints on
  all instructions inside a selected function with a single click.

- flexible memory pattern searching
  This is the key feature of Codemap. For instance, you can search for your input data pattern in the
  Codemap run trace memory dump and easily find out which function is responsible for parsing your data.
  As Codemap saves all the tracing logs into a database, you can filter / manipulate the runtrace result
  using SQL. This tailors the tracing result to your interest.
  From the Codemap browser screen, search for a memory pattern by typing the hex string,
  or enter an SQL statement to filter the trace result in whatever detail you want.

- IDA static window integration
  When you debug a program with IDA, you can't see the analyzed functions as well as
  when you open up the single specific module with IDA in the static analysis window.
  Normally, you have to recalculate the runtime EIP value into an address that you can follow in the IDA static window.
  To ease this, with Codemap you can just click the graph or navigate the graph with the keyboard,
  and then the statically analyzed IDA window (which is nice for reading the code) will automatically follow your runtime EIP.

After processing the legal stuff and fixing minor bugs, the first stable version of Codemap
will be disclosed to the public via GitHub as open source software.
cheers!

- daehee
--------------------------------------------------------------------------------
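The server-side ideas the README describes (breakpoint events kept in a database, memory pattern search done as an SQL filter over the saved dumps, and rebasing a runtime EIP to the address IDA shows in its static view) are sketched below as an added example. This is not Codemap's own code: the table schema, the sample events, the module names and the base addresses are all constructed for illustration.

```python
import sqlite3

# Constructed sample trace events (not Codemap's real schema). Each breakpoint
# hit records the thread id, the runtime EIP, the module it landed in and a
# small memory dump captured at that moment. All values are made up.
SAMPLE_EVENTS = [
    # (seq, tid, eip, module, dump)
    (1, 0x1A4, 0x6A801000, "jscript9.dll", b"\x00\x10" + b"A" * 6),
    (2, 0x1A4, 0x6A8010A0, "jscript9.dll", b"alert(1)" + b"\x00"),
    (3, 0x1A4, 0x77001234, "ntdll.dll", b"\xcc" * 8),
    (4, 0x1B0, 0x6A80FF00, "jscript9.dll", b"\x90alert(1)"),
]


def build_trace_db(events=SAMPLE_EVENTS):
    """Create an in-memory SQLite trace store and load the events into it."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE trace (seq INTEGER PRIMARY KEY, tid INTEGER, "
        "eip INTEGER, module TEXT, dump BLOB)"
    )
    db.executemany("INSERT INTO trace VALUES (?, ?, ?, ?, ?)", events)
    return db


def search_pattern(db, hex_pattern, module=None):
    """Return (seq, eip) for every event whose dump contains the byte pattern
    given as a hex string (e.g. "616c657274" for b"alert"), optionally
    restricted to one module. SQLite's instr() accepts BLOB arguments, so
    the whole filter runs inside SQL, embedded NUL bytes included."""
    needle = bytes.fromhex(hex_pattern)
    sql = "SELECT seq, eip FROM trace WHERE instr(dump, ?) > 0"
    args = [needle]
    if module is not None:
        sql += " AND module = ?"
        args.append(module)
    return db.execute(sql + " ORDER BY seq", args).fetchall()


def runtime_to_static(eip, runtime_base, static_base):
    """Map a runtime EIP to the address IDA shows for the same module when it
    was opened statically: drop the load base, add IDA's image base."""
    return eip - runtime_base + static_base
```

Every hit from `search_pattern` is a trace position whose captured memory held the input bytes, which is exactly the "which function parsed my data" question the README poses; the same table can be queried with any other SQL filter.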