{"id":19947635,"url":"https://github.com/googleprojectzero/drsancov","last_synced_at":"2026-03-08T23:32:20.090Z","repository":{"id":46024098,"uuid":"205825805","full_name":"googleprojectzero/DrSancov","owner":"googleprojectzero","description":"DynamoRIO plugin to get ASAN and SanitizerCoverage compatible output for closed-source executables","archived":false,"fork":false,"pushed_at":"2021-09-17T17:15:07.000Z","size":15,"stargazers_count":210,"open_issues_count":0,"forks_count":36,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-09-04T18:56:40.847Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/googleprojectzero.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-09-02T09:44:26.000Z","updated_at":"2025-08-03T00:56:56.000Z","dependencies_parsed_at":"2022-07-18T16:28:57.601Z","dependency_job_id":null,"html_url":"https://github.com/googleprojectzero/DrSancov","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/googleprojectzero/DrSancov","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleprojectzero%2FDrSancov","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleprojectzero%2FDrSancov/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleprojectzero%2FDrSancov/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleprojectzero%2FDrSancov/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/googleprojectzero","download_url":"https://codeload.github.com/googleprojectzero/DrSancov/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleprojectzero%2FDrSancov/sbom","scorecard":{"id":440941,"data":{"date":"2025-08-11","repo":{"name":"github.com/googleprojectzero/DrSancov","commit":"c01fdea2890f9f8f44cbeb791d40906e2d80a310"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":0,"reason":"Found 0/3 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}}]},"last_synced_at":"2025-08-19T05:34:05.693Z","repository_id":46024098,"created_at":"2025-08-19T05:34:05.694Z","updated_at":"2025-08-19T05:34:05.694Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30276940,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-08T20:45:49.896Z","status":"ssl_error","status_checked_at":"2026-03-08T20:45:49.525Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T00:36:55.789Z","updated_at":"2026-03-08T23:32:20.071Z","avatar_url":"https://github.com/googleprojectzero.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# DrSancov\r\n\r\nDrSancov is a small DBI module based on [DynamoRIO](https://github.com/DynamoRIO/dynamorio), which aims to combine the basic functionality of [AddressSanitizer](https://clang.llvm.org/docs/AddressSanitizer.html) and [SanitizerCoverage](https://clang.llvm.org/docs/SanitizerCoverage.html), while being similar to [DrCov](http://dynamorio.org/docs/page_drcov.html) (hence the name). In other words, it mimics the behavior of the two compiler instrumentations, by printing out ASAN-like reports upon SIGSEGV and similar program crashes, and saving code coverage information to `.sancov` files compatible with those generated by SanitizerCoverage. The purpose of the tool is to make it easier to test closed-source software using existing fuzzing pipelines which expect the target to be compiled with ASAN/SanitizerCoverage. It works with x86 and x86-64 applications.\r\n\r\nPlease note that the project does not improve memory error detection; it only produces ASAN compatible reports for conditions that would result in a hard crash anyway. For better sanitization of heap memory accesses in compiled binaries, check e.g. AFL's [libdislocator](https://github.com/google/AFL/tree/master/libdislocator).\r\n\r\nThe code coverage information is collected with a basic block granularity.\r\n\r\n## Building\r\n\r\nA Makefile for GNU/Linux is provided, and the end result is a `libdrsancov.so` library. The Makefile assumes that DynamoRIO resides in a `../dynamorio` directory relative to itself, for example:\r\n\r\n```\r\n.\r\n|-- code\r\n|   |-- common.cc\r\n|   |-- common.h\r\n|   |-- drsancov.cc\r\n|   |-- Makefile\r\n|   |-- tokenizer.cc\r\n|   `-- tokenizer.h\r\n|-- dynamorio\r\n|   |-- ACKNOWLEDGEMENTS\r\n|   |-- bin32\r\n|   |   |-- drconfig\r\n|   |   |-- drconfig.debug\r\n[...]\r\n```\r\n\r\nThen, compilation should run smoothly as follows:\r\n\r\n```\r\n$ cd code\r\n$ make\r\nclang++ -c -o drsancov.o drsancov.cc -O2 -fPIC -I../dynamorio/include -I../dynamorio/ext/include -DX86_64 -DLINUX -fno-stack-protector\r\nclang++ -c -o common.o common.cc -O2 -fPIC -I../dynamorio/include -I../dynamorio/ext/include -DX86_64 -DLINUX -fno-stack-protector\r\nclang++ -c -o tokenizer.o tokenizer.cc -O2 -fPIC -I../dynamorio/include -I../dynamorio/ext/include -DX86_64 -DLINUX -fno-stack-protector\r\nclang++ -shared -o libdrsancov.so drsancov.o common.o tokenizer.o -Wl,-hash-style=both ../dynamorio/lib64/debug/libdynamorio.so ../dynamorio/ext/lib64/debug/libdrsyms.so ../dynamorio/ext/lib64/debug/libdrmgr.so\r\n$\r\n```\r\n\r\n## Usage\r\n\r\nIn order to use DrSancov, prepend the usual target command line with `drrun -c libdrsancov.so -- `, which will run the program under our instrumentation. Let's consider the following program:\r\n\r\n```\r\n$ cat -n tests/test.cc\r\n     1  #include \u003ccstdio\u003e\r\n     2  #include \u003ccstdlib\u003e\r\n     3\r\n     4  int main(int argc, char **argv) {\r\n     5    if (argc \u003e= 2 \u0026\u0026 argv[1][0] == 'F' \u0026\u0026 argv[1][1] == 'U' \u0026\u0026 argv[1][2] == 'Z' \u0026\u0026 argv[1][3] == 'Z') {\r\n     6      int *x = (int *)0x12345678;\r\n     7      *x = 0x41414141;\r\n     8    }\r\n     9\r\n    10    return 0;\r\n    11  }\r\n$ g++ tests/test.cc -o tests/test\r\n$\r\n```\r\n\r\nFor argument \"FUZZ\", we'd typically see a standard \"Segmentation fault\" message:\r\n\r\n```\r\n$ tests/test FUZZ\r\nSegmentation fault\r\n$\r\n```\r\n\r\nWith DrSancov enabled, we get a familiar report:\r\n\r\n```\r\n$ dynamorio/bin64/drrun -c code/libdrsancov.so -- tests/test FUZZ\r\nASAN:SIGSEGV\r\n=================================================================\r\n==7548==ERROR: AddressSanitizer: SEGV on unknown address 0x12345678 (pc 0x7f114701a196 sp 0x7ffe0837a830 bp 0x7ffe0837a830 T0)\r\n    #0 0x7f114701a196 in test+1196\r\n\r\n==7548==CONTEXT\r\n  rax=0000000012345678 rbx=0000000000000000 rcx=0000000000000080 rdx=00007ffe0837a930\r\n  rsi=00007ffe0837a918 rdi=0000000000000002 rsp=00007ffe0837a830 rbp=00007ffe0837a830\r\n   r8=00007f1149d8ad80  r9=0000000000000000 r10=00007f114701f010 r11=0000000000000000\r\n  r12=00007f114701a040 r13=00007ffe0837a910 r14=0000000000000000 r15=0000000000000000\r\n  rip=00007f1137b63a18 rflags=0000000000010246\r\nAccessed address: 0x12345678\r\nFaulting code:\r\n  0x00007f1137b63a18 mov    dword ptr [rax], 0x41414141\r\n\r\n==7548==ABORTING\r\n$\r\n```\r\n\r\nIn addition to the somewhat standarized ASAN header, there is also extra information printed out in the \"context\" section.\r\n\r\nSimilarly to ASAN, DrSancov can be controlled with the `ASAN_OPTIONS` environment variable. The currently supported switches are `coverage`, `exitcode`, `log_path` and `coverage_dir`. Let's try to obtain some code coverage for two inputs:\r\n\r\n```\r\n$ ASAN_OPTIONS=coverage=1 dynamorio/bin64/drrun -c code/libdrsancov.so -- tests/test FU\r\nDrSanitizerCoverage: ./test.20345.sancov: 25 PCs written\r\n$ ASAN_OPTIONS=coverage=1 dynamorio/bin64/drrun -c code/libdrsancov.so -- tests/test FUZ\r\nDrSanitizerCoverage: ./test.20361.sancov: 26 PCs written\r\n$ xxd -e -g8 -c8 test.20345.sancov | awk '{print $2}' \u003ecov1\r\n$ xxd -e -g8 -c8 test.20361.sancov | awk '{print $2}' \u003ecov2\r\n$ diff cov1 cov2\r\n19a20\r\n\u003e 0000000000001174\r\n$\r\n```\r\n\r\nHere, we can see that the difference in coverage between \"FU\" and \"FUZ\" is a single basic block at offset 0x1174, which turns out to be the verification of the final letter of the parameter:\r\n\r\n```\r\n$ objdump -d tests/test\r\n[...]\r\n    1174:       48 8b 45 e0             mov    -0x20(%rbp),%rax\r\n    1178:       48 83 c0 08             add    $0x8,%rax\r\n    117c:       48 8b 00                mov    (%rax),%rax\r\n    117f:       48 83 c0 03             add    $0x3,%rax\r\n    1183:       0f b6 00                movzbl (%rax),%eax\r\n    1186:       3c 5a                   cmp    $0x5a,%al\r\n    1188:       75 12                   jne    119c \u003cmain+0x77\u003e\r\n[...]\r\n```\r\n\r\nThis demonstrates basic output compatibility between the DBI and the Sanitizer-family instrumentations.\r\n\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogleprojectzero%2Fdrsancov","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogleprojectzero%2Fdrsancov","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogleprojectzero%2Fdrsancov/lists"}