From ede2c4e99ff0ff9b361282b972ca1cbfad9c6565 Mon Sep 17 00:00:00 2001
From: Rakholiya Jenish
Date: Thu, 14 Jan 2016 23:40:43 +0530
Subject: [PATCH 1/5] Add support for character search
Add support to search number (for example: `1234`) in character string as characters instead of integers. It also supports searching of characters directly in hex form for characters such as `\xff`.
---
 pwndbg/commands/search.py | 33 +++++++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)
diff --git a/pwndbg/commands/search.py b/pwndbg/commands/search.py
index 942f2a4b0..140af704e 100644
--- a/pwndbg/commands/search.py
+++ b/pwndbg/commands/search.py
@@ -13,17 +13,31 @@ import pwndbg.vmmap
 @pwndbg.commands.Command
 @pwndbg.commands.OnlyWhenRunning
-def search(value):
+def search(searchtype, value=None):
 """
 Search memory for the specified value, provided
 either as a pointer-width integer, or a string.
 > search 0xdeadbeef
 > search "/bin/sh"
+
+ To search 1234 in a character string instead of integer
+ > search/c 1234
+
+ To search for characters using hex values in string
+ > search/xc f0f1f2f3
+ > search/xc \xf0\xf1\xf2\xf3
+ > search/xc \\xf0\\xf1\\xf2\\xf3
 """
+
+ if value:
+ searchtype = searchtype[1:]
+ else:
+ value, searchtype = searchtype, value
+
 hits = set()
- for address in pwndbg.search.search(value):
+ for address in pwndbg.search.search(value, searchtype):
 if not address:
 continue
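Review bot: `searchtype = searchtype[1:]` on the `if value:` branch strips the first character without checking that it is the `/` modifier, so a mistyped `search c 1234` silently becomes `searchtype == ''` and the command proceeds as if no modifier had been given instead of reporting the mistake; guard the slice with `if not searchtype.startswith('/'):` and report the bad modifier before slicing. The same unchecked slice is carried into patch 4's `search` and `searchb` in this file, where the resulting `''` is falsy and skips the `Invalid option` branch. The body of `search` continues past the end of the hunk.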
@@ -47,12 +61,23 @@ def search(value):
 @pwndbg.commands.Command
 @pwndbg.commands.OnlyWhenRunning
-def searchmem(value):
+def searchmem(searchtype, value=None):
 """
 Search memory for the specified value, provided
 either as a pointer-width integer, or a string.
 > search 0xdeadbeef
 > search "/bin/sh"
+
+ To search 1234 in a character string instead of integer
+ > search/c 1234
+
+ To search for characters using hex values in string
+ > search/xc f0f1f2f3
+ > search/xc \xf0\xf1\xf2\xf3
+ > search/xc \\xf0\\xf1\\xf2\\xf3
 """
- return search(value)
+ if value:
+ return search(searchtype, value)
+ else:
+ return search(searchtype)
From 9a993f46c6eafff0feb2a7037f2f74627301108d Mon Sep 17 00:00:00 2001
From: Rakholiya Jenish
Date: Thu, 14 Jan 2016 23:43:03 +0530
Subject: [PATCH 2/5] Add support for character search
Add support to search number (for example: `1234`) in character string as characters instead of integers. It also supports searching of characters directly in hex form for characters such as `\xff`.
---
 pwndbg/search.py | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)
diff --git a/pwndbg/search.py b/pwndbg/search.py
index e87b2e1db..83721b3c3 100644
--- a/pwndbg/search.py
+++ b/pwndbg/search.py
@@ -12,21 +12,31 @@ import pwndbg.typeinfo
 import pwndbg.vmmap
-def search(searchfor):
+def search(searchfor, searchtype=None):
 value = searchfor
 size = None
- if searchfor.isdigit():
- searchfor = int(searchfor)
- elif searchfor.startswith('0x') \
- and all(c in 'xABCDEFabcdef0123456789' for c in searchfor):
- searchfor = int(searchfor, 16)
-
- if isinstance(searchfor, (long, int)):
- if pwndbg.arch.ptrsize == 4:
- searchfor = struct.pack('I', searchfor)
- elif pwndbg.arch.ptrsize == 8:
- searchfor = struct.pack('L', searchfor)
+ if searchtype != 'c' and searchtype != 'xc':
+ if searchfor.isdigit():
+ searchfor = int(searchfor)
+ elif searchfor.startswith('0x') \
+ and all(c in 'xABCDEFabcdef0123456789' for c in searchfor):
+ searchfor = int(searchfor, 16)
+
+ if isinstance(searchfor, (long, int)):
+ if pwndbg.arch.ptrsize == 4:
+ searchfor = struct.pack('I', searchfor)
+ elif pwndbg.arch.ptrsize == 8:
+ searchfor = struct.pack('L', searchfor)
+
+ elif searchtype == 'xc':
+ if '\\x' in searchfor:
+ searchfor = bytes.fromhex(''.join(searchfor.split('\\x')))
+ elif 'x' in searchfor:
+ searchfor = bytes.fromhex(''.join(searchfor.split('x')))
+ else:
+ searchfor = bytes.fromhex(''.join(searchfor[i:i+2]
+ for i in range(0, len(searchfor), 2)))
 i = gdb.selected_inferior()
From 2e19f6245ac29ceffcb0856314bf1260df89c565 Mon Sep 17 00:00:00 2001
From: Rakholiya Jenish
Date: Thu, 14 Jan 2016 23:44:54 +0530
Subject: [PATCH 3/5] Add comment
---
 pwndbg/search.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pwndbg/search.py b/pwndbg/search.py
index 83721b3c3..79dcacbe1 100644
--- a/pwndbg/search.py
+++ b/pwndbg/search.py
@@ -16,7 +16,7 @@ def search(searchfor, searchtype=None):
 value = searchfor
 size = None
- if searchtype != 'c' and searchtype != 'xc':
+ if searchtype != 'c' and searchtype != 'xc': #default search when used without any searchtype of invalid search type
 if searchfor.isdigit():
 searchfor = int(searchfor)
 elif searchfor.startswith('0x') \
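Review bot: In the `xc` branch every path ends in `bytes.fromhex`, which raises `ValueError` for odd-length or non-hex input (`search/xc f0f`, `search/xc zz`), so the user gets a traceback rather than a message; wrap the conversion in `try: ... except ValueError:` and print what was rejected. The final `else` re-joins two-character slices of `searchfor`, which yields `searchfor` unchanged, so `bytes.fromhex(searchfor)` says the same thing directly. If this module is still expected to run under Python 2 (the `long` in the integer branch suggests it may be), `bytes` is `str` there and has no `fromhex`; `binascii.unhexlify` accepts the same text on both versions. Patch 4 moves this block verbatim into `searchb` in pwndbg/commands/search.py, where all of the above still applies. The rest of `search` is outside the hunk.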
From ba6d14d5db5cdf47438717f4d179806fc164adf6 Mon Sep 17 00:00:00 2001
From: Rakholiya Jenish
Date: Sat, 16 Jan 2016 02:24:28 +0530
Subject: [PATCH 4/5] Add searchb and searchd function. Deduplicate code.
---
 pwndbg/commands/search.py | 128 ++++++++++++++++++++++++++++----------
 pwndbg/search.py | 26 +-------
 2 files changed, 96 insertions(+), 58 deletions(-)
diff --git a/pwndbg/commands/search.py b/pwndbg/commands/search.py
index 140af704e..d8a69766c 100644
--- a/pwndbg/commands/search.py
+++ b/pwndbg/commands/search.py
@@ -11,33 +11,10 @@ import pwndbg.search
 import pwndbg.vmmap
-@pwndbg.commands.Command
-@pwndbg.commands.OnlyWhenRunning
-def search(searchtype, value=None):
- """
- Search memory for the specified value, provided
- either as a pointer-width integer, or a string.
-
- > search 0xdeadbeef
- > search "/bin/sh"
-
- To search 1234 in a character string instead of integer
- > search/c 1234
-
- To search for characters using hex values in string
- > search/xc f0f1f2f3
- > search/xc \xf0\xf1\xf2\xf3
- > search/xc \\xf0\\xf1\\xf2\\xf3
- """
-
- if value:
- searchtype = searchtype[1:]
- else:
- value, searchtype = searchtype, value
-
+def print_search(value):
 hits = set()
- for address in pwndbg.search.search(value, searchtype):
+ for address in pwndbg.search.search(value):
 if not address:
 continue
@@ -46,7 +23,7 @@ def search(searchtype, value=None):
 hits.add(address)
- vmmap = pwndbg.vmmap.find(address)
+ vmmap = pwndbg.vmmap.find(address)
 if vmmap:
 region = os.path.basename(vmmap.objfile)
 else:
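Review bot: `print_search` is introduced without a docstring even though it is a module-level function that the commands below all route through; give it one stating the contract, e.g. `"""Print each address where *value* occurs in memory, together with the mapping it lies in."""`, adjusted to what the printing code past the hunk actually emits, since only the lookup loop and the `hits` set are visible here. A leading underscore (`_print_search`) would also mark it as an internal helper rather than a public name next to the decorated commands. The body continues beyond this hunk.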
@@ -61,23 +38,106 @@ def search(searchtype, value=None):
 @pwndbg.commands.Command
 @pwndbg.commands.OnlyWhenRunning
-def searchmem(searchtype, value=None):
+def search(searchtype, value=None):
 """
 Search memory for the specified value, provided
 either as a pointer-width integer, or a string.
 > search 0xdeadbeef
 > search "/bin/sh"
-
 To search 1234 in a character string instead of integer
 > search/c 1234
-
+
+ To search for characters using hex values in string
+ > search/x f0f1f2f3
+ > search/x \\xf0\\xf1\\xf2\\xf3
+ > search/x \\\\xf0\\\\xf1\\\\xf2\\\\xf3
+ """
+ if value:
+ searchtype = searchtype[1:]
+ else:
+ value, searchtype = searchtype, value
+
+ if searchtype:
+ if searchtype == 'c' or searchtype == 'x':
+ searchtype = '/' + searchtype
+ searchb(searchtype,value)
+ return
+ else:
+ print(pwndbg.color.red("Invalid option {0}".format(searchtype)))
+ return
+
+ if value.isdigit():
+ value = int(value)
+ elif value.startswith('0x') \
+ and all(c in 'xABCDEFabcdef0123456789' for c in value):
+ value = int(value, 16)
+
+ if isinstance(value, (long, int)):
+ if pwndbg.arch.ptrsize == 4:
+ value = struct.pack('I', value)
+ elif pwndbg.arch.ptrsize == 8:
+ value = struct.pack('L', value)
+
+ print_search(value)
+
+ @pwndbg.commands.Command
+ @pwndbg.commands.OnlyWhenRunning
+ def searchmem(searchtype, searchvalue=None):
+ """
+ Search memory for the specified value, provided
+ either as a pointer-width integer, or a string.
+
+ > searchmem 0xdeadbeef
+ > searchmem "/bin/sh"
+
+ To search 1234 in a character string instead of integer
+ > searchmem/c 1234
+
+ To search for characters using hex values in string
+ > searchmem/x f0f1f2f3
+ > searchmem/x \\xf0\\xf1\\xf2\\xf3
+ > searchmem/x \\\\xf0\\\\xf1\\\\xf2\\\\xf3
+ """
+ return search(searchtype,searchvalue)
+
+ @pwndbg.commands.Command
+ @pwndbg.commands.OnlyWhenRunning
+ def searchb(searchtype, value=None):
+ """
+ Search memory for the specified value, provided
+ as a string of characters or hexadecimal values.
+
+ > searchb 1234
+
 To search for characters using hex values in string
- > search/xc f0f1f2f3
- > search/xc \xf0\xf1\xf2\xf3
- > search/xc \\xf0\\xf1\\xf2\\xf3
+ > searchb/x f0f1f2f3
+ > searchb/x \\xf0\\xf1\\xf2\\xf3
+ > searchb/x \\\\xf0\\\\xf1\\\\xf2\\\\xf3
 """
 if value:
- return search(searchtype, value)
+ searchtype = searchtype[1:]
 else:
- return search(searchtype)
+ value, searchtype = searchtype, value
+
+ if searchtype == 'x':
+ if '\\x' in value:
+ value = bytes.fromhex(''.join(value.split('\\x')))
+ elif 'x' in value:
+ value = bytes.fromhex(''.join(value.split('x')))
+ else:
+ value = bytes.fromhex(''.join(value[i:i+2]
+ for i in range(0, len(value), 2)))
+ print_search(value)
+
+ @pwndbg.commands.Command
+ @pwndbg.commands.OnlyWhenRunning
+ def searchd(value):
+ """
+ Searches memory for the specified value,
+ provided as a pointer-width integer.
+
+ > searchd 0xdeadbeef
+ """
+ return search(value)
diff --git a/pwndbg/search.py b/pwndbg/search.py
index 79dcacbe1..d275bba42 100644
--- a/pwndbg/search.py
+++ b/pwndbg/search.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 """
-Search the address space for byte patterns or pointer values.
+Search the address space for byte patterns.
 """
 import struct
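Review bot: The integer path of `search` packs with `struct.pack('I', value)` / `struct.pack('L', value)` and nothing catches `struct.error`, so an integer wider than the pointer (`search 0x1ffffffffffffffff`) ends the command with a traceback instead of a message like the `Invalid option` case; wrap the pack in `try: ... except struct.error:` and print the rejected value in red the same way. Native `'I'`/`'L'` also use the host's byte order and `'L'` is 8 bytes only on LP64 hosts, so a standard-size format (`'<I'`/`'<Q'`, or the `>` forms for a big-endian target) would make the pattern depend on the debuggee rather than on the machine running gdb. This file now also needs `struct`, `long` and `pwndbg.color`, none of which appear among the imports visible in the hunk headers; if they are not imported further up (outside the hunk), `long` is a `NameError` on Python 3 and the integer path fails before it can search. `searchb` leaves `value` a `str` on the `/c` path but produces `bytes` on `/x`, so `print_search` receives two different types; a one-line comment there saying which one `pwndbg.search.search` expects would spare the next reader the same check.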
@@ -12,32 +12,10 @@ import pwndbg.typeinfo
 import pwndbg.vmmap
-def search(searchfor, searchtype=None):
+def search(searchfor):
 value = searchfor
 size = None
- if searchtype != 'c' and searchtype != 'xc': #default search when used without any searchtype of invalid search type
- if searchfor.isdigit():
- searchfor = int(searchfor)
- elif searchfor.startswith('0x') \
- and all(c in 'xABCDEFabcdef0123456789' for c in searchfor):
- searchfor = int(searchfor, 16)
-
- if isinstance(searchfor, (long, int)):
- if pwndbg.arch.ptrsize == 4:
- searchfor = struct.pack('I', searchfor)
- elif pwndbg.arch.ptrsize == 8:
- searchfor = struct.pack('L', searchfor)
-
- elif searchtype == 'xc':
- if '\\x' in searchfor:
- searchfor = bytes.fromhex(''.join(searchfor.split('\\x')))
- elif 'x' in searchfor:
- searchfor = bytes.fromhex(''.join(searchfor.split('x')))
- else:
- searchfor = bytes.fromhex(''.join(searchfor[i:i+2]
- for i in range(0, len(searchfor), 2)))
-
 i = gdb.selected_inferior()
 maps = pwndbg.vmmap.get()
From 84fd94949e14fd259f20aaa262de269a6cd804f0 Mon Sep 17 00:00:00 2001
From: Rakholiya Jenish
Date: Sat, 16 Jan 2016 11:54:41 +0530
Subject: [PATCH 5/5] Correct the conversion of mem2chunk
---
 pwndbg/malloc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pwndbg/malloc.py b/pwndbg/malloc.py
index 1ed36c799..9e0d379d4 100644
--- a/pwndbg/malloc.py
+++ b/pwndbg/malloc.py
@@ -22,4 +22,4 @@ def chunk2mem(p):
 def mem2chunk(mem):
 "conversion from user pointer to malloc header"
- return p + (2-pwndbg.arch.ptrsize)
+ return mem - (2*pwndbg.arch.ptrsize)
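Review bot: `search(searchfor)` now says nothing about its argument, yet after this series it is handed `bytes` by the integer and `/x` paths and a plain `str` by `search "/bin/sh"` and `searchb 1234`; add a docstring stating the accepted type and the return shape, e.g. `"""Search all mapped memory for the byte string *searchfor* and yield each address where it occurs."""`, using 'return' instead of 'yield' if the body builds a list (the `for address in pwndbg.search.search(value)` loop in commands/search.py is the only evidence of the return shape, as the scanning code is past the hunk). `value = searchfor` and `size = None` survive the deletion but nothing in the visible part reads them; if the code below the hunk does not either, they are dead after this patch. The rest of `search` lies outside the hunk.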
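Review bot: The corrected `mem2chunk` keeps a single-line plain-string docstring that does not explain the offset; a triple-quoted docstring naming the relation to `chunk2mem` makes the constant self-explaining, e.g. `"""Return the chunk header address for user pointer *mem*: the header occupies two pointer-sized words before the user data (inverse of chunk2mem)."""`. A round-trip check such as `assert chunk2mem(mem2chunk(p)) == p` would pin the two conversions against each other, assuming `chunk2mem` adds the same `2*pwndbg.arch.ptrsize` (its body is outside the hunk).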