* Add support for breaking on UAF
* Small fixes and documentation
* Add a command to enable and disable tracking, better diagnostics
* Add initial support for calloc and realloc
* Better safeguard against matching ld.so malloc
* Small fixes
* Better interface for managing the heap tracker. More terse and information dense diagnostics
* Add warning and fix lints
* Update poetry lock
* Add initial implementation of Link Map parsing and draft Dynamic Segment parsing based on it
* Before changing into a better way to determine NN for ElfNN_Sym.
* Add support for reading relocation entries from the DYNAMIC segment
* Add initial infrastructure to implement the GOT tracker
* Non-coalesced watchpoints
* Finish initial draft implementation
* Update __init__.py
* Better diagnostics and move back to gdb.Breakpoint.stop() for most things
* Fixed the disabling procedure, and a bunch of cosmetics:
- Calling shellcode functions no longer force the context to show
- Better command to access the GOT tracker
* Disable broken r_brk hooks, for now.
* Mixed up the two columns
* Update pwndbg/commands/got_tracking.py
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
---------
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
This commit adds a command that traverses the linked list beginning at a given
element, dumping its contents and the contents of all the elements that come
after it in the list. Traversal is configurable and can handle multiple types
of chains.
This commit adds the `break-if-taken` and `break-if-not-taken` commands,
which attach breakpoints to branch instructions that will stop the
inferior if said branch is taken or is not taken, respectively. It adds
an extra class, `pwndbg.gdblib.bpoint.Breakpoint`, which clears caches
before calling `stop()`, allowing for the use of register values inside
that function in breakpoint classes that derive from it. Additionally,
checking of whether the conditions for a branch to be taken have been
fulfilled is done through `DisassemblyAssistant.condition()`.
* Add OnlyWhenUserspace Decorator #1459
* The decorator is implemented as the inverse of OnlyWhenQemuKernel
* Apply the decorator to all of the heap commands and tls, auxv and environ/envp
* Update pwndbg/commands/__init__.py
---------
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
* feature: Add `killthreads` command (closes#1580)
This command allows the user to quickly kill multiple threads by
specyfying their ids as arguments to this command. It also supports
the `--all` flag, which will kill overy thread except the currently
selected one. This is useful for use with the `checkpoint` command.
The killing is done by calling `pthread_exit(0)`.
* fix: try fixing building test binaries by enabling -lpthread
* fix: remove error message check when calling pthread_exit
Removed the message check, because the error messages difffer between
versions of GDB.
* fix: Improve UX of the killthreads command
Add an extended description of the command, some validation on the thread IDs
and suppress GDB output.
* fix: lint
* fix: put the multiline help text in the correct place
* tests: fix test failing due to a race condition when running in parrallel to other tests
Replaced asserts with loops which wait for a cundition to be met, so that the tests doesn't fail due to scheduling issues.
* tests: add more fixes for race conditions in test_killthreads
* fix: lint
* Update pwndbg/commands/killthreads.py
* tests: Wait for exactly three threads
---------
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
* ai plugin
* ai plugin ready to ship
* ai plugin ready to use
* textwrap on the ai's answer
* linted ai.py
* relaxed openai version requirement
* added pandas to requirements
* removed dependency on openai module, using requests instead
* removed dependency on openai module, using requests instead
* incorporating suggestions on PR
* added types requests and bumped requests version up to the version i'm using here
* lowering version req on requests for ubuntu 18 compat
* removed some 'if True' kludges that i was using to debug things at one point
* Refactor `pwndbg.glibc`
- Add type hints
- Use `info sharedlibrary` to find libc
- Update the regex of libc filename
- Rename `get_data_address()` to `get_data_section_address()`
* Add a function to dump libc ELF file's .data section
* Use the new methods to find `main_arena` and `mp_`
With ELF of libc, we can use the default value of `main_arena` and `mp_` to find their address
* Drop some unreliable methods for the heap heuristics
* Update the tests for the heap heuristics
* Show `main_arena` address in the `arenas` command output
* Make the heap hueristics support statically linked targets
* Drop some deprecated TLS functions and refactor the command
- Drop some deprecated TLS functions for the deprecated heap heuristics
- Don't call `pthread_self()` in the `tls` command without `-p` option
- Show the page of TLS in the `tls` command output
* Update the hint for the heap heuristics for multi-threaded
* Fix the wrong usage of the exception
* Fix the outdated description
* Return the default global_max_fast when we cannot find the address
* Enhance the output of `arena` and `mp`
- Show the address of the arena we print in the output of `arena` command if we didn't specify the address by ourselves.
- Avoid the bug that `arena` command might get an error if thread_arena doesn't allocate yet.
- Show the address of `mp_` in the output of the `mp` command
* Remove wrong hint
* Support using brute-force to find the address of main_arena
If the user allows, brute-force the left and right sides of the TLS address to find the closest possible value to the TLS address.
* Refactor the code about thread_arena and add the new brute-force strategy
In the .got section, brute-force search for possible TLS-reference values to find possible thread_arena locations
* Add tests for thread_arena and global_max_fast
- Check if we can get default global_max_fast
- Check if we can use brute-force to find thread_arena
* Update the output of `arenas`
* Add the test for the `tls` command
Add two tests for the `tls` command:
```
test_tls_address_and_command[x86-64] PASSED
test_tls_address_and_command[i386] PASSED
```
* Update and refactor the heuristics for `thread_arena` and `tcache`
- We provide an option for users to brute force `tcache` like what we did for `thread_arena`
- Cache `thread_arena` even when we are single-threaded
- Refactor the code for `thread_arena`, to make it work for `tcache` as well
- Update the tests for `tcache`
- Remove some redundant hint
* Fix the wrong cache mechanism
Cache the address of the arena instead of the instance of `Arena`, because `Arena` will cache the value of the field, resulting in getting the old value the next time the same property is used
* Update the description of some configs about heap heuristics
* Handling the case when tcache is NULL
* Handling the case when thread_arena is NULL
* Fix a bug that occurred when the TLS address could not be found
* Fix#1550
* Show tid only if no address is specified
* Update pwndbg/commands/__init__.py
* Update pwndbg/commands/heap.py
* Update pwndbg/commands/heap.py
* Update pwndbg/commands/heap.py
* Update pwndbg/commands/heap.py
* Update pwndbg/commands/heap.py
* Update pwndbg/commands/heap.py
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
* Fix lint
* Move some code into `pwndbg.gdblib.elf`
---------
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
Rizin is a fork of Radare2 with almost near perfect command compatibility with r2. Any r2 related plugins need to be replaced with their rz counter parts. Solves #1566
* lib/memory.py: use 'if collection' instead of 'if len(collection) > 0'
* commands/__init__.py: use 'not line' instead of 'len(line)==0'
* hexdump.py: use 'not data' instead of 'len(data)==0'
* commands/nearpc.py: use `if p` instead of `if len("%s" % p)>0`
I double checked that this works fine:
```
pwndbg> set nearpc-branch-marker-contiguous
Set contiguous branch marker line for nearpc command to ''.
pwndbg> pi str(pwndbg.commands.nearpc.nearpc_branch_marker_contiguous)
''
pwndbg> pi bool(pwndbg.commands.nearpc.nearpc_branch_marker_contiguous)
False
```
- Fix wrong output of `heap_config` command
- Implement auto mode for heap heuristic
- In auto mode, pwndbg will try to resolve the heap using heuristics if debug symbols are missing
* Fix some issues for GDB < 9.x
* GDB < 9.x doesn't have `gdb.lookup_static_symbol`
* GDB < 9.x doesn't have `gdb.PARAM_ZUINTEGER_UNLIMITED`
* Better error handling for the heap commands
* Inform users to `set exception-* on` when they encounter some error during using some heap commands
* Bug fix for heap region finding of `HeuristicHeap`
* Before this commit, `get_heap_boundaries()` of `HeuristicHeap` will always return the page whose name is `[heap]`, this won't work for multithreaded cases and won't work if the heap region of the main thread is not `[heap]` (e.g., when using QEMU, sometimes the name of heap region is something like: `[anon_deadbeaf]`)
* Fallback to `gdb.lookup_symbol` if we do not have `gdb.lookup_static_symbol`
Matt
Disconnect3d
OB
Tomasz Kowalik
smiley
duckl1ng
Gulshan Singh
dan "smiley" murray
_|+
Albert Koczy
Olivia Lucca Fraser
Alan Li
Maria