The original code that searched for an arena's top chunk via the heuristic method of iterating through each chunk on a heap was written before the OnlyWithLibcDebugSyms decorator was added to all heap-related commands. This decorator makes the heuristic method unnecessary as the 'top' member of a heap's arena will always be accessible.
Remove the get_top_chunk_addr() function as it only uses the heuristic approach. Use symbols in top_chunk() and vis_heap_chunks() rather than heuristics. Use get_arena_for_chunk() in vis_heap_chunks() to find an arena; originally this used get_arena() with no arguments, which always returned the main arena. Fix get_arena_for_chunk(), which misidentified a chunk as a malloc_state struct rather than a malloc_chunk struct, and use read_chunk() rather than memory.poi(), which didn't account for the size/mchunk_size symbols used in different versions of GLIBC.
* Replace malloc initialization heuristics
Use the __libc_malloc_initialized symbol to determine whether malloc has been initialized rather than checking whether global_max_fast has been populated. This has the advantage of being compatible with older versions of GLIBC that don't have a global_max_fast symbol.
* Update pwndbg/heap/ptmalloc.py
Co-Authored-By: Paweł Płatek <e2.8a.95@gmail.com>
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
Co-authored-by: Paweł Płatek <e2.8a.95@gmail.com>
* Configure context output per section
* banner respects width of target output
* Fixed context output help
* ui.banner optionally force a width
* Allow python functions as context output
* Use is for StdOutput type comparison
Co-Authored-By: Disconnect3d <dominik.b.czarnota@gmail.com>
* Use list-function as initial value of default dict
Co-Authored-By: Disconnect3d <dominik.b.czarnota@gmail.com>
* Append final context linebreak only on stdout
* Documented context splitting feature
* Option to hide context section banners
* Option to set width per context section (currently only banner)
* Splitting screenshot
* Fixed empty lines when not clearing
* Fixed auto banner width (using stdin as before instead of stdout)
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
* command: support alternatives including sub command wrapper like pwn
Additionally speed up the checksec logic by removing the --version
check. Simply try to shell out and use the first working option variant
as we can't easily detect the different available alternatives in a
bulletproof way.
This implementation allows using the sub command wrapper 'pwn' to call
checksec in case pwntools has been installed using --only-use-pwn-command
To unconditionally unify the usage, the function's cmd attribute stores
the base command to execute in form of a list that can be used to
concatenate an array of options against it and pass the final list to
call_cmd
* checksec: allow a third option variant by only passing the file target
Let's try a third available version of checksec as the lowest order
variant in our cascade that works by only passing the target file
without additional specifier.
* vmmap: add QEMU kernel support
This feature uses GDB's `monitor info mem` to fetch
memory pages for QEMU in kernel mode.
However, at least on QEMU 3.0.0 on `qemu-system-x86_64`
the `monitor info mem` command returns memory pages without the
`executable` permission bit, so for now we assume that all pages are executable.
The `monitor info mem` command works only in QEMU kernel mode;
in QEMU-user it does:
```
(gdb) monitor info mem
Target does not support this command.
```
* Update vmmap command docs
* Use monitor_info_mem only on X86/X64
* monitor_info_mem: fix comment about executable perm
* Update vmmap help
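As an added example (not pwndbg's own code, and not part of the commit above), this parses the `monitor info mem` output the commit describes and treats every page as executable, since the executable bit is not reported. The line layout assumed here, `start-end size <u|-><r|-><w|->`, is the x86 format; the sample lines are constructed, and `parse_info_mem`, `find_page` and `perms_str` are names chosen for this example.

```python
import re
from collections import namedtuple

# One page range as reported by `monitor info mem` (example type, not pwndbg's).
MemPage = namedtuple("MemPage", "start end size read write user exec")

# Constructed sample output in the assumed x86 layout:
#   <start>-<end> <size> <user><read><write>, with '-' for a cleared bit.
# The executable bit is never printed, which is why exec is assumed below.
SAMPLE_INFO_MEM = """\
0000000000400000-0000000000401000 0000000000001000 ur-
0000000000601000-0000000000602000 0000000000001000 urw
ffffffff81000000-ffffffff81a00000 0000000000a00000 -r-
ffffffff81a00000-ffffffff82200000 0000000000800000 -rw
"""

LINE_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([0-9a-f]+)\s+([u-])([r-])([w-])\s*$"
)


def parse_info_mem(text, assume_exec=True):
    """Parse `monitor info mem` output into MemPage entries.

    Lines that do not match the page layout (for example the
    'Target does not support this command.' reply in QEMU-user) are
    skipped, so an unsupported target yields an empty list.
    """
    pages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        start, end, size = (int(m.group(i), 16) for i in (1, 2, 3))
        user, read, write = (m.group(i) != "-" for i in (4, 5, 6))
        # Executable permission is unknown from this output; assume it.
        pages.append(MemPage(start, end, size, read, write, user, assume_exec))
    return pages


def find_page(pages, addr):
    """Return the page containing addr, or None if it is unmapped."""
    for page in pages:
        if page.start <= addr < page.end:
            return page
    return None


def perms_str(page):
    """Render permissions vmmap-style, e.g. 'r-x'."""
    return "".join(
        flag if enabled else "-"
        for flag, enabled in (("r", page.read), ("w", page.write), ("x", page.exec))
    )


if __name__ == "__main__":
    for page in parse_info_mem(SAMPLE_INFO_MEM):
        owner = "user" if page.user else "kernel"
        print(f"{page.start:016x}-{page.end:016x} {perms_str(page)} {owner}")
```

Because the executable bit is assumed rather than read, a consumer should not rely on these pages to decide whether a kernel address is actually executable; the assumption only keeps code display working on QEMU builds that omit the bit.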
Modern maintained checksec >2.0 requires to use "--file=arg" which
we try to detect. The command call is cached anyway so let's try
to find out what version is running.
In case we can't find a verbose variant, we just fall back to the
common old-fashioned "--file arg" variant as if nothing has happened.
Fixes #662
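The two checksec commits above describe a cascade: try each invocation variant in order, keep the first one that works, and cache the result. The following is an added illustration of that pattern, not pwndbg's implementation; the variant list, the `runner` hook (injected so the cascade can be exercised without a real checksec binary) and the names `find_checksec` and `run_command` are choices made for this example.

```python
import subprocess
from functools import lru_cache

# Candidate invocations, most specific first. "{file}" is replaced by the
# target path. Ordering and spellings follow the commit text; the list
# itself is an assumption of this example, not pwndbg's code.
CHECKSEC_VARIANTS = (
    ("checksec", "--file={file}"),       # maintained checksec > 2.0
    ("checksec", "--file", "{file}"),    # older "--file arg" form
    ("checksec", "{file}"),              # bare positional target
    ("pwn", "checksec", "{file}"),       # pwntools --only-use-pwn-command
)


def run_command(cmd):
    """Default runner: shell out and return (returncode, stdout).

    A missing binary raises OSError, which is treated like a failed run so
    the cascade simply moves on to the next variant.
    """
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except OSError:
        return 1, ""
    return proc.returncode, proc.stdout


@lru_cache(maxsize=None)
def find_checksec(path, runner=run_command):
    """Return (cmd, output) for the first working variant, or None.

    Results are cached per (path, runner), mirroring the "command call is
    cached anyway" remark: later callers do not re-probe the variants.
    """
    for template in CHECKSEC_VARIANTS:
        cmd = tuple(part.format(file=path) for part in template)
        rc, out = runner(list(cmd))
        if rc == 0 and out.strip():
            return cmd, out
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/bin/ls"
    found = find_checksec(target)
    if found is None:
        print("no working checksec variant found")
    else:
        print("using:", " ".join(found[0]))
        print(found[1])
```

The `runner` parameter is the only seam: production callers leave the default, while tests pass a fake that answers for exactly one variant, which is enough to check both the ordering and the caching.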
* Make size_t and ssize_t the correct sizes, and actually use them for inthook. Fix for #669 along with other issues.
* elif, pointer size support message
This commit adds support for xPSR to be used instead of cPSR on Cortex-M
ARMs. Prior to this commit, pwndbg would crash when attached to a
Cortex-M core. This commit adds a new internal arch "armcm" to describe
Cortex-M ARMs.
Closes #542, fixes the second issue in #264
* Initial setup of mkdocs
* Add documentation for every command. Also put them in some structure
* Fix typo
* Fix newline
* Update index
* fix some leakfind errors
* Some more fixes
* Fix search
* More fix
* Fix source code display
Fixes and simplifies source code display in `context code`. The
reasoning is below.
---
It turns out that we determine the source code line for known code in a
tricky and buggy way. It is wrong when we are deep inside many calls and
we go to upper frame via e.g. `up` and then display the `context code`.
And this also occurs after applying the PR #637 before/after this fix.
We also do `except` all exceptions happening in the source code
retrieval which makes it hard to spot potential bugs in this code path.
This commit removes the `except` path and checks for particular edge
cases where we wouldn't have sources available.
---
Also note the `FileNotFoundError` path - in this case the debug symbols
have a source file path there, but it hasn't been found by us. It might
be because the program (or anything else) removed it OR maybe we debug
remotely etc (not sure if this is the case).
This being said, we could potentially inform the users about that BUT...
GDB already does that by itself - maybe in a bit vague way, as it does
it before us displaying the context e.g.:
```
pwndbg> r
Starting program: /home/dc/pwndbg/a.out
Program received signal SIGSEGV, Segmentation fault.
0x000055555555460a in foo () at ./a.c:2
2 ./a.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
// (the rest of the context here)
```
But I am fine with that for now - and I am not sure if we could even
suppress this warning (oh, maybe this string comes to us into prompt
hook/event? I don't know)
* Fix wrong code line if source startswith newlines
For some reason `pygments.highlight` removes newlines at the start.
We need to preserve them in order to keep proper code lines.
* Use lexer's stripnl=False
TLDR:
1. We read registers from `newest_frame` instead of `selected_frame` for GDB>=7.9.
2. We have two ways to fetch registers - `regs.__getitem__` and
`regs.__getattr__` - one of them didn't invalidate the cache and so after
fixing the 1st, we still showed the old register after switching frames.
GDB's `up` and `down` commands trigger internal notification about
changed frame. It does not happen for `gdb.Frame.select()` which we use
in our own overrides for `up` and `down` commands.
Because of that, the `list` GDB command does not show proper source code
lines.
This can be worked around by firing `frame` command and this is what
this workaround/PR adds.
This bug has also been reported to GDB bugzilla at
https://sourceware.org/bugzilla/show_bug.cgi?id=24534
- fixed incorrect docs of dumpargs command (`--all` vs `--force`)
- dumpargs command does not require `--force` now if we are not on a
call instruction
* Bin annotations
* ASCII representation
* Addresses formatted w/o ':' (ease terminal copy/paste)
* Implicit addr support (pwndbg> vis_heap_chunks)
* Use top_chunk as sanity end-of-heap check, making it easier to use
during non-top_chunk heap corruption
* Added --naive (-n) to disable end-of-heap check
* Swapped arguments:
pwndbg> vis_heap_chunks addr count -> vis_heap_chunks count addr
Arguably, desired number of chunks v. heap addr is more readily
available