* Update heap implementation
* Heap commands default to using the debugged thread's arena, rather
than the main arena.
* Tcache commands are behind an OnlyWithTcache decorator.
* The "heap" & "top_chunk" commands only print relevant information
about chunks they encounter.
* Integrate _fetch_tcache_addr() into thread_cache().
* Move some code from get_region() into get_heap_boundaries().
* Rename some variables for clarity.
* Argparse descriptions are single-line so they don't get truncated.
* Some PEP8 changes such as whitespace & docstring width.
* Catch initialized heap but no thread arena case
When the main thread's arena has been initialized, but the debugged
thread's arena hasn't, default to the main arena when invoking
heap-related commands.
* Revert how cells are unpacked in vis_heap_chunks()
This corrects an error I introduced in 798bcb6, which resulted in
vis_heap_chunks() printing negative values on the heap with a minus sign
prepended.
* Add a --verbose flag to the heap() command
The -v or --verbose flag causes the heap() command to print every field
of every chunk it comes across, regardless of whether those fields are
in use.
* Remove unnecessary if statement from thread_cache()
Remove a check for whether the 'tcache' variable was 'None', when it
could never have been 'None'.
* Add alternate test for multiple threads
Some versions of GLIBC apparently don't have the __libc_multiple_threads
symbol. In these cases use GDB to determine whether there is more than
one active thread.
* Fixed alignment bug in vis_heap_chunks command
Used code from the "heap" command as a reference to fix this bug that sometimes causes "vis_heap_chunks" to print nothing due to an assumption that was being made in vis_heap_chunks (that the first chunk starts exactly on the heap region start). The specific target that I saw this bug behavior in was bcloud in https://github.com/ctfs/write-ups-2016/tree/master/bctf-2016/exploit/bcloud-200 (from a breakpoint before any heap exploit shenanigans, just legitimate mallocs). This patch fixes this behavior.
* Fixed additional bug in vis_heap_chunks
* Feature: show ghidra decompiled code in context
With the help of radare2, r2pipe and r2ghidra-dec
* Update FEATURES.md
* Include review comments
* Removed embarrassing auto added guards
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
* Fix inaccuracies in vis_heap_chunks()
Correct boundary calculation of chunks adjacent to a top chunk and
use a list of boundary addresses to do so, rather than a dictionary of
every quadword in each printed chunk. Ensure that at least 1 chunk is
printed even when a nonsensical value of 0 is passed as the count argument.
* Avoid out-of-bounds read in vis_heap_chunks()
While processing a corrupt heap or using the --naive option, the
vis_heap_chunks command could read out-of-bounds. Add a check to
avoid this scenario.
* Use chunk_flags instead of constants
To find out whether a chunk's prev_inuse bit is set, use chunk_flags() rather than ANDing with constants.ptmalloc.PREV_INUSE.
Co-Authored-By: Paweł Płatek <e2.8a.95@gmail.com>
* Use main_heap.size_sz
Use main_heap.size_sz in place of pwndbg.arch.ptrsize.
Co-Authored-By: Paweł Płatek <e2.8a.95@gmail.com>
* Replace a magic number with ptr_size
Co-Authored-By: Paweł Płatek <e2.8a.95@gmail.com>
* Calculate color_func variable in 1 line
Co-Authored-By: Paweł Płatek <e2.8a.95@gmail.com>
* Fix crash in get_heap_boundaries()
Don't assume that because an address was supplied to
get_heap_boundaries() that it resides on a legitimate heap. Sometimes a
user may want to print fake chunks elsewhere in memory.
Co-authored-by: Paweł Płatek <e2.8a.95@gmail.com>
The original code that searched for an arena's top chunk via the heuristic method of iterating through each chunk on a heap was written before the OnlyWithLibcDebugSyms decorator was added to all heap-related commands. This decorator makes the heuristic method unnecessary as the 'top' member of a heap's arena will always be accessible.
Remove the get_top_chunk_addr() function as it only uses the heuristic approach. Use symbols in top_chunk() and vis_heap_chunks() rather than heuristics. Use get_arena_for_chunk() in vis_heap_chunks() to find an arena; originally this used get_arena() with no arguments, which always returned the main arena. Fix get_arena_for_chunk(), which misidentified a chunk as a malloc_state struct rather than a malloc_chunk struct, and use read_chunk() rather than memory.poi(), which didn't account for the size/mchunk_size symbols used in different versions of GLIBC.
* Replace malloc initialization heuristics
Use the __libc_malloc_initialized symbol to determine whether malloc has been initialized rather than checking whether global_max_fast has been populated. This has the advantage of being compatible with older versions of GLIBC that don't have a global_max_fast symbol.
* Update pwndbg/heap/ptmalloc.py
Co-Authored-By: Paweł Płatek <e2.8a.95@gmail.com>
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
Co-authored-by: Paweł Płatek <e2.8a.95@gmail.com>
* Configure context output per section
* banner respects width of target output
* Fixed context output help
* ui.banner optionally force a width
* Allow python functions as context output
* Use is for StdOutput type comparison
Co-Authored-By: Disconnect3d <dominik.b.czarnota@gmail.com>
* Use list-function as initial value of default dict
Co-Authored-By: Disconnect3d <dominik.b.czarnota@gmail.com>
* Append final context linebreak only on stdout
* Documented context splitting feature
* Option to hide context section banners
* Option to set width per context section (currently only banner)
* Splitting screenshot
* Fixed empty lines when not clearing
* Fixed auto banner width (using stdin as before instead of stdout)
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
* command: support alternatives including sub command wrapper like pwn
Additionally speed up the checksec logic by removing the --version
check. Simply try to shell out and use the first working option variant
as we can't easily detect the different available alternatives in a
bulletproof way.
This implementation allows using the sub command wrapper 'pwn' to call
checksec in case pwntools has been installed using --only-use-pwn-command.
To unconditionally unify the usage, the function's cmd attribute stores
the base command to execute in the form of a list that can be used to
concatenate an array of options against it and pass the final list to
call_cmd.
* checksec: allow a third option variant by only passing the file target
Let's try a third available version of checksec as the lowest order
variant in our cascade that works by only passing the target file
without additional specifier.
* vmmap: add QEMU kernel support
This feature uses GDB's `monitor info mem` to fetch
memory pages for QEMU in kernel mode.
However, at least on QEMU 3.0.0 on `qemu-system-x86_64`
the `monitor info mem` command returns memory pages without the
`executable` permission bit, so for now we assume that all pages are executable.
The `monitor info mem` command works only in QEMU kernel mode;
in QEMU-user it prints:
```
(gdb) monitor info mem
Target does not support this command.
```
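As an added illustration (not pwndbg's own code), the parser below reads `monitor info mem` output in the assumed "start-end size perms" layout, where perms are the user/read/write flags; it checks the size against the range, marks every page executable because the executable bit is not reported, and recognises the QEMU-user "Target does not support this command." reply so a caller can fall back to another source. The sample output is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the assumed `monitor info mem` layout:
# "<start>-<end> <size> <perms>", perms = user ('u'|'-') read ('r') write ('w'|'-')
SAMPLE_INFO_MEM = """\
ffffffff81000000-ffffffff81a00000 0000000000a00000 -r-
ffffffff81a00000-ffffffff82000000 0000000000600000 -rw
00007ffff7dd0000-00007ffff7dd2000 0000000000002000 urw
"""

UNSUPPORTED = "Target does not support this command."
LINE_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) ([0-9a-f]+) ([u-][r-][w-])$")


@dataclass(frozen=True)
class Page:
    start: int
    end: int
    user: bool
    read: bool
    write: bool
    execute: bool  # QEMU does not report this bit, so it is assumed True


def parse_info_mem(text: str) -> Optional[List[Page]]:
    """Return the pages listed by `monitor info mem`, or None in QEMU-user mode."""
    if text.strip() == UNSUPPORTED:
        return None
    pages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unexpected info mem line: %r" % line)
        start, end, size = (int(m.group(i), 16) for i in (1, 2, 3))
        if end - start != size:
            raise ValueError("size does not match range: %r" % line)
        perm = m.group(4)
        pages.append(Page(start, end, perm[0] == "u", perm[1] == "r",
                          perm[2] == "w", execute=True))
    return pages


def perm_string(page: Page) -> str:
    """Render a page like vmmap does, e.g. 'r-x' (x always set, see above)."""
    return ("r" if page.read else "-") + ("w" if page.write else "-") + \
           ("x" if page.execute else "-")
```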
* Update vmmap command docs
* Use monitor_info_mem only on X86/X64
* monitor_info_mem: fix comment about executable perm
* Update vmmap help
Modern maintained checksec >2.0 requires using "--file=arg", which
we try to detect. The command call is cached anyway, so let's try
to find out what version is running.
In case we can't find a verbose variant, we just fall back to the
common old-fashioned "--file arg" variant as if nothing has happened.
Fixes #662
* Make size_t and ssize_t the correct sizes, and actually use them for inthook. Fix for #669 along with other issues.
* elif, pointer size support message
This commit adds support for xPSR to be used instead of cPSR on Cortex-M
ARMs. Prior to this commit, pwndbg would crash when attached to a
Cortex-M core. This commit adds a new internal arch "armcm" to describe
Cortex-M ARMs.
Closes #542, fixes the second issue in #264