* feature: Add `killthreads` command (closes #1580)
This command allows the user to quickly kill multiple threads by
specifying their ids as arguments to this command. It also supports
the `--all` flag, which will kill every thread except the currently
selected one. This is useful for use with the `checkpoint` command.
The killing is done by calling `pthread_exit(0)`.
* fix: try fixing building test binaries by enabling -lpthread
* fix: remove error message check when calling pthread_exit
Removed the message check, because the error messages differ between
versions of GDB.
* fix: Improve UX of the killthreads command
Add an extended description of the command, some validation on the thread IDs
and suppress GDB output.
* fix: lint
* fix: put the multiline help text in the correct place
* tests: fix test failing due to a race condition when running in parallel to other tests
Replaced asserts with loops which wait for a condition to be met, so that the tests don't fail due to scheduling issues.
* tests: add more fixes for race conditions in test_killthreads
* fix: lint
* Update pwndbg/commands/killthreads.py
* tests: Wait for exactly three threads
---------
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
* Fixed a crash that caused formatting failure in readlink when qemu returns None as the pid.
* Formatted code
* Update pwndbg/arguments.py
* Assign a pid to prevent repetitive calls.
* Format it
* remove the warning
* add a comment about the scenario that PID is None in qemu
---------
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
* Add some basic heap heuristics support for riscv and powerpc
Use the relocation section to find the main_arena address if possible
* Refactor the code we used to get the field offset
* Fix linux_ppc(64)_syscall abi
The system call number is specified in r0.
There is a maximum of 6 integer parameters to a syscall, passed in r3-r8.
* Fix ppc syscall revert r9 back
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
* Remove r6/x6 from arm/aarch64 syscall
* Update pwndbg/lib/abi.py
---------
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
Now the installation process contains the following steps:
1. Check for any line with `source <gdbinit.py>` before installation
2. If any, ask the user if they want to proceed
3. After the installation, comment out old `source <gdbinit.py>` lines if any and add a new `source <gdbinit.py>` line.
A check for the presence of the line `set debuginfod enabled on` is also added to avoid appending it repeatedly.
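The three installation steps above, plus the debuginfod check, as an added example of an idempotent `.gdbinit` updater. This is not the project's installer code; the sourced path `/path/to/pwndbg/gdbinit.py` is a placeholder, the `confirm` callback stands in for the interactive prompt of step 2, and the function works on the file content as a string so it can be tested without touching the real `~/.gdbinit`.

```python
import re
from typing import Callable, List

# Placeholder for the path the installer would source (assumption, not from the page).
GDBINIT_SOURCE_LINE = "source /path/to/pwndbg/gdbinit.py"
DEBUGINFOD_LINE = "set debuginfod enabled on"

# An active (uncommented) "source .../gdbinit.py" line; commented-out copies
# start with "#" and therefore do not match, which keeps repeated runs idempotent.
_SOURCE_RE = re.compile(r"^\s*source\s+\S*gdbinit\.py\s*$")


def find_existing_source_lines(lines: List[str]) -> List[int]:
    """Step 1: indices of active `source <gdbinit.py>` lines already in the file."""
    return [i for i, line in enumerate(lines) if _SOURCE_RE.match(line)]


def update_gdbinit(content: str, source_line: str = GDBINIT_SOURCE_LINE) -> str:
    """Step 3: comment out old source lines, append the new one, and add the
    debuginfod setting only when no line already contains it."""
    lines = content.splitlines()
    for i in find_existing_source_lines(lines):
        lines[i] = "# " + lines[i]
    lines.append(source_line)
    if not any(line.strip() == DEBUGINFOD_LINE for line in lines):
        lines.append(DEBUGINFOD_LINE)
    return "\n".join(lines) + "\n"


def install(content: str, confirm: Callable[[List[str]], bool] = lambda _: True) -> str:
    """Steps 1-3 together: `confirm` receives the old source lines (step 2) and
    returns False to abort, in which case the content is returned unchanged."""
    lines = content.splitlines()
    old = [lines[i] for i in find_existing_source_lines(lines)]
    if old and not confirm(old):
        return content
    return update_gdbinit(content)


if __name__ == "__main__":
    # Constructed sample .gdbinit with a stale pwndbg line already present.
    sample = "source /old/pwndbg/gdbinit.py\nset debuginfod enabled on\n"
    print(install(sample, confirm=lambda old: True), end="")
```

Running `update_gdbinit` on its own output comments out the line it just added and appends a fresh one, while `set debuginfod enabled on` is never duplicated.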
* Add largebin reverse lookup tables
* Don't use None value for bin 95 size on i386
* Clarify "bin 95" comment
* Add comment to tables
* Immutable tables
* Make tables class attributes
I can confirm the search bug to happen on GDB 9.2, but not on GDB 10.2:
```
pwndbg> version
Gdb: 9.2
Python: 3.8.10 (default, Nov 14 2022, 12:59:47) [GCC 9.4.0]
Pwndbg: 1.1.1 build: a3f12bc
Capstone: 4.0.1024
Unicorn: 2.0.1
pwndbg> search "GNU C"
Searching for value: 'GNU C'
pwndbg> set remote search-memory-packet off
pwndbg> search "GNU C"
Searching for value: 'GNU C'
libc-2.31.so 0x7ffff7f85b80 0x694c204320554e47 ('GNU C Li')
libc-2.31.so 0x7ffff7f85c9e 'GNU CC version 9.3.0.\nlibc ABIs: UNIQUE IFUNC ABSOLUTE\nFor bug reporting instructions, please see:\n<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.\n'
```
* ai plugin
* ai plugin ready to ship
* ai plugin ready to use
* textwrap on the ai's answer
* linted ai.py
* relaxed openai version requirement
* added pandas to requirements
* removed dependency on openai module, using requests instead
* removed dependency on openai module, using requests instead
* incorporating suggestions on PR
* added types requests and bumped requests version up to the version i'm using here
* lowering version req on requests for ubuntu 18 compat
* removed some 'if True' kludges that i was using to debug things at one point
* better error handling
* more config parameters for ai
* fixed a few config issues
* fixed bug in gdb list command
* now uses chatgpt's gpt-3.5-turbo model, instead of text-davinci-003, and follows a conversational protocol instead of completion.
* ensuring backwards compatibility with older models, like text-davinci-003
* removed unneeded host and path vars
* Changing the arguments to vis_heap_chunks to be clearer
1. --native to --beyond_top
2. --display_all to --no_truncate
* Add print all chunks to vis_heap_chunks
* Preventing the use of the all_chunks argument together with the count argument in vis_heap_chunks
* Use linting for heap.py
* Fix test_vis_heap_chunks.py
According to cdd71a1d82 --display_all/-d moved to --no_truncate/-n
---------
Co-authored-by: Nerya Zadkani <nerya@tokagroup.com>
It seems this function is redundant. If you do:
```
gdbserver 0.0.0.0:1234 ./a.out
```
on a local machine and then do `gdb ./a.out --ex 'target remote :1234'`
the `_add_main_symbol_to_exe` will kick off and run its
`add-symbol-file` command to add the symbols from the binary. However,
the GDB already loaded the binary symbols and so we will do it for the
second time. As a result, we get something like this:
```
pwndbg> info symbol main
main in section .text of /pwndbg/bug/vaccine
main in section .text of /pwndbg/bug/vaccine
```
This function has been in Pwndbg since always and I am not sure why we
needed it. Perhaps an old GDB did not download the binary from the
remote target, but since now GDB does this automagically, this function
seems redundant.
Just for the sake of documenting it, here is how a symbol appears if you
connect to a remote target on a different machine without Pwndbg (the
GDB downloads the binary itself and loads its symbols):
```
(gdb) p main
$1 = {<text variable, no debug info>} 0x55555555466a <main>
(gdb) info symbol main
main in section .text of target:/home/dc/a.out
```
This commit adds a fix and tests for #1600 and #752.
* https://github.com/pwndbg/pwndbg/issues/1600
* https://github.com/pwndbg/pwndbg/issues/752
Generally, for an example like this:
```cpp
struct A {
    void foo(int, int) { };
};

int main() {
    A a;
    a.foo(1, 1);
}
```
The output for `info symbol <address of A::foo>` returns:
```
'A::foo(int, int) [clone.isra.0] + 3 in section .text of /root/pwndbg/tests/gdb-tests/tests/binaries/a.out\n'
```
We then used this code to parse this:
```py
# Expected format looks like this:
# main in section .text of /bin/bash
# main + 3 in section .text of /bin/bash
# system + 1 in section .text of /lib/x86_64-linux-gnu/libc.so.6
# No symbol matches system-1.
a, b, c, _ = result.split(maxsplit=3)
if b == "+":
    return "%s+%s" % (a, c)
if b == "in":
    return a
return ""
```
The `result.split(maxsplit=3)` here split the string to:
```py
['A::foo(int,',
'int)',
'[clone.isra.0] + 3 in section .text of /root/pwndbg/tests/gdb-tests/tests/binaries/a.out\n']
```
And since `b` was not `"+"` or `"in"` we eventually returned an empty
string instead of the `A::foo(int, int)` which would be expected here.
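An added example of a parser for the `info symbol` output that does not break on symbol names containing spaces. This is not the project's actual fix for #1600/#752: it anchors on the ` in section ` marker instead of splitting on whitespace, and the decision to strip the `[clone ...]` suffix from the symbol name is a choice made here. The sample lines are the ones quoted in the commit message above plus a constructed variant without an offset.

```python
import re
from typing import NamedTuple, Optional

# Shapes GDB prints, taken from the comments in the original parser:
#   <symbol> in section <sec> of <file>
#   <symbol> + <offset> in section <sec> of <file>
#   No symbol matches <expr>.
# The symbol may contain spaces, parentheses and a "[clone ...]" suffix, so the
# name is matched non-greedily up to the optional offset and " in section ".
_INFO_SYMBOL_RE = re.compile(
    r"^(?P<symbol>.+?)(?: \+ (?P<offset>\d+))? in section (?P<section>\S+) of (?P<file>.+)$"
)
# GCC clone suffixes such as "[clone.isra.0]" or "[clone .cold]" (stripped by choice here).
_CLONE_SUFFIX_RE = re.compile(r"\s*\[clone[^\]]*\]$")


class SymbolInfo(NamedTuple):
    symbol: str
    offset: int
    section: str
    file: str


def parse_info_symbol(result: str) -> Optional[SymbolInfo]:
    """Parse one `info symbol` result line; returns None for 'No symbol matches ...'."""
    m = _INFO_SYMBOL_RE.match(result.strip())
    if not m:
        return None
    symbol = _CLONE_SUFFIX_RE.sub("", m.group("symbol"))
    offset = int(m.group("offset")) if m.group("offset") is not None else 0
    return SymbolInfo(symbol, offset, m.group("section"), m.group("file"))


def symbol_string(result: str) -> str:
    """Same contract as the original snippet: 'name', 'name+off', or '' when unknown."""
    info = parse_info_symbol(result)
    if info is None:
        return ""
    if info.offset:
        return "%s+%d" % (info.symbol, info.offset)
    return info.symbol


if __name__ == "__main__":
    # The problematic line from the commit message (clone suffix and spaces in the name).
    line = (
        "A::foo(int, int) [clone.isra.0] + 3 in section .text of "
        "/root/pwndbg/tests/gdb-tests/tests/binaries/a.out\n"
    )
    print(symbol_string(line))
```

Because the offset group is optional and the symbol group is non-greedy, `main + 3 in section ...` still yields `main` with offset 3 rather than a symbol named `main + 3`; the `No symbol matches` line has no ` in section ` marker and falls through to the empty result, as in the original code.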
* Fix the bug when using LD_PRELOAD to load libc
The heap heuristics will try to find `libc.so.6` in the output of `info sharedlibrary`, but if we load libc with `LD_PRELOAD`, the filename of the libc might not be `libc.so.6`.
* Add test for `glibc.get_libc_filename_from_info_sharedlibrary`
In some cases, we might not need to download the file if we can find the file locally, and this can be determined by the return value of the gdb command/API.
For example, the path we get from `pwndbg.gdblib.proc.exe` differs depending on whether gdb has loaded the file or not:
If we have executed `file /path/to/exe` before connecting to gdbserver:
```pycon
In [1]: pwndbg.gdblib.proc.exe
Out[1]: '/path/to/exe'
```
The output doesn't have a "target:" prefix because gdb is able to find the file locally.
If we haven't executed `file /path/to/exe`, gdb can't find it locally and the output will be:
```pycon
In [1]: pwndbg.gdblib.proc.exe
Out[1]: 'target:/path/to/exe'
```
So if the "target:" prefix isn't present when using `pwndbg.gdblib.file.get_file(pwndbg.gdblib.proc.exe)`, we don't need to download the file.
(The behavior of file path also occurred in `info files` and `info sharedlibrary` commands output.)
This commit aims to prevent downloading the file when the "target:" prefix isn't present in the above cases.
* Refactor `pwndbg.glibc`
- Add type hints
- Use `info sharedlibrary` to find libc
- Update the regex of libc filename
- Rename `get_data_address()` to `get_data_section_address()`
* Add a function to dump libc ELF file's .data section
* Use the new methods to find `main_arena` and `mp_`
With ELF of libc, we can use the default value of `main_arena` and `mp_` to find their address
* Drop some unreliable methods for the heap heuristics
* Update the tests for the heap heuristics
* Show `main_arena` address in the `arenas` command output
* Make the heap heuristics support statically linked targets
* Drop some deprecated TLS functions and refactor the command
- Drop some deprecated TLS functions for the deprecated heap heuristics
- Don't call `pthread_self()` in the `tls` command without `-p` option
- Show the page of TLS in the `tls` command output
* Update the hint for the heap heuristics for multi-threaded targets
* Fix the wrong usage of the exception
* Fix the outdated description
* Return the default global_max_fast when we cannot find the address
* Enhance the output of `arena` and `mp`
- Show the address of the arena we print in the output of `arena` command if we didn't specify the address by ourselves.
- Avoid the bug that `arena` command might get an error if thread_arena isn't allocated yet.
- Show the address of `mp_` in the output of the `mp` command
* Remove wrong hint
* Support using brute-force to find the address of main_arena
If the user allows, brute-force the left and right sides of the TLS address to find the closest possible value to the TLS address.
* Refactor the code about thread_arena and add the new brute-force strategy
In the .got section, brute-force search for possible TLS-reference values to find possible thread_arena locations
* Add tests for thread_arena and global_max_fast
- Check if we can get default global_max_fast
- Check if we can use brute-force to find thread_arena
* Update the output of `arenas`
* Add the test for the `tls` command
Add two tests for the `tls` command:
```
test_tls_address_and_command[x86-64] PASSED
test_tls_address_and_command[i386] PASSED
```
* Update and refactor the heuristics for `thread_arena` and `tcache`
- We provide an option for users to brute force `tcache` like what we did for `thread_arena`
- Cache `thread_arena` even when we are single-threaded
- Refactor the code for `thread_arena`, to make it work for `tcache` as well
- Update the tests for `tcache`
- Remove some redundant hints
* Fix the wrong cache mechanism
Cache the address of the arena instead of the instance of `Arena`, because `Arena` will cache the value of the field, resulting in getting the old value the next time the same property is used
* Update the description of some configs about heap heuristics
* Handling the case when tcache is NULL
* Handling the case when thread_arena is NULL
* Fix a bug that occurred when the TLS address could not be found
* Fix #1550
* Show tid only if no address is specified
* Update pwndbg/commands/__init__.py
* Update pwndbg/commands/heap.py
* Update pwndbg/commands/heap.py
* Update pwndbg/commands/heap.py
* Update pwndbg/commands/heap.py
* Update pwndbg/commands/heap.py
* Update pwndbg/commands/heap.py
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
* Fix lint
* Move some code into `pwndbg.gdblib.elf`
---------
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>