* Added install to apt line: fixed bug mentioned by @martinclauss in #748 that might be needed for Ubuntu <20.04.
* Added git to apt-get, which is needed for a docker run -it ubuntu
This commit fixes the issue described in #749.
During disasm output, we enhance the display to show additional information of the instructions.
When a future instruction executes a branch instruction (jmp/call), we fetch the next instruction based on the jmp/call target, as long as we can calculate it statically.
If we can calculate it statically, we will then display the target of the jmp/call as the next instruction, as e.g. in here:
```
> 0x5555555545fe <main+4> jmp main+4 <0x5555555545fe>
v
> 0x5555555545fe <main+4> jmp main+4 <0x5555555545fe>
```
The issue is that we mark both instructions as "current", highlighting both of them, making it a bit ambiguous "where we are".
While this view is _kinda valid_ as the PC is really the same, we want to mark/highlight only the first instruction we are on, as it is the one that is being executed right now and the program might go some other path in the future.
This commit fixes this display by simply making it so that the `nearpc` function/command used to display disasm shows the marker only once, for the first time it shows the current PC instruction.
This should fix #726. I am not 100% sure if this is a complete fix, but let's see if it breaks for a few days and if not, we can make a last release with py2 support.
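As an added illustration (not pwndbg's own `nearpc` code), the following minimal listing walker follows a jmp/call target when it can be computed statically, and emits the `>` marker only the first time the current PC is shown. The instruction table is constructed and mirrors the self-loop from the message above; symbol names and addresses are made up for the example.

```python
# Added example, not pwndbg code: a tiny nearpc-style listing that follows
# statically resolvable branches and marks the current PC exactly once.
import re

# Constructed sample listing: address -> (symbol, mnemonic, operand).
# Instruction lengths are implied by the sorted address order.
SAMPLE_CODE = {
    0x5555555545fa: ("main+0", "push", "rbp"),
    0x5555555545fb: ("main+1", "mov", "rbp, rsp"),
    0x5555555545fe: ("main+4", "jmp", "0x5555555545fe"),  # jumps to itself
    0x555555554600: ("main+6", "jmp", "rax"),             # target unknown statically
    0x555555554602: ("main+8", "ret", ""),
}

BRANCHES = {"jmp", "call"}
HEX_TARGET = re.compile(r"^0x[0-9a-fA-F]+$")


def static_target(mnemonic, operand):
    """Return the branch target if it is an immediate address, else None."""
    if mnemonic in BRANCHES and HEX_TARGET.match(operand):
        return int(operand, 16)
    return None  # register or memory operand: only known at run time


def next_address(code, addr):
    """Sequential successor of addr in the listing (None at the end)."""
    addrs = sorted(code)
    idx = addrs.index(addr)
    return addrs[idx + 1] if idx + 1 < len(addrs) else None


def nearpc(code, pc, count=4):
    """Render up to `count` instructions starting at pc, following static branches."""
    lines = []
    addr = pc
    marked = False  # the fix: the ">" marker is printed only once
    for _ in range(count):
        if addr not in code:
            break
        sym, mnemonic, operand = code[addr]
        marker = ">" if (addr == pc and not marked) else " "
        if addr == pc:
            marked = True
        lines.append(f"{marker} {addr:#x} <{sym}> {mnemonic} {operand}".rstrip())
        target = static_target(mnemonic, operand)
        if target is not None:
            lines.append("  v")  # control flow continues at the target
            addr = target
        else:
            addr = next_address(code, addr)
            if addr is None:
                break
    return lines


if __name__ == "__main__":
    print("\n".join(nearpc(SAMPLE_CODE, 0x5555555545fe, count=3)))
```

Running it on the self-loop produces the same instruction three times, but only the first line carries the marker; starting at `main+0` instead shows the fall-through path and stops following when the `jmp rax` target cannot be resolved.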
* Update heap implementation
* Heap commands default to using the debugged thread's arena, rather
than the main arena.
* Tcache commands are behind an OnlyWithTcache decorator.
* The "heap" & "top_chunk" commands only print relevant information
about chunks they encounter.
* Integrate _fetch_tcache_addr() into thread_cache().
* Move some code from get_region() into get_heap_boundaries().
* Rename some variables for clarity.
* Argparse descriptions are single-line so they don't get truncated.
* Some PEP8 changes such as whitespace & docstring width.
* Catch initialized heap but no thread arena case
When the main thread's arena has been initialized, but the debugged
thread's arena hasn't, default to the main arena when invoking
heap-related commands.
* Revert how cells are unpacked in vis_heap_chunks()
This corrects an error I introduced in 798bcb6, which resulted in
vis_heap_chunks() printing negative values on the heap with a minus sign
prepended.
* Add a --verbose flag to the heap() command
The -v or --verbose flag causes the heap() command to print every field
of every chunk it comes across, regardless of whether those fields are
in use.
* Remove unnecessary if statement from thread_cache()
Remove a check for whether the 'tcache' variable was 'None', when it
could never have been 'None'.
* Add alternate test for multiple threads
Some versions of GLIBC apparently don't have the __libc_multiple_threads
symbol. In these cases use GDB to determine whether there is more than
one active thread.
* Fixed alignment bug in vis_heap_chunks command
Used code from the "heap" command as a reference to fix this bug that sometimes causes "vis_heap_chunks" to print nothing due to an assumption that was being made in vis_heap_chunks (that the first chunk starts exactly on the heap region start). The specific target that I saw this bug behavior in was bcloud in https://github.com/ctfs/write-ups-2016/tree/master/bctf-2016/exploit/bcloud-200 (from a breakpoint before any heap exploit shenanigans, just legitimate mallocs). This patch fixes this behavior.
* Fixed additional bug in vis_heap_chunks
* Feature: show ghidra decompiled code in context
With the help of radare2, r2pipe and r2ghidra-dec
* Update FEATURES.md
* Include review comments
* Removed embarrassing auto added guards
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
* Fix inaccuracies in vis_heap_chunks()
Correct boundary calculation of chunks adjacent to a top chunk and
use a list of boundary addresses to do so, rather than a dictionary of
every quadword in each printed chunk. Ensure that at least 1 chunk is
printed even when a non-sensical value of 0 is passed as the count argument.
* Avoid out-of-bounds read in vis_heap_chunks()
While processing a corrupt heap or using the --naive option, the
vis_heap_chunks command could read out-of-bounds. Add a check to
avoid this scenario.
* Use chunk_flags instead of constants
To find out whether a chunk's prev_inuse bit is set, use chunk_flags() rather than ANDing with constants.ptmalloc.PREV_INUSE.
Co-Authored-By: Paweł Płatek <e2.8a.95@gmail.com>
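The commits above describe several defensive details of walking a ptmalloc heap: the first chunk need not sit exactly at the region start, a walk must never read past the region, a zero count still shows one chunk, and the size-field flag bits should be split out by one helper instead of ANDing a constant at each call site. The following is an added example (not pwndbg's `vis_heap_chunks` or `chunk_flags` implementation) that walks `malloc_chunk` headers in a constructed x86-64 memory snapshot with those rules; the heap base address and chunk layout are made up.

```python
# Added example, not pwndbg code: a bounded walk over glibc malloc_chunk
# headers in a raw memory snapshot, with the defensive behaviour described
# in the vis_heap_chunks commit messages.
import struct

SIZE_SZ = 8  # sizeof(size_t) on x86-64 glibc (pwndbg exposes this as size_sz)
MIN_CHUNK = 2 * SIZE_SZ
PREV_INUSE, IS_MMAPPED, NON_MAIN_ARENA = 0x1, 0x2, 0x4
SIZE_BITS = PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA


def chunk_flags(size_field):
    """Split a raw size field into (chunk size, flag bits)."""
    return size_field & ~SIZE_BITS, size_field & SIZE_BITS


def read_chunk(mem, base, addr):
    """Return (prev_size, size_field) at addr, or None if the header is out of bounds."""
    off = addr - base
    if off < 0 or off + MIN_CHUNK > len(mem):
        return None
    return struct.unpack_from("<QQ", mem, off)


def walk_chunks(mem, base, first_chunk, count):
    """Return [(addr, size, prev_inuse)] for up to max(count, 1) in-bounds chunks."""
    count = max(count, 1)  # a nonsensical count of 0 still yields one chunk
    chunks = []
    addr = first_chunk
    while len(chunks) < count:
        header = read_chunk(mem, base, addr)
        if header is None:
            break  # never read past the region end
        _, size_field = header
        size, flags = chunk_flags(size_field)
        chunks.append((addr, size, bool(flags & PREV_INUSE)))
        # A corrupt or truncated size would send the walk out of bounds: stop here.
        if size < MIN_CHUNK or size % MIN_CHUNK or addr + size > base + len(mem):
            break
        addr += size
    return chunks


def build_sample_heap(corrupt=False):
    """Constructed 0x200-byte heap region whose first chunk starts at offset 0x10."""
    mem = bytearray(0x200)
    layout = [(0x10, 0x20 | PREV_INUSE),
              (0x30, 0x30 | PREV_INUSE),
              (0x60, 0x40),               # previous chunk is free
              (0xa0, 0x160 | PREV_INUSE)] # top chunk, runs to the region end
    if corrupt:
        layout[2] = (0x60, 0x1000 | PREV_INUSE)  # size points past the region
    for off, size_field in layout:
        struct.pack_into("<Q", mem, off + SIZE_SZ, size_field)
    struct.pack_into("<Q", mem, 0x60, 0x30)  # prev_size of the chunk after the free one
    return bytes(mem)


BASE = 0x555555559000  # constructed heap base

if __name__ == "__main__":
    for addr, size, prev_inuse in walk_chunks(build_sample_heap(), BASE, BASE + 0x10, 10):
        print(f"{addr:#x} size={size:#x} prev_inuse={prev_inuse}")
```

On the clean snapshot the walk reports four chunks and stops when the top chunk reaches the region end; on the corrupted snapshot it reports the chunk with the bogus size and stops instead of dereferencing beyond the buffer.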
* Use main_heap.size_sz
Use main_heap.size_sz in place of pwndbg.arch.ptrsize.
Co-Authored-By: Paweł Płatek <e2.8a.95@gmail.com>
* Replace a magic number with ptr_size
Co-Authored-By: Paweł Płatek <e2.8a.95@gmail.com>
* Calculate color_func variable in 1 line
Co-Authored-By: Paweł Płatek <e2.8a.95@gmail.com>
* Fix crash in get_heap_boundaries()
Don't assume that because an address was supplied to
get_heap_boundaries() that it resides on a legitimate heap. Sometimes a
user may want to print fake chunks elsewhere in memory.
Co-authored-by: Paweł Płatek <e2.8a.95@gmail.com>
The original code that searched for an arena's top chunk via the heuristic method of iterating through each chunk on a heap was written before the OnlyWithLibcDebugSyms decorator was added to all heap-related commands. This decorator makes the heuristic method unnecessary as the 'top' member of a heap's arena will always be accessible.
Remove the get_top_chunk_addr() function as it only uses the heuristic approach. Use symbols in top_chunk() and vis_heap_chunks() rather than heuristics. Use get_arena_for_chunk() in vis_heap_chunks() to find an arena, originally this used get_arena() with no arguments which always returned the main arena. Fix get_arena_for_chunk(), which misidentified a chunk as a malloc_state struct rather than a malloc_chunk struct, and use read_chunk() rather than memory.poi() which didn't account for the size/mchunk_size symbols used in different versions of GLIBC.
* Replace malloc initialization heuristics
Use the __libc_malloc_initialized symbol to determine whether malloc has been initialized rather than checking whether global_max_fast has been populated. This has the advantage of being compatible with older versions of GLIBC that don't have a global_max_fast symbol.
* Update pwndbg/heap/ptmalloc.py
Co-Authored-By: Paweł Płatek <e2.8a.95@gmail.com>
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
Co-authored-by: Paweł Płatek <e2.8a.95@gmail.com>
* Configure context output per section
* banner respects width of target output
* Fixed context output help
* ui.banner optionally force a width
* Allow python functions as context output
* Use is for StdOutput type comparison
Co-Authored-By: Disconnect3d <dominik.b.czarnota@gmail.com>
* Use list-function as initial value of default dict
Co-Authored-By: Disconnect3d <dominik.b.czarnota@gmail.com>
* Append final context linebreak only on stdout
* Documented context splitting feature
* Option to hide context section banners
* Option to set width per context section (currently only banner)
* Splitting screenshot
* Fixed empty lines when not clearing
* Fixed auto banner width (using stdin as before instead of stdout)
Co-authored-by: Disconnect3d <dominik.b.czarnota@gmail.com>
* command: support alternatives including sub command wrapper like pwn
Additionally speed up the checksec logic by removing the --version
check. Simply try to shell out and use the first working option variant
as we can't easily detect the different available alternatives in a
bulletproof way.
This implementation allows using the sub command wrapper 'pwn' to call
checksec in case pwntools has been installed using --only-use-pwn-command.
To unconditionally unify the usage, the function's cmd attribute stores
the base command to execute in the form of a list that can be used to
concatenate an array of options against it and pass the final list to
call_cmd.
* checksec: allow a third option variant by only passing the file target
Let's try a third available version of checksec as the lowest order
variant in our cascade that works by only passing the target file
without additional specifier.
* vmmap: add QEMU kernel support
This feature uses GDB's `monitor info mem` to fetch
memory pages for QEMU in kernel mode.
However, at least on QEMU 3.0.0 on `qemu-system-x86_64`
the `monitor info mem` command returns memory pages without the
`executable` permission bit, so for now we assume that all pages are executable.
The `monitor info mem` works only in QEMU kernel mode
and in QEMU-user it does:
```
(gdb) monitor info mem
Target does not support this command.
```
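As an added example (not pwndbg's `vmmap` code), the parser below turns `monitor info mem` output into page ranges. It assumes the x86 system-emulation line format `<start>-<end> <size> <u|-><r><w|->` that QEMU's monitor prints; the sample lines are constructed, not captured from a target. Since the listing has no execute bit, every page is treated as executable, which is exactly the caveat in the commit message, and the QEMU-user error line is skipped rather than parsed.

```python
# Added example, not pwndbg code: parse QEMU's "monitor info mem" (x86 system
# mode) into page records, treating every page as executable because the
# listing carries no execute permission bit.
import re
from dataclasses import dataclass
from typing import List, Optional

INFO_MEM_LINE = re.compile(
    r"^(?P<start>[0-9a-fA-F]+)-(?P<end>[0-9a-fA-F]+)\s+"
    r"(?P<size>[0-9a-fA-F]+)\s+(?P<perm>[u-]r[w-])\s*$"
)

# Constructed sample output in the assumed format (not real captured output).
SAMPLE_INFO_MEM = """\
ffffffff81000000-ffffffff81a00000 0000000000a00000 -r-
ffffffff81a00000-ffffffff82000000 0000000000600000 -rw
00007ffff7dd0000-00007ffff7dd1000 0000000000001000 urw
"""

QEMU_USER_REPLY = "Target does not support this command.\n"


@dataclass
class Page:
    start: int
    end: int
    user: bool
    read: bool
    write: bool
    execute: bool

    def __contains__(self, addr):
        return self.start <= addr < self.end


def parse_info_mem(text: str) -> List[Page]:
    """Parse info-mem lines; unrecognised lines (errors, headers) are ignored."""
    pages = []
    for line in text.splitlines():
        m = INFO_MEM_LINE.match(line.strip())
        if not m:
            continue
        start, end, size = (int(m[k], 16) for k in ("start", "end", "size"))
        if end - start != size:
            raise ValueError(f"size field disagrees with range: {line!r}")
        perm = m["perm"]
        pages.append(Page(
            start=start,
            end=end,
            user=perm[0] == "u",
            read=True,            # the 'r' column is always present
            write=perm[2] == "w",
            execute=True,         # assumption: info mem exposes no NX bit
        ))
    return pages


def find_page(pages: List[Page], addr: int) -> Optional[Page]:
    """vmmap-style lookup of the page containing addr."""
    for page in pages:
        if addr in page:
            return page
    return None


if __name__ == "__main__":
    for p in parse_info_mem(SAMPLE_INFO_MEM):
        flags = ("u" if p.user else "-") + "r" + ("w" if p.write else "-") + ("x" if p.execute else "-")
        print(f"{p.start:#018x}-{p.end:#018x} {flags}")
```

A size field that disagrees with the range is rejected rather than silently trusted, so a mangled monitor reply cannot produce a page table that disagrees with itself.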
* Update vmmap command docs
* Use monitor_info_mem only on X86/X64
* monitor_info_mem: fix comment about executable perm
* Update vmmap help
Modern maintained checksec >2.0 requires using "--file=arg" which
we try to detect. The command call is cached anyway so let's try
to find out what version is running.
In case we can't find a verbose variant, we just fall back to the
common old-fashioned "--file arg" variant as if nothing has happened.
Fixes #662
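The two checksec commits above (the `pwn` sub-command wrapper with its cascade of option variants, and the `--file=arg` versus `--file arg` detection) describe one mechanism: try each invocation in order, keep the first that works, and cache it rather than probing `--version`. The following is an added example of that pattern (not pwndbg's `call_cmd`/checksec code); the variant list, including the `pwn checksec` wrapper form, is an assumption about what the installed tools accept.

```python
# Added example, not pwndbg code: pick the first working invocation of an
# external tool from an ordered cascade of argv variants and cache the result
# per target, instead of trying to detect the tool's version up front.
import functools
import subprocess
from typing import List, Optional, Sequence, Tuple

# Ordered cascade of assumed checksec invocations; "{file}" is replaced by the
# target path. Newer checksec wants --file=ARG, older ones --file ARG, some
# accept the bare path, and pwntools may only expose "pwn checksec".
CHECKSEC_VARIANTS: List[List[str]] = [
    ["checksec", "--file={file}"],
    ["checksec", "--file", "{file}"],
    ["checksec", "{file}"],
    ["pwn", "checksec", "--file={file}"],
]


def render(variant: Sequence[str], path: str) -> List[str]:
    """Substitute the target path into one argv template."""
    return [part.format(file=path) for part in variant]


def run_first_working(variants: Sequence[Sequence[str]], path: str,
                      timeout: float = 30.0) -> Optional[Tuple[List[str], str]]:
    """Run each variant in order; return (argv, stdout) of the first that exits 0.

    A missing binary, a permission problem or a hang is treated the same as a
    non-zero exit: move on to the next variant. Returns None if nothing works.
    """
    for variant in variants:
        argv = render(variant, path)
        try:
            proc = subprocess.run(argv, capture_output=True, text=True,
                                  timeout=timeout, check=False)
        except (FileNotFoundError, PermissionError, subprocess.TimeoutExpired):
            continue
        if proc.returncode == 0:
            return argv, proc.stdout
    return None


@functools.lru_cache(maxsize=None)
def checksec(path: str) -> Optional[Tuple[List[str], str]]:
    """Cached per path: the cascade runs at most once per target file."""
    return run_first_working(CHECKSEC_VARIANTS, path)


if __name__ == "__main__":
    import sys
    result = checksec(sys.argv[1] if len(sys.argv) > 1 else sys.executable)
    print("no working checksec variant found" if result is None else result[1])
```

Because `checksec()` is memoised, the whole cascade costs at most one probe per distinct path, and a later call for the same file returns the cached output without shelling out again.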