Improved heap exploration

[Grazfather]

• heap next or heap chunk next (and prev)
  • Basically will follow FD/BK for freed chunks. For in-use chunks heap next should instead add size
    • Should we distinguish between moving between free blocks and inuse blocks?
  • Needs to maintain a 'last viewed chunk'. Should be wiped out when the process is restarted, or at least when a new binary is loaded.
• Make chunk viewing look more like a C structure.
  • Could we leverage the dt command?

[hugsy]

Can also mix features with :

• https://github.com/Mipu94/peda-heap
• https://github.com/scwuaptx/Pwngdb

Already a lot of overlap / primitives are there in GEF.

[iromise]

Curious about this Enhanced Feature still on the way?

[Grazfather]

Some ideas: https://github.com/scwuaptx/Pwngdb/tree/master/angelheap

[iromise]

so we just use the repo you mention？

[Grazfather]

You could use that for now, it would be interesting to improve it. I haven't tried it.

[iromise]

ok, thanks.

[hugsy]

Before BlackHat I firmly intended to integrate those projects directly, only to find that their approach is (just like PEDA) very NOT Pythonic (massive use of gdb.execute(), using regexp for parsing etc.) So it had to be done in a cleaner/more efficient way to be able to work transparently on all GDB releases and on all archs GEF supports, which required to much work at that time.

FWIW gef already implements many of the commands from those tools, and the rest will probably come when I have a chance^Htime to re-work on the heap again.

Otherwise, feel free to implement it in as an external script if you want , we do love Pull Requests 😄

[hugsy]

Commit e750c8d introduces a new subcommand heap set-arena that allows to set a custom address for the main_arena. This useful when libc6-dbg is not installed.

Commit f1f47f8 enumerates all chunks via a new subcommand heap chunks. It also accepts an argument which is the base address of the first chunk to enumerate:

gef➤  heap chunks 0x0000555555775000                                     
Chunk(addr=0x555555775010, size=0x250, flags=PREV_INUSE)                                                                                                                                          
Chunk(addr=0x555555775260, size=0x230, flags=PREV_INUSE)   
Chunk(addr=0x555555775490, size=0x80, flags=PREV_INUSE)    
Chunk(addr=0x555555775510, size=0x410, flags=PREV_INUSE)   
Chunk(addr=0x555555775920, size=0x206f0, flags=PREV_INUSE)  ←  top chunk

After documenting and adding unit tests for those, I will close this ticket unless you have more (specific) ideas of new features to implement. GEF now includes more heap related functionalities than angelheap (plus they are all portable).

Cheers