Heap features from libheap

[zachriggle]

Whatever they're doing: https://github.com/cloudburst/libheap

[gsingh93]

Not sure what we need to have feature parity with libheap. All the useful stuff I've needed is in #36, and there are a bunch of little helper functions in libheap that I've never used and don't think are worth implementing.

[zachriggle]

Is this still necessary? We implemented a bunch of stuff for ptmalloc.

Pinging @cloudburst and @blendin to discuss.

[cloudburst]

This could probably be closed (and I would close #4, it provides the same functionality as pwndbg plus there is also python object tracking/memory usage stats (it knows about CPython PyObject etc)).

There are a few main differences as I see it to the pwndbg approach.

1. it relies on pwndbg.typeinfo.load for all of the symbols. This is clean and way more portable. I reimplemented all of the structs in python for my library because I wanted to be able to pass raw memory around python objects without having to rely on glibc symbols. I used to support guessing all of the offsets without glibc symbols but they have changed mp_ and other structs a bit lately, this would be good to add to pwndbg but it's a bit of work.
2. I implemented all of the glibc helper macros because these are really useful when tracing heap flow. Specifically if you just overwrite the heap with AAAAAAA, you can still parse it using the macros and applying python classes to them. This is currently missing from pwndbg I think (based on malloc chunk printing also being broken currently on overflow)?
3. I would like to at some point add radare2 support which just isn't a goal of pwndbg so that's part of my design too.

TLDR: I think any remaining libheap features are probably not goals of pwndbg and this could be closed.

[cloudburst]

I think pwndbg currently has:

• parse glibc symbols
• unsortedbin
• fastbins
• smallbins
• largebins
• print malloc_chunks
• wrap glibc helper macros/functions (declined for pwndbg)
• parse heap without symbols (dt without symbols, kind of related to 'dt' feature compiler issues #6 )
• parse heap without chunk metadata (debug a heap overflow)

Maybe other stuff, I have not looked too much.

GEF ( #178 ) added some logic parsing around checking all of the malloc_chunk headers to detect UAF.

angelheap has some functionality similar to pwndbg's unicorn emulation which traces what the heap will do on next free(). I used to have this in libheap but I took it out as this kind of thing breaks every single glibc since they are always moving the structures and malloc()/free() functions around. So I think it's more effort to support than it's worth.

[zachriggle]

Regarding bullet 2, how does that work? All of glibc's heap metadata is inline.

[cloudburst]

Just storing the heap state in a snapshot/trace somewhere else and diffing the heap against that. Shadow saves the state to pyrsistence. I used to take traces from Core's HeapDraw (which halvar rewrote now) and import those into my python classes (which is why I didn't go the typeinfo.load route).

[blendin]

I've been working on a new heap window for bullet 2 (much like our stack window) that has a view of the current heap and all broken free-lists.

I thought about implementing bullet point 1, but we wouldn't be able to use pwndbg.typeinfo

[gsingh93]

We can now parse the heap without symbols. I think that was the last remaining thing keeping this open. If not, let's make new issues for the specific missing functionality.