Basic implementation of heap commands #36

Merged
merged 5 commits into from Jun 3, 2016

gsingh93
Member

Implemented commands for printing heap chunks and fast bins.

@@ -1,46 +1,127 @@
#!/usr/bin/env python
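Review bot: as the reviewer asks below, keep `#!/usr/bin/env python` and the `# -*- coding: utf-8 -*-` declaration as the first lines of this file; without the coding line, any non-ASCII byte in a comment or docstring is a SyntaxError under Python 2 (which defaults to ASCII source) while Python 3 accepts it, and that asymmetry is the Python 2/3 issue the review refers to.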
Contributor

Can you put the shebang and utf line back? It avoids Python2/3 issues in weird cases

Member Author

Oops. Will do.

zachriggle (Contributor) commented May 31, 2016

Revisiting structure creation:

Assuming that you can do this:

(gdb) p *(struct malloc_chunk*) 0xaddr

You can do the following:

import gdb
import pwndbg.arch
import pwndbg.regs
import pwndbg.typeinfo

addr = pwndbg.regs.pc  # for example; normally this would be a chunk address
gdb_type = pwndbg.typeinfo.load('struct malloc_chunk')
chunk = gdb.Value(addr).cast(gdb_type.pointer()).dereference()
for field in chunk.type.fields():
    # bitpos is in bits; integer-divide so the %x format also works on Python 3
    print("+%#04x %-15r %#x" % (field.bitpos // 8, field.name, int(chunk[field.name]) & pwndbg.arch.ptrmask))

I get the following (note that I'm using $pc instead of an actual heap entry, so the values are weird).

+0x00 'prev_size'     0x89485ed18949ed31
+0x08 'size'          0x4c5450f0e48348e2
+0x10 'fd'            0x8d4800010c88058d
+0x18 'bk'            0x3d8d4800010c110d
+0x20 'fd_nextsize'   0xfffaa5e8fffffe0a
+0x28 'bk_nextsize'   0x8d4800401f0ff4ff

You can see that this code is actually already implemented in the dt module:

pwndbg> dt 'struct malloc_chunk'
struct malloc_chunk
    +0x0000 prev_size            : size_t
    +0x0008 size                 : size_t
    +0x0010 fd                   : struct malloc_chunk *
    +0x0018 bk                   : struct malloc_chunk *
    +0x0020 fd_nextsize          : struct malloc_chunk *
    +0x0028 bk_nextsize          : struct malloc_chunk *
pwndbg> dt 'struct malloc_chunk' $pc
struct malloc_chunk @ 0x555555558e32
    +0x0000 prev_size            : -0x76b7a12e76b612cf
    +0x0008 size                 : 0x4c5450f0e48348e2
    +0x0010 fd                   : 0x8d4800010c88058d
    +0x0018 bk                   : 0x3d8d4800010c110d
    +0x0020 fd_nextsize          : 0xfffaa5e8fffffe0a
    +0x0028 bk_nextsize          : 0x8d4800401f0ff4ff

The dt module is also intended to do runtime compilation to create structure definitions for symbol-stripped, statically-linked binaries. However, this functionality is terribly broken since it relies on a blacklist of headers instead of a whitelist.

@@ -80,41 +87,59 @@ def bins(addr=None):
fastbins = main_arena['fastbinsY']
bins = main_arena['bins']

size_t_size = gdb.lookup_type('size_t').sizeof
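Review bot: `size_t_size = gdb.lookup_type('size_t').sizeof` in this hunk should use `pwndbg.typeinfo.size_t.sizeof`, as the review below suggests, since pwndbg already resolves and caches that type; and since the two fields being skipped (prev_size and size) are INTERNAL_SIZE_T, i.e. size_t, the width must stay size_t's rather than `pwndbg.typeinfo.pvoid.sizeof`, which would be wrong on any ABI where size_t and pointer widths differ.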
Contributor

pwndbg.typeinfo.size_t.sizeof

Contributor

Actually, they're not size_t, they're pvoid. This should use pwndbg.typeinfo.pvoid.sizeof

Contributor

And in before "they're the same", see x32 ABI with 4-byte pointers and 8-byte size_t 😛

Member Author

Where do you see a pointer being used? The two fields we're skipping are prev_size and size, which are both INTERNAL_SIZE_T which is just size_t.

Contributor

Ah, I see that we're skipping over the prev_size and size fields (size_t sized); I thought we were calculating an index into the fastbinsY array (pointer-sized).
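The field walk in zachriggle's comment above needs a live gdb session. What follows is an added example, not pwndbg's code and not from either participant, that models the same struct malloc_chunk header offline from a byte string, so the point settled in this exchange (prev_size and size are size_t sized, fd/bk and the nextsize links are pointer sized) can be checked without a debugger. It assumes the field order the dt output above shows, uses glibc's chunk2mem and fastbin_index definitions, and takes as constructed sample input the six words from the $pc dump in the comment; the "mixed-width" case is the reviewer's hypothetical of 4-byte pointers with 8-byte size_t, modelled rather than asserted for any particular ABI.

```python
import struct

# struct malloc_chunk in the field order the dt output in this thread shows:
# two INTERNAL_SIZE_T words, then four pointers.
HEADER_FIELDS = ("prev_size", "size")                     # size_t sized
LINK_FIELDS = ("fd", "bk", "fd_nextsize", "bk_nextsize")  # pointer sized


def chunk_layout(size_sz, ptr_sz):
    """Return [(offset, name, width)] for the given size_t and pointer widths.

    fd starts at 2 * size_sz, not 2 * ptr_sz: the two skipped fields are
    INTERNAL_SIZE_T, which is the conclusion the review thread reaches.
    """
    layout, off = [], 0
    for name in HEADER_FIELDS:
        layout.append((off, name, size_sz))
        off += size_sz
    for name in LINK_FIELDS:
        layout.append((off, name, ptr_sz))
        off += ptr_sz
    return layout


def parse_chunk(raw, size_sz=8, ptr_sz=8):
    """Decode a chunk header from little-endian bytes into {field: int}.

    Offline counterpart of the gdb.Value field loop in the comment: the
    pointer mask is applied to the link fields, as pwndbg.arch.ptrmask is
    there (gdb can hand back negative ints for pointer-typed values).
    """
    ptrmask = (1 << (8 * ptr_sz)) - 1
    values = {}
    for off, name, width in chunk_layout(size_sz, ptr_sz):
        v = int.from_bytes(raw[off:off + width], "little")
        values[name] = (v & ptrmask) if name in LINK_FIELDS else v
    return values


def chunk2mem(chunk_addr, size_sz=8):
    """glibc's chunk2mem(): the user pointer sits past prev_size and size."""
    return chunk_addr + 2 * size_sz


def fastbin_index(chunk_size, size_sz=8):
    """glibc's fastbin_index(): ((sz >> (SIZE_SZ == 8 ? 4 : 3)) - 2)."""
    return (chunk_size >> (4 if size_sz == 8 else 3)) - 2


def format_dump(values, size_sz=8, ptr_sz=8):
    """Render '+off name value' lines in the same format the comment prints."""
    return ["+%#04x %-15r %#x" % (off, name, values[name])
            for off, name, _ in chunk_layout(size_sz, ptr_sz)]


# Constructed sample input: the six 64-bit words from the $pc dump in the
# comment (code bytes, so not a sane chunk, but the layout is what matters).
SAMPLE_WORDS = [0x89485ed18949ed31, 0x4c5450f0e48348e2, 0x8d4800010c88058d,
                0x3d8d4800010c110d, 0xfffaa5e8fffffe0a, 0x8d4800401f0ff4ff]
SAMPLE_RAW = struct.pack("<6Q", *SAMPLE_WORDS)

if __name__ == "__main__":
    print("\n".join(format_dump(parse_chunk(SAMPLE_RAW))))
    # The same header under different width combinations: only fd's offset
    # (and everything after it) moves, and it tracks size_t, not the pointer.
    for label, (s, p) in [("size_t=8 ptr=8", (8, 8)),
                          ("size_t=4 ptr=4", (4, 4)),
                          ("size_t=8 ptr=4 (mixed-width hypothetical)", (8, 4))]:
        print(label, [(name, off) for off, name, _ in chunk_layout(s, p)])
        print("  chunk2mem(0x1000) =", hex(chunk2mem(0x1000, s)),
              " fastbin_index(min chunk) =", fastbin_index(4 * s, s))
```

Running it reproduces the six dump lines from the comment byte for byte, then prints the offset table for each width combination; the mixed-width row is where a `pvoid`-based skip would land fd at the wrong offset.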

gsingh93 (Member Author) commented Jun 3, 2016

Updated. Because the dynamic type parsing is broken, this is still broken when you don't have symbols. I think that's fine for now, since installing debugging symbols is trivial (at least on Ubuntu).

zachriggle (Contributor)

It turns out even with dynamic type generation, this doesn't work, since no headers define these types :-(

zachriggle (Contributor)

Though we could do the super ghetto stuff I used to do. Which would basically just be to include a copy of dlmalloc headers, and use those.

@zachriggle zachriggle merged commit 8a1ce82 into pwndbg:master Jun 3, 2016
@gsingh93 gsingh93 deleted the heap branch September 9, 2022 00:16