
Merge dev to beta #506

Merged
merged 121 commits into from Jul 29, 2018

@disconnect3d
Member

disconnect3d commented Jul 29, 2018

No description provided.

disconnect3d and others added some commits Jul 25, 2017

Fixes `u` command `module object is not callable` (#311)
```
pwndbg> u 0x404030
'u': Starting at the specified address, disassemble
    N instructions (default 5).
Traceback (most recent call last):
  File "/home/dc/installed/pwndbg/pwndbg/commands/__init__.py", line 99, in __call__
    return self.function(*args, **kwargs)
  File "/home/dc/installed/pwndbg/pwndbg/commands/__init__.py", line 191, in _OnlyWhenRunning
    return function(*a, **kw)
  File "/home/dc/installed/pwndbg/pwndbg/commands/windbg.py", line 292, in u
    pwndbg.commands.nearpc(where, n)
TypeError: 'module' object is not callable
```
refactored wrapper (#280)
* added command got to display status of the got table

Signed-off-by: degrigis <degrigis@gmail.com>

* return when checksec is not available and added decorator OnlyWhenRunning

Signed-off-by: degrigis <degrigis@gmail.com>

* removed duplicated code for pie and not pie binaries

Signed-off-by: degrigis <degrigis@gmail.com>

* inserted support function to get checksec output and performed all requirements check initially

Signed-off-by: degrigis <degrigis@gmail.com>

* corrected typo

Signed-off-by: degrigis <degrigis@gmail.com>

* reorganized the command got splitting the code in library routines and moved the checksec internal function in a separate module

Signed-off-by: degrigis <degrigis@gmail.com>

* handled exception directly inside functions and enhanced code

Signed-off-by: degrigis <degrigis@gmail.com>

* extracted only column in readelf output and enhanced exception handling

Signed-off-by: degrigis <degrigis@gmail.com>

* fix exception handling returning subprocess error

Signed-off-by: degrigis <degrigis@gmail.com>

* removed unused import and reordered

Signed-off-by: degrigis <degrigis@gmail.com>

* reordered imports

Signed-off-by: degrigis <degrigis@gmail.com>

* added wrappers module and refactored some code

Signed-off-by: degrigis <degrigis@gmail.com>

* removed not useful comment

Signed-off-by: degrigis <degrigis@gmail.com>

* removed unused import

Signed-off-by: degrigis <degrigis@gmail.com>

* moved comments in docstring

Signed-off-by: degrigis <degrigis@gmail.com>

* refactored code to use partial functions, simplified code

Signed-off-by: degrigis <degrigis@gmail.com>

* simplified a loc

Signed-off-by: degrigis <degrigis@gmail.com>

* capslock char fixed

Signed-off-by: degrigis <degrigis@gmail.com>

* removed unuseful pwndbg.arch.ptrsize check

Signed-off-by: degrigis <degrigis@gmail.com>

* refactored code and added the new module wrapper that contains every new wrapper module

Signed-off-by: degrigis <degrigis@gmail.com>

* used class style decorator for wrapper and improved code style

Signed-off-by: degrigis <degrigis@gmail.com>

* changed return with print for errors

Signed-off-by: degrigis <degrigis@gmail.com>

* removed prints debug and statically linked check moved at the top of the got function

Signed-off-by: degrigis <degrigis@gmail.com>

* refactored OnlyWithCommand decorator

Signed-off-by: degrigis <degrigis@gmail.com>

* wrappers are OnlyWithFile now

Signed-off-by: degrigis <degrigis@gmail.com>

* redirected stderr to stdout in subprocess.check_output and memoized the wrappers for readelf/file/checksec

Signed-off-by: degrigis <degrigis@gmail.com>

* reordered an import

Signed-off-by: degrigis <degrigis@gmail.com>

* removed pdb

Signed-off-by: degrigis <degrigis@gmail.com>

* fixed format string and removed desc from got command

Signed-off-by: degrigis <degrigis@gmail.com>

* consolidated decorators

Signed-off-by: degrigis <degrigis@gmail.com>

* merging

Signed-off-by: degrigis <degrigis@gmail.com>

* reordered import for travis

Signed-off-by: degrigis <degrigis@gmail.com>

* refactored some code

Signed-off-by: degrigis <degrigis@gmail.com>

* resolve travis complaints

Signed-off-by: degrigis <degrigis@gmail.com>

* docstring for _extract_jumps

Signed-off-by: degrigis <degrigis@gmail.com>

* fixed isort

Signed-off-by: degrigis <degrigis@gmail.com>

* f*** isort

Signed-off-by: degrigis <degrigis@gmail.com>
Enhance canary command
Canary command:
* Displays telescope result of places where canaries are located
* Moved to its own file (`pwndbg/commands/canary.py`)
* Moved to `ArgparsedCommand` (as discussed in #244)
update for ida_script.py to handle ida 7.0 (#308)
* fix for ida 7.0

* using idaapi.save_database instead, change version cmp from == to >=
Fix the current year (#319)
This triggered me
checksec: cache output of command (#317)
* checksec: cache output of command

* checksec: use get_raw_out() for derived functions
cp fixes from stable: malloc chunk names, remote target search bug (#323)

* Fix malloc chunk names (#318)

* heap: respect rename of malloc_chunk fields

newer glibc uses different names for the fields of malloc_chunk

* move value_from_type to typeinfo and rename to read_gdbvalue

* add comment about renaming of `[prev_]size`

* Workaround for gdb remote target search bug described in #321 (#322)
Move vmmap to ArgparsedCommand; add sloppy_gdb_parse (#285)
* Migrate vmmap command to ArgparsedCommand

* vmmap command: better msg for no mappings

* WIP: vmmap

* Review fixes

* isort fix
Dumpargs add --force to show all possible register arguments (#326)
* Added --all flag to dumpargs command

This gives the possibility to dump all register arguments even
if we failed to resolve arguments from metadata.

* Display info when dumpargs not resolved call args

* Dumpargs: changed --all to --force

* Revert telescope changes as it fails when we are not on call instruction.

* Fix isort
Fix IDA Pro decompiled code not being displayed (#328)
* Fix withHexrays decorator not returning wrapper function

* IDA xmlrpc: add cfuncptr_t marshaller & better errors

* IDA xmlrpc server: add shutdown() which can be used for dev

* Small refactor of context.py

* Fix context Hexrays decompiled code display
Fix hard error when something else (not IDA) listens on IDA's port (#330)

* Fix hard error when something else (not IDA) listens on IDA's port

The default IDA port is 8888 and it can happen that some other program (such as
a jupyter notebook) is listening on that address. This made pwndbg unusable,
because it would crash trying to connect to IDA.

* add timeout to ida connect
Fix exception if there is an indirect jump (#329)
This is a simple typo, but the error message that GDB gave was interesting:

Previously, if you stopped on an instruction that does an indirect jump, like
this:

```
jmp [ecx*4 + 0xdeadbeef]
```

then pwndbg would raise the following exception:

```
gdb.error: evaluation of this expression requires the program to have a function "malloc".
```

The reason is that the code used `memory_sz` and passed that to gdb.Value, thus
creating a string value. When casting the string to a pointer later, GDB tries
to allocate a string in the inferior which failed since malloc is not available.

The fix is, of course, to use the correct function (`memory`) that returns an
int and not a string.
Fix Python<=2.7.6 "TypeError: Struct() argument 1 must be string, not unicode" (#336)

* Fix Python<=2.7.6 "TypeError: Struct() argument 1 must be string, not unicode"

Additional information is available here: http://python-future.org/stdlib_incompatibilities.html#struct-pack

* Completely remove libheap, as it is not ever referenced
Removed duplicate requirement (#339)
2 Lines stated "capstone"
Add nextproginstr command (#360)
* Add nextproginstr command

* Fix isort

* Update next.py

* Update next.py

* Update next.py
Merge stable to dev (#365)
* Fixes `u` command `module object is not callable` (#310)

```
pwndbg> u 0x404030
'u': Starting at the specified address, disassemble
    N instructions (default 5).
Traceback (most recent call last):
  File "/home/dc/installed/pwndbg/pwndbg/commands/__init__.py", line 99, in __call__
    return self.function(*args, **kwargs)
  File "/home/dc/installed/pwndbg/pwndbg/commands/__init__.py", line 191, in _OnlyWhenRunning
    return function(*a, **kw)
  File "/home/dc/installed/pwndbg/pwndbg/commands/windbg.py", line 292, in u
    pwndbg.commands.nearpc(where, n)
TypeError: 'module' object is not callable
```

* Fix malloc chunk names (#318)

* heap: respect rename of malloc_chunk fields

newer glibc uses different names for the fields of malloc_chunk

* move value_from_type to typeinfo and rename to read_gdbvalue

* add comment about renaming of `[prev_]size`

* Workaround for gdb remote target search bug described in #321 (#322)

* Fixes issue when we try to display context while selected thread is running #299 (#331)

* Fix tag_release (#348)

* Fix "dt" offsets which are sometimes floating-point (#355)

* Fixes #362 - broken entry command (#363)
fix ds and da for gdb 7.11 (#364)
* fix ds and da for gdb 7.11

* add max argument to da and ds
Support bare metal environment (#369)
* Add elf.find_elf_magic() and remove duplicate code

* Add pwndbg.abi.LinuxOnly decorator

* Support bare metal environment

Use @pwndbg.abi.LinuxOnly and pwndbg.abi.linux to disable
several util functions which search the memory to find
the AUXV, the ELF header, or the page bound.
Add xinfo command for extended offset information (#376)
This commit adds a `xinfo` command that calculates the offset of a
specified address to other interesting locations within the address
space:

* In the most general case, simply the offset of the pointer into the
current mapping is displayed.
* If the address specified is a stack address, the offsets to the top and
the bottom of the stack, as well as to the current stack pointer,
frame pointer and stack canary are displayed.
* If the address points into a memory mapped file, the command
additionally shows the offset to the beginning of the file in memory and
on disk.
More badges in README
Add "Python 2&3" and "freenode: #pwndbg" badges created with https://shields.io/

Matir and others added some commits May 27, 2018

Command for calculating PIE offsets (#474)
* PIE command

* Kill compat in piebase command

* Improve piebase command

* Improve piebase command exe name introspection

* No longer rely on executable segment for piebase
Fixes wrong pc/ip display in context introduced in 9fd5d35 (#477)
Before this PR we could get wrong RIP (like off by one) when single stepping through the code:

```
[...]

 RIP  0x555555559850 ◂— xor    ebp, ebp
───────────────────────[ DISASM ]──────────────────────
   0x555555559850    xor    ebp, ebp
 ► 0x555555559852    mov    r9, rdx <0x7ffff7de59a0>

[...]

pwndbg> i r rip
rip            0x555555559852	0x555555559852
```

The patch fixes the issue by reassigning GDB stop signal handler to getting register values.
Fixes 476 - segfault handling when using rr project (#478)
* Fixes #476 - segfault handling when using rr project

* Fix isort
Fix and enhance xinfo command (#480)
* Instead of unstable parsing of readelf output, use the elftools ELF wrapper for parsing PT_LOAD segments

* Fix #434 xinfo command doesn't show File(Disk) info on non-PIE binaries

Also remove some trailing whitespace

Also fix another bug in xinfo; now it can show the disk offset of all
mmap files, not just the primary executable

* New xinfo feature: Print containing ELF sections for file-backed addresses

* Only print header for ELF sections if at least 1 section contains the address

* Fix bug in section offset calculation when printing containing ELF sections

* Refactor ELF file parsing helpers for cleaner separation of ELF metadata parsing and enrichment, and a specific use scenario (getting a list of segments/sections containing a given virtual addr). Also makes implementing caching parse results easier

Adjust xinfo command to these API changes

* Fix bug: Reference mem_end instead of file_end

* Don't use underscore variable names; change decorator to reset_on_objfile

* Update xinfo.py
ptmalloc multiple heaps per non-main arena support, related fixes (#479)
* Multiple ptmalloc enhancements:

* Adds support for multiple heaps per arena for the `arenas` command.

* Names every heap objfile to enable proper coloring in vmmap - fixes 451.

* Refactors the `heap` command to address issue 443.

* Adds comment for HEAP_MAX_SIZE

* Refactors Arena and HeapInfo into classes

* Adds additional comment
Objfile event dispatching fix (#486)
* Fixes objfile caching bug.

* Disables vmmap exploration when the target isn't alive.
@Segflow

Contributor

Segflow commented on dfb69bd Jun 22, 2018

This code path is the reason for the bug discussed in #485

Actually with no argument the function is modifying gdb vmmap in a wrong way.

```
$ gdb -q -ex 'set exception-verbose on' -ex 'entry' -ex "vmmap" -ex "pi pwndbg.heap.current.get_region()"  -ex "vmmap" -ex "quit" /bin/ls
pwndbg: loaded 172 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from /bin/ls...(no debugging symbols found)...done.

Temporary breakpoint 1 at 0x4049a0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Temporary breakpoint 1, 0x00000000004049a0 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
          0x400000           0x41e000 r-xp    1e000 0      /bin/ls
          0x61d000           0x61e000 r--p     1000 1d000  /bin/ls
          0x61e000           0x61f000 rw-p     1000 1e000  /bin/ls
          0x61f000           0x641000 rw-p    22000 0      [heap]
...

LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
          0x400000           0x41e000 r-xp    1e000 0      /bin/ls
          0x61d000           0x61e000 r--p     1000 1d000  /bin/ls
          0x61e000           0x61f000 rw-p     1000 1e000  /bin/ls
          0x620000           0x642000 rw-p    22000 0      [heap]
    ....
```

Check how calling it changed the vmmap of heap.

This is mainly because pwndbg.vmmap.get() returns a reference and not a copy.

Contributor Author

andigena replied Jun 22, 2018

The problem is that with ASLR disabled, the actual heap and the vm region named [heap] are not in sync.

```
tukan@farm:~/t$ gdb -ex 'aslr off'  -ex 'entry' /bin/ls
...
ASLR is OFF
Temporary breakpoint 1 at 0x4049a0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Temporary breakpoint 1, 0x00000000004049a0 in ?? ()
...
Breakpoint *0x4049a0
pwndbg> info proc mappings 
process 16678
Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x400000           0x41e000    0x1e000        0x0 /bin/ls
            0x61d000           0x61e000     0x1000    0x1d000 /bin/ls
            0x61e000           0x61f000     0x1000    0x1e000 /bin/ls
            0x61f000           0x641000    0x22000        0x0 [heap]
...
pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
          0x400000           0x41e000 r-xp    1e000 0      /bin/ls
          0x61d000           0x61e000 r--p     1000 1d000  /bin/ls
          0x61e000           0x61f000 rw-p     1000 1e000  /bin/ls
          0x61f000           0x641000 rw-p    22000 0      [heap]
...

pwndbg> mp
{
  trim_threshold = 131072, 
  top_pad = 131072, 
  mmap_threshold = 131072, 
  arena_test = 8, 
  arena_max = 0, 
  n_mmaps = 0, 
  n_mmaps_max = 65536, 
  max_n_mmaps = 0, 
  no_dyn_threshold = 0, 
  mmapped_mem = 0, 
  max_mmapped_mem = 0, 
  max_total_mem = 0, 
  sbrk_base = 0x620000 ""
}
pwndbg> tel 0x620000
00:0000│   0x620000 ◂— 0x0
01:0008│   0x620008 ◂— 0x21001
02:0010│   0x620010 ◂— 0xfbad240c
03:0018│   0x620018 ◂— 0x0
... ↓
pwndbg> heap
0x620000 PREV_INUSE {
  prev_size = 0, 
  size = 135169, 
  fd = 0xfbad240c, 
  bk = 0x0, 
  fd_nextsize = 0x0, 
  bk_nextsize = 0x0
}
prev: 620000, next: 641000
Exception occured: malloc_chunk: Cannot access memory at address 0x641000 (<class 'gdb.MemoryError'>)
For more info invoke `set exception-verbose on` and rerun the command
'heap': Prints out chunks starting from the address specified by `addr`.
Exception occured: heap: 'NoneType' object is not subscriptable (<class 'TypeError'>)
For more info invoke `set exception-verbose on` and rerun the command
pwndbg> tel 0x61f000
00:0000│   0x61f000 ◂— 0x0
... ↓
```

Notice that mp_.sbrk_base is 0x620000. It is set in the glibc malloc implementation from the return value of the very first sbrk call and is used as the first address in the heap but the actual mapping starts from 0x61f000. When we set the page vaddr in get_region to sbrk_base, the memsz is preserved, so the heap is believed to be 0x1000 bytes larger than in reality, which causes the memory access error when that unmapped address is reached.

I agree that we shouldn't modify the actual Page object in get_region but return a new Page object that is adjusted properly (vaddr from sbrk_base, size appropriately decreased). This doesn't seem to be an issue with ASLR enabled.

```
tukan@farm:~/t$ gdb -ex 'aslr on'  -ex 'entry' /bin/ls
...
ASLR is ON
...
 ► f 0           4049a0
Breakpoint *0x4049a0
pwndbg> heap
0x1bbd000 PREV_INUSE {
  prev_size = 0, 
  size = 135169, 
  fd = 0xfbad240c, 
  bk = 0x0, 
  fd_nextsize = 0x0, 
  bk_nextsize = 0x0
}
prev: 1BBD000, next: 1BDE000
pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
          0x400000           0x41e000 r-xp    1e000 0      /bin/ls
          0x61d000           0x61e000 r--p     1000 1d000  /bin/ls
          0x61e000           0x61f000 rw-p     1000 1e000  /bin/ls
          0x61f000           0x620000 rw-p     1000 0      
         0x1bbd000          0x1bde000 rw-p    21000 0      [heap]
...
pwndbg> info proc mappings
process 17070
Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x400000           0x41e000    0x1e000        0x0 /bin/ls
            0x61d000           0x61e000     0x1000    0x1d000 /bin/ls
            0x61e000           0x61f000     0x1000    0x1e000 /bin/ls
            0x61f000           0x620000     0x1000        0x0 
           0x1bbd000          0x1bde000    0x21000        0x0 [heap]
...
pwndbg> mp
{
  trim_threshold = 131072, 
  top_pad = 131072, 
  mmap_threshold = 131072, 
  arena_test = 8, 
  arena_max = 0, 
  n_mmaps = 0, 
  n_mmaps_max = 65536, 
  max_n_mmaps = 0, 
  no_dyn_threshold = 0, 
  mmapped_mem = 0, 
  max_mmapped_mem = 0, 
  max_total_mem = 0, 
  sbrk_base = 0x1bbd000 ""
}
pwndbg> 
```

I'll only be able to do this on Monday, though.

anthraxx and others added some commits Jul 1, 2018

Heap: allocator initialization check & global_max_fast bug fix (#485)
* Bug fix: global_max_fast symbol contains the actual value not the address

* heap: return from find_fake_fast if allocator is not initialized

* Bug fix: address method should return the symbol address if it's an integral symbol

* Revert commit c35152d

* add OnlyWhenHeapIsInitialized decorator

* Update heap.py
Refactors heap.get_region, adds special case for get_heap_boundaries. (#489)

Occasionally, the [heap] vm region and the actual start of the heap are
different, e.g. [heap] starts at 0x61f000 but mp_.sbrk_base is 0x620000.
Return an adjusted Page object if this is the case. Also changes the
callers of these functions where appropriate.
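The adjusted-Page approach this commit describes, and the in-place mutation Segflow and andigena discuss above, as an added Python illustration (not pwndbg's own code). `Page`, `sample_vmmap()` and `SBRK_BASE` are stand-ins constructed from the ASLR-off session quoted in the thread ([heap] mapped at 0x61f000-0x641000, mp_.sbrk_base 0x620000); `get_region_buggy` reproduces the shared-reference bug and `get_region_fixed` returns a trimmed copy instead, so a chunk walk stops at the real mapping end.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class Page:
    """Stand-in for a pwndbg memory page (assumption: the real class has more fields)."""
    vaddr: int
    memsz: int
    flags: str
    offset: int
    objfile: str

    @property
    def end(self) -> int:
        return self.vaddr + self.memsz

    def contains(self, addr: int) -> bool:
        return self.vaddr <= addr < self.end


SBRK_BASE = 0x620000  # mp_.sbrk_base from the quoted `mp` output (ASLR off)


def sample_vmmap() -> List[Page]:
    """Fresh copy of the ASLR-off mapping quoted above; constructed sample data."""
    return [
        Page(0x400000, 0x1e000, "r-xp", 0x0, "/bin/ls"),
        Page(0x61d000, 0x1000, "r--p", 0x1d000, "/bin/ls"),
        Page(0x61e000, 0x1000, "rw-p", 0x1e000, "/bin/ls"),
        Page(0x61f000, 0x22000, "rw-p", 0x0, "[heap]"),
    ]


def heap_page(vmmap: List[Page]) -> Optional[Page]:
    """The page GDB labels [heap], or None when the target has no brk heap."""
    return next((p for p in vmmap if p.objfile == "[heap]"), None)


def get_region_buggy(vmmap: List[Page], sbrk_base: int) -> Page:
    """Reproduces the bug: the shared Page is edited in place.

    vmmap.get() hands out references, so the whole vmmap now shows the heap
    starting at sbrk_base, while memsz is untouched and the region end moves
    0x1000 past the real mapping end (the MemoryError at 0x641000 above).
    """
    page = heap_page(vmmap)
    page.vaddr = sbrk_base  # mutation leaks into the cached vmmap
    return page


def get_region_fixed(vmmap: List[Page], sbrk_base: int) -> Page:
    """Return a new Page covering [sbrk_base, mapping end); vmmap is left alone.

    When sbrk_base equals the mapping start (the ASLR-on session above) the
    original page is returned unchanged.
    """
    page = heap_page(vmmap)
    if page is None:
        raise ValueError("target has no [heap] mapping")
    if sbrk_base == page.vaddr:
        return page
    if not page.contains(sbrk_base):
        raise ValueError(f"sbrk_base {sbrk_base:#x} lies outside the [heap] mapping")
    skipped = sbrk_base - page.vaddr
    return replace(page, vaddr=sbrk_base, memsz=page.memsz - skipped)


def region_is_backed(region: Page, pristine: List[Page]) -> bool:
    """True when the region's first and last byte both fall inside real mappings."""
    return all(any(p.contains(a) for p in pristine) for a in (region.vaddr, region.end - 1))


def compare() -> dict:
    """Run both variants on fresh vmmaps and report what a chunk walk would see."""
    pristine = sample_vmmap()
    buggy_vm, fixed_vm = sample_vmmap(), sample_vmmap()
    buggy = get_region_buggy(buggy_vm, SBRK_BASE)
    fixed = get_region_fixed(fixed_vm, SBRK_BASE)
    return {
        "buggy_end": buggy.end,                                # 0x642000: one page too far
        "buggy_backed": region_is_backed(buggy, pristine),     # False: last byte unmapped
        "buggy_vmmap_heap_start": heap_page(buggy_vm).vaddr,   # vmmap itself was changed
        "fixed_start": fixed.vaddr,
        "fixed_end": fixed.end,                                # 0x641000: real mapping end
        "fixed_backed": region_is_backed(fixed, pristine),     # True
        "fixed_vmmap_heap_start": heap_page(fixed_vm).vaddr,   # still 0x61f000
    }


if __name__ == "__main__":
    for key, value in compare().items():
        shown = f"{value:#x}" if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key:>24}: {shown}")
```

The `region_is_backed` check against a pristine copy is what shows the difference: with the mutated page the vmmap agrees with the region, so only an untouched mapping list reveals that the last 0x1000 bytes were never mapped.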
Leak offset probing tool (#492)
* PIE command

* Kill compat in piebase command

* Improve piebase command

* Improve piebase command exe name introspection

* No longer rely on executable segment for piebase

* Leak probing tool

* Fix description for probeleak

* Update probeleak.py

Changed `%x` to `0x%x` in edge case scenario print/reporting.

* Reorder imports

* Improve probeleak printing
add vis_heap_chunks (#496)
* add vis_heap_chunks

* Add top_chunk suffix only when needed

* use ArgparsedCommand and pwndbg.arch.unpack + better formatting

* Minor improvements, fix isort
Run each test in a separate GDB session (#498)
* it would be cool to have tests that run within GDB so that we don't have to parse GDB output and deal with weird problems
* we can't run all tests in one GDB session as `file x; entry; <some pwndbg command>; file y; entry; <some pwndbg command>;` may have different results - it seems either us or GDB fails to cleanup everything properly
Fix nearpc following jumps when used w/o emulation (#499)
* Tests launcher: show passed and failed count

* Build nearpc, emulate, u, pdisass test binaries

* Add tests for emulate, nearpc, pdisass, u

* Refactored disasm and emulator

* Fix nearpc following jumps w/o emulation

* Prevent tests from calling start_binary twice

* Add test for emulate_disasm_loop

* Fix isort

* Add nasm to travis install

* Add --eval-command quit to tests invocation

This should prevent travis from staying in gdb/stalled build when something fails in weird way (like a file is missing)
```
[+] Building 'emulate_disasm.o'
make: nasm: Command not found
make: *** [emulate_disasm.o] Error 127
gdbinit.py: No such file or directory.
pytests_collect.py: No such file or directory.
No output has been received in the last 10m0s, this potentially indicates a stalled build or something wrong with the build itself.
Check the details on how to adjust your build configuration on: https://docs.travis-ci.com/user/common-build-problems/#Build-times-out-because-no-output-was-received
```

* Add test binaries
Inform about `exception-debugger` on exceptions (#501)
Instead of hiding this feature just for devs who read our dev guide or just know that this exists, let's make pwndbg development great again and show this command to the world!
Fixes piebase and breakrva on remote debugging (#500)
Three things here:

1. This fixes `piebase` and `breakrva` commands - a bug with remote targets mentioned in #488 (comment).

2. It also adds a check whether the result address is still in the memory pages belonging to the given module. This works now as:

```
pwndbg> breakrva main
Offset 0x555555554601 rebased to module /home/dc/pwndbg_bug/a.out as 0xaaaaaaaa8601 is beyond module's memory pages:
    0x555555554000     0x555555555000 r-xp     1000 0      /home/dc/pwndbg_bug/a.out
    0x555555754000     0x555555755000 r--p     1000 0      /home/dc/pwndbg_bug/a.out
    0x555555755000     0x555555756000 rw-p     1000 1000   /home/dc/pwndbg_bug/a.out
```

3. It gives a better output for `piebase`:
```
pwndbg> piebase 1
Calculated VA from /home/dc/pwndbg_bug/a.out = 0x555555554001
```

---

To reproduce the fixed bug, launch any binary on a gdbserver:

```
gdbserver 127.0.0.1:4444 ./a.out
```

Then start a debugging session:

```
gdb -q -ex 'target remote 127.0.0.1:4444' ./a.out
```

and fire e.g. `breakrva 123`.

---

Below you can see the bug case and explanation why it occurred:

```
pwndbg> breakrva 1
There are no mappings for specified address or module.
'breakrva': Break at RVA from PIE base.
Traceback (most recent call last):
  File "/home/dc/pwndbg/pwndbg/commands/__init__.py", line 109, in __call__
    return self.function(*args, **kwargs)
  File "/home/dc/pwndbg/pwndbg/commands/__init__.py", line 200, in _OnlyWhenRunning
    return function(*a, **kw)
  File "/home/dc/pwndbg/pwndbg/commands/pie.py", line 61, in breakrva
    spec = "*%#x" % (addr)
TypeError: %x format: an integer is required, not NoneType
```

So what is the issue here?

1. We have the same logic in both `piebase` and `breakrva` - if the user doesn't specify the second argument - a module name - we retrieve it with `get_exe_name`:

```python
def breakrva(offset=None, module=None):
    offset = int(offset)
    if not module:
        module = get_exe_name()

    addr = translate_addr(offset, module)
    spec = "*%#x" % (addr)

    # [ ... - some more code, not important here ]
```

2. The `get_exe_name` returns just `pwndbg.auxv.get().get('AT_EXECFN', pwndbg.proc.exe)`. The difference is important here. In the case shown above the `pwndbg.auxv.get()['AT_EXECFN']` returns `./a.out` while `pwndbg.proc.exe` returns the full path: `/home/dc/pwndbg_bug/a.out`.
3. This `module` is then passed to `translate_addr` as can be seen on the code above.
4. The `translate_addr` tries to retrieve memory page (`Page` instance) which belongs to the module:
```python
def translate_addr(offset, module):
    mod_filter = lambda page: module in page.objfile
    pages = list(filter(mod_filter, pwndbg.vmmap.get()))

    if not pages:
        print('There are no mappings for specified address or module.')
        return

    # [ ... - some more code, not important here ]
```
5. The `translate_addr` returns `None` because the `page.objfile` for e.g. binary objfile returns its full path as can be seen below:
```
(Pdb) pwndbg.vmmap.get()[0].objfile
'/home/dc/pwndbg_bug/a.out'
```

6. Because we returned `None`, the `spec = "*%#x" % (addr)` string formatting for breakrva or `print(hex(addr))` for piebase fails.
Fixes piebase and breakrva on remote debugging (#502)
Fixes the issue caught by ecx86 in:
#500 (comment)

The commands broke when we debugged a remote target which was
hosted on a remote gdbserver (NOT a local one).

This is because we used `pwndbg.proc.exe` (changed in previous commit)
which is a local path to the binary which was then used to filter out
memory pages belonging to the binary.

To fix the issue, the AUXV's AT_EXECFN is used first which was used
before previous commit but the returned path is now normalized
(as in previous version it didn't work because if it returned path './a.out'
it couldn't match it with binary's Page.objfile which was e.g. '/blabla/a.out').
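A Python illustration of the module-matching problem described in this and the previous commit message (added here; not pwndbg's own code). `Page`, the vmmap, the auxv entry and the local path are constructed from the values quoted above, and normalising AT_EXECFN with `os.path.normpath` is an assumption about how the fix works, not a description of pwndbg's helper. It reproduces the `None` from matching the raw `./a.out` against the full objfile path, shows the normalised lookup succeeding, and applies the "beyond module's memory pages" check so `breakrva` returns `None` instead of formatting `None` into a breakpoint spec.

```python
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Page:
    """Stand-in for a pwndbg memory page (assumption: the real class has more fields)."""
    vaddr: int
    memsz: int
    flags: str
    offset: int
    objfile: str

    @property
    def end(self) -> int:
        return self.vaddr + self.memsz

    def contains(self, addr: int) -> bool:
        return self.vaddr <= addr < self.end


# Constructed from the vmmap lines in the `breakrva main` output above.
VMMAP: List[Page] = [
    Page(0x555555554000, 0x1000, "r-xp", 0x0, "/home/dc/pwndbg_bug/a.out"),
    Page(0x555555754000, 0x1000, "r--p", 0x0, "/home/dc/pwndbg_bug/a.out"),
    Page(0x555555755000, 0x1000, "rw-p", 0x1000, "/home/dc/pwndbg_bug/a.out"),
]
AUXV: Dict[str, str] = {"AT_EXECFN": "./a.out"}  # what the (remote) target reports
PROC_EXE = "/home/dc/pwndbg_bug/a.out"           # GDB's local path; useless for a remote gdbserver


def get_exe_name_raw(auxv: Dict[str, str] = AUXV, proc_exe: str = PROC_EXE) -> str:
    """Pre-#500 behaviour: AT_EXECFN as-is, which is './a.out' here."""
    return auxv.get("AT_EXECFN", proc_exe)


def get_exe_name_normalized(auxv: Dict[str, str] = AUXV, proc_exe: str = PROC_EXE) -> str:
    """AT_EXECFN first (it is the target's own view), then normalised.

    Assumption: os.path.normpath is used for the normalisation; it turns
    './a.out' into 'a.out', which the substring filter below can match.
    """
    return os.path.normpath(auxv.get("AT_EXECFN", proc_exe))


def module_pages(module: str, vmmap: List[Page]) -> List[Page]:
    """Same substring filter as the translate_addr shown in the commit message."""
    return [p for p in vmmap if module in p.objfile]


def translate_addr(offset: int, module: str, vmmap: List[Page] = VMMAP) -> Optional[int]:
    """Rebase `offset` onto the module's lowest mapping; None if that fails."""
    pages = module_pages(module, vmmap)
    if not pages:
        print("There are no mappings for specified address or module.")
        return None
    addr = min(p.vaddr for p in pages) + offset
    # The check #500 added: an already-absolute "offset" rebases past the module.
    if not any(p.contains(addr) for p in pages):
        print(f"Offset {offset:#x} rebased to module {module} as {addr:#x} "
              "is beyond module's memory pages")
        return None
    return addr


def breakrva_spec(offset: int, module: Optional[str] = None, vmmap: List[Page] = VMMAP,
                  exe_name: Callable[[], str] = get_exe_name_normalized) -> Optional[str]:
    """GDB breakpoint spec for an RVA, or None instead of formatting None (the old TypeError)."""
    if not module:
        module = exe_name()
    addr = translate_addr(int(offset), module, vmmap)
    if addr is None:
        return None
    return "*%#x" % addr


if __name__ == "__main__":
    print("raw AT_EXECFN:", breakrva_spec(0x601, exe_name=get_exe_name_raw))  # None
    print("normalised:   ", breakrva_spec(0x601))                             # *0x555555554601
    print("absolute addr:", breakrva_spec(0x555555554601))                    # None
```

Swapping `exe_name` between the raw and normalised lookups is the whole difference between the failing and working cases; the containment check is independent of it and catches the doubled address from passing an absolute VA as the offset.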
Merge branch 'dev' into beta
* dev: (120 commits)
  Bump version (#505)
  Fixes piebase and breakrva on remote debugging (#502)
  Fixes piebase and breakrva on remote debugging (#500)
  Inform about `exception-debugger` on exceptions (#501)
  Fix nearpc following jumps when used w/o emulation (#499)
  Run each test in a separate GDB session (#498)
  add vis_heap_chunks (#496)
  Fixes #488: wrong regs display on threaded targets (#495)
  Fix isort (#493)
  Leak offset probing tool (#492)
  Refactors heap.get_region, adds special case for get_heap_boundaries. (#489)
  Heap: allocator initialization check & global_max_fast bug fix (#485)
  isort: fix import order to make travis pass (#490)
  Resets the objfile cache to the proper type on exit. (#487)
  Objfile event dispatching fix (#486)
  ptmalloc multiple heaps per non-main arena support, related fixes (#479)
  Fix and enhance xinfo command (#480)
  bug fix: tcache bin (#482)
  Fixes 476 - segfault handling when using rr project (#478)
  Fixes wrong pc/ip display in context introduced in 9fd5d35 (#477)
  ...

@disconnect3d disconnect3d merged commit 63820d2 into pwndbg:beta Jul 29, 2018


@disconnect3d disconnect3d deleted the disconnect3d:beta branch Jul 29, 2018

disconnect3d added a commit to disconnect3d/pwndbg that referenced this pull request Jul 29, 2018

Merge branch 'beta' into stable
* beta:
  Merge dev to beta (pwndbg#506)
  Better exception msg (pwndbg#300)
  handle window resize event and set width accordingly (pwndbg#291)
  Remove pwndbg/linkmap.py and malloc.py (pwndbg#303)
  Fix got command (pwndbg#306)
  Fire isort so travis won't complain (pwndbg#302)
  extend next_call to take optional symbol/target to break on (pwndbg#290)
  got command: possibility to filter results (pwndbg#284)
  ROPGadget: return when not installed (pwndbg#283)
  Fix parsed commands (pwndbg#282)
  added command 'got' to display status of the GOT table (pwndbg#256)
  Clean up some unnecessary closures in pwndbg.commands (pwndbg#278)
  Fix missing exception in pwndbg/exception.py (pwndbg#277)
  Fix input issue after screen resize: pagination off (pwndbg#276)
  Simplify command exception debugging and make stdio work correctly (pwndbg#251)
  Add Command.repeat property for repeated commands (pwndbg#272)
  support for multiple arenas (pwndbg#262)
  Fix Python2 long types and inthook (pwndbg#250)
  fixed GDB remote get command (pwndbg#241)
  Add CONTRIBUTING and ISSUE_TEMPLATE (pwndbg#238)

disconnect3d added a commit that referenced this pull request Jul 29, 2018

Merge branch 'beta' into dev
* beta:
  Merge dev to beta (#506)
  Fixes #362 - broken entry command (#363)
  Fix "dt" offsets which are sometimes floating-point (#355)
  Fix tag_release (#348)
  Fixes issue when we try to display context while selected thread is running #299 (#331)
  Workaround for gdb remote target search bug described in #321 (#322)
  Fix malloc chunk names (#318)
  Fixes `u` command `module object is not callable` (#310)