Pwnning is an art.
HeapInspect is designed to make heap much more prettier.
Now this tool is a plugin of nadbg. Try it!
- Free of gdb and other requirement
- Multi glibc support
- 2.19, 2.23-2.27 (currently tested)
- both 32bit and 64bit
- Nice UI to show heap
HeapShower(detailed)PrettyPrinter(colorful, summary)
- Heapdiff (working)
- Corruption detect & exploit analysis (working)
- Also support gdb
- Python2 & Python3 compatible
A quick use of this tool.
You can also use it as a gdb plugin, very useful when pwndbg or other plugins failed to analysis heap.
sed -i "1i source `pwd`/gdbscript.py" ~/.gdbinit # alternatively, you can add that line manuallyNote
Pretty easy to use. I will make it a package later.
from heapinspect.core import *
hi = HeapInspector(1234) #pid here
hs = HeapShower(hi)
print(hs.fastbins)
print(hs.smallbins)
print(hs.largebins)
print(hs.unsortedbins)
print(hs.tcache_chunks)
hs.relative = 1 #relative mode, check Quick shot
print(hs.fastbins)
sleep(10)
#now assume that the heap state has changed
hs.update() #use this to refresh
pp = PrettyPrinter(hi)
print(pp.all) #pretty printer
pp.update() #use this to updateThere are some testcases.
heapinspect/tests/ $ python test.py #this will run all test cases for you to check this tool.
......
......
test case unsortedbins64 at test/testcases/libc-2.27/64bit
pid:6704
========================= fastbins =========================
========================= unsortedbins =========================
chunk(0x7f9aae2e6720): prev_size=0x0 size=0xb1 fd=0x7f9aacdfbca0 bk=0x7f9aae2e6880
chunk(0x7f9aae2e6880): prev_size=0x0 size=0xb1 fd=0x7f9aae2e6720 bk=0x7f9aacdfbca0
========================= smallbins =========================
========================= largebins =========================
========================= tcache =========================
tcache[9]:
chunk(0x7f9aae2e6670): prev_size=0x0 size=0xb1 fd=0x7f9aae2e65d0 bk=0x0
chunk(0x7f9aae2e65c0): prev_size=0x0 size=0xb1 fd=0x7f9aae2e6520 bk=0x0
chunk(0x7f9aae2e6510): prev_size=0x0 size=0xb1 fd=0x7f9aae2e6470 bk=0x0
chunk(0x7f9aae2e6460): prev_size=0x0 size=0xb1 fd=0x7f9aae2e63c0 bk=0x0
chunk(0x7f9aae2e63b0): prev_size=0x0 size=0xb1 fd=0x7f9aae2e6310 bk=0x0
chunk(0x7f9aae2e6300): prev_size=0x0 size=0xb1 fd=0x7f9aae2e6260 bk=0x0
chunk(0x7f9aae2e6250): prev_size=0x0 size=0xb1 fd=0x0 bk=0x0
Detailed docstrings have been written into the source code.
I have built a sphinx doc in docs. Just open docs/build/html/index.html with your browser.
- python3 support
- add support for gdb
docs update.
- update sphinx docs
- reshape file structure
not a functional update.
- PEP8
- docstrings
- performance update
first release
- better cmdline option
next version will be a release.
- CRLF to LF
- code refine
- readme refine
- pretty printer
- auto test
- code refine
this is not a stable version. im trying to fix bugs due to different glibc. i need help to test this.
- add multi libc support
- add x86 support
next version will add multi libc support. heapdiff and heap check will be added later.
HeapShower- relative heap & libc offset showing
- fix search loop bug
binsnow search frombkinstead offd, as the manner of glibc
HeapRecoder, I will make a heapdiffsmallbinsandlargebins
fastbinprototypeunsortedbinprototypebinsprototypetcacheprototype
- add
C_Structto handle c structure
- add
class HeapInspector - trying to parse more information of
arena
- add
class Procinproc_util - experimental test in
test.py