danigargu / heap-viewer Goto Github PK

View Code? Open in Web Editor NEW

730.0 21.0 87.0 207 KB

IDA Pro plugin to examine the glibc heap, focused on exploit development

License: GNU General Public License v3.0

Python 95.70% Makefile 0.18% C 4.13%

python idapython idapython-plugin ida-plugin ida-pro exploitation exploit heap glibc

heap-viewer's Introduction

HeapViewer

An IDA Pro plugin to examine the heap, focused on exploit development.

Currently supports the glibc malloc implementation (ptmalloc2).

3rd place winner of the 2018 Hex-Rays Plugin Contest

Requirements

IDA Pro >= 7.0

Tested on

glibc 2.23 <= 2.31 (x86, x64)

Features

Heap tracer (malloc/free/calloc/realloc)
- Detection of overlaps and double-frees
- Visualization using villoc
Malloc chunk info
Chunk editor
Multi-arena info (chunks, top, last-remainder)
Bins info (fastbins, unsortedbin, smallbins y largebins)
Tcache info (glibc >= 2.26)
GraphView for linked lists (bins/tcache)
Structs view (malloc_state / malloc_par / tcache_perthread)
Magic utils:
- Unlink merge info
- Freeable/merge info
- Fake fastbin finder
- House of force helper
- Useful libc offsets
- Calc chunk size (request2size)
- IO_FILE structs

Install

Just drop the heap_viewer.py file and the heap_viewer folder into IDA's plugin directory.

To install just for the current user, copy the files into one of these directories:

OS	Plugin path
Linux/macOS	`~/.idapro/plugins`
Windows	`%AppData%\Hex-Rays\IDA Pro\plugins`

Configuration

Currently the plugin does not require to be configured, since it tries to obtain automatically the necessary offsets to analyze the heap.

However, in case the plugin fails, it is possible to set the different offsets in the configuration tab. To obtain these offsets, you can use any of the tools located in the utils folder.

If you find any inconsistency, let me know :)

Screenshots

Tracer

Arena & chunk info

Tcache entries

Bins

Bin graph

Fastbin graph

Tcache graph

Find fake fastbin

Unlink merge info

Useful libc offsets

Learning Resources

I'd recommend the following resources alongside this tool for learning heap exploiting.

shellphish's how2heap

Author

Daniel García Gutiérrez - @danigargu

Contributors 🍺

Special mention to my colleagues soez, wagiro and DiaLluvioso for give me some ideas during the development of the plugin. And of course, the @pwndbg project, from which I picked up some things about heap parsing.

Contributors

Bugs / Feedback / PRs

Any comment, issue or pull request will be highly appreciated :-)

heap-viewer's People

Contributors

Stargazers

Watchers

Forkers

jack51706 s3ize snyiu100 kernux techlord-rce explife0011 b1gw00d mk-z ga-ryo chubbymaggie heruix idkwim fcccode kernullist peterg75 gavz 5up3rc deelmind y11en ht13 victorgutierrez92 anarquias fatgrass thomasking2014 secice exiahan aidielse tracesrc hausferd 0x4e38 sigma-random c0frex limkokholefork pdkyll whulls lallouslab jamesshew supjerk perfectswpuboy1 crackercat modulexcite l9sk bird8693 forkitallsec fengjixuchui woozoo86 seabreg intrigus shalekesan imulmul hunagling mcgrady1 hisanmehmood lybobob1 chaitanyaharitash wxtlco hello-xbugs 5l1v3r1 mmg1 ykankaya lichtlos leedinh silentsoul04 0xc4se hpvca clayne tabhay thor509 kejripraveen sh4m2hwz idapluginproject fdlucifer mfkiwl polling-repo-continua kingking888 serfend arryboom nx6110a5100 jusorlee tinyx3k easy-forks data-gami 000xe4

heap-viewer's Issues

Can't access memory

Traceback (most recent call last):
  File "~/plugins\heap_viewer\plugin_gui.py", line 141, in reload_gui_info
    self.arena_widget.populate_table()
  File "~/plugins\heap_viewer\widgets\arena.py", line 131, in populate_table
    parsed_heap = self.heap.parse_heap(cur_arena)
  File "~/plugins\heap_viewer\ptmalloc.py", line 533, in parse_heap
    status = self.get_chunk(chunk_addr + real_size).prev_inuse
  File "~/plugins\heap_viewer\ptmalloc.py", line 466, in get_chunk
    return get_struct(address, self.malloc_chunk_s)
  File "~/plugins\heap_viewer\misc.py", line 25, in get_struct
    assert idaapi.is_loaded(address) == True, "Can't access memory at 0x%x" % address
AssertionError: Can't access memory at 0x939a000

heap-data:

Is not friendly for windows ida user?

emm,,,,I configure and install like the README.md

yeah ,something is ok, IDA reminder me "Please wait",so ,I wait,wait,wait....

And I find that the IDA are taking up more memory,,,finally the IDA crash

is memory leak?

[HeapViewer] Executable must be ELF fomat

When running the plugin I get the following message. [HeapViewer] Executable must be ELF fomat

How to handle this?

Windows Heap View

Will there be a version for Windows Heap?

TypeError: Expected an ea_t type

The plugin can't work on my IDA 7.0

Traceback (most recent call last):
  File "D:/software/IDA 7.0/plugins\heap_viewer\plugin_gui.py", line 139, in reload_gui_info
    self.populate_arenas()
  File "D:/software/IDA 7.0/plugins\heap_viewer\plugin_gui.py", line 165, in populate_arenas
    for addr, arena in self.heap.arenas():
  File "D:/software/IDA 7.0/plugins\heap_viewer\ptmalloc.py", line 642, in arenas
    arena = self.get_arena() # main_arena
  File "D:/software/IDA 7.0/plugins\heap_viewer\ptmalloc.py", line 619, in get_arena
    return get_struct(address, self.malloc_state_s)
  File "D:/software/IDA 7.0/plugins\heap_viewer\misc.py", line 25, in get_struct
    assert idaapi.is_loaded(address) == True, "Can't access memory at 0x%x" % address
  File "D:\software\IDA 7.0\python\ida_bytes.py", line 284, in is_loaded
    return _ida_bytes.is_loaded(*args)
TypeError: Expected an ea_t type

It seems a type error

ptmalloc malloc_chunk size may be wrong

I may just be overlooking something, but I note that in the misc.py "add_malloc_chunk_struct" function, the struct size is declared as 56 bytes.

125: struct_size = 7*ptr_size

This struct only has six member, and on 64bit platforms, each of the structs in 8 bytes, so aasuming there is no odd struct padding/packing, shouldn't it only be 48 bytes? E.g.

struct_size = 6*ptr_size

A small C test program will also print the struct size out as 48.

#include <stdio.h>

int main() {

struct malloc_chunk;
typedef struct malloc_chunk* mchunkptr;

#define INTERNAL_SIZE_T size_t

struct malloc_chunk {

    INTERNAL_SIZE_T      mchunk_prev_size;  /* Size of previous chunk (if free).  */
    INTERNAL_SIZE_T      mchunk_size;       /* Size in bytes, including overhead. */

    struct malloc_chunk* fd;         /* double links -- used only if free. */
    struct malloc_chunk* bk;

    /* Only used for large blocks: pointer to next larger size.  */
    struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */
    struct malloc_chunk* bk_nextsize;
};

  struct malloc_chunk getsize;

  printf("The size of the malloc_chunk struct is: %lu \n", sizeof(getsize));

}

Error for glibc 2.31

cant detect freed chunk

Any plan about adding support for glibc 2.32~2.36?

As a reverse engineer, IDA is much more attractive than gdb!

Error when debugging ARM sample on linux

IDA Ver: Using IDA 7.6
Debugged binary: ELF, ARM

got the following message -

[HeapViewer] Tracer enabled
IDAPython: Error while calling Python callback :
Traceback (most recent call last):
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\plugin_gui.py", line 32, in OnCreate
self.setup_gui()
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\plugin_gui.py", line 42, in setup_gui
self.magic_widget = MagicWidget(self)
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\widgets\magic.py", line 24, in init
self._create_gui()
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\widgets\magic.py", line 45, in _create_gui
self.io_file_widget = IOFileWidget(self)
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\widgets\magic.py", line 579, in init
self.cb_struct_changed(0)
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\widgets\magic.py", line 630, in cb_struct_changed
self.show_struct(address, struct_name)
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\widgets\magic.py", line 687, in show_struct
io_file_struct = io_file.parse_structs(address)
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\io_file.py", line 190, in parse_structs
io_jump_data = get_struct(io_file_data.vtable, structs.vtable)
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\misc.py", line 25, in get_struct
assert idaapi.is_loaded(address) == True, "Can't access memory at 0x%x" % address
AssertionError: Can't access memory at 0x0
Exception in ida_dbg.DBG_Hooks dispatcher function: SWIG director method error. Error detected when calling 'DBG_Hooks.dbg_bpt'
Traceback (most recent call last):
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\tracer.py", line 82, in dbg_bpt
ret_addr = self.get_return_address()
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\tracer.py", line 65, in get_return_address
esp = get_reg_value(self.regs['SP'])
File "C:\Program Files\IDA Pro 7.6\python\3\ida_dbg.py", line 4532, in get_reg_val
return _ida_dbg.get_reg_val(*args)
Exception: Failed to retrieve register value

maybe its because its never tested on 7.6 or on ARM.. not sure.

cannot import name PLUGNAME

Hi, when i open ida 7.0 on Mac, the plugin occours the error :"cannot import name PLUGNAME" in line 18.

Useful libc offset's bug when function is imported.

Thank you for this great plugin!

I found a bug in Magic window's "useful libc offset" .

When I use "read(fd,buf,size)" function in ELF, it's imported and IDA Pro will name this as extern symbol.

extern:0000000000601060 extrn read:near

And this causes bug below. (It was calculated as 0x601060 - libc_base)

open	0xf7030	
read	0x-7fe70ac0afa0	
write	0xf72b0

danigargu / heap-viewer Goto Github PK

heap-viewer's Introduction

HeapViewer

Requirements

Tested on

Features

Install

Configuration

Screenshots

Learning Resources

Author

Contributors 🍺

Bugs / Feedback / PRs

heap-viewer's People

Contributors

Stargazers

Watchers

Forkers

heap-viewer's Issues

heap-data:

Recommend Projects

Recommend Topics

Recommend Org