An IDA Pro plugin (for now) to examine the heap, focused on exploit development.
Currently only supports glibc malloc (ptmalloc2).
Requirements:
- IDA Pro >= 6.9
- glibc <= 2.27 (x86, x64)

Features:
- Heap tracer (malloc/free)
- Malloc chunk info
- Multi-arena info (chunks, top, last-remainder)
- Bins info (fastbins, unsortedbin, smallbins and largebins)
- Tcache info (glibc >= 2.26)
- GraphView for linked lists (bins/tcache)
- Magic utils:
  - Unlink merge info
  - Fake fastbin finder
  - House of force helper
  - Useful libc offsets
Just drop the `heap_viewer.py` file and the `heap_viewer` folder into IDA's plugin directory.

IDA does not load the libc debug symbols in the debugging session, so a config file must be generated before using the plugin. To do this, install the libc6-dbg package on the remote Linux machine and run the script `utils\get_config.py`. Then paste its output into the `heap_viewer\config.json` file.
```
$ python get_config.py
[*] config.json:
{
  "libc_offsets": {
    "32": {
      "mp_": 1921312,
      "main_arena": 1922976
    },
    "64": {
      "mp_": 3883648,
      "main_arena": 3886144
    }
  },
  "libc_version": "2.27"
}
```
If you don't have the debug symbols for a given libc (e.g. CTFs ;D), you can use the get_main_arena tool to obtain the main_arena offset for that libc. This is enough for the plugin to work correctly: simply put the main_arena offset in the config.json file.
Examples:
```
$ ./main_arena_offset
[*] libc version: 2.27
[*] libc file: /lib/i386-linux-gnu/libc-2.27.so
[*] libc address: 0xf7ceb000
[*] main_arena: 0xf7ec07a0
[*] main_arena offset: 0x1d57a0
$ LD_PRELOAD=./libc_64.so.6 ./main_arena_offset
...
```
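One way to recover the main_arena offset without debug symbols, shown here as an added example written for this README (not the project's own get_main_arena tool): a chunk too large for tcache and fastbins, freed while an allocated neighbour sits between it and the top chunk, lands in the unsorted bin, and its fd/bk then point at main_arena.top. The program assumes glibc (gnu_get_libc_version, dl_iterate_phdr) and the malloc_state layout of glibc 2.23 through 2.27 and later (have_fastchunks present from 2.27).

```c
#define _GNU_SOURCE
#include <gnu/libc-version.h>   /* gnu_get_libc_version() (glibc only) */
#include <link.h>               /* dl_iterate_phdr() */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct arena_probe { uintptr_t libc_base, main_arena, offset; };

/* Assumed layout of malloc_state: mutex + flags (+ have_fastchunks since 2.27),
 * padded to pointer size, then the 10 fastbin heads, then `top`. */
static size_t top_offset(void) {
    int major = 0, minor = 0;
    sscanf(gnu_get_libc_version(), "%d.%d", &major, &minor);
    size_t hdr = ((major > 2 || minor >= 27) ? 3 : 2) * sizeof(int);
    hdr = (hdr + sizeof(void *) - 1) & ~(sizeof(void *) - 1);
    return hdr + 10 * sizeof(void *);
}

/* dl_iterate_phdr callback: record the load base of the libc module. */
static int find_libc(struct dl_phdr_info *info, size_t size, void *out) {
    (void)size;
    if (strstr(info->dlpi_name, "libc.so") || strstr(info->dlpi_name, "libc-")) {
        *(uintptr_t *)out = info->dlpi_addr;
        return 1;                       /* stop iterating */
    }
    return 0;
}

/* Returns 0 on success; -1 if the chunk was consolidated instead of binned
 * (then fd/bk were never written and the canary pattern is still there). */
int probe_main_arena(struct arena_probe *out) {
    void *victim = malloc(0x500);       /* chunk size 0x510: beyond tcache/fastbins */
    void *guard = malloc(0x510);        /* in-use neighbour: no merge with top */
    if (!victim || !guard) return -1;
    memset(victim, 0x41, 0x500);        /* canary to detect an unwritten fd/bk */
    volatile uintptr_t *words = (volatile uintptr_t *)victim;
    free(victim);                       /* goes to the unsorted bin */
    uintptr_t fd = words[0], bk = words[1], canary;
    memset(&canary, 0x41, sizeof canary);
    free(guard);
    if (fd == canary || fd != bk) return -1;   /* not a lone unsorted chunk */
    uintptr_t base = 0;
    dl_iterate_phdr(find_libc, &base);
    if (!base) return -1;
    out->libc_base = base;
    out->main_arena = fd - top_offset();       /* fd == &main_arena.top */
    out->offset = out->main_arena - base;
    return 0;
}
```

Print `libc_base`, `main_arena` and `offset` with `%#lx` to get the same three lines the tool shows above; the offset is what goes into config.json.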
Screenshots (images not included here): Tracer, Arena & chunk info, Tcache entries, Bins, Bin graph, Find fake fastbin, Unlink merge info, Useful libc offsets.
- Daniel García Gutiérrez - @danigargu
Special mention to my colleagues @soez, @wagiro and @DiaLluvioso for giving me some ideas during the development of the plugin. And of course, the @pwndbg project, from which I picked up some things about heap parsing.
Any comment, issue or pull request will be highly appreciated :-)