heapinfo 0.0.5 → 0.1.0

data/lib/heapinfo/libc.rb

@@ -2,15 +2,15 @@ module HeapInfo
   # Record libc's base, name, and offsets.
   class Libc < Segment
     include HeapInfo::Glibc
-    # Instantiate a <tt>HeapInfo::Libc</tt> object.
+    # Instantiate a {HeapInfo::Libc} object.
     #
-    # @param [Mixed] args See <tt>#HeapInfo::Segment.initialize</tt> for more information.
+    # @param [Mixed] args See {HeapInfo::Segment#initialize} for more information.
     def initialize(*args)
       super
       @offset = {}
     end
 
-    # Get the offset of <tt>main_arena</tt> in libc.
+    # Get the offset of +main_arena+ in libc.
     # @return [Integer]
     def main_arena_offset
       return @offset[:main_arena] if @offset[:main_arena]
@@ -18,17 +18,17 @@ module HeapInfo
       @offset[:main_arena]
     end
 
-    # Get the <tt>main_arena</tt> of libc.
+    # Get the +main_arena+ of libc.
     # @return [HeapInfo::Arena]
     def main_arena
       return @main_arena.reload! if @main_arena
       off = main_arena_offset
       return if off.nil?
-      @main_arena = Arena.new(off + self.base, size_t, dumper)
+      @main_arena = Arena.new(off + base, size_t, dumper)
     end
 
-    # @param [Array] maps See <tt>#HeapInfo::Segment.find</tt> for more information.
-    # @param [String] name See <tt>#HeapInfo::Segment.find</tt> for more information.
+    # @param [Array] maps See {HeapInfo::Segment#find} for more information.
+    # @param [String] name See {HeapInfo::Segment#find} for more information.
     # @param [Integer] bits Either 64 or 32.
     # @param [String] ld_name The loader's realpath, will be used for running subprocesses.
     # @param [Proc] dumper The memory dumper for fetch more information.
@@ -41,7 +41,8 @@ module HeapInfo
       obj
     end
 
-  private
+    private
+
     attr_accessor :ld_name
     # only for searching offset of main_arena now
     def exhaust_search(symbol)
@@ -51,23 +52,23 @@ module HeapInfo
     end
 
     def read_main_arena_offset
-      key = HeapInfo::Cache::key_libc_offset(self.name)
-      @offset = HeapInfo::Cache::read(key) || {}
-      return @offset[:main_arena] if @offset.key? :main_arena
+      key = HeapInfo::Cache.key_libc_offset(name)
+      @offset = HeapInfo::Cache.read(key) || {}
+      return @offset[:main_arena] if @offset.key?(:main_arena)
       @offset[:main_arena] = resolve_main_arena_offset
-      HeapInfo::Cache::write key, @offset
+      HeapInfo::Cache.write(key, @offset)
     end
 
     def resolve_main_arena_offset
-      tmp_elf = HeapInfo::TMP_DIR + "/get_arena"
-      libc_file = HeapInfo::TMP_DIR + "/libc.so.6"
-      ld_file = HeapInfo::TMP_DIR + "/ld.so"
+      tmp_elf = HeapInfo::TMP_DIR + '/get_arena'
+      libc_file = HeapInfo::TMP_DIR + '/libc.so.6'
+      ld_file = HeapInfo::TMP_DIR + '/ld.so'
       flags = "-w #{size_t == 4 ? '-m32' : ''}"
-      %x(cp #{self.name} #{libc_file} && \
+      `cp #{name} #{libc_file} && \
          cp #{ld_name} #{ld_file} && \
          gcc #{flags} #{File.expand_path('../tools/get_arena.c', __FILE__)} -o #{tmp_elf} 2>&1 > /dev/null && \
          #{ld_file} --library-path #{HeapInfo::TMP_DIR} #{tmp_elf} && \
-         rm #{tmp_elf} #{libc_file} #{ld_file}).to_i(16)
+         rm #{tmp_elf} #{libc_file} #{ld_file}`.to_i(16)
     end
   end
 end

data/lib/heapinfo/nil.rb

@@ -1,24 +1,30 @@
 module HeapInfo
-  # Self defined <tt>nil</tt> like class.
+  # Self define a +nil+ like class.
   #
-  # Be the return values of <tt>#dump</tt> or <tt>#dump_chunks</tt>, to prevent use the return value for calculating accidentally while exploiting remote.
+  # Can be the return value of {HeapInfo::Process#dump} and {HeapInfo::Process#dump_chunks},
+  # to prevent use the return value for calculating accidentally while exploiting remote.
   class Nil
     %i(nil? inspect to_s).each do |method_sym|
-      define_method(method_sym){|*args, &block| nil.send(method_sym, *args, &block)}
+      define_method(method_sym) { |*args, &block| nil.send(method_sym, *args, &block) }
     end
 
     # Hook all missing methods
-    # @return [HeapInfo::Nil] return <tt>self</tt> so that it can be a <tt>nil</tt> chain.
+    # @return [HeapInfo::Nil] return +self+ so that it can be a +nil+ chain.
     # @example
     #   # h.dump would return Nil when process not found
-    #   p h.dump(:heap)[8,8].unpack("Q*)
+    #   p h.dump(:heap)[8, 8].unpack('Q*')
     #   # => nil
     def method_missing(method_sym, *args, &block)
-      return nil.send(method_sym, *args, &block) if nil.respond_to? method_sym
-      self
+      return nil.send(method_sym, *args, &block) if nil.respond_to?(method_sym)
+      self || super
     end
 
-    # To prevent error raised when using <tt>puts Nil.new</tt>
+    # Yap
+    def respond_to_missing?(*)
+      super
+    end
+
+    # To prevent error raised when using +puts Nil.new+.
     # @return [Array] Empty array
     def to_ary
       []

data/lib/heapinfo/process.rb

@@ -1,13 +1,13 @@
-#encoding: ascii-8bit
+# encoding: ascii-8bit
 module HeapInfo
   # Main class of heapinfo.
   class Process
     # The default options of libaries,
     # use for matching glibc and ld segments in <tt>/proc/[pid]/maps</tt>
     DEFAULT_LIB = {
-      libc: /bc.*\.so/,
-      ld:   /\/ld-.+\.so/,
-    }
+      libc: /bc[^a-z]*\.so/,
+      ld:   %r{/ld-.+\.so}
+    }.freeze
     # @return [Fixnum, NilClass] return the pid of process, <tt>nil</tt> if no such process found
     attr_reader :pid
 
@@ -34,7 +34,7 @@ module HeapInfo
 
     # Use this method to wrapper all HeapInfo methods.
     #
-    # Since <tt>::HeapInfo</tt> is a tool(debugger) for local usage, 
+    # Since <tt>::HeapInfo</tt> is a tool(debugger) for local usage,
     # while exploiting remote service, all methods will not work properly.
     # So I suggest to wrapper all methods inside <tt>#debug</tt>,
     # which will ignore the block while the victim process is not found.
@@ -54,10 +54,13 @@ module HeapInfo
 
     # Dump the content of specific memory address.
     #
-    # Note: This method require you have permission of attaching another process. If not, a warning message will present.
+    # Note: This method require you have permission of attaching another process.
+    # If not, a warning message will present.
     #
     # @param [Mixed] args Will be parsed into <tt>[base, offset, length]</tt>, see Examples for more information.
-    # @return [String, HeapInfo::Nil] The content needed. When the request address is not readable or the process not exists, <tt>HeapInfo::Nil.new</tt> is returned.
+    # @return [String, HeapInfo::Nil]
+    #   The content needed. When the request address is not readable or the process not exists,
+    #   <tt>HeapInfo::Nil.new</tt> is returned.
     #
     # @example
     #   h = heapinfo('victim')
@@ -102,22 +105,27 @@ module HeapInfo
     #   # 0x1f0d000:      0x0000000000000000      0x0000000000002011
     #   # 0x1f0d010:      0x00007f892a9f87b8      0x00007f892a9f87b8
     #   # 0x1f0d020:      0x0000000000000000      0x0000000000000000
-    #   # 0x1f0d030:      0x0000000000000000      0x0000000000000000 
+    #   # 0x1f0d030:      0x0000000000000000      0x0000000000000000
     # @example
     #   h.x 3, 0x400000
     #   # 0x400000:       0x00010102464c457f      0x0000000000000000
     #   # 0x400010:       0x00000001003e0002
     def x(count, *commands, io: $stdout)
-      return unless load? and io.respond_to? :puts
+      return unless load? && io.respond_to?(:puts)
       dumper.x(count, *commands, io: io)
     end
 
     # Gdb-like command.
     #
     # Search a specific value/string/regexp in memory.
-    # @param [Integer, String, Regexp] pattern The desired search pattern, can be value(<tt>Integer</tt>), string, or regular expression.
-    # @param [Integer, String, Symbol] from Start address for searching, can be segment(<tt>Symbol</tt>) or segments with offset. See examples for more information.
-    # @param [Integer] length The search length limit, default is unlimited, which will search until pattern found or reach unreadable memory.
+    # @param [Integer, String, Regexp] pattern
+    #   The desired search pattern, can be value(<tt>Integer</tt>), string, or regular expression.
+    # @param [Integer, String, Symbol] from
+    #   Start address for searching, can be segment(<tt>Symbol</tt>) or segments with offset.
+    #   See examples for more information.
+    # @param [Integer] length
+    #   The search length limit, default is unlimited,
+    #   which will search until pattern found or reach unreadable memory.
     # @return [Integer, NilClass] The first matched address, <tt>nil</tt> is returned when no such pattern found.
     # @example
     #   h.find(0xdeadbeef, 'heap+0x10', 0x1000)
@@ -134,8 +142,8 @@ module HeapInfo
       dumper.find(pattern, from, length)
     end
 
-    # <tt>search</tt> is more intutive to me
-    alias :search :find
+    # +search+ is more intutive to me
+    alias search find
 
     # Pretty dump of bins layouts.
     #
@@ -146,8 +154,8 @@ module HeapInfo
     # @example
     #   h.layouts :fastbin, :unsorted_bin, :smallbin
     def layouts(*args, io: $stdout)
-      return unless load? and io.respond_to? :puts
-      io.puts self.libc.main_arena.layouts(*args)
+      return unless load? && io.respond_to?(:puts)
+      io.puts libc.main_arena.layouts(*args)
     end
 
     # Show simple information of target process.
@@ -157,16 +165,17 @@ module HeapInfo
     # @example
     #   puts h
     def to_s
-      return "Process not found" unless load?
+      return 'Process not found' unless load?
       "Program: #{Helper.color program.name} PID: #{Helper.color pid}\n" +
-      program.to_s +
-      heap.to_s + 
-      stack.to_s +
-      libc.to_s +
-      ld.to_s
+        program.to_s +
+        heap.to_s +
+        stack.to_s +
+        libc.to_s +
+        ld.to_s
     end
 
-  private
+    private
+
     attr_accessor :dumper
     def load?
       @pid != nil
@@ -192,7 +201,7 @@ module HeapInfo
 
     def clear_process
       ProcessInfo::EXPORT.each do |m|
-        self.class.send(:define_method, m) {Nil.new}
+        self.class.send(:define_method, m) { Nil.new }
       end
       false
     end
@@ -200,7 +209,7 @@ module HeapInfo
     def load_info! # :nodoc:
       @info = ProcessInfo.new(self)
       ProcessInfo::EXPORT.each do |m|
-        self.class.send(:define_method, m) {@info.send(m)}
+        self.class.send(:define_method, m) { @info.send(m) }
       end
       @dumper = Dumper.new(@info, mem_filename)
     end

data/lib/heapinfo/process_info.rb

@@ -1,13 +1,13 @@
-#encoding: ascii-8bit
+# encoding: ascii-8bit
 module HeapInfo
-  # for <tt>Process</tt> to record current info(s)
-  # <tt>Process</tt> has a <tt>process_info</tt> object iff the process found (pid not <tt>nil</tt>).
+  # for {Process} to record current info(s)
+  # {Process} has a +process_info+ object iff the process found (pid not +nil+).
   # Mainly records segments' base.
   class ProcessInfo
-    # Methods to be transparent to <tt>process</tt>.
-    # e.g. <tt>process.libc alias to process.info.libc</tt>
-    EXPORT = %i(libc ld heap elf program stack bits)
-   
+    # Methods to be transparent to +process+.
+    # e.g. +process.libc+ alias to +process.info.libc+.
+    EXPORT = %i(libc ld heap elf program stack bits).freeze
+
     # @return [Integer] 32 or 64.
     attr_reader :bits
     # @return [HeapInfo::Segment]
@@ -18,11 +18,11 @@ module HeapInfo
     attr_reader :libc
     # @return [HeapInfo::Segment]
     attr_reader :ld
-    alias :elf :program
+    alias elf program
 
-    # Instantiate a <tt>ProcessInfo</tt> object
+    # Instantiate a {ProcessInfo} object
     #
-    # @param [HeapInfo::Process] process Load information from maps/memory for <tt>process</tt>
+    # @param [HeapInfo::Process] process Load information from maps/memory for +process+.
     def initialize(process)
       @pid = process.pid
       options = process.instance_variable_get(:@options)
@@ -33,18 +33,19 @@ module HeapInfo
       # well.. stack is a strange case because it will grow in runtime..
       # should i detect stack base growing..?
       @ld = Segment.find(maps, match_maps(maps, options[:ld]))
-      @libc = Libc.find(maps, match_maps(maps, options[:libc]), @bits, @ld.name, ->(*args){ process.dump(*args) })
+      @libc = Libc.find(maps, match_maps(maps, options[:libc]), @bits, @ld.name, ->(*args) { process.dump(*args) })
     end
 
     # Heap will not be mmapped if the process not use heap yet, so create a lazy loading method.
     # Will re-read maps when heap segment not found yet.
     #
-    # @return [HeapInfo::Segment] The <tt>Segment</tt> of heap
+    # @return [HeapInfo::Segment] The {Segment} of heap
     def heap # special handle because heap might not be initialized in the beginning
       @heap ||= Segment.find(maps!, '[heap]')
     end
 
-  private
+    private
+
     attr_reader :maps
 
     # force reload maps
@@ -57,7 +58,7 @@ module HeapInfo
     end
 
     def match_maps(maps, pattern)
-      maps.map{|s| s[3]}.find{|seg| pattern.is_a?(Regexp) ? seg =~ pattern : seg.include?(pattern)}
+      maps.map { |s| s[3] }.find { |seg| pattern.is_a?(Regexp) ? seg =~ pattern : seg.include?(pattern) }
     end
   end
 end

data/lib/heapinfo/segment.rb

@@ -1,7 +1,6 @@
 module HeapInfo
   # Record the base address and name in maps
   class Segment
-
     # Base address of segment
     attr_reader :base
     # Name of segment
@@ -17,20 +16,22 @@ module HeapInfo
     # Hook <tt>#to_s</tt> for pretty printing
     # @return [String] Information of name and base address wrapper with color codes.
     def to_s
-      "%-28s\tbase @ #{Helper.color("%#x" % base)}\n" % Helper.color(name.split('/')[-1])
+      format("%-28s\tbase @ #{Helper.color(format('%#x', base))}\n", Helper.color(name.split('/')[-1]))
     end
 
-    # Helper for create an <tt>Segment</tt>
+    # Helper for create a {HeapInfo::Segment}.
     #
-    # Search the specific <tt>pattern</tt> in <tt>maps</tt> and return a <tt>HeapInfo::Segment</tt> object.
+    # Search the specific <tt>pattern</tt> in <tt>maps</tt> and return a {HeapInfo::Segment} object.
     #
-    # @param [Array] maps <tt>maps</tt> is in the form of the return value of <tt>HeapInfo::Helper.parse_maps</tt>
-    # @param [Regexp, String] pattern The segment name want to match in maps. If <tt>String</tt> is given, the pattern is matched as a substring.
-    # @return [HeapInfo::Segment, NilClass] The request <tt>Segment</tt> object. If the pattern is not matched, <tt>nil</tt> will be returned.
+    # @param [Array] maps <tt>maps</tt> is in the form of the return value of <tt>HeapInfo::Helper.parse_maps</tt>.
+    # @param [Regexp, String] pattern
+    #   The segment name want to match in maps. If +String+ is given, the pattern is matched as a substring.
+    # @return [HeapInfo::Segment, NilClass]
+    #   The request {HeapInfo::Segment} object. If the pattern is not matched, <tt>nil</tt> will be returned.
     def self.find(maps, pattern)
       return Nil.new if pattern.nil?
-      needs = maps.select{|m| pattern.is_a?(Regexp) ? m[3] =~ pattern : m[3].include?(pattern)}
-      self.new needs.map{|m| m[0]}.min, needs[0][3] unless needs.empty?
+      needs = maps.select { |m| pattern.is_a?(Regexp) ? m[3] =~ pattern : m[3].include?(pattern) }
+      new(needs.map(&:first).min, needs[0][3]) unless needs.empty?
     end
   end
 end

data/lib/heapinfo/tools/get_arena.c

@@ -21,7 +21,6 @@ int main() {
   void *z = malloc(SZ); // prevent p merge with top chunk
   *p = z; // prevent compiler optimize
   free(p); // now *p must be the pointer of the (chunk_ptr) unsorted bin
-  //TODO: check if this offset change in different version glibc
   z = (void*)((*p) - (4 + 4 + SZ * 10 )); // mutex+flags+fastbin[]
   void* a = search_head((size_t)__builtin_return_address(0));
   printf("%p\n", z-a);

data/lib/heapinfo/version.rb

@@ -1,3 +1,3 @@
 module HeapInfo
-  VERSION = '0.0.5'.freeze
+  VERSION = '0.1.0'.freeze
 end

metadata

@@ -1,15 +1,85 @@
 --- !ruby/object:Gem::Specification
 name: heapinfo
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.1.0
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-01-03 00:00:00.000000000 Z
-dependencies: []
+date: 2017-02-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.46'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.46'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.13.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.13.0
+- !ruby/object:Gem::Dependency
+  name: codeclimate-test-reporter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
 description: create an interactive memory info interface while pwn / exploiting
 email:
 - david942j@gmail.com
@@ -37,19 +107,6 @@ files:
 - lib/heapinfo/segment.rb
 - lib/heapinfo/tools/get_arena.c
 - lib/heapinfo/version.rb
-- spec/cache_spec.rb
-- spec/chunk_spec.rb
-- spec/chunks_spec.rb
-- spec/dumper_spec.rb
-- spec/files/32bit_maps
-- spec/files/64bit_maps
-- spec/files/victim.cpp
-- spec/helper_spec.rb
-- spec/libc_spec.rb
-- spec/nil_spec.rb
-- spec/process_spec.rb
-- spec/spec_helper.rb
-- spec/string_spec.rb
 homepage: https://github.com/david942j/heapinfo
 licenses:
 - MIT
@@ -70,21 +127,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.10
 signing_key: 
 specification_version: 4
 summary: HeapInfo - interactive heap exploitation helper
-test_files:
-- spec/files/32bit_maps
-- spec/files/victim.cpp
-- spec/files/64bit_maps
-- spec/cache_spec.rb
-- spec/dumper_spec.rb
-- spec/process_spec.rb
-- spec/chunk_spec.rb
-- spec/chunks_spec.rb
-- spec/string_spec.rb
-- spec/spec_helper.rb
-- spec/helper_spec.rb
-- spec/nil_spec.rb
-- spec/libc_spec.rb
+test_files: []