heapinfo 1.1.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b734871451b91231d5c1c159633f1de9ad3255bb
-  data.tar.gz: 2742c1043b6466cad49415191c9753819e499e2d
+  metadata.gz: 0fcd356865d018666cc16677f3c7ab5052f8a43d
+  data.tar.gz: f5125e3505ff162b159edacec8d7b00c81e50bb2
 SHA512:
-  metadata.gz: 93861f6cd8f05a68666e2e67caff87d810f784f42aac009a4db4ca7b90031dc792a6643f780f316e7e5b43211e34c18eb5bd4a9dab3634dfad44a17d43c9de24
-  data.tar.gz: e6349ece2cba17b12af3daafb2a62dad995e4a03b0ca83e33a35661ed6985db16cc26e4d50810dedc411ceef497537c964a2804c84a081887cddd3cb1159f4f1
+  metadata.gz: f0386440f6b738e43b882473eb913420b2fa92b3b9e5b186d96c680cb25d65a8e2608c2dd25866cd1eb0805f9f0b0ea2a068c533296cf027ae6b4d69bd42ffa7
+  data.tar.gz: e31e4a02718653ed6909ca9f644d7101ba58b5eabcb508485bb390a66ac076cb856d5bd8ab380a297e4d0e0b256a465f988e2cce518f379389a73e7700b61d47

data/README.md

@@ -10,10 +10,10 @@
 As pwn lovers, while playing CTF with heap exploitation, we always need a debugger (e.g. gdb) for tracking memory layout. But we don't really need gdb if we want to see whether the heap layout same as our imagine or not. Hope this small tool helps us exploit easier ;).
 
 ### Why
-**HeapInfo** is very helpful when binary has somehow anti-debugger limitations, e.g being ptraced.
+**HeapInfo** is very helpful when binary has somehow anti-debugger limitations, e.g. being ptraced.
 **HeapInfo** still works because it doesn't use ptrace.
 
-Implement with ruby because I love ruby :P. But might also implement with Python (if no others did) in the future.
+Implement with Ruby because I love Ruby :P. But might implement with Python (if no others did) in the future.
 
 If you prefer [pwntools](https://github.com/Gallopsled/pwntools) for exploiting, you can still use **HeapInfo** in irb/pry as a small debugger.
 
@@ -33,13 +33,11 @@ $ gem install heapinfo
 * `layouts` - Show the current bin layouts, very useful for heap exploitation.
 * `offset` - Show the offset between given address and segment. Very useful for calculating relative offset.
 * `canary` - Fetch the value of stack guard!
-* `x` - Provide gdb-like commands.
-* `find` - Provide gdb-like commands.
+* `x` - Provide gdb-like command.
+* `s` - Provide gdb-like command.
+* `find` - Provide gdb-like command.
 * More features and details can be found in [RDoc](http://www.rubydoc.info/github/david942j/heapinfo/master/)
 
-### Under developing
-* `free` - Show what will happend when calling `glibc#free` an address.
-
 ## Usage
 
 #### Load
@@ -48,7 +46,7 @@ $ gem install heapinfo
 require 'heapinfo'
 # ./victim is running
 h = heapinfo('victim') 
-# or use h = heapinfo(20568) to specific pid
+# or use h = heapinfo(20568) to specify a pid
 
 # will present simple info when loading:
 # Program: /home/heapinfo/victim PID: 20568
@@ -119,6 +117,11 @@ h.layouts :unsorted, :small
 ```
 ![smallbin layouts](https://github.com/david942j/heapinfo/blob/master/examples/unsorted_smallbin_layouts.png?raw=true)
 
+```ruby
+h.layouts :tcache
+```
+![tcache layouts](https://github.com/david942j/heapinfo/blob/master/examples/tcache_layouts.png?raw=true)
+
 #### offset
 ```ruby
 h.offset(0x7fda86fe8670)
@@ -169,3 +172,5 @@ h.offset(h.find('/bin/sh', :libc))
 * libc-2.23
 * libc-2.24
 * libc-2.25
+* libc-2.26
+* libc-2.27

data/lib/heapinfo.rb

@@ -1,6 +1,9 @@
 # Basic requirements from standard library
 require 'fileutils'
 
+require 'heapinfo/ext/string.rb'
+require 'heapinfo/process'
+
 # HeapInfo - an interactive debugger for heap exploitation
 #
 # HeapInfo makes pwning life easier with ruby style memory dumper.
@@ -46,9 +49,7 @@ module HeapInfo
   #   p h.ld.name
   #   #=> "/home/heapinfo/ld-linux-x86-64.so.2"
   def self.heapinfo(prog, options = {})
-    h = HeapInfo::Process.new(prog, options)
-    puts h
-    h
+    HeapInfo::Process.new(prog, options).tap { |h| $stdout.puts h }
   end
 end
 
@@ -58,17 +59,3 @@ end
 def heapinfo(*args)
   ::HeapInfo.heapinfo(*args)
 end
-
-require 'heapinfo/helper'
-require 'heapinfo/nil'
-require 'heapinfo/cache'
-require 'heapinfo/process_info'
-require 'heapinfo/process'
-require 'heapinfo/segment'
-require 'heapinfo/glibc/glibc'
-require 'heapinfo/libc'
-require 'heapinfo/chunk'
-require 'heapinfo/chunks'
-require 'heapinfo/arena'
-require 'heapinfo/dumper'
-require 'heapinfo/ext/string.rb'

data/lib/heapinfo/arena.rb

@@ -1,3 +1,6 @@
+require 'heapinfo/chunk'
+require 'heapinfo/helper'
+
 module HeapInfo
   # Records status of an arena, including bin(s) and top chunk.
   class Arena
@@ -18,8 +21,8 @@ module HeapInfo
     # Instantiate a {HeapInfo::Arena} object.
     #
     # @param [Integer] base Base address of arena.
-    # @param [Integer] size_t Either 8 or 4
-    # @param [Proc] dumper For dump more data
+    # @param [Integer] size_t Either 8 or 4.
+    # @param [Proc] dumper For dumping more data.
     def initialize(base, size_t, dumper)
       @base = base
       @size_t = size_t
@@ -35,22 +38,18 @@ module HeapInfo
       top_ptr = Helper.unpack(size_t, @dumper.call(top_ptr_offset, size_t))
       @fastbin = []
       return self if top_ptr.zero? # arena not init yet
-      @top_chunk = Chunk.new size_t, top_ptr, @dumper
-      @last_remainder = Chunk.new size_t, top_ptr_offset + 8, @dumper
+      @top_chunk = Chunk.new(size_t, top_ptr, @dumper)
+      @last_remainder = Chunk.new(size_t, top_ptr_offset + 8, @dumper)
       # this offset diff after 2.23
       @system_mem = Array.new(2) do |off|
         Helper.unpack(size_t, @dumper.call(top_ptr_offset + 258 * size_t + 16 + off * size_t, size_t))
       end.find { |val| val >= 0x21000 && (val & 0xfff).zero? }
       @fastbin = Array.new(7) do |idx|
-        f = Fastbin.new(size_t, @base + 8 - size_t * 2 + size_t * idx, @dumper, head: true)
-        f.index = idx
-        f
+        Fastbin.new(size_t, @base + 8 - size_t * 2 + size_t * idx, @dumper, head: true).tap { |f| f.index = idx }
       end
       @unsorted_bin = UnsortedBin.new(size_t, top_ptr_offset, @dumper, head: true)
       @smallbin = Array.new(62) do |idx|
-        s = Smallbin.new(size_t, @base + 8 + size_t * (12 + 2 * idx), @dumper, head: true)
-        s.index = idx
-        s
+        Smallbin.new(size_t, @base + 8 + size_t * (12 + 2 * idx), @dumper, head: true).tap { |s| s.index = idx }
       end
       self
     end
@@ -86,10 +85,10 @@ module HeapInfo
 
     # Instantiate a {HeapInfo::Fastbin} object.
     #
-    # @param [Mixed] args See {HeapInfo::Chunk} for more information.
-    def initialize(*args)
+    # @see HeapInfo::Chunk
+    def initialize(_size_t, base, *)
       super
-      @fd = Helper.unpack(size_t, @data[0, @size_t])
+      @fd = fd_of(base)
     end
 
     # Mapping index of fastbin to chunk size.
@@ -110,7 +109,7 @@ module HeapInfo
     # @return [String] fastbin layouts wrapper with color codes.
     def inspect
       title + list.map do |ptr|
-        next "(#{ptr})\n" if ptr.is_a? Symbol
+        next "(#{ptr})\n" if ptr.is_a?(Symbol)
         next " => (nil)\n" if ptr.nil?
         format(' => %s', Helper.color(format('%#x', ptr)))
       end.join
@@ -135,6 +134,14 @@ module HeapInfo
       ret << nil
     end
 
+    private
+
+    def addr_of(ptr, offset)
+      t = dump(ptr + size_t * offset, size_t)
+      return nil if t.nil?
+      Helper.unpack(size_t, t)
+    end
+
     # @param [Integer] ptr Get the +fd+ value of chunk at +ptr+.
     # @return [Integer] The +fd+.
     def fd_of(ptr)
@@ -146,14 +153,6 @@ module HeapInfo
     def bk_of(ptr)
       addr_of(ptr, 3)
     end
-
-    private
-
-    def addr_of(ptr, offset)
-      t = dump(ptr + size_t * offset, size_t)
-      return nil if t.nil?
-      Helper.unpack(size_t, t)
-    end
   end
 
   # Class for record unsorted bin type chunk.
@@ -178,7 +177,7 @@ module HeapInfo
       title + pretty_list(list) + "\n"
     end
 
-    # Wrapper the double-linked list with color codes.
+    # Wrapper the doubly linked list with color codes.
     # @param [Array<Integer>] list The list from {#link_list}.
     # @return [String] Wrapper with color codes.
     def pretty_list(list)
@@ -190,9 +189,9 @@ module HeapInfo
         next "#{color_c}(invalid)" if fwd.nil? # invalid c
         bck = bk_of(c)
         if center.nil? # bk side
-          Helper.color(format('%s%s', color_c, fwd == list[idx + 1] ? nil : format('(%#x)', fwd)))
+          format('%s%s', color_c, fwd == list[idx + 1] ? nil : Helper.color(format('(%#x)', fwd)))
         else # fd side
-          Helper.color(format('%s%s', bck == list[idx - 1] ? nil : format('(%#x)', bck), color_c))
+          format('%s%s', bck == list[idx - 1] ? nil : Helper.color(format('(%#x)', bck)), color_c)
         end
       end.join(' === ')
     end
@@ -210,16 +209,15 @@ module HeapInfo
         sz = 0
         dup = {}
         while ptr != @base && sz < expand_size
-          append.call ptr
-          break if ptr.nil? # invalid pointer
-          break if dup[ptr] # looped
+          append.call(ptr)
+          break if ptr.nil? || dup[ptr] # invalid or duplicated pointer
           dup[ptr] = true
-          ptr = send(nxt, ptr)
+          ptr = __send__(nxt, ptr)
           sz += 1
         end
       end
       work.call(@fd, :fd_of, ->(ptr) { list << ptr })
-      work.call(@bk, :bk_of, ->(ptr) { list.unshift ptr })
+      work.call(@bk, :bk_of, ->(ptr) { list.unshift(ptr) })
       list
     end
   end

data/lib/heapinfo/cache.rb

@@ -1,4 +1,6 @@
 require 'digest'
+require 'fileutils'
+
 module HeapInfo
   # Self implment file-base cache manager.
   #
@@ -10,12 +12,12 @@ module HeapInfo
 
     # Define class methods.
     module ClassMethods
-      # Get the key for store libc offsets.
+      # Get the key for storing libc info.
       #
       # @param [String] libc_path The realpath to libc file.
-      # @return [String] The key for cache read/write.
-      def key_libc_offset(libc_path)
-        File.join('libc', Digest::MD5.hexdigest(IO.binread(libc_path)), 'offset')
+      # @return [String] The key for cache to read/write.
+      def key_libc_info(libc_path)
+        File.join('libc', Digest::MD5.hexdigest(IO.binread(libc_path)), 'info')
       end
 
       # Write cache to file.
@@ -55,7 +57,7 @@ module HeapInfo
         FileUtils.mkdir_p(CACHE_DIR)
       rescue Errno::EACCES
         # To prevent ~/ is not writable.
-        send(:remove_const, :CACHE_DIR)
+        __send__(:remove_const, :CACHE_DIR)
         const_set(:CACHE_DIR, File.join(HeapInfo::TMP_DIR, '.cache/heapinfo'))
         FileUtils.mkdir_p(CACHE_DIR)
       end

data/lib/heapinfo/chunk.rb

@@ -1,3 +1,5 @@
+require 'heapinfo/helper'
+
 module HeapInfo
   # The object of a heap chunk
   class Chunk
@@ -23,7 +25,7 @@ module HeapInfo
     #   # create a chunk with chunk size 0x21
     def initialize(size_t, base, dumper, head: false)
       raise ArgumentError, 'size_t can be either 4 or 8' unless [4, 8].include?(size_t)
-      self.class.send(:define_method, :dump) { |*args| dumper.call(*args) }
+      self.class.__send__(:define_method, :dump) { |*args| dumper.call(*args) }
       @size_t = size_t
       @base = base
       sz = dump(@base, size_t * 2)

data/lib/heapinfo/dumper.rb

@@ -1,4 +1,11 @@
+# encoding: ascii-8bit
+
+require 'heapinfo/helper'
+require 'heapinfo/nil'
+
 module HeapInfo
+  # @api private
+  #
   # Class for memory dump relation works
   class Dumper
     # Default dump length
@@ -67,8 +74,22 @@ module HeapInfo
       puts str
     end
 
-    # @api private
+    # Dump data from +address+ until reach null-byte.
     #
+    # @return [String]
+    def cstring(address)
+      base = base_of(address)
+      len = 1
+      cur = ''
+      loop do
+        cur << (dump(base + len - 1, len) || '')
+        break if cur.index("\x00")
+        len <<= 1
+        return cur if cur.size != len - 1 # reached undumpable memory
+      end
+      cur[0, cur.index("\x00")]
+    end
+
     # Search a specific value/string/regexp in memory.
     # +#find+ only return the first matched address.
     # @param [Integer, String, Regexp] pattern
@@ -98,6 +119,20 @@ module HeapInfo
       ret
     end
 
+    # @return [Array<Integer>]
+    def scan(pattern, from, length)
+      from = base_of(from)
+      cur = from
+      result = []
+      loop do
+        addr = find(pattern, cur, length, false)
+        break if addr.nil?
+        result << addr - from
+        cur = addr + @match_length
+      end
+      result
+    end
+
     private
 
     def need_permission
@@ -151,15 +186,20 @@ module HeapInfo
     end
 
     def find_integer(value, from, length)
+      @match_length = size_t
       find_string([value].pack(size_t == 4 ? 'L*' : 'Q*'), from, length)
     end
 
     def find_string(string, from, length)
+      @match_length = string.size
       batch_dumper(from, length) { |str| str.index(string) }
     end
 
     def find_regexp(pattern, from, length)
-      batch_dumper(from, length) { |str| str =~ pattern }
+      batch_dumper(from, length) do |str|
+        str.match(pattern).tap { |m| @match_length = m[0].size if m }
+        str =~ pattern
+      end
     end
 
     def batch_dumper(from, remain_size)

data/lib/heapinfo/ext/string.rb

@@ -1,3 +1,6 @@
+require 'heapinfo/chunk'
+require 'heapinfo/chunks'
+
 module HeapInfo
   # Define extensions of naive objects.
   module Ext
@@ -36,4 +39,4 @@ module HeapInfo
   end
 end
 
-::String.send(:include, HeapInfo::Ext::String::InstanceMethods)
+::String.__send__(:include, HeapInfo::Ext::String::InstanceMethods)

data/lib/heapinfo/helper.rb

@@ -1,6 +1,7 @@
 require 'dentaku'
 require 'shellwords'
 require 'time'
+require 'tmpdir'
 
 module HeapInfo
   # Some helper functions.
@@ -151,9 +152,6 @@ module HeapInfo
       def evaluate(formula, store: {})
         calc = Dentaku::Calculator.new
         formula = formula.delete(':')
-        formula.gsub!(/0x[\da-z]+/) do |s|
-          s.to_i(16).to_s
-        end
         calc.store(store).evaluate(formula)
       end
 

data/lib/heapinfo/libc.rb

@@ -1,3 +1,13 @@
+require 'fileutils'
+require 'json'
+
+require 'heapinfo/arena'
+require 'heapinfo/cache'
+require 'heapinfo/glibc/glibc'
+require 'heapinfo/helper'
+require 'heapinfo/segment'
+require 'heapinfo/tcache'
+
 module HeapInfo
   # Record libc's base, name, and offsets.
   class Libc < Segment
@@ -7,15 +17,12 @@ module HeapInfo
     # @param [Mixed] args See {HeapInfo::Segment#initialize} for more information.
     def initialize(*args)
       super
-      @offset = {}
     end
 
     # Get the offset of +main_arena+ in libc.
     # @return [Integer]
     def main_arena_offset
-      return @offset[:main_arena] if @offset[:main_arena]
-      return nil unless exhaust_search :main_arena
-      @offset[:main_arena]
+      info['main_arena_offset']
     end
 
     # Get the +main_arena+ of libc.
@@ -27,50 +34,69 @@ module HeapInfo
       @main_arena = Arena.new(off + base, size_t, dumper)
     end
 
+    # Does this glibc support tcache?
+    #
+    # @return [Boolean]
+    #   +true+ or +false+.
+    def tcache?
+      info['tcache_enable']
+    end
+
+    # The tcache object.
+    #
+    # @return [HeapInfo::Tcache?]
+    #   Returns +nil+ if this libc doesn't support tcache.
+    def tcache
+      return unless tcache?
+      @tcache ||= Tcache.new(tcache_base, size_t, dumper)
+    end
+
     # @param [Array] maps See {HeapInfo::Segment#find} for more information.
     # @param [String] name See {HeapInfo::Segment#find} for more information.
-    # @param [Integer] bits Either 64 or 32.
-    # @param [String] ld_name The loader's realpath, will be used for running subprocesses.
-    # @param [Proc] dumper The memory dumper for fetch more information.
+    #
+    # @option options [Integer] bits Either 64 or 32.
+    # @option options [String] ld_name The loader's realpath, will be used for running subprocesses.
+    # @option options [Proc] dumper The memory dumper for fetch more information.
+    # @option options [Proc] method_heap Method for getting heap segment.
+    #
     # @return [HeapInfo::Libc] libc segment found in maps.
-    def self.find(maps, name, bits, ld_name, dumper)
-      obj = super(maps, name)
-      obj.size_t = bits / 8
-      obj.send(:ld_name=, ld_name)
-      obj.send(:dumper=, dumper)
-      obj
+    def self.find(maps, name, **options)
+      super(maps, name).tap do |obj|
+        obj.size_t = options[:bits] / 8
+        %i[ld_name dumper method_heap].each do |sym|
+          obj.__send__("#{sym}=", options[sym])
+        end
+      end
     end
 
     private
 
-    attr_accessor :ld_name
-    # only for searching offset of main_arena now
-    def exhaust_search(symbol)
-      return false if symbol != :main_arena
-      read_main_arena_offset
-      true
+    attr_accessor :ld_name, :method_heap
+    # Get libc's info.
+    def info
+      return @info if @info
+      # Try to fetch from cache first.
+      key = HeapInfo::Cache.key_libc_info(name)
+      @info = HeapInfo::Cache.read(key)
+      @info ||= execute_libc_info.tap { |i| HeapInfo::Cache.write(key, i) }
     end
 
-    def read_main_arena_offset
-      key = HeapInfo::Cache.key_libc_offset(name)
-      @offset = HeapInfo::Cache.read(key) || {}
-      return @offset[:main_arena] if @offset.key?(:main_arena)
-      @offset[:main_arena] = resolve_main_arena_offset
-      HeapInfo::Cache.write(key, @offset)
-    end
-
-    def resolve_main_arena_offset
+    def execute_libc_info
       dir = HeapInfo::Helper.tempfile('')
       FileUtils.mkdir(dir)
-      tmp_elf = File.join(dir, 'get_arena')
+      tmp_elf = File.join(dir, 'libc_info')
       libc_file = File.join(dir, 'libc.so.6')
       ld_file = File.join(dir, 'ld.so')
       flags = "-w #{size_t == 4 ? '-m32' : ''}"
-      `cp #{name} #{libc_file} && \
+      JSON.parse(`cp #{name} #{libc_file} && \
          cp #{ld_name} #{ld_file} && \
-         gcc #{flags} #{File.expand_path('../tools/get_arena.c', __FILE__)} -o #{tmp_elf} 2>&1 > /dev/null && \
+         gcc #{flags} #{File.expand_path('tools/libc_info.c', __dir__)} -o #{tmp_elf} 2>&1 > /dev/null && \
          #{ld_file} --library-path #{dir} #{tmp_elf} && \
-         rm -fr #{dir}`.to_i(16)
+         rm -fr #{dir}`)
+    end
+
+    def tcache_base
+      method_heap.call.base + 2 * size_t
     end
   end
 end

data/lib/heapinfo/nil.rb

@@ -5,7 +5,7 @@ module HeapInfo
   # to prevent use the return value for calculating accidentally while exploiting remote.
   class Nil
     %i[nil? inspect to_s].each do |method_sym|
-      define_method(method_sym) { |*args, &block| nil.send(method_sym, *args, &block) }
+      define_method(method_sym) { |*args, &block| nil.__send__(method_sym, *args, &block) }
     end
 
     # Hook all missing methods
@@ -15,7 +15,7 @@ module HeapInfo
     #   p h.dump(:heap)[8, 8].unpack('Q*')
     #   #=> nil
     def method_missing(method_sym, *args, &block)
-      return nil.send(method_sym, *args, &block) if nil.respond_to?(method_sym)
+      return nil.__send__(method_sym, *args, &block) if nil.respond_to?(method_sym)
       self || super
     end
 

data/lib/heapinfo/process.rb

@@ -1,5 +1,10 @@
 # encoding: ascii-8bit
 
+require 'heapinfo/dumper'
+require 'heapinfo/helper'
+require 'heapinfo/nil'
+require 'heapinfo/process_info'
+
 module HeapInfo
   # Main class of heapinfo.
   class Process
@@ -110,15 +115,14 @@ module HeapInfo
     #   #=> 0x9637a0 after :heap
     def offset(addr, sym = nil)
       return unless load?
-      segment = @info.send(sym) if HeapInfo::ProcessInfo::EXPORT.include?(sym)
-      segment = nil unless segment.is_a?(HeapInfo::Segment)
+      segment = @info.to_segment(sym)
       if segment.nil?
         sym, segment = @info.segments
                             .select { |_, seg| seg.base <= addr }
                             .min_by { |_, seg| addr - seg }
       end
-      return puts "Invalid address #{Helper.hex(addr)}" if segment.nil?
-      puts Helper.color(Helper.hex(addr - segment)) + ' after ' + Helper.color(sym, sev: :sym)
+      return $stdout.puts "Invalid address #{Helper.hex(addr)}" if segment.nil?
+      $stdout.puts Helper.color(Helper.hex(addr - segment)) + ' after ' + Helper.color(sym, sev: :sym)
     end
     alias off offset
 
@@ -147,6 +151,19 @@ module HeapInfo
       dumper.x(count, address)
     end
 
+    # Gdb-like command
+    #
+    # Dump a string until reach the null-byte.
+    # @param [String, Symbol, Integer] address The base address to be dumped.
+    #   See {#dump}.
+    #
+    # @return [String]
+    #   The string *without* null-byte.
+    def s(address)
+      return Nil.new unless load?
+      dumper.cstring(address)
+    end
+
     # Gdb-like command.
     #
     # Search a specific value/string/regexp in memory.
@@ -176,23 +193,51 @@ module HeapInfo
       return Nil.new unless load?
       dumper.find(pattern, from, length, rel)
     end
-
-    # +search+ is more intutive to me
     alias search find
 
-    # Pretty dump of bins layouts.
+    # Find pattern in all segments with pretty output.
+    #
+    # @param [Integer, String, Regexp] pattern
+    #   The desired search pattern, can be value(+Integer+), string, or regular expression.
+    # @param [Symbol, Array<Symbol>] segment
+    #   Only find pattern in these symbols.
+    #
+    # @return [void]
+    def find_all(pattern, segment = :all)
+      return Nil.new unless load?
+      segments = segment == :all ? %i[elf heap libc ld stack] : Array(segment)
+      result = findall_raw(pattern, segments).reject { |(_, _, ary)| ary.empty? }
+      target = pattern.is_a?(Integer) ? Helper.hex(pattern) : pattern.inspect
+      str = ["Searching #{Helper.color(target)}:\n"]
+      str.concat(result.map do |(sym, base, ary)|
+        "In #{Helper.color(sym, sev: :bin)} (#{Helper.color(Helper.hex(base))}):\n" +
+        ary.map { |v| "  #{Helper.color(sym, sev: :bin)}+#{Helper.color(Helper.hex(v))}\n" }.join
+      end)
+      $stdout.puts str
+    end
+    alias findall find_all
+
+    # Pretty dump of bins' layouts.
     #
     # The request layouts will output to +stdout+.
     # @param [Array<Symbol>] args Bin type(s) you want to see.
     # @return [void]
     # @example
     #   h.layouts(:fast, :unsorted, :small)
+    #   # ...
+    #   h.layouts(:tcache)
+    #   # ...
+    #   h.layouts(:all) # show all bin(s), includes tcache
     def layouts(*args)
       return unless load?
-      puts libc.main_arena.layouts(*args)
+      str = ''
+      str << libc.tcache.layouts if libc.tcache? && (%w[all tcache] & args.map(&:to_s)).any?
+      str << libc.main_arena.layouts(*args)
+      $stdout.puts str
     end
 
     # Show simple information of target process.
+    #
     # Contains program names, pid, and segments' info.
     #
     # @return [String]
@@ -257,7 +302,7 @@ module HeapInfo
 
     def clear_process
       ProcessInfo::EXPORT.each do |m|
-        self.class.send(:define_method, m) { Nil.new }
+        self.class.__send__(:define_method, m) { Nil.new }
       end
       false
     end
@@ -265,13 +310,21 @@ module HeapInfo
     def load_info! # :nodoc:
       @info = ProcessInfo.new(self)
       ProcessInfo::EXPORT.each do |m|
-        self.class.send(:define_method, m) { @info.send(m) }
+        self.class.__send__(:define_method, m) { @info.__send__(m) }
       end
       @dumper = Dumper.new(mem_filename) do |sym|
-        @info.send(sym) if @info.respond_to?(sym)
+        @info.__send__(sym) if @info.respond_to?(sym)
       end
     end
 
+    def findall_raw(pattern, segments)
+      segments.map do |sym|
+        seg = @info.to_segment(sym)
+        next unless seg
+        [sym, seg.base, dumper.scan(pattern, sym, :unlimited)]
+      end.compact
+    end
+
     def mem_filename
       "/proc/#{pid}/mem"
     end

data/lib/heapinfo/process_info.rb

@@ -1,5 +1,11 @@
 # encoding: ascii-8bit
 
+require 'stringio'
+
+require 'heapinfo/segment'
+require 'heapinfo/libc'
+require 'heapinfo/helper'
+
 module HeapInfo
   # For {Process} to record basic process information.
   #
@@ -42,7 +48,13 @@ module HeapInfo
       @auxv = parse_auxv(Helper.auxv_of(@pid))
       ld_seg = maps.find { |m| m[0] == @auxv[:ld_base] } # nil if static-linked elf
       @ld = ld_seg.nil? ? Nil.new : Segment.new(@auxv[:ld_base], ld_seg.last)
-      @libc = Libc.find(maps, match_maps(maps, options[:libc]), @bits, @ld.name, ->(*args) { process.dump(*args) })
+      @libc = Libc.find(
+        maps, match_maps(maps, options[:libc]),
+        bits: @bits,
+        ld_name: @ld.name,
+        dumper: ->(*args) { process.dump(*args) },
+        method_heap: method(:heap)
+      )
     end
 
     # Heap will not be mmapped if the process not use heap yet, so create a lazy loading method.
@@ -59,11 +71,22 @@ module HeapInfo
     # @return [Hash{Symbol => Segment}] The segments in hash format.
     def segments
       EXPORT.map do |sym|
-        seg = send(sym)
+        seg = __send__(sym)
         [sym, seg] if seg.is_a?(Segment)
       end.compact.to_h
     end
 
+    # Convert symbol to segment.
+    #
+    # @return [HeapInfo::Segment?]
+    #   The segment object.
+    def to_segment(sym)
+      return nil unless EXPORT.include?(sym)
+      seg = __send__(sym)
+      return nil unless seg.is_a?(Segment)
+      seg
+    end
+
     private
 
     def load_maps

data/lib/heapinfo/segment.rb

@@ -1,3 +1,6 @@
+require 'heapinfo/helper'
+require 'heapinfo/nil'
+
 module HeapInfo
   # Record the base address and name in maps
   class Segment

data/lib/heapinfo/tcache.rb

@@ -0,0 +1,55 @@
+require 'heapinfo/arena'
+
+module HeapInfo
+  # Fetch tcache structure and show its content.
+  class Tcache
+    # #define TCACHE_MAX_BINS 64
+    MAX_BINS = 64
+    # Instantiate a {HeapInfo::Tcache} object.
+    #
+    # @param [Integer] base Base address of +tcache+.
+    # @param [Integer] size_t Either 8 or 4.
+    # @param [Proc] dumper For dumping more data.
+    def initialize(base, size_t, dumper)
+      @base = base
+      @size_t = size_t
+      @dumper = dumper
+    end
+
+    # Pretty dump of tcache entries.
+    #
+    # @return [String] Tcache entries that wrapper with color codes.
+    def layouts
+      entries.map(&:inspect).join
+    end
+
+    private
+
+    def entries
+      Array.new(MAX_BINS) do |idx|
+        TcacheEntry.new(@size_t, @base + 64 + @size_t * idx, @dumper, head: true).tap { |f| f.index = idx }
+      end
+    end
+  end
+
+  # A tcache entry.
+  #
+  # Though this class inherited from {Chunk} ({Fastbin}), tcache entries are *not* chunks.
+  class TcacheEntry < Fastbin
+    # For pretty inspect.
+    #
+    # @return [String]
+    #   Empty string is returned if this entry contains nothing.
+    def inspect
+      return '' if fd_of(@base).zero? # empty
+      super
+    end
+
+    private
+
+    # Hack +fd_of+ method here then everything works.
+    def fd_of(ptr)
+      addr_of(ptr, 0)
+    end
+  end
+end

data/lib/heapinfo/tools/libc_info.c

@@ -0,0 +1,51 @@
+/*
+ @author: david942j
+ Getting libc's information, such as:
+ - main_arena offset
+ - is tcache enabled?
+ Sample Usage
+ > ./libc_info
+ > LD_LIBRARY_PATH=. ./libc_info
+ > ./ld-linux.so.2 --library-path . ./libc_info
+ */
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define SZ sizeof(size_t)
+#define PAGE_SIZE 0x1000
+
+void *search_head(size_t e) {
+  e = (e >> 12) << 12;
+  while(strncmp((void*)e, "\177ELF", 4)) e -= PAGE_SIZE;
+  return (void*) e;
+}
+
+void* main_arena_offset() {
+  void **p = (void**)malloc(SZ * 128 * 2); // a large chunk
+  void *z = malloc(SZ); // prevent p merge with top chunk
+  *p = z; // prevent compiler optimize
+  free(p); // now *p must be the pointer of the (chunk_ptr) unsorted bin
+  z = (void*)((*p) - (4 + 4 + SZ * 10)); // mutex+flags+fastbin[]
+  void* a = search_head((size_t)__builtin_return_address(1));
+  return (void*)(z - a);
+}
+
+int tcache_enable() {
+  void **p = malloc(SZ * 32); // smallbin size
+  *p = (void*) 0xdeadbeefu;
+  // if tcache is enabled, this free will put p into tcache_entry;
+  // otherwise, either merge with top_chunk or put into unsorted_bin
+  free(p);
+  if(*p == 0) return 1; // tcache_entry, fd set as zero
+  return 0;
+}
+
+int main(int argc, char **argv) {
+  printf("{" \
+  "\"main_arena_offset\": %u," \
+  "\"tcache_enable\": %s" \
+  "}\n", main_arena_offset(), tcache_enable() ? "true" : "false");
+  return 0;
+}

data/lib/heapinfo/version.rb

@@ -1,4 +1,4 @@
 module HeapInfo
   # Current gem version.
-  VERSION = '1.1.0'.freeze
+  VERSION = '1.2.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: heapinfo
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.0
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-01-08 00:00:00.000000000 Z
+date: 2018-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dentaku
@@ -16,84 +16,84 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '3'
 - !ruby/object:Gem::Dependency
-  name: codeclimate-test-reporter
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '12.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '12.3'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '3.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '3.7'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.7'
+        version: '0.54'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.7'
+        version: '0.54'
 - !ruby/object:Gem::Dependency
-  name: rubocop
+  name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.52'
+        version: 0.16.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.52'
+        version: 0.16.0
 - !ruby/object:Gem::Dependency
-  name: simplecov
+  name: yard
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.13.0
+        version: '0.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.13.0
+        version: '0.9'
 description: |
   Create an interactive memory info interface while pwn / exploiting.
   Useful for rubiers writing exploit scripts.
@@ -123,7 +123,8 @@ files:
 - lib/heapinfo/process.rb
 - lib/heapinfo/process_info.rb
 - lib/heapinfo/segment.rb
-- lib/heapinfo/tools/get_arena.c
+- lib/heapinfo/tcache.rb
+- lib/heapinfo/tools/libc_info.c
 - lib/heapinfo/version.rb
 homepage: https://github.com/david942j/heapinfo
 licenses:

data/lib/heapinfo/tools/get_arena.c

@@ -1,28 +0,0 @@
-/*
- @author: david942j
- use for get libc's main_arena offset
- Sample Usage
- > ./get_arena
- > LD_LIBRARY_PATH=. ./get_arena
- > ./ld-linux.so.2 --library-path . ./get_arena
- */
-#include <stdlib.h>
-#include <stdio.h>
-#include <stddef.h>
-#define SZ sizeof(size_t)
-#define PAGE_SIZE 0x1000
-void *search_head(size_t e) {
-  e = (e >> 12) << 12;
-  while(strncmp((void*)e, "\177ELF", 4)) e -= PAGE_SIZE;
-  return (void*) e;
-}
-int main() {
-  void **p = (void**)malloc(SZ*16); // small bin with chunk size SZ*18
-  void *z = malloc(SZ); // prevent p merge with top chunk
-  *p = z; // prevent compiler optimize
-  free(p); // now *p must be the pointer of the (chunk_ptr) unsorted bin
-  z = (void*)((*p) - (4 + 4 + SZ * 10 )); // mutex+flags+fastbin[]
-  void* a = search_head((size_t)__builtin_return_address(0));
-  printf("%p\n", z-a);
-  return 0;
-}