RubyGems - metasm - Versions diffs - 1.0.1 → 1.0.2 - Mend

metasm 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (235) hide show

checksums.yaml +7 -0
data/.gitignore +1 -0
data/.hgtags +3 -0
data/Gemfile +1 -0
data/INSTALL +61 -0
data/LICENCE +458 -0
data/README +29 -21
data/Rakefile +10 -0
data/TODO +10 -12
data/doc/code_organisation.txt +2 -0
data/doc/core/DynLdr.txt +247 -0
data/doc/core/ExeFormat.txt +43 -0
data/doc/core/Expression.txt +220 -0
data/doc/core/GNUExports.txt +27 -0
data/doc/core/Ia32.txt +236 -0
data/doc/core/SerialStruct.txt +108 -0
data/doc/core/VirtualString.txt +145 -0
data/doc/core/WindowsExports.txt +61 -0
data/doc/core/index.txt +1 -0
data/doc/style.css +6 -3
data/doc/usage/debugger.txt +327 -0
data/doc/usage/index.txt +1 -0
data/doc/use_cases.txt +2 -2
data/metasm.gemspec +22 -0
data/{lib/metasm.rb → metasm.rb} +11 -3
data/{lib/metasm → metasm}/compile_c.rb +13 -7
data/metasm/cpu/arc.rb +8 -0
data/metasm/cpu/arc/decode.rb +425 -0
data/metasm/cpu/arc/main.rb +191 -0
data/metasm/cpu/arc/opcodes.rb +588 -0
data/{lib/metasm → metasm/cpu}/arm.rb +7 -5
data/{lib/metasm → metasm/cpu}/arm/debug.rb +2 -2
data/{lib/metasm → metasm/cpu}/arm/decode.rb +13 -12
data/{lib/metasm → metasm/cpu}/arm/encode.rb +23 -8
data/{lib/metasm → metasm/cpu}/arm/main.rb +0 -3
data/metasm/cpu/arm/opcodes.rb +324 -0
data/{lib/metasm → metasm/cpu}/arm/parse.rb +25 -13
data/{lib/metasm → metasm/cpu}/arm/render.rb +2 -2
data/metasm/cpu/arm64.rb +15 -0
data/metasm/cpu/arm64/debug.rb +38 -0
data/metasm/cpu/arm64/decode.rb +289 -0
data/metasm/cpu/arm64/encode.rb +41 -0
data/metasm/cpu/arm64/main.rb +105 -0
data/metasm/cpu/arm64/opcodes.rb +232 -0
data/metasm/cpu/arm64/parse.rb +20 -0
data/metasm/cpu/arm64/render.rb +95 -0
data/{lib/metasm/ppc.rb → metasm/cpu/bpf.rb} +2 -4
data/metasm/cpu/bpf/decode.rb +142 -0
data/metasm/cpu/bpf/main.rb +60 -0
data/metasm/cpu/bpf/opcodes.rb +81 -0
data/metasm/cpu/bpf/render.rb +41 -0
data/metasm/cpu/cy16.rb +9 -0
data/metasm/cpu/cy16/decode.rb +253 -0
data/metasm/cpu/cy16/main.rb +63 -0
data/metasm/cpu/cy16/opcodes.rb +78 -0
data/metasm/cpu/cy16/render.rb +41 -0
data/metasm/cpu/dalvik.rb +11 -0
data/{lib/metasm → metasm/cpu}/dalvik/decode.rb +35 -13
data/{lib/metasm → metasm/cpu}/dalvik/main.rb +51 -2
data/{lib/metasm → metasm/cpu}/dalvik/opcodes.rb +19 -11
data/metasm/cpu/ia32.rb +17 -0
data/{lib/metasm → metasm/cpu}/ia32/compile_c.rb +5 -7
data/{lib/metasm → metasm/cpu}/ia32/debug.rb +5 -5
data/{lib/metasm → metasm/cpu}/ia32/decode.rb +246 -59
data/{lib/metasm → metasm/cpu}/ia32/decompile.rb +7 -7
data/{lib/metasm → metasm/cpu}/ia32/encode.rb +19 -13
data/{lib/metasm → metasm/cpu}/ia32/main.rb +51 -8
data/metasm/cpu/ia32/opcodes.rb +1424 -0
data/{lib/metasm → metasm/cpu}/ia32/parse.rb +47 -16
data/{lib/metasm → metasm/cpu}/ia32/render.rb +31 -4
data/metasm/cpu/mips.rb +14 -0
data/{lib/metasm → metasm/cpu}/mips/compile_c.rb +1 -1
data/metasm/cpu/mips/debug.rb +42 -0
data/{lib/metasm → metasm/cpu}/mips/decode.rb +46 -16
data/{lib/metasm → metasm/cpu}/mips/encode.rb +4 -3
data/{lib/metasm → metasm/cpu}/mips/main.rb +11 -4
data/{lib/metasm → metasm/cpu}/mips/opcodes.rb +86 -17
data/{lib/metasm → metasm/cpu}/mips/parse.rb +1 -1
data/{lib/metasm → metasm/cpu}/mips/render.rb +1 -1
data/{lib/metasm/dalvik.rb → metasm/cpu/msp430.rb} +1 -1
data/metasm/cpu/msp430/decode.rb +247 -0
data/metasm/cpu/msp430/main.rb +62 -0
data/metasm/cpu/msp430/opcodes.rb +101 -0
data/{lib/metasm → metasm/cpu}/pic16c/decode.rb +6 -7
data/{lib/metasm → metasm/cpu}/pic16c/main.rb +0 -0
data/{lib/metasm → metasm/cpu}/pic16c/opcodes.rb +1 -1
data/{lib/metasm/mips.rb → metasm/cpu/ppc.rb} +4 -4
data/{lib/metasm → metasm/cpu}/ppc/decode.rb +18 -12
data/{lib/metasm → metasm/cpu}/ppc/decompile.rb +3 -3
data/{lib/metasm → metasm/cpu}/ppc/encode.rb +2 -2
data/{lib/metasm → metasm/cpu}/ppc/main.rb +17 -12
data/{lib/metasm → metasm/cpu}/ppc/opcodes.rb +11 -5
data/metasm/cpu/ppc/parse.rb +55 -0
data/metasm/cpu/python.rb +8 -0
data/metasm/cpu/python/decode.rb +136 -0
data/metasm/cpu/python/main.rb +36 -0
data/metasm/cpu/python/opcodes.rb +180 -0
data/{lib/metasm → metasm/cpu}/sh4.rb +1 -1
data/{lib/metasm → metasm/cpu}/sh4/decode.rb +48 -17
data/{lib/metasm → metasm/cpu}/sh4/main.rb +13 -4
data/{lib/metasm → metasm/cpu}/sh4/opcodes.rb +7 -8
data/metasm/cpu/x86_64.rb +15 -0
data/{lib/metasm → metasm/cpu}/x86_64/compile_c.rb +28 -17
data/{lib/metasm → metasm/cpu}/x86_64/debug.rb +4 -4
data/{lib/metasm → metasm/cpu}/x86_64/decode.rb +57 -15
data/{lib/metasm → metasm/cpu}/x86_64/encode.rb +55 -26
data/{lib/metasm → metasm/cpu}/x86_64/main.rb +14 -6
data/metasm/cpu/x86_64/opcodes.rb +136 -0
data/{lib/metasm → metasm/cpu}/x86_64/parse.rb +10 -2
data/metasm/cpu/x86_64/render.rb +35 -0
data/metasm/cpu/z80.rb +9 -0
data/metasm/cpu/z80/decode.rb +313 -0
data/metasm/cpu/z80/main.rb +67 -0
data/metasm/cpu/z80/opcodes.rb +224 -0
data/metasm/cpu/z80/render.rb +59 -0
data/{lib/metasm/os/main.rb → metasm/debug.rb} +160 -401
data/{lib/metasm → metasm}/decode.rb +35 -4
data/{lib/metasm → metasm}/decompile.rb +15 -16
data/{lib/metasm → metasm}/disassemble.rb +201 -45
data/{lib/metasm → metasm}/disassemble_api.rb +651 -87
data/{lib/metasm → metasm}/dynldr.rb +220 -133
data/{lib/metasm → metasm}/encode.rb +10 -1
data/{lib/metasm → metasm}/exe_format/a_out.rb +9 -6
data/{lib/metasm → metasm}/exe_format/autoexe.rb +1 -0
data/{lib/metasm → metasm}/exe_format/bflt.rb +57 -27
data/{lib/metasm → metasm}/exe_format/coff.rb +11 -3
data/{lib/metasm → metasm}/exe_format/coff_decode.rb +53 -20
data/{lib/metasm → metasm}/exe_format/coff_encode.rb +11 -13
data/{lib/metasm → metasm}/exe_format/dex.rb +13 -5
data/{lib/metasm → metasm}/exe_format/dol.rb +1 -0
data/{lib/metasm → metasm}/exe_format/elf.rb +93 -57
data/{lib/metasm → metasm}/exe_format/elf_decode.rb +143 -34
data/{lib/metasm → metasm}/exe_format/elf_encode.rb +122 -31
data/metasm/exe_format/gb.rb +65 -0
data/metasm/exe_format/javaclass.rb +424 -0
data/{lib/metasm → metasm}/exe_format/macho.rb +204 -16
data/{lib/metasm → metasm}/exe_format/main.rb +26 -3
data/{lib/metasm → metasm}/exe_format/mz.rb +1 -0
data/{lib/metasm → metasm}/exe_format/nds.rb +7 -4
data/{lib/metasm → metasm}/exe_format/pe.rb +71 -8
data/metasm/exe_format/pyc.rb +167 -0
data/{lib/metasm → metasm}/exe_format/serialstruct.rb +67 -14
data/{lib/metasm → metasm}/exe_format/shellcode.rb +7 -3
data/metasm/exe_format/shellcode_rwx.rb +114 -0
data/metasm/exe_format/swf.rb +205 -0
data/{lib/metasm → metasm}/exe_format/xcoff.rb +7 -7
data/metasm/exe_format/zip.rb +335 -0
data/metasm/gui.rb +13 -0
data/{lib/metasm → metasm}/gui/cstruct.rb +35 -41
data/{lib/metasm → metasm}/gui/dasm_coverage.rb +11 -11
data/{lib/metasm → metasm}/gui/dasm_decomp.rb +7 -20
data/{lib/metasm → metasm}/gui/dasm_funcgraph.rb +0 -0
data/metasm/gui/dasm_graph.rb +1695 -0
data/{lib/metasm → metasm}/gui/dasm_hex.rb +12 -8
data/{lib/metasm → metasm}/gui/dasm_listing.rb +43 -28
data/{lib/metasm → metasm}/gui/dasm_main.rb +310 -53
data/{lib/metasm → metasm}/gui/dasm_opcodes.rb +5 -19
data/{lib/metasm → metasm}/gui/debug.rb +93 -27
data/{lib/metasm → metasm}/gui/gtk.rb +162 -40
data/{lib/metasm → metasm}/gui/qt.rb +12 -2
data/{lib/metasm → metasm}/gui/win32.rb +179 -42
data/{lib/metasm → metasm}/gui/x11.rb +59 -59
data/{lib/metasm → metasm}/main.rb +389 -264
data/{lib/metasm/os/remote.rb → metasm/os/gdbremote.rb} +146 -54
data/{lib/metasm → metasm}/os/gnu_exports.rb +1 -1
data/{lib/metasm → metasm}/os/linux.rb +628 -151
data/metasm/os/main.rb +330 -0
data/{lib/metasm → metasm}/os/windows.rb +132 -42
data/{lib/metasm → metasm}/os/windows_exports.rb +141 -0
data/{lib/metasm → metasm}/parse.rb +26 -24
data/{lib/metasm → metasm}/parse_c.rb +221 -116
data/{lib/metasm → metasm}/preprocessor.rb +55 -40
data/{lib/metasm → metasm}/render.rb +14 -38
data/misc/hexdump.rb +2 -1
data/misc/lint.rb +58 -0
data/misc/txt2html.rb +9 -7
data/samples/bindiff.rb +3 -4
data/samples/dasm-plugins/bindiff.rb +15 -0
data/samples/dasm-plugins/bookmark.rb +133 -0
data/samples/dasm-plugins/c_constants.rb +57 -0
data/samples/dasm-plugins/colortheme_solarized.rb +125 -0
data/samples/dasm-plugins/cppobj_funcall.rb +60 -0
data/samples/dasm-plugins/dasm_all.rb +70 -0
data/samples/dasm-plugins/demangle_cpp.rb +31 -0
data/samples/dasm-plugins/deobfuscate.rb +251 -0
data/samples/dasm-plugins/dump_text.rb +35 -0
data/samples/dasm-plugins/export_graph_svg.rb +86 -0
data/samples/dasm-plugins/findgadget.rb +75 -0
data/samples/dasm-plugins/hl_opcode.rb +32 -0
data/samples/dasm-plugins/hotfix_gtk_dbg.rb +19 -0
data/samples/dasm-plugins/imm2off.rb +34 -0
data/samples/dasm-plugins/match_libsigs.rb +93 -0
data/samples/dasm-plugins/patch_file.rb +95 -0
data/samples/dasm-plugins/scanfuncstart.rb +36 -0
data/samples/dasm-plugins/scanxrefs.rb +26 -0
data/samples/dasm-plugins/selfmodify.rb +197 -0
data/samples/dasm-plugins/stringsxrefs.rb +28 -0
data/samples/dasmnavig.rb +1 -1
data/samples/dbg-apihook.rb +24 -9
data/samples/dbg-plugins/heapscan.rb +283 -0
data/samples/dbg-plugins/heapscan/compiled_heapscan_lin.c +155 -0
data/samples/dbg-plugins/heapscan/compiled_heapscan_win.c +128 -0
data/samples/dbg-plugins/heapscan/graphheap.rb +616 -0
data/samples/dbg-plugins/heapscan/heapscan.rb +709 -0
data/samples/dbg-plugins/heapscan/winheap.h +174 -0
data/samples/dbg-plugins/heapscan/winheap7.h +307 -0
data/samples/dbg-plugins/trace_func.rb +214 -0
data/samples/disassemble-gui.rb +35 -5
data/samples/disassemble.rb +31 -6
data/samples/dump_upx.rb +24 -12
data/samples/dynamic_ruby.rb +12 -3
data/samples/exeencode.rb +6 -5
data/samples/factorize-headers-peimports.rb +1 -1
data/samples/lindebug.rb +175 -381
data/samples/metasm-shell.rb +1 -2
data/samples/peldr.rb +2 -2
data/tests/all.rb +1 -1
data/tests/arc.rb +26 -0
data/tests/dynldr.rb +22 -4
data/tests/expression.rb +55 -0
data/tests/graph_layout.rb +285 -0
data/tests/ia32.rb +79 -26
data/tests/mips.rb +9 -2
data/tests/x86_64.rb +66 -18
metadata +330 -218
data/lib/metasm/arm/opcodes.rb +0 -177
data/lib/metasm/gui.rb +0 -23
data/lib/metasm/gui/dasm_graph.rb +0 -1354
data/lib/metasm/ia32.rb +0 -14
data/lib/metasm/ia32/opcodes.rb +0 -873
data/lib/metasm/ppc/parse.rb +0 -52
data/lib/metasm/x86_64.rb +0 -12
data/lib/metasm/x86_64/opcodes.rb +0 -118
data/samples/gdbclient.rb +0 -583
data/samples/rubstop.rb +0 -399

data/samples/dasm-plugins/stringsxrefs.rb ADDED

@@ -0,0 +1,28 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+# metasm dasm plugin
+# walks all disassembled instructions referencing an address
+# if this address points a C string, show that in the instruction comments
+# esp. useful after a disassemble_fast
+def stringsxrefs(maxsz = 32)
+	@decoded.each_value { |di|
+		next if not di.kind_of?(DecodedInstruction)
+		di.instruction.args.grep(Expression).each { |e|
+			if str = decode_strz(e) and str.length >= 4 and str =~ /^[\x20-\x7e]*$/
+				di.add_comment str[0, maxsz].inspect
+				add_xref(normalize(e), Xref.new(:r, di.address, 1))
+			end
+		}
+	}
+	nil
+end
+if gui
+	stringsxrefs
+	gui.gui_update
+end

data/samples/dasmnavig.rb CHANGED

@@ -115,7 +115,7 @@ class Viewer
 		$stdout.write Ansi::ClearScreen
 		begin
 			loop do
-				refresh if not s = IO.select([$stdin], nil, nil, 0)
+				refresh if not IO.select([$stdin], nil, nil, 0)
 				handle_key(Ansi.getkey)
 			end
 		ensure

data/samples/dbg-apihook.rb CHANGED

@@ -17,6 +17,8 @@
 require 'metasm'
 class ApiHook
+	attr_accessor :dbg
 	# rewrite this function to list the hooks you want
 	# return an array of hashes
 	def setup
@@ -33,19 +35,31 @@ class ApiHook
 			raise 'no such process' if not process
 			dbg = process.debugger
 		end
-		dbg.loadallsyms
 		@dbg = dbg
-		setup.each { |h| setup_hook(h) }
-		init_prerun if respond_to?(:init_prerun)	# allow subclass to do stuff before main loop
-		@dbg.run_forever
+		begin
+			setup.each { |h| setup_hook(h) }
+			init_prerun if respond_to?(:init_prerun)	# allow subclass to do stuff before main loop
+			@dbg.run_forever
+		rescue Interrupt
+			@dbg.detach #rescue nil
+		end
 	end
 	# setup one function hook
 	def setup_hook(h)
+		@las ||= false
+		if not h[:lib] and not @las
+			@dbg.loadallsyms
+			@las = false
+		elsif h[:lib]
+			# avoid loadallsyms if specified (regexp against pathname, not exported lib name)
+			@dbg.loadsyms(h[:lib])
+		end
 		pre  =  "pre_#{h[:hookname] || h[:function]}"
 		post = "post_#{h[:hookname] || h[:function]}"
-		@nargs = h[:nargs] || method(pre).arity if respond_to?(pre)
+		nargs = h[:nargs] || method(pre).arity if respond_to?(pre)
 		if target = h[:address]
 		elsif target = h[:rva]
@@ -56,7 +70,8 @@ class ApiHook
 			target = h[:function]
 		end
-		@dbg.bpx(target) {
+		@dbg.bpx(target, false, h[:condition]) {
+			@nargs = nargs
 			catch(:finish) {
 				@cur_abi = h[:abi]
 				@ret_longlong = h[:ret_longlong]
@@ -206,7 +221,8 @@ class MyHook < ApiHook
 		#patch_retval(42)
 		# finish messing with the args: fake the nrofbyteswritten
-		handle, pbuf, size, pwritten, overlap = arglistcopy
+		#handle, pbuf, size, pwritten, overlap = arglistcopy
+		size, pwritten = arglistcopy.values_at(2, 3)
 		written = @dbg.memory_read_int(pwritten)
 		if written == size
 			# if written everything, patch the value so that the program dont detect our intervention
@@ -217,8 +233,7 @@ class MyHook < ApiHook
 	end
 end
-# name says it all
-Metasm::WinOS.get_debug_privilege
+Metasm::OS.current.get_debug_privilege if Metasm::OS.current.respond_to? :get_debug_privilege
 # run our Hook engine on a running 'notepad' instance
 MyHook.new('notepad')

data/samples/dbg-plugins/heapscan.rb ADDED

@@ -0,0 +1,283 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+# metasm debugger plugin
+# adds some heap_* functions to interract with the target heap chunks
+# functions:
+#  heap_scan, scan for malloc chunks in the heaps and xrefs between them
+#  heap_scanstruct, scan for arrays/linkedlists in the chunk graph
+#  heap_chunk [addr], display a chunk
+#  heap_array [addr], display an array of chunks from their root
+#  heap_list [addr], display a linkedlist
+#  heap_strscan [str], scan the memory for a raw string, display chunks xrefs
+#  heap_snap, make a snapshot of the currently displayed structure, hilight fields change
+# use precompiled native version when available
+$heapscan_dir = File.join(File.dirname(plugin_filename).gsub('\\', '/'), 'heapscan')
+require File.join($heapscan_dir, 'heapscan')
+fname = case OS.current.shortname
+when 'linos'
+	'compiled_heapscan_lin'
+when 'winos'
+	case OS.current.version[0]
+	when 5; 'compiled_heapscan_win'
+	when 6; 'compiled_heapscan_win7'
+	end
+end
+fname = File.join($heapscan_dir, fname)
+if not File.exist?(fname + '.so') and File.exist?(fname + '.c')
+	puts "compiling native scanner..."
+	exe = DynLdr.host_exe.compile_c_file(DynLdr.host_cpu, fname + '.c')
+	DynLdr.compile_binary_module_hack(exe)
+	exe.encode_file(fname + '.so', :lib)
+end
+require fname if File.exist?(fname + '.so')
+def heapscan_time(s='')
+	@heapscan_time ||= nil
+	t = Time.now
+	log s + ' %.2fs' % (t-@heapscan_time) if @heapscan_time and s != ''
+	@heapscan_time = t
+	Gui.main_iter if gui
+end
+def heap; @heap ; end
+def heap=(h) ; @heap = h ; end
+def heapscan_scan(xr=true)
+	heaps = []
+	mmaps = []
+	libc = nil
+	pr = os_process
+	pr.mappings.each { |a, l, p, f|
+		case f.to_s
+		when /heap/
+			heaps << [a, l]
+		when /libc[^a-zA-Z]/
+			libc ||= a if p == 'r-xp'
+		when ''
+			mmaps << [a, l]
+		end
+	}
+	heapscan_time ''
+	@disassembler.parse_c ''
+	if pr and OS.current.name =~ /winos/i
+		if OS.current.version[0] == 5
+			@heap = WindowsHeap.new(self)
+			@heap.cp = @disassembler.c_parser
+			@heap.cp.parse_file File.join($heapscan_dir, 'winheap.h') unless @heap.cp.toplevel.struct['_HEAP']
+		else
+			@heap = Windows7Heap.new(self)
+			@heap.cp = @disassembler.c_parser
+			@heap.cp.parse_file File.join($heapscan_dir, 'winheap7.h') unless @heap.cp.toplevel.struct['_HEAP']
+		end
+		@heap.heaps = heaps
+	else
+		@heap = LinuxHeap.new(self)
+		@heap.cp = @disassembler.c_parser
+		@heap.mmaps = mmaps
+		@heap.scan_libc(libc)
+		heapscan_time "libc!main_arena #{'%x' % @heap.main_arena_ptr}"
+	end
+	hsz = 0
+	(heaps + mmaps).each { |a, l|
+		hsz += l
+		@heap.range.update a => l
+	}
+	log "#{hsz/1024/1024}M heap"
+	@heap.scan_chunks
+	heapscan_time "#{@heap.chunks.length} chunks"
+	return if not xr
+	@heap.scan_chunks_xr
+	heapscan_time "#{@heap.xrchunksto.length} src, #{@heap.xrchunksfrom.length} dst"
+end
+def heapscan_structs
+	heapscan_time
+	@heap.bucketize
+	heapscan_time "#{@heap.buckets.length} buckets"
+	@heap.find_arrays
+	heapscan_time "#{@heap.allarrays.length} arrays (#{@heap.allarrays.flatten.length} elems)"
+	@heap.find_linkedlists
+	heapscan_time "#{@heap.alllists.length} lists (#{@heap.alllists.flatten.length} elems)"
+end
+def heapscan_kernels
+	heapscan_time
+	@heap.find_kernels
+	heapscan_time "#{@heap.kernels.length} kernels"
+end
+def heapscan_roots
+	heapscan_time
+	@heap.find_roots
+	heapscan_time "#{@heap.roots.length} roots"
+end
+def heapscan_graph
+	heapscan_time
+	@heap.dump_graph
+	heapscan_time 'graph.gv'
+end
+def gui_show_list(addr)
+	a = resolve(addr)
+	#@heap.cp.parse("struct ptr { void *ptr; };") if not @heap.cp.toplevel.struct['ptr']
+	h = @heap.linkedlists[a]
+	off = h.keys.first
+	lst = h[off]
+	if not st = lst.map { |l| @heap.chunk_struct[l] }.compact.first
+		st = Metasm::C::Struct.new
+		st.name = "list_#{'%x' % lst.first}"
+		st.members = []
+		(@heap.chunks[lst.first] / 4).times { |i|
+			n = "u#{i}"
+			t = Metasm::C::BaseType.new(:int)
+			if i == off/4
+				n = "next"
+				t = Metasm::C::Pointer.new(st)
+			end
+			st.members << Metasm::C::Variable.new(n, t)
+		}
+		@heap.cp.toplevel.struct[st.name] = st
+	end
+	lst.each { |l| @heap.chunk_struct[l] = st }
+	$ghw.addr_struct = {}
+	lst.each { |aa|
+		$ghw.addr_struct[aa] = @heap.cp.decode_c_struct(st.name, @memory, aa)
+	}
+	gui.parent_widget.mem.focus_addr(lst.first, :graphheap)
+end
+def gui_show_array(addr)
+	head = resolve(addr)
+	e = @heap.xrchunksto[head].to_a.find { |ee| @heap.arrays[ee] and @heap.arrays[ee][head] }
+	return if not e
+	lst = @heap.arrays[e][head]
+	if not st = @heap.chunk_struct[head]
+		st = Metasm::C::Struct.new
+		st.name = "array_#{'%x' % head}"
+		st.members = []
+		(@heap.chunks[head] / 4).times { |i|
+			n = "u#{i}"
+			v = @memory[head+4*i, 4].unpack('L').first
+			if @heap.chunks[v]
+				t = Metasm::C::Pointer.new(Metasm::C::BaseType.new(:void))
+			else
+				t = Metasm::C::BaseType.new(:int)
+			end
+			st.members << Metasm::C::Variable.new(n, t)
+		}
+		@heap.cp.toplevel.struct[st.name] ||= st
+	end
+	@heap.chunk_struct[head] = st
+	$ghw.addr_struct = { head => @heap.cp.decode_c_struct(st.name, @memory, head) }
+	if not st = lst.map { |l| @heap.chunk_struct[l] }.compact.first
+		e = lst.first
+		st = Metasm::C::Struct.new
+		st.name = "elem_#{'%x' % head}"
+		st.members = []
+		(@heap.chunks[e] / 4).times { |i|
+			n = "u#{i}"
+			v = @memory[e+4*i, 4].unpack('L').first
+			if @heap.chunks[v]
+				t = Metasm::C::Pointer.new(Metasm::C::BaseType.new(:void))
+			else
+				t = Metasm::C::BaseType.new(:int)
+			end
+			st.members << Metasm::C::Variable.new(n, t)
+		}
+		@heap.cp.toplevel.struct[st.name] ||= st
+	end
+	lst.each { |l| @heap.chunk_struct[l] = st }
+	lst.each { |aa|
+		$ghw.addr_struct[aa] = @heap.cp.decode_c_struct(st.name, @memory, aa)
+	}
+	gui.parent_widget.mem.focus_addr(head, :graphheap)
+end
+if gui
+	require File.join($heapscan_dir, 'graphheap')
+	$ghw = Metasm::Gui::GraphHeapWidget.new(@disassembler, gui.parent_widget.mem)
+	gui.parent_widget.mem.addview :graphheap, $ghw
+	$ghw.show if $ghw.respond_to?(:show)
+	gui.new_command('heap_scan', 'scan the heap(s)') { |*a| heapscan_scan ; $ghw.heap = @heap }
+	gui.new_command('heap_scan_noxr', 'scan the heap(s), no xrefs') { |*a| heapscan_scan(false) ; $ghw.heap = @heap }
+	gui.new_command('heap_scan_xronly', 'scan the heap(s) for xrefs') { |*a| $ghw.heap.scan_chunks_xr }
+	gui.new_command('heap_scanstructs', 'scan the heap for arrays/lists') { |*a| heapscan_structs }
+	gui.new_command('heap_list', 'show a linked list') { |a|
+		if a.to_s != ''
+			gui_show_list(a)
+		else
+			l = [['addr', 'len']]
+			@heap.alllists.each { |al|
+				l << [Expression[al.first], al.length]
+			}
+			gui.listwindow('lists', l) { |*aa| gui_show_list(aa[0][0]) }
+		end
+	}
+	gui.new_command('heap_array', 'show an array') { |a|
+		if a.to_s != ''
+			gui_show_array(a)
+		else
+			l = [['addr', 'len']]
+			@heap.allarrays.each { |al|
+				l << [Expression[al.first], al.length]
+			}
+			gui.listwindow('arrays', l) { |*aa| gui_show_array(aa[0][0]) }
+		end
+	}
+	gui.new_command('heap_chunk', 'show a chunk') { |a|
+		a = resolve(a)
+		gui.parent_widget.mem.focus_addr(a, :graphheap)
+		$ghw.do_focus_addr(a)
+	}
+	gui.new_command('heap_strscan', 'scan a string') { |a|
+		sa = pattern_scan(a)
+		log "found #{sa.length} strings : #{sa.map { |aa| Expression[aa] }.join(' ')}"
+		sa.each { |aa|
+			next if not ck = @heap.find_chunk(aa)
+			log "ptr #{Expression[aa]} in chunk #{Expression[ck]} (#{Expression[@heap.chunks[ck]]}) in list #{@heap.linkedlists && @heap.linkedlists[ck] && true} in array #{@heap.arrays[ck].map { |k, v| "#{Expression[k]} (#{v.length})" }.join(', ') if @heap.arrays and @heap.arrays[ck]}"
+		}
+	}
+	gui.new_command('heap_ptrscan', 'scan a pointer') { |a|
+		a = resolve(a)
+		if @heap.chunks[a]
+			pa = @heap.xrchunksfrom[a].to_a
+		else
+			pa = pattern_scan(Expression.encode_imm(a, @cpu.size/8, @cpu.endianness))
+		end
+		log "found #{pa.length} pointers : #{pa.map { |aa| Expression[aa] }.join(' ')}"
+		pa.each { |aa|
+			next if not ck = @heap.find_chunk(aa)
+			log "ptr @#{Expression[aa]} in chunk #{Expression[ck]} (#{Expression[@heap.chunks[ck]]}) in list #{@heap.linkedlists && @heap.linkedlists[ck] && true} in array #{@heap.arrays[ck].map { |k, v| "#{Expression[k]} (#{v.length})" }.join(', ') if @heap.arrays and @heap.arrays[ck]}"
+		}
+	}
+	gui.new_command('heap_snap', 'snapshot the current heap struct') { |a|
+		$ghw.snap
+	}
+	gui.new_command('heap_snap_add', 'snapshot, ignore fields changed between now and last snap') { |a|
+		$ghw.snap_add
+	}
+end

data/samples/dbg-plugins/heapscan/compiled_heapscan_lin.c ADDED

@@ -0,0 +1,155 @@
+#ifdef __ELF__
+asm .pt_gnu_stack rw;
+#endif
+typedef uintptr_t VALUE;
+static VALUE const_File;
+static VALUE const_LinuxHeap;
+VALUE rb_ary_new(void);
+VALUE rb_ary_push(VALUE, VALUE);
+extern VALUE *rb_cObject __attribute__((import));
+VALUE rb_const_get(VALUE, VALUE);
+void rb_define_method(VALUE, char*, VALUE(*)(), int);
+VALUE rb_funcall(VALUE recv, unsigned int id, int nargs, ...);
+VALUE rb_gv_get(const char*);
+VALUE rb_intern(char*);
+VALUE rb_ivar_get(VALUE, unsigned int);
+VALUE rb_iv_get(VALUE, char*);
+void *rb_method_node(VALUE, unsigned int);
+VALUE rb_obj_as_string(VALUE);
+VALUE rb_str_append(VALUE, VALUE);
+VALUE rb_str_cat2(VALUE, const char*);
+VALUE rb_str_new2(const char*);
+VALUE rb_hash_aset(VALUE, VALUE, VALUE);
+VALUE rb_hash_aref(VALUE, VALUE);
+VALUE rb_uint2inum(VALUE);
+VALUE rb_num2ulong(VALUE);
+char *rb_string_value_ptr(VALUE*);
+int printf(char*, ...);
+static VALUE heap_entry(void *heap, VALUE idx, VALUE psz)
+{
+	if (psz == 4)
+		return (VALUE)(((__int32*)heap)[idx]);
+	return (VALUE)(((__int64*)heap)[idx]);
+}
+static VALUE m_LinuxHeap23scan_heap(VALUE self, VALUE vbase, VALUE vlen, VALUE ar)
+{
+	VALUE *heap;
+	VALUE chunks;
+	VALUE base = rb_num2ulong(vbase);
+	VALUE len = vlen >> 1;
+	VALUE sz, clen;
+	VALUE page;
+	VALUE psz = rb_iv_get(self, "@ptsz") >> 1;
+	VALUE ptr = 0;
+	chunks = rb_iv_get(self, "@chunks");
+	page = rb_funcall(self, rb_intern("pagecache"), 2, vbase, vlen);
+	heap = rb_string_value_ptr(&page);
+	sz = heap_entry(heap, 1, psz);
+	if (heap_entry(heap, 0, psz) != 0 || (sz & 1) != 1)
+		return 4;
+	base += 8;
+	for (;;) {
+		clen = sz & -8;
+		ptr += clen/psz;
+		if (ptr >= len/psz || clen == 0)
+			break;
+		sz = heap_entry(heap, ptr+1, psz);
+		if (sz & 1)
+			rb_hash_aset(chunks, rb_uint2inum(base), ((clen-psz)<<1)|1);
+		base += clen;
+	}
+	rb_funcall(self, rb_intern("del_fastbin"), 1, ar);
+	return 4;
+}
+static VALUE m_LinuxHeap23scan_heap_xr(VALUE self, VALUE vbase, VALUE vlen)
+{
+	VALUE *heap;
+	VALUE chunks, xrchunksto, xrchunksfrom;
+	VALUE psz = rb_iv_get(self, "@ptsz") >> 1;
+	VALUE base = rb_num2ulong(vbase) + 2*psz;
+	VALUE len = vlen >> 1;
+	VALUE sz, clen;
+	VALUE page;
+	chunks = rb_iv_get(self, "@chunks");
+	xrchunksto = rb_iv_get(self, "@xrchunksto");
+	xrchunksfrom = rb_iv_get(self, "@xrchunksfrom");
+	page = rb_funcall(self, rb_intern("pagecache"), 2, vbase, vlen);
+	heap = rb_string_value_ptr(&page);
+	sz = heap_entry(heap, 1, psz);
+	if (heap_entry(heap, 0, psz) != 0 || (sz & 1) != 1)
+		return 4;
+	/* re-walk the heap, simpler than iterating over @chunks */
+	VALUE ptr = 0;
+	VALUE ptr0, ptrl;
+	for (;;) {
+		clen = sz & -8;
+		ptr0 = ptr+2;
+		ptrl = clen/psz-1;
+		ptr += clen/psz;
+		if (ptr >= len/psz || clen == 0)
+			break;
+		sz = heap_entry(heap, ptr+1, psz);
+		if ((sz & 1) &&
+		    ((rb_hash_aref(chunks, rb_uint2inum(base))|4) != 4)) {
+			VALUE tabto = 0;
+			VALUE tabfrom;
+			while (ptrl--) {
+				VALUE p = heap_entry(heap, ptr0++, psz);
+				//if (p == base)	// ignore self-references
+				//	continue;
+				if ((rb_hash_aref(chunks, rb_uint2inum(p))|4) != 4) {
+					if (!tabto) {
+						tabto = rb_ary_new();
+						rb_hash_aset(xrchunksto, rb_uint2inum(base), tabto);
+					}
+					rb_ary_push(tabto, rb_uint2inum(p));
+					tabfrom = rb_hash_aref(xrchunksfrom, rb_uint2inum(p));
+					if ((tabfrom|4) == 4) {
+						tabfrom = rb_ary_new();
+						rb_hash_aset(xrchunksfrom, rb_uint2inum(p), tabfrom);
+					}
+					rb_ary_push(tabfrom, rb_uint2inum(base));
+				}
+			}
+		}
+		base += clen;
+	}
+	return 4;
+}
+static void do_init_once(void)
+{
+	const_LinuxHeap = rb_const_get(*rb_cObject, rb_intern("Metasm"));
+	const_LinuxHeap = rb_const_get(const_LinuxHeap, rb_intern("LinuxHeap"));
+	rb_define_method(const_LinuxHeap, "scan_heap", m_LinuxHeap23scan_heap, 3);
+	rb_define_method(const_LinuxHeap, "scan_heap_xr", m_LinuxHeap23scan_heap_xr, 2);
+}
+int Init_compiled_heapscan_lin __attribute__((export))(void)
+{
+	do_init_once();
+	return 0;
+}