From a4d13c9b817a6a1ab45550d2dbbf20aad75dc901 Mon Sep 17 00:00:00 2001
From: Gregoire Lodi
Date: Sun, 7 May 2017 20:44:19 +0200
Subject: [PATCH 1/4] heap command
---
 lib/utils.py | 10 ++++++++++
 peda.py | 42 +++++++++++++++++++++++++++++++++++++++---
 2 files changed, 49 insertions(+), 3 deletions(-)
diff --git a/lib/utils.py b/lib/utils.py
index 62a4558..44788c0 100644
--- a/lib/utils.py
+++ b/lib/utils.py
@@ -244,6 +244,16 @@ def trim(docstring):
 # Return a single string:
 return '\n'.join(trimmed)
+def less(text):
+ """
+ Pipe output into less
+ """
+ from os import popen
+
+ pipe = popen("less -R", "w")
+ pipe.write(text)
+ pipe.close()
+
 def pager(text, pagesize=None):
 """
 Paging output, mimic external command less/more
diff --git a/peda.py b/peda.py
index 0215410..3dd1b6e 100644
--- a/peda.py
+++ b/peda.py
@@ -3146,6 +3146,30 @@ def help(self, *arg):
 return
 help.options = commands
+
+ def heap(self, *arg):
+ """
+ Prints the program's heap
+ Usage:
+ MYNAME
+ """
+
+ heap = peda.get_vmmap("[heap]")
+ if len(heap) != 1:
+ msg("No heap found.")
+ return
+
+ start = heap[0][0]
+ stop = heap[0][1]
+
+ msg("Heap goes from 0x%s to 0x%s." % (start, stop))
+ heap = peda.dumpmem(start, stop)
+
+ count = stop - start
+ self.hexdump(start, count, skip_zeroes=True)
+
+ return
+
 def pyhelp(self, *arg):
 """
 Wrapper for python built-in help
@@ -3357,7 +3381,7 @@ def hexprint(self, *arg):
 return
- def hexdump(self, *arg):
+ def hexdump(self, *arg, skip_zeroes=False):
 """
 Display hex/ascii dump of data in memory
 Usage:
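Review bot: `less()` discards every failure of the pager: the exit status returned by `pipe.close()` is dropped, and when no `less` binary is on PATH the `sh -c` child exits immediately, so `pipe.write(text)` dies with a broken-pipe IOError instead of a readable message. The `popen("less -R", "w")` string also goes through a shell for a fixed two-word command, which buys nothing here. Spawning it directly keeps the status visible: `proc = subprocess.Popen(["less", "-R"], stdin=subprocess.PIPE, universal_newlines=True)`, `proc.communicate(text)`, then report a non-zero `proc.returncode` (for instance through `warning_msg`) instead of silently losing the dump.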
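Review bot: `msg("Heap goes from 0x%s to 0x%s." % (start, stop))` prints the integer bounds in decimal behind a `0x` prefix; use `0x%x` or the `to_address` helper that hexdump already relies on. The next line, `heap = peda.dumpmem(start, stop)`, reads the whole region and then throws the result away, since `self.hexdump` fetches the memory itself — drop it so a large heap is not read twice. Whether `self.hexdump(start, count, skip_zeroes=True)` works with int arguments is not visible here; the command normally receives its arguments as strings from the gdb command line, so the call is worth confirming against hexdump's argument parsing.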
@@ -3389,14 +3413,26 @@ def ascii_char(ch):
 linelen = 16 # display 16-bytes per line
 i = 0
 text = ""
+ toggle = 0
 while bytes_:
 buf = bytes_[:linelen]
 hexbytes = " ".join(["%02x" % ord(c) for c in bytes_iterator(buf)])
 asciibytes = "".join([ascii_char(c) for c in bytes_iterator(buf)])
- text += '%s : %s %s\n' % (blue(to_address(address+i*linelen)), hexbytes.ljust(linelen*3), asciibytes)
+
+ if skip_zeroes:
+ if asciibytes != "." * 16:
+ text += '%s : %s %s\n' % (blue(to_address(address+i*linelen)), hexbytes.ljust(linelen*3), asciibytes)
+ toggle = 1
+ elif toggle:
+ text += "*\n"
+ toggle = 0
+ else:
+ text += '%s : %s %s\n' % (blue(to_address(address+i*linelen)), hexbytes.ljust(linelen*3), asciibytes)
+
 bytes_ = bytes_[linelen:]
 i += 1
- pager(text)
+
+ less(text)
 return
From df53429948c651fd1d8c64f663048b7f1152f675 Mon Sep 17 00:00:00 2001
From: Gregoire Lodi
Date: Sun, 7 May 2017 20:48:45 +0200
Subject: [PATCH 2/4] hexbytes instead of asciibytes
---
 peda.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/peda.py b/peda.py
index 3dd1b6e..3fe8644 100644
--- a/peda.py
+++ b/peda.py
@@ -3420,7 +3420,7 @@ def ascii_char(ch):
 asciibytes = "".join([ascii_char(c) for c in bytes_iterator(buf)])
 if skip_zeroes:
- if asciibytes != "." * 16:
+ if hexbytes != "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00":
 text += '%s : %s %s\n' % (blue(to_address(address+i*linelen)), hexbytes.ljust(linelen*3), asciibytes)
 toggle = 1
 elif toggle:
From 3a186ff78b6780d3840246bc3186c6cfb565f492 Mon Sep 17 00:00:00 2001
From: Gregoire Lodi
Date: Sun, 7 May 2017 21:06:53 +0200
Subject: [PATCH 3/4] hexdump a bit better
---
 peda.py | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/peda.py b/peda.py
index 3fe8644..3c321c0 100644
--- a/peda.py
+++ b/peda.py
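Review bot: swapping `pager(text)` for `less(text)` after the loop changes how every hexdump caller gets its output, not only the new heap command: the in-process pager needed no external binary and works when gdb's stdout is not a terminal (scripts, logged sessions), whereas `less -R` requires an interactive tty and a `less` on PATH, and with the `less()` helper as written a missing binary surfaces as a broken pipe. Keeping `pager(text)` as the default and piping to less only when stdout is a tty (`sys.stdout.isatty()`) or only for the heap command would preserve the old behaviour. The same unconditional `less(text)` call survives in the patch 3 hunk below. The `"." * 16` blank-line test is superseded by patches 2 and 3, so it is not raised here.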
@@ -3411,26 +3411,22 @@ def ascii_char(ch):
 warning_msg("cannot retrieve memory content")
 else:
 linelen = 16 # display 16-bytes per line
- i = 0
+ i = -1
 text = ""
- toggle = 0
+
 while bytes_:
 buf = bytes_[:linelen]
+ i += 1
+ bytes_ = bytes_[linelen:]
+
+ if skip_zeroes and list(buf) == [0] * 16:
+ if text[-2:] != "*\n": text += "*\n"
+ continue
+
 hexbytes = " ".join(["%02x" % ord(c) for c in bytes_iterator(buf)])
 asciibytes = "".join([ascii_char(c) for c in bytes_iterator(buf)])
- if skip_zeroes:
- if hexbytes != "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00":
- text += '%s : %s %s\n' % (blue(to_address(address+i*linelen)), hexbytes.ljust(linelen*3), asciibytes)
- toggle = 1
- elif toggle:
- text += "*\n"
- toggle = 0
- else:
- text += '%s : %s %s\n' % (blue(to_address(address+i*linelen)), hexbytes.ljust(linelen*3), asciibytes)
-
- bytes_ = bytes_[linelen:]
- i += 1
+ text += '%s : %s %s\n' % (blue(to_address(address+i*linelen)), hexbytes.ljust(linelen*3), asciibytes)
 less(text)
From 44f46ef8100d21d06e9c8b68ab7b59b63b29593d Mon Sep 17 00:00:00 2001
From: Gregoire Lodi
Date: Sun, 7 May 2017 21:08:33 +0200
Subject: [PATCH 4/4] updated readme
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 8878ab1..f8ac024 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,7 @@ PEDA - Python Exploit Development Assistance for GDB
 * `dumprop` -- Dump all ROP gadgets in specific memory range
 * `elfheader` -- Get headers information from debugged ELF file
 * `elfsymbol` -- Get non-debugging symbol information from an ELF file
+ * `heap` -- Print program's heap using less
 * `lookup` -- Search for all addresses/references to addresses which belong to a memory range
 * `patch` -- Patch memory start at an address with string/hexstring/int
 * `pattern` -- Generate, search, or write a cyclic pattern to memory
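Review bot: `list(buf) == [0] * 16` is true only on Python 3: on Python 2 `bytes_` is a `str`, so `list(buf)` yields one-character strings and the comparison never matches, silently disabling `skip_zeroes` even though the two lines below still go through `bytes_iterator`/`ord` for 2/3 compatibility. It also never collapses a trailing chunk shorter than 16 bytes. Checking the bytes the same way the dump line does handles both: `if skip_zeroes and not any(ord(c) for c in bytes_iterator(buf)):`. Separately, `if text[-2:] != "*\n": text += "*\n"` packs two statements onto one line; split it to match the rest of the function.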