probeleak
usage: probeleak [-h] [--max-distance MAX_DISTANCE] [--point-to POINT_TO]
                 [--max-ptrs MAX_PTRS] [--flags FLAGS]
                 [address] [count]
Pointer scan for possible offset leaks.
Positional arguments

| Positional Argument | Help |
| --- | --- |
| address | Leak memory address (default: $sp) |
| count | Leak size in bytes (default: 64) |
Optional arguments

| Short | Long | Help |
| --- | --- | --- |
| -h | --help | show this help message and exit |
| | --max-distance | Max acceptable distance between a memory page boundary and a leaked pointer (default: 0) |
| | --point-to | Mapping name of the page that you want the pointers to point to |
| | --max-ptrs | Stop the search after finding n pointers (default: 0) |
| | --flags | Flags of the page that you want the pointers to point to, e.g. rwx |
Examples
> probeleak $rsp 0x64
Leaks 0x64 bytes starting at the stack pointer and searches them for valid pointers.
> probeleak $rsp 0x64 --max-dist 0x10
As above, but a pointer may also land up to 0x10 bytes outside a memory page and still count as valid.
> probeleak $rsp 0x64 --point-to libc --max-ptrs 1 --flags rwx
Leaks 0x64 bytes starting at the stack pointer and searches for a single valid pointer
that points into a libc page mapped rwx.
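The scan the command performs, as an added stand-alone Python illustration (not pwndbg's own implementation): it walks a leaked buffer word by word, keeps every value that lands inside a known mapping (or within `--max-distance` bytes of one), and applies the `--point-to`, `--flags` and `--max-ptrs` filters. It assumes a 64-bit little-endian target, word-aligned scanning, substring matching of the mapping name, and an exact flags match; the pages and leak bytes are constructed.

```python
import struct
from dataclasses import dataclass

PTR_SIZE = 8  # assumption: 64-bit little-endian target, as in the $rsp examples


@dataclass
class Page:
    start: int   # inclusive
    end: int     # exclusive
    name: str    # mapping name, e.g. "libc.so.6" or "[stack]"
    flags: str   # permission flags, e.g. "rwx"


def find_page(addr, pages, max_distance=0):
    """Return the page that addr lies in, or within max_distance bytes of."""
    for p in pages:
        if p.start - max_distance <= addr < p.end + max_distance:
            return p
    return None


def probeleak(data, base, pages, max_distance=0, point_to=None,
              max_ptrs=0, flags=None, stride=PTR_SIZE):
    """Scan a leak of `data` bytes that starts at address `base`.
    Returns [(address_of_word, value, page_name)] for each pointer found."""
    hits = []
    for off in range(0, len(data) - PTR_SIZE + 1, stride):
        (val,) = struct.unpack_from("<Q", data, off)
        page = find_page(val, pages, max_distance)
        if page is None:
            continue                      # not a pointer into any mapping
        if point_to is not None and point_to not in page.name:
            continue                      # assumption: substring match on name
        if flags is not None and page.flags != flags:
            continue                      # assumption: exact flags match
        hits.append((base + off, val, page.name))
        if max_ptrs and len(hits) >= max_ptrs:
            break                         # --max-ptrs reached
    return hits


# Constructed memory map and leak; addresses are illustrative only.
PAGES = [
    Page(0x7FFC0000, 0x7FFD0000, "[stack]", "rw-"),
    Page(0x7F0000000000, 0x7F0000001000, "libc.so.6", "r-x"),
    Page(0x7F0000100000, 0x7F0000101000, "libc.so.6", "rwx"),
]
SAMPLE = struct.pack("<5Q", 0x7F0000000480, 0x4141414141414141,
                     0x7FFC8000, 0x7F0000001008, 0x7F0000100010)
```

The fourth word lies 8 bytes past the end of the libc r-x page, so it is reported only when `max_distance` is at least 8, mirroring the `--max-dist 0x10` example.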