Skip to content

ptmalloc ¤

Classes:

Functions:

Attributes:

PREV_INUSE module-attribute ¤

PREV_INUSE = 1

IS_MMAPPED module-attribute ¤

IS_MMAPPED = 2

NON_MAIN_ARENA module-attribute ¤

NON_MAIN_ARENA = 4

SIZE_BITS module-attribute ¤

SIZE_BITS = PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA

NONCONTIGUOUS_BIT module-attribute ¤

NONCONTIGUOUS_BIT = 2

TheType module-attribute ¤

TheType = TypeVar('TheType', Type, Type[CStruct2GDB])

TheValue module-attribute ¤

TheValue = TypeVar('TheValue', Value, CStruct2GDB)

HEAP_MAX_SIZE module-attribute ¤

HEAP_MAX_SIZE: int = None

NBINS module-attribute ¤

NBINS = 128

BINMAPSIZE module-attribute ¤

BINMAPSIZE = 4

TCACHE_MAX_BINS module-attribute ¤

TCACHE_MAX_BINS = 64

NFASTBINS module-attribute ¤

NFASTBINS = 10

NSMALLBINS module-attribute ¤

NSMALLBINS = 64

BinType ¤

Bases: str, Enum

Methods:

Attributes:

TCACHE class-attribute instance-attribute ¤

TCACHE = 'tcachebins'

FAST class-attribute instance-attribute ¤

FAST = 'fastbins'

SMALL class-attribute instance-attribute ¤

SMALL = 'smallbins'

LARGE class-attribute instance-attribute ¤

LARGE = 'largebins'

UNSORTED class-attribute instance-attribute ¤

UNSORTED = 'unsortedbin'

NOT_IN_BIN class-attribute instance-attribute ¤

NOT_IN_BIN = 'not_in_bin'

valid_fields ¤

valid_fields() -> list[str]

Bin ¤

Bin(
    fd_chain: list[int],
    bk_chain: list[int] | None = None,
    count: int | None = None,
    is_corrupted: bool = False,
)

Methods:

Attributes:

fd_chain instance-attribute ¤

fd_chain = fd_chain

bk_chain instance-attribute ¤

bk_chain = bk_chain

count instance-attribute ¤

count = count

is_corrupted instance-attribute ¤

is_corrupted = is_corrupted

contains_chunk ¤

contains_chunk(chunk: int) -> bool

size_to_display_name staticmethod ¤

size_to_display_name(size: int | str) -> str

Bins ¤

Bins(bin_type: BinType)

Methods:

Attributes:

bins instance-attribute ¤

bins: OrderedDict[int | str, Bin] = OrderedDict()

bin_type instance-attribute ¤

bin_type = bin_type

contains_chunk ¤

contains_chunk(size: int, chunk: int)

ChunkField ¤

Bases: int, Enum

Attributes:

PREV_SIZE class-attribute instance-attribute ¤

PREV_SIZE = 1

SIZE class-attribute instance-attribute ¤

SIZE = 2

FD class-attribute instance-attribute ¤

FD = 3

BK class-attribute instance-attribute ¤

BK = 4

FD_NEXTSIZE class-attribute instance-attribute ¤

FD_NEXTSIZE = 5

BK_NEXTSIZE class-attribute instance-attribute ¤

BK_NEXTSIZE = 6

Chunk ¤

Chunk(addr: int, heap: Heap | None = None, arena: Arena | None = None)

Methods:

  • next_chunk
  • __contains__

    This allow us to avoid extra constructions like 'if start_addr <= ptr < end_addr', etc.

Attributes:

__slots__ class-attribute instance-attribute ¤

__slots__ = (
    "_gdbValue",
    "address",
    "_prev_size",
    "_size",
    "_real_size",
    "_flags",
    "_non_main_arena",
    "_is_mmapped",
    "_prev_inuse",
    "_fd",
    "_bk",
    "_fd_nextsize",
    "_bk_nextsize",
    "_heap",
    "_arena",
    "_is_top_chunk",
)

address instance-attribute ¤

address = int(address)

prev_size property ¤

prev_size: int | None

size property ¤

size: int | None

real_size property ¤

real_size: int | None

flags property ¤

flags: dict[str, bool] | None

non_main_arena property ¤

non_main_arena: bool | None

is_mmapped property ¤

is_mmapped: bool | None

prev_inuse property ¤

prev_inuse: bool | None

fd property ¤

fd

bk property ¤

bk

fd_nextsize property ¤

fd_nextsize

bk_nextsize property ¤

bk_nextsize

heap property ¤

heap: Heap

arena property ¤

arena: Arena | None

is_top_chunk property ¤

is_top_chunk

__match_renamed_field ¤

__match_renamed_field(field: str)

next_chunk ¤

next_chunk()

__contains__ ¤

__contains__(addr: int) -> bool

This allow us to avoid extra constructions like 'if start_addr <= ptr < end_addr', etc.

Heap ¤

Heap(addr: int, arena: Arena | None = None)

1) main_arena - uses the sbrk heap 2) non-main arena - heap starts after its heap_info struct (and possibly an arena) 3) non-contiguous main_arena - just a memory region 4) no arena - for fake/mmapped chunks

Methods:

Attributes:

__slots__ class-attribute instance-attribute ¤

__slots__ = (
    "_gdbValue",
    "arena",
    "_memory_region",
    "start",
    "end",
    "_prev",
    "first_chunk",
)

arena instance-attribute ¤

arena = main_arena if arena is None else arena

start instance-attribute ¤

start: int = start

end instance-attribute ¤

end: int = end

first_chunk instance-attribute ¤

first_chunk = Chunk(start)

prev property ¤

prev

__iter__ ¤

__iter__()

__contains__ ¤

__contains__(addr: int) -> bool

__str__ ¤

__str__() -> str

Arena ¤

Arena(addr: int)

Methods:

Attributes:

__slots__ class-attribute instance-attribute ¤

__slots__ = (
    "_gdbValue",
    "address",
    "_is_main_arena",
    "_top",
    "_active_heap",
    "_heaps",
    "_mutex",
    "_flags",
    "_non_contiguous",
    "_have_fastchunks",
    "_fastbinsY",
    "_bins",
    "_binmap",
    "_next",
    "_next_free",
    "_system_mem",
)

address instance-attribute ¤

address = int(address)

is_main_arena property ¤

is_main_arena: bool

mutex property ¤

mutex: int | None

flags property ¤

flags: int | None

non_contiguous property ¤

non_contiguous: bool | None

have_fastchunks property ¤

have_fastchunks: int | None

top property ¤

top: int | None

fastbinsY property ¤

fastbinsY: list[int]

bins property ¤

bins: list[int]

binmap property ¤

binmap: list[int]

next property ¤

next: int | None

next_free property ¤

next_free: int | None

system_mem property ¤

system_mem: int | None

active_heap property ¤

active_heap: Heap

heaps property ¤

heaps

fastbins ¤

fastbins() -> Bins

__str__ ¤

__str__() -> str

GlibcMemoryAllocator ¤

GlibcMemoryAllocator()

Bases: MemoryAllocator, Generic[TheType, TheValue]

Methods:

Attributes:

largebin_reverse_lookup_32 class-attribute instance-attribute ¤

largebin_reverse_lookup_32 = (
    512,
    576,
    640,
    704,
    768,
    832,
    896,
    960,
    1024,
    1088,
    1152,
    1216,
    1280,
    1344,
    1408,
    1472,
    1536,
    1600,
    1664,
    1728,
    1792,
    1856,
    1920,
    1984,
    2048,
    2112,
    2176,
    2240,
    2304,
    2368,
    2432,
    2496,
    2560,
    3072,
    3584,
    4096,
    4608,
    5120,
    5632,
    6144,
    6656,
    7168,
    7680,
    8192,
    8704,
    9216,
    9728,
    10240,
    10752,
    12288,
    16384,
    20480,
    24576,
    28672,
    32768,
    36864,
    40960,
    65536,
    98304,
    131072,
    163840,
    262144,
    524288,
)

largebin_reverse_lookup_32_big class-attribute instance-attribute ¤

largebin_reverse_lookup_32_big = (
    1008,
    1024,
    1088,
    1152,
    1216,
    1280,
    1344,
    1408,
    1472,
    1536,
    1600,
    1664,
    1728,
    1792,
    1856,
    1920,
    1984,
    2048,
    2112,
    2176,
    2240,
    2304,
    2368,
    2432,
    2496,
    2560,
    2624,
    2688,
    2752,
    2816,
    2880,
    2944,
    2944,
    3072,
    3584,
    4096,
    4608,
    5120,
    5632,
    6144,
    6656,
    7168,
    7680,
    8192,
    8704,
    9216,
    9728,
    10240,
    10752,
    12288,
    16384,
    20480,
    24576,
    28672,
    32768,
    36864,
    40960,
    65536,
    98304,
    131072,
    163840,
    262144,
    524288,
)

largebin_reverse_lookup_64 class-attribute instance-attribute ¤

largebin_reverse_lookup_64 = (
    1024,
    1088,
    1152,
    1216,
    1280,
    1344,
    1408,
    1472,
    1536,
    1600,
    1664,
    1728,
    1792,
    1856,
    1920,
    1984,
    2048,
    2112,
    2176,
    2240,
    2304,
    2368,
    2432,
    2496,
    2560,
    2624,
    2688,
    2752,
    2816,
    2880,
    2944,
    3008,
    3072,
    3136,
    3584,
    4096,
    4608,
    5120,
    5632,
    6144,
    6656,
    7168,
    7680,
    8192,
    8704,
    9216,
    9728,
    10240,
    10752,
    12288,
    16384,
    20480,
    24576,
    28672,
    32768,
    36864,
    40960,
    65536,
    98304,
    131072,
    163840,
    262144,
    524288,
)

main_arena property ¤

main_arena: Arena | None

arenas property ¤

arenas: tuple[Arena, ...]

Return a tuple of all current arenas.

thread_arena property ¤

thread_arena: Arena | None

thread_cache property ¤

thread_cache: TheValue | None

mp property ¤

mp: TheValue | None

global_max_fast property ¤

global_max_fast: int | None

heap_info property ¤

heap_info: TheType | None

malloc_chunk property ¤

malloc_chunk: TheType | None

malloc_state property ¤

malloc_state: TheType | None

tcache_perthread_struct property ¤

tcache_perthread_struct: TheType | None

tcache_entry property ¤

tcache_entry: TheType | None

mallinfo property ¤

mallinfo: TheType | None

malloc_par property ¤

malloc_par: TheType | None

malloc_alignment property ¤

malloc_alignment: int

Corresponds to MALLOC_ALIGNMENT in glibc malloc.c

size_sz property ¤

size_sz: int

Corresponds to SIZE_SZ in glibc malloc.c

malloc_align_mask property ¤

malloc_align_mask: int

Corresponds to MALLOC_ALIGN_MASK in glibc malloc.c

minsize property ¤

minsize: int

Corresponds to MINSIZE in glibc malloc.c

min_chunk_size property ¤

min_chunk_size: int

Corresponds to MIN_CHUNK_SIZE in glibc malloc.c

multithreaded property ¤

multithreaded: bool

Is malloc operating within a multithreaded environment.

tcache_next_offset property ¤

tcache_next_offset: int

largebin_reverse_lookup ¤

largebin_reverse_lookup(index: int) -> int

Pick the appropriate largebin_reverse_lookup_ function for this architecture.

largebin_size_range_from_index ¤

largebin_size_range_from_index(index: int)

can_be_resolved ¤

can_be_resolved() -> bool

has_tcache ¤

has_tcache() -> bool

chunk_flags ¤

chunk_flags(size: int) -> tuple[int, int, int]

chunk_key_offset ¤

chunk_key_offset(key: str) -> int | None

Find the index of a field in the malloc_chunk struct.

64bit example

prev_size == 0 size == 8 fd == 16 bk == 24 ...

get_heap ¤

get_heap(addr: int) -> TheValue | None

get_tcache ¤

get_tcache(tcache_addr: int | None = None) -> TheValue | None

get_sbrk_heap_region ¤

get_sbrk_heap_region() -> Page | None

get_region ¤

get_region(addr: int | Value | None) -> Page | None

Find the memory map containing 'addr'.

get_bins ¤

get_bins(bin_type: BinType, addr: int | None = None) -> Bins | None

fastbin_index ¤

fastbin_index(size: int)

fastbins ¤

fastbins(arena_addr: int | None = None) -> Bins | None

Returns: chain or None

tcachebins ¤

tcachebins(tcache_addr: int | None = None) -> Bins | None

Returns: tuple(chain, count) or None

check_chain_corrupted ¤

check_chain_corrupted(chain_fd: list[int], chain_bk: list[int]) -> bool

Checks if the doubly linked list (of a {unsorted, small, large} bin) defined by chain_fd, chain_bk is corrupted.

Even if the chains do not cover the whole bin, they still are expected to be of the same length.

Returns True if the bin is certainly corrupted, otherwise False.

bin_at ¤

bin_at(
    index: int, arena_addr: int | None = None
) -> tuple[list[int], list[int], bool] | None

Modeled after glibc's bin_at function - so starts indexing from 1 https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/eglibc/trusty-security/view/head:/malloc/malloc.c#L1394

bin_at(1) returns the unsorted bin

Bin 1 - Unsorted BiN Bin 2 to 63 - Smallbins Bin 64 to 126 - Largebins

Returns: tuple(chain_from_bin_fd, chain_from_bin_bk, is_chain_corrupted) or None

unsortedbin ¤

unsortedbin(arena_addr: int | None = None) -> Bins | None

smallbins ¤

smallbins(arena_addr: int | None = None) -> Bins | None

largebins ¤

largebins(arena_addr: int | None = None) -> Bins | None

largebin_index_32 ¤

largebin_index_32(sz: int) -> int

Modeled on the GLIBC malloc largebin_index_32 macro.

https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=f7cd29bc2f93e1082ee77800bd64a4b2a2897055;hb=9ea3686266dca3f004ba874745a4087a89682617#l1414

largebin_index_32_big ¤

largebin_index_32_big(sz: int) -> int

Modeled on the GLIBC malloc largebin_index_32_big macro.

https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=f7cd29bc2f93e1082ee77800bd64a4b2a2897055;hb=9ea3686266dca3f004ba874745a4087a89682617#l1422

largebin_index_64 ¤

largebin_index_64(sz: int) -> int

Modeled on the GLIBC malloc largebin_index_64 macro.

https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=f7cd29bc2f93e1082ee77800bd64a4b2a2897055;hb=9ea3686266dca3f004ba874745a4087a89682617#l1433

largebin_index ¤

largebin_index(sz: int)

Pick the appropriate largebin_index_ function for this architecture.

is_initialized ¤

is_initialized()

is_statically_linked ¤

is_statically_linked() -> bool

libc_has_debug_syms ¤

libc_has_debug_syms() -> bool

The struct malloc_chunk comes from debugging symbols and it will not be there for statically linked binaries

summarize ¤

summarize(address: int, **kwargs: Any) -> str

Returns a textual summary of the specified address.

Parameters:

  • address (int) –

    Address of the heap block to summarize.

Returns:

  • str

    A string.

containing ¤

containing(address: int) -> int

Returns the address of the allocation which contains 'address'.

Parameters:

  • address (int) –

    Address to look up.

Returns:

  • int

    An integer.

DebugSymsHeap ¤

DebugSymsHeap()

Bases: GlibcMemoryAllocator[Type, Value]

Methods:

Attributes:

main_arena property ¤

main_arena: Arena | None

thread_arena property ¤

thread_arena: Arena | None

thread_cache property ¤

thread_cache: Value | None

Locate a thread's tcache struct. If it doesn't have one, use the main thread's tcache.

mp property ¤

mp: Value | None

global_max_fast property ¤

global_max_fast: int | None

heap_info property ¤

heap_info: Type | None

malloc_chunk property ¤

malloc_chunk: Type | None

malloc_state property ¤

malloc_state: Type | None

tcache_perthread_struct property ¤

tcache_perthread_struct: Type | None

tcache_entry property ¤

tcache_entry: Type | None

mallinfo property ¤

mallinfo: Type | None

malloc_par property ¤

malloc_par: Type | None

largebin_reverse_lookup_32 class-attribute instance-attribute ¤

largebin_reverse_lookup_32 = (
    512,
    576,
    640,
    704,
    768,
    832,
    896,
    960,
    1024,
    1088,
    1152,
    1216,
    1280,
    1344,
    1408,
    1472,
    1536,
    1600,
    1664,
    1728,
    1792,
    1856,
    1920,
    1984,
    2048,
    2112,
    2176,
    2240,
    2304,
    2368,
    2432,
    2496,
    2560,
    3072,
    3584,
    4096,
    4608,
    5120,
    5632,
    6144,
    6656,
    7168,
    7680,
    8192,
    8704,
    9216,
    9728,
    10240,
    10752,
    12288,
    16384,
    20480,
    24576,
    28672,
    32768,
    36864,
    40960,
    65536,
    98304,
    131072,
    163840,
    262144,
    524288,
)

largebin_reverse_lookup_32_big class-attribute instance-attribute ¤

largebin_reverse_lookup_32_big = (
    1008,
    1024,
    1088,
    1152,
    1216,
    1280,
    1344,
    1408,
    1472,
    1536,
    1600,
    1664,
    1728,
    1792,
    1856,
    1920,
    1984,
    2048,
    2112,
    2176,
    2240,
    2304,
    2368,
    2432,
    2496,
    2560,
    2624,
    2688,
    2752,
    2816,
    2880,
    2944,
    2944,
    3072,
    3584,
    4096,
    4608,
    5120,
    5632,
    6144,
    6656,
    7168,
    7680,
    8192,
    8704,
    9216,
    9728,
    10240,
    10752,
    12288,
    16384,
    20480,
    24576,
    28672,
    32768,
    36864,
    40960,
    65536,
    98304,
    131072,
    163840,
    262144,
    524288,
)

largebin_reverse_lookup_64 class-attribute instance-attribute ¤

largebin_reverse_lookup_64 = (
    1024,
    1088,
    1152,
    1216,
    1280,
    1344,
    1408,
    1472,
    1536,
    1600,
    1664,
    1728,
    1792,
    1856,
    1920,
    1984,
    2048,
    2112,
    2176,
    2240,
    2304,
    2368,
    2432,
    2496,
    2560,
    2624,
    2688,
    2752,
    2816,
    2880,
    2944,
    3008,
    3072,
    3136,
    3584,
    4096,
    4608,
    5120,
    5632,
    6144,
    6656,
    7168,
    7680,
    8192,
    8704,
    9216,
    9728,
    10240,
    10752,
    12288,
    16384,
    20480,
    24576,
    28672,
    32768,
    36864,
    40960,
    65536,
    98304,
    131072,
    163840,
    262144,
    524288,
)

arenas property ¤

arenas: tuple[Arena, ...]

Return a tuple of all current arenas.

malloc_alignment property ¤

malloc_alignment: int

Corresponds to MALLOC_ALIGNMENT in glibc malloc.c

size_sz property ¤

size_sz: int

Corresponds to SIZE_SZ in glibc malloc.c

malloc_align_mask property ¤

malloc_align_mask: int

Corresponds to MALLOC_ALIGN_MASK in glibc malloc.c

minsize property ¤

minsize: int

Corresponds to MINSIZE in glibc malloc.c

min_chunk_size property ¤

min_chunk_size: int

Corresponds to MIN_CHUNK_SIZE in glibc malloc.c

multithreaded property ¤

multithreaded: bool

Is malloc operating within a multithreaded environment.

tcache_next_offset property ¤

tcache_next_offset: int

can_be_resolved ¤

can_be_resolved() -> bool

has_tcache ¤

has_tcache() -> bool

get_heap ¤

get_heap(addr: int) -> Value | None

Find & read the heap_info struct belonging to the chunk at 'addr'.

get_tcache ¤

get_tcache(tcache_addr: int | Value | None = None) -> Value | None

get_sbrk_heap_region ¤

get_sbrk_heap_region() -> Page | None

Return a Page object representing the sbrk heap region. Ensure the region's start address is aligned to SIZE_SZ * 2, which compensates for the presence of GLIBC_TUNABLES.

is_initialized ¤

is_initialized() -> bool

summarize ¤

summarize(address: int, **kwargs: Any) -> str

Returns a textual summary of the specified address.

Parameters:

  • address (int) –

    Address of the heap block to summarize.

Returns:

  • str

    A string.

containing ¤

containing(address: int) -> int

Returns the address of the allocation which contains 'address'.

Parameters:

  • address (int) –

    Address to look up.

Returns:

  • int

    An integer.

libc_has_debug_syms ¤

libc_has_debug_syms() -> bool

The struct malloc_chunk comes from debugging symbols and it will not be there for statically linked binaries

largebin_reverse_lookup ¤

largebin_reverse_lookup(index: int) -> int

Pick the appropriate largebin_reverse_lookup_ function for this architecture.

largebin_size_range_from_index ¤

largebin_size_range_from_index(index: int)

chunk_flags ¤

chunk_flags(size: int) -> tuple[int, int, int]

chunk_key_offset ¤

chunk_key_offset(key: str) -> int | None

Find the index of a field in the malloc_chunk struct.

64bit example

prev_size == 0 size == 8 fd == 16 bk == 24 ...

get_region ¤

get_region(addr: int | Value | None) -> Page | None

Find the memory map containing 'addr'.

get_bins ¤

get_bins(bin_type: BinType, addr: int | None = None) -> Bins | None

fastbin_index ¤

fastbin_index(size: int)

fastbins ¤

fastbins(arena_addr: int | None = None) -> Bins | None

Returns: chain or None

tcachebins ¤

tcachebins(tcache_addr: int | None = None) -> Bins | None

Returns: tuple(chain, count) or None

check_chain_corrupted ¤

check_chain_corrupted(chain_fd: list[int], chain_bk: list[int]) -> bool

Checks if the doubly linked list (of a {unsorted, small, large} bin) defined by chain_fd, chain_bk is corrupted.

Even if the chains do not cover the whole bin, they still are expected to be of the same length.

Returns True if the bin is certainly corrupted, otherwise False.

bin_at ¤

bin_at(
    index: int, arena_addr: int | None = None
) -> tuple[list[int], list[int], bool] | None

Modeled after glibc's bin_at function - so starts indexing from 1 https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/eglibc/trusty-security/view/head:/malloc/malloc.c#L1394

bin_at(1) returns the unsorted bin

Bin 1 - Unsorted BiN Bin 2 to 63 - Smallbins Bin 64 to 126 - Largebins

Returns: tuple(chain_from_bin_fd, chain_from_bin_bk, is_chain_corrupted) or None

unsortedbin ¤

unsortedbin(arena_addr: int | None = None) -> Bins | None

smallbins ¤

smallbins(arena_addr: int | None = None) -> Bins | None

largebins ¤

largebins(arena_addr: int | None = None) -> Bins | None

largebin_index_32 ¤

largebin_index_32(sz: int) -> int

Modeled on the GLIBC malloc largebin_index_32 macro.

https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=f7cd29bc2f93e1082ee77800bd64a4b2a2897055;hb=9ea3686266dca3f004ba874745a4087a89682617#l1414

largebin_index_32_big ¤

largebin_index_32_big(sz: int) -> int

Modeled on the GLIBC malloc largebin_index_32_big macro.

https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=f7cd29bc2f93e1082ee77800bd64a4b2a2897055;hb=9ea3686266dca3f004ba874745a4087a89682617#l1422

largebin_index_64 ¤

largebin_index_64(sz: int) -> int

Modeled on the GLIBC malloc largebin_index_64 macro.

https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=f7cd29bc2f93e1082ee77800bd64a4b2a2897055;hb=9ea3686266dca3f004ba874745a4087a89682617#l1433

largebin_index ¤

largebin_index(sz: int)

Pick the appropriate largebin_index_ function for this architecture.

is_statically_linked ¤

is_statically_linked() -> bool

SymbolUnresolvableError ¤

SymbolUnresolvableError(symbol: str)

Bases: Exception

Attributes:

symbol instance-attribute ¤

symbol = symbol

HeuristicHeap ¤

HeuristicHeap()

Bases: GlibcMemoryAllocator[Type['pwndbg.aglib.heap.structs.CStruct2GDB'], 'pwndbg.aglib.heap.structs.CStruct2GDB']

Methods:

Attributes:

struct_module property ¤

struct_module: ModuleType | None

main_arena property ¤

main_arena: Arena | None

thread_arena property ¤

thread_arena: Arena | None

thread_cache property ¤

thread_cache: 'pwndbg.aglib.heap.structs.TcachePerthreadStruct' | None

Locate a thread's tcache struct. We try to find its address in Thread Local Storage (TLS) first, and if that fails, we guess it's at the first chunk of the heap.

mp property ¤

mp: 'pwndbg.aglib.heap.structs.CStruct2GDB'

global_max_fast property ¤

global_max_fast: int

heap_info property ¤

heap_info: type['pwndbg.aglib.heap.structs.HeapInfo'] | None

malloc_chunk property ¤

malloc_chunk: type['pwndbg.aglib.heap.structs.MallocChunk'] | None

malloc_state property ¤

malloc_state: type['pwndbg.aglib.heap.structs.MallocState'] | None

tcache_perthread_struct property ¤

tcache_perthread_struct: (
    type["pwndbg.aglib.heap.structs.TcachePerthreadStruct"] | None
)

tcache_entry property ¤

tcache_entry: type['pwndbg.aglib.heap.structs.TcacheEntry'] | None

mallinfo property ¤

mallinfo: type['pwndbg.aglib.heap.structs.CStruct2GDB'] | None

malloc_par property ¤

malloc_par: type['pwndbg.aglib.heap.structs.MallocPar'] | None

largebin_reverse_lookup_32 class-attribute instance-attribute ¤

largebin_reverse_lookup_32 = (
    512,
    576,
    640,
    704,
    768,
    832,
    896,
    960,
    1024,
    1088,
    1152,
    1216,
    1280,
    1344,
    1408,
    1472,
    1536,
    1600,
    1664,
    1728,
    1792,
    1856,
    1920,
    1984,
    2048,
    2112,
    2176,
    2240,
    2304,
    2368,
    2432,
    2496,
    2560,
    3072,
    3584,
    4096,
    4608,
    5120,
    5632,
    6144,
    6656,
    7168,
    7680,
    8192,
    8704,
    9216,
    9728,
    10240,
    10752,
    12288,
    16384,
    20480,
    24576,
    28672,
    32768,
    36864,
    40960,
    65536,
    98304,
    131072,
    163840,
    262144,
    524288,
)

largebin_reverse_lookup_32_big class-attribute instance-attribute ¤

largebin_reverse_lookup_32_big = (
    1008,
    1024,
    1088,
    1152,
    1216,
    1280,
    1344,
    1408,
    1472,
    1536,
    1600,
    1664,
    1728,
    1792,
    1856,
    1920,
    1984,
    2048,
    2112,
    2176,
    2240,
    2304,
    2368,
    2432,
    2496,
    2560,
    2624,
    2688,
    2752,
    2816,
    2880,
    2944,
    2944,
    3072,
    3584,
    4096,
    4608,
    5120,
    5632,
    6144,
    6656,
    7168,
    7680,
    8192,
    8704,
    9216,
    9728,
    10240,
    10752,
    12288,
    16384,
    20480,
    24576,
    28672,
    32768,
    36864,
    40960,
    65536,
    98304,
    131072,
    163840,
    262144,
    524288,
)

largebin_reverse_lookup_64 class-attribute instance-attribute ¤

largebin_reverse_lookup_64 = (
    1024,
    1088,
    1152,
    1216,
    1280,
    1344,
    1408,
    1472,
    1536,
    1600,
    1664,
    1728,
    1792,
    1856,
    1920,
    1984,
    2048,
    2112,
    2176,
    2240,
    2304,
    2368,
    2432,
    2496,
    2560,
    2624,
    2688,
    2752,
    2816,
    2880,
    2944,
    3008,
    3072,
    3136,
    3584,
    4096,
    4608,
    5120,
    5632,
    6144,
    6656,
    7168,
    7680,
    8192,
    8704,
    9216,
    9728,
    10240,
    10752,
    12288,
    16384,
    20480,
    24576,
    28672,
    32768,
    36864,
    40960,
    65536,
    98304,
    131072,
    163840,
    262144,
    524288,
)

arenas property ¤

arenas: tuple[Arena, ...]

Return a tuple of all current arenas.

malloc_alignment property ¤

malloc_alignment: int

Corresponds to MALLOC_ALIGNMENT in glibc malloc.c

size_sz property ¤

size_sz: int

Corresponds to SIZE_SZ in glibc malloc.c

malloc_align_mask property ¤

malloc_align_mask: int

Corresponds to MALLOC_ALIGN_MASK in glibc malloc.c

minsize property ¤

minsize: int

Corresponds to MINSIZE in glibc malloc.c

min_chunk_size property ¤

min_chunk_size: int

Corresponds to MIN_CHUNK_SIZE in glibc malloc.c

multithreaded property ¤

multithreaded: bool

Is malloc operating within a multithreaded environment.

tcache_next_offset property ¤

tcache_next_offset: int

can_be_resolved ¤

can_be_resolved() -> bool

has_tcache ¤

has_tcache() -> bool

prompt_for_brute_force_thread_arena_permission ¤

prompt_for_brute_force_thread_arena_permission() -> bool

Check if the user wants to brute force the thread_arena's value.

prompt_for_brute_force_thread_cache_permission ¤

prompt_for_brute_force_thread_cache_permission() -> bool

Check if the user wants to brute force the tcache's value.

prompt_for_tls_address ¤

prompt_for_tls_address() -> int

Check if we can determine the TLS address and return it.

brute_force_tls_reference_in_got_section ¤

brute_force_tls_reference_in_got_section(
    tls_address: int, validator: Callable[[int], bool]
) -> tuple[int, int] | None

Brute force the TLS-reference in the .got section to that can pass the validator.

brute_force_thread_local_variable_near_tls_base ¤

brute_force_thread_local_variable_near_tls_base(
    tls_address: int, validator: Callable[[int], bool]
) -> tuple[int, int] | None

Brute force the thread-local variable near the TLS base address that can pass the validator.

get_heap ¤

get_heap(addr: int) -> 'pwndbg.aglib.heap.structs.HeapInfo' | None

Find & read the heap_info struct belonging to the chunk at 'addr'.

get_tcache ¤

get_tcache(
    tcache_addr: int | None = None,
) -> "pwndbg.aglib.heap.structs.TcachePerthreadStruct" | None

get_sbrk_heap_region ¤

get_sbrk_heap_region() -> Page

Return a Page object representing the sbrk heap region. Ensure the region's start address is aligned to SIZE_SZ * 2, which compensates for the presence of GLIBC_TUNABLES. This heuristic version requires some sanity checks and may raise SymbolUnresolvableError if malloc's mp_ struct can't be resolved.

is_initialized ¤

is_initialized() -> bool

summarize ¤

summarize(address: int, **kwargs: Any) -> str

Returns a textual summary of the specified address.

Parameters:

  • address (int) –

    Address of the heap block to summarize.

Returns:

  • str

    A string.

containing ¤

containing(address: int) -> int

Returns the address of the allocation which contains 'address'.

Parameters:

  • address (int) –

    Address to look up.

Returns:

  • int

    An integer.

libc_has_debug_syms ¤

libc_has_debug_syms() -> bool

The struct malloc_chunk comes from debugging symbols and it will not be there for statically linked binaries

largebin_reverse_lookup ¤

largebin_reverse_lookup(index: int) -> int

Pick the appropriate largebin_reverse_lookup_ function for this architecture.

largebin_size_range_from_index ¤

largebin_size_range_from_index(index: int)

chunk_flags ¤

chunk_flags(size: int) -> tuple[int, int, int]

chunk_key_offset ¤

chunk_key_offset(key: str) -> int | None

Find the index of a field in the malloc_chunk struct.

64bit example

prev_size == 0 size == 8 fd == 16 bk == 24 ...

get_region ¤

get_region(addr: int | Value | None) -> Page | None

Find the memory map containing 'addr'.

get_bins ¤

get_bins(bin_type: BinType, addr: int | None = None) -> Bins | None

fastbin_index ¤

fastbin_index(size: int)

fastbins ¤

fastbins(arena_addr: int | None = None) -> Bins | None

Returns: chain or None

tcachebins ¤

tcachebins(tcache_addr: int | None = None) -> Bins | None

Returns: tuple(chain, count) or None

check_chain_corrupted ¤

check_chain_corrupted(chain_fd: list[int], chain_bk: list[int]) -> bool

Checks if the doubly linked list (of a {unsorted, small, large} bin) defined by chain_fd, chain_bk is corrupted.

Even if the chains do not cover the whole bin, they still are expected to be of the same length.

Returns True if the bin is certainly corrupted, otherwise False.

bin_at ¤

bin_at(
    index: int, arena_addr: int | None = None
) -> tuple[list[int], list[int], bool] | None

Modeled after glibc's bin_at function - so starts indexing from 1 https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/eglibc/trusty-security/view/head:/malloc/malloc.c#L1394

bin_at(1) returns the unsorted bin

Bin 1 - Unsorted BiN Bin 2 to 63 - Smallbins Bin 64 to 126 - Largebins

Returns: tuple(chain_from_bin_fd, chain_from_bin_bk, is_chain_corrupted) or None

unsortedbin ¤

unsortedbin(arena_addr: int | None = None) -> Bins | None

smallbins ¤

smallbins(arena_addr: int | None = None) -> Bins | None

largebins ¤

largebins(arena_addr: int | None = None) -> Bins | None

largebin_index_32 ¤

largebin_index_32(sz: int) -> int

Modeled on the GLIBC malloc largebin_index_32 macro.

https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=f7cd29bc2f93e1082ee77800bd64a4b2a2897055;hb=9ea3686266dca3f004ba874745a4087a89682617#l1414

largebin_index_32_big ¤

largebin_index_32_big(sz: int) -> int

Modeled on the GLIBC malloc largebin_index_32_big macro.

https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=f7cd29bc2f93e1082ee77800bd64a4b2a2897055;hb=9ea3686266dca3f004ba874745a4087a89682617#l1422

largebin_index_64 ¤

largebin_index_64(sz: int) -> int

Modeled on the GLIBC malloc largebin_index_64 macro.

https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=f7cd29bc2f93e1082ee77800bd64a4b2a2897055;hb=9ea3686266dca3f004ba874745a4087a89682617#l1433

largebin_index ¤

largebin_index(sz: int)

Pick the appropriate largebin_index_ function for this architecture.

is_statically_linked ¤

is_statically_linked() -> bool

heap_for_ptr ¤

heap_for_ptr(ptr: int) -> int

Round a pointer to a chunk down to find its corresponding heap_info struct, the pointer must point inside a heap which does not belong to the main arena.

fetch_chunk_metadata ¤

fetch_chunk_metadata(
    address: int, include_only_fields: set[ChunkField] | None = None
)