Skip to content

Vmmap

Routines to enumerate mapped memory, and attempt to associate address ranges with various ELF files and permissions.

The reason that we need robustness is that not every operating system has /proc/$$/maps, which backs 'info proc mapping'.

coredump_maps()

Parses info proc mappings and maintenance info sections and tries to make sense out of the result :)

get_known_maps()

Similar to vmmap.get(), except only returns maps in cases where the mappings are known, like if it's a coredump, or if process mappings are available.

info_auxv(skip_exe=False)

Extracts the name of the executable from the output of the command "info auxv". Note that if the executable path is a symlink, it is not dereferenced by info auxv and we also don't dereference it.

Parameters:

Name Type Description Default
skip_exe(bool)

Do not return any mappings that belong to the exe.

 required

Returns:

Type Description
Tuple[Page, ...]

A list of pwndbg.lib.memory.Page objects.

info_files()

info_proc_maps(parse_flags=True)

Parse the result of info proc mappings.

Example output:

Text Only
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
    Start Addr           End Addr       Size     Offset  Perms  objfile
      0x400000           0x401000     0x1000        0x0  r--p   /root/hello_world/main
      0x401000           0x497000    0x96000     0x1000  r-xp   /root/hello_world/main
      0x497000           0x4be000    0x27000    0x97000  r--p   /root/hello_world/main
      0x4be000           0x4c3000     0x5000    0xbd000  r--p   /root/hello_world/main
      0x4c3000           0x4c5000     0x2000    0xc2000  rw-p   /root/hello_world/main
      0x4c5000           0x4cb000     0x6000        0x0  rw-p
      0x4cb000           0x4ed000    0x22000        0x0  rw-p   [heap]
0x7ffff7ff9000     0x7ffff7ffd000     0x4000        0x0  r--p   [vvar]
0x7ffff7ffd000     0x7ffff7fff000     0x2000        0x0  r-xp   [vdso]
0x7ffffffde000     0x7ffffffff000    0x21000        0x0  rw-p   [stack]

0xffffffffff600000 0xffffffffff601000 0x1000 0x0 --xp [vsyscall]

Note: this may return no pages due to a bug/behavior of GDB. See https://sourceware.org/bugzilla/show_bug.cgi?id=31207 for more information.

Returns:

Type Description
Page

A tuple of pwndbg.lib.memory.Page objects or an empty tuple if
...

info proc mapping is not supported on the target.

info_sharedlibrary()

Parses the output of info sharedlibrary.

Specifically, all we really want is any valid pointer into each library, and the path to the library on disk.

With this information, we can use the ELF parser to get all of the page permissions for every mapped page in the ELF.

Returns:

Type Description
Tuple[Page, ...]

A list of pwndbg.lib.memory.Page objects.

is_corefile()

For example output use

gdb ./tests/binaries/crash_simple.out -ex run -ex 'generate-core-file ./core' -ex 'quit'

And then use

gdb ./tests/binaries/crash_simple.out -core ./core -ex 'info target'

And: gdb -core ./core

As the two differ in output slighty.

parse_info_proc_mappings_line(line, perms_available, parse_flags)

Parse a line from info proc mappings and return a pwndbg.lib.memory.Page object if the line is valid.

Example lines

0x4c3000 0x4c5000 0x2000 0xc2000 rw-p /root/hello_world/main 0x4c5000 0x4cb000 0x6000 0x0 rw-p

The objfile column might be empty, and the permissions column is only present in GDB versions >= 12.1 https://github.com/bminor/binutils-gdb/commit/29ef4c0699e1b46d41ade00ae07a54f979ea21cc

Parameters:

Name Type Description Default
line str

A line from info proc mappings.

 required

Returns:

Type Description
Optional[Page]

A pwndbg.lib.memory.Page object or None.

proc_tid_maps()

Parse the contents of /proc/$TID/maps on the server. (TID == Thread Identifier. We do not use PID since it may not be correct)

Returns:

Type Description
Tuple[Page, ...] | None

A tuple of pwndbg.lib.memory.Page objects or None if
Tuple[Page, ...] | None

/proc/$tid/maps doesn't exist or when we debug a qemu-user target