Skip to content

Vmmap

Routines to enumerate mapped memory, and attempt to associate address ranges with various ELF files and permissions.

The reason that we need robustness is that not every operating system has /proc/$$/maps, which backs 'info proc mapping'.

auto_explore = pwndbg.config.add_param('auto-explore-pages', 'yes', 'whether to try to infer page permissions when memory maps missing (can cause errors)', param_class=pwndbg.lib.config.PARAM_ENUM, enum_sequence=['yes', 'warn', 'no']) module-attribute

custom_pages: List[pwndbg.lib.memory.Page] = [] module-attribute

explored_pages: List[pwndbg.lib.memory.Page] = [] module-attribute

kernel_vmmap = pwndbg.config.add_param('kernel-vmmap', 'page-tables', 'the method to get vmmap information when debugging via QEMU kernel', help_docstring="kernel-vmmap can be:\npage-tables - read /proc/$qemu-pid/mem to parse kernel page tables to render vmmap\nmonitor - use QEMU's `monitor info mem` to render vmmap\nnone - disable vmmap rendering; useful if rendering is particularly slow\n\nNote that the page-tables method will require the QEMU kernel process to be on the same machine and within the same PID namespace. Running QEMU kernel and GDB in different Docker containers will not work. Consider running both containers with --pid=host (meaning they will see and so be able to interact with all processes on the machine).\n", param_class=pwndbg.lib.config.PARAM_ENUM, enum_sequence=['page-tables', 'monitor', 'none']) module-attribute

kernel_vmmap_via_pt = pwndbg.config.add_param('kernel-vmmap-via-page-tables', 'deprecated', 'the deprecated config of the method get kernel vmmap', help_docstring='Deprecated in favor of `kernel-vmmap`') module-attribute

monitor_info_mem_not_warned = True module-attribute

add_custom_page(page)

check_aslr()

Detects the ASLR status. Returns True, False or None.

None is returned when we can't detect ASLR.

clear_custom_page()

clear_explored_pages()

clear_warn_cache()

coredump_maps()

Parses info proc mappings and maintenance info sections and tries to make sense out of the result :)

explore(address_maybe)

Given a potential address, check to see what permissions it has.

Returns:

Type Description
Page | None

Page object
Note

Adds the Page object to a persistent list of pages which are only reset when the process dies. This means pages which are added this way will not be removed when unmapped.

Also assumes the entire contiguous section has the same permission.

explore_registers()

find(address, *, should_explore=None)

find_boundaries(addr, name='', min=0)

Given a single address, find all contiguous pages which are mapped.

get()

Returns a tuple of Page objects representing the memory mappings of the target, sorted by virtual address ascending.

get_known_maps()

Similar to vmmap.get(), except only returns maps in cases where the mappings are known, like if it's a coredump, or if process mappings are available.

info_auxv(skip_exe=False)

Extracts the name of the executable from the output of the command "info auxv". Note that if the executable path is a symlink, it is not dereferenced by info auxv and we also don't dereference it.

Parameters:

Name Type Description Default
skip_exe(bool)

Do not return any mappings that belong to the exe.

 required

Returns:

Type Description
Tuple[Page, ...]

A list of pwndbg.lib.memory.Page objects.

info_files()

info_proc_maps(parse_flags=True)

Parse the result of info proc mappings.

Example output:

Text Only
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
    Start Addr           End Addr       Size     Offset  Perms  objfile
      0x400000           0x401000     0x1000        0x0  r--p   /root/hello_world/main
      0x401000           0x497000    0x96000     0x1000  r-xp   /root/hello_world/main
      0x497000           0x4be000    0x27000    0x97000  r--p   /root/hello_world/main
      0x4be000           0x4c3000     0x5000    0xbd000  r--p   /root/hello_world/main
      0x4c3000           0x4c5000     0x2000    0xc2000  rw-p   /root/hello_world/main
      0x4c5000           0x4cb000     0x6000        0x0  rw-p
      0x4cb000           0x4ed000    0x22000        0x0  rw-p   [heap]
0x7ffff7ff9000     0x7ffff7ffd000     0x4000        0x0  r--p   [vvar]
0x7ffff7ffd000     0x7ffff7fff000     0x2000        0x0  r-xp   [vdso]
0x7ffffffde000     0x7ffffffff000    0x21000        0x0  rw-p   [stack]

0xffffffffff600000 0xffffffffff601000 0x1000 0x0 --xp [vsyscall]

Note: this may return no pages due to a bug/behavior of GDB. See https://sourceware.org/bugzilla/show_bug.cgi?id=31207 for more information.

Returns:

Type Description
Page

A tuple of pwndbg.lib.memory.Page objects or an empty tuple if
...

info proc mapping is not supported on the target.

info_sharedlibrary()

Parses the output of info sharedlibrary.

Specifically, all we really want is any valid pointer into each library, and the path to the library on disk.

With this information, we can use the ELF parser to get all of the page permissions for every mapped page in the ELF.

Returns:

Type Description
Tuple[Page, ...]

A list of pwndbg.lib.memory.Page objects.

is_corefile()

For example output use

gdb ./tests/binaries/crash_simple.out -ex run -ex 'generate-core-file ./core' -ex 'quit'

And then use

gdb ./tests/binaries/crash_simple.out -core ./core -ex 'info target'

And: gdb -core ./core

As the two differ in output slighty.

kernel_vmmap_via_monitor_info_mem()

Returns Linux memory maps information by parsing monitor info mem output from QEMU kernel GDB stub. Works only on X86/X64/RISC-V as this is what QEMU supports.

Consider using the kernel_vmmap_via_page_tables method as it is probably more reliable/better.

See also: https://github.com/pwndbg/pwndbg/pull/685 (TODO: revisit with future QEMU versions)

Example output from the command:

pwndbg> monitor info mem

ffff903580000000-ffff903580099000 0000000000099000 -rw

ffff903580099000-ffff90358009b000 0000000000002000 -r-

ffff90358009b000-ffff903582200000 0000000002165000 -rw

ffff903582200000-ffff903582803000 0000000000603000 -r-

kernel_vmmap_via_page_tables()

parse_info_proc_mappings_line(line, perms_available, parse_flags)

Parse a line from info proc mappings and return a pwndbg.lib.memory.Page object if the line is valid.

Example lines

0x4c3000 0x4c5000 0x2000 0xc2000 rw-p /root/hello_world/main 0x4c5000 0x4cb000 0x6000 0x0 rw-p

The objfile column might be empty, and the permissions column is only present in GDB versions >= 12.1 https://github.com/bminor/binutils-gdb/commit/29ef4c0699e1b46d41ade00ae07a54f979ea21cc

Parameters:

Name Type Description Default
line str

A line from info proc mappings.

 required

Returns:

Type Description
Optional[Page]

A pwndbg.lib.memory.Page object or None.

proc_tid_maps()

Parse the contents of /proc/$TID/maps on the server. (TID == Thread Identifier. We do not use PID since it may not be correct)

Returns:

Type Description
Tuple[Page, ...] | None

A tuple of pwndbg.lib.memory.Page objects or None if
Tuple[Page, ...] | None

/proc/$tid/maps doesn't exist or when we debug a qemu-user target