Vmmap
Routines to enumerate mapped memory, and attempt to associate address ranges with various ELF files and permissions.
The reason that we need robustness is that not every operating system has /proc/$$/maps, which backs 'info proc mapping'.
auto_explore = pwndbg.config.add_param('auto-explore-pages', 'yes', 'whether to try to infer page permissions when memory maps missing (can cause errors)', param_class=pwndbg.lib.config.PARAM_ENUM, enum_sequence=['yes', 'warn', 'no'])
module-attribute
custom_pages: List[pwndbg.lib.memory.Page] = []
module-attribute
explored_pages: List[pwndbg.lib.memory.Page] = []
module-attribute
inside_no_proc_maps_search = False
module-attribute
kernel_vmmap = pwndbg.config.add_param('kernel-vmmap', 'page-tables', 'the method to get vmmap information when debugging via QEMU kernel', help_docstring="kernel-vmmap can be:\npage-tables - read /proc/$qemu-pid/mem to parse kernel page tables to render vmmap\nmonitor - use QEMU's `monitor info mem` to render vmmap\nnone - disable vmmap rendering; useful if rendering is particularly slow\n\nNote that the page-tables method will require the QEMU kernel process to be on the same machine and within the same PID namespace. Running QEMU kernel and GDB in different Docker containers will not work. Consider running both containers with --pid=host (meaning they will see and so be able to interact with all processes on the machine).\n", param_class=pwndbg.lib.config.PARAM_ENUM, enum_sequence=['page-tables', 'monitor', 'none'])
module-attribute
kernel_vmmap_via_pt = pwndbg.config.add_param('kernel-vmmap-via-page-tables', 'deprecated', 'the deprecated config of the method get kernel vmmap', help_docstring='Deprecated in favor of `kernel-vmmap`')
module-attribute
add_custom_page(page)
clear_custom_page()
clear_explored_pages()
clear_warn_cache()
coredump_maps()
Parses info proc mappings and maintenance info sections and tries to make sense out of the result :)
explore(address_maybe)
Given a potential address, check to see what permissions it has.
Returns:
Type | Description |
---|---|
Page \| None | Page object |
Note
Adds the Page object to a persistent list of pages which are only reset when the process dies. This means pages which are added this way will not be removed when unmapped.
Also assumes the entire contiguous section has the same permission.
explore_registers()
find(address, *, should_explore=None)
find_boundaries(addr, name='', min=0)
Given a single address, find all contiguous pages which are mapped.
get()
Returns a tuple of Page objects representing the memory mappings of the target, sorted by virtual address ascending.
get_known_maps()
Similar to vmmap.get(), except only returns maps in cases where the mappings are known, like if it's a coredump, or if process mappings are available.
info_auxv(skip_exe=False)
Extracts the name of the executable from the output of the command "info auxv". Note that if the executable path is a symlink, it is not dereferenced by info auxv and we also don't dereference it.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
skip_exe | bool | Do not return any mappings that belong to the exe. | required |
Returns:
Type | Description |
---|---|
Tuple[Page, ...] | A list of pwndbg.lib.memory.Page objects. |
info_files()
info_proc_maps(parse_flags=True)
Parse the result of info proc mappings.
Example output:
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 --xp [vsyscall]
Note: this may return no pages due to a bug/behavior of GDB. See https://sourceware.org/bugzilla/show_bug.cgi?id=31207 for more information.
Returns:
Type | Description |
---|---|
Tuple[Page, ...] | A tuple of pwndbg.lib.memory.Page objects or an empty tuple if info proc mapping is not supported on the target. |
info_sharedlibrary()
Parses the output of info sharedlibrary.
Specifically, all we really want is any valid pointer into each library, and the path to the library on disk.
With this information, we can use the ELF parser to get all of the page permissions for every mapped page in the ELF.
Returns:
Type | Description |
---|---|
Tuple[Page, ...] | A list of pwndbg.lib.memory.Page objects. |
is_corefile()
For example output use
gdb ./tests/binaries/crash_simple.out -ex run -ex 'generate-core-file ./core' -ex 'quit'
And then use
gdb ./tests/binaries/crash_simple.out -core ./core -ex 'info target'
And: gdb -core ./core
As the two differ in output slightly.
parse_info_proc_mappings_line(line, perms_available, parse_flags)
Parse a line from info proc mappings and return a pwndbg.lib.memory.Page object if the line is valid.
Example lines
0x4c3000 0x4c5000 0x2000 0xc2000 rw-p /root/hello_world/main
0x4c5000 0x4cb000 0x6000 0x0 rw-p
The objfile column might be empty, and the permissions column is only present in GDB versions >= 12.1 https://github.com/bminor/binutils-gdb/commit/29ef4c0699e1b46d41ade00ae07a54f979ea21cc
Parameters:
Name | Type | Description | Default |
---|---|---|---|
line | str | A line from | required |
Returns:
Type | Description |
---|---|
Optional[Page] | A pwndbg.lib.memory.Page object or None. |
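The two format quirks described above (an optional permissions column and a possibly empty objfile) can be handled as in this added example, which is not pwndbg's own implementation. `Mapping`, `parse_line`, `parse_output` and `SAMPLE` are hypothetical names; `Mapping` is a stand-in for pwndbg.lib.memory.Page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

PERMS_RE = re.compile(r"[r-][w-][x-][ps]")

@dataclass(frozen=True)
class Mapping:
    """Hypothetical stand-in for pwndbg.lib.memory.Page."""
    start: int
    end: int
    offset: int
    perms: Optional[str]  # None when the GDB build prints no permissions column
    objfile: str          # "" for mappings without an objfile

def parse_line(line: str, perms_available: bool) -> Optional[Mapping]:
    """Parse one `info proc mappings` row; return None for headers or junk."""
    fixed = 5 if perms_available else 4
    # Limit the split so an objfile path containing spaces stays in one field.
    fields = line.strip().split(None, fixed)
    if len(fields) < fixed:
        return None
    try:
        start, end, size, offset = (int(f, 16) for f in fields[:4])
    except ValueError:
        return None  # header row or other non-numeric text
    if end - start != size:
        return None  # columns do not describe a consistent range
    perms = None
    if perms_available:
        perms = fields[4]
        if not PERMS_RE.fullmatch(perms):
            return None  # e.g. an old-format row where this field is the path
    objfile = fields[fixed] if len(fields) > fixed else ""
    return Mapping(start, end, offset, perms, objfile)

def parse_output(text: str, perms_available: bool) -> List[Mapping]:
    rows = (parse_line(l, perms_available) for l in text.splitlines())
    return [m for m in rows if m is not None]

# Rows 2-4 are the example lines quoted on this page; the header row and the
# last row (a path containing a space) are constructed for illustration.
SAMPLE = """\
Start Addr End Addr Size Offset Perms objfile
0x4c3000 0x4c5000 0x2000 0xc2000 rw-p /root/hello_world/main
0x4c5000 0x4cb000 0x6000 0x0 rw-p
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 --xp [vsyscall]
0x7f0000000000 0x7f0000001000 0x1000 0x0 r-xp /tmp/my dir/lib.so
"""
```

Passing the wrong `perms_available` value for the GDB version in use makes rows with an objfile parse to None instead of silently treating the path as permissions.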
proc_tid_maps()
Parse the contents of /proc/$TID/maps on the server. (TID == Thread Identifier. We do not use PID since it may not be correct)
Returns:
Type | Description |
---|---|
Tuple[Page, ...] \| None | A tuple of pwndbg.lib.memory.Page objects or None if /proc/$tid/maps doesn't exist or when we debug a qemu-user target |