initial commit

Author: two-heart

.gitignore

@@ -0,0 +1,9 @@
+# created by virtualenv automatically
+bin/
+lib/
+pwntools-doc/
+pyvenv.cfg
+examples/gdb_script.log
+examples/trace_example.py
+examples/.gdb_history
+.gdb_history

dbgtools/__init__.py

@@ -0,0 +1,5 @@
+from dbgtools.main import *
+from dbgtools.breakpoints import *
+from dbgtools import logger
+from dbgtools import gdbapi
+from dbgtools import commands

dbgtools/breakpoints.py

@@ -0,0 +1,114 @@
+import gdb
+from typing import Sequence, Callable, Optional
+from dbgtools.main import get_pie_base
+from dbgtools.logger import Logger
+
+
+def get_all_breakpoints() -> Sequence[gdb.Breakpoint]:
+    return gdb.breakpoints()
+
+
+def convert_to_gdb_bp_str(ptr: Optional[int] = None,
+                          func_name: Optional[str] = None,
+                          offset: Optional[int] = None) -> str:
+    if ptr is not None:
+        assert func_name is None and offset is None
+        return f"*{hex(ptr)}"
+    elif func_name is not None and offset is not None:
+        return f"*({func_name}+{hex(offset)})"
+    else:
+        msg = "Breakpoint string has to consist of either <pointer> or " \
+               + "<func_name, offset>"
+        raise ValueError(msg)
+
+
+class CustomBreakpoint(gdb.Breakpoint):
+    _action_funcs: list[Callable[[], None]]
+    _explicit_stop: bool
+
+    def __init__(self,
+                 bp_str: str,
+                 action_funcs: Optional[list[Callable[[], None]]] = None,
+                 enabled: bool = True,
+                 explicit_stop: bool = False,
+                 temporary: bool = False):
+        super().__init__(bp_str, temporary=temporary)
+        if action_funcs is None:
+            action_funcs = []
+        self._make_unique()
+        self._bp_str = bp_str
+        self.enabled = enabled
+        self._explicit_stop = explicit_stop
+        self._action_funcs = action_funcs
+        self._cond_func = None
+
+    @classmethod
+    def create_pt_bp(cls, ptr, *args, **kwargs):
+        return cls(convert_to_gdb_bp_str(ptr=ptr), *args, **kwargs)
+
+    @classmethod
+    def create_pie_bp(cls, ptr, *args, **kwargs):
+        return cls(convert_to_gdb_bp_str(ptr=get_pie_base() + ptr),
+                   *args, **kwargs)
+
+    @classmethod
+    def create_func_off_bp(cls, func_name, offset, *args, **kwargs):
+        return cls(convert_to_gdb_bp_str(func_name=func_name, offset=offset),
+                   *args, **kwargs)
+
+    def _make_unique(self):
+        for bp in get_all_breakpoints():
+            if bp.number != self.number:
+                bp.delete()
+
+    def set_condition_func(self, cond_func):
+        self._cond_func = cond_func
+
+    def reset_condition_func(self):
+        self._cond_func = None
+
+    def stop(self):
+        for bp_stop_func in self._action_funcs:
+            bp_stop_func()
+        if self._explicit_stop:
+            return True
+        if self._cond_func is not None:
+            return self._cond_func()
+        return False
+
+
+class LogBreakpoint(CustomBreakpoint):
+    logger_func: Callable[[], bytes]
+
+    def __init__(self,
+                 bp_str: str,
+                 logger_func: Callable[[], bytes],
+                 action_funcs: Optional[list[Callable[[], None]]] =None,
+                 enabled_default: bool = True,
+                 explicit_stop: bool = False,
+                 temporary: bool = False):
+        super().__init__(bp_str,
+                         action_funcs,
+                         enabled_default,
+                         explicit_stop,
+                         temporary)
+        self._logger_func = logger_func
+
+    def stop(self):
+        logger = Logger.get_instance()
+        log = self._logger_func()
+        if len(log) != 0:
+            logger.log_line(log)
+        return super().stop()
+
+
+class ActionBreakpoint(CustomBreakpoint):
+    def __init__(self,
+                 bp_str: str,
+                 action_funcs: Optional[list[Callable[[], None]]] ,
+                 explicit_stop: bool = False):
+        super().__init__(bp_str,
+                         action_funcs,
+                         enabled_default=True,
+                         explicit_stop=explicit_stop,
+                         temporary=False)

dbgtools/commands/breaknew.py

@@ -0,0 +1,20 @@
+import gdb
+from dbgtools.main import delete_all_breakpoints
+from dbgtools.gdbapi import execute_commands
+
+
+class BreakNewCmd(gdb.Command):
+    """Creates a breakpoint and delete all previous ones"""
+    def __init__(self):
+        super(BreakNewCmd, self).__init__("bn", gdb.COMMAND_USER)
+
+    def help(self):
+        print("Usage: bn <bp>")
+
+    def invoke(self, argument, from_tty):
+        argument = argument.split()
+        if len(argument) != 1:
+            self.help()
+        else:
+            delete_all_breakpoints()
+            execute_commands([f"b {argument[0]}"])

dbgtools/commands/breakpie.py

@@ -0,0 +1,40 @@
+import gdb
+from dbgtools.main import force_load_pie_base, get_pie_base, \
+                          set_manual_breakpoint
+from dbgtools.commands.utils import parse_tint
+
+
+class BreakPIECmd(gdb.Command):
+    """
+    Creates a breakpoint relative to the current PIE base.
+
+    While this is supported by pwndbg, we want to keep it because it works
+    before program start.
+    """
+    def __init__(self):
+        super(BreakPIECmd, self).__init__("bpie", gdb.COMMAND_USER)
+
+    def help(self):
+        print("Usage: bpie <relative bp offset>")
+
+    def invoke(self, argument, from_tty):
+        argument = argument.split()
+        if len(argument) != 1:
+            self.help()
+        else:
+            piebase = get_pie_base()
+            if piebase is None:
+                # program not running probably
+                print("Current PIE base could not be found.\n" +
+                            "Do you want to try and force PIE base loading (program will be executed!)")
+                choice = input("[y/n] > ")
+                if len(choice) >= 1 and choice[0].lower() == "y":
+                    piebase = force_load_pie_base()
+                    if piebase is None:
+                        print("Could not force load PIE base")
+                        return
+                else:
+                    return
+
+            bp_off = parse_tint(argument[0])
+            set_manual_breakpoint(piebase + bp_off)

dbgtools/commands/commands.py

@@ -0,0 +1,29 @@
+from dbgtools.commands.domalloc import DoMallocCmd
+from dbgtools.commands.dofree import DoFreeCmd
+from dbgtools.commands.libcbase import LibcBaseCmd
+from dbgtools.commands.heapbase import HeapBaseCmd
+from dbgtools.commands.libcsym import LibcSymCmd
+from dbgtools.commands.pwndump import PwnDumpCmd
+from dbgtools.commands.traceheap import TraceHeapCmd
+from dbgtools.commands.heaplookup import HeapPtrLookup
+from dbgtools.commands.tracer import TracerCmd
+from dbgtools.commands.breaknew import BreakNewCmd
+from dbgtools.commands.breakpie import BreakPIECmd
+from dbgtools.commands.mmap import MmapCmd
+from dbgtools.commands.mprotect import MprotectCmd
+
+
+
+DoMallocCmd()
+DoFreeCmd()
+LibcBaseCmd()
+HeapBaseCmd()
+LibcSymCmd()
+PwnDumpCmd()
+TraceHeapCmd()
+HeapPtrLookup()
+TracerCmd()
+BreakNewCmd()
+BreakPIECmd()
+MmapCmd()
+MprotectCmd()

dbgtools/commands/dofree.py

@@ -0,0 +1,30 @@
+import gdb
+from dbgtools.commands.utils import SupressedOutput, parse_tint
+from dbgtools.main import *
+
+
+class DoFreeCmd(gdb.Command):
+    """Performs free(ptr)"""
+    def __init__(self):
+        super(DoFreeCmd, self).__init__("dofree", gdb.COMMAND_USER)
+
+    def invoke(self, argument, from_tty):
+        argument = argument.split()
+        if len(argument) != 1:
+            self.help()
+        else:
+            ptr = parse_tint(argument[0])
+            try:
+                self._do_free(ptr)
+            except ValueError:
+                print("Address of free could not be found. Please specify it"
+                      + " manually!")
+
+    def _do_free(self, ptr: int):
+        with SupressedOutput():
+            free_addr = get_free_addr()
+            call_func1(free_addr, ptr)
+        gdb.execute(f"x/4gx {hex(ptr)}")
+        
+    def help(self):
+        print("Usage: dofree <ptr> [<ptr to free function>]")

dbgtools/commands/domalloc.py

@@ -0,0 +1,29 @@
+import gdb
+from dbgtools.commands.utils import SupressedOutput, parse_tint
+from dbgtools.main import get_malloc_addr, call_func1
+
+class DoMallocCmd(gdb.Command):
+    """Performs malloc(size)"""
+    def __init__(self):
+        super(DoMallocCmd, self).__init__("domalloc", gdb.COMMAND_USER)
+
+    def invoke(self, argument, from_tty):
+        argument = argument.split()
+        if len(argument) != 1:
+            self.help()
+        else:
+            size = parse_tint(argument[0])
+            try:
+                self._do_malloc(size)
+            except ValueError:
+                print("Address of malloc could not be found. Please specify it manually!")
+
+    def _do_malloc(self, size: int):
+        with SupressedOutput():
+            malloc_addr = get_malloc_addr()
+            malloc_chunk = call_func1(malloc_addr, size)
+        gdb.execute(f"x/{(size//8)+1}gx {hex(malloc_chunk)}")
+        print(f"malloc({hex(size)}) -> {hex(malloc_chunk)}")
+
+    def help(self):
+        print("Usage: domalloc <size> [<ptr to malloc function>]")

dbgtools/commands/heapbase.py

@@ -0,0 +1,32 @@
+import gdb
+from dbgtools.commands.utils import parse_tint
+from dbgtools.main import get_heap_base
+
+
+class HeapBaseCmd(gdb.Command):
+    """Looks up the base address of all existing heaps"""
+    def __init__(self):
+        super(HeapBaseCmd, self).__init__("heapbase", gdb.COMMAND_USER)
+
+    def invoke(self, argument, from_tty):
+        argument = argument.split()
+        if len(argument) != 1 and len(argument) != 0:
+            self.help()
+        else:
+            heap_addresses = get_heap_base()
+            if heap_addresses is None:
+                print("no heap found")
+            elif len(heap_addresses) == 1 and heap_addresses[0] != -1:
+                heap_ptr = heap_addresses[0]
+                if len(argument) == 1:
+                    ptr = parse_tint(argument[0])
+                    print(f"heap @ {hex(heap_ptr)} | off: {hex(ptr - heap_ptr)}")
+                else:
+                    print(f"heap @ {hex(heap_ptr)}")
+            elif len(heap_addresses) >= 2:
+                print("Found multiple heaps")
+                for hp in heap_addresses:
+                    print(f"heap @ {hex(hp)}")
+                
+    def help(self):
+        print("Usage: heapbase [<ptr>]")