radare2 heap cheatsheet

Program architecture. i~machine:

[0x7f8491e94090]>i~machine[1-]
AMD x86-64 architecture

Program bits. i~bits:

[0x7f8491e94090]> i~bits[1]
64

glibc version. dm~libc:

[0x557602f15189]> dm~libc:0[9]
/usr/lib/x86_64-linux-gnu/libc-2.32.so

Arenas

List arenas. dmha:

[0x55e517c4f1da]> dmha
main_arena @ 0x7f393d58fc40
thread arena @ 0x7f3938000020

Show malloc_state. dmhm [@malloc_state]:

[0x55e517c4f1da]> dmhm
malloc_state @ 0x7f3938000020

struct malloc_state main_arena {
  mutex = 0x00000000
  flags = 0x00000002
  fastbinsY = {
 Fastbin 01
 chunksize: == 0032 0x0,
............................
 Fastbin 10
 chunksize: == 0176 0x0,
}
  top = 0x7f3938000f00,
  last_remainder = 0x0,
  bins {
 Bin 001: Unsorted Bin [ chunksize: undefined 0x7f3938000020->fd = 0x7f3938000080, 0x7f3938000020->bk = 0x7f3938000080, 
 Bin 002:              ┌ chunksize: == 000032  0x7f3938000030->fd = 0x7f3938000090, 0x7f3938000030->bk = 0x7f3938000090, 
 ......................│....
 Bin 032:   Small Bins │ chunksize: == 000512  0x7f3938000210->fd = 0x7f3938000270, 0x7f3938000210->bk = 0x7f3938000270, 
 ......................│....
 Bin 064:              └ chunksize: == 001024  0x7f3938000410->fd = 0x7f3938000470, 0x7f3938000410->bk = 0x7f3938000470, 
 Bin 065:              ┌ chunksize: >= 001088  0x7f3938000420->fd = 0x7f3938000480, 0x7f3938000420->bk = 0x7f3938000480, 
 ......................│....
 Bin 096:   Large Bins │ chunksize: >= 003072  0x7f3938000610->fd = 0x7f3938000670, 0x7f3938000610->bk = 0x7f3938000670, 
 ......................│....
 Bin 127:              └ chunksize: remaining 0x7f3938000800->fd = 0x7f3938000860, 0x7f3938000800->bk = 0x7f3938000860, 
  }
  binmap = {0x0,0x0,0x0,0x0}
  next = 0x7f393d58fc40,
  next_free = 0x0,
  system_mem = 0x21000,
  max_system_mem = 0x21000,
}

Heap

Show chunk. dmhc <@chunk>:

[0x5583f0e61282]> dmhc @0x5583f1f1f270
struct malloc_chunk @ 0x5583f1f1f270 {
  prev_size = 0x0,
  size = 0x20,
  flags: |N:0 |M:0 |P:1,
  fd = 0x5583f1f1f2a0,
  bk = 0x5583f1f1f010,
}
chunk data = 
0x5583f1f1f280  0x00005583f1f1f2a0  0x00005583f1f1f010   .....U.......U..

Find the memory mapping of the main heap (the [heap] region). dm~heap]:

[0x5614183471c2]> dm~heap]
0x0000561418c3f000 - 0x0000561418c60000 - usr   132K s rw- [heap] [heap]

Show the chunks of a heap (arena). dmh [malloc_state]:

[0x5564c637d1dd]> dmh

  Malloc chunk @ 0x5564c76f9250 [size: 0x3f0][free]
  Malloc chunk @ 0x5564c76f9640 [size: 0x120][allocated]
  Top chunk @ 0x5564c76f9760 - [brk_start: 0x5564c76f9000, brk_end: 0x5564c771a000]

Show heap_info. dmhi <@malloc_state>:

[0x559dfb80022e]> dmhi @0x7f3bd8000020
malloc_info @ 0x7f3bd8000000 {
  ar_ptr = 0x7f3bd8000020
  prev = 0x0
  size = 0x21000
  mprotect_size = 0x21000
}

Bins

Show bins. dmhb:

[0x7f8491e94090]> dmhb
  Bin 001:
  double linked list unsorted bin {
    0x7f8491df1ca0->fd = 0x7f8491df1ca0
    0x7f8491df1ca0->bk = 0x7f8491df1ca0
  }
  Bin 002:
  double linked list small bin {
    0x7f8491df1cb0->fd = 0x7f8491df1cb0
    0x7f8491df1cb0->bk = 0x7f8491df1cb0
  }
..............| Stripped Output |...................
  Bin 065:
  double linked list large bin {
    0x7f8491df20a0->fd = 0x7f8491df20a0
    0x7f8491df20a0->bk = 0x7f8491df20a0
  }
..............| Output stripped |...................
 Bin 127:
  double linked list large bin {
    0x7f8491df2480->fd = 0x7f8491df2480
    0x7f8491df2480->bk = 0x7f8491df2480
  }

}

Show specific bin. dmhb <index>:

[0x7f8491e94090]> dmhb 64
 Bin 064:
  double linked list small bin {
    0x7f8491df2090->fd = 0x5637a11c0030->fd = 0x7f8491df2090
    0x7f8491df2090->bk = 0x5637a11c0030->bk = 0x7f8491df2090
  }

Show bin of other arena. dmhb [index][:malloc_state]:

[0x55f3489b8250]> dmhb 1:0x7fbd44000020
  Bin 001:
  double linked list unsorted bin {
    0x7fbd44000080->fd = 0x7fbd44000080
    0x7fbd44000080->bk = 0x7fbd44000080
  }

Show only the non-empty bins (those holding chunks). dmhb | grep -E 'fd =.+=' -C 2:

[0x7f8491e94090]> dmhb | grep -E 'fd =.+=' -C 2
 Bin 064:
  double linked list small bin {
    0x7f8491df2090->fd = 0x5637a11c0030->fd = 0x7f8491df2090
    0x7f8491df2090->bk = 0x5637a11c0030->bk = 0x7f8491df2090
  }

Show unsorted bin. dmhb 1:

[0x55b3cb19b27d]> dmhb 1
  Bin 001:
  double linked list unsorted bin {
    0x7ff8f1a9eca0->fd = 0x55b3cce31370->fd = 0x55b3cce31f90->fd = 0x7ff8f1a9eca0
    0x7ff8f1a9eca0->bk = 0x55b3cce31f90->bk = 0x55b3cce31370->bk = 0x7ff8f1a9eca0
  }

Show small bins. dmhb | grep 'small bin' -B 1 -A 3:

[0x7f8491e94090]> dmhb | grep 'small bin' -B 1 -A 3
 Bin 002:
  double linked list small bin {
    0x7f87dc2d77c8->fd = 0x202f000->fd = 0x202f040->fd = 0x7f87dc2d77c8
    0x7f87dc2d77c8->bk = 0x202f040->bk = 0x202f000->bk = 0x7f87dc2d77c8
  }
..............| Output stripped |...................
 Bin 063:
  double linked list small bin {
    0x7f87dc2d7b98->fd = 0x7f87dc2d7b98
    0x7f87dc2d7b98->bk = 0x7f87dc2d7b98
  }
 Bin 064:
  double linked list small bin {
    0x7f87dc2d7ba8->fd = 0x7f87dc2d7ba8
    0x7f87dc2d7ba8->bk = 0x7f87dc2d7ba8
  }

Show small bins with chunks. dmhb | grep 'small bin' -B 1 -A 3 | grep -E 'fd =.+=' -C 2:

[0x7f87dbf4bc37]> dmhb | grep 'small bin' -B 1 -A 3 | grep -E 'fd =.+=' -C 2
 Bin 002:
  double linked list small bin {
    0x7f87dc2d77c8->fd = 0x202f000->fd = 0x202f040->fd = 0x7f87dc2d77c8
    0x7f87dc2d77c8->bk = 0x202f040->bk = 0x202f000->bk = 0x7f87dc2d77c8
  }

Show large bins. dmhb | grep 'large' -B 1 -A 3:

[0x5583f0e61282]> dmhb | grep 'large' -B 1 -A 3
 Bin 065:
  double linked list large bin {
    0x7f981ba440a0->fd = 0x7f981ba440a0
    0x7f981ba440a0->bk = 0x7f981ba440a0
  }
 Bin 066:
  double linked list large bin {
    0x7f981ba440b0->fd = 0x7f981ba440b0
    0x7f981ba440b0->bk = 0x7f981ba440b0
  }
..........................................
 Bin 110:
  double linked list large bin {
    0x7f981ba44370->fd = 0x5583f1f1ff90->fd = 0x7f981ba44370
    0x7f981ba44370->bk = 0x5583f1f1ff90->bk = 0x7f981ba44370
  }
..........................................
 Bin 126:
  double linked list large bin {
    0x7f981ba44470->fd = 0x7f981ba44470
    0x7f981ba44470->bk = 0x7f981ba44470
  }
 Bin 127:
  double linked list large bin {
    0x7f981ba44480->fd = 0x7f981ba44480
    0x7f981ba44480->bk = 0x7f981ba44480
  }

Show large bins with chunks. dmhb | grep 'large' -B 1 -A 3 | grep -E 'fd =.+=' -C 2:

[0x5583f0e61282]> dmhb | grep 'large' -B 1 -A 3 | grep -E 'fd =.+=' -C 2
 Bin 110:
  double linked list large bin {
    0x7f981ba44370->fd = 0x5583f1f1ff90->fd = 0x7f981ba44370
    0x7f981ba44370->bk = 0x5583f1f1ff90->bk = 0x7f981ba44370
  }

Show fast bins. dmhf:

[0x5627a3a97306]> dmhf
fastbinY {
 Fastbin 01
  fastbin 1 @ 0x7f6e9df65c50 {
   0x5627a47d9760->fd = 0x5627a47d9740->fd = 0x5627a47d9720
  }
 Fastbin 02
  Empty bin  0x0
 Fastbin 03
  Empty bin  0x0
 Fastbin 04
  Empty bin  0x0
 Fastbin 05
  Empty bin  0x0
 Fastbin 06
  Empty bin  0x0
 Fastbin 07
  Empty bin  0x0
 Fastbin 08
  Empty bin  0x0
 Fastbin 09
  Empty bin  0x0
 Fastbin 10
  Empty bin  0x0
}

Show fast bins with chunks. dmhf | grep -w 'fastbin' -A 2:

[0x56173d3ee355]> dmhf | grep -w 'fastbin' -A 2
  fastbin 1 @ 0x7fcf8b64ec50 {
   0x56173f36d760->fd = 0x56173f36d740->fd = 0x56173f36d720
  }
--
  fastbin 4 @ 0x7fcf8b64ec68 {
   0x56173f36d9b0
  }

Show the tcache bins that hold chunks. dmht:

[0x7f8491e94090]> dmht
Tcache main arena @ 0x7f8491df1c40
bin : 1, items : 3, fd :0x5637a11c0000->0x5637a11be830->0x5637a11bffd0
bin : 2, items : 2, fd :0x5637a11bd910->0x5637a11bfd30
bin : 3, items : 2, fd :0x5637a11c0430->0x5637a11bfd70
bin : 5, items : 1, fd :0x5637a11bfb20
bin :33, items : 1, fd :0x5637a11bd620
bin :59, items : 1, fd :0x5637a11bf6c0

Enable Safe-Linking demangling, so that fd pointers in fast bins and tcache are shown decoded on glibc 2.32 and later. e dbg.glibc.demangle = true:

[0x7f9694a1b8cb]> e dbg.glibc.demangle = true