Skip to content
/ HeapViz Public

Heap Visualizing plugin for pwndbg/gdb with browser display

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

VallarThorn/HeapViz

BranchesTags

Repository files navigation

HeapViz - Advanced Heap Exploitation Assistant

A powerful pwndbg plugin for visualizing and analyzing glibc heap structures, detecting vulnerabilities, and suggesting exploitation strategies during CTF pwn challenges.

Features

Heap Analysis

  • Complete heap parsing: malloc_state (arena), malloc_chunk, tcache_perthread_struct
  • Chunk visualization: Display all heap chunks with metadata and flags
  • Bin tracking: Visualize tcache, fastbins, smallbins, largebins, unsorted bins
  • Memory inspection: View raw chunk data and structure

Vulnerability Detection

  • Double-free detection: Identifies duplicate chunks in tcache/fastbins
  • Chunk overlap detection: Finds overlapping chunks from size corruption
  • Tcache poisoning: Detects corrupted tcache->next pointers
  • House of Force: Identifies corrupted top chunk sizes
  • Metadata corruption: Finds inconsistent PREV_INUSE flags
  • Unlink opportunities: Detects potentially exploitable free chunks

Exploitation Guidance

  • Attack suggestions: Provides exploitation strategies based on detected vulnerabilities
  • Prioritized findings: Sorts vulnerabilities by severity (critical → low)
  • Detailed chunk analysis: Deep dive into specific chunk metadata and contents

Future Enhancements

We're actively working to make HeapViz even more powerful! Here's what's on the roadmap:

  • Tcache improvements: Fix tcache parsing and enhance detection
  • Fastbin double-free detection: Extend coverage beyond tcache
  • Automated heap feng shui suggestions: Get smart recommendations for heap grooming
  • Backward heap walking: Navigate heap structures in reverse
  • Timeline/replay: Track and replay heap state changes over time
  • Safe-linking bypass detection: Support for glibc 2.32+ protections
  • Multi-arena support: Analyze complex multi-threaded heap layouts
  • House of Orange detection: Identify file stream exploitation opportunities
  • House of Force size calculator: Automate offset calculations
  • pwntools integration: Generate exploit templates automatically

Have ideas for other features? We'd love to hear them! See the Contributing section below.

Installation

Prerequisites

  • GDB with Python 3 support
  • pwndbg installed
  • Linux system with glibc heap

Quick Install

# Clone the repository
git clone https://github.com/VallarThorn/HeapViz.git
cd HeapViz

# Build test binaries
cd tests/test_binaries
make
cd ../..

Load in pwndbg

Add to your ~/.gdbinit for automatic loading:

# Add to ~/.gdbinit (replace with your actual path)
source ~/HeapViz/load.py

Or load manually in GDB:

gdb ./binary
(gdb) source ~/HeapViz/load.py

Usage

Basic Commands

heapviz

Primary command for complete heap analysis.

(gdb) run
(gdb) heapviz

Output includes:

  • Heap base address and arena information
  • List of all heap chunks with sizes and flags
  • Tcache bin contents
  • Detected vulnerabilities with severity levels
  • Exploitation suggestions

heapchunk <address>

Detailed analysis of a specific chunk.

(gdb) heapchunk 0x555555559000

Output includes:

  • Chunk metadata (size, prev_size, flags)
  • Status (free/in-use)
  • Free list pointers (fd/bk) if free
  • Raw memory dump (first 64 bytes)

Workflow Example

# 1. Start debugging your binary
gdb ./challenge

# 2. Set breakpoint after heap operations
(gdb) break main
(gdb) run

# 3. Step through to interesting point
(gdb) continue
(gdb) next

# 4. Analyze heap state
(gdb) heapviz

# 5. Investigate specific chunks
(gdb) heapchunk 0x555555559010

# 6. Review vulnerability findings and exploitation suggestions

Testing

Test Binaries

Three test binaries are included to demonstrate HeapViz capabilities:

1. Double-Free (double_free)

Demonstrates tcache double-free detection.

cd tests/test_binaries
gdb ./double_free
(gdb) source ../../load.py
(gdb) break double_free.c:33    # After double-free
(gdb) run
(gdb) heapviz

Expected detection:

  • CRITICAL: Double-free in tcache bin

2. Heap Overflow (heap_overflow)

Shows chunk metadata corruption and overlap detection.

gdb ./heap_overflow
(gdb) source ../../load.py
(gdb) run
(gdb) heapviz

Educational output:

  • Demonstrates chunk layout
  • Shows function pointer corruption concept

3. Use-After-Free (use_after_free)

Illustrates UAF exploitation via tcache reuse.

gdb ./use_after_free
(gdb) source ../../load.py
(gdb) break use_after_free.c:62  # After free, before reuse
(gdb) run
(gdb) heapviz

Demonstrates:

  • Tcache chunk reuse
  • Memory corruption via UAF

How It Works

Architecture

HeapViz Plugin
├── heap_parser.py        # Core heap structure parsing
│   ├── parse_chunk()     # Parse malloc_chunk metadata
│   ├── walk_heap()       # Traverse heap chunks
│   ├── parse_tcache()    # Parse tcache bins
│   └── analyze_heap()    # Main analysis entry point
│
├── attack_detector.py    # Vulnerability detection
│   ├── detect_double_free()
│   ├── detect_overlapping_chunks()
│   ├── detect_tcache_poisoning()
│   ├── detect_house_of_force()
│   └── analyze_heap_security()
│
└── __init__.py          # pwndbg command registration
    ├── heapviz          # Main command
    └── heapchunk        # Detailed chunk analysis

Heap Structure Parsing

malloc_chunk structure:

struct malloc_chunk {
    size_t prev_size;   // Size of previous chunk (if free)
    size_t size;        // Size of chunk | flags (P|M|N)

    // If free:
    struct malloc_chunk *fd;  // Forward pointer
    struct malloc_chunk *bk;  // Backward pointer
};

Flags:

  • P (PREV_INUSE): Previous chunk is in use
  • M (IS_MMAPPED): Chunk obtained via mmap
  • N (NON_MAIN_ARENA): Chunk belongs to non-main arena

Detection Algorithms

Double-Free Detection

  • Walks tcache free lists
  • Tracks visited addresses
  • Detects duplicates indicating double-free

Overlap Detection

  • Compares chunk boundaries
  • Identifies when chunk addresses fall within previous chunk ranges
  • Indicates size corruption or House of Force

Tcache Poisoning

  • Validates tcache->next pointers
  • Checks for non-canonical addresses
  • Detects suspiciously low addresses

Contributing

HeapViz is an open-source project and we welcome contributions from the community! Whether you're a seasoned exploit developer or just getting started with heap exploitation, there are many ways to get involved:

How You Can Help

  • Report bugs: Found an issue? Open a bug report with details about your environment and steps to reproduce
  • Suggest features: Have ideas for new vulnerability detections or analysis features? We'd love to hear them!
  • Improve documentation: Help us make the docs clearer and more comprehensive
  • Add test cases: Create new test binaries demonstrating different heap exploitation techniques
  • Submit pull requests: Implement new features, fix bugs, or improve existing code

Getting Started

  1. Fork the repository
  2. Create a feature branch: git checkout -b feature/your-feature-name
  3. Make your changes and test thoroughly with the included test binaries
  4. Submit a pull request with a clear description of your changes

Join the Community

  • Star this repository if you find it useful!
  • Share it with others working on CTF pwn challenges
  • Follow for updates on new features and vulnerability detections

Together, we can build the most comprehensive heap exploitation analysis tool for the CTF community!

License

MIT License - feel free to use HeapViz in your CTF competitions, security research, and educational projects.

About

Heap Visualizing plugin for pwndbg/gdb with browser display

Topics

plugin web gdb heap ctf pwndbg

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages