heaptrace: heap debugger for tracking glibc heap operations
heaptrace
heaptrace is a heap debugger for tracking glibc heap operations in ELF64 (x86_64) binaries. Its purpose is to help visualize heap operations when debugging binaries or doing heap pwn.
- Prints out heap operations using symbols instead of pointers. This allows users to understand what is going on on the heap without having to compare pointer values at each operation.
- Detects some forms of heap corruption, double-free vulnerabilities, and memory leakage issues.
- Allows users to set "breakpoints" at any heap operation via `--break <number>` and `--break-after <number>`. When heaptrace reaches the requested heap operation number, it immediately detaches itself from the tracee (the target binary) and attaches the GNU debugger (gdb). This allows users to easily debug the heap interactively at any point.
- Automatically resolves symbols if available. If the binary is stripped, it attempts to automatically identify function offsets based on function signatures.
Use
heaptrace can debug a stripped ELF64, regardless of whether it's dynamically linked with ASLR or statically linked with PIE. In some cases, heaptrace can identify glibc function signatures in stripped binaries, but often it is not able to find the function addresses it needs. In those cases, users need to provide the addresses using the `-s`/`--symbols` argument.
If the binary is not stripped and heaptrace was able to resolve the symbols, users can still override the symbols with the same argument.
Argument Format
`-s`/`--symbols` is a comma-separated list of `symbol_name=symbol_value_exp` pairs.
- The symbol name may be one of `malloc`, `free`, `realloc`, and `calloc`.
- The symbol value expression is a value or a simple arithmetic expression (supports `+` and `-` operations only).
The symbol value expression may contain decimal integers (base 10), hexadecimal integers (base 16) prefixed with `0x`, octal integers (base 8) prefixed with `0o`, binary (base 2) integers prefixed with `0b`, and one of two variable names: `libc` and `bin`.
- The `libc` variable is the base of the glibc library at runtime. This is useful for specifying function offsets in glibc if the shared library's binary is stripped.
- The `bin` variable is the base of the ELF binary at runtime. This is useful in case PIE randomizes the position of the binary.
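The expression grammar above, implemented as an added example parser in C (this is not heaptrace's own code): it resolves a `-s`/`--symbols` string against runtime `libc` and `bin` bases that are assumed to already be known to the caller, and rejects unknown names, unsupported operators and malformed literals. The `symbols_t` type and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Resolved addresses for the four symbol names heaptrace accepts via -s/--symbols. */
typedef struct { uint64_t malloc, free, realloc, calloc; } symbols_t;
/* One integer literal: 0x hex, 0o octal, 0b binary, otherwise decimal. Advances *p. */
static uint64_t parse_int(const char **p, int *ok) {
    int base = (*p)[0] != '0' ? 10 : (*p)[1] == 'x' ? 16 : (*p)[1] == 'o' ? 8 : (*p)[1] == 'b' ? 2 : 10;
    if (base != 10) *p += 2;                /* skip the two-character prefix */
    char *end;
    uint64_t v = strtoull(*p, &end, base);
    if (end == *p) *ok = 0;                 /* prefix with no digits, e.g. "0x" alone */
    *p = end;
    return v;
}
/* Evaluate "term (+|-) term ..."; a term is a literal, libc or bin. Stops at ',' or NUL. */
static uint64_t eval_expr(const char **p, uint64_t libc, uint64_t bin, int *ok) {
    uint64_t acc = 0, term = 0;
    int sign = 1;
    for (;;) {
        if (!strncmp(*p, "libc", 4)) { term = libc; *p += 4; }
        else if (!strncmp(*p, "bin", 3)) { term = bin; *p += 3; }
        else if (**p >= '0' && **p <= '9') term = parse_int(p, ok);
        else *ok = 0;                       /* empty term or unknown variable */
        if (!*ok) return 0;
        acc = sign > 0 ? acc + term : acc - term;
        if (**p == '+') sign = 1;
        else if (**p == '-') sign = -1;
        else if (**p == ',' || **p == '\0') return acc;
        else { *ok = 0; return 0; }         /* unsupported operator, e.g. '*' */
        (*p)++;
    }
}
/* Parse the whole comma-separated name=expr list. Returns 1 on success, 0 on any error. */
int parse_symbols(const char *arg, uint64_t libc, uint64_t bin, symbols_t *syms) {
    const char *names[] = { "malloc", "free", "realloc", "calloc" }, *p = arg;
    uint64_t *slots[] = { &syms->malloc, &syms->free, &syms->realloc, &syms->calloc };
    memset(syms, 0, sizeof *syms);          /* unresolved symbols stay 0 */
    while (*p) {
        int i = 0, ok = 1;
        while (i < 4 && strncmp(p, names[i], strlen(names[i]))) i++;
        if (i == 4 || p[strlen(names[i])] != '=') return 0;  /* bad name or missing '=' */
        p += strlen(names[i]) + 1;
        *slots[i] = eval_expr(&p, libc, bin, &ok);
        if (!ok) return 0;
        if (*p == ',') p++;
    }
    return 1;
}
```

A call such as `parse_symbols("malloc=libc+0x9d0,free=bin+0o10-0b1", libc_base, bin_base, &s)` fills `s.malloc` and `s.free` and leaves `s.realloc` and `s.calloc` at 0.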
Install
Copyright (c) 2021, Aaron Esau