danigargu / heap-viewer Goto Github PK

• IDA Ver: Using IDA 7.6
• Debugged binary: ELF, ARM

got the following message -

[HeapViewer] Tracer enabled
IDAPython: Error while calling Python callback :
Traceback (most recent call last):
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\plugin_gui.py", line 32, in OnCreate
self.setup_gui()
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\plugin_gui.py", line 42, in setup_gui
self.magic_widget = MagicWidget(self)
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\widgets\magic.py", line 24, in init
self._create_gui()
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\widgets\magic.py", line 45, in _create_gui
self.io_file_widget = IOFileWidget(self)
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\widgets\magic.py", line 579, in init
self.cb_struct_changed(0)
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\widgets\magic.py", line 630, in cb_struct_changed
self.show_struct(address, struct_name)
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\widgets\magic.py", line 687, in show_struct
io_file_struct = io_file.parse_structs(address)
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\io_file.py", line 190, in parse_structs
io_jump_data = get_struct(io_file_data.vtable, structs.vtable)
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\misc.py", line 25, in get_struct
assert idaapi.is_loaded(address) == True, "Can't access memory at 0x%x" % address
AssertionError: Can't access memory at 0x0
Exception in ida_dbg.DBG_Hooks dispatcher function: SWIG director method error. Error detected when calling 'DBG_Hooks.dbg_bpt'
Traceback (most recent call last):
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\tracer.py", line 82, in dbg_bpt
ret_addr = self.get_return_address()
File "C:/Users/XXX/AppData/Roaming/Hex-Rays/IDA Pro/plugins\heap_viewer\tracer.py", line 65, in get_return_address
esp = get_reg_value(self.regs['SP'])
File "C:\Program Files\IDA Pro 7.6\python\3\ida_dbg.py", line 4532, in get_reg_val
return _ida_dbg.get_reg_val(*args)
Exception: Failed to retrieve register value

maybe its because its never tested on 7.6 or on ARM.. not sure.

The plugin can't work on my IDA 7.0

Traceback (most recent call last):
  File "D:/software/IDA 7.0/plugins\heap_viewer\plugin_gui.py", line 139, in reload_gui_info
    self.populate_arenas()
  File "D:/software/IDA 7.0/plugins\heap_viewer\plugin_gui.py", line 165, in populate_arenas
    for addr, arena in self.heap.arenas():
  File "D:/software/IDA 7.0/plugins\heap_viewer\ptmalloc.py", line 642, in arenas
    arena = self.get_arena() # main_arena
  File "D:/software/IDA 7.0/plugins\heap_viewer\ptmalloc.py", line 619, in get_arena
    return get_struct(address, self.malloc_state_s)
  File "D:/software/IDA 7.0/plugins\heap_viewer\misc.py", line 25, in get_struct
    assert idaapi.is_loaded(address) == True, "Can't access memory at 0x%x" % address
  File "D:\software\IDA 7.0\python\ida_bytes.py", line 284, in is_loaded
    return _ida_bytes.is_loaded(*args)
TypeError: Expected an ea_t type

It seems a type error

emm,,,,I configure and install like the README.md

yeah ,something is ok, IDA reminder me "Please wait",so ,I wait,wait,wait....

And I find that the IDA are taking up more memory,,,finally the IDA crash

is memory leak?

I may just be overlooking something, but I note that in the misc.py "add_malloc_chunk_struct" function, the struct size is declared as 56 bytes.

125: struct_size = 7*ptr_size

This struct only has six member, and on 64bit platforms, each of the structs in 8 bytes, so aasuming there is no odd struct padding/packing, shouldn't it only be 48 bytes? E.g.

struct_size = 6*ptr_size

A small C test program will also print the struct size out as 48.

#include <stdio.h>

int main() {

struct malloc_chunk;
typedef struct malloc_chunk* mchunkptr;

#define INTERNAL_SIZE_T size_t

struct malloc_chunk {

    INTERNAL_SIZE_T      mchunk_prev_size;  /* Size of previous chunk (if free).  */
    INTERNAL_SIZE_T      mchunk_size;       /* Size in bytes, including overhead. */

    struct malloc_chunk* fd;         /* double links -- used only if free. */
    struct malloc_chunk* bk;

    /* Only used for large blocks: pointer to next larger size.  */
    struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */
    struct malloc_chunk* bk_nextsize;
};

  struct malloc_chunk getsize;

  printf("The size of the malloc_chunk struct is: %lu \n", sizeof(getsize));

}

Traceback (most recent call last):
  File "~/plugins\heap_viewer\plugin_gui.py", line 141, in reload_gui_info
    self.arena_widget.populate_table()
  File "~/plugins\heap_viewer\widgets\arena.py", line 131, in populate_table
    parsed_heap = self.heap.parse_heap(cur_arena)
  File "~/plugins\heap_viewer\ptmalloc.py", line 533, in parse_heap
    status = self.get_chunk(chunk_addr + real_size).prev_inuse
  File "~/plugins\heap_viewer\ptmalloc.py", line 466, in get_chunk
    return get_struct(address, self.malloc_chunk_s)
  File "~/plugins\heap_viewer\misc.py", line 25, in get_struct
    assert idaapi.is_loaded(address) == True, "Can't access memory at 0x%x" % address
AssertionError: Can't access memory at 0x939a000

heap-data:

Will there be a version for Windows Heap?

When running the plugin I get the following message. [HeapViewer] Executable must be ELF fomat

How to handle this?

Hi, when i open ida 7.0 on Mac, the plugin occours the error :"cannot import name PLUGNAME" in line 18.

Thank you for this great plugin!

I found a bug in Magic window's "useful libc offset" .

When I use "read(fd,buf,size)" function in ELF, it's imported and IDA Pro will name this as extern symbol.

extern:0000000000601060 extrn read:near 

And this causes bug below. (It was calculated as 0x601060 - libc_base)

open	0xf7030	
read	0x-7fe70ac0afa0	
write	0xf72b0	

As a reverse engineer, IDA is much more attractive than gdb!

cant detect freed chunk