-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: Heap scanning with data structure detection #15
Comments
Sure, why not, looks very useful. But this might be implemented at very last phases because I'm planning to finish debugger&code injection engine first in order to give scanmem team more time to develop libscanmem. Also, there are missing features in libscanmem, I'll try to help developing it when this project reaches code scanning phase. My current plan follows as: setup.py-->refactoring of libPINCE for OOP usage-->basic debugger-->breakpoints-->code injection(single line then code cave injection)-->signal bypassing&Anti anti-debugger tricks in general-->final GUI tweaks/refactoring-->memory scanning-->pointer scanning&this feature
Well, someone had to get the boulder rolling 😃 |
The data of hooking all malloc()s is huge and backtracing takes quite some time. So if you want to do this, then you should know what to look for and filter before backtracing. Otherwise, real-time libs like openGL notice a problem and exit the game. ugtrain already has dynamic memory discovery/hacking/adaption based on malloc() hooking and LD_PRELOAD. It has awesome Chromium B.S.U., Cube 2: Sauerbraten and Warzone 2100 examples based on this. |
Thanks @sriemer, I'll keep that in mind. Also I have a few concerns about LD_PRELOAD trick. Firstly, you have to restart the game, which is a huge drawback on games that has different state saving mechanisms(some games even disallow you from quitting, check OneShot rpg for instance), we should find a runtime solution for that. Secondly, some games have protected binary loaders and they might detect libraries loaded by LD_PRELOAD easily by checking /proc/$pid/maps for non-trusted paths. |
I made a pointer scanner, no need to rely on LD_PRELOAD, debuger and hook, it will not be detected by the game, only need a memory dump file, and then the game does not even need to run. Maybe it will help you: scanmem/scanmem#431 |
@kekeimiku That looks very cool! But integrating it into PINCE is a bit unlikely since it's a direct extension of the scanmem functionality and it feels like it should be integrated into scanmem instead If you would like to integrate it as a 3rd party tool, maybe we could look into changing PointerSearcher-X output format to PINCE cheat table format so they would be compatible. If you are up for it, I can create a new issue with detailed info on the format for this kind of integration. It's up to you |
The PINCE cheat table doesn't seem to support resolving something like |
PINCE uses gdb in the background for symbol resolving and gdb supports symbols such as function names. You also have to stop the process to use any gdb functionality. PINCE internally uses the gdb API function More info on the symbols and gdb expressions: Maybe the command |
I think parsing |
The question was more about which project should implement symbol resolving for shared libraries. But on the second thought, it makes sense for PINCE to have this functionality because otherwise you'd have to launch PointerSearcher everytime to create a new cheat table
Yeah I agree, PINCE already uses a package called PINCE stores cheat tables in
Save this as a pct file and load it in PINCE. You can also view it in here for clarity Both entries have "No Description" as their description. First entry has the base address of "0x561be37b2529" and only one offset, which is 12 (0xC). Second entry has the base address of "0x561be37cb604" and it has two offsets, 4 and 32 in that order. Both entries have the Int32 type which is indicated by |
Why is |
@brkzlr Thanks for the explanation. I'll add a little more information on this value_index: Type of the value
It's the children of the entry. The table has the structure of a tree. The one I sent you is basically a list, so it has no child entries. The table below has an entry that has exactly one child. Load it in PINCE and observe for yourself:
|
@kekeimiku I've realized something about memory pages while working on your request. Not everything is a so file, there are multiple pages with different file extensions. For instance, |
Currently pointer searches only care about regions that have For pince, you only need to search the first Example: maps
Output of pointersearch It should be parsed as Output of pointersearch It should be parsed as My English is terrible/bad. please feel free to contact me if anything is unclear. |
Your English is very clear, don't worry
But, how are we going to reference such region? As I understand, we are going to parse the path and get the library name. If there's no path, how are we supposed to reference it? Did I miss something? Or did you mean to exclude those? |
If there is no path, we can ignore it. Can return an error if an |
So, do we exclude those rules then? I mean, ignore if |
We only need areas where the pathname is binary file. others can be ignored. |
Aight, thanks for clearing it up |
How do you feel about doing this in pointersearch, then just call scanmem/pointersearch. I mean resolve the address of the pointer chain. |
Maybe we can move all pointer search related functions to scanmem, pince only needs to focus on scanmem. |
Users will eventually want to use .so symbols in their scripts, it makes sense for libpince to have this kind of symbol recognition. Don't worry, I'll most likely finish this by tomorrow. I was focused on some visual bugs that I noted in the past but I'm done with them now |
I've finished it but need to optimize it a bit before releasing, sorry for the delay |
Aight, I've finished it. Enjoy using this new feature. There's one caveat about this feature. |
How does pince resolve pointer chains? Seems to be different than expected. For example
|
This conversation has been moved to discord to not derail the original subject further |
As soon as memory scanning is implemented, an additional feature allowing to detect simple data structures would be great.
For example, one could hook all
malloc
calls using theLD_PRELOAD
environment variable in order to detect allocated units and graphically outline this in the memory viewer. Furthermore, if a byte sequence within a block of allocated memory represents a valid heap or stack address, this could be graphically highlighted as a possible pointer.Thank you for the efforts which you put into this great project.
The text was updated successfully, but these errors were encountered: