census / shadow
jemalloc heap exploitation framework
License: Other
I am using the commit c54da79f2ab5215901ee3b3c7e804802e2ef4c79
and it failed like this:
[shadow] parsing structures from memory...
[shadow] 2021-11-03 18:13:59
[shadow] error: cannot evaluate arenas[0]
Python Exception <type 'exceptions.SystemExit'> <type 'exceptions.SystemExit'>:
Error occurred in Python command: <type 'exceptions.SystemExit'>
If I use the latest version, it complains: Error occurred in Python command: No symbol "arena_bin_t" in current context
The jemalloc I am using is 5.2.1-0-gea6b3e973b477b8061e0076bb257dbd7f3faa756
How can I know what memory is still available for use in jemalloc?
I am using the malloc_stats_print() function.
Or is there any other mallctl_* function available for this?
This would be nice to have.
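The question above is what malloc_stats_print() already answers, once its output is reduced to a few totals. The following is an added example, not code from the issue, from shadow or from jemalloc: it parses either the JSON form of malloc_stats_print() (opts containing "J") or the human-readable report, and derives from the totals where a new allocation will be served from. The JSON key layout (`jemalloc.stats.*`) and the "Allocated: ..." summary line follow jemalloc 4.x/5.x as the author recalls them; the same totals are also readable one at a time with mallctl("stats.allocated") and friends after bumping "epoch". Both sample outputs are constructed for this example and were not captured from a real process.

```python
"""Added example, not code from the issue or from shadow: reduce
malloc_stats_print() output to the numbers behind "how much can jemalloc
still hand out without mapping more memory".

malloc_stats_print(write_cb, cbopaque, opts) writes JSON when opts contains
"J" (C: malloc_stats_print(NULL, NULL, "J"), or
MALLOC_CONF="stats_print:true,stats_print_opts:J" to dump at exit).
Without "J" it writes the human-readable report whose totals line starts
with "Allocated:". Key names and line format are assumed to match
jemalloc 4.x/5.x; both sample outputs below are constructed.
"""
import json
import re

FIELDS = ("allocated", "active", "metadata", "resident", "mapped", "retained")

# Constructed jemalloc 5-style outputs (not captured from a real process).
SAMPLE_JSON = json.dumps({"jemalloc": {
    "version": "5.x (constructed)",
    "stats": {"allocated": 1048576, "active": 1310720, "metadata": 262144,
              "metadata_thp": 0, "resident": 1835008, "mapped": 2097152,
              "retained": 4194304},
}})
SAMPLE_TEXT = """___ Begin jemalloc statistics ___
Version: "5.x (constructed)"
Build-time option settings
  config.debug: false
Allocated: 1048576, active: 1310720, metadata: 262144 (n_thp 0), resident: 1835008, mapped: 2097152, retained: 4194304
"""
# jemalloc 3.x prints only three totals; fields it lacks come back as 0.
SAMPLE_TEXT_OLD = "Allocated: 4096, active: 8192, mapped: 4194304\n"


def parse_stats(text):
    """Return {field: int} for FIELDS from JSON or human-readable output."""
    text = text.strip()
    if text.startswith("{"):
        stats = json.loads(text)["jemalloc"]["stats"]
        return {k: int(stats.get(k, 0)) for k in FIELDS}
    for line in text.splitlines():
        if line.lstrip().startswith("Allocated:"):
            # "(n_thp 0)" carries no colon, so the pattern skips it by itself.
            pairs = re.findall(r"([A-Za-z_]+):\s*(\d+)", line)
            found = {k.lower(): int(v) for k, v in pairs}
            return {k: found.get(k, 0) for k in FIELDS}
    raise ValueError("no jemalloc totals line found")


def headroom(stats):
    """Split jemalloc's holdings into what a new allocation is served from.

    free_in_active:    bytes in pages that back live allocations but are not
                       handed out (free regions of partially used runs/slabs).
                       A small request of a matching size class lands here
                       first; it is also the slack filled during heap grooming.
    mapped_not_active: mapped bytes backing no live allocation (dirty/muzzy
                       pages plus metadata pages), reused before any new mmap().
    retained:          address ranges purged but kept; reusable without new
                       address space, at the cost of fresh page faults.
    fragmentation_pct: free_in_active as a share of active.
    """
    active, allocated = stats["active"], stats["allocated"]
    free_in_active = max(active - allocated, 0)
    return {
        "free_in_active": free_in_active,
        "mapped_not_active": max(stats["mapped"] - active, 0),
        "retained": stats["retained"],
        "fragmentation_pct": round(100.0 * free_in_active / active, 1) if active else 0.0,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_JSON, SAMPLE_TEXT, SAMPLE_TEXT_OLD):
        print(headroom(parse_stats(sample)))
```

Feed it the text written by `malloc_stats_print(NULL, NULL, "J")` (or the plain report) and read `free_in_active` first: that is the memory jemalloc will hand out for matching size classes before it touches anything else, which is also why it is the number to watch when grooming a jemalloc heap.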
(gdb) set architecture arm
The target architecture is assumed to be arm
(gdb) target remote:5039
Remote debugging using :5039
0xb6ec4864 in ?? ()
(gdb) source gdb_driver.py
(gdb) jeparse
[shadow] parsing structures from memory...
[shadow] 2017-10-03 17:29:56
Python Exception <class 'TypeError'> unsupported operand type(s) for *: 'NoneType' and 'int':
Error occurred in Python command: unsupported operand type(s) for *: 'NoneType' and 'int'
My Python version is 2.7.6 and I use gdb-multiarch on Ubuntu and set architecture arm.
Hey, and thanks for this amazing project.
I'm trying to work with it and it keeps crashing with some unknown error from Python.
My phone is based on Android 7 64-bit (and rooted, of course), but when I run jeparse I get the following exception:
Reading /system/bin/linker64 from remote target...
0x0000007e6a11cb6c in __epoll_pwait () from target:/system/lib64/libc.so
(gdb) source /home/galel/Desktop/android_debug/gdb_shadow_env/shadow/gdb_driver.py
(gdb) jeparse -v -c /home/galel/Desktop/android_debug/gdb_shadow_env/shadow/cfg/android7_64.cfg
[shadow] parsing configuration...
[shadow] parsing structures from memory...
[shadow] 2020-03-24 06:24:38
Python Exception <type 'exceptions.KeyError'> ('542289989448',):
Error occurred in Python: ('542289989448',)
The debug.log file looks as follows:
parse_general()
parse_chunks()
chunk @ 0x7e42a00000
chunk @ 0x7e43000000
chunk @ 0x7e43200000
chunk @ 0x7e43400000
chunk @ 0x7e43600000
chunk @ 0x7e43800000
chunk @ 0x7e43a00000
chunk @ 0x7e44000000
chunk @ 0x7e46400000
chunk @ 0x7e47e00000
chunk @ 0x7e48c00000
chunk @ 0x7e49400000
chunk @ 0x7e49c00000
chunk @ 0x7e4a600000
skipping non-page aligned chunk address 0x7e5f5cb900
chunk @ 0x7e4cc00000
chunk @ 0x7e5f400000
chunk @ 0x7e62000000
chunk @ 0x7e69a00000
parse_all_runs()
parsing chunk @ 0x7e42a00000
[0000] mapelm = 0x441
small run
offset = 0x0
binind = 0x22
size = 0x3000
run_hdr = 0x7e42a01018
addr = 0x7e42a0c000
[0001] mapelm = 0x2441
small run
offset = 0x1000
[0002] mapelm = 0x4441
small run
offset = 0x2000
[0003] mapelm = 0x441
small run
offset = 0x0
binind = 0x22
size = 0x3000
run_hdr = 0x7e42a01120
addr = 0x7e42a0f000
[0004] mapelm = 0x2441
small run
offset = 0x1000
[0005] mapelm = 0x4441
small run
offset = 0x2000
[0006] mapelm = 0x3c1
small run
offset = 0x0
binind = 0x1e
size = 0x3000
run_hdr = 0x7e42a01228
addr = 0x7e42a12000
..
..
..
until
[0476] mapelm = 0x6321
small run
offset = 0x3000
[0477] mapelm = 0x8321
small run
offset = 0x400
and it just stops here...
I've used the gdbserver that you've added with the source of this project and also tested the latest version of the Android NDK's gdbserver.
For the client I've also used gdb from the linux86_64 prebuilt dir (compiled with Python 2.7.5), which works fine with everything besides the shadow plugin.
(I also tried with gdb-multiarch and it didn't go well either...)
Is the shadow project also okay to use with jemalloc 3.6?
I am getting some symbol-mismatch-like errors.
I've managed to get it working. Please delete.
Hi Argp:
I want to use your wonderful tool, CENSUS/shadow, to analyze the jemalloc layout of a coredump. I installed all the tools, including pyrsistence, gdb for Android and shadow, then loaded the coredump file with gdb and parsed jemalloc with jeparse, but it always fails. Can you kindly tell me why? Does shadow support the local gdb coredump mode? Thanks very much.
(gdb) source shadow-master/gdb_driver.py
[shadow]init
(gdb) jeparse -c shadow-master/cfg/android8_32.cfg
[shadow] configuration file found
[shadow] parsing configuration...
[shadow] parsing structures from memory...
[shadow] 2018-07-03 13:13:29
Python Exception <class 'gdb.error'> unable to handle request:
Error occurred in Python command: unable to handle request
My phone is based on Android 6 32-bit, but when I run jeparse it returns the following:
(gdb) jeparse
[shadow] parsing structures from memory...
[shadow] 2017-12-04 18:26:57
Python Exception <class 'gdb.MemoryError'> Cannot access memory at address 0x12:
I also tried "jeparse -c android6-32.cfg", and it returns the same error. Is there something wrong with the cfg file?
E.g. this computation only makes sense on 32-bit:
new_run.reg0_offset = dbg.read_memory(new_run.bin_addr +
(9 * jeheap.DWORD_SIZE), jeheap.DWORD_SIZE, proc)
Is it possible to use the debug information for these offsets instead of hardcoding offsets?
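One way to do what the issue above asks for, as an added example that is not shadow's own code: with symbols loaded, GDB's Python API exposes the struct layout from DWARF (gdb.Type.fields(), each gdb.Field carrying .name, .bitpos, .bitsize and .type), so a member offset can be computed, and the member read, without a `9 * DWORD_SIZE`-style constant that encodes one build's layout. The struct and member names (arena_bin_info_t, reg0_offset) and the layout of the constructed type used for the offline self-check are assumptions for illustration and are not jemalloc's real layout; `read_member()` is the only part that needs a live GDB session. The code stays Python 2.7 compatible because that is the interpreter the posters' GDBs embed.

```python
"""Added example, not shadow's own code: take struct member offsets from the
debug information GDB already has instead of hard-coding them.

gdb.Type.fields() returns gdb.Field objects with .name (None for an anonymous
union/struct), .bitpos (bit offset from the start of the aggregate; absent
for static members), .bitsize (non-zero for bitfields) and .type.
The struct/member names arena_bin_info_t / reg0_offset below are assumptions
taken from the issue, and the constructed 64-bit layout is made up for the
offline self-check; it is not jemalloc's real arena_bin_info_t.
"""
try:
    import gdb  # only importable inside a GDB process
except ImportError:  # offline self-check
    gdb = None


def _find_member(agg, name):
    """Depth-first lookup that descends into anonymous unions/structs, whose
    members C lets you address as if they belonged to the parent."""
    for f in agg.fields():
        bitpos = getattr(f, "bitpos", None)
        if bitpos is None:  # static member: occupies no storage in the object
            continue
        if f.name == name:
            return bitpos, f
        if f.name is None:
            inner = _find_member(f.type.strip_typedefs(), name)
            if inner is not None:
                return bitpos + inner[0], inner[1]
    return None


def member_offset(struct_type, path):
    """Byte offset of the dotted member `path` ("a.b.c") inside struct_type."""
    offset_bits = 0
    cur = struct_type.strip_typedefs()
    for member in path.split("."):
        hit = _find_member(cur, member)
        if hit is None:
            raise KeyError("%s: no member %r" % (cur, member))
        bitpos, field = hit
        if getattr(field, "bitsize", 0):
            raise ValueError("%r is a bitfield and has no byte offset" % member)
        offset_bits += bitpos
        cur = field.type.strip_typedefs()
    return offset_bits // 8


def read_member(addr, type_name, path):
    """GDB-only: read `path` of the `type_name` object at `addr` as an int via a
    typed cast, so size and offset both come from DWARF. Replaces
    dbg.read_memory(bin_addr + 9 * DWORD_SIZE, DWORD_SIZE) for reg0_offset:
        read_member(bin_addr, "arena_bin_info_t", "reg0_offset")
    (type/member names assumed; check them against your jemalloc build)."""
    if gdb is None:
        raise RuntimeError("read_member needs the gdb module")
    val = gdb.parse_and_eval("*(%s *)%#x" % (type_name, addr))
    for member in path.split("."):
        val = val[member]
    return int(val)


class FakeField(object):
    def __init__(self, name, bitpos, type_, bitsize=0):
        self.name, self.bitpos, self.type, self.bitsize = name, bitpos, type_, bitsize


class FakeType(object):
    """Minimal stand-in for gdb.Type used by the offline self-check."""
    def __init__(self, name, fields=()):
        self.name, self._fields = name, list(fields)

    def strip_typedefs(self):
        return self

    def fields(self):
        return list(self._fields)

    def __str__(self):
        return self.name


def constructed_bin_info_64():
    """Made-up 64-bit layout (bit positions), not jemalloc's real struct:
        size_t   reg_size;       // byte 0
        size_t   redzone_size;   // 8
        size_t   reg_interval;   // 16
        size_t   run_size;       // 24
        uint32_t nregs;          // 32 (+4 padding)
        union { struct { uint32_t nbits, ngroups; } bitmap_info;
                uint64_t raw; }; // 40, anonymous
        uint32_t reg0_offset;    // 48  (a 32-bit hard-code of 9*4 = 36 misses it)
    """
    u32, u64, size_t = FakeType("uint32_t"), FakeType("uint64_t"), FakeType("size_t")
    bitmap = FakeType("struct bitmap_info_s",
                      [FakeField("nbits", 0, u32), FakeField("ngroups", 32, u32)])
    anon = FakeType("union {...}",
                    [FakeField("bitmap_info", 0, bitmap), FakeField("raw", 0, u64)])
    return FakeType("arena_bin_info_t", [
        FakeField("reg_size", 0, size_t), FakeField("redzone_size", 64, size_t),
        FakeField("reg_interval", 128, size_t), FakeField("run_size", 192, size_t),
        FakeField("nregs", 256, u32), FakeField(None, 320, anon),
        FakeField("reg0_offset", 384, u32),
    ])


if __name__ == "__main__":
    t = constructed_bin_info_64()
    print("reg0_offset @ %d bytes (9 * 4 = 36 would be wrong)" % member_offset(t, "reg0_offset"))
```

Inside GDB, `member_offset(gdb.lookup_type("arena_bin_info_t"), "reg0_offset")` gives the offset for whatever build is loaded, and a KeyError rather than a silently wrong read when the member is missing, which is the same failure the "No symbol ... in current context" and "There is no member named reg_size" reports elsewhere on this page surface.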
I got an error when running the symhex tool:
> symhex.py C:\Users\huyna\Desktop\xul.pdb
Traceback (most recent call last):
File "Z:\PhanTichLoi-Firefox\shadow\auxiliary\symhex.py", line 65, in <module>
symbol_obj = symbol.symbol(udt_str[symbol_data.udtKind], symbol_data.name, \
AttributeError: 'module' object has no attribute 'symbol'
How can I fix it?
I ran into this error when running jeparse:
[shadow] parsing structures from memory...
[shadow] 2021-08-13 21:59:53
Python Exception <class 'gdb.error'> There is no member named reg_size.:
/tmp/NuGetScratch/pwnFZf_Yt.gdb:4: Error in sourced command file: Error occurred in Python: There is no member named reg_size.
I'm running a jemalloc 2.2.5 standalone debug build and GDB 10.1.90.20210103-git with a Python 3.9.2 interpreter.
The path variable does not seem to get passed to EMList properly for some reason. Python really isn't my language of choice, so I don't really know how to fix it. I've tried to set the path variable with tempfile.gettempdir(). I can see that storage_path is set as a global variable and is set with tempfile.gettempdir(), so I thought doing that might remedy the problem, but it didn't.
0:084> !py C:\Users\aaa\AppData\Local\Temp\shadow\pykd_driver.py jechunks
Traceback (most recent call last):
File "C:\Users\aaa\AppData\Local\Temp\shadow\pykd_driver.py", line 59, in <module>
shadow.dump_chunks()
File "C:\Users\aaa\AppData\Local\Temp\shadow\shadow.py", line 1344, in dump_chunks
jeheap = load_jeheap(path)
File "C:\Users\aaa\AppData\Local\Temp\shadow\shadow.py", line 151, in load_jeheap
return jemalloc.jemalloc(path=path)
File "C:\Users\aaa\AppData\Local\Temp\shadow\jemalloc.py", line 34, in __init__
self.chunks = EMList(")/chunks" 7ffad203502bath) <<<<<<<<<<<<<<<< An address. ????????
RuntimeError: Cannot open EMList
I am debugging on Android 5.1.0. How can I create the cfg for my device?
I've been trying to run shadow, following the steps highlighted, but I don't know why I keep getting something like a Python compilation error. Typing
!load pykd.pyd
does not seem to work for me; every time I run !load pykd.pyd I get this error:
"The system cannot find the file specified. Please check your debugger configuration and/or network access"
Instead I just stick to using
!load pykd
but after running !load pykd, running
!py c:\tmp\shadow\pykd_driver help
gives this error:
:000> !py C:\tmp\shadow\pykd_driver help
import shadow
File "C:\tmp\shadow\shadow.py", line 53, in
xul_version = dbg.get_xul_version()
File "C:\tmp\shadow\pykd_engine.py", line 65, in get_xul_version
version = pykd.loadCStr(pykd.module('xul').offset('gToolkitVersion'))
I just can't seem to get it to work, even though I have moved the pykd 0.30 version DLL file into the winext folder as stated in the installation file... I don't know why I can't get it to work.
Thanks for your time
How can shadow be used for Linux applications?
Hello,
I am trying to exploit a double free bug on an Android emulator as a learning exercise and would like to use shadow to help develop the exploit. I am trying to develop this exploit for Android 9, and unfortunately there is no Android 9 ARM emulator available. I was wondering if there were any plans to support Android x86 and, if not, how I would go about adding support myself. Is it as simple as changing the values and offsets in the android9_32.cfg file to match what is true for the x86 version of jemalloc, or would it be more complicated than that?
Thanks
Any ideas how to create the xul pkl files?
1:052> !py C:\Users\nopnopnop\Desktop\shadow-master\pykd_driver symbol -d 96
Traceback (most recent call last):
File "C:\Users\nopnopnop\Desktop\shadow-master\pykd_driver.py", line 189, in
from_xul = xul, from_dom = dom)
File "C:\Users\nopnopnop\Desktop\shadow-master\shadow.py", line 1047, in dump_symbol
pfd = open(xul_symbols_pickle, 'rb')
IOError: [Errno 2] No such file or directory: 'C:\Users\nopnopnop\Desktop\shadow-master\pdb\xul-50.0.pdb.pkl'