TL;DR Use convolution to find type candidates, then solve system of equations to refine the result.

You are given a set of memory regions. And set of types (structures) that can possibly be present in the regions.

You can find locations of possible pointers (x86_64):

  • the positions are aligned to 8B,
  • values are from 0x0 to 0x7FFFFFFFFFFF,
  • values are of interest are aligned too.

You can thus distinguish pointer and non-pointer locations -- in the memory thanks to criteria above, within a structure type thanks to its declaration.

Let's denote c(x, t) a score that at memory location x is stored object of type t -- basically you NXOR pointer pattern of the type and [x, sizeof(t)) and count all ones. This will give you first estimate of what object might be in memory.

Further we define improved score as

s(x, t) = c(x, t) + sum(s(*(x+t), type) for offset, type in t.pointers)

I am not sure about analytic solution of s(x, t), however, an iterative method might converge to a valid result.

Why all this? Consider you have a core dump, where you mark all reachable (including glibc malloc internal structures) memory similarly to garbage collection operation. Then you take allocated (read allocator data) but unmarked memory and process it as desribed above. Voila, you should know now what types of objects your program leaked.

Looking for mad skills in:

Nothing? Add some keywords!

This project is part of:

Hack Week 15

Activity

  • about 2 years ago: mvidner liked Reverse engineer memory layout
  • about 2 years ago: mwilck liked Reverse engineer memory layout
  • about 2 years ago: wanghaisu liked Reverse engineer memory layout
  • about 2 years ago: vitezslav_cizek liked Reverse engineer memory layout
  • about 2 years ago: ptesarik started Reverse engineer memory layout
  • Show History

    Comments

    • mkoutny
      almost 2 years ago by mkoutny | Reply

      The idea is not completely stupid but there are still some challenges before being production ready. Good demo is with a systemd core. See README in the repo.

    Similar Projects

    This project is one of its kind!