Skip to main content

Debugging Tools for Heap Exploitation

When working with how2heap examples, specialized GDB plugins provide crucial visibility into heap internals. These tools help you understand heap state, track allocations, and analyze exploitation techniques in real-time.
All three tools (Pwngdb, pwndbg, and gef) are GDB plugins that extend GDB’s functionality specifically for binary exploitation and heap analysis.

Available Tools

Pwngdb

Examine glibc heap structures in GDB

pwndbg

Exploitation-centric GDB plugin

gef

Enhanced GDB with heap inspection

Pwngdb

Overview

Pwngdb is a GDB plugin specifically designed to examine the glibc heap. It provides commands and visualizations that make understanding heap layout and structures more intuitive. Repository: https://github.com/scwuaptx/Pwngdb

Installation

# Clone the repository
git clone https://github.com/scwuaptx/Pwngdb.git
cd Pwngdb

# Install dependencies
./installPwngdb.sh

# Add to your .gdbinit
echo "source $(pwd)/pwngdb.py" >> ~/.gdbinit

Using with how2heap

When debugging how2heap examples, Pwngdb helps you:
  1. View heap chunks - Visualize chunk headers and metadata
  2. Track freelists - Examine fastbin, tcache, and unsorted bin states
  3. Analyze heap layout - Understand memory organization
# Compile a how2heap example
make base

# Debug with GDB
gdb ./fastbin_dup

# Set breakpoints at key points
(gdb) break malloc
(gdb) break free
(gdb) run
Pwngdb is particularly useful for understanding the state of freelists before and after exploitation primitives.

pwndbg

Overview

pwndbg is an exploitation-centric GDB plugin that provides comprehensive heap analysis capabilities. It offers commands to view and manipulate the glibc heap with detailed formatting and color coding. Repository: https://github.com/pwndbg/pwndbg

Installation

# Clone the repository
git clone https://github.com/pwndbg/pwndbg
cd pwndbg

# Install (automatically updates .gdbinit)
./setup.sh

Key Features

pwndbg provides several heap-specific commands:
  • heap - Display heap chunks
  • bins - Show fastbins, tcache, and other freelists
  • arena - Display arena information
  • vis_heap_chunks - Visual representation of heap layout
  • find_fake_fast - Find potential fake fastbin targets

Using with how2heap Examples

# Debug a how2heap technique
gdb ./tcache_poisoning

# In GDB with pwndbg
(gdb) start
(gdb) heap              # View heap chunks
(gdb) bins              # Check freelist state
(gdb) continue
(gdb) bins              # Observe changes after exploitation

# Compile the example
make base

# Start debugging
gdb ./fastbin_dup

# Set breakpoint after first free
(gdb) break fastbin_dup.c:25
(gdb) run

# Examine fastbin state
(gdb) bins
# You'll see the freed chunk in the fastbin

# Continue to double free
(gdb) continue

# Check fastbin again
(gdb) bins
# Notice the duplicated entry

gef

Overview

gef (GDB Enhanced Features) is another excellent GDB plugin with robust heap examination capabilities. It provides a modern, user-friendly interface with extensive heap analysis commands. Repository: https://github.com/hugsy/gef

Installation

# Install via bash one-liner
bash -c "$(curl -fsSL https://gef.blah.cat/sh)"

# Or manual installation
wget -O ~/.gdbinit-gef.py -q https://gef.blah.cat/py
echo "source ~/.gdbinit-gef.py" >> ~/.gdbinit
gef, pwndbg, and Pwngdb can conflict if sourced in the same .gdbinit. Use separate GDB initialization files or comment out plugins you’re not using.

Key Features

gef provides comprehensive heap commands:
  • heap chunks - Display all heap chunks
  • heap bins - Show freelist contents
  • heap arenas - List all arenas
  • heap analysis - Perform security checks on heap
  • heap-analysis-helper - Find exploitable conditions

Using with how2heap

# Debug a technique
gdb ./house_of_spirit

# In GDB with gef
gef➤ start
gef➤ heap chunks          # View current heap state
gef➤ heap bins            # Check freelist state
gef➤ break *0x400123      # Set breakpoint
gef➤ continue
gef➤ heap analysis        # Run security analysis

Integration with how2heap Examples

gef excels at visualizing complex heap states: 
# Example: Debugging overlapping_chunks
gdb ./overlapping_chunks

gef➤ break overlapping_chunks.c:40
gef➤ run
gef➤ heap chunks
# Observe chunk sizes and positions

gef➤ continue
gef➤ heap chunks
# See the overlapping chunk after exploitation

Tool Comparison

FeaturePwngdbpwndbggef
Heap visualization✓✓✓✓
Freelist inspection✓✓✓✓
Active development
Ease of installation✓✓
Documentation✓✓
Community support✓✓
Recommendation: For beginners, start with gef for its excellent documentation and user-friendly interface. Advanced users often prefer pwndbg for its comprehensive feature set.

Workflow for Debugging how2heap Examples

Basic Workflow

  1. Compile the example
make base
# Or for specific glibc version
H2H_USE_SYSTEM_LIBC=N make v2.31
  1. Start debugging
gdb ./example_binary
  1. Set strategic breakpoints
(gdb) break malloc
(gdb) break free
(gdb) break main
  1. Run and observe
(gdb) run
(gdb) heap chunks    # or appropriate command for your plugin
(gdb) bins
  1. Step through exploitation
(gdb) next
(gdb) bins           # Observe freelist changes
(gdb) continue

Advanced Debugging Techniques

# Break when specific chunk is freed
(gdb) break free if $rdi == 0x555555559260

# Break on specific malloc size
(gdb) break malloc if $rdi == 0x80

# Watch for writes to chunk metadata
(gdb) watch *(unsigned long*)0x555555559250

# Watch tcache structure
(gdb) watch tcache_perthread_struct

# Save as heap_watch.py
import gdb

class HeapWatcher(gdb.Command):
    def __init__(self):
        super(HeapWatcher, self).__init__("heapwatch", gdb.COMMAND_USER)
    
    def invoke(self, arg, from_tty):
        # Custom heap analysis logic
        gdb.execute("heap chunks")
        gdb.execute("bins")

HeapWatcher()
Load in GDB:
(gdb) source heap_watch.py
(gdb) heapwatch

Tips for Effective Debugging

Use Context

Keep the context command enabled to see registers, stack, and code simultaneously

Save Sessions

Use save breakpoints and GDB’s logging to preserve debugging sessions

Compare States

Take heap snapshots before and after operations to understand changes

Read Source

Always have the source code open alongside GDB to correlate execution with code

Next Steps

Heap Viewers

Visualize heap operations with specialized tools

Tutorials

Learn from comprehensive heap exploitation tutorials

Build docs developers (and LLMs) love

Get started for freeTalk to us