Skip to main content

Heap Visualization Tools

Heap viewers provide graphical and symbolic representations of heap operations, making it easier to understand complex heap states and trace exploitation techniques. These tools complement command-line debuggers by offering intuitive visualizations.
Visualization tools are particularly valuable when learning new techniques or debugging complex heap manipulations with multiple freelists.

Available Tools

heap-viewer

IDA Pro plugin for heap analysis

heaptrace

Symbolic heap operation visualization

heap-viewer

Overview

heap-viewer is an IDA Pro plugin designed to examine the glibc heap during static and dynamic analysis. It provides a graphical interface for navigating heap structures, viewing chunk metadata, and tracking allocations. Repository: https://github.com/danigargu/heap-viewer

Features

  • Visual heap layout - Graphical representation of heap chunks
  • Chunk inspection - Detailed metadata viewing
  • Arena tracking - Monitor multiple arenas
  • Tcache analysis - Examine tcache structures
  • Freelist visualization - See fastbins, smallbins, largebins
  • Integration with IDA - Seamless workflow within IDA Pro

Installation

# Clone the repository
git clone https://github.com/danigargu/heap-viewer.git

# Copy to IDA plugins directory
cd heap-viewer
cp -r heap_viewer.py ~/.idapro/plugins/
cp -r heap_viewer/ ~/.idapro/plugins/

# Or use IDA's plugin manager
# File -> Script file -> Navigate to heap_viewer.py
heap-viewer requires IDA Pro 7.x or later and works best with 64-bit Linux binaries.

Using with how2heap Examples

Setup

  1. Compile how2heap example with symbols
make base
# Binaries will have debug symbols for better analysis
  1. Load in IDA Pro
idat64 ./fastbin_dup
  1. Activate heap-viewer
  • Go to View -> Open subviews -> Heap Viewer
  • Or press Ctrl+Alt+H

Analyzing Techniques

Step 1: Set up dynamic debugging
  • In IDA, select Debugger -> Run
  • Set breakpoints at malloc/free calls
Step 2: View initial heap state
  • Open heap-viewer window
  • You’ll see the initial heap layout with the main arena
Step 3: Step through allocations
// After malloc(8) calls
// heap-viewer shows allocated chunks in green
Step 4: Track free operations
// After free(a)
// heap-viewer highlights the freed chunk
// Shows it in the fastbin freelist
Step 5: Observe double free
// After free(a) is called twice
// heap-viewer displays the corrupted fastbin
// You can see the circular reference

Workflow Integration

Static Analysis Workflow

  1. Identify heap operations
  • Use IDA’s cross-references to find malloc/free calls
  • heap-viewer can annotate these in the disassembly
  1. Analyze chunk structures
  • Right-click on memory addresses to view as heap chunks
  • Inspect chunk metadata (size, flags, fd, bk pointers)
  1. Track data flow
  • Follow pointers between heap structures
  • Understand relationships between chunks

Dynamic Analysis Workflow

  1. Set breakpoints
# In IDA Python console
import idaapi
idaapi.add_bpt(0x400123)  # Address of critical operation
  1. Run to breakpoint
  • Debugger will pause at key moments
  • heap-viewer updates with current heap state
  1. Inspect heap
  • View current chunk allocations
  • Check freelist states
  • Verify exploitation primitives
  1. Single-step through exploitation
  • Use F7 (step into) or F8 (step over)
  • Watch heap state change in real-time
heap-viewer’s graphical interface makes it excellent for presentations and teaching, as students can visually see heap corruption.

Limitations

  • Requires IDA Pro (commercial software)
  • Primarily supports glibc heap implementation
  • May have compatibility issues with latest glibc versions
  • Dynamic analysis requires IDA debugger setup

heaptrace

Overview

heaptrace is a lightweight tool that helps visualize heap operations by replacing memory addresses with symbolic names. It traces malloc, calloc, realloc, and free calls, producing human-readable output that makes understanding heap behavior much easier. Repository: https://github.com/Arinerron/heaptrace

Features

  • Symbolic addressing - Replaces addresses with readable names (e.g., chunk_0, chunk_1)
  • Operation tracking - Logs all heap operations with timestamps
  • Freelist visualization - Shows freelist state symbolically
  • Lightweight - Minimal performance overhead
  • No debugger required - Works through LD_PRELOAD

Installation

# Clone the repository
git clone https://github.com/Arinerron/heaptrace.git
cd heaptrace

# Build
make

# Install (optional)
sudo make install

Basic Usage

# Run any binary with heaptrace
./heaptrace ./your_binary

# Or use LD_PRELOAD
LD_PRELOAD=./heaptrace.so ./your_binary

# Save output to file
./heaptrace ./your_binary > heap_trace.log

Using with how2heap Examples

# Compile the example
make base

# Run with heaptrace
./heaptrace ./tcache_poisoning
Output will look like:
[+] malloc(128) = chunk_0 (0x555555559260)
[+] malloc(128) = chunk_1 (0x5555555592f0)
[+] free(chunk_0)
[!] tcache[128]: chunk_0 -> NULL
[+] Corrupting chunk_0->next to point to target
[+] malloc(128) = chunk_0 (0x555555559260)
[+] malloc(128) = target (0x7fffffffdb00)
[!] SUCCESS: malloc returned target address!
Note how addresses are replaced with symbolic names, making the exploitation flow clear.

Advanced Features

Filtering Output

# Show only malloc calls
./heaptrace ./binary | grep malloc

# Show only tcache operations
./heaptrace ./binary | grep tcache

# Track specific chunk
./heaptrace ./binary | grep chunk_3

Visualizing Freelists

heaptrace displays freelist states after each operation: 
[!] fastbin[32]: chunk_5 -> chunk_3 -> chunk_1 -> NULL
[!] tcache[64]: chunk_2 -> chunk_4 -> NULL
[!] unsorted_bin: chunk_7 <-> chunk_6 <-> NULL
This makes it easy to verify exploitation primitives:
  • Fastbin dup creates circular references
  • Tcache poisoning shows corrupted next pointers
  • Double free appears as duplicate entries

Integration with how2heap Learning

Workflow for Learning New Techniques

  1. Read the source code
cat glibc_2.35/house_of_botcake.c
  1. Run with heaptrace
./heaptrace ./house_of_botcake > output.log
  1. Analyze the trace
cat output.log
# Observe the sequence of operations
# See how chunks move between freelists
  1. Correlate with source
  • Match heap operations in trace with source code lines
  • Understand the technique’s mechanism
  • Verify exploitation primitives work as expected
heaptrace is excellent for beginners because it removes the cognitive load of tracking raw addresses.

Comparing Execution Traces

# Trace normal execution
./heaptrace ./binary > normal.log

# Trace with exploitation
./heaptrace ./binary_exploit > exploit.log

# Compare
diff -u normal.log exploit.log
This helps identify exactly what changes during exploitation.

Combining Tools for Maximum Insight

Step 1

heaptrace for high-level operation flow

Step 2

GDB with pwndbg/gef for detailed debugging

Step 3

heap-viewer for visual analysis in IDA

Example: Comprehensive Analysis of house_of_spirit

  1. Initial understanding with heaptrace
./heaptrace ./house_of_spirit
# Understand the allocation/free sequence
# Identify the fake chunk creation
  1. Detailed inspection with GDB
gdb ./house_of_spirit
(gdb) break house_of_spirit.c:30
(gdb) run
(gdb) heap chunks
# Examine chunk metadata in detail
# Verify fake chunk passes size checks
  1. Visual verification with IDA + heap-viewer
  • Load binary in IDA Pro
  • Use heap-viewer to see memory layout graphically
  • Verify fake chunk is in the expected location
  • Confirm malloc returns the target address

Automation Scripts

#!/usr/bin/env python3
import subprocess
import sys

def analyze_heap_trace(binary):
    """Run heaptrace and analyze output"""
    result = subprocess.run(
        ['./heaptrace', binary],
        capture_output=True,
        text=True
    )
    
    lines = result.stdout.split('\n')
    
    mallocs = [l for l in lines if 'malloc' in l]
    frees = [l for l in lines if 'free' in l]
    corruptions = [l for l in lines if 'Corrupt' in l]
    
    print(f"Total mallocs: {len(mallocs)}")
    print(f"Total frees: {len(frees)}")
    print(f"Detected corruptions: {len(corruptions)}")
    
    if corruptions:
        print("\nCorruptions detected:")
        for c in corruptions:
            print(f"  {c}")

if __name__ == '__main__':
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <binary>")
        sys.exit(1)
    
    analyze_heap_trace(sys.argv[1])
Usage:
python3 analyze_trace.py ./fastbin_dup

Visualization Best Practices

For Learning

  1. Start simple - Begin with basic allocations before complex techniques
  2. Use heaptrace first - Get the big picture before diving into details
  3. Draw diagrams - Sketch heap layouts on paper while observing traces
  4. Take snapshots - Capture heap state at key moments

For CTF Competitions

  1. Quick triage with heaptrace - Rapidly understand binary behavior
  2. GDB for exploitation - Develop and test exploits interactively
  3. Verify with visualization - Confirm exploitation primitives work

For Vulnerability Research

  1. IDA for static analysis - Find potential heap vulnerabilities
  2. heap-viewer for validation - Confirm vulnerabilities are exploitable
  3. heaptrace for PoC - Generate clean proof-of-concept traces
Visualization tools are learning aids. Understanding the underlying concepts is essential for effective exploitation.

Troubleshooting

heaptrace Issues

Problem: heaptrace doesn’t show output 
# Solution: Ensure LD_PRELOAD is working
LD_PRELOAD=./heaptrace.so ldd ./binary
# Should show heaptrace.so is loaded
Problem: Symbols not resolved 
# Solution: Compile with debug symbols
gcc -g -o binary binary.c

heap-viewer Issues

Problem: Plugin doesn’t load in IDA 
# Solution: Check IDA Python console for errors
# Ensure plugin path is correct
import sys
print(sys.path)
Problem: Heap structures not recognized
  • Ensure you’re debugging a glibc-based binary
  • Check that symbols are available
  • Verify glibc version compatibility

Next Steps

Debugging Tools

Master GDB plugins for heap analysis

CTF Challenges

Apply visualization skills to real challenges

Build docs developers (and LLMs) love

Get started for freeTalk to us