Small cleanup for src/heap/heap.c and prepare CHANGES/README for new release

Author: t00sh

CHANGES

@@ -1,3 +1,13 @@
+rop-tool v2.2 (2015-05-15)
+- Port project on windows
+- Fix bugs in PE parser
+- Fix bugs in api/utils
+- Add --bad option in gadget and search command, to exclude bad bytes in address
+- Add NX bit on info command (ELF only)
+- New command : heap, used to visualize heap allocations (Linux/glibc only)
+- Fix bad behavior in 'search --all'
+- Gadgets which finished by syscall or int 0x80 instruction are now filtered
+
 rop-tool v2.1 (2015-04-05)
 - Renamed the project to rop-tool
 - Handle Mach-O file format

README.md

@@ -1,4 +1,4 @@
-rop-tool v2.1
+rop-tool v2.2
 ====
 
 A tool to help you writing binary exploits
@@ -7,7 +7,7 @@ A tool to help you writing binary exploits
 ### OPTIONS
 
 ```
-rop-tool v2.1
+rop-tool v2.2
 Help you to make binary exploits.
 
 Usage: rop-tool <cmd> [OPTIONS]
@@ -16,6 +16,7 @@ Commands :
    gadget      Search gadgets
    patch       Patch the binary
    info        Print info about binary
+   heap        Display heap structure
    search      Search on binary
    help        Print help
    version     Print version
@@ -87,8 +88,32 @@ OPTIONS:
 
 ```
 
+#### HEAP COMMAND
+
+```
+Usage : rop-tool heap [OPTIONS] [COMMAND]
+
+OPTIONS:
+  --help, -h               Print this help message
+  --library, -l     <l>    Specify the library path for libheap.so (default : ./libheap-x86-64.so)
+  --no-color, -N           Do not colorize output
+```
+
+**Small explication about output of heap command**
+
+Each line correspond to a malloc chunk, and the heap is dumped
+after each execution of heap functions (free, malloc, realloc, calloc)
+
+* addr: is the real address of the malloc chunk
+
+* usr_addr: is the address returned by malloc functions to user
+
+* size: is the size of the malloc chunk
+
+* flags: P is PREV_INUSE, M is IS_MAPED and A is NON_MAIN_ARENA
+
 ### FEATURES
-* String searching, Gadget searching, patching, info
+* String searching, Gadget searching, patching, info, heap visualization
 * Colored output
 * Intel and AT&T flavor
 * Support of ELF, PE and MACH-O binary format
@@ -100,27 +125,31 @@ OPTIONS:
 
 Basic gadget searching
 
-* rop-tool g ./program 
+* rop-tool gadget ./program 
 
 Display all gadgets with AT&T syntax
 
-* rop-tool g ./program -f att -a
+* rop-tool gadget ./program -f att -a
 
 Search in RAW file (not supported format)
 
-* rop-tool g ./program -r
+* rop-tool gadget ./program -r
 
 Search a "splitted" string in the binary
 
-* rop-tool s ./program -s "/bin/sh"
+* rop-tool search ./program -s "/bin/sh"
 
 Search all strings in binary
 
-* rop-tool s ./program -a
+* rop-tool search ./program -a
 
 Patch binary at offset 0x1000, with "\xaa\xbb\xcc\xdd" and save as "patched" :
 
-* rop-tool p ./program -o 0x1000 -b "\xaa\xbb\xcc\xdd" -O patched
+* rop-tool patch ./program -o 0x1000 -b "\xaa\xbb\xcc\xdd" -O patched
+
+Visualize heap allocation of /bin/ls command :
+
+* rop-tool heap /bin/ls
 
 ### SCREENSHOTS
 
@@ -148,6 +177,11 @@ rop-tool search /bin/ls -w 0x90
 
 ![ScreenShot](https://t0x0sh.org/repo/rop-tool/screens/screen4.png)
 
+```
+rop-tool heap ./a.out
+```
+
+![ScreenShot](https://t0x0sh.org/repo/rop-tool/screens/screen5.png)
 
 ### DEPENDENCIES
 - [capstone](http://capstone-engine.org/)

src/heap/heap.c

@@ -23,23 +23,18 @@
 #ifndef __WINDOWS__
 #include "rop_heap.h"
 
-#define HEAP_DEFAULT_FORMAT "ascii"
 #define HEAP_DEFAULT_LIBPATH "./libheap-" ARCHITECTURE ".so"
 
 char **heap_options_command = NULL;
 const char *heap_options_libpath = HEAP_DEFAULT_LIBPATH;
-const char *heap_options_output = NULL;
-const char *heap_options_format = HEAP_DEFAULT_FORMAT;
 const char *heap_options_color = "1";
 
 void heap_help(void) {
   printf("Usage : %s heap [OPTIONS] [COMMAND]\n\n", PACKAGE);
   printf("OPTIONS:\n");
-  printf("  --format, -f      <f>    Select output format (default: %s)\n", HEAP_DEFAULT_FORMAT);
   printf("  --help, -h               Print this help message\n");
   printf("  --library, -l     <l>    Specify the library path for libheap.so (default : %s)\n", HEAP_DEFAULT_LIBPATH);
   printf("  --no-color, -N           Do not colorize output\n");
-  printf("  --output, -O      <f>    Write trace in a file\n");
   printf("\n");
 }
 
@@ -49,11 +44,9 @@ void heap_options_parse(int argc, char **argv) {
   int opt;
 
   const struct option opts[] = {
-    {"format",        required_argument, NULL, 'f'},
     {"help",          no_argument,       NULL, 'h'},
     {"library",       required_argument, NULL, 'l'},
     {"no-color",      no_argument,       NULL, 'N'},
-    {"output",        required_argument, NULL, 'O'},
     {NULL,            0,                 NULL, 0  }
   };
 
@@ -74,14 +67,6 @@ void heap_options_parse(int argc, char **argv) {
       heap_options_color = "0";
       break;
 
-    case 'O':
-      heap_options_output = optarg;
-      break;
-
-    case 'f':
-      heap_options_format = optarg;
-      break;
-
     default:
       heap_help();
       exit(EXIT_FAILURE);
@@ -104,18 +89,6 @@ void heap_cmd(int argc, char **argv) {
     exit(EXIT_FAILURE);
   }
 
-  if(setenv("LIBHEAP_FORMAT", heap_options_format, 0) == -1) {
-    fprintf(stderr, "Can't set LIBHEAP_FORMAT environment variable\n");
-    exit(EXIT_FAILURE);
-  }
-
-  if(heap_options_output) {
-    if(setenv("LIBHEAP_OUTPUT", heap_options_output, 0) == -1) {
-      fprintf(stderr, "Can't set LIBHEAP_OUTPUT environment variable\n");
-      exit(EXIT_FAILURE);
-    }
-  }
-
   if(setenv("LIBHEAP_COLOR", heap_options_color, 0) == -1) {
     fprintf(stderr, "Can't set LIBHEAP_COLOR environment variable\n");
     exit(EXIT_FAILURE);