Heappie! is an exploit-writing-oriented memory analysis tool. It assists vulnerability researchers in tracking heap sprays (as well as other memory patterns) by visualizing the memory state. Moreover, since a sample is generated for each memory state, Heappie! can analyze several of these together and compute their intersection. This makes it easy to find commonalities between several runs, even when switching between software versions or platforms.
Heappie! has two main analysis types:
- Attach to a process
With this type of analysis, Heappie! attaches to the selected process and then starts analyzing its memory. Users can choose to start the analysis immediately or only once an exception occurs.
This option is very useful when trying to add reliability to an almost-ready exploit by testing it against different platforms/software versions. Usually the heap spray takes place just before the vulnerability is triggered, so if the exploit is still a PoC: the heap spray occurs, the exception is raised and Heappie! starts the analysis. If the exploit already works, you can replace the first byte of the shellcode with 0xCC (int 3) so that a breakpoint exception is raised as soon as execution reaches the shellcode.
- Import memory dump
This option lets the user analyze raw memory dumps generated on almost any platform/architecture. The mechanism of Heappie! is extremely simple: it finds memory patterns and shows the contiguous data chunks as blocks, so users don't have to run Heappie! on the target platform to obtain this information. Users can generate the memory dump with any available tool (gdb, for example, supports most platforms out there) and then analyze it with Heappie! on another platform.
Its main features are:
- Tracking of memory patterns/heap-sprayed memory
- Localization of common heap-sprayed addresses between different scenarios (memory states, versions, platforms and architectures)
- Visualization of scattered shellcodes (using placeholders)
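To make the dump-analysis mechanism and the intersection feature concrete, here is an added example (it is not Heappie!'s own code and uses none of its scripts): it scans raw memory dumps for a spray pattern, merges back-to-back hits into contiguous blocks expressed as absolute addresses, and intersects the blocks of several runs to find addresses that were sprayed in every one of them. The two dumps, their base address 0x0A000000 and the 0x0c0c0c0c pattern are constructed for the example; with a real dump you would read the file (for instance one written with gdb's "dump memory" command) and pass the address it starts at.

```python
# Added example, not part of Heappie!: a minimal version of the dump analysis
# described above. Dumps, base address and pattern below are constructed.

PAGE = 0x1000


def find_blocks(dump, base, pattern):
    """Return [(start, end)] absolute address ranges where `pattern` repeats
    back-to-back in `dump`. `base` is the address the dump begins at; `end`
    is exclusive. A single stray hit also becomes a (short) block."""
    blocks = []
    n = len(pattern)
    i = dump.find(pattern)
    while i >= 0:
        start = i
        while dump.startswith(pattern, i):  # extend over consecutive copies
            i += n
        blocks.append((base + start, base + i))
        i = dump.find(pattern, i)
    return blocks


def intersect_blocks(runs):
    """runs: one block list per memory state (different versions, platforms
    or runs). Returns the address ranges covered by a block in every run."""
    common = sorted(runs[0])
    for blocks in runs[1:]:
        overlap = []
        for a0, a1 in common:
            for b0, b1 in blocks:
                lo, hi = max(a0, b0), min(a1, b1)
                if lo < hi:
                    overlap.append((lo, hi))
        common = sorted(overlap)
    return common


def pick_target(common, align=PAGE):
    """First `align`-aligned address inside a common block: a candidate
    jump target that lands in sprayed memory in every analysed run."""
    for lo, hi in common:
        cand = -(-lo // align) * align  # round up to the alignment
        if cand < hi:
            return cand
    return None


def build_dump(size, regions, pattern):
    """Constructed sample dump: `size` zero bytes with `pattern` repeated
    over each (offset, length) in `regions`."""
    dump = bytearray(size)
    for off, length in regions:
        reps = length // len(pattern)
        dump[off:off + reps * len(pattern)] = pattern * reps
    return bytes(dump)


SPRAY = b"\x0c\x0c\x0c\x0c"  # classic 0x0c0c0c0c sled, used as the pattern
BASE = 0x0A000000            # constructed base address shared by both dumps

# Two constructed memory states in which the spray landed at different offsets.
RUN_A = build_dump(0x10000, [(0x1000, 0x3000), (0x6000, 0x2000)], SPRAY)
RUN_B = build_dump(0x10000, [(0x2000, 0x3000), (0x7800, 0x1000)], SPRAY)


def analyse():
    """Blocks of each run, their intersection and a candidate target address."""
    blocks_a = find_blocks(RUN_A, BASE, SPRAY)
    blocks_b = find_blocks(RUN_B, BASE, SPRAY)
    common = intersect_blocks([blocks_a, blocks_b])
    return blocks_a, blocks_b, common, pick_target(common)


if __name__ == "__main__":
    blocks_a, blocks_b, common, target = analyse()
    for name, blocks in (("run A", blocks_a), ("run B", blocks_b), ("common", common)):
        print(name, ", ".join("%#x-%#x" % b for b in blocks))
    print("candidate target: %#x" % target)
```

Because the blocks are kept as absolute addresses, dumps taken from different versions or platforms can be intersected directly even when they start at different base addresses; a pattern that only appears in some runs simply drops out of the common set, which is the "localization of common heap-sprayed addresses" the feature list refers to.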
Heappie! consists of three main scripts:
- heappie-analyzer.py: The script in charge of the process/dump analysis. It finds the pattern and generates a log to be visualized with the viewer.
- heappie-viewer.py: The script that generates the graphics.
- Heappie.py: The front end, a simple GUI that ties the whole process together.
Note that heappie-analyzer.py and heappie-viewer.py can be run stand-alone, so the dependencies are reduced when running only one of them.
Heappie! relies on two libraries to do most of the work: vtrace (the amazing Kenshoto multi-platform debugging library) to analyze process memory, and Pygame to display the logs graphically.
You can find these packages here:
This software is provided under the 2-clause BSD license.
This tool was designed and developed by Anibal Sacco.
To report a bug or make suggestions about this package, drop us a few lines at oss- at -coresecurity.com.
Platforms: Windows, Linux, OSX
Release date : 2011-03-01
License type: 2-clause BSD