Memory Maps

    First, let’s see the help message for , the command which is responsible for handling memory maps:

    In this chapter, we’ll go over some of the most useful subcommands of dm using simple examples. For the following examples, we’ll use a simple helloworld program for Linux but it’ll be the same for every binary.

    First things first - open a program in debugging mode:

    $ r2 -d helloworld
    Process with PID 20304 started...
    = attach 20304 20304
    bin.baddr 0x56136b475000
    Using 0x56136b475000
    asm.bits 64
    [0x7f133f022fb0]>

    For those of you who prefer a more visual way, you can use dm= to see the memory maps drawn as ASCII-art bars. This is handy when you want to see how the maps are laid out relative to each other in memory.

    If you want to know which memory map you are currently in, use dm.:

    [0x7f133f022fb0]> dm.
    0x00007f947eed9000 # 0x00007f947eefe000 * usr 148K s r-x /usr/lib/ld-2.27.so /usr/lib/ld-2.27.so ; map.usr_lib_ld_2.27.so.r_x

    Using dmm we can “List modules (libraries, binaries loaded in memory)”. This is quite a handy command for seeing which modules are loaded. In the following example we first continue to the entry point with dcu entry0, so that the dynamic loader has had a chance to map the shared libraries, and only then list the modules.

    Note that the output of the dm subcommands, and of dmm specifically, may differ between systems and between binaries.

    [0x7fa80a19dfb0]> dcu entry0
    Continue until 0x55ca23a4a520 using 1 bpsize
    hit breakpoint at: 55ca23a4a518
    [0x55ca23a4a520]> dmm
    0x7fa809de1000 /usr/lib/libc-2.27.so
    0x7fa80a19d000 /usr/lib/ld-2.27.so

    Now we can see that libc-2.27.so was loaded as well, great!

    Speaking of libc, a popular task for binary exploitation is to find the address of a specific symbol in a library. With this information in hand, you can build, for example, an exploit which uses ROP. This can be achieved using the dmi command. So if we want, for example, to find the address of in the loaded libc, we can simply execute the following command:

    Similar to the dm. command, with dmi. you can see the closest symbol to the current address.
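    On Linux, the information behind dm, dm., dmm and dmi ultimately comes from the kernel's /proc/<pid>/maps plus the ELF symbol tables of the mapped files. The following is an added example, not code from the radare2 book or the radare2 project: a small parser for /proc/<pid>/maps that answers the same questions those commands answer (which map contains an address, which modules are loaded, where a library symbol lands at runtime) and adds one check a defender cares about: mappings that are both writable and executable, or executable without a backing file, which a normal process rarely has. The maps text, the paths, the addresses and the symbol offset (0x4f440) are all constructed for illustration; with a live process you would feed it the real /proc/<pid>/maps contents instead.

```python
"""Added example (not from the radare2 book or project): parse Linux
/proc/<pid>/maps and answer the questions `dm.`, `dmm` and `dmi` answer.
All sample data below is constructed; nothing here is taken from a real process."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)

# Constructed maps for a helloworld-style process; addresses are made up but
# laid out like a real run (binary, libc, ld.so, stack, vdso, one anonymous rwx page).
SAMPLE_MAPS = """\
56136b475000-56136b476000 r--p 00000000 08:01 1234 /home/user/helloworld
56136b476000-56136b477000 r-xp 00001000 08:01 1234 /home/user/helloworld
56136b477000-56136b478000 rw-p 00002000 08:01 1234 /home/user/helloworld
7fa809de1000-7fa809fc8000 r-xp 00000000 08:01 5678 /usr/lib/libc-2.27.so
7fa809fc8000-7fa80a198000 ---p 001e7000 08:01 5678 /usr/lib/libc-2.27.so
7fa80a198000-7fa80a19c000 r--p 001b7000 08:01 5678 /usr/lib/libc-2.27.so
7fa80a19c000-7fa80a19d000 rw-p 001bb000 08:01 5678 /usr/lib/libc-2.27.so
7fa80a19d000-7fa80a1c4000 r-xp 00000000 08:01 9012 /usr/lib/ld-2.27.so
7fa80a3c4000-7fa80a3c6000 rw-p 00027000 08:01 9012 /usr/lib/ld-2.27.so
7fa80a3d0000-7fa80a3d1000 rwxp 00000000 00:00 0
7ffd1c2e0000-7ffd1c301000 rw-p 00000000 00:00 0 [stack]
7ffd1c3f0000-7ffd1c3f2000 r-xp 00000000 00:00 0 [vdso]
"""


@dataclass
class MapEntry:
    start: int
    end: int
    perms: str    # e.g. "r-xp": read, write, execute, private/shared
    offset: int   # file offset the mapping starts at
    path: str     # backing file, pseudo-name like "[stack]", or "" if anonymous

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end

    @property
    def file_backed(self) -> bool:
        return self.path.startswith("/")


def parse_maps(text: str) -> List[MapEntry]:
    """Parse the text of /proc/<pid>/maps; unexpected lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, end, perms, off, _dev, _inode, path = m.groups()
        entries.append(MapEntry(int(start, 16), int(end, 16), perms, int(off, 16), path.strip()))
    return entries


def map_containing(maps: List[MapEntry], addr: int) -> Optional[MapEntry]:
    """Equivalent of `dm.`: the map that contains addr, or None."""
    return next((e for e in maps if e.contains(addr)), None)


def list_modules(maps: List[MapEntry]) -> Dict[str, int]:
    """Equivalent of `dmm`: lowest load address of every file-backed module."""
    bases: Dict[str, int] = {}
    for e in maps:
        if e.file_backed:
            bases[e.path] = min(bases.get(e.path, e.start), e.start)
    return bases


def module_base(maps: List[MapEntry], name: str) -> int:
    """Find a module by (partial) file name, the way `dmS ld-2.27` matches ld-2.27.so."""
    for path, base in list_modules(maps).items():
        if name in path.rsplit("/", 1)[-1]:
            return base
    raise KeyError(f"module {name!r} is not loaded")


def symbol_address(maps: List[MapEntry], module: str, symbol_offset: int) -> int:
    """Equivalent of `dmi`: a symbol's offset inside the library (as read from its
    ELF symbol table; here passed in as a constructed value) relocated by the
    module's runtime load base."""
    return module_base(maps, module) + symbol_offset


def suspicious_maps(maps: List[MapEntry]) -> List[MapEntry]:
    """Defender's check: writable+executable memory, or executable memory with no
    backing file, is unusual outside JIT runtimes and is a classic injection
    indicator. The kernel-provided [vdso]/[vsyscall] pages are expected and skipped."""
    flagged = []
    for e in maps:
        executable, writable = "x" in e.perms, "w" in e.perms
        anon_exec = executable and not e.file_backed and e.path not in ("[vdso]", "[vsyscall]")
        if (executable and writable) or anon_exec:
            flagged.append(e)
    return flagged


MAPS = parse_maps(SAMPLE_MAPS)

if __name__ == "__main__":
    pc = 0x7FA80A19DFB0                       # constructed: a PC inside ld.so
    here = map_containing(MAPS, pc)
    print(f"dm.  -> {here.start:#x}-{here.end:#x} {here.perms} {here.path}")
    for path, base in list_modules(MAPS).items():
        print(f"dmm  -> {base:#x} {path}")
    print(f"dmi  -> libc symbol at {symbol_address(MAPS, 'libc-2.27', 0x4F440):#x}")
    for e in suspicious_maps(MAPS):
        print(f"FLAG -> {e.start:#x}-{e.end:#x} {e.perms} {e.path or '<anonymous>'}")
```

    The symbol offset handed to symbol_address is what dmi reads for you from the library's .dynsym; the only thing the runtime adds is the module base, which is why leaking one libc address is enough to locate every other libc symbol, and why mitigations such as ASLR aim at keeping that base secret. The suspicious_maps check is the kind of rule an EDR or a memory-forensics script applies over every process; on a machine running a JIT (a browser, a JVM) expect legitimate hits and whitelist them by path or process.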

    Another useful command is to list the sections of a specific library. In the following example we’ll list the sections of ld-2.27.so:

    [0x55a7ebf09520]> dmS ld-2.27
    [Sections]
    00 0x00000000 0 0x00000000 0 ---- ld-2.27.so.
    01 0x000001c8 36 0x4652d1c8 36 -r-- ld-2.27.so..note.gnu.build_id
    03 0x00000350 412 0x4652d350 412 -r-- ld-2.27.so..gnu.hash
    04 0x000004f0 816 0x4652d4f0 816 -r-- ld-2.27.so..dynsym
    05 0x00000820 548 0x4652d820 548 -r-- ld-2.27.so..dynstr
    06 0x00000a44 68 0x4652da44 68 -r-- ld-2.27.so..gnu.version
    07 0x00000a88 164 0x4652da88 164 -r-- ld-2.27.so..gnu.version_d
    08 0x00000b30 1152 0x4652db30 1152 -r-- ld-2.27.so..rela.dyn
    10 0x0001d0e0 17760 0x4654a0e0 17760 -r-- ld-2.27.so..rodata
    11 0x00021640 1716 0x4654e640 1716 -r-- ld-2.27.so..eh_frame_hdr
    12 0x00021cf8 9876 0x4654ecf8 9876 -r-- ld-2.27.so..eh_frame
    13 0x00024660 2020 0x46751660 2020 -rw- ld-2.27.so..data.rel.ro
    14 0x00024e48 336 0x46751e48 336 -rw- ld-2.27.so..dynamic
    15 0x00024f98 96 0x46751f98 96 -rw- ld-2.27.so..got
    16 0x00025000 3960 0x46752000 3960 -rw- ld-2.27.so..data
    17 0x00025f78 0 0x46752f80 376 -rw- ld-2.27.so..bss
    18 0x00025f78 17 0x00000000 17 ---- ld-2.27.so..comment
    19 0x00025fa0 63 0x00000000 63 ---- ld-2.27.so..gnu.warning.llseek
    20 0x00025fe0 13272 0x00000000 13272 ---- ld-2.27.so..symtab
    21 0x000293b8 7101 0x00000000 7101 ---- ld-2.27.so..strtab
    22 0x0002af75 215 0x00000000 215 ---- ld-2.27.so..shstrtab