
Dealing with a Stripped Binary

Aaron Esau edited this page Dec 1, 2021 · 10 revisions

heaptrace can debug a stripped ELF64 binary whether it is dynamically linked (and loaded at a randomized address by ASLR) or statically linked (with or without PIE). In most cases heaptrace can still locate the glibc allocator functions in a stripped binary by matching their signatures.

If it cannot find the function addresses, you need to supply them with the -s/--symbols argument. The same argument can be used to override the addresses heaptrace found on its own.

Argument Format

-s/--symbols is a comma-separated list of symbol_name=symbol_value_exp pairs.

  • The symbol name is one of malloc, free, realloc, or calloc.
  • The symbol value expression is a value or a simple arithmetic expression (only the + and - operators are supported).

The symbol value expression may contain decimal integers (base 10), hexadecimal integers (base 16) prefixed with 0x, octal integers (base 8) prefixed with 0o, binary (base 2) integers prefixed with 0b, and one of two variable names: libc and bin.

  • The libc variable is the base address of the glibc shared library at runtime. Use it to give function offsets within glibc when the shared library itself is stripped; the offset must come from the same glibc build that is mapped into the process (for example from readelf -s or nm -D on that file), since offsets differ between builds.
  • The bin variable is the base address of the ELF binary at runtime. Use it when PIE makes the binary's load address vary between runs.

Examples

Statically linked, PIE, stripped ELF (malloc and free only)

./heaptrace --symbols 'malloc=bin+0x18b7,free=bin+0x19f8' ./test

Statically linked, no PIE, stripped ELF (malloc and free only)

./heaptrace --symbols 'malloc=0x4018b7,free=0x4019f8' ./test

Dynamically linked, stripped glibc (malloc only)

./heaptrace --symbols 'malloc=libc+0x8b320' ./test

Example complex arithmetic expression

./heaptrace --symbols 'malloc=libc+0x123-0o32-0b11010+13,realloc=bin+1234,calloc=3-bin+bin,free=0' ./test
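Worked example, added here and not part of heaptrace: a Python implementation of the argument grammar described above that resolves a -s/--symbols value to absolute addresses once the runtime libc and bin bases are known, and rejects names or operators the format does not allow. The base addresses used below are constructed for the example (heaptrace reads the real ones from the traced process), and treating a symbol given twice as an error is an assumption, not documented behaviour.

```python
import re
from typing import Dict, List, Tuple

# The four allocator symbols the page says -s/--symbols accepts.
SYMBOL_NAMES = ("malloc", "free", "realloc", "calloc")

# One token at a time: a number literal in one of the four bases, one of the
# two runtime-base variables, or a + / - operator. Prefixed forms are listed
# before the bare decimal form so "0x18b7" is not split into "0" and "x18b7".
_TOKEN_RE = re.compile(
    r"\s*(?:"
    r"(?P<num>0[xX][0-9a-fA-F]+|0[oO][0-7]+|0[bB][01]+|[0-9]+)"
    r"|(?P<var>libc|bin)"
    r"|(?P<op>[+-])"
    r")\s*"
)


def parse_int(literal: str) -> int:
    """Decode a decimal, 0x, 0o or 0b integer literal."""
    lower = literal.lower()
    if lower.startswith("0x"):
        return int(lower[2:], 16)
    if lower.startswith("0o"):
        return int(lower[2:], 8)
    if lower.startswith("0b"):
        return int(lower[2:], 2)
    return int(lower, 10)


def tokenize(expr: str) -> List[Tuple[str, str]]:
    """Split an expression into (kind, text) tokens, rejecting anything else."""
    tokens = []
    pos = 0
    while pos < len(expr):
        match = _TOKEN_RE.match(expr, pos)
        if match is None:
            raise ValueError(f"unexpected character at offset {pos} in {expr!r}")
        kind = match.lastgroup
        tokens.append((kind, match.group(kind)))
        pos = match.end()
    return tokens


def evaluate_expression(expr: str, bases: Dict[str, int]) -> int:
    """Evaluate `term (('+'|'-') term)*`, a term being a literal or libc/bin."""
    total = 0
    sign = 1
    expect_term = True
    for kind, text in tokenize(expr):
        if expect_term:
            if kind == "op":
                raise ValueError(f"operator {text!r} where a value was expected in {expr!r}")
            value = parse_int(text) if kind == "num" else bases[text]
            total += sign * value
            expect_term = False
        else:
            if kind != "op":
                raise ValueError(f"missing operator before {text!r} in {expr!r}")
            sign = 1 if text == "+" else -1
            expect_term = True
    if expect_term:
        raise ValueError(f"expression {expr!r} is empty or ends with an operator")
    return total


def parse_symbols(arg: str, libc_base: int, bin_base: int) -> Dict[str, int]:
    """Resolve a -s/--symbols value to absolute addresses for the given bases."""
    bases = {"libc": libc_base, "bin": bin_base}
    resolved: Dict[str, int] = {}
    for pair in arg.split(","):
        name, sep, expr = pair.partition("=")
        name = name.strip()
        if not sep:
            raise ValueError(f"{pair!r} is not of the form name=expression")
        if name not in SYMBOL_NAMES:
            raise ValueError(f"unknown symbol {name!r}; expected one of {SYMBOL_NAMES}")
        if name in resolved:
            # Assumption: a name given twice is a user mistake, not an override.
            raise ValueError(f"symbol {name!r} given more than once")
        resolved[name] = evaluate_expression(expr, bases)
    return resolved


if __name__ == "__main__":
    # Constructed bases for the demo; a debugger reads the real ones at runtime.
    LIBC, BIN = 0x7F0000000000, 0x555555554000
    for cli in (
        "malloc=bin+0x18b7,free=bin+0x19f8",
        "malloc=0x4018b7,free=0x4019f8",
        "malloc=libc+0x8b320",
        "malloc=libc+0x123-0o32-0b11010+13,realloc=bin+1234,calloc=3-bin+bin,free=0",
    ):
        for name, addr in parse_symbols(cli, LIBC, BIN).items():
            print(f"{cli!r}: {name} = {addr:#x}")
```

Running the block evaluates the four example invocations from this page; the complex expression resolves to libc+0xfc (0x123 - 0o32 - 0b11010 + 13 = 252), and calloc=3-bin+bin collapses to 3 because the two bin terms cancel.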