Add support for Android binder

pwndbg/chain.py

@@ -26,6 +26,61 @@
 )
 
 
+def get_gen(
+ address,
+ limit=LIMIT,
+ offset=0,
+ hard_stop=None,
+ hard_end=0,
+ include_start=True,
+ safe_linking=False,
+):
+ """
+ Recursively dereferences an address. For bare metal, it will stop when the address is not in any of vmmap pages to avoid redundant dereference.
+
+ Arguments:
+ address(int): the first address to begin dereferencing
+ limit(int): number of valid pointers
+ offset(int): offset into the address to get the next pointer
+ hard_stop(int): address to stop at
+ hard_end: value to append when hard_stop is reached
+ include_start(bool): whether to include starting address or not
+ safe_linking(bool): whether this chain use safe-linking
+
+ Returns:
+ A list representing pointers of each ```address``` and reference
+ """
+ limit = int(limit)
+ if include_start:
+ yield address
+
+ for i in range(limit):
+ # Don't follow cycles, except to stop at the second occurrence.
+ # if result.count(address) >= 2:
+ # return
+
+ if hard_stop is not None and address == hard_stop:
+ # yield hard_end
+ return
+
+ try:
+ address = address + offset
+
+ # Avoid redundant dereferences in bare metal mode by checking
+ # if address is in any of vmmap pages
+ if not pwndbg.gdblib.abi.linux and not pwndbg.gdblib.vmmap.find(address):
+ return
+
+ next_address = int(pwndbg.gdblib.memory.poi(pwndbg.gdblib.typeinfo.ppvoid, address))
+ address = next_address ^ ((address >> 12) if safe_linking else 0)
+ address &= pwndbg.gdblib.arch.ptrmask
+ yield address
+ except gdb.MemoryError:
+ return
+
+ return
+
+
 def get(
  address,
  limit=LIMIT,

pwndbg/commands/__init__.py

@@ -585,6 +585,7 @@ def load_commands() -> None:
  import pwndbg.commands.aslr
  import pwndbg.commands.attachp
  import pwndbg.commands.auxv
+ import pwndbg.commands.binder
  import pwndbg.commands.canary
  import pwndbg.commands.checksec
  import pwndbg.commands.comments