Villoc is a heap visualisation tool, it's a python script that renders a static html file. An example can be seen here: https://wapiflapi.github.io/villoc/, this is villoc running on an exploit of PlaidCTF 2015's challenge PlaidDB.

The easiest way to use villoc is probably to run the following command and open out.html in a browser.

ltrace ./target |& villoc.py - out.html;

It is probably a good idea to disable ASLR for repeatable results and to use a file to pass the ltrace to villoc because otherwise the target's error output will be interleaved and might confuse villoc sometimes.

setarch x86_64 -R ltrace -o trace ./target; villoc.py trace out.html;

The problem with ltrace is that it doesn't track calls to malloc from other libraries or from within libc itself.

Please check https://github.com/wapiflapi/villoc/tree/master/tracers/dynamorio for (easy!) instructions for using a DynamoRIO tool to achieve full tracing.

Villoc's input should look like ltrace's output, other tracers should output compatible logs. Villoc also listens to annotations of the following form:

@villoc(comma separated annotations) = <void>`

When using this it's possible to mark certain block as being significant which makes analyzing villoc's output that much easier.

When using the dynamorio tracer there is a hack to easily inject annotations from a target's source code:

sscanf("Format string %d %d, FOO %s", "@villoc", 1, 2, "BAR");

Will inject Format string 1 2 into villoc's log and add the FOO and BAR tags to the block affected by the next memory operation.

This has been made with glibc's dl_malloc in mind. But it should work for other implementations, especially if you play with the --header and --footer options to indicate how much overhead the targeted malloc adds to the user data.