Heap Viewer - An IDA Pro Plugin To Examine The Glibc Heap, Focused On Exploit Development

An IDA Pro plugin (for now) to examine the heap, focused on exploit development.
Currently only supports glibc malloc (ptmalloc2).

Requirements

IDA Pro >= 6.9

Tested on

glibc <= 2.27 (x86, x64)

Features

Heap tracer (malloc/free/calloc/realloc)
Malloc chunk info
Multi-arena info (chunks, top, last-remainder)
Bins info (fastbins, unsortedbin, smallbins y largebins)
Tcache info (glibc >= 2.26)
GraphView for linked lists (bins/tcache)
Magic utils:
- Unlink merge info
- Fake fastbin finder
- House of force helper
- Useful libc offsets

Install
Just drop the heap_viewer.py file and the heap_viewer folder into IDA's plugin directory.
Because IDA not load libc-dbg symbols in the debug session, is necesary generate a config file before using the plugin. To make this, simply install the libc6-dbg package in the remote linux machine and execute the script utils\get_config.py. Then, paste the content in the heap_viewer\config.json file.

get_config.py

$ python get_config.py
[*] config.json:

{
  "libc_offsets": {
    "32": {
      "mp_": 1921312,
      "main_arena": 1922976,
    },
    "64": {
      "mp_": 3883648,
      "main_arena": 3886144,
    }
  },
  "libc_version": "2.27"
}

If you not have the dbg symbols for given libc (ex: CTFs ;D), you can use the get_main_arena tool, and get the main_arena offset for that libc. This is enough so the plugin works correctly. Simply put the main_arena offset in the config.json file.
Examples:

$ ./main_arena_offset
[*] libc version:       2.27
[*] libc file:          /lib/i386-linux-gnu/libc-2.27.so
[*] libc address:       0xf7ceb000
[*] main_arena:         0xf7ec07a0
[*] main_arena offset:  0x1d57a0

$ LD_PRELOAD=./libc_64.so.6 ./main_arena_offset
...

Screenshots
Tracer