GNU Debugger
tags: Security Tools
Scenario
replace GOT
p &stdout
x/6gx &stdout
Point stdout at stderr (stdout has been closed) by overwriting the 8-byte pointer:
set *(long long*)0x601020 = 0x00007ffff7dd2540
print return address
Dumping the stack around $rsp shows printf's return address:
x/60gx $rsp - 16
print memory with a struct
p/x *(struct link_map*)0x00007ffff7ffe168
print exact address of a variable
- works when gdb is in C language mode (and Objective-C)
p &buf (general way)
info address buf
Cheat Sheet
| Command | Description |
|---|---|
| Help Commands | |
| help command | Get help on a certain command |
| apropos keyword | Search help for a particular keyword |
| Starting and Quitting | |
| gdb [-tui] [-c core] [exename] | (Unix Command) Start gdb on an executable or standalone; specify "-tui" to start the TUI GUI; specify "-c" with a corefile name to see where a crash occurred |
| run [arg1] [arg2] [...] | Run the currently loaded program with the given command line arguments |
| quit | Exit the debugger |
| file exename | Load an executable file by name |
| Breakpoints and Watchpoints | |
| break location | Set a breakpoint at a location, line number, or file (e.g. "main", "5", or "hello.c:23") |
| watch expression | Break when a variable is written to |
| rwatch expression | Break when a variable is read from |
| awatch expression | Break when a variable is written to or read from |
| info break | Display breakpoint and watchpoint information and numbers |
| info watch | Same as info break |
| clear location | Clear a breakpoint from a location |
| delete num | Delete a breakpoint or watchpoint by number |
| Stepping and Running | |
| next | Run to the next line of this function |
| step | Step into the function on this line, if possible |
| stepi | Step a single assembly instruction |
| continue | Keep running from here |
| CTRL-C | Stop running, wherever you are |
| finish | Run until the end of the current function |
| advance location | Advance to a location, line number, or file (e.g. "somefunction", "5", or "hello.c:23") |
| jump location | Just like continue, except jump to a particular location first |
| Examining and Modifying Variables | |
| display expression | Display the value of a variable or expression at every step of the program; the expression must make sense in the current scope |
| info display | Show a list of expressions currently being displayed and their numbers |
| undisplay num | Stop showing an expression identified by its number (see info display) |
| print expression | Print the value of a variable or expression |
| printf formatstr expressionlist | Do some formatted output with printf(), e.g. printf "i = %d, p = %s\n", i, p |
| set variable expression | Set a variable to a value, e.g. set variable x=20 |
| set (expression) | Works like set variable |
| Window Commands | |
| info win | Shows current window info |
| focus winname | Set focus to a particular window by name ("SRC", "CMD", "ASM", or "REG") or by position ("next" or "prev") |
| fs | Alias for focus |
| layout type | Set the window layout ("src", "asm", "split", or "reg") |
| tui reg type | Set the register window layout ("general", "float", "system", or "next") |
| winheight val | Set the window height (either an absolute value, or a relative value prefaced with "+" or "-") |
| wh | Alias for winheight |
| set disassembly-flavor flavor | Set the look-and-feel of the disassembly. On Intel machines, valid flavors are intel and att |
| Misc Commands | |
| RETURN | Hit RETURN to repeat the last command |
| backtrace | Show the current stack |
| bt | Alias for backtrace |
| attach pid | Attach to an already-running process by its PID |
| info registers | Dump integer registers to screen |
| info all-registers | Dump all registers to screen |
Original Commands
about process
$ gdb a.out
attach / detach
$ ps aux
(gdb) attach $(Pid)
(gdb) detach # release the program
kill
kill
follow-fork-mode
Keeps gdb from losing the debuggee when the program forks, e.g. via system("echo Hello"):
set follow-fork-mode parent
set follow-fork-mode child
general
r (run)
start
Run the debugged program until the beginning of the main procedure.
disass (disassemble)
modifier:
/m print source <if available>
/r print the raw instruction bytes in hex alongside the assembly
example:
disass main
disass /r main
disass 0x400530,0x400550 (start, end)
ni (nexti) / si (stepi)
Execute one assembly instruction; the difference is that when a call instruction is reached, ni runs until the called function returns, while si steps into it
n (next) / s (step)
Execute one line of source code (step over / step into any function calls on the line)
c (continue)
Run until the next breakpoint
p (print)
Print the value of a variable or memory address. example:
(gdb) print x
$1 = 0
printf
Print two or more variables at once:
(gdb) printf "%d,%d\n",x,y
5,2
p password[1]@5  print the 5 array elements starting at password[1]
l (list) <if available>
Show the source code around the line currently being executed
display
Print the value of certain variables or memory addresses after every step
display a
temporarily disable:
disable display a
re-enable:
enable display a
delete:
delete display a
until
Run until the current loop finishes
until 13  run until line 13 is reached
finish
Run until the current function returns
x
x[/FMT] ADDRESS
Format letters are o(octal), x(hex), d(decimal), u(unsigned decimal), t(binary), f(float), a(address), i(instruction), c(char), s(string) and z(hex, zero padded on the left).
Size letters are b(byte), h(halfword), w(word), g(giant, 8 bytes).
example:
x /xw 0x80040000  show the word at the given address in hex
x /8s 0x86468700  show 8 strings starting at the given address
x /50i main  show the first 50 instructions of main
x /10i $pc  show the next 10 instructions from the current pc
x /30gx 0x6020c0-0x10  show 30 giant words (8 bytes each) in hex, starting 16 bytes before 0x6020c0
set
set *ADDRESS=VALUE
set $ZF = 6
set *0xb6d2a908=0
set *(int *)0xb6daaaec=15
set *(int**)0x8048a548=0x55aa55aa
Without a cast, gdb treats *ADDRESS as an int, so only 4 bytes are written and the upper half of an 8-byte word is left untouched; cast to the intended width instead:
gdb> set *0x601030=0x4005a0
gdb> x/gx 0x601030
0x601030: 0x00007fff004005a0
gdb> set {uint64_t}0x601030=0x4005a0
gdb> x/gx 0x601030
0x601030: 0x00000000004005a0
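The two transcripts above differ only in the width of the store. This C snippet is an added example, not code from the original page: it models what a gdb store of a given width does to an 8-byte slot on a little-endian target such as the x86-64 session shown, using a constructed slot value whose high dword is non-zero; `store_width` and the slot value are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write the low `width` bytes of `value` into an 8-byte memory slot the
 * way a gdb "set" of that width does on a little-endian target.
 *   width 4 models "set *ADDR=VALUE"            (untyped deref is an int)
 *   width 8 models "set {uint64_t}ADDR=VALUE"   (or a *(long long*) cast)
 *   width 1 models "set {char}ADDR=VALUE"
 * Byte images are built explicitly so the result does not depend on the
 * host's endianness. */
uint64_t store_width(uint64_t slot, uint64_t value, size_t width)
{
    unsigned char bytes[8];
    if (width > sizeof bytes)
        width = sizeof bytes;
    for (size_t i = 0; i < sizeof bytes; i++)      /* little-endian image of slot */
        bytes[i] = (unsigned char)(slot >> (8 * i));
    for (size_t i = 0; i < width; i++)             /* overwrite only the low bytes */
        bytes[i] = (unsigned char)(value >> (8 * i));
    uint64_t out = 0;
    for (size_t i = 0; i < sizeof bytes; i++)
        out |= (uint64_t)bytes[i] << (8 * i);
    return out;
}

int main(void)
{
    /* constructed slot contents: pointer-like, high dword is 0x00007fff */
    uint64_t slot = 0x00007fff11223344ULL;
    printf("set *ADDR=0x4005a0          -> 0x%016llx\n",
           (unsigned long long)store_width(slot, 0x4005a0, 4));
    printf("set {uint64_t}ADDR=0x4005a0 -> 0x%016llx\n",
           (unsigned long long)store_width(slot, 0x4005a0, 8));
    return 0;
}
```

The 4-byte store leaves the 0x00007fff high dword in place, which is exactly the 0x00007fff004005a0 pattern seen in the transcript; the 8-byte store replaces the whole word.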
commands
(gdb) commands 1
Type commands for breakpoint(s) 1, one per line.
End with a line saying just "end".
>print i
>print password[i]
>continue  (resume execution)
>end  (finish entering commands)
info
example:
info b  list all breakpoints that have been set
info program  print the status of the program
info locals  print the values of all local variables
info registers [REGISTER]
info registers  show the values of all registers (common registers only)
info registers pc  show the value of the pc register
info all-registers  show all registers (including floating-point registers)
about breakpoint
b (break)
break LOCATION [if CONDITION]
b main  Function: pause when execution reaches the function main
b *0x00000000004005f0  Memory: pause when execution reaches this memory address (etc.)
break 10  LineNumber
break main.c:20  FileName:LineNumber
break tcpdump.c:pcap_parse  FileName:Function
with a condition:
break 50 if size>0  only break when the condition holds
condition
condition NUM  remove the trigger condition from breakpoint NUM (condition NUM EXPR sets one)
delete
delete 1  remove breakpoint 1
rbreak
rbreak REGEXP
rbreak pcap_*  set a breakpoint on every function whose name starts with pcap_
about watch point
watch <if available>
Detects modification of a variable: when the specified variable is changed, the program pauses and the old and new values are printed
example:
watch str  watch the variable str
watch (t > 10)  watch whether variable t becomes greater than 10
rwatch
Stop the program when the value of the specified expression is read
awatch
Stop the program when the value of the specified expression is read or written
about catch point
catch
catch [EVENT]
about frame
Every function in a program is allocated a frame; each frame is a stack for that function's assembly code, which is executed instruction by instruction. For example, when the program enters printf, it enters the printf frame. The function currently executing is frame 0, its caller is frame 1, the caller of that is frame 2, and so on.
frame
frame 1  switch to frame 1
up
move to the previous (caller's) frame
down
move to the next (callee's) frame
bt (backtrace)
list all current frames
about TUI
Tip: layout reg
layout src  Standard layout: source on top, command window on the bottom
layout asm  Just like the "src" layout, except it's an assembly window on top
layout split  Three windows: source on top, assembly in the middle, and command at the bottom
layout reg  Opens the register window on top of either source or assembly, whichever was opened last
tui reg general  Show the general registers
tui reg float  Show the floating point registers
tui reg system  Show the "system" registers
tui reg next  Show the next page of registers; this matters because there might be pages of registers that aren't in the "general", "float", or "system" sets
peda
- elfsymbol : show the ELF .plt section (look up a function's .plt entry)
- vmmap : show the memory mapping of the process (useful for checking page permissions)
- readelf : get header information from an ELF file (locate sections, e.g. the data segment)
- find/searchmem : search for a pattern in memory (e.g. a string), e.g. find /bin/sh
- record : record every instruction at runtime
- pattc : generate a pattern, e.g. aaaaaaaabbbbbbbbccccccccddddddddd
angelheap
- heapinfo
- chunkinfo