GDB Enhanced Extensions
Vanilla GDB has a rather uninformative interface, and its syntax is arcane and hard to approach. It sucks in terms of user experience and is painful to use for reverse engineering and exploit development.
To make debugging easier and more productive, there are extensions for GDB such as GEF and pwndbg that provide a more informative view and additional commands.
GDB Enhanced#
Show current assembly instruction in GDB
Arm Assembly Internals and Reverse Engineering | Chapter 11 Dynamic Analysis - Command-Line Debugging
- pwndbg: Exploit Development and Reverse Engineering with GDB Made Easy
- GEF (GDB Enhanced Features): a modern experience for GDB with advanced debugging capabilities for exploit devs & reverse engineers on Linux
- PEDA - Python Exploit Development Assistance for GDB
- gdb-dashboard: Modular visual interface for GDB in Python
all in one#
Pwndbg + GEF + Peda — One for all, and all for one
Step 1 - git clone plugin:
$ cd ~ && mkdir gdbe
$ cd ~/gdbe
$ git clone https://github.com/pwndbg/pwndbg
$ cd pwndbg && ./setup.sh
$ echo "source ~/gdbe/pwndbg/gdbinit.py" > ~/.gdbinit-pwndbg
$ cd ~/gdbe
$ git clone https://github.com/hugsy/gef.git
# cp ~/gdbe/gef/gef.py ~/.gdbinit-gef.py
# ln -sf ~/gdbe/gef/gef.py ~/.gdbinit-gef.py
$ echo "source ~/gdbe/gef/gef.py" > ~/.gdbinit-gef
$ cd ~/gdbe
$ git clone https://github.com/cyrus-and/gdb-dashboard.git
$ ln -sf ~/gdbe/gdb-dashboard/.gdbinit ~/.gdbinit-dashboard
Step 2 - config ~/.gdbinit:
define init-pwndbg
source ~/.gdbinit-pwndbg
end
document init-pwndbg
Initializes PwnDBG
end
define init-gef
source ~/.gdbinit-gef
end
document init-gef
Initializes GEF (GDB Enhanced Features)
end
define init-dashboard
source ~/.gdbinit-dashboard
end
document init-dashboard
Initializes GDB Dashboard
end
Step 3 - create exec files in the /usr/local/bin folder:
$ sudo vim /usr/local/bin/gdb-pwndbg
#!/bin/sh
exec gdb -q -ex init-pwndbg "$@"
$ sudo vim /usr/local/bin/gdb-gef
#!/bin/sh
exec gdb -q -ex init-gef "$@"
$ sudo vim /usr/local/bin/gdb-dashboard
#!/bin/sh
exec gdb -q -ex init-dashboard "$@"
$ sudo chmod +x /usr/local/bin/gdb-*
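Steps 2 and 3 as one script, added here as an example and not part of the original post: it appends the three define blocks to ~/.gdbinit only when they are not already there, writes the three wrapper scripts, and then checks that each wrapper is executable, that its init-* define exists, and that the file the define sources is present. The BIN_DIR and GDBINIT variables, the function names and the check's return codes are this example's own choices; it assumes Step 1 has already created ~/.gdbinit-pwndbg, ~/.gdbinit-gef and ~/.gdbinit-dashboard.

```shell
#!/bin/sh
# Added example, not part of the original post: Steps 2 and 3 as one
# idempotent script, plus a check that each wrapper is wired up correctly.
# Assumptions (chosen for this example): Step 1 has already created
# ~/.gdbinit-pwndbg, ~/.gdbinit-gef and ~/.gdbinit-dashboard; wrappers go
# to $BIN_DIR (default /usr/local/bin, needs root) and the define blocks are
# appended to $GDBINIT (default ~/.gdbinit).
set -e

BIN_DIR="${BIN_DIR:-/usr/local/bin}"
GDBINIT="${GDBINIT:-$HOME/.gdbinit}"

# add_define NAME INIT_FILE DOC: append "define init-NAME" to $GDBINIT
# unless it is already there, so re-running never duplicates blocks.
add_define() {
    name=$1; init_file=$2; doc=$3
    if [ -f "$GDBINIT" ] && grep -q "^define init-$name\$" "$GDBINIT"; then
        return 0
    fi
    cat >> "$GDBINIT" <<EOF
define init-$name
source $init_file
end
document init-$name
$doc
end
EOF
}

# write_wrapper NAME: create $BIN_DIR/gdb-NAME, which starts gdb quietly and
# runs init-NAME (gdb reads ~/.gdbinit before it executes any -ex command,
# so the user command is already defined when the wrapper asks for it).
write_wrapper() {
    name=$1
    wrapper="$BIN_DIR/gdb-$name"
    printf '#!/bin/sh\nexec gdb -q -ex init-%s "$@"\n' "$name" > "$wrapper"
    chmod 755 "$wrapper"
}

# init_file_for NAME: print the file that "define init-NAME" sources, with a
# leading ~/ expanded to $HOME so the caller can test for it.
init_file_for() {
    f=$(awk -v n="init-$1" '
        $1 == "define" && $2 == n { inside = 1; next }
        inside && $1 == "source"   { print $2; exit }
        $1 == "end"                { inside = 0 }' "$GDBINIT")
    case $f in
        "~/"*) f="$HOME/${f#\~/}" ;;
    esac
    printf '%s\n' "$f"
}

# check_wrapper NAME: 0 when gdb-NAME is executable, its init-NAME define
# exists, and the file that define sources is present; 1, 2 or 3 otherwise.
# A fresh install should pass this before the wrapper is trusted.
check_wrapper() {
    name=$1
    [ -x "$BIN_DIR/gdb-$name" ] || return 1
    grep -q "^define init-$name\$" "$GDBINIT" 2>/dev/null || return 2
    [ -f "$(init_file_for "$name")" ] || return 3
    return 0
}

install_all() {
    mkdir -p "$BIN_DIR"
    add_define pwndbg    '~/.gdbinit-pwndbg'    'Initializes PwnDBG'
    add_define gef       '~/.gdbinit-gef'       'Initializes GEF (GDB Enhanced Features)'
    add_define dashboard '~/.gdbinit-dashboard' 'Initializes GDB Dashboard'
    for n in pwndbg gef dashboard; do
        write_wrapper "$n"
        check_wrapper "$n" || { echo "gdb-$n is not wired up (code $?)" >&2; return 1; }
    done
}

# Usage (hypothetical file name): sudo sh setup-gdbe.sh install
if [ "${1:-}" = install ]; then install_all; fi
```

Run it as root to write into /usr/local/bin, or set BIN_DIR to a directory on your PATH to avoid root; running it a second time is harmless because add_define skips blocks that already exist.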
instant help#
Now you can test it by running plain gdb or any one of the three wrapper commands:
gdb:
- (gdb) help starti
- (gdb) help info
- (gdb) help breakpoints
- (gdb) help step
- (gdb) help x
gdb-pwndbg:
- pwndbg> pwndbg
- pwndbg> help pwndbg
- pwndbg> pwndbg -c start
- pwndbg> entry -h
- pwndbg> sstart -h
gdb-gef:
- gef➤ help gef
- gef➤ gef help
gdb-dashboard:
- >>> help dashboard
- >>> dashboard -layout source assembly registers stack
usage of gef#
GEF is a set of commands for x86/64, ARM, MIPS, PowerPC and SPARC to assist exploit developers and reverse-engineers when using old school GDB.
context.layout#
GEF lets you configure your own display setup by rearranging the order in which the context sections are shown.
gef➤ gef config context.layout
────────────────────────────────────── GEF configuration setting: context.layout ──────────────────────────────────────
context.layout (str) = "legend regs stack code args source memory threads trace extra"
Description:
Change the order/presence of the context sections
To hide a section, simply use the context.layout setting, and prepend the section name with - or just omit it.
This configuration will not display the legend, source, threads, and trace sections.
context.nb_lines_code#
nb_lines_code and nb_lines_code_prev configure how many lines to show after and before the PC, respectively (the defaults are 6 and 3).
gef➤ gef config context.nb_lines_code 10
# reload the settings during the session
gef➤ gef restore
# To save the current settings permanently
gef➤ gef save
usage of pwndbg#
pwndbg is a GDB plug-in that makes debugging with GDB suck less, with a focus on features needed by low-level software developers, hardware hackers, reverse-engineers and exploit developers.
CheatSheet → The most important and commonly used commands for easy reference.
Documentation → Learn how pwndbg works and explore the official docs.
context: Print out the current register, instruction, and stack context.
help#
gdb: help cmd, e.g., help starti; refer to the GDB manual and the built-in help.
pwndbg: cmd [-h|--help], e.g., entry -h, sstart -h.
config#
config: Shows pwndbg-specific configuration.
configfile: Generates a configuration file for the current pwndbg options.
pwndbg> config
Name Value (Default) Documentation
-----------------------------------------------------------------------------------------------------------------------------------------
ai-anthropic-api-key '' Anthropic API key (will default to ANTHROPIC_API_KEY environment variable if not set)
ai-history-size 3 maximum number of successive questions and answers to maintain in the prompt for the ai command
context-backtrace-lines 8 number of lines to print in the backtrace context
context-clear-screen False whether to clear the screen before printing the context
context-code-lines 10 number of additional lines to print in the code context
context-ghidra 'never' when to try to decompile the current function with ghidra (slow and requires radare2/r2pipe or rizin/rzpipe) (valid values: always, never, if-no-source)
context-max-threads 4 maximum number of threads displayed by the context command
context-output 'stdout' where pwndbg should output ("stdout" or file/tty).
context-sections 'regs disasm code ghidra stack backtrace expressions threads heap-tracker' which context sections are displayed (controls order)
context-source-code-lines 10 number of source code lines to print by the context command
context-source-code-tabstop 8 number of spaces that a <tab> in the source code counts for
context-stack-lines 8 number of lines to print in the stack context
dereference-limit 5 max number of pointers to dereference in a chain
disasm-annotations True Display annotations for instructions to provide context on operands and results
disasm-telescope-depth 3 Depth of telescope for disasm annotations
emulate 'on' Unicorn emulation of code from the current PC register
emulate-annotations True Unicorn emulation for register and memory value annotations on instructions
hexdump-bytes 64 number of bytes printed by hexdump command
hexdump-group-width -1 number of bytes grouped in hexdump command (If -1, the architecture's pointer size is used)
hexdump-width 16 line width of hexdump command
ida-enabled False whether to enable ida integration
kernel-vmmap 'page-tables' the method to get vmmap information when debugging via QEMU kernel
left-pad-disasm True whether to left-pad disassembly
nearpc-lines 10 number of additional lines to print for the nearpc command
nearpc-num-opcode-bytes 0 number of opcode bytes to print for each instruction
nearpc-opcode-separator-bytes 1 number of spaces between opcode bytes
r2decompiler 'radare2' framework that your ghidra plugin installed (radare2/rizin)
show-compact-regs False whether to show a compact register view with columns
show-compact-regs-columns 2 the number of columns (0 for dynamic number of columns)
show-compact-regs-min-width 20 the minimum width of each column
show-compact-regs-separation 4 the number of spaces separating columns
show-flags False whether to show flags registers
show-retaddr-reg False whether to show return address register
syntax-highlight True Source code / assembly syntax highlight
telescope-framepointer-offset True print offset to framepointer for each address, if sufficiently small
telescope-lines 8 number of lines to printed by the telescope command
You can set config variable with `set <config-var> <value>`
You can generate configuration file using `configfile` - then put it in your .gdbinit after initializing pwndbg
Show a compact register view, the flags register (CPSR) and the return address register (LR):
pwndbg> set show-flags on
Set whether to show flags registers to 'on'.
pwndbg> set show-retaddr-reg on
Set whether to show return address register to 'on'.
Increase number of DISASM/SOURCE/STACK lines to print:
pwndbg> set context-code-lines 12
Set number of additional lines to print in the code context to 12.
pwndbg> set context-source-code-lines 12
Set number of source code lines to print by the context command to 12.
# View sp[00:1f], 32 machine words, 256 bytes in AArch64.
# refer to stack [-h] [-f] [-i] [count] [offset]
pwndbg> set context-stack-lines 32
Set number of lines to print in the stack context to 32.
Increase the number of code lines in nearpc command output:
pwndbg> set nearpc-lines 12
Set number of additional lines to print for the nearpc command to 12.
pwndbg> nearpc
Type context to see the change take effect immediately.
Type configfile to show the changed configs:
pwndbg> configfile
Showing only changed values:
# context-code-lines: number of additional lines to print in the code context
# default: 10
set context-code-lines 12
# context-source-code-lines: number of source code lines to print by the context command
# default: 10
set context-source-code-lines 12
# nearpc-lines: number of additional lines to print for the nearpc command
# default: 10
set nearpc-lines 12
# show-compact-regs: whether to show a compact register view with columns
# default: off
set show-compact-regs on
# show-flags: whether to show flags registers
# default: off
set show-flags on
# show-retaddr-reg: whether to show return address register
# default: off
set show-retaddr-reg on
To save the current pwndbg settings to the file system so that they persist across all your future pwndbg sessions, copy the above output into ~/.gdbinit-pwndbg (the file Step 1 created):
$ cat ~/.gdbinit-pwndbg
source ~/gdbe/pwndbg/gdbinit.py
################################################################################
# configfile
################################################################################
# show-compact-regs: whether to show a compact register view with columns
# default: off
set show-compact-regs on
# show-flags: whether to show flags registers
# default: off
set show-flags on
# show-retaddr-reg: whether to show return address register
# default: off
set show-retaddr-reg on
theme#
theme: Shows pwndbg-specific theme configuration.
themefile: Generates a configuration file for the current pwndbg theme options.
pwndbg> theme
Name Value (Default) Documentation
-----------------------------------------------------------------------
backtrace-address-color none color for backtrace (address)
backtrace-frame-label '' frame number label for backtrace
code-prefix '►' prefix marker for 'context code' command
code-prefix-color none color for 'context code' command (prefix marker)
disable-colors False whether to color the output or not
disasm-branch-color bold color for disasm (branch/call instruction)
hexdump-address-color none color for hexdump command (address label)
hexdump-ascii-block-separator '│' block separator char of the hexdump command
hexdump-byte-separator ' ' separator of single bytes in hexdump (does NOT affect group separator)
hexdump-colorize-ascii True whether to colorize the hexdump command ascii section
highlight-color green,bold color added to highlights like source/pc
highlight-pc True whether to highlight the current instruction
highlight-source True whether to highlight the closest source line
memory-code-color red color for executable memory
memory-data-color purple color for all other writable memory
memory-heap-color blue color for heap memory
memory-rodata-color normal color for all read only memory
memory-rwx-color underline color added to all RWX memory
memory-stack-color yellow color for stack memory
nearpc-prefix '►' prefix marker for nearpc command
nearpc-prefix-color none color for nearpc command (prefix marker)
nearpc-symbol-color normal color for nearpc command (symbol)
nearpc-syscall-name-color red color for nearpc command (resolved syscall name)
syntax-highlight-style 'monokai' Source code / assembly syntax highlight stylename of pygments module
You can set config variable with `set <theme-var> <value>`
You can generate configuration file using `themefile` - then put it in your .gdbinit after initializing pwndbg
Colors not friendly for light terminal · Issue #503 · pwndbg/pwndbg
It looks like the code syntax highlighting specifically relies on pygments and its built-in styles. The default is monokai.
Setting it to default looks great with solarized light:
pwndbg> set syntax-highlight-style default
Set Source code / assembly syntax highlight stylename of pygments module to 'default'.
pwndbg> context # takes effect immediately
Type themefile to show the changed configs:
pwndbg> themefile
Showing only changed values:
# syntax-highlight-style: Source code / assembly syntax highlight stylename of pygments module
# default: monokai
set syntax-highlight-style default
To save the current pwndbg settings to the file system so that they persist across all your future pwndbg sessions, copy the above output into ~/.gdbinit-pwndbg:
$ cat ~/.gdbinit-pwndbg
source ~/gdbe/pwndbg/gdbinit.py
################################################################################
# configfile
################################################################################
# show-compact-regs: whether to show a compact register view with columns
# default: off
set show-compact-regs on
# show-flags: whether to show flags registers
# default: off
set show-flags on
# show-retaddr-reg: whether to show return address register
# default: off
set show-retaddr-reg on
################################################################################
# themefile
################################################################################
# syntax-highlight-style: Source code / assembly syntax highlight stylename of pygments module
# default: monokai
set syntax-highlight-style default
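The configfile and themefile sections above, and the gef config section earlier, all come down to keeping a few `set KEY VALUE` or `gef config KEY VALUE` lines after the `source` line of the matching init file. The script below is an added example, not code from the post, from pwndbg or from GEF: setting_put replaces or appends one such line so that pasting configfile output a second time does not leave stale duplicates, merge_configfile parses configfile/themefile output from standard input (comment lines and the "Showing only changed values:" header are skipped), and demo runs both against constructed sample output in a directory you choose. The function names and the sample output are this example's own; keeping `gef config` lines in ~/.gdbinit-gef after the source line is used here as an alternative to gef save and is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the original post, pwndbg or GEF.
# Keeps persisted settings in the per-extension init files without piling
# up duplicate lines. Assumptions (this example's own): pwndbg is loaded by
# ~/.gdbinit-pwndbg and GEF by ~/.gdbinit-gef as Step 1 creates them, and a
# "gef config KEY VALUE" line placed after the source line in ~/.gdbinit-gef
# is used as an alternative to "gef save".
set -e

# setting_put FILE PREFIX KEY VALUE: replace every "PREFIX KEY ..." line in
# FILE with a single "PREFIX KEY VALUE" line, or append one. The source line
# is never touched and stays first: "set show-flags" and "gef config" only
# exist once the plugin has been loaded.
setting_put() {
    file=$1; prefix=$2; key=$3; value=$4
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk -v p="$prefix $key " 'substr($0, 1, length(p)) != p' "$file" > "$tmp"
    printf '%s %s %s\n' "$prefix" "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# setting_get FILE PREFIX KEY: print the value of the last matching line,
# or an empty line when the key is not set.
setting_get() {
    awk -v p="$2 $3 " '
        substr($0, 1, length(p)) == p { v = substr($0, length(p) + 1) }
        END { print v }' "$1"
}

# merge_configfile FILE: read pwndbg "configfile"/"themefile" output from
# stdin and apply each "set KEY VALUE" line to FILE. Comment lines, blank
# lines and the "Showing only changed values:" header are ignored.
merge_configfile() {
    file=$1
    while IFS= read -r line; do
        case $line in
            "set "*)
                key=${line#"set "}; key=${key%%" "*}
                value=${line#"set $key "}
                setting_put "$file" set "$key" "$value" ;;
        esac
    done
}

# demo DIR: seed DIR/.gdbinit-pwndbg and DIR/.gdbinit-gef the way Step 1
# does, merge constructed configfile output twice (the second time with one
# value changed) and add two GEF settings. Returns 0 when the files read
# back as expected: source line still first, one line per key, last value wins.
demo() {
    dir=$1
    pw="$dir/.gdbinit-pwndbg"; ge="$dir/.gdbinit-gef"
    printf 'source ~/gdbe/pwndbg/gdbinit.py\n' > "$pw"
    printf 'source ~/gdbe/gef/gef.py\n' > "$ge"
    # Constructed sample: the shape of the "configfile" output shown in this post.
    sample='Showing only changed values:
# show-flags: whether to show flags registers
# default: off
set show-flags on
# context-code-lines: number of additional lines to print in the code context
# default: 10
set context-code-lines 12'
    printf '%s\n' "$sample" | merge_configfile "$pw"
    printf '%s\n' "$sample" | sed 's/^set context-code-lines 12$/set context-code-lines 16/' \
        | merge_configfile "$pw"
    setting_put "$ge" 'gef config' context.nb_lines_code 10
    setting_put "$ge" 'gef config' context.layout \
        '"-legend regs stack code args -source memory -threads -trace extra"'
    [ "$(head -n 1 "$pw")" = 'source ~/gdbe/pwndbg/gdbinit.py' ] &&
        [ "$(grep -c '^set context-code-lines ' "$pw")" -eq 1 ] &&
        [ "$(setting_get "$pw" set context-code-lines)" = 16 ] &&
        [ "$(setting_get "$ge" 'gef config' context.nb_lines_code)" = 10 ]
}

# Usage (hypothetical file name): sh gdbinit-settings.sh demo /tmp/somedir
if [ "${1:-}" = demo ] && [ -n "${2:-}" ]; then demo "$2"; fi
```

In day-to-day use the pipeline is `pwndbg> configfile` pasted into a file, then `merge_configfile ~/.gdbinit-pwndbg < that-file`; gdb applies lines in order, so the last value of a key always wins, and setting_put simply keeps that invariant visible by leaving one line per key.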