GNU Debugger is a very handy tool for reverse engineering the binaries and helps to examine what is going inside the program during execution. It helps in debugging programs by creating the break points and analyzing the program exection flow. In this blog I am listing down some most frequently used gdb commands which will help to kick start the journey in the field of reverse engineering and assist in developing exploits for buffer overflows. Below are the list of some of the frequently used gdb commands along with their descriptions
Open an executable in the debugger
gdb [executable name]
e.g. gdb a.out
Get the assembly language code for a particular function(By default the syntax is for AT&T architecture)
disassemble [function name]
e.g. disassemble main
Set the architecture to intel
set disassembly-flavor intel
Set the architecture to AT&T
set disassembly-flavor att
Note:
Instruction format for default gdb (at&t) : OPCODE Source Destination
Instruction format for intel : OPCODE Destination Source
Add the break point at particular address
break *[address] or break *[function name]
e.g. break *0xaabbccdd or break *main
Delete the breakpoint
delete [breakpoint number] or delete : deletes all breakpoints
e.g. delete 2 or delete
Run the executable and start debugging
run [argument]
Get the content of all the registers
info register
Note: The program must be running to fetch the information regarding the registers.
Get the list of all the variables used in the program along with their memory address
info variables
Step Into the function
si or s
Step Over the function
ni or n
Continue program execution till the next break point of end of the program is encountered
continue or c
Alter the value of the register
set $[register]=value
e.g. set $eax = 0
Get the address of a function
print [function]
e.g. print main
Get the value of any register
print $[register] or print /x $[register]
e.g. print $eip or print /x $eip
Examine the content of the memory
x/[no. of memory locations to examine][format of output e.g hexadecimal,string,decimal][unit to examine e.g byte/word] [Starting memory address]
e.g. x/16wx 0xaabbccdd : Examine (x) 16 consecutive memory locations in words(w) format starting from address 0xaabbccdd and print the content of memory in hexadecimal format (x)
Examine the content of register
x/wx $[register]
e.g x/16wx $esp
Note: examine expects an address. It goes to the particular address and print its value. It returns error if incorrect address is provided.
Get the content of any any local variable (here character array)
x/ws [memory address]
e.g. x/24wx 0xffffaaaaa
Find the next instruction to be executed
x/i $eip
Get the return address (address fetched after returning from the sub function)
x/2wx $ebp : Second data is the return address
Running the list of commands at a break point
define hook-stop
[command 1]
[command 2]
end
Find the mapped address space for the program
info proc mapping
Get more information regarding any command
help [command]
e.g. help x
I hope this blog was useful. Feel free to leave you comments or suggestions about this post. I will be happy to receive the feedbacks. Also share if you find it useful. Follow me on twitter @PiyushSaurabh and LinkedIn to receive updates on my new post.
Happy Learning :)
Comments
Post a Comment