
Gdb

From Security101 - Blackhat Techniques - Hacking Tutorials - Vulnerability Research - Security Tools
Using GDB requires a basic understanding of assembly and Linux assembly.


GDB (the GNU Debugger) is a command-line debugger for ELF binaries (the standard executable format for Linux).


Starting or attaching to a process

  • It is always good practice to load the application you are debugging, together with its debugging symbols, into GDB before running it. To do this, you can use the following command:
Terminal

localhost:~ $ gdb -q /path/to/binary

Once the binary has been loaded, you can simply type `r' to run the program. If you want to pass any flags or parameters to the program, append them to the `r' command; for example, if you were loading the program /bin/bash and wanted it to be interactive, you could type:

   (gdb) r -i

This would be equivalent to running "bash -i".

  • GDB is also capable of attaching to a process by its PID, or process identifier. To do this, you can use the following command:
Terminal

localhost:~ $ gdb -p PID

  • If you don't know the PID of the process, something like the following should suffice:
Terminal

localhost:~ $ gdb -p $(pidof -n processname)

  • Once attached, you can continue main execution by typing `c' (continue):
   (gdb) c
   Continuing.
  • To step a particular number of source lines (this needs debugging symbols), give `step' a count:
   (gdb) step 1
  • To step exactly one machine instruction:
   (gdb) si
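The one-liner above, `gdb -p $(pidof -n processname)`, misbehaves when pidof finds no process (gdb gets an empty argument) or several (gdb gets a list of PIDs). The following shell snippet is an added example, not from the original page: it resolves a process name to exactly one PID and refuses to attach otherwise. The function names are mine; `pidof` and `gdb -p` are the real tools.

```shell
#!/bin/sh
# Added example (not from the original page): attach to a process by name
# without handing "gdb -p" an empty or multi-PID argument.

# Take a whitespace-separated PID list (e.g. the output of pidof) and
# succeed only when it contains exactly one PID. Returns 1 when the list
# is empty and 2 when it is ambiguous, so the caller never attaches to
# the wrong process.
select_single_pid() {
    # Re-split the argument into positional parameters, one per PID.
    set -- $1
    case $# in
        0) echo "no matching process" >&2; return 1 ;;
        1) printf '%s\n' "$1"; return 0 ;;
        *) echo "ambiguous: $# candidate PIDs ($*)" >&2; return 2 ;;
    esac
}

# Attach gdb to the single process with the given name, or fail loudly.
# Usage: attach_by_name processname
attach_by_name() {
    pid=$(select_single_pid "$(pidof "$1")") || return $?
    gdb -q -p "$pid"
}
```

Call `attach_by_name sshd` (or any other name) from an interactive shell; when more than one process matches, pick the PID from the printed list and use `gdb -p PID` directly.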

Setting breakpoints

  • Setting breakpoints can be accomplished by location or by dynamic symbol. For example, one can set a breakpoint on printf:
   (gdb) break printf
  • It is also possible to set a breakpoint on locally defined functions, for example:
   (gdb) break main
  • Or, to set a breakpoint at a location, for example 0x404130:
   (gdb) break *0x404130

Examining data

To examine any data, the program must be stopped after it has started execution. This could happen by breakpoint, segmentation fault, or by initially attaching to the process.

Registers

  • It is possible to view registers by typing the following:
   (gdb) i r
  • To view a specific register, for example, %rsp:
   (gdb) i r $rsp
  • To set the value of a register:
   (gdb) set $rdi = 0
  • Values can also be set at specific memory locations:
   (gdb) set *0x7fffffffdc38 = 0
  • To list the program's global and static variables (this needs debugging symbols):
   (gdb) i var

Call stacks

A call stack will show the most recent call first, and contains the return addresses of each frame in the chain. The command for this is `bt', an abbreviation for `backtrace':

   (gdb) bt

You can get a more detailed look at the backtrace, including the values of arguments, locals, structs, etc., with the following command. The binary must be compiled with debugging symbols for this (add -g to your CFLAGS and recompile); on Ubuntu you can instead install the corresponding *-dbg packages.

   (gdb) bt full

You can also examine single stack frames, which is incredibly useful for examining frame pointers and address values. This will give you the first stack frame, but you can add a number to the end to get other stack frames:

   (gdb) info frame
   (gdb) info frame 1

This can be done shorthand as well with:

   (gdb) i f
   (gdb) i f 1

Data in RAM

RAM may contain pointers, strings, and other binary data (for function arguments).

Strings

The command to observe a string is x/s; it can be passed a register or a location. If you want to view multiple strings, you can use x/2s or x/3s, where 2 and 3 are the number of strings to display. Addresses are referenced in this capacity without a *, for example, 0x4000020:

   (gdb) x/s $rsp
   (gdb) x/2s 0x4000020

It is also possible to add an offset, taken from a sub-register or specified manually:

   (gdb) x/s $rsp + $ax
   (gdb) x/s $rsp + 0x31

Binary

It is possible to examine raw hexadecimal words using x/x or x/2x, in the same way as observing a string, for example:

   (gdb) x/x $rsp
   (gdb) x/2x 0x4000020

Instructions

To view the instructions at %rip:

   (gdb) x/i $rip

Similarly to other commands, you can view multiple instructions:

   (gdb) x/20i $rip

This command also takes locations, for example:

   (gdb) x/20i 0x4000178
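Putting the commands from this page together, the following is an added example (not from the original page) that replays a whole session non-interactively using GDB's batch mode: break on a function or address, run, then dump the registers, the full backtrace, the current frame, the top of the stack and the instructions at %rip. The function names are mine, the binary path and break target are supplied by the caller, and it assumes gdb is installed.

```shell
#!/bin/sh
# Added example (not from the original page): drive gdb from a command
# file instead of typing each command at the (gdb) prompt.

# Emit the GDB command list for one stop point.
# $1 is a symbol (main, printf) or an address written as *0x404130.
gdb_inspect_commands() {
    cat <<EOF
set pagination off
break $1
run
info registers
bt full
info frame
x/8gx \$rsp
x/20i \$rip
continue
quit
EOF
}

# Run gdb in batch mode on a binary, stopping at the given target.
# Any further words are passed as the debuggee's argv, the batch
# equivalent of typing "r arg1 arg2" at the (gdb) prompt.
# Usage: gdb_inspect ./binary main arg1 arg2
gdb_inspect() {
    binary=$1; target=$2; shift 2
    cmdfile=$(mktemp) || return 1
    gdb_inspect_commands "$target" > "$cmdfile"
    gdb -q -batch -x "$cmdfile" --args "$binary" "$@"
    status=$?
    rm -f "$cmdfile"
    return $status
}
```

Because the commands are written to a file, the same inspection can be repeated across runs or binaries; `set pagination off` stops gdb from waiting for a keypress when the output is longer than the terminal.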