Basic commands
General syntax for selecting an executable file for analysis
gdb program_name
To run the program
run | r
Connect to a gdbserver
target remote host:port
Attach to a running process, detach from it
attach PID / detach
Exit gdb
quit | q
CTRL + D
Select Assembly language syntax
set disassembly-flavor intel/att
View information about the architecture, sections
info file
Getting a list of functions
info functions | i func
Getting an asm listing of a function
disas func_name
disas address
If you have the source code (build it with the -g3 option for gcc) or the program under study contains debugging information, you can view the listing of its source code
list func_name
Set the arguments for each run of the program and see them
set args
show args
The allocation of virtual memory
info proc mappings
Viewing registers (info registers in plain gdb; the gef plugin adds a registers command with the same purpose)
info registers | i r
registers
Step with entering the function
step | s
Step with a jump through the called subroutine
next | n
Run to the desired source line or address
until | u line_number
until | u *func_name+offset
until | u *address
Information about function arguments, local variables (for files containing debugging information), and the frame of the current function
info args
info locals
info frame
View the list of threads and select the one you are interested in
info threads
thread number
Ways to set up breakpoints
b func_name
b *func_name+offset
b *address
View a list of breakpoints, enable or disable them, and delete breakpoints
info break
disable/enable breakpoint_number
delete breakpoint_number
ignore breakpoint_number n // skip the next n hits of this breakpoint, then stop on it
Continue execution until the next breakpoint
continue | c
Viewing the stack (telescope is a gef command; in plain gdb use x/16gx $rsp)
telescope
telescope $rsp+64
To display the value at the specified address, use the x command, where the output format is specified after "/".
x/i - instruction
x/x - hex
x/s - string
x/a - address
as well as the output size
x/b - 8-bit
x/h - 16-bit
x/w - 32-bit
x/g - 64-bit
Example
x/64bx $rsp
x/i $pc
Passing a command-line argument (the python one-liners below assume Python 2, where print emits raw bytes; with Python 3 use sys.stdout.buffer.write(b'A'*32 + b'\xde\xad') instead, and echo needs -e to interpret the \x escapes)
run $(python -c "print('A'*32 + '\xde\xad')")
run $(echo -e "asdf\xde\xad")
To pass values to input functions (stdin)
run <<< $(python -c "print('A1'*3)")
run <<< $(echo -e "asdf\xde\xad")
Start the gdb server for debugging
gdbserver host:port program
We have all been through the awkward moment when, during debugging, we missed the function we were interested in and now need to restart the debugger, walk the same path through the CFG again, etc. To avoid this, gdb has a feature called reverse debugging, which records the program state and lets you step back to it.
To do this, after starting the debugger, tell gdb that you want to use reverse debugging and that it should record the program state
record
After that, the following commands will be available:
reverse-step
reverse-next
Dump a region of memory (often necessary when working with unpackers/decompressors)
dump memory output_file start_addr end_addr
To pin the output of a command on every stop, such as viewing the next instructions and displaying registers, use the display command
display/5i $pc
display/g $rax
display/g $rbx
display/g $rcx
For efficient use of gdb, it is better to use the gef plugin. It already includes a convenient pinned context output for dynamic analysis, as well as a set of custom commands that expand the capabilities of our universal debugger. Let's look at some of the most useful ones.
View ASLR status, enable / disable it
aslr
aslr on/off
To check the executable file for ASLR, Canary, PIE, etc.
checksec
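To see what checksec actually inspects, here is an added example (not part of the original cheat sheet and not gef's code) that reads the same ELF program headers gef and checksec look at: PIE from e_type, NX from the PT_GNU_STACK flags, RELRO from the presence of PT_GNU_RELRO, and a canary via a heuristic search for the __stack_chk_fail symbol name. The build_sample_elf helper is a constructed, headers-only ELF image used only so the script runs offline; pass a real binary path on the command line to check it instead.

```python
import struct
import sys

# ELF constants from the ELF specification
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_R, PF_W, PF_X = 4, 2, 1


def parse_elf64(data: bytes):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    # Elf64_Ehdr after e_ident: e_type, e_machine, e_version, e_entry,
    # e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum
    (e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum) = struct.unpack_from("<HHIQQQIHHH", data, 16)
    phdrs = []
    for i in range(e_phnum):
        # Elf64_Phdr starts with p_type and p_flags
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def checksec(data: bytes) -> dict:
    """Report NX / PIE / RELRO / Canary the way checksec-style tools do."""
    e_type, phdrs = parse_elf64(data)
    stack = [flags for t, flags in phdrs if t == PT_GNU_STACK]
    # No PT_GNU_STACK header means the loader defaults to an executable stack
    nx = bool(stack) and not (stack[0] & PF_X)
    # Presence of PT_GNU_RELRO gives at least partial RELRO; full RELRO would
    # additionally need DT_BIND_NOW in the dynamic section (not parsed here)
    relro = any(t == PT_GNU_RELRO for t, _ in phdrs)
    # ET_DYN is a PIE executable (or a shared library)
    pie = e_type == ET_DYN
    # Heuristic: a canary-protected binary references __stack_chk_fail
    canary = b"__stack_chk_fail" in data
    return {"NX": nx, "PIE": pie, "RELRO": relro, "Canary": canary}


def build_sample_elf(pie: bool, exec_stack: bool, relro: bool, canary: bool) -> bytes:
    """Constructed minimal ELF64 image (headers only, not a runnable program)."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LSB, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,  # x86-64
                               64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    tail = b"__stack_chk_fail\x00" if canary else b"\x00"
    return ehdr + body + tail


def checksec_file(path: str) -> dict:
    with open(path, "rb") as f:
        return checksec(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(checksec_file(sys.argv[1]))
    else:
        print(checksec(build_sample_elf(pie=True, exec_stack=False, relro=True, canary=True)))
```

Running it without arguments prints the result for the constructed hardened sample ({'NX': True, 'PIE': True, 'RELRO': True, 'Canary': True}); real tools refine the canary and RELRO checks by parsing the symbol and dynamic tables rather than relying on the string heuristic used here.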
View chunks
heap chunks
While in the function, we can get the value of the Canary and the address where it is located
canary
Slightly more convenient output than info proc mappings
vmmap
Viewing the flag register and changing it
flags
flags -Flag_name +Flag_name
Help for finding format string vulnerabilities (setting breakpoints on them, information on found functions)
format-string-helper
Creating a pattern and searching for it
pattern create 128
pattern search 0x61616167
pattern search $rbp
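The pattern commands work because the pattern is a De Bruijn sequence: every n-byte window is unique, so the bytes that land in a register after a crash identify exactly one offset. The following is an added example of that technique, written for this page and not gef's own implementation (gef also uses a De Bruijn sequence, but its alphabet, default subsequence length and search order are assumptions here): pattern_create builds the sequence lazily and pattern_search accepts either the raw bytes or, like the sheet's 0x61616167 example, an integer read from a register, trying little-endian then big-endian byte order.

```python
import itertools
import string


def _de_bruijn(alphabet: str, n: int):
    """Yield the De Bruijn sequence B(k, n) one character at a time (FKM algorithm)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for c in a[1:p + 1]:
                    yield alphabet[c]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def pattern_create(length: int, n: int = 4, alphabet: str = string.ascii_lowercase) -> str:
    """Cyclic pattern of `length` bytes in which every n-byte window is unique."""
    if length > len(alphabet) ** n:
        raise ValueError("pattern too long for this alphabet and window size")
    return "".join(itertools.islice(_de_bruijn(alphabet, n), length))


def pattern_search(value, pattern: str):
    """Offset of `value` inside `pattern`, or None.

    `value` may be a str/bytes fragment or an integer as read from a register;
    an integer is tried as little-endian bytes first (x86), then big-endian.
    """
    haystack = pattern.encode()
    if isinstance(value, int):
        width = max(1, (value.bit_length() + 7) // 8)
        candidates = [("little-endian", value.to_bytes(width, "little")),
                      ("big-endian", value.to_bytes(width, "big"))]
    else:
        raw = value.encode() if isinstance(value, str) else bytes(value)
        candidates = [("raw", raw)]
    for label, needle in candidates:
        offset = haystack.find(needle)
        if offset != -1:
            return offset, label
    return None


if __name__ == "__main__":
    pat = pattern_create(128)
    print(pat)
    # Constructed register value, as in the sheet's `pattern search 0x61616167`
    print(pattern_search(0x61616167, pat))  # (24, 'little-endian')
```

With the default 4-byte window the value 0x61616167 corresponds to the bytes "gaaa" in memory order, which the generator places at offset 24; widen n to 8 when feeding a 64-bit register so that one window covers the whole value.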
Search for strings by pattern
search-pattern pattern
Patching
patch byte/word/dword/qword address value
Print an array in a format that is easy to copy into python code. Parameter b (word size) must be 8/16/32/64, l controls the number of elements
Example
print-format -b 64 -l 1 $rsp
To search the shellcode database by keyword and fetch an entry by its number
shellcode search pattern
shellcode get shellcode_number
XOR values in memory and registers
xor display address/register size xor_key
xor patch address/register size xor_key