Difference between revisions of "Gdb"

From NetSec
Latest revision as of 06:08, 30 August 2015

GDB (the GNU Debugger) is a command-line debugger for ELF binaries. It can disassemble code and inspect the memory and registers of a running process, an executable on disk, or a core dump. When inspecting a core dump it is vital to have the debugging symbols for the exact binary that crashed: without them GDB can still show raw addresses and registers, but not function names, source lines or local variables. For your own programs this means compiling with gcc's debug flag '-g':

gcc -o cfm -g cfm.c

Then load the binary together with the core dump it produced (the core file name depends on the kernel's core_pattern; here it carries the PID). If no core file appears after a crash, the soft core size limit is usually 0: raise it with ulimit -c unlimited before running the program, and check /proc/sys/kernel/core_pattern, which may hand dumps to a helper such as systemd-coredump instead of writing a file.

gdb cfm core-cfm.1129

For distribution packages you can often install separately shipped debugging symbols instead of rebuilding; on Debian/Ubuntu these packages are named like package-dbg or package-dbgsym, on Fedora/RHEL package-debuginfo.

To view the stack trace including the local variables of every frame (bt alone lists just the frames), run:

bt full

To view all registers (i r is the abbreviated form):

i r
or
info registers

Select a stack frame to inspect, using the frame number shown in the backtrace (frame 0 is the innermost frame, where the crash happened; higher numbers are its callers):

frame <n>

List the source code around the current line (only works with debugging symbols; list + continues forward, list - goes backward, list with no argument repeats around the current position):

list +
list -
list

Print a variable, or examine raw memory with x/<count><format><size> <address>:

print <variable>
x/200bx <variable>    (200 bytes in hex, starting at the address held by <variable>, or the start of an array)
x/200wx $rip          (200 4-byte words in hex, starting at the instruction pointer)
x/200c $rip           (200 bytes, each shown as an integer and its ASCII character)

$rip is the x86-64 instruction pointer; $pc works on every architecture. The original page wrote the last command as x/200xc, but x and c are both format letters and only the last one takes effect, so x/200c is the same thing.

Print all global and static variables in the program, with their types (requires debugging symbols):

info variables

A really useful TUI command for walking through the source code while viewing the disassembled code (Ctrl-x a toggles the TUI off again):

layout split