November
13th,
2020
Table of contents
- GDB
- Basic commands
- Symbol File
- Strace
- Compiling
- Core dumps
- Breakpoints
- Modifying Registers And Memory
GDB
Basic commands
Debug
gdb <FILE>
Run
r <ARGS>
OR
run <ARGS>
Attach an existing process
gdb -p <PID>
Disassemble
disas <FUNCTION_NAME>
Breakpoint
break <FUNCTION>
OR
break <ADDRESS>
Display content
print <NAME>
Display information
info <NAME>
Step in program
step
Step in one instruction
stepi
Continue
continue
c
Display memory locations
x/<NUMBER_OF_UNITS><DATA_TYPE><LOCATION_NAME>
Help for more infos :
help x
Example :
# Displays 20 words starting from where ESI points to
x/20w $esi
# Displays 10 instructions starting from where EIP points to
x/10i $eip
No debugging symbols
Recompiled with the right flag to add them to the binary.
gcc -ggdb <FILE>.c -o <FILE>
Popular debug symbol file type :
- DWARF 2
- COFF
- XCOFF
- Stabs
Symbol File
List the source file
Need the source code !
list
OR
list <LINE_NUMBER>
Show all sources
info sources
List all the functions from the binary
info functions
Print variables
Global and static variables
info variables
Local variables
info scope <FUNCTION>
Copy symbols file from a binary to a separate file
objcopy --only-keep-debug <BINARY> <SYMBOLS_FILE>
# Within GDB
maint print symbols <SYMBOLS_FILE>
Remove symbols file from a binary
strip --strip-debug <BINARY>
OR
# Remove unneded
strip --strip-debug --strip-unneeded <BINARY>
Adding debug symbols to a binary
Within GDB
symbol-file <SYMBOL_FILE>
Add it in the binary itself
objcopy --add-gnu-debuglink=<SYMBOLS_FILE> <BINARY>
Dump the symbols to a file
maint print symbols <SYMBOLS_FILE>
List symbols from object files
nm <BINARY>
Symbol types
If lowercase, the symbol is usually local; if uppercase, the symbol is global (external).
| Symbol TYPE | MEANING |
|---|---|
| A | Absolute Symbol |
| B | In the Uninitialized Data Section (BSS) |
| D | In the Initialized Data Section |
| N | Debugging Symbol |
| T | In the Text Section |
| U | Symbol Undefined right now |
To see the list of all symbol types use :
man nm
Example
nm example_binary
| Virtual address | Symbol type | Symbol name |
|---|---|---|
| 0000000000004038 | B | __bss_start |
| 0000000000004038 | b | completed.0 |
| w | __cxa_finalize@@GLIBC_2.2.5 | |
| 0000000000004028 | D | __data_start |
NM interesting flags
Sorted symbols
nm -n <BINARY>
External symbols
nm -g <BINARY>
Symbol size
nm -s <BINARY>
Strace
Traces all systems calls made by a program
# Normal usage
strace <BINARY>
# Filter by syscalls
strace -e write,mmap,ect <BINARY>
# Running process
strace -p <PID>
# Statistics about syscalls
strace -c <BINARY>
Compiling
32
gcc -m32 <FILE>.c -o <FILE>
64
gcc <FILE>.c -o <FILE>
Core dumps
Enable core dumps
ulimit -S -c unlimited
Disable core dumps
ulimit -S -c 0
Breakpoints
Basic usage
break <FUNCTION>
b <FUNCTION>
OR
break *<ADDRESS>
b *<ADDRESS>
OR
break <LINE_NUMBER>
b <LINE_NUMBER>
List breakpoints
info breakpoints
info b
i b
Disable breakpoint
disable <BREAKNPOINT_NUMBER>
Enable breakpoint
enable <BREAKNPOINT_NUMBER>
Delete breakpoint
delete <BREAKNPOINT_NUMBER>
Modifying Registers And Memory
Get variable type
whatis <VARIABLE_NAME>
Modifying a variable
set <VARIABLE_NAME> = <VALUE>
set <FUNCTION_NAME>::<VARIABLE_NAME> = <VALUE>
# For a string (size of string + 1 for \0)
set {char[5]} p = "test"
Modifying a register
set <REGISTER> = <VALUE>
# Example
set $eip = 0x56556244
Show registers
info registers
i r
Watch a variable
A watchpoint stops execution of your program whenever the value of an expression changes.
watch <VARIABLE_NAME>