Information Security Lab 4 | GDB Vs. PWN Debugger

Series: Information Security Lab

1. GDB

The previous section introduced the GNU debugger (GDB) and the pwndbg plugin. This section summarizes the basic usage of each. The addresses and registers below come from a 32-bit (i386) target, which is why the examples use $esp and $eip; on a 64-bit target substitute $rsp and $rip, or use GDB's architecture-neutral aliases $sp and $pc.

  • Initiate debugging
$ gdb <filename>
  • Set a breakpoint at a location given by a symbol (e.g. the function main)
(gdb) b main
  • Run the debugged program
(gdb) r
  • Show the values of all registers (i = info, r = registers)
(gdb) i r
  • Examine (x) memory at an address, decoding it as one instruction (i)
(gdb) x/1i 0x80492c9
  • Examine 10 consecutive instructions starting at an address (the one at the address and the 9 that follow it)
(gdb) x/10i 0x80492c9
  • Examine memory at an address as a NUL-terminated string (s)
(gdb) x/1s 0x80492c9
  • Print (p) the value of a register; registers are referenced with a dollar sign (e.g. $esp)
(gdb) p $esp
  • To see the details of any command, type help followed by the command name. For example,
(gdb) help x
  • Execute one instruction, stepping into calls (si = stepi),
(gdb) si
  • Disassemble the instruction at the current program counter (display/i $eip does the same but repeats it automatically each time the program stops)
(gdb) x/i $eip
  • Execute until the current function returns, then print the returned value
(gdb) finish
  • Execute one instruction, stepping over calls (ni = nexti),
(gdb) ni
  • Continue executing the program until the next breakpoint,
(gdb) c
  • Interrupt the running program by pressing Ctrl+C (the SIGINT is caught by GDB, which stops the program and returns to the prompt),
^c
  • Show the call stack (backtrace): frame #0 is the function the program is stopped in, and the frames above it are its callers up to main. When the program is stopped inside a library routine such as a system call wrapper, this shows the chain of calls from main down to it.
(gdb) bt
  • Add a breakpoint at a raw memory address (e.g. 0x80492c9); the asterisk tells GDB the argument is an address rather than a symbol or source line
(gdb) b *0x80492c9
  • Delete the breakpoint(s) at the current location (the source line the selected frame is stopped at)
(gdb) clear
  • Terminate the GDB session
(gdb) q

2. PWN Debugger

pwndbg is a GDB plugin aimed at exploit development and reverse engineering: it adds commands for inspecting process memory and state, and prints a context view (registers, disassembly, stack, backtrace) every time the program stops. Here are the common usages,

  • Initiate pwndbg debugging (the gdb-pwndbg wrapper launches GDB with the plugin loaded; if pwndbg was installed by sourcing it from ~/.gdbinit, plain gdb <filename> loads it as well)
$ gdb-pwndbg <filename>
  • Set a temporary breakpoint at main and run to it (start is a built-in GDB command, available without pwndbg too)
> start
  • Display basic information about the debugged process (pid, tid, gid, open file descriptors, etc.)
> procinfo
  • Display the section mapping information from the ELF header
> elfheader
  • Show the virtual memory map of the process (address ranges with their permissions and backing file, as in /proc/<pid>/maps)
> vmmap
  • Recursively dereference memory starting at an address: each line shows the address, its contents, and, where the contents are a pointer, what that pointer leads to
> telescope <addr>
  • Display the contents of the registers
> regs
  • Disassemble the instructions near the program counter (PC)
> nearpc
  • Search process memory for strings, pointers, and integer values
> search <something>
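Putting both lists together, as an added example that is not part of the original lab: a POSIX shell script that builds a small constructed C target (lab4_demo.c, with a greet function and a global msg string, all made up for this demo), drives the section 1 GDB commands through gdb -batch -ex in the order shown above, and then runs the section 2 pwndbg commands if pwndbg is loaded. $pc and $sp stand in for the lab's fixed 0x80492c9-style addresses and $eip/$esp, because the demo binary is laid out differently and the script should work on 32- and 64-bit hosts alike. The tool checks, the SKIP messages and the work directory are this script's own conventions.

```shell
#!/bin/sh
# Added example, not part of the original lab: drives the section 1 GDB
# commands, then the section 2 pwndbg commands, non-interactively with
# `gdb -batch -ex`. The target program, its name (lab4_demo) and the work
# directory are constructed for this demo.

WORK="${TMPDIR:-/tmp}/lab4_gdb_demo"

have_tools() {
    command -v gcc >/dev/null 2>&1 && command -v gdb >/dev/null 2>&1
}

# Build a tiny target with symbols (-g), no optimisation (-O0) and a fixed
# load address (-no-pie), so breakpoints on raw addresses (b *0x...) stay
# valid from one run to the next.
build_target() {
    mkdir -p "$WORK" || return 1
    cat > "$WORK/lab4_demo.c" <<'EOF'
#include <stdio.h>

const char *msg = "hello from lab4";   /* constructed sample string */

int greet(int n)                        /* constructed callee to step into */
{
    printf("%s (%d)\n", msg, n);
    return n + 1;
}

int main(void)
{
    return greet(41) == 42 ? 0 : 1;
}
EOF
    gcc -g -O0 -no-pie -o "$WORK/lab4_demo" "$WORK/lab4_demo.c"
}

# Section 1, in order. $pc and $sp are GDB's architecture-neutral aliases for
# eip/esp on i386 and rip/rsp on x86-64; symbols (msg, greet) replace the
# lab's fixed 0x80492c9-style addresses because this binary differs.
gdb_walkthrough() {
    if ! have_tools; then echo "SKIP: gcc and gdb are required"; return 0; fi
    build_target || return 1
    gdb -q -batch \
        -ex 'b main'      \
        -ex 'r'           \
        -ex 'i r'         \
        -ex 'x/10i $pc'   \
        -ex 'x/1s msg'    \
        -ex 'p $sp'       \
        -ex 'b greet'     \
        -ex 'c'           \
        -ex 'bt'          \
        -ex 'clear'       \
        -ex 'x/i $pc'     \
        -ex 'si'          \
        -ex 'ni'          \
        -ex 'finish'      \
        -ex 'c'           \
        "$WORK/lab4_demo" 2>&1 || true   # -batch exits 1 if any command failed (e.g. ptrace denied in a container)
}

# Section 2. pwndbg is normally loaded from ~/.gdbinit; `help vmmap` tells us
# whether it is present before we rely on its commands.
pwndbg_walkthrough() {
    if ! have_tools || [ ! -x "$WORK/lab4_demo" ]; then echo "SKIP: run gdb_walkthrough first"; return 0; fi
    if gdb -q -batch -ex 'help vmmap' 2>&1 | grep -q 'Undefined command'; then
        echo "SKIP: pwndbg is not loaded"; return 0
    fi
    gdb -q -batch \
        -ex 'start'            \
        -ex 'procinfo'         \
        -ex 'elfheader'        \
        -ex 'vmmap'            \
        -ex 'regs'             \
        -ex 'telescope $sp 8'  \
        -ex 'nearpc'           \
        -ex 'search hello'     \
        "$WORK/lab4_demo" 2>&1 || true
}

gdb_walkthrough
pwndbg_walkthrough
```

Run it with sh lab4_demo.sh. In the first half, look for "Breakpoint 1 at" (from b main), the backtrace showing greet called from main, "Deleted breakpoint 2" (from clear at the greet location) and "Value returned is ... 42" (from finish); the second half is skipped unless pwndbg is sourced from ~/.gdbinit. In a container where ptrace is disabled, gdb can set the breakpoints but r fails; the static commands still work, which is a quick way to tell a sandbox problem from a command problem.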