GDB (gef)

GNU Debugger (GNU), with the gef wrapper to provide us with extended features.

GDB Command Reference - Index pageSysprogs

Top (Debugging with GDB)sourceware.org

GDB/GEF Cheatsheet - TrebledJ's PagesTrebledJ's Pages

Commands

Cheatsheet link

1. Run the program

run, r

gdb <binary>
gef> run

2. Breakpoints

2.1 Set breakpoint on the main function

gef> break main
gef> b main

2.2 Start command

a. start: sets a temporary breakpoint on the main procedure and starts executing the program (run command)

The main procedure is usually main (C/C++), but may vary with other languages

The start command does the equivalent of setting a temporary breakpoint at the beginning of the main procedure and then invoking the run command

b. starti: set a temporary breakpoint at the first instruction of the program execution and starts executing the program (run command)

2.3 Navigate through the program

a. nexti: go instruction by instruction through the program, without stepping into function calls

b. next: go through each line of code, without stepping into function calls

c. stepi: go instruction by instruction, while stepping into function calls

d. step: go through each line of code, while stepping into function calls

Summary table

Command

Navigate through?

Step into function calls (eg. puts())?

nexti

Instructions

next

Line of code (may consist of multiple instructions)

stepi

Instructions

YES

step

Line of code (may consist of multiple instructions)

YES

2.4 Example on a specific instruction

Eg. hello world function

gef> disassemble main # "disass" works too
Dump of assembler code for function main:
   xxx
   0x0804840f <+20>:	push   0x80484b0
   0x08048414 <+25>:	call   0x80482d0 <puts@plt>
   xxx
End of assembler dump.

Set breakpoint on the call to puts

gef> break *main+25
gef> break *0x08048414
gef> break *puts

2.5 Other commands

gef> info breakpoints
gef> delete <Num> # "del" or "d" works too

2.6 If Position-Independent Executable (PIE) is used

If PIE is present, the memory addresses of the code shown by the disassembler will not match the one actually used during runtime
To deal with this, we can simply run the binary first, and disassemble again, to view the runtime memory addresses

$ readelf -h <bin_file>
...
Type:     DYN (Position-Independent Executable file)
...

$ gdb <bin_file>
gdb> starti
gdb> disass main # or whatever function desired

3. Memory

gef> x/nfu <addresss>

n: How many units to print (default 1)
f: Format character (default x)
- x: hexadecimal (default)
- d:decimal
- o: octal
- u: unsigned decimal
- t: binary
- f: floating point
- a: address
- c: char
- s: string
- i: instruction
u: Unit (default w)
- b: byte
- h: halfword (16 bit, 2 bytes)
- w: word (32 bit, 4 bytes) (default)
- g: giant word (64 bits, 8 bytes)

gef> x/a <address> # print pointer address

gef> x/2cb <address> # print 2 bytes of character

gef> x/2dh <address> # print 2 decimal ('d') representation of half-words ('h': 16-bits, 2-bytes)

gef> x/s <address> # print as C string

gef> x/4xb # print 4 bytes of hex

4. Printing

Print values with C-like syntax, and can function as:
- Print registers
- Type conversion
- Calculator
General syntax: print/f, p/f

# print register values
gef>  p $rbp
$1 = (void *) 0x7fffffffdac0
####

# type conversion
gef> p/x 10 # “print as hex
gef> p/o 0x10 # print as octal
gef> p/d 0x10 # print as signed decimal

gef>  p (int)0x22
$x = 34
#####

# calculator
gef>  p/x (int)(0x00007fffffffdaa8 + 0x3) - (int)$rbp
$x = 0xffffffeb

gef> p/x 0x48 - 0x36
$x = 0x12
####

PreviousOverview NextGhidra

Last updated 1 day ago