GNU Debugger is a very handy tool for reverse engineering the binaries and helps to examine what is going inside the program during execution. It helps in debugging programs by creating the break points and analyzing the program exection flow. In this blog I am listing down some most frequently used gdb commands which will help to kick start the journey in the field of reverse engineering and assist in developing exploits for buffer overflows. Below are the list of some of the frequently used gdb commands along with their  descriptions
 
Open an executable in the debugger 
gdb [executable name]
e.g. gdb a.out 
 
Get the assembly language code for a particular function(By default the syntax is for AT&T architecture)
disassemble [function name]
e.g. disassemble main
 
Set the architecture to intel
set disassembly-flavor intel
 
Set the architecture to AT&T
set disassembly-flavor att
 
Note
Instruction format for default gdb (at&t) : OPCODE Source Destination
Instruction format for intel : OPCODE Destination Source
 
Add the break point at particular address
break *[address] or  break *[function name]
e.g. break *0xaabbccdd or break *main
 
Delete the breakpoint
delete [breakpoint number] or delete : deletes all breakpoints
e.g. delete 2 or delete
Run the executable and start debugging
run [argument] 
 
Get the content of all the registers
info register
Note: The program must be running to fetch the information regarding the registers.
 
Get the list of all the variables used in the program along with their memory address
info variables
 
Step Into the function
si or s
 
Step Over the function
ni or n
 
Continue program execution till the next break point of end of the program is encountered
continue or c
 
Alter the value of the register
set $[register]=value
e.g. set $eax = 0
 
Get the address of a function
print [function]
e.g. print main
 
Get the value of any register
print $[register] or print /x $[register]
e.g. print $eip or print /x $eip
 
Examine the content of the memory
x/[no. of memory locations to examine][format of output e.g hexadecimal,string,decimal][unit to examine e.g byte/word] [Starting memory address]
e.g. x/16wx 0xaabbccdd : Examine (x) 16 consecutive memory locations in words(w) format starting from address 0xaabbccdd and print the content of memory in hexadecimal format (x)
 
Examine the content of register
x/wx $[register]
e.g x/16wx $esp
Note: examine expects an address. It goes to the particular address and print its value. It returns error if incorrect address is provided.
 
Get the content of any any local variable (here character array)
x/ws [memory address]
e.g. x/24wx 0xffffaaaaa
 
Find the next instruction to be executed
x/i $eip
 
Get the return address (address fetched after returning from the sub function)
x/2wx $ebp : Second data is the return address
 
Running the list of commands at a break point
define hook-stop
[command 1]
[command 2]
end
Find the mapped address space for the program
info proc mapping
Get more information regarding any command
help [command]
e.g. help x
 
I hope this blog was useful. Feel free to leave you comments or suggestions about this post. I will be happy to receive the feedbacks. Also share if you find it useful. Follow me on twitter @PiyushSaurabh and LinkedIn to receive updates on my new post.
 
Happy Learning 🙂
The author is a security enthusiast with interest in web application security, cloud-native application development and Kubernetes.

One Thought on “A quick reference guide to GNU Debugger”

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.