The GNU Debugger (GDB) is widely used for debugging software on Linux and UNIX variants. This cheat sheet includes some common commands that can be useful when performing reverse engineering, or developing exploits.
Starting and Running a Program
Command | Description | Example |
---|---|---|
Start GDB | Launch GDB with the specified program. | gdb ./a.out |
Run Program | Start the execution of the program inside GDB. | run |
Set Program Arguments | Set command-line arguments for the program. | set args foo bar |
Breakpoints and Execution Control
Command | Description | Example |
---|---|---|
Set a Breakpoint | Set a breakpoint at a function or a line. | break main or break myfile.c:42 |
List Breakpoints | List all breakpoints. | info breakpoints |
Delete Breakpoint | Delete a breakpoint by number. | delete 1 |
Disable Breakpoint | Disable a specific breakpoint. | disable 1 |
Enable Breakpoint | Re-enable a specific breakpoint. | enable 1 |
Conditional Breakpoint | Set a breakpoint with a condition. | break main if x > 5 |
Continue Execution | Continue the program after hitting a breakpoint. | continue |
Interrupt Execution | Interrupt running program and return control to GDB. | Ctrl + C |
Stepping Through Code
Command | Description | Example |
---|---|---|
Step into a Function | Execute the next source line, stepping into any function it calls. | step |
Step Over a Function | Execute the next source line, stepping over any function it calls (the whole function runs). | next |
Step by Instruction | Step through a single machine instruction. | stepi |
Step Over Instruction | Execute a single machine instruction, stepping over any call. | nexti |
Inspecting Program State
Command | Description | Example |
---|---|---|
Disassemble a Specific Function | Disassemble the instructions of a function. | disas main |
Show Function Argument Values | Display the values of function arguments. | info args |
Print Variable | Print the value of a variable or expression. | print x or print 3 + 4 |
Print a Hexadecimal Value | Print a variable as a hexadecimal value. | print /x x |
Auto-Display Variable Value | Display a variable automatically when program stops. | display x |
List Source Code | List source code around the current line. | list, list 42 or list main |
Print Specific Register | Print the value of a specific register. | print $rax or print $rbx |
Inspect Registers | Display the contents of CPU registers. | info registers |
Inspect Local Variables | Show local variables in the current function. | info locals |
Show Stack Contents | View current stack information. | info stack |
Memory Inspection
Memory can be inspected using the x command, followed by a slash and the number of units to display. A format modifier and a unit size can then be supplied.
x/<count><format><size> <address>
The table below lists some common format modifiers.
Modifier | Description | Example Usage |
---|---|---|
x | Hexadecimal | x/16x 0x7fffffffe000 — 16 hexadecimal values |
d | Signed decimal | x/16d 0x7fffffffe000 — 16 signed decimal values |
u | Unsigned decimal | x/16u 0x7fffffffe000 — 16 unsigned decimal values |
o | Octal | x/16o 0x7fffffffe000 — 16 octal values |
t | Binary | x/16t 0x7fffffffe000 — 16 binary values |
f | Floating-point | x/16f 0x7fffffffe000 — 16 floating-point values |
a | Address (pointer) | x/16a 0x7fffffffe000 — 16 pointer addresses |
i | Instruction (disassemble) | x/16i 0x7fffffffe000 — 16 disassembled instructions |
Memory can be examined using a direct address, or via a register. For example, x/4xw $rsp will inspect memory at the stack pointer.
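To show how the count, format and size fields combine, the following added Python example (not part of the original cheat sheet, and not GDB's own code) decodes a constructed 16-byte buffer the way x/4xw, x/8xb and x/2xg would on a little-endian target. The helper names, the sample bytes and the defaults for omitted fields are assumptions of the example; b, h, w and g are GDB's 1, 2, 4 and 8-byte unit sizes.

```python
import re
import struct

# GDB unit-size letters: b = 1 byte, h = 2 (halfword), w = 4 (word), g = 8 (giant).
SIZES = {"b": 1, "h": 2, "w": 4, "g": 8}
UNSIGNED = {1: "B", 2: "H", 4: "I", 8: "Q"}  # struct codes per unit size
SIGNED = {1: "b", 2: "h", 4: "i", 8: "q"}
# Only the integer formats are handled, written as format letter then size letter.
SPEC = re.compile(r"^x/(\d*)([xduot]?)([bhwg]?)$")


def parse_spec(spec):
    """Split a spec such as 'x/4xw' into (count, format, unit size in bytes)."""
    m = SPEC.match(spec)
    if not m:
        raise ValueError(f"unsupported x spec: {spec!r}")
    count, fmt, size = m.groups()
    # Assumed defaults for omitted fields: count 1, hex, 4-byte words.
    # (In a live session GDB instead reuses the last format and size given.)
    return int(count or 1), fmt or "x", SIZES[size or "w"]


def examine(spec, memory, base, addr, little_endian=True):
    """Render `memory` (bytes mapped at `base`) the way the x command would."""
    count, fmt, size = parse_spec(spec)
    start = addr - base
    if start < 0 or start + count * size > len(memory):
        raise ValueError("read outside the sample buffer")
    code = (SIGNED if fmt == "d" else UNSIGNED)[size]
    order = "<" if little_endian else ">"
    values = struct.unpack_from(f"{order}{count}{code}", memory, start)
    render = {
        "x": lambda v: f"0x{v:0{size * 2}x}",   # zero-padded to the unit width
        "d": str,
        "u": str,
        "o": lambda v: f"0{v:o}" if v else "0",
        "t": lambda v: f"{v:0{size * 8}b}",
    }[fmt]
    return [render(v) for v in values]


# Constructed sample: 16 bytes standing in for memory at a stack address.
BASE = 0x7FFFFFFFE000
STACK = b"ABCD" + bytes.fromhex("efbeadde" "ffffffff" "00000000")

if __name__ == "__main__":
    for spec in ("x/4xw", "x/8xb", "x/2xg", "x/4dw"):
        print(f"{spec:7} {' '.join(examine(spec, STACK, BASE, BASE))}")
```

The same four bytes "ABCD" appear as 0x41 0x42 0x43 0x44 with the b size but as 0x44434241 with the w size, which is the byte-order effect to keep in mind when reading addresses and padding out of a stack dump.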
Core Dump and Multi-Threading
Command | Description | Example |
---|---|---|
Start with Core Dump | Load a core dump file for debugging. | gdb ./a.out core |
Analyze Core Dump (Backtrace) | Get a backtrace to identify where the crash occurred. | backtrace |
Show Threads | Show all threads in the program. | info threads |
Switch to a Specific Thread | Switch to a thread by ID. | thread 2 |
Show Stack Trace for All Threads | Show stack trace for all threads. | thread apply all bt |
Watchpoints and Conditional Debugging
Command | Description | Example |
---|---|---|
Set Watchpoint | Set a watchpoint (break when a variable changes). | watch x |
Set Breakpoint on Address | Set a breakpoint at a specific memory address. | break *0x7fffffffe000 |
Set Conditional Breakpoint | Set a breakpoint with a condition. | break main if x > 5 |
Exploit Development Extensions
There are a number of useful extensions that can help speed up exploit development.
GEF – GDB Enhanced Features
GEF works well with multiple architectures, including MIPS and ARM64. It can be installed with the following command, which downloads the installer script and runs it with bash:
bash -c "$(curl -fsSL https://gef.blah.cat/sh)"
PEDA – Python Exploit Development Assistance for GDB
Unfortunately, this doesn’t appear to have been maintained in a while, although it can still come in handy. PEDA can be installed with the following commands.
git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"
pwndbg
Pwndbg is probably the most commonly used and feature-rich exploit development environment. It can be installed using the following commands.
git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh