GDB/GEF
Last updated
root@rev:~$ gdb ./{executable}
gef> info func
* this lists the functions GDB knows about (user-defined functions, etc.)
* most malware is not built with debug symbols, so expect far less to show up here
gef> break * main
* to find the main or entry point
- this sets a breakpoint at the address of main
- b is short for break (breakpoint)
- the * means treat main as an address rather than a source location
gef> CTRL+L clears the screen
gef> info breakpoint
* this cmd displays the breakpoints that are set and whether each one is enabled
gef> disable #
* this disables breakpoint number # but keeps it in the list (it is not discarded)
gef> info breakpoint
* displays the live breakpoints again
gef> enable #
* re-enables a breakpoint that was disabled but not discarded
gef> info breakpoint
gef> run
* this will execute the program and stop at any enabled breakpoint
# remove clutter
gef> gef config
* this will display the configuration file for gef
context.layout (str) = "- legend regs stack code args -source memory -threads -trace -extra"
gef> gef config context.layout
* this will display just that one setting
# modify to match the instructor's layout
gef> gef config context.layout
* the reason he removed "source" is so the student doesn't get into the habit of relying on it: real malware doesn't come with source, so it is best to learn from doing!
- anything prefixed with a - is removed from the dashboard
gef> gef config context.layout "-legend regs stack code args -source memory -threads -trace -extra"
gef> gef save
gef> ctx
* this is short for context
gef> disass
* get a better idea of what the code looks like
- this shows the disassembly of the current function
#stepping through instructions
gef> si
* this will single-step through the program one instruction at a time
#setting a breakpoint at an address
gef> break *{0x000055555555165}
breakpoint 2 at xxxxxxxxx: file 10 printf_8args_x64.c, line 7
gef> info breakpoint
1 ...
2 ...
* ALT: gef> break *main+48
- in this cmd, the +48 offset sets the breakpoint 48 bytes past the start of main
gef> info breakpoint
gef> context help
* display options
gef> context regs
* display the register window
gef> continue // or c
gef> disass
gef> finish
* run until the current function returns (end of function)
gef> info registers rax
* display the value printf returned in rax
gef> next
* this will step over a function call that you don't care about
* gef color-codes the output, which makes it much easier to read
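The same workflow can be replayed non-interactively, which is handy when you want a repeatable trace log of a sample instead of typing each command. The script below is an added example (not part of the original notes): it writes a GDB command file reproducing the steps above and runs it in batch mode. It assumes GEF is loaded from ~/.gdbinit and that the sample path and the +48 offset are placeholders you pick.

```shell
#!/bin/sh
# Added example: script the GDB/GEF workflow from the notes so it can be
# replayed with `gdb -q -batch -x trace.gdb ./sample` and logged to a file.
# Assumptions: GEF is loaded via ~/.gdbinit; the offset and sample are placeholders.

# gen_gdb_script <output-file> <offset-from-main>
gen_gdb_script() {
    out="$1"
    off="${2:-48}"
    cat > "$out" <<EOF
# trim the dashboard to what the notes keep (no legend, source, threads, trace, extra)
gef config context.layout "-legend regs stack code args -source memory -threads -trace -extra"
# stop at the address of main (*main = address, not a source line)
break *main
run
# second breakpoint at a fixed offset into main, then continue to it
break *main+$off
info breakpoints
continue
disassemble
# run until the current function returns, then look at the value in rax
finish
info registers rax
# a couple of single instruction steps, then redraw the GEF context
si
si
ctx
EOF
}

# run_trace <sample> <log>: run the generated script in batch mode if gdb exists
run_trace() {
    sample="$1"
    log="$2"
    gen_gdb_script /tmp/trace.gdb 48
    if command -v gdb >/dev/null 2>&1; then
        gdb -q -batch -x /tmp/trace.gdb "$sample" > "$log" 2>&1
    else
        echo "gdb not installed; command file written to /tmp/trace.gdb" > "$log"
    fi
}
```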