GDB/GEF

root@rev:~$ gdb ./{executable}
gef> info func
 * this lists the functions gdb knows about (user-defined ones when symbols are present)
 * most malware doesn't have debug symbols turned on
	   
gef> break * main
 * to find and stop at main, the entry point
	- this will grab the address of main and break there
	- b means breakpoint or break
	- the * means treat main as an address: break at the exact address where main starts
		
		
gef> CTRL+L clears the screen
gef> info breakpoint
 * this cmd lists the breakpoints that are set and shows whether each is enabled
 
gef> disable #
 * this will disable the breakpoint but won't discard it
gef> info breakpoint
 * display the breakpoint list again; the disabled one is still listed
 
gef> enable #
 * re-enable a breakpoint that was disabled but not discarded
gef> info breakpoint
gef> run
 * this will execute the program and stop at the first enabled breakpoint it reaches (the sample really runs, so do this inside the isolated analysis VM)

# remove clutter
gef> gef config
 * this will display gef's current configuration
context.layout (str) = "- legend regs stack code args -source memory -threads -trace -extra"

gef> gef config context.layout
 * this will display just that one setting
 
#modify to match instructor
gef> gef config context.layout
 * the reason the instructor removed "source" is so the student doesn't get into the habit of relying on it. real malware doesn't come with source, so it is best to learn by doing without it!
    - any section prefixed with a - is hidden from the dashboard

gef> gef config context.layout "-legend regs stack code args -source memory -threads -trace -extra"
gef> gef save

gef> ctx
 * this is short for context
 
gef> disass
 * get a better idea of what the code looks like
    - this displays the disassembly of the function containing the current instruction
	
	
#stepping through instructions
gef> si
 * this will single-step the program one machine instruction at a time




#setting a breakpoint at an address
gef> break * {0x000055555555165}
 breakpoint 2 at xxxxxxxxx: file 10 printf_8args_x64.c, line 7
gef> info breakpoint
 1 ...
 2 ...

 * ALT: gef> break *main+48
    - the +48 offset sets the breakpoint 48 bytes past the start of main
	gef> info breakpoint

 
gef> context help
 * display options
gef> context regs
 * display the register window
 
 
gef> continue   // or c
gef> disass
gef> finish
 * run until the current function returns, then stop in the caller
 
gef> info regs $rax
 * display rax, which holds the value printf returned
 
gef> next
 * this steps over a function call you don't care about instead of stepping into it
 
  * gef color-codes its output, which makes the context easier to read
