GDB/GEF
The GNU Debugger is widely used for analyzing and debugging compiled programs in C, C++, and other languages. It allows you to load a program, run it step by step, set breakpoints, inspect variables, examine memory, and modify program state at runtime. GDB is powerful but often verbose and not very user-friendly in its raw form.
GEF (GDB Enhanced Features) is a plugin for GDB that improves usability by adding a modern interface, context-aware displays, and shortcuts tailored for exploit development and reverse engineering. With GEF, you get real-time views of registers, the stack, and memory mappings, as well as built-in commands for common tasks like searching memory, analyzing heap structures, or visualizing function calls. Together, GDB and GEF provide a robust environment for both traditional debugging and offensive security research, combining low-level control with enhanced visualization and workflow efficiency.
INSTALLATION
GDB
PACKAGE
//GDB
root@dev:~$ sudo apt update
root@dev:~$ sudo apt search gdb
root@dev:~$ sudo apt install gdb
SOURCE
root@dev:~$ sudo apt update
root@dev:~$ sudo apt install build-essential texinfo libgmp-dev libmpfr-dev libmpc-dev python3-dev
root@dev:~$ curl -O https://sourceware.org/pub/gdb/releases/gdb-16.3.tar.gz
root@dev:~$ tar -xzf gdb-16.3.tar.gz
root@dev:~$ cd gdb-16.3
root@dev:~$ mkdir build && cd build
root@dev:~$ ../configure
root@dev:~$ make CXXFLAGS="-static-libstdc++" -j$(nproc)
root@dev:~$ sudo make install
root@dev:~$ gdb --version
* use /usr/local/bin/gdb to call the newest version of gdb
UPDATE ALTERNATIVE
update-alternatives is a Debian and Ubuntu system tool that manages multiple versions of the same command or application in a clean, flexible way. Instead of manually overwriting binaries, it uses a system of symbolic links that point to the active version of a program, while still keeping other versions installed and available. Each alternative is assigned a priority, and the one with the highest priority is chosen automatically unless the user explicitly selects a different one. This is especially useful when multiple versions of tools like gdb, java, or python coexist on a system, since it lets you switch between them without breaking packages or needing to uninstall older versions. By running sudo update-alternatives --config <name>, you can interactively pick which version should be the default, while still being able to call other versions directly from their full path.
#verify both versions exist
root@dev:~$ /usr/bin/gdb --version
root@dev:~$ /usr/local/bin/gdb --version
#register both versions
root@dev:~$ sudo cp /usr/bin/gdb /usr/bin/gdb-9
* this makes a backup copy of version 9
root@dev:~$ sudo mv /usr/bin/gdb /usr/bin/gdb-bak
root@dev:~$ sudo update-alternatives --install /usr/bin/gdb gdb /usr/bin/gdb-9 10
root@dev:~$ sudo update-alternatives --install /usr/bin/gdb gdb /usr/local/bin/gdb 20
* the last number (10 vs 20) is the priority — higher wins by default.
- here, /usr/local/bin/gdb (v16.3) will automatically be chosen as the default.
#pick a version to use
root@dev:~$ sudo update-alternatives --config gdb
* After this, /usr/bin/gdb will be a symlink managed by update-alternatives, pointing to whichever version was selected.
root@dev:~$ gdb --version
root@dev:~$ which gdb
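The priority rule described above can be checked mechanically against what update-alternatives --query gdb reports. The following is an added example and not part of the original notes: the two SAMPLE_* strings are constructed to mirror the shape of that report for the two --install lines above, and the helper functions are hypothetical names, not update-alternatives options.

```sh
#!/bin/sh
# Added example (not part of the original notes): read the report that
# `update-alternatives --query gdb` prints and work out which alternative
# the priority rule selects, then compare it with the link target in use.
# The two SAMPLE_* strings are constructed here to mirror that report's
# shape; on a real machine pass "$(update-alternatives --query gdb)" instead.

# Constructed: auto mode, right after the two --install commands above.
SAMPLE_AUTO='Name: gdb
Link: /usr/bin/gdb
Status: auto
Best: /usr/local/bin/gdb
Value: /usr/local/bin/gdb

Alternative: /usr/bin/gdb-9
Priority: 10

Alternative: /usr/local/bin/gdb
Priority: 20'

# Constructed: someone ran --config and pinned the packaged version 9.
SAMPLE_PINNED='Name: gdb
Link: /usr/bin/gdb
Status: manual
Best: /usr/local/bin/gdb
Value: /usr/bin/gdb-9

Alternative: /usr/bin/gdb-9
Priority: 10

Alternative: /usr/local/bin/gdb
Priority: 20'

# Highest-priority alternative: the one auto mode points /usr/bin/gdb at.
best_alternative() {
  printf '%s\n' "$1" | awk '
    /^Alternative:/ { alt = $2 }
    /^Priority:/    { p = $2 + 0; if (best == "" || p > max) { max = p; best = alt } }
    END             { print best }'
}

# Path the managed symlink currently resolves to ("Value:" line).
active_alternative() {
  printf '%s\n' "$1" | awk '/^Value:/ { print $2 }'
}

# "auto" or "manual" ("Status:" line).
alternative_mode() {
  printf '%s\n' "$1" | awk '/^Status:/ { print $2 }'
}

# Succeeds when the active target is the highest-priority one, i.e. a plain
# `gdb` launches the newest build; fails when an older version has been pinned.
active_is_best() {
  [ "$(active_alternative "$1")" = "$(best_alternative "$1")" ]
}

# Human-readable summary, e.g. for a post-install check.
report() {
  printf 'mode=%s active=%s best=%s\n' \
    "$(alternative_mode "$1")" "$(active_alternative "$1")" "$(best_alternative "$1")"
  if active_is_best "$1"; then
    echo "ok: gdb resolves to the highest-priority alternative"
  else
    echo "note: an older alternative is pinned; run: sudo update-alternatives --auto gdb"
  fi
}
```

On a real system, report "$(update-alternatives --query gdb)" after the --install steps tells you whether a bare gdb will launch the v16.3 build or a version someone pinned earlier with --config.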
GEF
# via the install script
## using curl
root@dev:~$ bash -c "$(curl -fsSL https://gef.blah.cat/sh)"
## using wget
root@dev:~$ bash -c "$(wget https://gef.blah.cat/sh -O -)"
# or manually
root@dev:~$ wget -O ~/.gdbinit-gef.py -q https://gef.blah.cat/py
root@dev:~$ echo source ~/.gdbinit-gef.py >> ~/.gdbinit
# or alternatively from inside gdb directly
root@dev:~$ gdb -q
(gdb) pi import urllib.request as u, tempfile as t; g=t.NamedTemporaryFile(suffix='-gef.py'); open(g.name, 'wb+').write(u.urlopen('https://tinyurl.com/gef-main').read()); gdb.execute('source %s' % g.name)
* gef will be loaded automatically whenever gdb is run
RUNNING GDB
By default, GDB displays disassembled x86/x86_64 instructions in AT&T syntax, which places the source operand before the destination, uses % prefixes for registers, and $ prefixes for immediate values. While this syntax is standard in many Unix/Linux tools, Intel syntax, which is widely used in Windows debugging and exploit development, places the destination before the source and omits these prefixes. GDB allows you to switch between the two with the command set disassembly-flavor intel for Intel syntax or set disassembly-flavor att to revert to AT&T. Changing the disassembly flavor can make debugging and reverse engineering easier, especially when following tutorials or working with Intel-focused documentation.
CHANGING DISPLAY SYNTAX: TEMPORARY
root@dev:~$ gdb -q ./{programName}
(gdb) set disassembly-flavor {intel | att}
CHANGING DISPLAY SYNTAX: PERMANENT
root@dev:~$ echo 'set disassembly-flavor intel' >> ~/.gdbinit
* use >> (append) rather than > so the source ~/.gdbinit-gef.py line added during the GEF install is not overwritten
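Making the setting permanent touches the same ~/.gdbinit that the manual GEF install writes its source line into, so the edit should append idempotently rather than replace the file. The following is an added example and not part of the original notes: GDBINIT is a hypothetical override variable so the helpers can be pointed at a scratch file, and the function names are illustrative.

```sh
#!/bin/sh
# Added example (not part of the original notes): make a GDB setting
# permanent without clobbering the rest of ~/.gdbinit. Redirecting with a
# single '>' replaces the whole file, which silently drops the
# 'source ~/.gdbinit-gef.py' line that the manual GEF install adds.
# GDBINIT is a hypothetical override so the helpers can be pointed at a
# scratch file instead of the real ~/.gdbinit.

: "${GDBINIT:=$HOME/.gdbinit}"

# Append a line only if an identical line is not already present
# (idempotent, so re-running an install script never duplicates settings).
ensure_gdbinit_line() {
  line=$1
  touch "$GDBINIT"
  if grep -qxF -- "$line" "$GDBINIT"; then
    return 0
  fi
  printf '%s\n' "$line" >> "$GDBINIT"
}

# Set the disassembly flavor permanently: reject unknown values, remove any
# earlier flavor line so intel and att never both remain, then append.
set_permanent_flavor() {
  flavor=$1
  case "$flavor" in
    intel|att) ;;
    *) echo "unknown disassembly flavor: $flavor (expected intel or att)" >&2; return 1 ;;
  esac
  touch "$GDBINIT"
  tmp="$GDBINIT.tmp.$$"
  # grep exits 1 when no lines are left, which is not an error here
  grep -v '^set disassembly-flavor ' "$GDBINIT" > "$tmp" || :
  mv "$tmp" "$GDBINIT"
  ensure_gdbinit_line "set disassembly-flavor $flavor"
}

# Number of lines in the file matching a regex; used to confirm that
# unrelated lines (such as the GEF source line) survived the change.
gdbinit_count() {
  grep -c -- "$1" "$GDBINIT" 2>/dev/null || :
}
```

Running set_permanent_flavor intel twice leaves exactly one flavor line, switching to att replaces it instead of adding a second, and an existing source ~/.gdbinit-gef.py line is left untouched, which is what the single-line echo cannot guarantee.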
REMNUX VERSION
root@dev:~$ gdb -q ./{binaryFilename}
* -q runs in quiet mode
- it suppresses the startup messages (like version, copyright, etc.)
UPDATED VERSION
root@dev:~$ /usr/local/bin/gdb -q ./{binaryFilename}
* -q runs in quiet mode