Reprinted from: https://www.jianshu.com/p/7a06b0bda2d8
Commissioning and use of gdb
This should be a summary of the most detailed I've ever seen gdb debugging guidelines, and the blogger is a very strong person, on his blog Meng new more friendly, I always think that they can have their own powerful learned perfect who expressed the strongest
1. Debugging keyboard shortcuts
Peda functions with direct input commands, which will give tips (If not, the command can be basically without parameters). Here do not introduced
1.1 based debugging shortcuts
- s step, si into
- ni next instruction into n
- b breakpoint somewhere, can be used
- b * adrress
- b function_name
- View info b breakpoint information
- delete 1 delete the first breakpoint
- c Continue
- r execution
- disas addr before and after viewing the disassembled code at addr, may also be a function name
1.2 Display Data
- p series
- p system / main display address is a function
- p $ esp display register
- p/x p/a p/b p/s。。。
- p 0xff - 0xea Calculator
- print & VarName view the variable address
- p * 0xffffebac view the value of an address at
- p system / main display address is a function
- x series
- x / xw addr hex display the contents of an address at the start, if the symbol table is loaded symbol table
- x / x $ esp See esp register values
- x / s addr view string at addr
- x / b addr see the characters at addr
- x / i addr disassembly view results at addr
- Series info
- info register $ ebp ebp register to view the contents of the (abbreviated as ir ebp)
- Check the status register ir eflags
- ir ss View segment register
- ib see breakpoint information
- i functions to view all functions
- disas addr addr at the front and rear view of the disassembled code
- View 20 value stack 20 in the stack
- show args parameter View
- vmmap view the map with the situation peda
- readelf View peda start address of each segment with an elf file
- parseheap show heap status with peda
1.3 Finding Data
- find search string with peda
- searchmem search string with peda
- ropsearch "xor eax, eax; ret" 0x08048080 0x08050000 look with a certain period of rop peda
- ropgadget provide more pop | ret feasible with the results peda
1.4 modify the data
- set $ esp = 0x110 modified register value
- set * 0xf7ff3234 = 0x08042334 modification value memory
- set args "asdasg" "afdasgasg" "agasdsa" are assigned to the parameters 1,2,3
- args the SET "
python -c 'print "1234\x7f\xde"'" This parameter using python script rewrite a little, some characters can not be set correctly to avoid - r "arg1" "arg2" "arg3" set parameters
- run
$(perl -e 'print "A"x20')
1.5 peda plug
Enhance the display of gdb: colorize and display disassembly codes, registers, memory information during debugging.
Add commands to support debugging and exploit development (for a full list of commands use peda help):
aslr -- Show/set ASLR setting of GDB
checksec -- Check for various security options of binary
dumpargs -- Display arguments passed to a function when stopped at a call instruction
dumprop -- Dump all ROP gadgets in specific memory range
elfheader -- Get headers information from debugged ELF file
elfsymbol -- Get non-debugging symbol information from an ELF file
lookup -- Search for all addresses/references to addresses which belong to a memory range
patch -- Patch memory start at an address with string/hexstring/int
pattern -- Generate, search, or write a cyclic pattern to memory
procinfo -- Display various info from /proc/pid/
pshow -- Show various PEDA options and other settings
pset -- Set various PEDA options and other settings
readelf -- Get headers information from an ELF file
ropgadget -- Get common ROP gadgets of binary or library
ropsearch -- Search for ROP gadgets in memory
searchmem|find -- Search for a pattern in memory; support regex search
shellcode -- Generate or download common shellcodes.
skeleton -- Generate python exploit code template
vmmap -- Get virtual mapping address ranges of section(s) in debugged process
xormem -- XOR a memory region with a key
Installationvmmap: view the current program blocks of memory mapped
dumprop:
2. Find a plt, got, plt_2
- plt pwntools can be used directly in the ELF (elf) .symbols (function_name)
- pwntools got can be used directly in the ELF (elf) .got (function_name)
- plt_2 pwntools can be used directly in the ELF (lib) .symbols (function_name)
3. Find the program dynamic-link libraries
- file pwn3
- pwn3: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=916959406d0c545f6971223c8e06bff1ed9ae74d, not stripped
- checksec pwn3
- [*] '/root/Desktop/Pwnable/fmt/normal/fmt_string_write_got/pwn3'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
- [*] '/root/Desktop/Pwnable/fmt/normal/fmt_string_write_got/pwn3'
- ldd pwn3
- linux-gate.so.1 (0xf77ad000)
libc.so.6 => /lib32/libc.so.6 (0xf75d2000)
/lib/ld-linux.so.2 (0x56601000)
- linux-gate.so.1 (0xf77ad000)
4. Compile 32 executables
gcc -m32 test.c -o test
- Generally in this case 32-bit destination file, and can not generate debug information
gcc -m32 -g test.c -o test
The goal is to generate 32-bit files, and may utilize the operating system "native format (native format)" to generate debug
information. GDB can directly use this information, other debugger can also use this debugging information
Open other protection status, refer to the common protection mechanisms linux program
5. After debugging turned on PIE
After the open PIE, will address has been changed, which is not conducive to the gdb debugger, so that we should shut down the local ASLR
Commonly used methods are: echo 0> / proc / sys / kernel / randomize_va_space
Open way: echo 2> / proc / sys / kernel / randomize_va_space
6. runtime execution View Files
Do a question, when you do not execute, only to find the relative address, but the actual execution breakpoint required address. If you turn off PIE, then each will address the implementation of the same, this time on the need to find the start address of execution. peda common instruction has vmmap, you can find the actual address.
This question is very troubling is that, if you do run gdb, then will fall into the cycle can not be used vmmap, if forced to end, finally vmmap error. This time, there are a number of other ways:
- Execution ./pwn &, this time will pwn program into the background, and you can quickly know the PID of this program, this time the cat / proc / pwn the PID / maps, will be able to find an address corresponding to execution. After the kill PID -9 pwn
- Write a little script, any place a breakpoint, and open the gdb debugger, breakpoints will collapse this time, but gdb-peda used vmmap can still find the corresponding address