Posted on

Ultimate gdb cheat sheet

Hello boys and girls, today I will be sharing with you my cheat sheet for gdb. Hope that you will find it useful 🙂

First thing that you need to know about gdb commands is that for every word you would like to write in gdb terminal, you can type just the first few letters of it as long as it is the only word that starts like that. Use tab a lot for auto complete and always expend your cheat sheet.

Starting a debug session

start a new process (paused) with gdb attached
gdb ./binary_name
(inside gdb terminal) r/run will start the process.
attach to a by PID get debug symbols from bin_path(optional)
gdb -p <PID> <bin_path> 
will run the commands in gdbinit as gdb commands. similar to .bashrc but for gdb.
gdb -x gdbinit

basic commands

s - step (step into instruction)
si - step instruction
n - next line (step over instruction)
ni - next instruction
c - continue running the program 

p - print a variable or a register. 
    Use the same formatting as x command

i r l - info register list (prints list of registers)
i proc maps - prints a list of loaded binaries and their load addresses
info register eax - print eax

u - run until the line is greather the current line.
    good for exiting loops

fin/finish - run until a return from this function.

 Break Points

b * 0x1337 - break at an address.
b * function_name - break at function_name
b file_name:line - break at a cretine line in a file.
del break point number
del - deletes all breakpoints
i b - info breakpoint. list of breakpoints

Examining memory (de-referencing pointers)

x - print memory
x/w - print as a word (4 bytes)
x/d - print intiger
x/x - print as hex
x/i - print as instruction 
x/s - print as string
x/c - print as char
x/10s - print 10 strings

for example:
x/10s $eax - will print $eax as an array of 10 strings
x/10wx $eax - will print $eax as an array of 10 hex-words

for double deference we use casting
x/x * (int*) $eax - prints $eax as a pointer to pointer to int.

Disassemble

x/10i address - disassemble 10 instructions starting from address.
diss - disassmble current function.

 The gdbinit file

After forks, the debugger will stay with the child process and not the parent.

set follow-fork-mode child
Show Assembly in inel flavor (like you would expect after working with ida)
set disassembly-flavor intel
Show the 5 next opcodes every time the debugger stops.
display/5i $pc

Advanced shit

connects to a running process by name. run the commands in ./gdbinit. Usually I have a bash script (connect.sh) with this long line for each research project I am working on.

set -- `ps -ef | grep binary_name | grep -v defunct | head -n 1`;  gdb -x ./gdbinit --pid $2

Search for a  value in a memory range

find/<size> start_address + len, value

Add a watchpoint for an expression (program will stop every time expression changes.)

watch <expression>