Comprehensive GDB with GEF Practical Reference: A Reverse Engineering and Exploitation Guide
Abstract
This comprehensive practical reference presents an exhaustive analysis of GNU Debugger (GDB) enhanced with GEF (GDB Enhanced Features) for advanced reverse engineering, exploit development, and dynamic binary analysis. We examine eighteen primary debugging categories across multiple architectures, providing detailed implementation examples, exploitation strategies, and detection evasion techniques. This manual serves as both theoretical foundation and practical implementation guide for security researchers, exploit developers, and reverse engineers.
1. Introduction
GDB with GEF constitutes the foundational toolset for modern reverse engineering and exploit development workflows. This enhanced debugging environment provides comprehensive dynamic analysis capabilities, memory inspection tools, and exploitation assistance features that transform the traditional GDB experience into a powerful security research platform.
1.1 GEF Architecture Overview
GEF operates as a Python-based enhancement layer over GDB, providing:
- Enhanced Interface: Modern, colorized output with comprehensive context information
- Architecture Agnostic: Support for x86/64, ARM, MIPS, PowerPC, and SPARC architectures
- Heap Analysis: Advanced heap inspection and exploitation assistance tools
- Memory Mapping: Comprehensive memory layout visualization and analysis
- Exploitation Assistance: Built-in tools for pattern generation, ROP gadget search, and shellcode analysis
1.2 Debugging Methodology Classification
GDB/GEF debugging methodologies can be systematically categorized into eight primary classes:
- Static Analysis: Binary inspection, function enumeration, and symbol analysis
- Dynamic Analysis: Runtime execution control, breakpoint management, and flow analysis
- Memory Analysis: Stack, heap, and memory mapping inspection
- Exploitation Development: ROP chain construction, shellcode testing, and vulnerability research
- Architecture-Specific: Platform-dependent debugging and analysis techniques
- Heap Exploitation: Glibc heap analysis, bin inspection, and corruption detection
- Format String Analysis: Format string vulnerability detection and exploitation
- Advanced Techniques: Remote debugging, process attachment, and automation
1.3 Tool Effectiveness Matrix
| Category | Commands | Architecture Support | Update Frequency | Analysis Depth | Learning Curve |
|---|---|---|---|---|---|
| Basic Debugging | 45+ | All Supported | Stable | High | Low |
| Memory Analysis | 25+ | All Supported | Frequent | Very High | Medium |
| Heap Exploitation | 15+ | x86/64, ARM | Frequent | Very High | High |
| Code Analysis | 20+ | All Supported | Stable | High | Medium |
| Exploitation Tools | 30+ | All Supported | Frequent | Very High | High |
| Architecture Specific | 40+ | Platform Dependent | Stable | High | Medium |
2. Installation and Environment Setup
The following commands assume you have appropriate system permissions and network connectivity. Substitute all placeholder values with those specific to your environment.
2.1 GEF Installation Methods
# Automated installation (recommended)
bash -c "$(curl -fsSL https://gef.blah.cat/sh)"
# Alternative wget method
bash -c "$(wget https://gef.blah.cat/sh -O -)"
# Manual installation
wget -O ~/.gdbinit-gef.py -q https://gef.blah.cat/py
echo source ~/.gdbinit-gef.py >> ~/.gdbinit
# Installation verification
gdb -q
# Should display GEF banner and prompt
# Direct installation from GDB
gdb -q
(gdb) pi import urllib.request as u, tempfile as t; g=t.NamedTemporaryFile(suffix='-gef.py'); open(g.name, 'wb+').write(u.urlopen('https://tinyurl.com/gef-main').read()); gdb.execute('source %s' % g.name)
2.2 Environment Configuration
# GEF configuration management
gef config # Show all configuration options
gef config context.layout # Show current layout settings
gef config context.nb_lines_stack 10 # Set stack display lines
gef config context.nb_lines_code 5 # Set code display lines
gef config context.nb_lines_backtrace 3 # Set backtrace lines
# Theme and appearance customization
gef config theme.default_title_line "bright_red"
gef config theme.registers_register_name "blue"
gef config theme.dereference_string "yellow"
gef config theme.heap_chunk_size "green"
# Performance optimization
gef config context.redirect "/tmp/gef.txt" # Redirect context to file
gef config context.clear_screen False # Disable screen clearing
gef config glibc.main_arena 0x7ffff7e19b80 # Set manual arena address
2.3 Multi-Architecture Support
# ARM binary debugging setup
gdb-multiarch ./arm_binary
(gdb) set architecture arm
(gdb) set endian little
# MIPS binary analysis
gdb-multiarch ./mips_binary
(gdb) set architecture mips
(gdb) set endian big
# PowerPC debugging configuration
gdb-multiarch ./ppc_binary
(gdb) set architecture powerpc:common64
(gdb) set endian big
# Cross-compilation for testing
arm-linux-gnueabi-gcc -g -o arm_test test.c
mips-linux-gnu-gcc -g -o mips_test test.c
3. Basic GDB Operations with GEF Enhancement
Replace binary names, addresses, and symbols with your specific analysis targets. Ensure proper compilation flags for optimal debugging experience.
3.1 Binary Loading and Initial Analysis
# Load binary with enhanced information display
gdb ./target_binary
(gdb) file ./target_binary # Load binary file
(gdb) info file # Display file information
(gdb) info functions # List all functions
(gdb) info variables # List global variables
(gdb) info sources # List source files
# GEF-enhanced binary analysis
gef> checksec # Security mechanisms analysis
gef> info proc mappings # Memory mapping display
gef> vmmap # Enhanced memory map
gef> entry-break (alias start) # Find and break at the most obvious entry point
gef> got # Global Offset Table analysis
3.2 Enhanced Execution Control
# Program execution with GEF context
gef> start # Start with initial breakpoint
gef> run arg1 arg2 # Run with arguments
gef> continue # Continue execution
gef> kill # Kill current process
gef> quit # Exit GDB
# Advanced execution control
gef> finish # Execute until function return
gef> until # Execute until line number
gef> jump *0x400080 # Jump to specific address
gef> call function_name() # Call function directly
gef> return 42 # Force function return value
3.3 Enhanced Context Display
# Context information display
gef> context # Show full context
gef> context reg # Show only registers
gef> context stack # Show only stack
gef> context code # Show only code
gef> context mem # Show only memory
# Context customization
gef> gef config context.layout "legend regs stack code args memory"
gef> gef config context.nb_lines_stack 20
gef> gef config context.nb_lines_code 10
gef> gef config context.follow_child True
4. Advanced Memory Analysis
Adjust memory addresses, register names, and data types based on your target architecture and analysis requirements.
4.1 Memory Inspection and Manipulation
# Enhanced memory examination
gef> x/20gx $rsp # Examine 20 quad-words from stack pointer
gef> x/s 0x400000 # Examine string at address
gef> x/i $rip # Examine instruction at RIP
gef> telescope 0x7fffffffde00 # Enhanced memory telescope view
gef> telescope $rsp 50 # Telescope 50 entries from stack
# Memory searching capabilities
gef> search-pattern "password" # Search for string pattern
gef> search-pattern 0x41414141 # Search for hex pattern
gef> grep "main" $rsp $rsp+0x1000 # Search in memory range
gef> xor-memory display $rsp 32 # XOR decode memory region
# Memory modification
gef> set *0x601040 = 0x4141414141414141 # Set memory value
gef> patch byte 0x400080 0x90 # Patch single byte (NOP)
gef> patch string 0x400000 "AAAA" # Patch string value
gef> patch qword $rsp 0x1234567890abcdef # Patch quad-word
4.2 Register Analysis and Manipulation
# Enhanced register display
gef> registers # Show all registers with colors
gef> registers eax ebx ecx edx # Show specific registers
gef> info registers # Standard GDB register info
gef> info all-registers # Show all registers including FPU
# Register manipulation
gef> set $rax = 0x1337 # Set register value
gef> set $rip = 0x400080 # Modify instruction pointer
gef> set $rsp = $rsp + 8 # Adjust stack pointer
gef> print $rax # Print register value
gef> print/x $rbx # Print in hexadecimal
# Advanced register operations
gef> context reg # Register-focused context
gef> info frame # Current frame information
gef> info args # Function arguments
gef> info locals # Local variables
4.3 Stack Analysis
# Stack inspection with GEF enhancements
gef> stack # Enhanced stack display
gef> stack 20 # Show 20 stack entries
gef> backtrace # Function call backtrace
gef> bt full # Full backtrace with variables
# Stack frame analysis
gef> frame # Current frame info
gef> frame 2 # Switch to frame 2
gef> up # Move up one frame
gef> down # Move down one frame
gef> info frame # Detailed frame information
# Stack manipulation
gef> set $sp = $sp + 8 # Adjust stack pointer
gef> push 0x41414141 # Push value to stack (custom command)
gef> pop # Pop value from stack (custom command)
5. Breakpoint Management and Control Flow
Ensure breakpoint addresses and function names correspond to your specific binary analysis targets.
5.1 Enhanced Breakpoint Operations
# Basic breakpoint management
gef> break main # Break at main function
gef> break *0x400080 # Break at specific address
gef> break file.c:42 # Break at source line
gef> break function_name # Break at function
# Conditional breakpoints
gef> break main if $rax == 0x1337 # Conditional break
gef> break *0x400080 if $rdi > 100 # Address-based conditional
gef> condition 1 $rsp == 0x7fff0000 # Add condition to existing breakpoint
# Advanced breakpoint features
gef> rbreak ^main.* # Regex breakpoint
gef> awatch *0x601040 # Access watchpoint
gef> watch *0x601040 # Write watchpoint
gef> rwatch *0x601040 # Read watchpoint
# Breakpoint management
gef> info breakpoints # List all breakpoints
gef> disable 1 # Disable breakpoint 1
gef> enable 1 # Enable breakpoint 1
gef> delete 1 # Delete breakpoint 1
gef> clear main # Clear breakpoints at main
5.2 Advanced Control Flow Analysis
# Step debugging with enhanced visualization
gef> step # Step into function calls
gef> stepi # Step single instruction
gef> next # Step over function calls
gef> nexti # Next instruction (step over)
# Advanced stepping
gef> advance *0x400080 # Advance to specific address
gef> advance main+50 # Advance to offset in function
gef> until # Execute until current line
gef> reverse-stepi # Reverse step (if supported)
# Flow control visualization
gef> context code # Enhanced code context
gef> disassemble main # Disassemble function
gef> disassemble $rip $rip+50 # Disassemble from current location
gef> cf # Control flow analysis
5.3 Exception and Signal Handling
# Signal handling configuration
gef> info signals # Show signal handling
gef> handle SIGSEGV stop print # Stop on segmentation fault
gef> handle SIGINT nostop # Don't stop on interrupt
gef> signal SIGUSR1 # Send signal to program
# Exception analysis
gef> catch throw # Catch C++ exceptions
gef> catch exec # Catch exec calls
gef> catch fork # Catch fork events
gef> catch syscall # Catch all system calls
gef> catch syscall write # Catch specific syscall
6. Heap Analysis and Exploitation
The following examples target glibc heap implementations. Adjust heap structure addresses and chunk sizes based on your specific target environment.
6.1 Heap Structure Analysis
# Basic heap inspection
gef> heap # Show heap information
gef> heap chunks # Display all heap chunks
gef> heap arenas # Show arena information
gef> heap bins # Display bin information
# Advanced heap analysis
gef> heap chunks --summary # Summarized chunk view
gef> heap chunks --resolve # Resolve chunk types via vtable
gef> heap chunks --min-size 32 # Filter chunks by minimum size
gef> heap chunks --max-size 128 # Filter chunks by maximum size
gef> heap chunks --count 20 # Limit output to 20 chunks
# Specific arena analysis
gef> heap set-arena 0x7ffff7e19b80 # Set specific arena
gef> heap chunk 0x602010 # Analyze specific chunk
gef> heap arenas --resolved # Show resolved arena addresses
6.2 Bin Analysis and Exploitation
# Fastbin analysis
gef> heap bins fast # Show fastbin chains
gef> heap bins tcache # Show tcache bins
gef> heap bins small # Show small bins
gef> heap bins large # Show large bins
gef> heap bins unsorted # Show unsorted bin
# Detailed bin inspection
gef> heap bins fast 0x20 # Show specific fastbin size
gef> heap bins tcache 0x30 # Show specific tcache size
gef> heap analysis # Automated heap analysis
# Exploitation assistance
gef> heap-analysis-helper # Enable heap exploitation detection
gef> heap set-arena main_arena+0x10 # Manual arena setting
gef> search-pattern 0x602010 # Search for chunk addresses
6.3 Heap Exploitation Detection
# Automated vulnerability detection
gef> heap-analysis-helper # Start heap analysis helper
gef> gef config heap-analysis-helper.check_double_free True
gef> gef config heap-analysis-helper.check_uaf True
gef> gef config heap-analysis-helper.check_weird_free True
gef> gef config heap-analysis-helper.check_free_null True
# Manual heap corruption analysis
gef> heap chunk 0x602010 # Analyze potentially corrupted chunk
gef> x/20gx 0x602010 # Manual chunk inspection
gef> heap bins # Check bin consistency
gef> search-pattern deadbeef # Search for corruption patterns
# Heap exploitation workflow
gef> break malloc # Break on allocations
gef> break free # Break on deallocations
gef> break __libc_malloc # Break on glibc malloc
gef> break __libc_free # Break on glibc free
7. Advanced Code Analysis and Disassembly
Replace function names, addresses, and instruction patterns with your specific analysis targets.
7.1 Enhanced Disassembly Operations
# Advanced disassembly with GEF
gef> disassemble main # Disassemble function
gef> disassemble $rip $rip+100 # Disassemble range
gef> context code # Code context display
gef> context code 20 # Show 20 lines of code context
# Architecture-specific disassembly
gef> set disassembly-flavor intel # Intel syntax (x86/64)
gef> set disassembly-flavor att # AT&T syntax
gef> set endian little # Little endian display
gef> set architecture i386:x86-64 # Specific architecture
# Advanced analysis features
gef> capstone-disassemble $rip 10 # Capstone engine disassembly
gef> ropper --search "pop rdi" # ROP gadget search
gef> ksymaddr # Kernel symbol addresses
gef> got # GOT table analysis
7.2 Function and Symbol Analysis
# Function analysis and navigation
gef> info functions # List all functions
gef> info functions main # Filter functions by pattern
gef> info address main # Get function address
gef> info symbol 0x400080 # Symbol at address
# Advanced symbol operations
gef> symbol-file binary.debug # Load debug symbols
gef> add-symbol-file lib.so 0x7fff0000 # Add library symbols
gef> maintenance info sections # Show all sections
gef> info sharedlibrary # Show loaded libraries
# Dynamic symbol resolution
gef> entry-point # Show entry point
gef> plt # Show PLT entries
gef> got # Show GOT entries
gef> canary # Show stack canary value
7.3 Cross-References and Code Flow
# Code reference analysis
gef> info line main # Source line information
gef> list main # Show source code
gef> directory /path/to/source # Add source directory
gef> set substitute-path /old /new # Substitute source paths
# Control flow analysis
gef> disassemble main # Function disassembly
gef> x/20i main # Instruction examination
gef> trace # Execution tracing
gef> record # Record execution for replay
8. Exploitation Techniques and Tools
Adjust payload addresses, ROP gadgets, and shellcode based on your specific exploitation scenario.
8.1 Pattern Generation and Analysis
# Pattern generation for exploitation
gef> pattern create 200 # Create 200-byte pattern
gef> pattern create 1000 file.txt # Create pattern to file
gef> pattern search # Search for pattern in registers
gef> pattern search $rsp # Search pattern at specific location
# Offset calculation
gef> pattern search 0x41414141 # Find pattern offset
gef> pattern offset 0x6141414a # Calculate exact offset
gef> pattern offset $rip # Find RIP offset
# Advanced pattern operations
gef> cyclic 200 # Alternative pattern generation
gef> cyclic -l 0x61616169 # Find cyclic pattern offset
gef> shellcode get # Get shellcode samples
8.2 ROP Chain Development
# ROP gadget discovery and analysis
gef> ropper # Start ropper integration
gef> ropper --search "pop rdi" # Search for specific gadgets
gef> ropper --search "pop rdi; ret" # Multi-instruction gadgets
gef> ropper --chain "execve" # Generate automatic chains
# Manual ROP chain construction
gef> search-pattern "pop rdi" # Search for gadgets in memory
gef> x/5i 0x400080 # Examine potential gadget
gef> rop # ROP helper command
gef> rop --search "syscall" # Search for syscall gadgets
# Stack pivot techniques
gef> ropper --search "xchg esp" # Stack pivot gadgets
gef> ropper --search "mov esp" # Alternative pivots
gef> search-pattern "leave; ret" # Function epilogue gadgets
8.3 Shellcode Analysis and Testing
# Shellcode examination and testing
gef> shellcode search x86-64 # Search shellcode database
gef> shellcode get linux/x64/exec # Get specific shellcode
gef> assemble "mov rax, 0x3b" # Assemble instructions
gef> assemble $rip "nop; nop; ret" # Assemble at location
# Shellcode injection testing
gef> set *0x601000 = 0x90909090 # NOP sled injection
gef> context mem 0x601000 100 # Monitor injected memory
gef> break *0x601000 # Break at shellcode entry
gef> stepi # Step through shellcode
# Advanced shellcode analysis
gef> capstone-disassemble 0x601000 50 # Disassemble shellcode
gef> checksec # Check binary protections
gef> aslr # ASLR status and bypass
9. Memory Protection Analysis
Configure memory protection analysis based on your target binary's security mechanisms and exploitation requirements.
9.1 Security Mechanism Detection
# Comprehensive security analysis
gef> checksec # Full security mechanism check
gef> checksec --extended # Extended security analysis
gef> canary # Stack canary analysis
gef> aslr # ASLR status and information
# Advanced protection analysis
gef> nx # NX bit status
gef> pie # PIE (Position Independent Executable)
gef> relro # RELRO protection status
gef> fortify # FORTIFY_SOURCE analysis
# Memory region permissions
gef> vmmap # Virtual memory mapping
gef> vmmap stack # Stack region analysis
gef> vmmap heap # Heap region analysis
gef> vmmap libc # Libc region analysis
gef> info proc mappings # Process memory mappings
9.2 ASLR and PIE Bypass Techniques
# ASLR analysis and bypass
gef> aslr # Check ASLR status
gef> vmmap # Analyze memory layout randomization
gef> info sharedlibrary # Library loading addresses
gef> search-pattern 0x7ffff7a0d000 # Search for library addresses
# PIE bypass strategies
gef> pie # PIE status analysis
gef> info file # Binary loading address
gef> entry-point # Entry point address
gef> got # Global Offset Table analysis
# Information leak exploitation
gef> search-pattern libc # Search for libc references
gef> telescope $rsp 50 # Stack information disclosure
gef> context mem # Memory context for leaks
9.3 Stack Protection Bypass
# Stack canary analysis and bypass
gef> canary # Show current canary value
gef> search-pattern 0x1234567890abcdef # Search for canary patterns
gef> watch *($rbp-0x8) # Watch canary location
gef> break __stack_chk_fail # Break on canary failure
# Stack overflow exploitation
gef> pattern create 1000 # Create overflow pattern
gef> info frame # Analyze stack frame
gef> x/20gx $rbp # Examine saved frame pointer
gef> x/gx $rbp+8 # Examine return address
# Advanced stack techniques
gef> search-pattern "pop rbp" # Stack frame manipulation gadgets
gef> rop --search "ret" # Return instruction gadgets
gef> ropper --search "jmp esp" # Direct stack execution
10. Format String Vulnerability Analysis
Adjust format string addresses, buffer sizes, and exploitation vectors based on your specific vulnerability research.
10.1 Format String Detection and Analysis
# Format string vulnerability detection
gef> format-string-helper # Enable format string analysis
gef> break printf # Break on printf functions
gef> break sprintf # Break on sprintf functions
gef> break fprintf # Break on fprintf functions
# Advanced format string analysis
gef> gef config format-string-helper.nb_argument 10
gef> context args # Show function arguments
gef> x/s $rdi # Examine format string (x86-64)
gef> x/s $r0 # Examine format string (ARM)
# Format string exploitation assistance
gef> telescope $rsp 20 # Stack telescope for format string
gef> pattern create 100 # Create pattern for offset calculation
gef> search-pattern 0x41414141 # Find pattern in stack
10.2 Format String Exploitation
# Information disclosure via format strings
gef> x/20gx $rsp # Examine stack for disclosure
gef> search-pattern "%x" # Search for format specifiers
gef> context stack 30 # Extended stack context
# Memory write primitives
gef> break printf # Break before printf
gef> set $rdi = 0x400000 # Modify format string pointer
gef> context args # Verify argument modification
gef> continue # Execute modified printf
# Advanced format string techniques
gef> search-pattern "GOT" # Find GOT references
gef> got # Display GOT entries
gef> plt # Display PLT entries
gef> info symbol printf # Get printf address
11. Architecture-Specific Debugging
Adjust register names, instruction sets, and calling conventions based on your target architecture.
11.1 x86/x64 Advanced Debugging
# x86/x64 specific register analysis
gef> registers # All registers with enhanced display
gef> registers eax ebx ecx edx # Specific x86 registers
gef> registers rax rbx rcx rdx # Specific x64 registers
gef> info registers eflags # Flags register analysis
# x86/x64 calling convention analysis
gef> context args # Function arguments
gef> x/gx $rdi # First argument (x64 System V)
gef> x/gx $rsi # Second argument (x64 System V)
gef> x/gx $rdx # Third argument (x64 System V)
# Advanced x86/x64 features
gef> set disassembly-flavor intel # Intel syntax
gef> disassemble /r main # Disassemble with raw bytes
gef> x/i $rip # Current instruction
gef> stepi # Single instruction step
11.2 ARM Architecture Debugging
# ARM register analysis
gef> registers # ARM registers with colors
gef> info registers # Standard ARM register info
gef> print $r0 # ARM register access
gef> print $sp # Stack pointer
gef> print $lr # Link register
gef> print $pc # Program counter
# ARM calling convention
gef> x/gx $r0 # First argument
gef> x/gx $r1 # Second argument
gef> x/gx $r2 # Third argument
gef> x/gx $r3 # Fourth argument
# ARM-specific debugging
gef> set architecture arm # Set ARM architecture
gef> set endian little # ARM endianness
gef> disassemble /r main # ARM disassembly with bytes
gef> stepi # ARM instruction stepping
11.3 MIPS Architecture Debugging
# MIPS register and debugging setup
gef> set architecture mips # Set MIPS architecture
gef> set endian big # MIPS big endian
gef> registers # MIPS registers
gef> print $v0 # MIPS return value register
gef> print $a0 # MIPS argument register
# MIPS calling convention analysis
gef> x/gx $a0 # First argument
gef> x/gx $a1 # Second argument
gef> x/gx $a2 # Third argument
gef> x/gx $a3 # Fourth argument
# MIPS-specific features
gef> disassemble main # MIPS disassembly
gef> stepi # MIPS instruction stepping
gef> info registers hi lo # MIPS multiply/divide registers
12. Process Attachment and Remote Debugging
Replace process IDs, hostnames, and port numbers with your specific debugging targets and network configuration.
12.1 Local Process Attachment
# Process identification and attachment
ps aux | grep target_process # Find target process ID
gdb -p 1234 # Attach to process ID 1234
gdb --pid=1234 # Alternative attachment syntax
# GEF-enhanced process attachment
gef> attach 1234 # Attach with GEF enhancements
gef> info proc # Process information
gef> info proc mappings # Process memory mappings
gef> vmmap # GEF enhanced memory map
# Process state analysis
gef> info threads # Thread information
gef> thread apply all bt # Backtrace all threads
gef> detach # Detach from process
gef> kill # Kill attached process
12.2 Remote Debugging Configuration
# GDBserver setup (on target machine)
gdbserver localhost:1234 ./target_binary
gdbserver 0.0.0.0:1234 ./target_binary args
gdbserver --attach localhost:1234 1234
# GDB client connection (local machine)
gdb ./target_binary
(gdb) target remote localhost:1234
(gdb) target remote 192.168.1.100:1234
(gdb) target extended-remote localhost:1234
# Remote debugging with GEF
gef> target remote localhost:1234 # Connect to remote target
gef> context # Verify remote context
gef> vmmap # Remote memory mapping
gef> continue # Continue remote execution
12.3 Advanced Remote Debugging
# File transfer for remote debugging
(gdb) remote put local_file remote_file
(gdb) remote get remote_file local_file
(gdb) remote delete remote_file
# Remote process management
gef> info os processes # Remote process list
gef> info os modules # Remote loaded modules
gef> set remote exec-file /path/binary # Set remote executable
gef> set sysroot /remote/root # Set remote system root
# Remote debugging optimization
gef> set tcp connect-timeout 30 # Connection timeout
gef> set remotetimeout 10 # Remote operation timeout
gef> monitor help # GDBserver monitor commands
13. Scripting and Automation
Customize script paths, function names, and automation parameters based on your specific analysis workflow requirements.
13.1 GDB Scripting with Python
# Python scripting within GDB/GEF
(gdb) python
import gdb
import struct
# Custom GDB command example
class CustomBreakpoint(gdb.Command):
def __init__(self):
super(CustomBreakpoint, self).__init__("custom-break", gdb.COMMAND_BREAKPOINTS)
def invoke(self, arg, from_tty):
args = gdb.string_to_argv(arg)
addr = int(args[0], 16)
bp = gdb.Breakpoint(f"*{addr}")
print(f"Breakpoint set at {hex(addr)}")
CustomBreakpoint()
end
# GEF Python scripting integration
gef> python-interactive
>>> import gef
>>> current_arch = gef.session.arch
>>> print(f"Current architecture: {current_arch}")
>>> mem = gef.memory.read(gef.session.arch.pc, 16)
>>> print(f"Memory at PC: {mem.hex()}")
13.2 Automated Analysis Scripts
# GDB initialization script (.gdbinit)
# Custom .gdbinit for automated setup
set disassembly-flavor intel
set print pretty on
set pagination off
set confirm off
define hook-stop
context
end
define exploit-pattern
pattern create 1000
run
pattern search $rip
end
# Advanced automation script
define heap-analysis-full
heap chunks
heap bins
heap arenas
heap-analysis-helper
end
define exploit-setup
checksec
vmmap
got
plt
canary
end
# Batch mode operations
gdb -batch -ex "run" -ex "bt" -ex "quit" ./binary
gdb -batch -x analysis_script.gdb ./binary
13.3 Custom GEF Extensions
# Custom GEF command development
# Save as ~/.gef-extras/custom_commands.py
@register_command
class CustomHeapAnalysis(GenericCommand):
"""Custom heap analysis command."""
_cmdline_ = "custom-heap"
_syntax_ = f"{_cmdline_}"
def __init__(self):
super().__init__(complete=gdb.COMPLETE_NONE)
def do_invoke(self, argv):
"""Execute custom heap analysis."""
try:
# Get heap information
arena = gef.heap.main_arena
if not arena:
err("No heap arena found")
return
# Custom analysis logic
self.analyze_heap_chunks()
self.detect_heap_corruption()
except Exception as e:
err(f"Error in custom heap analysis: {e}")
def analyze_heap_chunks(self):
"""Analyze heap chunks for patterns."""
info("Analyzing heap chunks...")
# Implementation here
def detect_heap_corruption(self):
"""Detect potential heap corruption."""
info("Checking for heap corruption...")
# Implementation here
# GEF configuration for custom commands
gef> gef config gef.extra_plugins_dir ~/.gef-extras/
gef> gef config gef.debug True
14. Vulnerability Research and Exploit Development
Adjust vulnerability patterns, payload structures, and exploitation techniques based on your specific research targets.
14.1 Buffer Overflow Analysis
# Buffer overflow identification and exploitation
gef> pattern create 1000 # Create overflow pattern
gef> run # Trigger overflow
gef> pattern search $rip # Find RIP offset
gef> pattern offset 0x6161616a # Calculate exact offset
# Stack-based buffer overflow exploitation
gef> info frame # Analyze stack frame
gef> x/20gx $rsp # Examine stack contents
gef> telescope $rsp 30 # Enhanced stack view
gef> context stack # Stack context display
# Exploitation development workflow
gef> ropper --search "pop rdi; ret" # Find ROP gadgets
gef> ropper --search "pop rsi; pop r15; ret" # Multi-pop gadgets
gef> search-pattern "/bin/sh" # Find string references
gef> search-pattern "system" # Find function addresses
# Advanced overflow techniques
gef> break __stack_chk_fail # Break on stack canary failure
gef> watch *($rbp-0x8) # Watch canary location
gef> canary # Display current canary
gef> search-pattern 0x1234567890abcdef # Search for leaked canary
14.2 Use-After-Free Analysis
# UAF vulnerability detection and analysis
gef> heap-analysis-helper # Enable UAF detection
gef> gef config heap-analysis-helper.check_uaf True
gef> break malloc # Monitor allocations
gef> break free # Monitor deallocations
# UAF exploitation workflow
gef> heap chunks # Monitor heap state
gef> heap bins # Check freed chunks
gef> search-pattern 0x602010 # Search for chunk references
gef> telescope 0x602010 10 # Examine freed chunk
# Advanced UAF techniques
gef> heap chunk 0x602010 # Analyze specific chunk
gef> x/20gx 0x602010 # Manual chunk inspection
gef> watch *0x602010 # Watch freed chunk access
gef> context mem 0x602010 50 # Monitor chunk memory
14.3 Format String Exploitation
# Format string vulnerability exploitation
gef> format-string-helper # Enable format string detection
gef> break printf # Break on printf family
gef> break sprintf # Break on sprintf
gef> break snprintf # Break on snprintf
# Format string analysis workflow
gef> context args # Examine function arguments
gef> x/s $rdi # Examine format string
gef> telescope $rsp 50 # Stack analysis for format string
gef> pattern create 100 # Pattern for offset calculation
# Advanced format string exploitation
gef> got # Analyze GOT for overwrites
gef> search-pattern "printf" # Find printf references
gef> info symbol printf # Get printf address
gef> search-pattern "%n" # Find write primitives
15. Kernel and System-Level Debugging
Configure kernel debugging parameters and system-level analysis based on your specific kernel version and debugging environment.
15.1 Kernel Module Analysis
# Kernel debugging setup
gdb vmlinux
(gdb) target remote :1234 # QEMU kernel debugging
(gdb) add-symbol-file module.ko 0xaddr # Load kernel module symbols
# GEF kernel debugging enhancements
gef> ksymaddr # Kernel symbol addresses
gef> search-pattern "init_module" # Find module initialization
gef> vmmap # Kernel memory mapping
gef> context # Kernel context display
# Advanced kernel analysis
gef> info address init_module # Module function addresses
gef> disassemble init_module # Module disassembly
gef> break init_module # Break on module init
gef> break cleanup_module # Break on module cleanup
15.2 System Call Analysis
# System call tracing and analysis
gef> catch syscall # Catch all system calls
gef> catch syscall write # Catch specific syscall
gef> catch syscall open openat # Catch multiple syscalls
# System call parameter analysis
gef> context args # System call arguments
gef> x/s $rdi # First argument (filename)
gef> x/s $rsi # Second argument (buffer)
gef> print $rdx # Third argument (count)
# Advanced syscall debugging
gef> info registers # Syscall number in rax
gef> stepi # Step through syscall entry
gef> finish # Execute until syscall return
gef> print $rax # Syscall return value
15.3 Driver and Hardware Analysis
# Device driver debugging
gef> break driver_probe # Break on driver probe
gef> break driver_remove # Break on driver removal
gef> info address driver_ops # Driver operation structure
# Hardware interaction analysis
gef> x/20gx 0xffffc90000000000 # MMIO region examination
gef> watch *0xffffc90000000000 # Watch hardware register
gef> context mem 0xffffc90000000000 32 # Monitor hardware memory
# Interrupt and DMA analysis
gef> break irq_handler # Break on interrupt handler
gef> context # Interrupt context
gef> backtrace # Interrupt call stack
16. Performance Analysis and Optimization
Configure performance monitoring and optimization parameters based on your analysis requirements and system capabilities.
16.1 Execution Profiling
# GDB profiling and performance analysis
gef> set logging on # Enable logging
gef> set logging file profile.log # Set log file
gef> record # Record execution
gef> record function-call-history # Function call history
# Advanced profiling techniques
gef> maintenance time # Enable timing
gef> maintenance space # Enable space usage
gef> maintenance check-symtabs # Symbol table check
gef> maintenance info program-spaces # Program space info
# Custom profiling implementation
gef> break main # Profile from main
gef> commands
Type commands for breakpoint(s) 1, one per line.
End with a line saying just "end".
>silent
>printf "Function: %s\n", $_function
>continue
>end
16.2 Memory Usage Analysis
# Memory analysis and optimization
gef> info proc mappings # Detailed memory mappings
gef> vmmap # GEF enhanced memory view
gef> heap chunks --summary # Heap usage summary
gef> maintenance info sections # Binary section analysis
# Advanced memory profiling
gef> search-pattern 0x00000000 # Find null patterns
gef> search-pattern 0x41414141 # Find specific patterns
gef> telescope $rsp 100 # Extensive stack analysis
gef> context mem # Memory context analysis
# Memory leak detection
gef> heap-analysis-helper # Enable heap tracking
gef> break malloc # Track allocations
gef> break free # Track deallocations
gef> info breakpoints # Verify tracking setup
16.3 Optimization Strategies
# GDB performance optimization
gef> set pagination off # Disable pagination
gef> set print elements 0 # Unlimited array printing
gef> set print max-symbolic-offset 1 # Limit symbol offset
gef> set confirm off # Disable confirmations
# GEF performance tuning
gef> gef config context.clear_screen False # Faster context
gef> gef config context.redirect /tmp/gef.txt # Redirect output
gef> gef config glibc.main_arena 0x7ffff7e19b80 # Manual arena
gef> gef config context.nb_lines_stack 5 # Reduce stack lines
# Advanced optimization
gef> set remote memory-write-packet-size 1024 # Remote optimization
gef> set remote memory-read-packet-size 1024 # Remote read optimization
gef> maintenance set dwarf max-cache-age 0 # Disable DWARF cache
17. Advanced Debugging Scenarios
Customize debugging scenarios and analysis techniques based on your specific reverse engineering and exploitation challenges.
17.1 Anti-Debugging Bypass
# Anti-debugging detection and bypass
gef> catch signal SIGTRAP # Catch debug traps
gef> catch signal SIGILL # Catch illegal instructions
gef> handle SIGTRAP nostop # Ignore debug traps
gef> handle SIGILL nostop # Ignore illegal instructions
# PTRACE detection bypass
gef> break ptrace # Break on ptrace calls
gef> return -1 # Force ptrace failure
gef> set $rax = -1 # Fake ptrace failure
# Timing-based anti-debugging bypass
gef> break rdtsc # Break on timing instructions
gef> set $rax = 0x1234 # Fake timing value
gef> set $rdx = 0x5678 # Fake high timing value
# Advanced anti-debugging techniques
gef> search-pattern "ptrace" # Find ptrace references
gef> search-pattern "PTRACE_TRACEME" # Find tracing constants
gef> patch byte 0x400080 0x90 # Patch anti-debug checks
17.2 Packed Binary Analysis
# Packed/obfuscated binary analysis
gef> break _start # Break at entry point
gef> stepi # Single step through unpacker
gef> vmmap # Monitor memory changes
gef> context # Enhanced context during unpacking
# Dynamic unpacking assistance
gef> break mprotect # Break on memory protection changes
gef> watch *0x400000 # Watch unpacking region
gef> context mem 0x400000 100 # Monitor unpacking memory
# Advanced unpacking techniques
gef> search-pattern 0x5a4d # Find PE headers (Windows)
gef> search-pattern 0x7f454c46 # Find ELF headers (Linux)
gef> info files # Monitor file mapping changes
gef> maintenance info sections # Section information
17.3 Multi-threaded Application Debugging
# Multi-threaded debugging with GEF
gef> info threads # List all threads
gef> thread 2 # Switch to thread 2
gef> thread apply all bt # Backtrace all threads
gef> thread apply all context # Context for all threads
# Thread-specific breakpoints
gef> break main thread 2 # Thread-specific breakpoint
gef> break function_name thread all # Breakpoint for all threads
gef> condition 1 $_thread == 2 # Conditional thread breakpoint
# Advanced thread analysis
gef> context threads # Thread context display
gef> info threads # Detailed thread information
gef> thread apply 1-3 print $rip # Print RIP for threads 1-3
gef> set scheduler-locking on # Lock thread scheduling
18. Integration and Automation Workflows
Replace integration paths, script names, and automation parameters with your specific development and analysis environment.
18.1 IDE Integration
# VS Code integration with GDB/GEF
# launch.json configuration
{
"version": "0.2.0",
"configurations": [
{
"name": "GDB/GEF Debug",
"type": "cppdbg",
"request": "launch",
"program": "${workspaceFolder}/target_binary",
"args": ["arg1", "arg2"],
"stopAtEntry": false,
"cwd": "${workspaceFolder}",
"environment": [],
"externalConsole": false,
"MIMode": "gdb",
"setupCommands": [
{
"description": "Enable GEF",
"text": "source ~/.gdbinit-gef.py",
"ignoreFailures": false
}
]
}
]
}
# Vim integration with GDB
# .vimrc configuration for GDB integration
nnoremap <F5> :!gdb -tui %:r<CR>
nnoremap <F6> :!gdb -batch -ex run -ex bt -ex quit %:r<CR>
18.2 Continuous Integration
# Automated testing with GDB/GEF
#!/bin/bash
# ci_debug_test.sh
# Compile test binary
gcc -g -o test_binary test.c
# Run automated GDB analysis
gdb -batch \
-ex "source ~/.gdbinit-gef.py" \
-ex "start" \
-ex "checksec" \
-ex "vmmap" \
-ex "continue" \
-ex "bt" \
-ex "quit" \
./test_binary > analysis_report.txt
# Check for security issues
if grep -q "No canary found" analysis_report.txt; then
echo "Security issue: No stack canary"
exit 1
fi
echo "Analysis completed successfully"
18.3 Report Generation
# Automated report generation
import subprocess
import json
import datetime
class GDBAnalysisReport:
def __init__(self, binary_path):
self.binary_path = binary_path
self.analysis_data = {}
self.timestamp = datetime.datetime.now()
def run_gdb_analysis(self):
"""Execute comprehensive GDB/GEF analysis."""
gdb_script = """
source ~/.gdbinit-gef.py
file {}
checksec
info functions
info variables
vmmap
quit
""".format(self.binary_path)
with open('/tmp/gdb_script.gdb', 'w') as f:
f.write(gdb_script)
result = subprocess.run(
['gdb', '-batch', '-x', '/tmp/gdb_script.gdb'],
capture_output=True, text=True
)
return result.stdout
def parse_security_features(self, output):
"""Parse security features from checksec output."""
security_features = {
'canary': 'Canary found' in output,
'nx': 'NX enabled' in output,
'pie': 'PIE enabled' in output,
'relro': 'Full RELRO' in output,
'aslr': True # Assume ASLR is system-wide
}
return security_features
def generate_report(self):
"""Generate comprehensive analysis report."""
output = self.run_gdb_analysis()
security = self.parse_security_features(output)
report = {
'binary': self.binary_path,
'timestamp': self.timestamp.isoformat(),
'security_features': security,
'analysis_output': output
}
return json.dumps(report, indent=2)
# Usage
reporter = GDBAnalysisReport('./target_binary')
report = reporter.generate_report()
print(report)
19. Troubleshooting and Common Issues
Address common operational challenges and provide solutions for typical GDB/GEF deployment scenarios.
19.1 Installation and Configuration Issues
# Common GEF installation problems
# Python compatibility issues
python3 --version # Check Python version
pip3 install unicorn-engine # Install dependencies
pip3 install capstone # Install capstone
pip3 install ropper # Install ropper
# GEF loading issues
gdb -q
(gdb) python import sys; print(sys.version)
(gdb) python exec(open('/path/to/gef.py').read())
(gdb) source ~/.gdbinit-gef.py
# Permission and path issues
chmod +x ~/.gdbinit-gef.py # Fix permissions
echo 'source ~/.gdbinit-gef.py' >> ~/.gdbinit
export PYTHONPATH=/usr/local/lib/python3.8/site-packages
19.2 Performance and Memory Issues
# GEF performance optimization
gef> gef config context.nb_lines_stack 5 # Reduce stack lines
gef> gef config context.nb_lines_code 5 # Reduce code lines
gef> gef config context.clear_screen False # Disable screen clear
gef> gef config heap.main_arena 0x7ffff7e19b80 # Manual arena
# Memory usage optimization
gef> set print elements 200 # Limit array printing
gef> set print max-symbolic-offset 1 # Limit symbol offset
gef> maintenance set dwarf max-cache-age 0 # Disable DWARF cache
gef> set remote memory-read-packet-size 1024 # Optimize remote reads
# Debug output management
gef> set logging on # Enable logging
gef> set logging file /tmp/gdb.log # Redirect to file
gef> set logging redirect on # Redirect all output
19.3 Compatibility and Version Issues
# GDB version compatibility
gdb --version # Check GDB version
python3 -c "import gdb; print('GDB Python support OK')"
# Library compatibility issues
ldd /usr/bin/gdb # Check GDB dependencies
python3 -c "import unicorn; print('Unicorn OK')"
python3 -c "import capstone; print('Capstone OK')"
# Architecture compatibility
gdb-multiarch --version # Multi-architecture support
file target_binary # Check binary architecture
gef> info target # Target information
# Remote debugging issues
gdbserver --version # Check gdbserver version
netstat -tlnp | grep 1234 # Check port availability
telnet target_host 1234 # Test connectivity
20. Legal and Ethical Considerations
All GDB/GEF debugging activities must be performed within legal and ethical boundaries with proper authorization and scope definition.
20.1 Authorization Requirements
Pre-Analysis Authorization:
- Written permission from software owners
- Clearly defined scope of reverse engineering activities
- Approved analysis methodologies and tools
- Escalation procedures for security findings
- Data handling and confidentiality agreements
Scope Limitations:
- Specific binaries and versions approved for analysis
- Excluded proprietary or third-party components
- Time limitations for analysis activities
- Reporting requirements and disclosure timelines
- Documentation and evidence preservation protocols
20.2 Documentation Standards
Comprehensive Documentation Must Include:
- Scope of authorization and analysis targets
- Debugging methodologies and tools employed
- Timeline of all analysis activities
- Findings classification and impact assessment
- Technical evidence and reproduction steps
- Recommendations and remediation guidance
Legal Compliance Requirements:
- DMCA compliance for reverse engineering activities
- Industry-specific regulations and standards
- International reverse engineering law considerations
- Intellectual property protection requirements
- Third-party software license compliance
20.3 Responsible Disclosure
# Vulnerability Disclosure Template
## Executive Summary
- Vulnerability classification and impact
- Affected software versions and components
- Recommended immediate actions
## Technical Analysis
- Vulnerability discovery methodology
- Proof of concept and reproduction steps
- Root cause analysis and technical details
- Exploitation scenarios and impact assessment
## Remediation Guidance
- Immediate mitigation strategies
- Long-term remediation recommendations
- Testing and validation procedures
- Security architecture improvements
## Timeline
- Discovery date and analysis methodology
- Initial vendor notification timeline
- Remediation deadline recommendations
- Public disclosure timeline and considerations
Conclusion
This comprehensive GDB with GEF reference manual provides security researchers and exploit developers with the knowledge and tools necessary to implement effective reverse engineering and vulnerability research programs. The techniques and methodologies described represent current best practices for dynamic binary analysis, enabling organizations and researchers to proactively identify and understand security vulnerabilities.
The evolution of the exploitation landscape requires continuous adaptation of debugging methodologies and tool mastery. Future research should focus on machine learning-enhanced vulnerability detection, automated exploit generation capabilities, and integration with cloud-native security research platforms.
Security practitioners must balance the powerful capabilities of GDB/GEF with responsible disclosure practices, comprehensive documentation, and adherence to legal and ethical guidelines to ensure the advancement of cybersecurity research while maintaining trust and accountability.
References
- GNU Debugger Documentation
- GEF GitHub Repository
- GEF Documentation
- CTF101 GDB Guide
- Azeria Labs ARM Debugging
- LiveOverflow GDB Tutorials
- PEDA GitHub Repository
- Pwndbg GitHub Repository
- Reverse Engineering for Beginners
- The Art of Software Security Assessment
- Hacking: The Art of Exploitation
- Practical Reverse Engineering
- Intel 64 and IA-32 Architecture Manuals
- ARM Architecture Reference Manual
- System V ABI Documentation
- GNU Binutils Documentation
- ELF Specification