GEF (GDB Enhanced Features) - a modern experience for GDB with advanced debugging capabilities for exploit devs & reverse engineers on Linux
Home Page: https://hugsy.github.io/gef
License: MIT License
Hey,
I'm not sure if this is a bug.
MIPS binary remote debug.
gef➤ x/20gx 0x602000
0x602000: 0x0000000000000000 0x0000000000000021
0x602010: 0x7374702f7665642f 0x000000000000322f
0x602020: 0x0000000000000000 0x0000000000000021 # Value is 0x21
0x602030: 0x00007fffffffe940 0x0000000000000000
0x602040: 0x0000000000000000 0x0000000000000021
0x602050: 0x0000000000602020 0x0000000000000000
0x602060: 0x0000000000000000 0x0000000000000021
0x602070: 0x0000000000000000 0x0000000000000000
0x602080: 0x0000000000000000 0x0000000000020f81
0x602090: 0x0000000000000000 0x0000000000000000
gef➤ dt mchunk 0x602020
0x602020+0x0000 prev_size : 0x0000000000000000 (c_ulong)
0x602020+0x0008 size : 0x0000000000000000 (c_ulong) # Value missing?
0x602020+0x0010 FD : 0x00007fffffffe940 → 0x00007fffffffe970 → 0x0 (c_ulong)
0x602020+0x0018 BK : 0x0000000000000000 (c_ulong)
0x602020+0x0020 fd_nextsize : 0x0000000000000000 (c_ulong)
0x602020+0x0028 bk_nextsize : 0x0000000000000000 (c_ulong)
gef➤ x/gx 0x602028
0x602028: 0x0000000000000021will investigate.
Thanks for releasing your python script, I only started using it recently, but I find it very helpful.
I have what might be a unqiue situation, but I'm using gef with android's gdb to debug a file remotely on an Android device. Unfortunately, I couldn't get gef-remote to work the way I wanted, so I'm using a local executable for the file.
The issue I am having is that the inspect_stack is printing the addresses but it is not printing the values in the addresses. I looked through the code and tracked it down to the get_process_maps()
Basically, it is looking for the /proc/pid/maps, but in my case it is on the remote device. I was able to fix the issue by checking to see if the maps file exists and if not then I try to pull it down using the gdb command "remote get". I'm sure there is probably a more elegant way to do this, but it is working for me.
def get_process_maps():
sections = []
try:
pid = get_pid()
proc = __config__.get("gef-remote.proc_directory")[0]
fname = '%s/%d/maps' % (proc, pid)
mapFName = ""
if os.path.isfile(fname) :
f = open(fname)
else :
mapFName = "./map_%d" % pid
gdb.execute("remote get " + fname + " " + mapFName, to_string=True)
f = open(mapFName)**
while True:
line = f.readline()
if len(line) == 0:
if (os.path.isfile(mapFName)) :
os.remove(mapFName);
break
. . .
Thank you again for the addon.
Hello, I'm trying to add an API for generating shellcode, But it getting me some error while adding command line "shellcode zsc" which you can see in line 2701 [i write there] at here
https://github.com/Ali-Razmjoo/gef/commit/04cb3787abd4006715b2691aa9ccecbc00242a24
what am i missing?
@Grazfather reported some slow performances on gef.
Check on that
@rick2600 │ a nice feature for gef is to make it to use https://retdec.com/decompilation/ API
Hello hugsy,
Is it possible to port peda's find or searchmem, it really works well in finding bytes for either manual rop searching or ascii strings like "/bin/sh".
Thanks
I also have another issue. It looks like the stack is not being properly interpreted as the correct data type.
------------------------------------------------------------------------------------------[regs]
$zero 0x00000000 $at 0xfffffff8 $v0 0x76fff5e4 $v1 0x0000002c
$a0 0x76fff5f4 $a1 0x00000000 $a2 0x00000000 $a3 0x76fff5f4
$t0 0x00000000 $t1 0x00000000 $t2 0x00000000 $t3 0x00000200
$t4 0x00000100 $t5 0xfffffffe $t6 0x00000001 $t7 0x004012f8
$s0 0x56153a1d $s1 0xffffffff $s2 0x76fff6e4 $s3 0x00400c38
$s4 0x00000001 $s5 0x00400e80 $s6 0x00000000 $s7 0x00000000
$t8 0x00000024 $t9 0x766ee1d0 $k0 0x00000000 $k1 0x00000000
$s8 0x76fff5c0 $sr 0x20000010 $bad 0x00000000 $cause 0x00000000
$pc 0x004012fc $sp 0x76fff5c0 $hi 0x00000249 $lo 0x0001cbed
$fir 0x00739300 $fsr 0x00000000 $ra 0x004012f8 $gp 0x004520e0
------------------------------------------------------------------------------------------[stack]
0x76fff5c0|+0x00: ← $sp
0x76fff5c4|+0x04:
0x76fff5c8|+0x08:
0x76fff5cc|+0x0c:
0x76fff5d0|+0x10:
0x76fff5d4|+0x14:
0x76fff5d8|+0x18:
0x76fff5dc|+0x1c:
0x76fff5e0|+0x20:
0x76fff5e4|+0x24:
------------------------------------------------------------------------------------------[code:mips:3000]
0x4012f0 <main+1136> jalr t9
0x4012f4 <main+1140> nop
0x4012f8 <main+1144> lw gp,16(s8)
0x4012fc <main+1148> li v0,2 ← $pc
0x401300 <main+1152> sh v0,36(s8)
0x401304 <main+1156> lw v0,-32744(gp)
0x401308 <main+1160> nop
0x40130c <main+1164> addiu v0,v0,-21780
0x401310 <main+1168> lhu v0,4(v0)
0x401314 <main+1172> nop
0x401318 <main+1176> move a0,v0
0x40131c <main+1180> lw t9,-32672(gp)
------------------------------------------------------------------------------------------[trace]
#0 0x004012fc in main ()
0x004012fc in main ()
gef> x/10wx $sp
0x76fff5c0: 0x0044a868 0x00000032 0x0044a868 0xfefefeff
0x76fff5d0: 0x004520e0 0x00400c38 0x00000001 0x00400e80
0x76fff5e0: 0x00000000 0x00000000
gef> So far from my debugging I see that context_stack() calls inspect_stack(). Inspect_stack() calls _do_inspect_stack(), there line 3305 variable 'l' does not add the dereferenced stack pointers.
3305 l += sep.join(addrs[1:])Looks like dereference_from() calls lookup_address(). There at line 1073, the sect variable is None due to get_process_maps() uses get_pid() and it reads the debugged process's memory map from proc.
920 pid = get_pid()
921 f = open('/proc/%d/maps' % pid)I think the issue is that get_pid() does not return a valid process ID on the host system because my process is running inside qemu and it does not exist as a process on it's own.
Here is an example where I print the returned pid and the inferior object.
920 pid = get_pid()
921 print(pid)
922 f = open('/proc/%d/maps' % pid)gef> target remote localhost:12345
Remote debugging using localhost:12345
Reading symbols from /lib/ld-uClibc.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-uClibc.so.0
<gdb.Inferior object at 0x7fb5cbea7288>
42000
------------------------------------------------------------------------------------------[regs]
$zero 0x00000000 $at 0x00000000 $v0 0x00000000 $v1 0x00000000
$a0 0x00000000 $a1 0x00000000 $a2 0x00000000 $a3 0x00000000
$t0 0x00000000 $t1 0x00000000 $t2 0x00000000 $t3 0x00000000
$t4 0x00000000 $t5 0x00000000 $t6 0x00000000 $t7 0x00000000
$s0 0x00000000 $s1 0x00000000 $s2 0x00000000 $s3 0x00000000
$s4 0x00000000 $s5 0x00000000 $s6 0x00000000 $s7 0x00000000
$t8 0x00000000 $t9 0x00000000 $k0 0x00000000 $k1 0x00000000
$s8 0x00000000 $sr 0x20000010 $bad 0x00000000 $cause 0x00000000
$pc 0x767b8ab0 $sp 0x76fff6e0 $hi 0x00000000 $lo 0x00000000
$fir 0x00739300 $fsr 0x00000000 $ra 0x00000000 $gp 0x00000000
------------------------------------------------------------------------------------------[stack]
<gdb.Inferior object at 0x7fb5cbea7288>
42000
<gdb.Inferior object at 0x7fb5cbea7288>
42000
0x76fff6e0|+0x00: ← $sp
<gdb.Inferior object at 0x7fb5cbea7288>
42000
<gdb.Inferior object at 0x7fb5cbea7288>
42000
0x76fff6e4|+0x04:
<gdb.Inferior object at 0x7fb5cbea7288>
42000
<gdb.Inferior object at 0x7fb5cbea7288>
42000
0x76fff6e8|+0x08:
<gdb.Inferior object at 0x7fb5cbea7288>
....Here is the actual processes:
➜ ~ ps aux | grep mips | grep -v grep
user 53565 0.0 1.1 92360 24464 pts/0 S+ 15:23 0:00 gdb-multiarch -q ./mips
user 53630 96.5 0.1 2055184 2568 pts/7 R+ 15:46 1:59 qemu-mips -g 12345 ./mips
➜ ~ The process qemu-mips, is the process whose memory map we need.
➜ ~ cat /proc/53630/maps
7ffbee60b000-7ffbeea0b000 ---p 00000000 00:00 0
7ffbeea0b000-7ffbeea15000 r-xp 00000000 08:01 656230 /home/user/openwrt/mips
7ffbeea15000-7ffbeea55000 ---p 00000000 00:00 0
7ffbeea55000-7ffbeea56000 rw-p 0000a000 08:01 656230 /home/user/openwrt/mips
7ffbeea56000-7ffc64dc3000 ---p 00000000 00:00 0
7ffc64dc3000-7ffc64dc9000 r-xp 00000000 08:01 665474 /home/user/openwrt/cross-compiler-mips/lib/ld-uClibc-0.9.30.1.so
7ffc64dc9000-7ffc64e08000 ---p 00000000 00:00 0
7ffc64e08000-7ffc64e0a000 rw-p 00005000 08:01 665474 /home/user/openwrt/cross-compiler-mips/lib/ld-uClibc-0.9.30.1.so
7ffc64e0a000-7ffc64e0b000 ---p 00000000 00:00 0
7ffc64e0b000-7ffc68a0b000 rw-p 00000000 00:00 0
7ffc68a0b000-7ffc68a48000 r-xp 00000000 08:01 921979 /lib/x86_64-linux-gnu/libpcre.so.3.13.1
7ffc68a48000-7ffc68c47000 ---p 0003d000 08:01 921979 /lib/x86_64-linux-gnu/libpcre.so.3.13.1
7ffc68c47000-7ffc68c48000 r--p 0003c000 08:01 921979 /lib/x86_64-linux-gnu/libpcre.so.3.13.1
7ffc68c48000-7ffc68c49000 rw-p 0003d000 08:01 921979 /lib/x86_64-linux-gnu/libpcre.so.3.13.1
7ffc68c49000-7ffc68e04000 r-xp 00000000 08:01 923688 /lib/x86_64-linux-gnu/libc-2.19.so
7ffc68e04000-7ffc69003000 ---p 001bb000 08:01 923688 /lib/x86_64-linux-gnu/libc-2.19.so
7ffc69003000-7ffc69007000 r--p 001ba000 08:01 923688 /lib/x86_64-linux-gnu/libc-2.19.so
7ffc69007000-7ffc69009000 rw-p 001be000 08:01 923688 /lib/x86_64-linux-gnu/libc-2.19.so
7ffc69009000-7ffc6900e000 rw-p 00000000 00:00 0
7ffc6900e000-7ffc69027000 r-xp 00000000 08:01 923689 /lib/x86_64-linux-gnu/libpthread-2.19.so
7ffc69027000-7ffc69226000 ---p 00019000 08:01 923689 /lib/x86_64-linux-gnu/libpthread-2.19.so
7ffc69226000-7ffc69227000 r--p 00018000 08:01 923689 /lib/x86_64-linux-gnu/libpthread-2.19.so
7ffc69227000-7ffc69228000 rw-p 00019000 08:01 923689 /lib/x86_64-linux-gnu/libpthread-2.19.so
7ffc69228000-7ffc6922c000 rw-p 00000000 00:00 0
7ffc6922c000-7ffc69331000 r-xp 00000000 08:01 922568 /lib/x86_64-linux-gnu/libm-2.19.so
7ffc69331000-7ffc69530000 ---p 00105000 08:01 922568 /lib/x86_64-linux-gnu/libm-2.19.so
7ffc69530000-7ffc69531000 r--p 00104000 08:01 922568 /lib/x86_64-linux-gnu/libm-2.19.so
7ffc69531000-7ffc69532000 rw-p 00105000 08:01 922568 /lib/x86_64-linux-gnu/libm-2.19.so
7ffc69532000-7ffc69638000 r-xp 00000000 08:01 922562 /lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0
7ffc69638000-7ffc69837000 ---p 00106000 08:01 922562 /lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0
7ffc69837000-7ffc69838000 r--p 00105000 08:01 922562 /lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0
7ffc69838000-7ffc69839000 rw-p 00106000 08:01 922562 /lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0
7ffc69839000-7ffc6983a000 rw-p 00000000 00:00 0
7ffc6983a000-7ffc69841000 r-xp 00000000 08:01 923691 /lib/x86_64-linux-gnu/librt-2.19.so
7ffc69841000-7ffc69a40000 ---p 00007000 08:01 923691 /lib/x86_64-linux-gnu/librt-2.19.so
7ffc69a40000-7ffc69a41000 r--p 00006000 08:01 923691 /lib/x86_64-linux-gnu/librt-2.19.so
7ffc69a41000-7ffc69a42000 rw-p 00007000 08:01 923691 /lib/x86_64-linux-gnu/librt-2.19.so
7ffc69a42000-7ffc69a65000 r-xp 00000000 08:01 923682 /lib/x86_64-linux-gnu/ld-2.19.so
7ffc69c13000-7ffc69c47000 rw-p 00000000 00:00 0
7ffc69c4a000-7ffc69c64000 rw-p 00000000 00:00 0
7ffc69c64000-7ffc69c65000 r--p 00022000 08:01 923682 /lib/x86_64-linux-gnu/ld-2.19.so
7ffc69c65000-7ffc69c66000 rw-p 00023000 08:01 923682 /lib/x86_64-linux-gnu/ld-2.19.so
7ffc69c66000-7ffc69c67000 rw-p 00000000 00:00 0
7ffc69c67000-7ffc69dd2000 r-xp 00000000 08:01 917736 /usr/bin/qemu-mips
7ffc69fd2000-7ffc6a012000 r--p 0016b000 08:01 917736 /usr/bin/qemu-mips
7ffc6a012000-7ffc6a019000 rw-p 001ab000 08:01 917736 /usr/bin/qemu-mips
7ffc6a019000-7ffc6a077000 rw-p 00000000 00:00 0
7ffc6a077000-7ffc6c078000 rwxp 00000000 00:00 0
7ffc6c078000-7ffc6c07b000 rw-p 00000000 00:00 0
7ffc6c27f000-7ffc6c2a0000 rw-p 00000000 00:00 0 [heap]
7ffff98f0000-7ffff9911000 rw-p 00000000 00:00 0 [stack]
7ffff99fe000-7ffff9a00000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
➜ ~ I don't know how to fix that yet, maybe u can help me with some suggestions. Two solutions I'm thinking of are:
Not a bug, just a proposal.
https://github.com/rogerhu/gdb-heap
https://github.com/cloudburst/libheap
gef> unicorn-emulate -n 3
Python Exception <type 'exceptions.TypeError'> unsupported operand type(s) for -: 'NoneType' and 'long':
Error occurred in Python command: unsupported operand type(s) for -: 'NoneType' and 'long'Thanks to such an awesome tool! 😄
I'm using gnome-terminal .When using GEF, output of "colored text" display with "[0001] xxx [0001] ". I changed
RED = "\001\x1b[31m\002"
to
RED = "\x1b[31m"
and solved the problem, hope an improvment will be made when you update it.
Finally, thanks for your works!
Show arguments passed to a function in the context_code when hitting a call instruction.
I love the gef commands, but when I have source I'd like to be able to see it...
gdb-dashboard shows source and asm if possible, just asm if not: https://github.com/cyrus-and/gdb-dashboard/blob/master/.gdbinit#L678-L752 which would be ideal...
Hello,
First, awesome job on the tool ! Really appreciate it...
While trying to work on a MIPS MSB binary I had the following problem:
➜ openwrt gdb-multiarch ./mips_binary -q
[!] Failed to load `assemble`: 'radare2 Python bindings could not be loaded'
[!] Failed to load `ropgadget`: 'Missing Python `ropgadget` package. Install with `pip install ropgadget`'
gef loaded, `gef help' to start, `gef config' to configure
28 commands loaded (10 sub-commands), using Python engine 3.4
Reading symbols from ./mips_binary...done.
gef> target remote localhost:12345
Remote debugging using localhost:12345
Reading symbols from /lib/ld-uClibc.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-uClibc.so.0
------------------------------------------------------------------------------------------[regs]
$zero 0x00000000 $at 0x00000000 $v0 0x00000000 $v1 0x00000000
$a0 0x00000000 $a1 0x00000000 $a2 0x00000000 $a3 0x00000000
$t0 0x00000000 $t1 0x00000000 $t2 0x00000000 $t3 0x00000000
$t4 0x00000000 $t5 0x00000000 $t6 0x00000000 $t7 0x00000000
$s0 0x00000000 $s1 0x00000000 $s2 0x00000000 $s3 0x00000000
$s4 0x00000000 $s5 0x00000000 $s6 0x00000000 $s7 0x00000000
$t8 0x00000000 $t9 0x00000000 $k0 0x00000000 $k1 0x00000000
Python Exception <class 'gdb.error'> Cannot convert value to long.:
Error while running hook_stop:
Error occurred in Python command: Cannot convert value to long.
0x767b8ab0 in _start () from /lib/ld-uClibc.so.0
gef> quitinfo on the binary:
ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), dynamically linked (uses shared libs), not strippedThe way I'm executing this binary is via cross compiled libraries and qemu-mips using the -g flag for the gdb stub. The architecture and the endianess in gdb were correctly auto chosen.
After some troubleshooting of gdbinit-gef.py script, I noticed that the issue is due to the script trying to fetch the values of non-existent register names.
In gdbinit-gef.py you have
688 def mips_registers():
689 # http://vhouten.home.xs4all.nl/mipsel/r3000-isa.html
690 return ["$zero ", "$at ", "$v0 ", "$v1 ", "$a0 ", "$a1 ", "$a2 ", "$a3 ",
691 "$t0 ", "$t1 ", "$t2 ", "$t3 ", "$t4 ", "$t5 ", "$t6 ", "$t7 ",
692 "$s0 ", "$s1 ", "$s2 ", "$s3 ", "$s4 ", "$s5 ", "$s6 ", "$s7 ",
693 "$t8 ", "$t9 ", "$k0 ", "$k1 ", "$s8 ", "$status ", "$badvaddr ", "$cause ",
694 "$pc ", "$sp ", "$hi ", "$lo ", "$fir ", "$fcsr ", "$ra ", "$gp ", ]gdb registers:
(gdb) info reg
zero at v0 v1 a0 a1 a2 a3
R0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
t0 t1 t2 t3 t4 t5 t6 t7
R8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
s0 s1 s2 s3 s4 s5 s6 s7
R16 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
t8 t9 k0 k1 gp sp s8 ra
R24 00000000 00000000 00000000 00000000 00000000 76fff6e0 00000000 00000000
sr lo hi bad cause pc
20000010 00000000 00000000 00000000 00000000 767b8ab0
fsr fir
00000000 00739300
(gdb) quitThe function that the error is triggered is context_regs(). I noticed that there you might be anticipating issues with registers by your comments
2528 except gdb.MemoryError:
2529 # If this exception is triggered, it means that the current register
2530 # is corrupted. Just use the register "raw" value (not eval-ed)Unfortunately the suggested solution did not work for me...
The way I got this to work is simply replace the names of the MIPS registers $status to $sr, $badvaddr to $bad and $fcsr to $fsr. It looks like this is not due to a version of gdb but to the features of the MIPS CPU, I'm not really sure why/how that's determined by gdb. Hope you find a better alternative.
Hello,
I got this python exception while running the ropgadget command on a 32 bit binary on 64 bit linux:
gef> ropgadget
[+] Using binary: plop
Python Exception <class 'AttributeError'> 'FakeArgs' object has no attribute 're':
Error occurred in Python command: 'FakeArgs' object has no attribute 're'
Also really dumb question: how to set gdb variables as command line args or input? Seems easy but always end up with the variable name and not its content.
Thanks
See #13
Output file:
# Start address: 0x00000000004007eb
# End address: 0x000000000040088a
# Recursion level: 1
# automatically generated by gef.py
#
0x00000000004007ec in ?? ()
0x00000000004007f3 in ?? ()
Breakpoint 2, 0x000000000040088a in ?? ()
0x4007eb push rbx <- $pc
0x4007ec sub rsp,0x118
0x4007f3 mov rax,QWORD PTR fs 0x28checksec command seems to fail when using GDB with Python3:
gef> checksec
[+] checksec for '/bin/ls'
Python Exception <class 'TypeError'> Type str doesn't support the buffer API:
Error occurred in Python command: Type str doesn't support the buffer API
Thanks for this great tool!
gef➤ aslr 2
[*] Invalid command
[!] Syntax
aslr (on|off)
AND:
The following values are supported:
0 – No randomization. Everything is static.
1 – Conservative randomization. Shared libraries, stack, mmap(), VDSO and heap are randomized.
2 – Full randomization. In addition to elements listed in the previous point, memory managed through brk() is also randomized.
aslr on means 1 or 2? Maybe you guys need to update that command
Hello Hugsy,
Further to our Twitter conversation, I would use a simple command with GEF to generate a test command line fastly to execute a shellcode with python (or perl and co) like :
run $(python -c 'print "shellcode" + "\x90" * 180 + "\x74\xff\xff\xff\xdf\xc0" [::-1]')
Where :
Command sample (like the metasploit model, why not) :
$ gef set ARCHITECTURE x64
$ gef set LANGAGE python
$ gef set SHELLCODE \xeb\x3f\x5f\x80\x77\x0b\x41\x48\x31\xc0\x04\x02\x48\x31\xf6\x0f\x05\x66\x81\xec\xff\x0f\x48\x8d\x34\x24\x48\x89\xc7\x48\x31\xd2\x66\xba\xff\x0f\x48\x31\xc0\x0f\x05\x48\x31\xff\x40\x80\xc7\x01\x48\x89\xc2\x48\x31\xc0\x04\x01\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\xbc\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x4
$ gef set PATTERN_OFFSET 180
$ gef set POINTER_ADDRESS \x74\xff\xff\xff\xdf\xc0
$ gef exploit (or sample command line return to run)
Regards,
Traceback (most recent call last):
File "/root/.gdbinit-gef.py", line 61, in
if sys.version_info.major == 2:
AttributeError: 'tuple' object has no attribute 'major'
Hi, first of all thanks for making gef so awesome.
When looking through your source code I was wondering why you make the user specify the PID of the program to debug when using gef-remote. Why not just use "gdb.selected_inferior().pid" like you do locally? A quick test I made showed that it seems to work.
Background: I thought about adding support for remotely specifying the program to debug (with "gdbserver --multi" and "set remote exec-file" ) but this obviously requires dynamic detection of the debugee PID as it isn't running yet at the time you instruct gdb to connect. I thought I'd better ask you if there is some kind of bug or undocumented behavior with selected_inferior before I start implementing it like this.
Easy to fix, i'll do it.
gef➤ dt -l
[+] Listing custom structures:
Python Exception <class 'FileNotFoundError'> [Errno 2] No such file or directory: '/tmp/user/1000/gef/structs':
Error occurred in Python command: [Errno 2] No such file or directory: '/tmp/user/1000/gef/structs'
Stack output currently looks like this, where the offsets are printed in regards to $rsp:
0x00007fffffffe1b0│+0x0000: 0x361616161 ← $rsp
0x00007fffffffe1b8│+0x0008: 0x603110
0x00007fffffffe1c0│+0x0010: 0x0
0x00007fffffffe1c8│+0x0018: 0x00007fffffffe1f7 → 0x6031a000
0x00007fffffffe1d0│+0x0020: 0xf700603107
0x00007fffffffe1d8│+0x0028: 0x603010
0x00007fffffffe1e0│+0x0030: 0x0000000000401129 → "Welcome %s"
0x00007fffffffe1e8│+0x0038: 0x3
Maybe it's a good idea to also have the option to print the stack from the perspective of $rbp, since some binaries use that to point to things on the stack ($rbp = 0x00007fffffffe210 ; $rbp-$rsp = 0x60):
0x00007fffffffe1b0│-0x0060: 0x361616161 ← $rsp
0x00007fffffffe1b8│-0x0058: 0x603110
0x00007fffffffe1c0│-0x0050: 0x0
0x00007fffffffe1c8│-0x0048: 0x00007fffffffe1f7 → 0x6031a000
0x00007fffffffe1d0│-0x0040: 0xf700603107
0x00007fffffffe1d8│-0x0038: 0x603010
0x00007fffffffe1e0│-0x0030: 0x0000000000401129 → "Welcome %s"
0x00007fffffffe1e8│-0x0028: 0x3
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1 + python2.7
This is something I suggest in PEDA, but since I like GEF more now I thought I'd suggest it here.
you show which flags are set nicely
Flags: [ carry PARITY adjust zero sign trap INTERRUPT direction overflow resume virtualx86 identification ]
...
0x7ffff77c2e95 <__libc_start_main+69> je 0x7ffff77c2ea3 <__libc_start_main+83> ← $pc Branch NOT takenI think it'd be nice if there was some notation on which flags are in consideration for the current conditional:
Flags: [ carry PARITY adjust __zero__ sign trap INTERRUPT direction overflow resume virtualx86 identification ]Of course, how you show how they interact might be a bit trickier (e.g. G = !Z && SF == OF) so perhaps it could go somewhere near the Branch NOT taken.
Now another nice feature would be an easy way to toggle flags. Maybe even a command to just somehow toggle the jump (e.g. I don't care if you toggle Z or SF or OF, just avoid this jump!)
In the README.md pip3 install capstone keystone won't install the Keystone Engine (https://github.com/keystone-engine/keystone). It rather refers to the Keystone web framework.
There are a couple of instances in GEF of calls to dict.has_key(), which was removed in Python 3.0.
Changing those to "xxx in dict" rather than "dict.has_key(xxx)" seems to fix the problem and should be backwards compatible.
The current alias g=run is different from the Windbg semantics, where g and go would rather mean continue.
I'm not sure if you intended it to be Windbg-compat, but it's next to it so maybe.
How does one describe a struct that has another struct as a member (or is it even possible)?
struct fosphor_cl_features
{
#define FLG_CL_GL_SHARING (1<<0)
#define FLG_CL_NVIDIA_SM11 (1<<1)
#define FLG_CL_OPENCL_11 (1<<2)
#define FLG_CL_LOCAL_ATOMIC_EXT (1<<3)
cl_device_type type;
char vendor[128];
unsigned long local_mem;
int flags;
int wg_size;
int wg_size_dim[2];
};
struct fosphor_cl_state
{
cl_platform_id pl_id;
cl_device_id dev_id;
cl_context ctx;
cl_command_queue cq;
/* Features */
struct fosphor_cl_features feat;
/* FFT */
cl_mem mem_fft_in;
cl_mem mem_fft_out;
cl_mem mem_fft_win;
cl_program prog_fft;
cl_kernel kern_fft;
float *fft_win;
int fft_win_updated;
/* Display */
cl_mem mem_waterfall;
cl_mem mem_histogram;
cl_mem mem_spectrum;
cl_program prog_display;
cl_kernel kern_display;
/* Histogram range */
float histo_scale;
float histo_offset;
/* State */
int waterfall_pos;
enum {
CL_BOOTING = 0,
CL_PENDING,
CL_READY,
} state;
};( code taken from https://github.com/osmocom/gr-fosphor/blob/master/lib/fosphor/cl.c )
from @rick2600
see
rick2600@b8cb49f
syntax example:
> dt MyStruct
dumps the structure
> dt MyStruct 0x41414141
applies MyStruct to 0x41414141
> dt -r MyStruct 0x41414141
tells gef to recurse on nested structures
Run a program until we overwrite some stack contents
# stack view
0xbefff704│+0x04: 0xbefff811 → "/home/x/x"
...
# confirm it
gef➤ x/wx $sp+4
0xbefff704: 0xbefff811
...
# execute a write to the stack
0x1005c str r0, [sp, #4] ← $pc
...
# new stack view is 0x70? that doesn't seem right
0xbefff704│+0x04: "p"
...
# hmmm
gef➤ x/wx $sp+4
0xbefff704: 0x00010070
It looks like the stack view is assuming the 'str r0' instruction is an 'strb' or similar, and truncating it's display?
gef> context
------------------------------------------------------------------------------------------[regs]
Python Exception <type 'exceptions.TypeError'> coercing to Unicode: need string or buffer, NoneType found:
Error occurred in Python command: coercing to Unicode: need string or buffer, NoneType found
gef> python print 42
42
gdb-multiarch (debugging arm):
gef> context
------------------------------------------------------------------------------------------[regs]
Python Exception <type 'exceptions.TypeError'> coercing to Unicode: need string or buffer, NoneType found:
Error occurred in Python command: coercing to Unicode: need string or buffer, NoneType found
gef> info r
r0 0xfffffffc 4294967292
r1 0xbef424a8 3203671208
r2 0x10 16
r3 0x19e 414
r4 0x2a03ffc8 704905160
r5 0x0 0
r6 0x2a03ffdc 704905180
r7 0xfc 252
r8 0x2a040010 704905232
r9 0x14 20
r10 0x2a00d0a0 704696480
r11 0xbef4261c 3203671580
r12 0xbef424a8 3203671208
sp 0xbef42488 0xbef42488
lr 0x400b1fb5 1074470837
pc 0x400433dc 0x400433dc
cpsr 0x20000010 536870928
gef> elf-info
Python Exception <type 'exceptions.TypeError'> coercing to Unicode: need string or buffer, NoneType found:
Error occurred in Python command: coercing to Unicode: need string or buffer, NoneType found
gef> inspect-stack
Python Exception <type 'exceptions.TypeError'> coercing to Unicode: need string or buffer, NoneType found:
Error occurred in Python command: coercing to Unicode: need string or buffer, NoneType found
gef>
gdb (debugging x64) on the same machine - no errors:
gef> context
------------------------------------------------------------------------------------------[regs]
$rax 0xfffffffffffffe00 $rcx 0xffffffffffffffff $rdx 0x0000000000008000 $rbx 0x0000000000008000
$rsp 0x00007fffffffe1b8 $rbp 0x0000000000008000 $rsi 0x0000000000612000 $rdi 0x0000000000000000
$rip 0x00007ffff7b21970 $r8 0x00007ffff7dd8e40 $r9 0x00007ffff7dd8e90 $r10 0x0000000000000000
$r11 0x0000000000000246 $r12 0x0000000000612000 $r13 0x0000000000000000 $r14 0x0000000000000000
$r15 0x0000000000008000 $cs 0x0000000000000033 $ss 0x000000000000002b $ds 0x0000000000000000
$es 0x0000000000000000 $fs 0x0000000000000000 $gs 0x0000000000000000 $eflags [ PF ZF IF ]
------------------------------------------------------------------------------------------[stack]
0x00007fffffffe1b8: "VN@"
0x00007fffffffe1c0: 0x8000
0x00007fffffffe1c8: 0x0000000000612000 -> 0x0
0x00007fffffffe1d0: 0x8000
0x00007fffffffe1d8: 0x0000000000402718 -> xor ebp,ebp
0x00007fffffffe1e0: 0x00007fffffffe440 -> 0x1
0x00007fffffffe1e8: 0x00000000004025a3 -> cmp rax,0xffffffffffffffff
0x00007fffffffe1f0: 0x100000000
0x00007fffffffe1f8: 0x1000007ff
0x00007fffffffe200: 0x24e8c23a
------------------------------------------------------------------------------------------[code]
0x00007ffff7b21970 cmp rax, -0xfff <- $pc
0x00007ffff7b21976 jae 0x7ffff7b219a9
0x00007ffff7b21978 ret
0x00007ffff7b21979 sub rsp, 8
0x00007ffff7b2197d call 0x7ffff7b3a3e0
0x00007ffff7b21982 mov qword ptr [rsp], rax
0x00007ffff7b21986 mov eax, 0
0x00007ffff7b2198b syscall
0x00007ffff7b2198d mov rdi, qword ptr [rsp]
0x00007ffff7b21991 mov rdx, rax
------------------------------------------------------------------------------------------[trace]
#0 0x00007ffff7b21970 in read () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x0000000000404e56 in ?? ()
#2 0x00000000004025a3 in ?? ()
#3 0x00007ffff7a70ead in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x0000000000402741 in ?? ()
gef>
Same output for both gdb and gdb-multiarch when loaded
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
(gdb) source /opt/gef.py
[!] Failed to load assemble: 'radare2 Python bindings could not be loaded'
gef loaded, gef help' to start,gef config' to configure
29 commands loaded (10 sub-commands), using Python engine 2.7
gef>
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
(gdb) source /opt/gef.py
[!] Failed to load assemble: 'radare2 Python bindings could not be loaded'
gef loaded, gef help' to start,gef config' to configure
29 commands loaded (10 sub-commands), using Python engine 2.7
gef>
Hi,
Thanks ofr GEF, it is really useful. There is one minor thing that I think can make it even better. Would it be possible to output the Context info toa different TTY like gdb-dashboard does:
https://github.com/cyrus-and/gdb-dashboard#dashboard--output-file
This helps keep an eye on the context while printing different variables or areas of memory
Thanks!
A
If a jump is to be taken, it would be nice if the code context view could disassemble at the jump target.
Hey, it would be awesome if you can start tagging git releases sometimes, this would also aid the way package maintainers could start packaging this 😄
Would love to soon see a tag 👍
gdb
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
[*] Failed to load unicorn-emulate: 'This command requires the following packages: unicorn and capstone.'
gef loaded, gef help' to start,gef config' to configure
36 commands loaded (17 sub-commands), using Python engine 2.7
Kali-Linux 1.0.1
I've install the dependicies but the error still there.
Hello,
First of all, kudos! Great tools, loving it. Have been playing around with gef, and comparing some of the utilities it brings to gdb with peda's set. As you pointed out in your wiki, why not use peda as well?
I first set out to use either peda or gef. I imagine that's how you saw people using it. But then I thought, why not have them both in .gdbinit?
I noticed that there was some overlap in the aliases between the two. For instance, 'asm' aliases 'assemble' in gef, but 'asmsearch' in peda. ps and grep also have conflicts. After changing the aliases slightly in gef, I see that the two coexist and compliment each other nicely.
As a request, do you think it would be possible to change the aliases slightly so that the two can be loaded in gdb at the same time?
HTH,
IJ.
I have installed capstone , keystone and ropgadget using python2.7.
I have removed python3 binaries from the /usr/bin/ folder but when I open the gdb it still gives me following error.
Type "apropos word" to search for commands related to "word".
[*] Failed to load `capstone-disassemble`: 'Missing Python `capstone` package. Install with `pip3 install capstone`'
[*] Failed to load `assemble`: 'Missing Python `keystone` package. Install with `pip3 install keystone`'
[*] Failed to load `ropgadget`: 'Missing Python `ropgadget` package. Install with `pip3 install ropgadget`'
[*] Failed to load `unicorn-emulate`: 'This command requires the following packages: `unicorn` and `capstone`.'
[*] Failed to load `set-permission`: 'Missing Python `keystone` package. Install with `pip3 install keystone`'
gef loaded, `gef help' to start, `gef config' to configure
32 commands loaded (17 sub-commands), using Python engine 3.5
How can I use Python2.7 engine ?
┌[kiwish-4.2]-(Code/gef)-[git:master]-$
└> pip2 install ROPgadget
Requirement already satisfied (use --upgrade to upgrade): ROPgadget in /usr/local/lib/python2.7/dist-packages
Requirement already satisfied (use --upgrade to upgrade): capstone in /usr/local/lib/python2.7/dist-packages (from ROPgadget)
Cleaning up...
┌[kiwish-4.2]-(Code/gef)-[git:master]-$
└> gdb -q /bin/ls
[+] Failed to load `ropgadget`: 'Failed to import ROPgadget (check path)'
gef loaded, `gef help' to start, `gef config' to configure
28 commands loaded (10 sub-commands), using Python engine 2.7
Reading symbols from /bin/ls...(no debugging symbols found)...done.
gef> quit
┌[kiwish-4.2]-(Code/gef)-[git:master]-$
└> python
Python 2.7.9 (default, Mar 1 2015, 12:57:24)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ropgadget
>>>
┌[kiwish-4.2]-(Code/gef)-[git:master]-$
└>
Others might be missing as well.
I might fix this tonight.
I think there is an issue in the way the usable size is computed in the heap chunk command - here is an example:
overclok@wildout:/tmp$ cat gef.c
#include <stdio.h>
int main() {
int *p = malloc(0x1090+3);
printf("p @ %p\n", p);
*(unsigned int**)(0xdead) = p;
return 0;
}
overclok@wildout:/tmp$ clang gef.c
overclok@wildout:/tmp$ gdb -q ./a.out
GEF ready, type `gef' to start, `gef config' to configure
51 commands loaded, using Python engine 3.4
[*] 7 commands could not be loaded, run `gef missing` to know why.
Reading symbols from ./a.out...(no debugging symbols found)...done.
gef> r
Starting program: /tmp/a.out
p @ 0x602010
[...]
gef> heap chunk 0x602010
[ Chunk (used): 0x602000 ]
Chunk size: 4256 (0x10a0)
Usable size: 4240 (0x1090) <-Cheers
Hi,
I run openOCD to jtag and attach with GEF+GDB 7.10.
GDB> taget remote 127.0.0.1:3333
Python Exception <class 'TypeError'> invalid file: None:
Error while running hook_stop:
Error occurred in Python command: invalid file: None
0x802141b4 in ?? ()
Did you have an idea ? How can I help you with more log ?
thanks
On stripped binaries, where main isn't defined, vanilla gdb and gef don't work. peda, however, gets it working. See here. Can you add something similar?
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.