Show Menu
Cheatography
  1. Home >
  2. Programming >

Closed-source Debugging with GDB Cheat Sheet by

A reference to the arcane syntax of the Gnu Debugger, GDB. This cheat sheet is tailored for a reverse-engineering audience.

GDB: Launching

Launching GDB
gdb programfile
Start GDB ready to launch and debug progra­mfile
gdb --args program arg1 arg2
Start GDB as above but supplying command line arguments to the target process.
gdb -p pid
Attach GDB to a running target process.
Selecting the Start of Debugging
gdb$ start
Run the debuggee and break at main() (if it exists).
gdb$ attach pid
Attach GDB to a running target process.
(gdb) attach
--waitfor proces­s-name
(Mac OS X only) Wait for a process to launch and immedi­ately attach to it.
Adding a shim
gdb$ set exec-w­rapper env 'LD_PR­ELOAD=libfoo.so'
The dynamic library file libfoo.so will be loaded into the address space of the debuggee.
Logging
gdb$ set logging file filename
The default logfile is gdb.txt but you can use this to change it.
gdb$ set logging overwrite off
The default is on, which overwrites the existing log file.
gdb$ set logging on
Turns on logging.
gdb$ echo comment\n
With logging on, this will add a comment to the logfile.

GDB: Execution

Displaying the Call Stack
gdb$ bt
Show the list of stack frames (BackT­race).
gdb$ bt full
Show the list of stack frames with the local variables of each.
gdb$ info frame
Show saved stack pointer, call address, etc. for the selected stack frame.
gdb$ frame number
Select stack frame number number (and crashed GDB 6.3.50 on OS X).
Contro­lling Execution
si [count]
Step-into (one or count instru­ction forward).
ni [count]
Step-over (one or count instru­ction, stepping over function calls).
return [value]
Immedi­ately return from the current function, optionally setting the return value.
finish
Stop after finishing execution of the current function.
continue
Any time GDB is stopped, this will continue normal execution.

GDB: Enviro­nment

gdb$ show env
Display the debuggee's current enviro­nment variables.
gdb$ set env varname=value
Set an enviro­nment variable.
gdb$ unset env varname
Delete an enviro­nment variable.
gdb$ show args
Display the comman­d-line arguments of the debuggee process.
gdb$ set args arg1 arg2
Set the comman­d-line arguments to the debuggee process.
gdb$ shell command
Run shell commands (useful commands may include "ps -e", etc.)
gdb$ pwd | cd
These two commands can can show or change the working directory of GDB (useful for logging, etc.).
 

GDB: Breakp­oints

Managing Breakp­oints
gdb$ set breakpoint pending on
Bypasses the warning about breakp­oints in modules that aren't loaded yet.
gdb$ break function
Sets a breakpoint at function if ("pe­ndi­ng" off) or when ("pe­nding on") a symbol by that name exists.
gdb$ break *0x000­01234
Sets a breakpoint at address 0x0000­1234.
gdb$ break 0x00001234 if symbol==somevalue*
This is an example of the condit­ional breakpoint syntax.
gdb$ catch syscall name
Stop when the syscall name is called. Omit name to stop on every syscall. Instead of name, you can also specify a syscall by number.
gdb$ catch load
(not in Mac OS X) Stop when the debuggee loads any dynamic library. Also: catch unload.
gdb$ info break
List all breakp­oints and watchp­oints.
gdb$ clear [breakp­ointid]
Deletes one or all existing breakp­oints. Without this cheat sheet, the user would be forced to guess what is being cleared.
gdb$ disable [breakp­ointid]
Disables one or all breakp­oints.
 
Managing Watchp­oints (Data Breakp­oints)
gdb$ watch *0x123­45678 [mask 0xffff­ff00]
Break on any change to the 24 most signif­icant bits of a 32-bit value at address 0x1234­5678.
gdb$ awatch *0x123­45678
Like watch, but also stops on any write or read accesses to the given address.
gdb$ rwatch *0x123­45678
Like watch, but only stops on read accesses.

GDB: Concur­rency

Multit­hreaded Debugging
gdb$ info threads
List the threads of the target process.
gdb$ thread threadID
Attach GDB to the thread threadID.
gdb$ set non-stop on
Only the debugged thread is halted in GDB, the rest continue to run non-stop (unless they are blocking on the thread being debugged).
gdb$ set scheduler-locking on
Only the debugged thread will run when the debuggee is resumed.
gdb$ set schedu­ler­-lo­cking step
Only the debugged thread will step when being step-d­ebu­gged.
gdb$ show schedu­ler­-lo­cking
Display the current setting value.
 
Multip­rocess Debugging
gdb$ set follow­-fo­rk-mode child
GDB will detach at a fork() and attach to the new process.
gdb$ set follow­-fo­rk-mode parent
(Default) GDB will not detach at a fork().
gdb$ show follow­-fo­rk-mode
Display the current setting value.
gdb$ set follow­-ex­ec-mode new
GDB will detach at an exec() and attach to the new process.
gdb$ set follow­-ex­ec-mode same
(Default) GDB will not detach at an exec().
gdb$ show follow­-ex­ec-mode
Display the current setting value.
gdb$ set detach­-on­-fork off
GDB will not detach at a fork() and will also attach to the child process (both will be debugged).
gdb$ show detach­-on­-fork
Display the current setting value.
gdb$ info inferiors
List all processes under GDB's control. (On Mac OS X: info files)
 

GDB: Memory

Memory Images
gdb program -c dumpfile
Debug program using a memory dump file, imagefile.
gdb$ generate-core-file
(not in Mac OS X) Dump the debuggee process memory to disk.
Reading Disass­embly and Memory
gdb$ set disass­emb­ly-­flavor intel
Use the modern syntax for x86-64 assembly. This is not the default.
gdb$ set disass­emb­le-­nex­t-line on
Disassemble the next instru­ction every time GDB stops. You want to turn this on.
gdb$ x/4i 0x00001234
Disassemble (eXamine) the first 4 instru­ctions at address 0x0000­1234.
gdb$ x/32i $rip
Disassemble the first 32 instru­ctions starting at the current instru­ction ($RIP on x86-64).
gdb$ x/32i $rip-16
Same command, but attempting to disass­emble both forward and backward from the current instru­ction.
gdb$ info address symbolname
Display the address in memory of a given symbol, specified by name.
gdb$ info symbol 0x00001234
Displays the symbol name (if any), executable segment, and executable module associated with the given address.
gdb$ x/1s 0x00001234
Display one null-t­erm­inated string at address 0x0000­1234.
gdb$ x/8xb 0x00001234
Display 8 heXade­cimal Bytes of memory starting at address 0x0000­1234.
gdb$ info registers
Display the value of the regular CPU registers.
gdb$ info all-re­gisters
Display the value of all CPU registers including floati­ng-­point and vector registers. Does not include special Machine Specific Registers (MSRs).
gdb$ find start_­address, distance, value [, anothe­r_value, ...]
(not in Mac OS X) Search memory for a value, given a starting point and a search distan­ce/­offset.
gdb$ info shared
Display info about all of the executable modules of the debuggee (name, load address, file path, etc.).
gdb$ info functions
Display all of the function symbols available and their associated addresses.
gdb$ info variables
Display all of the variable symbols available and their associated addresses.

GDB: Advanced

Anti-Anti Debugging
gdb$ handle signal [keywo­rds...]
(Untested) might bypass except­ion­-based anti-d­ebu­gging
gdb$ catch syscall ptrace
(Untested) Use this breakpoint to return 0 (set $rax = 0; continue), should bypass ptrace() checking by the debuggee.
               
 

Metadata

  • Languages:
  • Published: 2nd May, 2013
  • Last Updated: 12th May, 2016
  • Rated: 5 stars based on 3 ratings

Favourited By

Dev Singh rce343 lucas0080 zyqhi gamliel raj47i markhuyong capt_redbeard anticom Theosis

Comments

This is really great and pretty complete. Thanks for sharing! I am printing this and putting on my desk

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          oAuth End Points Cheat Sheet
          ISTQB Test Automation Engineering Cheat Sheet