GDB Cheatsheet | Netspooky's Blog

Here are some notes and things I’ve referenced for gdb.

I highly recommend using the gef extension for gdb: https://github.com/hugsy/gef

Unsorted

https://klatz.co/ctf-blog/stdin-to-gdb

Basics

Here are some of the most basic gdb commands.

Start the program with arguments

gdb --args ./myprogram -f myfile

Command	Description
starti	Start at the first instruction
stepi	Step 1 assembly instruction
break *0x400000	Set a breakpoint on address 0x400000
continue	Continue execution, will stop at breakpoints
vmmap	(gef only) Show process memory map
hexdump byte –size 256 0x400000	(gef only) See a hex dump of bytes at a address 0x400000
p *object	Show details of object
search-pattern 0x41414141	(gef only) Search for bytes \x41\x41\x41\x41 (“AAAA”) in memory

More Info:

https://azeria-labs.com/debugging-with-gdb-introduction/

Remote GDB

You can connect to programs on different machines using remote GDB. You can also use it to connect to local programs that support remote GDB like QEMU.

https://sourceware.org/gdb/onlinedocs/gdb/Remote-Protocol.html

Commands

Adapted this guide from a cheatsheet I found but lost the link to Related cheat sheet: gef

More important commands have !

Startup

Command	Description
gdb -help	print startup help, show switches
gdb object	! normal debug
gdb object core	! core debug (must specify core file)
gdb object pid	attach to running process
gdb	use file command to load object

Help

Command	Description
help	! list command classes
help running	list commands in one command class
help run	bottom-level help for a command “run”
help info	list info commands (running program state)
help info line	help for a particular info command
help show	list show commands (gdb state)
help show commands	specific help for a show command

Breakpoints

Command	Description
break main	! set a breakpoint on a function
break 101	! set a breakpoint on a line number
break basic.c:101	! set breakpoint at file and line (or function)
break *0xaddress	! Break on an address
info breakpoints	! show breakpoints
delete 1	! delete a breakpoint by number
delete	delete all breakpoints (prompted)
clear	delete breakpoints at current line
clear function	delete breakpoints at function
clear line	delete breakpoints at line
disable 2	turn a breakpoint off, but don’t remove it
enable 2	turn disabled breakpoint back on
tbreak function	line
commands break-no … end	set gdb commands with breakpoint
ignore break-no count	ignore bpt N-1 times before activation
condition break-no expr	break only if condition (expr/expression) is true
condition 2 i == 20	example: break on breakpoint 2 if i equals 20
watch expression	set software watchpoint on variable
info watchpoints	show current watchpoints

Running the program

Command	Description
set step-mode on	! This stops at the first instruction of a function
starti	! Go to the first instruction to execute
run	! run the program with current arguments
run args redirection	! run with args and redirection
set args args…	set arguments for run
show args	show current arguments to run
cont	! continue the program
step	! single step the program; step into functions
stepi	! step to next instruction
step count	single step \fIcount\fR times
next	! step but step over functions
next count	next \fIcount\fR times
CTRL-C	! actually SIGINT, stop execution of current program
attach process-id	! attach to running program
detach	! detach from running program
finish	! finish current function’s execution
kill	kill current executing program

Stack backtrace

Command	Description
x/100x $sp	! print 100 bytes from the stack pointer
bt	! print stack backtrace
frame	show current execution position
up	move up stack trace (towards main)
down	move down stack trace (away from main)
info locals	! print automatic variables in frame
info args	print function parameters

Browsing source

Command	Description
list 101	! list 10 lines around line 101
list 1,10	! list lines 1 to 10
list main	! list lines around function
list basic.c:main	! list from another file basic.c
list -	! list previous 10 lines
list *0x22e4	list source at address
cd dir	change current directory to \fIdir\fR
pwd	print working directory
search regexpr	forward current for regular expression
reverse-search regexpr	backward search for regular expression
dir dirname	add directory to source path
dir	reset source path to nothing
show directories	show source path

Browsing Data

Command	Description
print expression	! print expression, added to value history
print/x expressionR	! print in hex
print array[i]@count	artificial array - print array range
print $	print last value
print *$->next	print thru list
print $1	print value 1 from value history
print ::gx	force scope to be global
print ‘basic.c’::gx	global scope in named file (>=4.6)
print/x &main	print address of function
x/countFormatSize address	low-level examine command
x/x &gx	print gx in hex
x/4wx &main	print 4 longs at start of \fImain\fR in hex
x/gf &gd1	print double
help x	show formats for x
info locals	! print local automatics only
info functions regexp	print function names
info variables regexp	print global variable names
ptype name	! print type definition
whatis expression	print type of expression
set variable = expression	! assign value
display expression	display expression result at stop
undisplay	delete displays
info display	show displays
show values	print value history (>= gdb 4.0)
info history	print value history (gdb 3.5)

Object File Manipulation

Command	Description
file object	load new file for debug (sym+exec)
file	discard sym+exec file info
symbol-file object	load only symbol table
exec-file object	specify object to run (not sym-file)
core-file core	post-mortem debugging

Signal Control

Command	Description
info signals	print signal setup
handle signo actions	set debugger actions for signal
handle INT print	print message when signal occurs
handle INT noprint	don’t print message
handle INT stop	stop program when signal occurs
handle INT nostop	don’t stop program
handle INT pass	allow program to receive signal
handle INT nopass	debugger catches signal; program doesn’t
signal signo	continue and send signal to program
signal 0	continue and send no signal to program

Machine-level Debug

Command	Description
info registers	print registers sans floats
info all-registers	print all registers
print/x $pc	print one register
stepi	single step at machine level
si	single step at machine level
nexti	single step (over functions) at machine level
ni	single step (over functions) at machine level
display/i $pc	print current instruction in display
x/x &gx	print variable gx in hex
info line 22	print addresses for object code for line 22
info line *0x2c4e	print line number of object code at address
x/10i main	disassemble first 10 instructions in \fImain\fR
disassemble addr	dissassemble code for function around addr

History Display

Command	Description
show commands	print command history (>= gdb 4.0)
info editing	print command history (gdb 3.5)
ESC-CTRL-J	switch to vi edit mode from emacs edit mode
set history expansion on	turn on c-shell like history
break class::member	set breakpoint on class member. may get menu
list class::member	list member in class
ptype class	print class members
print *this	print contents of this pointer
rbreak regexpr	useful for breakpoint on overloaded member name

Miscellaneous

Command	Description
define command … end	define user command
*(gdb) RETURN	repeat last command
*(gdb) shell command args	execute shell command
*(gdb) source file	load gdb commands from file
*(gdb) quit	quit gdb

GDB Scripting

The following example is from https://stackoverflow.com/questions/4060565/how-to-script-gdb-with-python-example-add-breakpoints-run-what-breakpoint-d

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
class DebugPrintingBreakpoint(gdb.Breakpoint):
    debugging_IDs = frozenset({37, 153, 420})
    def stop(self):
        top = gdb.newest_frame()
        someVector = top.read_var('aVectorVar')
        # Access the begin() & end() pointer of std::vector in GNU Standard C++ lib
        first = someVector['_M_impl']['_M_start']
        last = someVector['_M_impl']['_M_finish']
        values = []
        while first != last:
            values.append(int(first.dereference()['intID']))
            first = first + 1
        if not set(values) & debugging_IDs:
            return False # skip: none of the items we're looking for can be found by ID in the vector on the stack
        print("Found other accompanying IDs: {}".format(values))
        return True # drop to gdb's prompt
# Ensure shared libraries are loaded already
gdb.execute("start")
# Set our breakpoint, which happens to reside in some shared lib, hence the "start" previously
DebugPrintingBreakpoint("source.cpp:42")
gdb.execute("continue")

You can execute this script from gdb’s prompt like this:

(gdb) source script.py

Or from the command-line:

$ gdb --command script.py ./executable.elf

Events

According to the Events doc, this is an event handler:

1
2
3
4
5
6
7
8
def exit_handler (event):
    print ("event type: exit")
    if hasattr (event, 'exit_code'):
        print ("exit code: %d" % (event.exit_code))
    else:
        print ("exit code not available")

gdb.events.exited.connect (exit_handler)

The types of events are

events.cont
events.exited
events.stop
events.new_objfile
events.free_objfile
events.clear_objfile
events.inferior_call
events.memory_changed - This one looks cool, any memory writes
events.register_changed - nice!
events.breakpoint_created
events.breakpoint_modified
events.breakpoint_deleted
events.before_prompt
events.new_inferior
events.inferior_deleted
events.new_thread
events.thread_exited
events.gdb_exiting
events.connection_removed
events.new_progspace
events.free_progspace There are a bunch!

The stop_signal and exit_code Event attributes may have changed. They don’t seem to work anymore.

I got the stop hook writing to a file, as well as other hooks that update “gdb_status.txt”. The gdb.SignalEvent thing doesn’t seem to fire though…

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
def signal_stop_handler (event):
    if (isinstance (event, gdb.StopEvent)):
        print ("event type: stop")
        with open("gdb_status.txt", "w") as f:
            f.write("Stopped\n")
        f.close()
    if (isinstance (event, gdb.SignalEvent)):
        print ("stop reason: signal")
        print ("stop signal: %s" % (event.stop_signal))
        if ( event.inferior_thread is not None) :
            print ("thread num: %s" % (event.inferior_thread.num))

gdb.events.stop.connect(signal_stop_handler)

TODO: Update this with real info hahah

Previous:
WinDbg Cheatsheet

Next:
Intro to Firmware Analysis (PancakesCon2020)