GDB

Reading Values from Memory

Read 32-bit words (w = 4-byte word, x = hex; x/64wx dumps 64 of them):

gdb$ x/64wx 0x606000
0x606000 <path.4275+3360>:	0x00000000	0x00000000	0x00000000	0x00000000
0x606010 <path.4275+3376>:	0x00000000	0x00000000	0x00000000	0x00000000
0x606020 <path.4275+3392>:	0x00000000	0x00000000	0x00000000	0x00000000
0x606030 <path.4275+3408>:	0x00000000	0x00000000	0x00000000	0x00000000
0x606040 <path.4275+3424>:	0x00000000	0x00000000	0x00000000	0x00000000
0x606050 <path.4275+3440>:	0x00000000	0x00000000	0x00000000	0x00000000
0x606060 <path.4275+3456>:	0x00000000	0x00000000	0x00000000	0x00000000
0x606070 <path.4275+3472>:	0x00000000	0x00000000	0x00000000	0x00000000
0x606080 <path.4275+3488>:	0x00000000	0x00000000	0x00000000	0x00000000
0x606090 <path.4275+3504>:	0x00000000	0x00000000	0x00000000	0x00000000
0x6060a0 <path.4275+3520>:	0x00000000	0x00000000	0x00000000	0x00000000
0x6060b0 <path.4275+3536>:	0x00000000	0x00000000	0x00000000	0x00000000
0x6060c0 <path.4275+3552>:	0x00000000	0x00000000	0x00000000	0x00000000
0x6060d0 <path.4275+3568>:	0x00000000	0x00000000	0x00000000	0x00000000
0x6060e0 <path.4275+3584>:	0x00000000	0x00000000	0x00000000	0x00000000
0x6060f0 <path.4275+3600>:	0x00000000	0x00000000	0x00000000	0x00000000

Read 64-bit giant words (g = 8-byte word; x/20gx dumps 20 of them starting just below the stack pointer):

gef➤  x/20gx $rsp-0x8
0x7ffd6864d4d8:	0x0000000000401062	0x0000000000401001
0x7ffd6864d4e8:	0x00007ffd6864f1c7	0x00007ffd6864f1e4
0x7ffd6864d4f8:	0x0000000000000000	0x00007ffd6864f1ec
0x7ffd6864d508:	0x00007ffd6864f220	0x00007ffd6864f238
0x7ffd6864d518:	0x00007ffd6864f24b	0x00007ffd6864f264
0x7ffd6864d528:	0x00007ffd6864f26c	0x00007ffd6864f27c
0x7ffd6864d538:	0x00007ffd6864f299	0x00007ffd6864f2b0
0x7ffd6864d548:	0x00007ffd6864f2d6	0x00007ffd6864f2e5
0x7ffd6864d558:	0x00007ffd6864f2f9	0x00007ffd6864f304
0x7ffd6864d568:	0x00007ffd6864f33e	0x00007ffd6864f367

Read strings from the stack (s = NUL-terminated string; each entry starts right after the previous terminator):

gef➤  x/5s  $rsp -0x8
0x7fffffffde38:	"8Af9Ag0Ag1Ag2Ag3\272\341\377\377\377\177"
0x7fffffffde4f:	""
0x7fffffffde50:	""
0x7fffffffde51:	""
0x7fffffffde52:	""

Useful GEF Commands

In the permissions column an s means shared memory and a p means private memory.
MAP_SHARED allows any other process that has the same memory mapped to access the data.
MAP_PRIVATE does not allow any other process that has the same memory mapped to access the data (writes go to a private copy).

View the mapped memory segments (the heap, the stack, shared libraries and the program code itself), with the permission bits of each:

gef➤ vmmap
Start      End        Offset     Perm Path
0x00400000 0x00401000 0x00000000 r-x /home/user/challenges-day1/challenge1
0x00410000 0x00411000 0x00000000 r-x /home/user/challenges-day1/challenge1
0x00411000 0x00412000 0x00001000 rwx /home/user/challenges-day1/challenge1
0xb6ede000 0xb6fc0000 0x00000000 r-x /lib/arm-linux-gnueabihf/libc-2.27.so
0xb6fc0000 0xb6fd0000 0x000e2000 --- /lib/arm-linux-gnueabihf/libc-2.27.so
0xb6fd0000 0xb6fd2000 0x000e2000 r-x /lib/arm-linux-gnueabihf/libc-2.27.so
0xb6fd2000 0xb6fd3000 0x000e4000 rwx /lib/arm-linux-gnueabihf/libc-2.27.so
0xb6fd3000 0xb6fd6000 0x00000000 rwx 
0xb6fd6000 0xb6fee000 0x00000000 r-x /lib/arm-linux-gnueabihf/ld-2.27.so
0xb6ff9000 0xb6ffb000 0x00000000 rwx 
0xb6ffb000 0xb6ffc000 0x00000000 r-x [sigpage]
0xb6ffc000 0xb6ffd000 0x00000000 r-- [vvar]
0xb6ffd000 0xb6ffe000 0x00000000 r-x [vdso]
0xb6ffe000 0xb6fff000 0x00018000 r-x /lib/arm-linux-gnueabihf/ld-2.27.so
0xb6fff000 0xb7000000 0x00019000 rwx /lib/arm-linux-gnueabihf/ld-2.27.so
0xbefdf000 0xbf000000 0x00000000 rwx [stack]
0xffff0000 0xffff1000 0x00000000 r-x [vectors]
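As an added example (not part of the original notes), a small parser for the GEF vmmap table shown above: it reads the rows into mappings, flags every segment that is both writable and executable (W^X violations, such as the rwx binary, heap and stack in this ARM dump), checks whether the stack is executable, and answers the "which mapping does this address fall in" question that telescope answers interactively. The sample input is a constructed subset of the page's own vmmap output.

```python
import re
from typing import List, NamedTuple, Optional

class Mapping(NamedTuple):
    start: int
    end: int
    offset: int
    perm: str
    path: str

# Constructed sample: a subset of the GEF vmmap rows shown above.
SAMPLE_VMMAP = """\
Start      End        Offset     Perm Path
0x00400000 0x00401000 0x00000000 r-x /home/user/challenges-day1/challenge1
0x00411000 0x00412000 0x00001000 rwx /home/user/challenges-day1/challenge1
0xb6ede000 0xb6fc0000 0x00000000 r-x /lib/arm-linux-gnueabihf/libc-2.27.so
0xb6fc0000 0xb6fd0000 0x000e2000 --- /lib/arm-linux-gnueabihf/libc-2.27.so
0xb6fd3000 0xb6fd6000 0x00000000 rwx 
0xbefdf000 0xbf000000 0x00000000 rwx [stack]
0xffff0000 0xffff1000 0x00000000 r-x [vectors]
"""

# start, end, offset, perm (3 chars in GEF, 4 with the s/p flag in /proc/<pid>/maps), optional path
LINE_RE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+([rwxsp-]{3,4})\s*(.*)$")

def parse_vmmap(text: str) -> List[Mapping]:
    """Parse vmmap rows; the header line and anything that does not match are skipped."""
    maps = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            start, end, off, perm, path = m.groups()
            maps.append(Mapping(int(start, 16), int(end, 16), int(off, 16), perm, path.strip()))
    return maps

def wx_mappings(maps: List[Mapping]) -> List[Mapping]:
    """Segments that are writable and executable at the same time (NX/W^X not enforced)."""
    return [m for m in maps if "w" in m.perm and "x" in m.perm]

def stack_executable(maps: List[Mapping]) -> bool:
    return any(m.path == "[stack]" and "x" in m.perm for m in maps)

def find_mapping(maps: List[Mapping], addr: int) -> Optional[Mapping]:
    """Return the mapping containing addr, or None if the address is unmapped."""
    for m in maps:
        if m.start <= addr < m.end:
            return m
    return None
```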

Run commands every time the program stops (for example after a breakpoint is hit), using the hook-stop user command:

gdb$ define hook-stop
Type commands for definition of "hook-stop".
End with a line saying just "end".
>x/64wx 0x606000
>end

Define a convenience variable with a type (cast an address to a struct pointer, then dereference it):

gdb$ set $i1 = (struct internet*) 0x606000
gdb$ print *$i1
$2 = {piroity = 1, name = 0x0}

Set breakpoint on read of memory address:

gdb$ rwatch *0xfeedface
Hardware read watchpoint 2: *0xfeedface

Set breakpoint on read or write of memory address (awatch; plain watch only triggers on writes):

gdb$ awatch *0xfeedface

Disable ASLR:

gef➤  aslr off
[+] Disabling ASLR

Figure out what is at an address anywhere in memory (telescope dereferences each slot and annotates pointers, code and strings):

gef➤  telescope 0x7ffe48142898
0x00007ffe48142898│+0x0000: 0x00007ffe4814293f    0x0000000040103c00	  $rsi
0x00007ffe481428a0│+0x0008: 0x0000000000000000
0x00007ffe481428a8│+0x0010: 0x00007ffe48142979    0x5900007ffe481432
0x00007ffe481428b0│+0x0018: 0x00007ffe48142940    0x000000000040103c     add rbp, rbx
0x00007ffe481428b8│+0x0020: 0x0000000000000000
0x00007ffe481428c0│+0x0028: 0xfffffffffffffff8
0x00007ffe481428c8│+0x0030: 0x0068732f6e69622f ("/bin/sh"?)
0x00007ffe481428d0│+0x0038: 0x000000000000003b (";"?)
0x00007ffe481428d8│+0x0040: "qaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabda[...]"
0x00007ffe481428e0│+0x0048: "saaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfa[...]"

PwnDbg

https://github.com/pwndbg/pwndbg