set $esp = 1        -set register esp to value of 1
disas main          – disassembles main function
set disassembly-flavor intel          -make it read like windows disassembly! (not AT&T)
gdb program core    – tell gdb you are working with a core file
list                – print sourcecode
gdb -tui            – (ctrl-x-a) tui mode shows sourcecode in one windows, takes commands in another
step                – single step through code – pauses in the middle of functions
next                – execute the next line then pause – pauses after functions exit
next 3              – run the next 3 lines of code
continue            – resume running code until breakpoint
tbreak              – one time breakpoint
finish              – resume execution until end of stack frame
until            – execute until the program reaches a source line greater than the current [one].
until 17        – execute until line 17
until functionName  – execute until function “functionName”
until swapflaw.c:swap – execute until filename swapflaw.c reaches function “swap”
until swapflaw.c:17 – execute until filename swapflaw.c reaches line 17
break               – set breakpoint  (break 16) (sets a breakpoint on line 16 of the source)
the break command accepts line numbers and function names
break if (i == 70000) – break only if “i” = 70000

break 180 if string==NULL && i < 0  – break on line number 180 if “string” is null and i is less than 0
info locals        – show information about local variable of current stack frame
info registers      – show info about registers
disable 2        – disables breakpoint 2
enable  2           – enables breakpoint 2
commands 1          – enter commands to be executed when breakpoint one is hit (enter “end” to quit entering commands)

silent            * research more on this command
define name_of_macro * research more on this command (used for macros) use in command “commands” as a command (define can take arguments (the macro can))
when your macro takes arguments they are passed in with spaces not commas.
enable once breakpoint-list   -enables breakpoints for one pass
show user        – show all macros defined
info break          – show information on current breakpoints
until 600           – //continue until like 600 in the code
finish              –
print variablename  – print out the value of variablename
watch j             – create a hardware breakpoint which will tell you when “j” changes
watch (z > 28)      – create conditional hardware breakpoints
clear               – Clears a breakpoint at the next instruction that GDB will execute.
clear 28        – clears breakpoint on line 28
clear functionName  – clears breakpoint for function “functionName”
up                  – move to parent frame
down                – move to child thread
backtrace           – show entire stack
gcc -g              – tells gcc to save symbol information (line numbers and variables)
condition           – makes breakpoints conditional followed by the breakpoint number and condition.
condition 1 num_y==1   – makes breakpoint 1 break only if num_y equals 1.
print variableName  – display the contents of variable (print myvariable = contents of myvariable)
delete 1 2 3 4        – delete breakpoints 1,2,3,and 4. use no number after it to delete all breakpoints.
tbreak            – set temorary breakpoint (same syntax as break)
break *address      – set a breakpoint for when memory address is accessed
break +offset       – Set a breakpoint some number of lines forward from the position at which execution stopped in the currently selected stack frame.
break -offset       – Set a breakpoint some number of lines back from the position at which execution stopped in the currently selected stack frame.
hbreak              – command sets a hardware assisted breakpoint.
thbreak             – sets a temporary, hardware-assisted breakpoint
catch            – set a catchpoint
call FunctionName   – call a function of the debugged program. call myfunction(a) /calls myfunction with argument of a
display variableName – display the contents of variableName everytime you break
set x = 2           – sets x to 2
x                   *- print memory *more info needed
x/4c  0x400874      -print 4 chars worth of memory starting ad address or $register
x/4c  $rax          -print 4 chars worth of memory starting ad address or $register
set args myarg1 myarg2 – sets args for argv[x] (myarg1 would be argv[1])
backtrace         – prints out the stack (backwards)
frame 1              – starts working with stackframe 1 (frames can be listed with backtrace)
run arguments        – run program with arguments
print 0xbffff7bc – 0xbffff7a0  – use gdb to calculate distance between the two addresses
disas                – disassemble stack frame
print/f  REGISTERNAME -print out floating point value of REGISTERNAME
ptype variableName // print the type for the variable (what type it is)
gdb -c corefile  //load a core file
set {int}0xbfb4c8a8 = 0×90909090  – sets value at memory address 0xbfb4c8a8 to 0×90909090
set variable i = 0×40  – sets the value for variable i to 0x40
set variable *x=ee  -sets the value that x points at to the value of 0xee. x was a pointer and the * dereferenced it (without the * you would put a memory address)
set variable x=0×90909090 -sets the memory address that x points to (x is a pointer)
maintenance info sections – prints out the allocated memory for the executable and show memory protections
cat /proc/PID_HERE/maps – show memory allocation for a single pid

find 0x7fd608b18000, 0x7fd608cd5000, “/bin/sh”
find memory_address, memory_address, “string”
find memory_address, memory_address, 0x123456789 (hex string)
info files   – show files and their locations in memory. does not show memory protection, and for imports you have to set a break point and run the executable, the run the command when it breaks at the

info functions         -print out information on all defined functions
p system   – show location of libc in memory
p exit     – show location of exit call in memory
p printf   – show location of printf in memory

info proc mappings -show memory information for a process running

break * main+387  creates breakpoint at main + address  (* main+XXX)

gcc -fno-stack-protector -z execstack       kills stack cookie and sets execute bit for stack

trace foo.c:121  //

The register names $pc and $sp are used for the program counter register and the stack pointer.
$fp is used for a register that contains a pointer to the current stack frame, and
$ps is used for a register that contains the processor status
watch expression    – watch watches the value of expression and informs you when things change.
watch a             – watch variable a and report if it changes
watch (a =< 10)     – watch and report when a = or < than 10
Once the variable no longer exists in any frame of the call stack (when the function con-
taining a local variable returns), GDB automatically deletes the watchpoint.
GDB is only capable of watching a variable within a single thread.

break filename:function        -set a breakpoint upon occurrence of function in filename X
break filename:line_number    -set a breakpoint upon occurrence of line number in filename X
rbreak            – sets a breakpoint with perl syntax

frame    –
When issuing GDB’s frame command, the frame of the currently execut-
ing function is numbered 0, its parent frame (that is, the stack frame of the
function’s caller) is numbered 1, the parent’s parent is numbered 2, and so
on. GDB’s up command takes you to the next parent in the call stack (for ex-
ample, to frame 1 from frame 0), and down takes you in the other direction.

when you set a breakpoint gdb breaks before executing the code at that location
temporary breakpoint is a breakpoint that is automatically deleted after the first time it’s reached.

Withbreak +offset or break -offset, you can set a breakpoint
offset lines ahead or behind the executing line of source code
in the currently selected stack frame.

Theformbreak *address can be used to set a breakpoint at a
virtual memory address. This would be necessary for sections
of a program that don’t have debugging information, like
when the source code is unavailable or for shared libraries,
for instance.

page 66

Creating core dumps to analyze:

kill -ABRT pid_of_process

or possibly

kill -SIGQUIT pid_of_process
GNU Compiler options:

-Wall       -turn on all warning messages
-g        -keep debugging information (keep symbol info)
Compilation of multi-file program

$ gcc -g3 -Wall -Wextra -c main.c swapper.c //compile files to create object files
$ gcc -o swap main.o swapper.o              //link object files into file “swap”
$ gdb swap                                  //open program with debugger
At any given time, GDB has (for lack of a better word) a focus, which you
can think of as being the currently “active” file. This means that unless you
qualify your commands, they are performed on the file that has GDB’s fo-
cus. By default, the file that has GDB’s initial focus is the one containing the
main() function, but the focus is changed to a different file when any of the
following actions occurs:

• You apply the list command to a different source file.
• You step into code residing in a different source file.
• GDB hits a breakpoint while executing code in a different source file.

You can change the focus by listing code from the file you want focus in.
Listing a function from another file changes the focus.
list functionInFile
By the way, note that a program always receives at least one argument—the name of the program
itself, which is pointed to by argv[0],
If the last command in a commands list is continue, GDB will automatically continue executing the pro-
gram after it completes the commands in the commands list:
An expression in GDB can contain many things:
• GDB convenience variables
• Any in-scope variable from your program, like i from the previous example
• Any kind of string, numerical, or character constant
• Pre-processor macros, if the program was compiled to include pre-preprocessor
debugging information
• The conditionals, function calls, casts, and operators defined by the lan-
guage you’re using

As of this writing, the official GNU GDB User’s Manual states that pre-processor macros can-
not be used in expressions; however, this is not true. If you compile the program with GCC’s -g3
option, pre-processor macros can be used in expressions.

If you just hit the ENTER key in GDB without issuing a command, GDB takes this as a request
to repeat the last command
In bash, you can control the creation of core files with the ulimit command:
ulimit -c unlimited

For tcsh and csh users, the limit command controls core file sizes. For example,
limit coredumpsize 1000000
Examine memory: x/FMT ADDRESS.

ADDRESS is an expression for the memory address to examine.
FMT is a repeat count followed by a format letter and a size letter.

Format letters are
o(octal), x(hex), d(decimal), u(unsigned decimal),
t(binary), f(float), a(address), i(instruction), c(char) and s(string).

Size letters are b(byte), h(halfword), w(word), g(giant, 8 bytes).

The specified number of objects of the specified size are printed
according to the format.


Leave a Reply