pwndbg 2018.07.29 releases: Exploit Development and Reverse Engineering with GDB

pwndbg (/poʊndbæg/) is a GDB plug-in that makes debugging with GDB suck less, with a focus on features needed by low-level software developers, hardware hackers, reverse-engineers and exploit developers.

Pwndbg has a lot of useful features. You can a list of all available commands at any time by typing the pwndbgcommand. Here’s a small subset which is easy to capture in screenshots.

Arguments

All function call sites are annotated with the arguments to those functions. This works best with debugging symbols, but also works in the most common case where an imported function (e.g. libc function via GOT or PLT) is used.

Context

A useful summary of the current execution context is printed every time GDB stops (e.g. breakpoint or single-step), displaying all registers, the stack, call frames, disassembly, and additionally recursively dereferencing all pointers. All memory addresses are color-coded to the type of memory they represent.

Disassembly

Pwndbg uses Capstone Engine to display disassembled instructions, but also leverages its introspection into the instruction to extract memory targets and condition codes.

All absolute jumps are folded away, only displaying relevant instructions.

Additionally, if the current instruction is conditional, Pwndbg displays whether or not it is evaluated with a green check or a red X, and folds away instructions as necessary.

Emulation

Pwndbg leverages Unicorn Engine in order to only show instructions which will actually be emulated. At each debugger stop (e.g. breakpoint or single-step) the next few instructions are silently emulated, and only instructions which will actually be executed are displayed.

This is incredibly useful when stepping through jump tables, PLT entries, and even while ROPping!

Heap Inspection

Pwndbg enables introspection of the glibc allocator, ptmalloc2, via a handful of introspection functions.

IDA Pro Integration

Pwndbg flips traditional IDA Pro integration on its head. Rather than sticking code inside of IDA that you need to interact with, by installing a small XMLRPC server inside of IDA, Pwndbg has full access to everything IDA knows.

This allows extraction of comments, decompiled lines of source, breakpoints, and synchronized debugging (single-steps update the cursor in IDA).

More…

Changelog 2018.07.29

• Added/updated/modified commands:
  • next_syscall renamed to nextsyscall
  • breakrva – break at offset of given executable (default main binary; e.g. breakrva 0x123 will set a breakpoint at binary_base+0x123)
  • piebase – rebase given address for given executable
  • probeleak – scan for pointers in the specified memory (#492)
  • stepret – step until we step into a ret (#448)
  • stepsyscall – step until we step into a syscall (#447)
  • tcache – support for ptmalloc’s thread cache (#420)
  • vis_heap_chunks – visualize heap chunks at the specified address (#496)
  • eX windbg commands family now supports hex data prefixed with 0x (e.g. eq $rsp 0xCAFEBABEwill work
    the same as eq $rsp cafebabe)
  • context – it is now possible to set empty context (e.g. set context-sections)
  • hexdump, nearpc, telescope – improved repeat functionality (#395)
  • vmmap_add, vmmap_load – it is possible to add memory pages manually (might be useful for bare metal debugging – see #385)
  • version – displays capstone, unicorn, IDA and Hexrays versions
  • xinfo – display extended offset information
• Added/updated config parameters:
  • ida-enabled – control whether pwndbg try to connect to IDA xmlrpc server (enabled by default to preserve old behavior)
  • nearpc-show-args – control whether context displays an args section
• Added detection of bare metal mode and making de-reference only works on known pages in it (see #385 and vmmap_load and vmmap_add commands)
• Added $rebase(address) function (use e.g. as break *$rebase(some_address); see also breakrvaand piebase commands)
• Added syntax highlightning for disassembled code and source code
• Made everything themeable <3 (see theme and https://github.com/pwndbg/pwndbg-themes)
• Improved IDA Pro xmlrpc (see #442)
• Added basic support for Rust language (see #431)
• Added $rebase(addr) function
• Fixed heap’s find_fake_chunk (see #435)
• Fixed pwndbg crash on non-English GDB version (see #430)
• Emulator profiling and performance improvement (see #421)
• The aarch64/arm64 context now displays frame pointer register (x29)
• Improved detection of extended-remote types
• Fixes for both Py2 and Py3
• Fix nearpc following jumps when used w/o emulation (#499)
• Fix: wrong regs display on threaded targets (#488, #495)
• Exceptions now show info about exception-debugger config parameter (#501)
• Added tests engine
• …and probably some more 😉

Installation

git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh

Copyright (c) 2015 Zach Riggle

Source: https://github.com/pwndbg/