pwndbg 2020.07.23 releases: Exploit Development and Reverse Engineering with GDB

pwndbg (/poʊndbæg/) is a GDB plug-in that makes debugging with GDB suck less, with a focus on features needed by low-level software developers, hardware hackers, reverse-engineers and exploit developers.

Pwndbg has a lot of useful features. You can a list of all available commands at any time by typing the pwndbgcommand. Here’s a small subset which is easy to capture in screenshots.

Arguments

All function call sites are annotated with the arguments to those functions. This works best with debugging symbols, but also works in the most common case where an imported function (e.g. libc function via GOT or PLT) is used.

Context

A useful summary of the current execution context is printed every time GDB stops (e.g. breakpoint or single-step), displaying all registers, the stack, call frames, disassembly, and additionally recursively dereferencing all pointers. All memory addresses are color-coded to the type of memory they represent.

Disassembly

Pwndbg uses Capstone Engine to display disassembled instructions, but also leverages its introspection into the instruction to extract memory targets and condition codes.

All absolute jumps are folded away, only displaying relevant instructions.

Additionally, if the current instruction is conditional, Pwndbg displays whether or not it is evaluated with a green check or a red X, and folds away instructions as necessary.

Emulation

Pwndbg leverages Unicorn Engine in order to only show instructions which will actually be emulated. At each debugger stop (e.g. breakpoint or single-step) the next few instructions are silently emulated, and only instructions which will actually be executed are displayed.

This is incredibly useful when stepping through jump tables, PLT entries, and even while ROPping!

Heap Inspection

Pwndbg enables introspection of the glibc allocator, ptmalloc2, via a handful of introspection functions.

IDA Pro Integration

Pwndbg flips traditional IDA Pro integration on its head. Rather than sticking code inside of IDA that you need to interact with, by installing a small XMLRPC server inside of IDA, Pwndbg has full access to everything IDA knows.

This allows extraction of comments, decompiled lines of source, breakpoints, and synchronized debugging (single-steps update the cursor in IDA).

More…

Changelog 2020.06.23

This release brings a lot of fixes and improvements and a new mprotect command that injects/calls the corresponding syscall (x64/x86 only for now).

Thanks to all contributors!

Detailed commit log

• fa326d3 – Fix disasm call target display when symbol is known (#801)
• 9c60b62 – arch.py: remove unused instruction (#800)
• 21319d3 – Add repeat mode dX commands (#791) (#799)
• 79140e3 – Fix dqs windbg command (#798)
• d088019 – Update .travis.yml: trusty->bionic (#796)
• b5775f7 – Fix typo in exception-verbose parameter
• 64f75c9 – vmmap command: fixes #795 – usage w/o argument
• f543205 – vmmap command: show offset for single addresses (#795)
• 8c601c4 – Fix typos (#787)
• 5efff78 – return only valid arenas (#784)
• af0b065 – 2*ptrsize mismatch (#783)
• 970ac22 – Delete dead code in regs.py (#779)
• 7bad305 – Determine register sizes dynamically, do not assume ptrdiff width (#775)
• a1b2b03 – Fixes #777 – missing pyelftools program header name (#782)
• 606eae0 – Update regs.py (#780)
• 744aa22 – Fixes #770 – broken vmmap aliases (#778)
• 1cd9874 – Use qemu.root() instead of a hardcoded path (#774)
• 5b9a42a – Fix find_fake_fast error on older gdb version (#760)
• b361bda – #664 mark changed registers (#756)
• 016326f – Update issue templates (#776)
• 677dfa2 – Changes in dependencies needed for Ubuntu, starting from scratch. (#763)
• 609284c – support for xbps install (#753)
• f90db72 – chunk printing to malloc_chunk cmd (#751)
• 5062e4a – Fixes #749 – stop showing pc marker in disasm loops (#750)
• ac7fb64 – mprotect command injecting mprotect syscall. (#740)
• d3ec217 – fix for ubuntu 20.04 (#748)
• 2a09b30 – Fixes #726 (#747)
• e3b910c – Try heap (#744)
• 4281583 – Update heap implementation (#728)
• fbd2bb3 – Fixed alignment bug in vis_heap_chunks command (#739)
• 3cf9b31 – Added suppor fot opensuse (#734)
• 0cdcd6f – Fixed misprint ‘distibuted’ –> ‘distributed’ (#733)
• d4a6ff4 – Fix command description format (#727)
• b1beacf – fixes #660, can not get correct arm64 context (#724)
• 5849d27 – [WIP] Feature: show ghidra decompiled code in context (#715)
• ab1e091 – rename ctx-watch -> ctx-unwatch (#725)
• 5c67072 – Enhance find_fake_fast (#721)
• 798bcb6 – Fix inaccuracies in vis_heap_chunks() (#708)
• a18e751 – [WIP] Context watches expressions (#711)
• 80e3959 – Don’t use top chunk heuristics (#712)
• c8a846e – Replace malloc initialization heuristics (#713)
• 08a78ad – Remove temp files and dir when exit (#720)
• 64ca9a6 – Fix decompile error (#716)
• c46417f – Remove useless cat from setup (#717)
• d2fc367 – Happy new year 2020 (#718)
• f2c0efc – Per section context output (#697)
• 9aef04b – Add line indicator in decompile result (#714)
• cc0c90a – Fix vmmap crash when PG is disabled (#709)
• ca649da – Fix switching to remote debug caching bug #707
• 8cbb863 – Update init.py (#703)
• 355c09e – command: support alternatives including sub command wrapper like pwn (#701)
• ecae891 – fix spelling errors (#699)
• 829f36a – Improve probeleak command (#698)
• b2f7f90 – split inode_objfile at most once to fix #695 (#696)
• e650f92 – adding support for clear linux (#694)

Installation

git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh

Copyright (c) 2015 Zach Riggle

Source: https://github.com/pwndbg/