pwndbg 2021.06.22 releases: Exploit Development and Reverse Engineering with GDB

pwndbg (/poʊndbæg/) is a GDB plug-in that makes debugging with GDB suck less, with a focus on features needed by low-level software developers, hardware hackers, reverse-engineers and exploit developers.

Pwndbg has a lot of useful features. You can a list of all available commands at any time by typing the pwndbgcommand. Here’s a small subset which is easy to capture in screenshots.

Arguments

All function call sites are annotated with the arguments to those functions. This works best with debugging symbols, but also works in the most common case where an imported function (e.g. libc function via GOT or PLT) is used.

Context

A useful summary of the current execution context is printed every time GDB stops (e.g. breakpoint or single-step), displaying all registers, the stack, call frames, disassembly, and additionally recursively dereferencing all pointers. All memory addresses are color-coded to the type of memory they represent.

Disassembly

Pwndbg uses Capstone Engine to display disassembled instructions, but also leverages its introspection into the instruction to extract memory targets and condition codes.

All absolute jumps are folded away, only displaying relevant instructions.

Additionally, if the current instruction is conditional, Pwndbg displays whether or not it is evaluated with a green check or a red X, and folds away instructions as necessary.

Emulation

Pwndbg leverages Unicorn Engine in order to only show instructions which will actually be emulated. At each debugger stop (e.g. breakpoint or single-step) the next few instructions are silently emulated, and only instructions which will actually be executed are displayed.

This is incredibly useful when stepping through jump tables, PLT entries, and even while ROPping!

Heap Inspection

Pwndbg enables introspection of the glibc allocator, ptmalloc2, via a handful of introspection functions.

IDA Pro Integration

Pwndbg flips traditional IDA Pro integration on its head. Rather than sticking code inside of IDA that you need to interact with, by installing a small XMLRPC server inside of IDA, Pwndbg has full access to everything IDA knows.

This allows extraction of comments, decompiled lines of source, breakpoints, and synchronized debugging (single-steps update the cursor in IDA).

More…

Changelog 2021.06.22

a79c85b (HEAD -> dev, tag: 2021.06.22, origin/dev, origin/HEAD) Update links to use Discord
668e53f Fix xinfo used with symbols that are function pointers
8db8f4d fix: update_length() raise exception in some cases
30d6745 Make brva alias accept same args as breakrva
aa25aac fix(disasm,emulate): support mips32r6
44471df fix(emulate): refix emulate, let it works correct on unicorn-1.0.2rc1 ~ unicorn-1.0.2
99a5ef3 fix exception raised by cs.syntax when debugging mips binary
5389eb6 fix(emulate): let `emulate` works on unicorn-1.0.2rc1 ~ unicorn-1.0.2
87da998 fix(telescope): also unroll buffer if last line is skipped
05036de fix(telescope): avoid superfluous whitespace after register column
75b4249 feature(telescope): reduce cognitive load by adding skip count label
baf3fe7 feature(telescope): option to set min repeating values before skipping
14325af chore: clean up unused imports
a8c2fb5 fix(ui): fix display of addrsz to be hex formated
a5c9738 feature(radare2): add r2pipe command to execute stateful radare2 cmds
5d0441b feature(shell): put ‘pwn’ into allow list for pwntools
56d1fac chore(profile): extend test binary so unicorn engine shows more code flow
f1aa0c8 feature(profile): use a simple module based approach to define profiles
fbfd47f fix(profile): accept any valid location for pyprof2calltree
87bf6ac chore(ghidra): simplify logic and clean up code flow
707fe12 chore(ghidra): use memoize feature to cache r2pipe handle
44770fd fix(ghidra): handle PIE base address when opening the r2pipe
71ca721 feature(ghidra): use configurable code prefix marker for line indicator
a100d87 fix(ghidra): make if-no-source condition work as expected
6354fdc fix(ghidra): avoid crash if we try to decompile a faulty addr/func
e8b5124 chore(ghidra): modularize ghidra functions into utils and commands
b036575 feature(radare2): add argument to set base when loading for PIE (#897)
cd3cbf3 Update README to show more modern supported Linux versions (#885)
00c9740 use_info_auxv() : change regex (#894)
96df189 Changed register list to use precomputed tuples (#866)
cd0cd82 Fixed bug when the GDB is debuggin an architecture arm-eabi (disassembly-flavor). (#889)
4d213a1 Fix #881 (#883)
ae6f25a Fix #858 (#877)
26a18f1 Remove quotes from command option interpolation (#876)
bf49bf8 Unit test fix (#868)
5639589 Remove unimplemented dlmalloc (#874)
c31c720 docs: fix simple typo, divison -> division (#870)
f74aa34 The disassembly flavor is hard-coded. It does not change from Intel to AT&T (#860)
304bf26 Improved the number of Runs/Layers in the container. Upgraded Ubuntu and install GoLand to run the tests. (#862)
cc92959 Added comment command (#857)
812278b Allow return offsets and use it for ‘start’ method. (#864)
bde3637 added fix for i386 libc6-dbg package. (#859)
29f962c ropgadget: fix path export. (#854)
cfe93ab fix for ubuntu 20.04 (#850)
979d330 Fixes #841
30c816b Moved filename to the end of the command (#842)
ea11f86 Add basic i8086 support (#835)
f096be7 Compact, [big-endian] hexdump (#839)
779634a fix prev chunk size check (#837)
9250cc5 Compact register list for context view (#830)
7690b60 Fixed bug: bins gets the wrong pointer offset (#832)
d626db1 add config context-backtrace-lines (#831)
b209c2b Added installation configuration for Gentoo (#820)
a9c43ed In setup.sh, remove installation of python2 for apt (#828)
487caa1 Fix #814: better aslr output (#818)
301012a Py3k (#817)
ccd8f76 Remove travis (#816)
ce2266e Add GitHub Actions support (#809)
15b11c7 Add Dockerfile for easier dev (#815)
96716ce Fix mprotect failing on py2

Installation

git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh

Copyright (c) 2015 Zach Riggle

Source: https://github.com/pwndbg/