pwndbg (/poʊndbæg/) is a GDB plug-in that makes debugging with GDB suck less, with a focus on features needed by low-level software developers, hardware hackers, reverse-engineers and exploit developers.
Pwndbg has a lot of useful features. You can a list of all available commands at any time by typing the
pwndbgcommand. Here’s a small subset which is easy to capture in screenshots.
All function call sites are annotated with the arguments to those functions. This works best with debugging symbols, but also works in the most common case where an imported function (e.g. libc function via GOT or PLT) is used.
A useful summary of the current execution context is printed every time GDB stops (e.g. breakpoint or single-step), displaying all registers, the stack, call frames, disassembly, and additionally recursively dereferencing all pointers. All memory addresses are color-coded to the type of memory they represent.
Pwndbg uses Capstone Engine to display disassembled instructions, but also leverages its introspection into the instruction to extract memory targets and condition codes.
All absolute jumps are folded away, only displaying relevant instructions.
Additionally, if the current instruction is conditional, Pwndbg displays whether or not it is evaluated with a green check or a red X, and folds away instructions as necessary.
Pwndbg leverages Unicorn Engine in order to only show instructions which will actually be emulated. At each debugger stop (e.g. breakpoint or single-step) the next few instructions are silently emulated, and only instructions which will actually be executed are displayed.
This is incredibly useful when stepping through jump tables, PLT entries, and even while ROPping!
Pwndbg enables introspection of the glibc allocator, ptmalloc2, via a handful of introspection functions.
IDA Pro Integration
Pwndbg flips traditional IDA Pro integration on its head. Rather than sticking code inside of IDA that you need to interact with, by installing a small XMLRPC server inside of IDA, Pwndbg has full access to everything IDA knows.
This allows extraction of comments, decompiled lines of source, breakpoints, and synchronized debugging (single-steps update the cursor in IDA).
- Updated Capstone to 4.0.1 – this adds more instructions that can be disassembled properly and fixes the setup on recent stable version after Capstone got updated
- Fixed SPARC architecture support (#573)
- Pwndbg doesn’t set a limit on
print elementsanymore (#590)
- Added a
- Added support of PIE binaries for r2 (#567)
- Added support for heap tcache on targets w/o -lpthread (#552)
context codenow displays the source file path (#526)
- Better support for Rust binaries: added missing types (#559)
probeleaknow displays symbols if the address corresponds to one (#572)
- Fixed r2 sync trying to get pc when the process wasn’t running (#584)
- Fixed source code display crashing when it had unicode chars (#578)
- Fixed a bug in emulator on non-x86 architectures when the return address was not restored properly (#555)
- Fixed a bug when enhancing display of instruction that dereferenced memory (#587)
- Fixed a bug with gdb 8.2 (#575)
- Fixed a bug that crashed pwndbg when debugging mips binary when run on qemu-mips (#569)
- Fixed some bugs related to heap commands (#563, #537, #546)
- Fixed setup.sh for some distros (#551, #549, #540)
- Pwndbg will now check if added command overrides commands that were registered before launching pwndbg (from other plugins or built-in commands) (#543)
- Fixed got command (#531)
git clone https://github.com/pwndbg/pwndbg cd pwndbg ./setup.sh
Copyright (c) 2015 Zach Riggle