pwndbg 2022.12.19 releases: Exploit Development and Reverse Engineering with GDB

by do son · Published January 24, 2019 · Updated December 19, 2022

pwndbg (/poʊndbæg/) is a GDB plug-in that makes debugging with GDB suck less, with a focus on features needed by low-level software developers, hardware hackers, reverse-engineers and exploit developers.

Pwndbg has a lot of useful features. You can a list of all available commands at any time by typing the pwndbgcommand. Here’s a small subset which is easy to capture in screenshots.

Arguments

All function call sites are annotated with the arguments to those functions. This works best with debugging symbols, but also works in the most common case where an imported function (e.g. libc function via GOT or PLT) is used.

Context

A useful summary of the current execution context is printed every time GDB stops (e.g. breakpoint or single-step), displaying all registers, the stack, call frames, disassembly, and additionally recursively dereferencing all pointers. All memory addresses are color-coded to the type of memory they represent.

Disassembly

Pwndbg uses Capstone Engine to display disassembled instructions, but also leverages its introspection into the instruction to extract memory targets and condition codes.

All absolute jumps are folded away, only displaying relevant instructions.

Additionally, if the current instruction is conditional, Pwndbg displays whether or not it is evaluated with a green check or a red X, and folds away instructions as necessary.

Emulation

Pwndbg leverages Unicorn Engine in order to only show instructions which will actually be emulated. At each debugger stop (e.g. breakpoint or single-step) the next few instructions are silently emulated, and only instructions which will actually be executed are displayed.

This is incredibly useful when stepping through jump tables, PLT entries, and even while ROPping!

Heap Inspection

Pwndbg enables introspection of the glibc allocator, ptmalloc2, via a handful of introspection functions.

IDA Pro Integration

Pwndbg flips traditional IDA Pro integration on its head. Rather than sticking code inside of IDA that you need to interact with, by installing a small XMLRPC server inside of IDA, Pwndbg has full access to everything IDA knows.

This allows extraction of comments, decompiled lines of source, breakpoints, and synchronized debugging (single-steps update the cursor in IDA).

More…

Changelog 2022.02.19

New or edited commands:
- kconfig to obtain debugged Linux kernel config
- cymbol to add/show/load/edit/delete custom structures written in plain C
- mprotect to set memory protections (the command was fixed as it was not working for some time)
- bins and find_fake_fast were improved
- cyclic – the Pwntools’ pwn cyclic commmand was ported as a native command
We improved the support for debugging QEMU kernels and more improvements and new commands are incomming
- You can set Pwndbg to fetch vmmap info for kernels in three different modes, see help set kernel-vmmap
Added support for heap commands for cases when libc debug symbols are not present. For this, certain heuristics regarding the code are used and as a last resort, the user can set addresses of heap related symbols to make the heap command work properly. See heap_config and help set resolve-heap-via-heuristic for more information.
We improved coredump debugging (vmmap fetching)
We refactored lots of code and more refactoring is incomming
Lots of tests and CI targets were added to ensure we don’t hit regressions
And more… see the full changelog below

What’s Changed

Minor linter/formatter configuration changes by @gsingh93 in #1105
support riscv:rv64 without capstone by @lonnywong in #1096
Fix IDE’s auto-complete support by @syheliel in #1106
vmmap: use pwndbg.info.auxv instead of gdb.execute by @disconnect3d in #1107
ArgparsedCommand: fix help cmd and cmd --help behavior by @disconnect3d in #1108
improve start and entry commands description by @disconnect3d in #1109
Add smoke test by @gsingh93 in #1113
Add dev-requirements.txt to Docker image by @gsingh93 in #1115
Set security_opt to seccomp:unconfined in docker-compose.yml by @gsingh93 in #1116
Some updates about Heap heuristics by @lebr0nli in #1075
Build docker in CI by @gsingh93 in #1117
fix errno command by @disconnect3d in #1112
GDB Refactor [1/N]: Split arch.py and related files into lib/ and gdb/ by @gsingh93 in #1114
Add lint.sh script by @gsingh93 in #1122
GDB Refactor [2/N]: move some modules to lib/ by @gsingh93 in #1118
Format shell scripts with shfmt by @gsingh93 in #1123
fix #1111 errno command edge case by @disconnect3d in #1126
GDB Refactor [3/N]: Split android into lib/ and gdblib/ by @gsingh93 in #1119
GDB Refactor [4/N]: Split abi into lib/ and gdblib/ by @gsingh93 in #1120
GDB Refactor [5/N]: Split regs.py into lib/ and gdblib/ by @gsingh93 in #1121
GDB Refactor [6/N]: Move gcc.py into lib/ by @gsingh93 in #1124
GDB Refactor [7/N]: Move some modules to gdblib/ by @gsingh93 in #1125
Fix incorrect import by @gsingh93 in #1131
GDB Refactor [8/N]: Split memory into lib/ and gdblib/ by @gsingh93 in #1128
GDB Refactor [9/N]: Move strings.py and dt.py to gdblib by @gsingh93 in #1129
GDB Refactor [10/N]: Move qemu.py and remote.py to gdblib by @gsingh93 in #1130
GDB Refactor [12/N]: Move stdio.py to lib/ by @gsingh93 in #1133
GDB Refactor [11/N]: Move elftypes.py to lib/ by @gsingh93 in #1132
Linting/formatting improvements by @gsingh93 in #1138
Add types for some modules in lib/ by @gsingh93 in #1137
Remove unused imports by @gsingh93 in #1139
Add support for formatting the code directly from lint.sh by @gsingh93 in #1140
GDB Refactor [13/N]: Move argv.py to gdblib by @gsingh93 in #1141
add type for ./pwndbg/lib by @syheliel in #1135
add color for modified registers by @syheliel in #1127
Add gdb.MemoryError check to get_heap() by @CptGibbon in #1145
fix distance command by @disconnect3d in #1146
Add regression test for find_fake_fast command by @CptGibbon in #1147
fix qemu vmmap showing coredump mappings by @disconnect3d in #1148
Improve vmmap on coredump files by @disconnect3d in #1149
add patch command by @disconnect3d in #1150
Fix for android check in procinfo by @ntsleep in #1156
Tests for procinfo command by @ntsleep in #1157
Fix #1153 nextproginstr command by @disconnect3d in #1158
Show arch and emulation status on disasm banner by @disconnect3d in #1160
fix: mprotect command and add tests for it by @alufers in #1161
Fix #1165: set context-clear-screen on resetting scrollback by @disconnect3d in #1166
Show less error when trying to load a non-exist type by @lebr0nli in #1171
silence heap_bugs.c build warnings by @disconnect3d in #1172
Enhance heap with for static-linked binaries & remove typeinfo bloat by @disconnect3d in #1173
Add Chunk class & template_heap_command by @CptGibbon in #1159
Support starting the IPython interactive prompt with ipi command by @lebr0nli in #1170
Upload codecov report only from Ubuntu22.04 by @miles170 in #1178
Update ipi command by @lebr0nli in #1176
Enhances ipdb by @lebr0nli in #1177
search command: remove unused string optional arg by @disconnect3d in #1180
add type for ./pwndbg/lib/ by @syheliel in #1168
fix #1190: telescope -r with addr as count by @disconnect3d in #1198
Integrate Chunk class into malloc_chunk command by @CptGibbon in #1184
tips: add set show-flags on tip by @disconnect3d in #1200
Fix disable_colors formatting & test ctx disasm showing fds by @disconnect3d in #1186
add show-flags and show-compact-regs to ctx regs banner by @disconnect3d in #1201
remove defcon.py by @disconnect3d in #1203
bugreport command: use code listings by @disconnect3d in #1204
Delete .sublime-settings by @disconnect3d in #1206
leakfind should default to $sp by @amoghrajesh in #1218
Add malloc_chunk command test by @CptGibbon in #1214
Make the heap heuristic compatible with new heap code by @lebr0nli in #1217
Update README with GDB build steps by @disconnect3d in #1220
fix #1221: ipi command multi-line inputs by @disconnect3d in #1222
Make CStruct2GDB support gdb.types.has_field() by @lebr0nli in #1224
Cleanup requirements and run full setup in lint CI job by @gsingh93 in #1230
Add –shell argument to pwndbg command by @gsingh93 in #1233
Add malloc_chunk command tests for heuristic heap by @CptGibbon in #1234
Split heap tests into their own files by @gsingh93 in #1235
events.py: remove unused Pause class by @disconnect3d in #1223
Fix #1197: dont display ctx on reg/mem changes by @disconnect3d in #1239
Load commands and gdblib explicitly in init.py by @gsingh93 in #1243
GDB Refactor [15/N]: Move stack.py to gdblib/stack.py by @gsingh93 in #1244
GDB Refactor [16/N]: Move tls.py to gdblib/tls.py by @gsingh93 in #1245
GDB Refactor [17/N]: Move net.py to lib/net.py by @gsingh93 in #1246
Cleanup load_gdblib() by @gsingh93 in #1248
Cleanup dependencies by @gsingh93 in #1251
Remove unnecessary imports…

Installation

git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh

Source: https://github.com/pwndbg/

pwndbg 2022.12.19 releases: Exploit Development and Reverse Engineering with GDB

Search

Brilliantly

Content & Links

Technology News