pwndbg 2023.07.17 releases: Exploit Development and Reverse Engineering with GDB
pwndbg (/poʊndbæg/) is a GDB plug-in that makes debugging with GDB suck less, with a focus on features needed by low-level software developers, hardware hackers, reverse-engineers and exploit developers.
Pwndbg has a lot of useful features. You can get a list of all available commands at any time by typing the pwndbg command. Here's a small subset which is easy to capture in screenshots.
Arguments
All function call sites are annotated with the arguments to those functions. This works best with debugging symbols, but also works in the most common case where an imported function (e.g. libc function via GOT or PLT) is used.
Context
A useful summary of the current execution context is printed every time GDB stops (e.g. breakpoint or single-step), displaying all registers, the stack, call frames, disassembly, and additionally recursively dereferencing all pointers. All memory addresses are color-coded to the type of memory they represent.
Disassembly
Pwndbg uses Capstone Engine to display disassembled instructions, but also leverages its introspection into the instruction to extract memory targets and condition codes.
All absolute jumps are folded away, only displaying relevant instructions.
Additionally, if the current instruction is conditional, Pwndbg displays whether or not it is evaluated with a green check or a red X, and folds away instructions as necessary.
Emulation
Pwndbg leverages Unicorn Engine in order to only show instructions which will actually be emulated. At each debugger stop (e.g. breakpoint or single-step) the next few instructions are silently emulated, and only instructions which will actually be executed are displayed.
This is incredibly useful when stepping through jump tables, PLT entries, and even while ROPping!
Heap Inspection
Pwndbg enables introspection of the glibc allocator, ptmalloc2, via a handful of introspection functions.
IDA Pro Integration
Pwndbg flips traditional IDA Pro integration on its head. Rather than sticking code inside of IDA that you need to interact with, Pwndbg installs a small XMLRPC server inside of IDA and thereby gets full access to everything IDA knows.
This allows extraction of comments, decompiled lines of source, breakpoints, and synchronized debugging (single-steps update the cursor in IDA).
More…
Changelog 2023.07.17
TL;DR what this release brings
- The `setup.sh` now installs Python dependencies in a virtual environment created in `pwndbg/.venv/`, and `gdbinit.py` sets appropriate paths so that the created virtual environment is used automatically (previously, we installed deps in the system's Python interpreter, which could break users' setups)
- New or improved commands:
  - The `pwndbg` helper command can now filter the commands list by category, e.g.: `pwndbg -c heap` (categories are: heap, kernel, linux etc.)
  - Added `killthreads [<ids....>]` command to kill threads with given IDs
  - Added `slab contains <addr> [<addrs...>]` command to inspect the Linux kernel heap (when debugging a kernel)
  - Added `spray <addr> ...` command to spray memory with given values (instead of doing `pi pwndbg.gdblib.memory.write(address, b'data')`)
  - Improved `got` command display and filtering
  - Multiple heap command improvements (`heap`, `vis_heap_chunks` optimized, `find_fake_fast`, `*bins`)
  - Optimized `vis_heap_chunks` command
  - `telescope -r` now always displays the input address
  - Fixed `vmmap` for 32-bit kernels
  - Fixed `patch-list` and `patch-revert` commands
  - More AI clouds support in the `ai` command
- Improved RISC-V support: added branch prediction through Unicorn emulation
- Added basic heap heuristics for RISC-V and PowerPC
- Added `krelease` function that allows us to implement different behavior for different Linux kernel versions
- Better glibc version detection
- More…
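Added example (not pwndbg's own gdbinit.py or setup.sh): a minimal stand-in for the path wiring the first changelog item describes, so that the Python interpreter embedded in GDB picks up packages from a project-local `.venv/` without touching the system interpreter. It assumes the stdlib `venv` directory layout and the `version` line of `pyvenv.cfg`; the check that the venv was built for the same Python major.minor that GDB embeds is an addition here, not something the release notes state.

```python
import sys
import tempfile
import venv
from pathlib import Path
from typing import Optional


def venv_site_packages(venv_dir: Path) -> Path:
    # Layout the stdlib `venv` module creates (assumed here, not read from pwndbg's setup.sh).
    if sys.platform == "win32":
        return venv_dir / "Lib" / "site-packages"
    return venv_dir / "lib" / f"python{sys.version_info[0]}.{sys.version_info[1]}" / "site-packages"


def venv_python_version(venv_dir: Path) -> Optional[str]:
    # pyvenv.cfg records e.g. "version = 3.11.4"; None means this is not a venv at all.
    cfg = venv_dir / "pyvenv.cfg"
    if not cfg.is_file():
        return None
    for line in cfg.read_text().splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "version":
            return value.strip()
    return None


def use_venv(venv_dir: Path) -> Path:
    # Prepend the venv's site-packages to sys.path, as activating the venv would.
    # GDB embeds its own interpreter, so a venv built for another major.minor is
    # rejected loudly instead of loading incompatible extension modules.
    recorded = venv_python_version(venv_dir)
    if recorded is None:
        raise FileNotFoundError(f"{venv_dir}: no pyvenv.cfg, not a virtual environment")
    running = f"{sys.version_info[0]}.{sys.version_info[1]}"
    if ".".join(recorded.split(".")[:2]) != running:
        raise RuntimeError(f"venv built for Python {recorded}, GDB runs {running}; re-run setup.sh")
    site = venv_site_packages(venv_dir)
    if not site.is_dir():
        raise FileNotFoundError(f"{site} does not exist")
    if str(site) not in sys.path:
        sys.path.insert(0, str(site))
    return site


def demo() -> Path:
    # Throwaway venv without pip (stdlib only, works offline), wired in like pwndbg/.venv/ would be.
    tmp = Path(tempfile.mkdtemp()) / ".venv"
    venv.create(tmp, with_pip=False)
    return use_venv(tmp)
```

In a real gdbinit.py the venv directory would be derived from the script's own location rather than created on the fly; `demo()` only builds a disposable one so the wiring can be exercised end to end.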
Installation
git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh
Copyright (c) 2015 Zach Riggle
Source: https://github.com/pwndbg/