pwndbg 2022.08.30 releases: Exploit Development and Reverse Engineering with GDB

pwndbg (/poʊndbæg/) is a GDB plug-in that makes debugging with GDB suck less, with a focus on features needed by low-level software developers, hardware hackers, reverse-engineers and exploit developers.

Pwndbg has a lot of useful features. You can a list of all available commands at any time by typing the pwndbgcommand. Here’s a small subset which is easy to capture in screenshots.

Arguments

All function call sites are annotated with the arguments to those functions. This works best with debugging symbols, but also works in the most common case where an imported function (e.g. libc function via GOT or PLT) is used.

Context

A useful summary of the current execution context is printed every time GDB stops (e.g. breakpoint or single-step), displaying all registers, the stack, call frames, disassembly, and additionally recursively dereferencing all pointers. All memory addresses are color-coded to the type of memory they represent.

Disassembly

Pwndbg uses Capstone Engine to display disassembled instructions, but also leverages its introspection into the instruction to extract memory targets and condition codes.

All absolute jumps are folded away, only displaying relevant instructions.

Additionally, if the current instruction is conditional, Pwndbg displays whether or not it is evaluated with a green check or a red X, and folds away instructions as necessary.

Emulation

Pwndbg leverages Unicorn Engine in order to only show instructions which will actually be emulated. At each debugger stop (e.g. breakpoint or single-step) the next few instructions are silently emulated, and only instructions which will actually be executed are displayed.

This is incredibly useful when stepping through jump tables, PLT entries, and even while ROPping!

Heap Inspection

Pwndbg enables introspection of the glibc allocator, ptmalloc2, via a handful of introspection functions.

IDA Pro Integration

Pwndbg flips traditional IDA Pro integration on its head. Rather than sticking code inside of IDA that you need to interact with, by installing a small XMLRPC server inside of IDA, Pwndbg has full access to everything IDA knows.

This allows extraction of comments, decompiled lines of source, breakpoints, and synchronized debugging (single-steps update the cursor in IDA).

More…

Changelog 2022.08.30

• New commands or new flags:
  • attachp [pid | process name | device file] to attach to process by pid/name/device file,
  • setflag to set CPU flags register values,
  • telescope --reverse ... to see memory before a provided address,
  • heap_config to set heap commands configuration,
• Better support for heap debugging without symbols:
  • It is now possible to make Pwndbg determine the addresses of heap symbols when they are missing; also this is going to be improved further soon,
  • If symbols cannot be found, heap_config can be used to configure symbols addresses,
  • We now define a $heap_base convenient variable,
• better kernel debugging support – we use gdb-pt-dump to dump memory map information which should be much faster than the previous solution of parsing monitor info mem information,
• better support for coredump debugging, mainly its vmmap display – we now parse what we can to get that info (btw GDB could improve on generating core dumps as well, see GDB-bugzilla#29508,
• we now display file paths based on /proc/$pid/fd/$fd of opened files when showing the arguments of POSIX file APIs (open, read, write, close etc.) in the disasm view,
• we now display tips when Pwndbg is launched (can be disabled with set show-tips off added do ~/.gdbinit)
• better support for virtualenvs – though, we display a warning that this may not work as expected (due to C libraries dependencies like libffi-dev etc)
• more tests and improved CI as we now test on Ubuntu 18.04, 20.04 and 22.04,
  • ./tests.sh now has [<filter-tests-names>] [--pdb] arguments,
• …and lots and lots of fixes!

What’s Changed

• Add fortified function signatures by @AetherBreeze in #998
• Ignore non utf-8 characters in the source code by @lonnywong in #1002
• Change year 2021 to 2022 in README.md by @simark in #1003
• Make pwndbg faster by @bet4it in #1004
• Show all registers of PowerPC by @bet4it in #1005
• Try with lowercase xpsr register first on ARM Cortex M/gdb 8+ by @wavexx in #1007
• Fix two bugs in /pwndbg/commands/context.py by @dev2ero in #1012
• Bump Unicorn Version to 1.0.3 by @Mez0ne in #1015
• Display symbol name for computed disasm address by @galkinvv in #1016
• Fix installation error on osx by @Pribess in #1017
• fix splitmind compatibility issues from PR #1012 by @jtpereyda in #1023
• Create setflag command by @dgmcdona in #1027
• added docker-compose and instructions how to run tests there by @hbrylkowski in #1032
• Add gp register to MIPS by @bet4it in #1025
• Freeze requirements by @hbrylkowski in #1033
• Try fs/gs_base registers before ptrace’ing by @lebr0nli in #1030
• update unicorn to 2.0.0 by @disconnect3d in #1034
• [#1035] Use virtualenv when available by @viciu in #1037
• Show tip of the day at the startup by @hbrylkowski in #1036
• merge hack-pt-dump branch to dev by @lonnywong in #1022
• colorful tip of the day by @disconnect3d in #1046
• nearpc: convert pc to pointer by @l4rzy in #1048
• Remove Python 2 legacy code by @ivellios in #1052
• Add $heap_base variable after running the heap command by @gsingh93 in #1051
• fix context showing unexpectedly on first command by @lonnywong in #1042
• Fix aarch64 regs display by @arcz in #1054
• Add tip about $heap_base to tips.py by @gsingh93 in #1053
• Fix context args crash on missing instruction by @arcz in #1055
• Fix xor and memfrob by @artcz in #1057
• Add support to use heap commands without debug symbols by @lebr0nli in #1029
• Adds documentation for debugging with PyCharm by @overfl0 in #1058
• Remove shell commands registration by @disconnect3d in #1064
• Improve search –next speed and add –trunc-out flag by @disconnect3d in #1066
• Replace with IDA 7.x API by @akiym in #1024
• Revert “Remove shell commands registration” by @disconnect3d in #1073
• small refactor of vmmap module by @disconnect3d in #1078
• Fix coredump debugging by @disconnect3d in #1079
• Avoid bare catch-all except blocks by @Arusekk in #1080
• Fix test runner script for parallel make builds by @gsingh93 in #1083
• Refactor heap code by @gsingh93 in #1063
• Revert “Refactor heap code” by @disconnect3d in #1084
• fix vis_heap_chunk test on CI? by @disconnect3d in #1086
• Fix heap test binaries build by @disconnect3d in #1087
• tools: change zig to install from a tarball (fixes: #1088) by @alufers in #1089
• Make ZIGPATH configurable and provide defaults by @artcz in #1090
• Remove QuietSloppyParsedCommand once and for all by @disconnect3d in #1091
• Fix zig not being installed when installed system-wide by @alufers in #1093
• tests.sh: add [filter] and –pdb by @disconnect3d in #1092
• Add support for telescope to show previous addresses #1047 by @ntsleep in #1094
• Minor test cleanup by @gsingh93 in #1099
• Update CI to test 18.04, 20.04, and 22.04 by @gsingh93 in #1100
• Add black to CI by @gsingh93 in #1101
• black all da code by @disconnect3d in #1103
• Fix PEP8 violations and add flake8 to CI by @gsingh93 in #1102
• fix #1098: dX cmds trunc out on x86 binaries by @disconnect3d in #1104

Installation

git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh

Copyright (c) 2015 Zach Riggle

Source: https://github.com/pwndbg/