This page documents some tips on how to use GDB for advanced debugging. It was created as all information I could find on the web lacked some useful information.<\/p>\n
\u00a0<\/p>\n
<\/p>\n
\u00a0<\/p>\n
When debugging assembly in gdb, it’s useful to learn about TUI mode. TUI mode gives gdb text based windows. This allows you to see both the disassembled coded as well as the ability to issue commands at the same time – a must have for debugging.<\/p>\n
To enter into TUI mode use:<\/p>\n
CTRL-X CTRL-1<\/pre>\nThis will create a single window. (To get rid of it use<\/p>\n
CTRL-X a<\/pre>\nInitially this window will not be in the right\u00a0layout<\/em>. (In gdb TUI mode, a\u00a0layout<\/em>\u00a0is like a mode, ie assembler mode, etc).<\/p>\n
You can tell gdb to change to assembly mode using:<\/p>\n
layout asm<\/pre>\nNow you should be able to see your program in a disassembled text window.<\/p>\n
\n
- Tip<\/strong>: If you want to see registers as well use:\u00a0
layout regs<\/code><\/li>\n<\/ul>\n\u00a0<\/p>\n
Common Tasks<\/span><\/h2>\n
In assembly debugging, theres a few common tasks that you need to these are listed below:<\/p>\n
View registers<\/strong><\/h3>\n
To view registers you can either use:<\/p>\n
info all-registers | info reg | i r<\/pre>\nto view the all\/some of the registers. You can use:<\/p>\n
layout reg<\/pre>\nto bring up a TUI window with all the registers. This window also shows what changes between instructions when your executing them.<\/p>\n
To examine the current value of a register you can use:<\/p>\n
info reg es<\/pre>\nYou can examine the memory the register points to using the\u00a0x<\/strong>\u00a0instruction ie:<\/p>\n
x\/x $esp # View mem in hex\r\n x\/b $esp # View mem in bin\r\n x\/i $esp # View instruction at address<\/pre>\nYou can set a register using:<\/p>\n
set $eip = 0x90 # Set current eip to address 0x90<\/pre>\n\u00a0<\/p>\n
Memory Addresses<\/span><\/h3>\n
If you recall the early lessons in computing there’s two main memory regions in a program – the code segment and the data segment.<\/p>\n
The code segment normally consists of executable instructions and static things like constants and strings. You can view the instructions at a memory address using:<\/p>\n
disassemble 0x123123<\/pre>\nwhere 0x123123 is an address in memory. This will show you a number of instructions at that address and onwards till the end of the function ends.<\/p>\n
You can examine a memory address using<\/p>\n
x 0x123123<\/pre>\nThe\u00a0x<\/strong>\u00a0command takes a number of different parameters\/options. It can output binary, hex, strings, instructions etc. For more help on how to use it try:\u00a0
help x<\/code>\u00a0in gdb.
\nYou can also print out the value of an address using:<\/p>\np 0x123123<\/pre>\nlike\u00a0x<\/em>\u00a0the\u00a0p<\/strong>\u00a0(or print) command the p command takes a number of options for displaying hex, binary etc.<\/p>\n
\u00a0<\/p>\n
Altering program execution<\/span><\/h3>\n
Say you’ve been debugging a program in assembly. You’ve setup\u00a0b<\/strong>reak points, either to memory or functions. Now you’ve found the instruction you want to change. There’s a number of ways you can change it. Chances are the instruction is some type of compare, (cmp, cmpl, jge, jmp, etc). You could possible make the instruction a no instruction (nop) or modify the register the compare relies on to be something else.<\/p>\n
In order to alter the line to be a nop you can do something like:<\/p>\n
set *0xbxxxx = 0x90<\/pre>\nIn this case the address is 0xbxxxx and the instruction (under x86 arch) is 0x90 (nop). However this could cause an issue if the previous instruction was 2 bytes wide. ie:<\/p>\n
1> 0x126c\u00a0: incl 0xfffff3dc(%ebp)\r\n2> 0x126d\u00a0: testb %al,%al\r\n3> 0x126f\u00a0: jne 0x125c<\/pre>\nIn the above the instruction at line 1 is a 1 byte instruction. The instruction at line 2 is a two byte instruction. How? Looks at the difference between the addresses:<\/p>\n
0x126d - 0x126c = 1 byte\r\n 0x126f - 0x126d = 2 byte<\/pre>\nIn x86 arch, 0x90 (nop) is only a 1 byte instruction.<\/p>\n
If you wanted to modify line 2, you’ld have to set the al register so the test would succeed.<\/p>\n
Managing Signals<\/strong><\/p>\n
You can enable\/disable signals using the ‘handle<\/strong>‘ command. ie:<\/p>\n
handle SIGALARM stop<\/pre>\nThe options to handle are:<\/p>\n
\u00a0<\/p>\n
\n
nostop<\/code> <\/dt>\n- GDB should not stop your program when this signal happens. It may still print a message telling you that the signal has come in. <\/dd>\n
stop<\/code> <\/dt>\n- GDB should stop your program when this signal happens. This implies the
print<\/code> keyword as well. <\/dd>\nprint<\/code> <\/dt>\n- GDB should print a message when this signal happens. <\/dd>\n
noprint<\/code> <\/dt>\n- GDB should not mention the occurrence of the signal at all. This implies the
nostop<\/code> keyword as well. <\/dd>\npass<\/code> <\/dt>\n- GDB should allow your program to see this signal; your program can handle the signal, or else it may terminate if the signal is fatal and not handled. <\/dd>\n
nopass<\/code> <\/dt>\n- GDB should not allow your program to see this signal.\u00a0<\/dd>\n<\/dl>\n
And to see what signals are currently set and their default setup use:<\/p>\n
info signals\u00a0<\/pre>\n\u00a0<\/p>\n
Helpful External Links<\/span><\/h1>\n