Skip to content

Commands¶

Start¶

attachp Attaches to a given pid, process name or device file.
entry
sstart Alias for 'tbreak __libc_start_main; run'.
start

Integrations¶

ai Ask GPT-3 a question about the current debugging context.
j Synchronize IDA's cursor with GDB.
save_ida Save the ida database.
r2 Launches radare2.
r2pipe Execute stateful radare2 commands through r2pipe.
rz Launches rizin.
rzpipe Execute stateful rizin commands through rzpipe.
rop Dump ROP gadgets with Jon Salwan's ROPgadget tool.
ropper ROP gadget search with ropper.

Linux/libc/ELF¶

argc Prints out the number of arguments.
argv Prints out the contents of argv.
envp Prints out the contents of the environment.
aslr
auxv Print information from the Auxiliary ELF Vector.
elfsections Prints the section mappings contained in the ELF header.
gotplt Prints any symbols found in the .got.plt section if it exists.
plt Prints any symbols found in the .plt section if it exists.
got Show the state of the Global Offset Table.
track-got Controls GOT tracking
linkmap Show the state of the Link Map
errno Converts errno (or argument) to its string representation.
piebase Calculate VA of RVA from PIE base.
threads List all threads belonging to the selected inferior.
tls Print out base address of the current Thread Local Storage (TLS).

Misc¶

asm Assemble shellcode into bytes
break-if-not-taken Breaks on a branch if it is not taken.
break-if-taken Breaks on a branch if it is taken.
checksec Prints out the binary security settings using checksec.
comm Put comments in assembly code.
cyclic Cyclic pattern creator/finder.
cymbol Add, show, load, edit, or delete custom structures in plain C.
dt
dumpargs Prints determined arguments for call instruction.
down Select and print stack frame called by this one.
up Select and print stack frame that called this one.
ipi Start an interactive IPython prompt.
stepuntilasm Breaks on the next matching instruction.
patch Patches given instruction with given code or bytes.
patch_list List all patches.
patch_revert Revert patch at given address.
getfile Gets the current file.
plist Dumps the elements of a linked list.
sigreturn Display the SigreturnFrame at the specific address
spray Spray memory with cyclic() generated values
tips Shows tips.
valist Dumps the arguments of a va_list.

Stack¶

canary Print out the current stack canary.
retaddr Print out the stack addresses that contain return addresses.
stack Dereferences on stack data with specified count and offset.
stackf Dereferences on stack data, printing the entire stack frame with specified count and offset .

pwndbg¶

config Shows pwndbg-specific configuration.
configfile Generates a configuration file for the current pwndbg options.
theme Shows pwndbg-specific theme configuration.
themefile Generates a configuration file for the current pwndbg theme options.
memoize
pwndbg Prints out a list of all pwndbg commands.
reinit_pwndbg Makes pwndbg reinitialize all state.
reload Reload pwndbg.
bugreport Generate a bug report.
version Displays GDB, Python, and pwndbg versions.

Context¶

context Print out the current register, instruction, and stack context.
contextoutput Sets the output of a context section.
contextunwatch Removes an expression previously added to be watched.
contextwatch
regs Print out all registers and enhance the information.
xinfo Shows offsets of the specified address from various useful locations.

Register¶

cpsr Print out ARM CPSR or xPSR register.
setflag Modify the flags register.
fsbase Prints out the FS base address. See also $fsbase.
gsbase Prints out the GS base address. See also $gsbase.

Memory¶

distance Print the distance between the two arguments, or print the offset to the address's page base.
hexdump Hexdumps data at the specified address or module name.
leakfind
mmap
mprotect
p2p Pointer to pointer chain search. Searches given mapping for all pointers that point to specified mapping.
telescope Recursively dereferences pointers starting at the specified address.
telescope Recursively dereferences pointers starting at the specified address.
probeleak
search Search memory for byte sequences, strings, pointers, and integer values.
telescope Recursively dereferences pointers starting at the specified address.
vmmap Print virtual memory map pages.
vmmap_add Add virtual memory map page.
vmmap_clear Clear the vmmap cache.
vmmap_load Load virtual memory map pages from ELF file.
xinfo Shows offsets of the specified address from various useful locations.
memfrob Memfrobs a region of memory (xor with '*').
xor XOR count bytes at address with the key key.

Heap¶

arena Print the contents of an arena.
arenas List this process's arenas.
bins Print the contents of all an arena's bins and a thread's tcache.
fastbins Print the contents of an arena's fastbins.
find_fake_fast Find candidate fake fast or tcache chunks overlapping the specified address.
heap Iteratively print chunks on a heap.
heap_config Shows heap related configuration.
hi Searches all heaps to find if an address belongs to a chunk. If yes, prints the chunk.
largebins Print the contents of an arena's largebins.
malloc_chunk Print a chunk.
mp Print the mp_ struct's contents.
smallbins Print the contents of an arena's smallbins.
tcache Print a thread's tcache contents.
tcachebins Print the contents of a tcache.
top_chunk Print relevant information about an arena's top chunk.
try_free Check what would happen if free was called with given address.
unsortedbin Print the contents of an arena's unsortedbin.
vis_heap_chunks Visualize chunks on a heap.

Breakpoint¶

ignore Set ignore-count of breakpoint number N to COUNT.
breakrva Break at RVA from PIE base.

Kernel¶

kbase Finds the kernel virtual base address.
kchecksec Checks for kernel hardening configuration options.
kcmdline Return the kernel commandline (/proc/cmdline).
kconfig Outputs the kernel config (requires CONFIG_IKCONFIG).
kversion Outputs the kernel version (/proc/version).
slab Prints information about the slab allocator

Process¶

killthreads Kill all or given threads.
pid Gets the pid.
procinfo Display information about the running process.

Disassemble¶

emulate Like nearpc, but will emulate instructions from the current $PC forward.
nearpc Disassemble near a specified address.

Step/Next/Continue¶

nextcall Breaks at the next call instruction.
nextjmp Breaks at the next jump instruction.
nextproginstr Breaks at the next instruction that belongs to the running program.
nextret Breaks at next return-like instruction.
nextsyscall Breaks at the next syscall not taking branches.
stepover Breaks on the instruction after this one.
stepret Breaks at next return-like instruction by 'stepping' to it.
stepsyscall Breaks at the next syscall by taking branches.
xuntil Continue execution until an address or function.

WinDbg¶

bc Clear the breakpoint with the specified index.
bd Disable the breakpoint with the specified index.
be Enable the breakpoint with the specified index.
bl List breakpoints.
bp Set a breakpoint at the specified address.
da Dump a string at the specified address.
db Starting at the specified address, dump N bytes.
dc Starting at the specified address, hexdump.
dd Starting at the specified address, dump N dwords.
dds Dump pointers and symbols at the specified address.
dq Starting at the specified address, dump N qwords.
ds Dump a string at the specified address.
dw Starting at the specified address, dump N words.
eb Write hex bytes at the specified address.
ed Write hex dwords at the specified address.
eq Write hex qwords at the specified address.
ew Write hex words at the specified address.
ez Write a string at the specified address.
eza Write a string at the specified address.
go Windbg compatibility alias for 'continue' command.
k Print a backtrace (alias 'bt').
ln List the symbols nearest to the provided value.
pc Windbg compatibility alias for 'nextcall' command.
peb Not be windows.