
Features

Pwndbg has a great deal of useful features. You can see all available commands at any time by typing the pwndbg command or by checking the Commands section of the documentation. For configuration and theming see the Configuration section. Below is a subset of the commands that are easiest to show in screenshots.

Disassembly and Emulation

Pwndbg leverages the capstone and unicorn engines, along with its own introspection, to display, annotate and emulate instructions.

Operands of instructions are resolved against the live register and memory state, branch conditions are evaluated, and only the instructions that will actually be executed are shown: the upcoming instructions are emulated rather than just disassembled linearly from the current address. If emulation gives wrong results for an unusual target, it can be turned off with set emulate off.

This is incredibly useful when stepping through jump tables, PLT entries, and ROP chains.

Context

A useful summary of the current execution context is printed every time the debugger stops (e.g. breakpoint or single-step), displaying all registers, the stack, call frames, disassembly, and additionally recursively dereferencing all pointers. All memory addresses are color-coded to the type of memory they represent.

A history of previous context output is kept which can be accessed using the contextprev and contextnext commands.

Arguments

All function call sites are annotated with the arguments to those functions. This works best with debugging symbols, but also works in the most common case where an imported function (e.g. a libc function called via the GOT or PLT) is used.

Splitting / Layouting Context

The context sections can be distributed among different ttys by using the contextoutput command. Thus, if you want to make better use of some of the empty space in the default Pwndbg output, you can split the panes in your terminal and redirect the various context sections among them.

See Splitting the Context for more information.

GDB TUI

The context sections are available as native GDB TUI windows named pwndbg_[sectionname]. There are some predefined layouts coming with Pwndbg which you can select using layout pwndbg or layout pwndbg_code.

See GDB TUI for more information.

Watch Expressions

You can add expressions to be watched by the context. Those expressions are evaluated and shown on every context refresh. For instance, after contextwatch execute "info args", the arguments of whatever function the program is currently stopped in (mmap, in the original screenshot) are printed with every context.

See contextwatch for more information.

Integrations

Ghidra

With the help of radare2 or rizin (and their Ghidra decompiler plugins), Pwndbg can show the output of the Ghidra decompiler for the function you are currently in.

See Ghidra Integration for more information.

IDA Pro/Binary Ninja

Pwndbg is capable of integrating with IDA Pro or Binary Ninja by installing an XML-RPC server in the decompiler as a plugin, and then querying it for information.

This allows extraction of comments, decompiled lines of source, breakpoints, symbols, and synchronized debugging (single-steps update the cursor in the decompiler).

See Binary Ninja Integration or IDA Integration for setup information.

Heap Inspection

Pwndbg provides commands for inspecting the heap and the allocator's state. Currently supported are:

Commands for glibc malloc include heap, bins and vis_heap_chunks, which the original page shows in screenshots.

LLDB

While most other GDB plugins are, well, GDB plugins, Pwndbg's implementation is debugger-agnostic. You can use Pwndbg with LLDB!

WinDbg Compatibility

For those coming from a Windows background, Pwndbg has a complete WinDbg compatibility layer. You can dd, dps, eq, and even eb $rip 90 (patch a single NOP byte at the current instruction) to your heart's content.

Go Debugging

Pwndbg has support for dumping complex Go values like maps and slices, including automatically parsing out type layouts in certain cases.

See the Go debugging guide for more information.

So many commands

Go take a look at Commands! Here is some cool stuff you can do to get you started.

Process State Inspection

Use the procinfo command to inspect the current process state, like UID, GID, groups, SELinux context, and open file descriptors! This is particularly handy when debugging remotely, for example a process on an Android phone, where that information is otherwise out of reach.

ROP Gadgets

Tools that find ROP gadgets statically don't know everything that will be loaded into the address space (shared libraries, their load addresses, JIT regions), and they can be wrong about which addresses will actually end up executable. With Pwndbg's rop and ropper commands you can search for gadgets at runtime, in the memory that is really mapped and executable.

Search

Pwndbg makes searching the target memory space easy, with a complete and easy-to-use interface. Whether you're searching for bytes, strings, or various sizes of integer values or pointers, it's a simple search command away.

Finding Leaks

Finding leak chains can be done using the leakfind and probeleak commands. leakfind starts from an address, follows every pointer it finds there, and keeps following pointers recursively, reporting the chains (optionally only those that end up in a given mapping, such as libc). probeleak scans an address range for pointers and reports each one found together with the mapping it lands in.

Telescope

Inspecting memory dumps is easy with the telescope command. It recursively dereferences a range of memory, letting you see everything at once. As an added bonus, Pwndbg checks all of the available registers to see if they point into the memory range and labels those entries with the register name.

Virtual Memory Maps

Pwndbg enhances the standard memory map listing and allows easy searching with vmmap: give it an address to see which mapping (with its permissions and backing file) that address falls into, or a name to filter the listing.

Tracking glibc heap allocations

It can be very useful to see allocations happening in real time. It gives a good idea of what the allocation pattern of a program looks like, and allows us to make informed decisions on how to optimize or attack it. The track-heap command does just that.

Tracking the GOT

The Procedure Linkage Table (PLT) and Global Offset Table (GOT) are very interesting exploitation targets since they contain many often-accessed function pointers, and unless the binary is linked with full RELRO the GOT stays writable at runtime. You can track how your program goes through the GOT using the track-got command.

Attach to a process by name

The days of running pidof in a different terminal are over. Use attachp to attach to any process by name, pid, arguments or device file!