functions ¤
Put all functions defined for gdb in here.
This file might be changed into a module in the future.
Functions:
- GdbFunction
- rebase – Return address rebased onto the executable's mappings.
- base – Return the base address of the first memory mapping containing the given name.
- hex2ptr – Converts a hex string to a little-endian address and returns the address.
- argc – Get the number of program arguments.
- argv – Get the n-th program argument.
- environ – Get an environment variable by name.
- envp – Get the n-th environment variable.
- dbg_value_to_gdb
- fsbase – Get the value of the FS segment register.
- gsbase – Get the value of the GS segment register.
Attributes:
- functions (list[_GdbFunction])
rebase ¤
Return address rebased onto the executable's mappings.
Example:
pwndbg> p/x $rebase(0xd9020)
$1 = 0x55555562d020
pwndbg> vmmap
0x555555554000 0x55555556f000 r--p 1b000 0 /usr/bin/bash
0x55555556f000 0x55555562d000 r-xp be000 1b000 /usr/bin/bash
0x55555562d000 0x55555565e000 r--p 31000 d9000 /usr/bin/bash
[...]
pwndbg> p $rebase(0xd9020) == 0x555555554000 + 0xd9020
$2 = 1
pwndbg> tele $rebase(0xd9020)
00:0000│ 0x55555562d020 ◂— 0x204900636f6c6c61 /* 'alloc' */
01:0008│ 0x55555562d028 ◂— 'have no name!'
02:0010│ 0x55555562d030 ◂— 0x65720021656d616e /* 'name!' */
03:0018│ 0x55555562d038 ◂— 'adline stdin'
[...]
base ¤
Return the base address of the first memory mapping containing the given name.
Example:
pwndbg> p/x $base("libc")
$4 = 0x7ffff7d4b000
pwndbg> vmmap libc
0x7ffff7d4a000 0x7ffff7d4b000 rw-p 1000 6e000 /usr/lib/libncursesw.so.6.5
► 0x7ffff7d4b000 0x7ffff7d6f000 r--p 24000 0 /usr/lib/libc.so.6
► 0x7ffff7d6f000 0x7ffff7ed6000 r-xp 167000 24000 /usr/lib/libc.so.6
► 0x7ffff7ed6000 0x7ffff7f2b000 r--p 55000 18b000 /usr/lib/libc.so.6
► 0x7ffff7f2b000 0x7ffff7f2f000 r--p 4000 1e0000 /usr/lib/libc.so.6
► 0x7ffff7f2f000 0x7ffff7f31000 rw-p 2000 1e4000 /usr/lib/libc.so.6
0x7ffff7f31000 0x7ffff7f39000 rw-p 8000 0 [anon_7ffff7f31]
pwndbg> tele $base("libc")+0x1337
00:0000│ 0x7ffff7d4c337 ◂— 0x80480a04214000f0
01:0008│ 0x7ffff7d4c33f ◂— 0x8040c02204452040
02:0010│ 0x7ffff7d4c347 ◂— 0x20042400000200
03:0018│ 0x7ffff7d4c34f ◂— 0x20 /* ' ' */
[...]
Beware of accidentally matching the wrong mapping. For instance, if the loaded executable contained the string "libc" anywhere in its path, the executable's mapping would have been returned instead.
hex2ptr ¤
Converts a hex string to a little-endian address and returns the address.
Example:
pwndbg> p/x $hex2ptr("20 74 ed f7 ff 7f")
$1 = 0x7ffff7ed7420
pwndbg> p/x $hex2ptr("2074edf7ff7f")
$2 = 0x7ffff7ed7420
pwndbg> distance '$base("libc")' '$hex2ptr("20 74 ed f7 ff 7f")'
0x7ffff7d4b000->0x7ffff7ed7420 is 0x18c420 bytes (0x31884 words)
Especially useful for quickly converting pwntools output.
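The address arithmetic behind `$rebase`, `$base` and `$hex2ptr`, modelled in plain Python as an added example (this is not pwndbg's own code and runs without gdb). The mapping list and the `/home/user/libc-lab/target` path are constructed, and the model takes the executable path as an explicit argument; it shows how a substring lookup for "libc" returns the executable's mapping when its path contains that string.

```python
# Added illustration: plain-Python models of $rebase, $base and $hex2ptr.
# Not pwndbg's implementation; the data below is constructed for the example.

# (start address, backing path) in address order. The first entry is a
# hypothetical executable whose directory name happens to contain "libc".
MAPPINGS = [
    (0x555555554000, "/home/user/libc-lab/target"),
    (0x7ffff7d4a000, "/usr/lib/libncursesw.so.6.5"),
    (0x7ffff7d4b000, "/usr/lib/libc.so.6"),
    (0x7ffff7d6f000, "/usr/lib/libc.so.6"),
]


def base(name, mappings=MAPPINGS):
    """Start of the first mapping whose path contains `name` (substring match)."""
    for start, path in mappings:
        if name in path:
            return start
    raise ValueError(f"no mapping contains {name!r}")


def rebase(offset, exe_path, mappings=MAPPINGS):
    """File-relative offset added to the start of the executable's lowest mapping."""
    return min(start for start, path in mappings if path == exe_path) + offset


def hex2ptr(hex_string):
    """Interpret hex bytes (spaces optional) as a little-endian integer."""
    return int.from_bytes(bytes.fromhex(hex_string), "little")


if __name__ == "__main__":
    leaked = hex2ptr("20 74 ed f7 ff 7f")
    print(hex(leaked))                                    # leaked pointer as an address
    print(hex(rebase(0xD9020, "/home/user/libc-lab/target")))
    # Ambiguous name: the executable's path matches first, not libc.so.6.
    print(hex(base("libc")))
    # A more specific substring selects the intended mapping in this model.
    print(hex(base("libc.so")), hex(leaked - base("libc.so")))
```
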
argc ¤
argv ¤
environ ¤
envp ¤
fsbase ¤
Get the value of the FS segment register. Only valid on x86(-64).
Example:
pwndbg> p/x $fsbase()
$3 = 0x7ffff7cdab80
pwndbg> p $fs_base == $fsbase()
$4 = 1
pwndbg> x/gx $fsbase(0x28)
0x7ffff7cdaba8: 0x4da926e1668e5a00
pwndbg> x/gx $fsbase(0x30)
0x7ffff7cdabb0: 0x190a86d93bccf0ad
pwndbg> tls
Thread Local Storage (TLS) base: 0x7ffff7cdab80
TLS is located at:
0x7ffff7cda000 0x7ffff7cdc000 rw-p 2000 0 [anon_7ffff7cda]
Dumping the address:
tcbhead_t @ 0x7ffff7cdab80
0x00007ffff7cdab80 +0x0000 tcb : 0x7ffff7cdab80
0x00007ffff7cdab88 +0x0008 dtv : 0x7ffff7cdb4f0
0x00007ffff7cdab90 +0x0010 self : 0x7ffff7cdab80
0x00007ffff7cdab98 +0x0018 multiple_threads : 0x0
0x00007ffff7cdab9c +0x001c gscope_flag : 0x0
0x00007ffff7cdaba0 +0x0020 sysinfo : 0x0
0x00007ffff7cdaba8 +0x0028 stack_guard : 0x4da926e1668e5a00
0x00007ffff7cdabb0 +0x0030 pointer_guard : 0x190a86d93bccf0ad
[...]
pwndbg> canary
[...]
Canary = 0x4da926e1668e5a00 (may be incorrect on != glibc)
[...]
gsbase ¤
Get the value of the GS segment register. Only valid on x86(-64).
Example:
The value of the GS register is more interesting when doing kernel debugging. If you're not providing an offset, it is usually easier to use gdb's builtin $gs_base variable.