Commands

Breakpoint

Context

  • context - Print out the current register, instruction, and stack context.
  • contextnext - Select next entry in context history.
  • contextoutput - Sets the output of a context section.
  • contextprev - Select previous entry in context history.
  • contextsearch - Search for a string in the context history and select that entry.
  • contextunwatch - Removes an expression previously added to be watched.
  • contextwatch - Adds an expression to be shown on context.
  • regs - Print out all registers and enhance the information.

Developer

Disassemble

  • emulate - Like nearpc, but will emulate instructions from the current $PC forward.
  • nearpc - Disassemble near a specified address.

GLibc ptmalloc2 Heap

  • arena - Print the contents of an arena.
  • arenas - List this process's arenas.
  • bins - Print the contents of all an arena's bins and a thread's tcache.
  • fastbins - Print the contents of an arena's fastbins.
  • find-fake-fast - Find candidate fake fast or tcache chunks overlapping the specified address.
  • heap-config - Shows heap related configuration.
  • heap - Iteratively print chunks on a heap.
  • hi - Searches all heaps to find if an address belongs to a chunk. If yes, prints the chunk.
  • largebins - Print the contents of an arena's largebins.
  • malloc-chunk - Print a chunk.
  • mp - Print the mp_ struct's contents.
  • smallbins - Print the contents of an arena's smallbins.
  • tcache - Print a thread's tcache contents.
  • tcachebins - Print the contents of a tcache.
  • top-chunk - Print relevant information about an arena's top chunk.
  • try-free - Check what would happen if free was called with given address.
  • unsortedbin - Print the contents of an arena's unsortedbin.
  • vis-heap-chunks - Visualize chunks on a heap.

Integrations

  • ai - Ask GPT-3 a question about the current debugging context.
  • bn-sync - Synchronize Binary Ninja's cursor with GDB.
  • decomp - Use the current integration to decompile code near an address.
  • j - Synchronize IDA's cursor with GDB.
  • r2 - Launches radare2.
  • r2pipe - Execute stateful radare2 commands through r2pipe.
  • rop - Dump ROP gadgets with Jon Salwan's ROPgadget tool.
  • ropper - ROP gadget search with ropper.
  • rz - Launches rizin.
  • rzpipe - Execute stateful rizin commands through rzpipe.
  • save-ida - Save the ida database.

Kernel

  • binder - Show Android Binder information
  • kbase - Finds the kernel virtual base address.
  • kchecksec - Checks for kernel hardening configuration options.
  • kcmdline - Return the kernel commandline (/proc/cmdline).
  • kconfig - Outputs the kernel config (requires CONFIG_IKCONFIG).
  • klookup - Lookup kernel symbols
  • knft-dump - Dump all nftables: tables, chains, rules, expressions
  • knft-list-chains - Dump netfilter chains from a specific table
  • knft-list-exprs - Dump only expressions from specific rule
  • knft-list-flowtables - Dump netfilter flowtables from a specific table
  • knft-list-objects - Dump netfilter objects from a specific table
  • knft-list-rules - Dump netfilter rules from a specific chain
  • knft-list-sets - Dump netfilter sets from a specific table
  • knft-list-tables - Dump netfilter tables from a specific network namespace
  • kversion - Outputs the kernel version (/proc/version).
  • pcplist - Print Per-CPU page list
  • slab - Prints information about the slab allocator

Linux/libc/ELF

  • argc - Prints out the number of arguments.
  • argv - Prints out the contents of argv.
  • aslr - Check the current ASLR status, or turn it on/off.
  • auxv-explore - Explore and print information from the Auxiliary ELF Vector.
  • auxv - Print information from the Auxiliary ELF Vector.
  • elfsections - Prints the section mappings contained in the ELF header.
  • envp - Prints out the contents of the environment.
  • errno - Converts errno (or argument) to its string representation.
  • got - Show the state of the Global Offset Table.
  • gotplt - Prints any symbols found in the .got.plt section if it exists.
  • libcinfo - Show libc version and link to its sources
  • linkmap - Show the state of the Link Map
  • onegadget - Find gadgets which single-handedly give code execution.
  • piebase - Calculate VA of RVA from PIE base.
  • plt - Prints any symbols found in the .plt section if it exists.
  • strings - Extracts and displays ASCII strings from readable memory pages of the debugged process.
  • threads - List all threads belonging to the selected inferior.
  • tls - Print out base address of the current Thread Local Storage (TLS).
  • track-got - Controls GOT tracking
  • track-heap - Manages the heap tracker.

Memory

  • distance - Print the distance between the two arguments, or print the offset to the address's page base.
  • gdt - Decode X86-64 GDT entries at address
  • go-dump - Dumps a Go value of a given type at a specified address.
  • go-type - Dumps a Go runtime reflection type at a specified address.
  • hexdump - Hexdumps data at the specified address or module name.
  • leakfind - Attempt to find a leak chain given a starting address.
  • memfrob - Memfrobs a region of memory (xor with '*').
  • mmap - Calls the mmap syscall and prints its resulting address.
  • mprotect - Calls the mprotect syscall and prints its result value.
  • p2p - Pointer to pointer chain search. Searches given mapping for all pointers that point to specified mapping.
  • probeleak - Pointer scan for possible offset leaks.
  • search - Search memory for byte sequences, strings, pointers, and integer values.
  • telescope - Recursively dereferences pointers starting at the specified address.
  • vmmap-add - Add virtual memory map page.
  • vmmap-clear - Clear the vmmap cache.
  • vmmap-explore - Explore a page, trying to guess permissions.
  • vmmap - Print virtual memory map pages.
  • xinfo - Shows offsets of the specified address from various useful locations.
  • xor - XOR count bytes at address with the key key.

Misc

  • asm - Assemble shellcode into bytes
  • checksec - Prints out the binary security settings using checksec.
  • comm - Put comments in assembly code.
  • cyclic - Cyclic pattern creator/finder.
  • cymbol - Add, show, load, edit, or delete custom structures in plain C.
  • down - Select and print stack frame called by this one.
  • dt - Dump out information on a type (e.g. ucontext_t).
  • dumpargs - Prints determined arguments for call instruction.
  • getfile - Gets the current file.
  • hex2ptr - Converts a space-separated hex string to a little-endian address.
  • hijack-fd - Replace a file descriptor of a debugged process.
  • ipi - Start an interactive IPython prompt.
  • patch-list - List all patches.
  • patch-revert - Revert patch at given address.
  • patch - Patches given instruction with given code or bytes.
  • plist - Dumps the elements of a linked list.
  • sigreturn - Display the SigreturnFrame at the specific address
  • spray - Spray memory with cyclic() generated values
  • tips - Shows tips.
  • up - Select and print stack frame that called this one.
  • valist - Dumps the arguments of a va_list.
  • vmmap-load - Load virtual memory map pages from ELF file.

Process

  • killthreads - Kill all or given threads.
  • pid - Gets the pid.
  • procinfo - Display information about the running process.

Register

  • cpsr - Print out ARM CPSR or xPSR register.
  • fsbase - Prints out the FS base address. See also $fsbase.
  • gsbase - Prints out the GS base address. See also $gsbase.
  • setflag - Modify the flags register.

Stack

  • canary - Print out the current stack canary.
  • retaddr - Print out the stack addresses that contain return addresses.
  • stack-explore - Explore stack from all threads.
  • stack - Dereferences on stack data with specified count and offset.
  • stackf - Dereferences on stack data, printing the entire stack frame with specified count and offset.

Start

  • attachp - Attaches to a given pid, process name, process found with partial argv match or to a device file.
  • entry - Start the debugged program stopping at its entrypoint address.
  • sstart - Alias for 'tbreak __libc_start_main; run'.
  • start - Start the debugged program stopping at the first convenient location

Step/Next/Continue

  • nextcall - Breaks at the next call instruction.
  • nextjmp - Breaks at the next jump instruction.
  • nextproginstr - Breaks at the next instruction that belongs to the running program.
  • nextret - Breaks at next return-like instruction.
  • nextsyscall - Breaks at the next syscall not taking branches.
  • stepover - Breaks on the instruction after this one.
  • stepret - Breaks at next return-like instruction by 'stepping' to it.
  • stepsyscall - Breaks at the next syscall by taking branches.
  • stepuntilasm - Breaks on the next matching instruction.
  • xuntil - Continue execution until an address or expression.

WinDbg

  • bc - Clear the breakpoint with the specified index.
  • bd - Disable the breakpoint with the specified index.
  • be - Enable the breakpoint with the specified index.
  • bl - List breakpoints.
  • bp - Set a breakpoint at the specified address.
  • da - Dump a string at the specified address.
  • db - Starting at the specified address, dump N bytes.
  • dc - Starting at the specified address, hexdump.
  • dd - Starting at the specified address, dump N dwords.
  • dds - Dump pointers and symbols at the specified address.
  • dq - Starting at the specified address, dump N qwords.
  • ds - Dump a string at the specified address.
  • dw - Starting at the specified address, dump N words.
  • eb - Write hex bytes at the specified address.
  • ed - Write hex dwords at the specified address.
  • eq - Write hex qwords at the specified address.
  • ew - Write hex words at the specified address.
  • ez - Write a string at the specified address.
  • eza - Write a string at the specified address.
  • go - Windbg compatibility alias for 'continue' command.
  • k - Print a backtrace (alias 'bt').
  • ln - List the symbols nearest to the provided value.
  • pc - Windbg compatibility alias for 'nextcall' command.
  • peb - Not be windows.

jemalloc Heap

pwndbg

  • bugreport - Generate a bug report.
  • config - Shows pwndbg-specific configuration.
  • configfile - Generates a configuration file for the current pwndbg options.
  • memoize - Toggles memoization (caching).
  • profiler - Utilities for profiling pwndbg.
  • pwndbg - Prints out a list of all pwndbg commands.
  • reinit-pwndbg - Makes pwndbg reinitialize all state.
  • reload - Reload pwndbg.
  • theme - Shows pwndbg-specific theme configuration.
  • themefile - Generates a configuration file for the current pwndbg theme options.
  • version - Displays Pwndbg and its important deps versions.