Using PEDA (GDB)

PEDA - Python Exploit Development Assistance for GDB

There is nothing complicated in the installation instructions. The ~/.gdbinit file contains commands that are to be executed at gdb startup. You can think of it as a .bashrc for gdb.

git clone https://github.com/longld/peda.git ~/peda

echo "source ~/peda/peda.py" >> ~/.gdbinit

Find below some additional and useful gdb commands:

  • disas [function name] — Shows a disassembly of the function with the given name.

  • break [function] or break *0xaddress — Puts a breakpoint at the entry of the function with the given name or at the given address. Execution will stop each time a breakpoint is reached.

  • print [name] — Displays the contents of the object with the given name. The name could be a function name, register or variable.

  • info [name] — Displays information about a certain name; for example, info registers prints the contents of all registers.

  • step — Step in the program until it reaches the next source line (Step Over).

  • stepi — Step into exactly one instruction.

  • x — examine. This command can be used to display various memory locations in various formats. The syntax for it is: x/[number of units][data type] [location name]. For example, you can use:

    • x/20w $esi, which displays 20 words starting from where esi points to, or

    • x/10i $eip, which displays 10 instructions starting from where eip points to.

You can find more gdb x command references at: ftp://ftp.gnu.org/old-gnu/Manuals/gdb/html_chapter/gdb_9.html
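To make the x/[number of units][data type] [location] syntax concrete, here is an added example (not gdb's or PEDA's code) that emulates the examine command over a constructed memory image. The base address, the bytes in the image and the register values are made up; the x, d, u, c and s formats and the b/h/w/g unit sizes are handled, the instruction format (i) is not, since that needs a disassembler. Reading past the end of the image raises the same kind of error gdb reports for unmapped memory.

```python
"""Emulation of gdb's x/[count][format][size] examine command over a
constructed memory image. Added illustration, not gdb's or PEDA's code."""
import re
import struct

# Constructed memory image: eight little-endian 32-bit words followed by a
# NUL-terminated string, placed at a made-up base address.
BASE_ADDR = 0x08049000
MEMORY = (
    struct.pack("<8I", 0xDEADBEEF, 0x41414141, 0x08048000, 0, 1, 2, 3, 0xFFFFFFFC)
    + b"flag.txt\x00"
)
# Constructed register file: $esi points at the words, $eip at the string.
REGISTERS = {"$esi": BASE_ADDR, "$eip": BASE_ADDR + 32}

UNIT_SIZES = {"b": 1, "h": 2, "w": 4, "g": 8}
SPEC = re.compile(r"^x/(\d*)([xducs]?)([bhwg]?)$")


def resolve_location(loc, registers=REGISTERS):
    """Turn "$esi" or "0x8049020" into an address."""
    if loc.startswith("$"):
        return registers[loc]
    return int(loc, 0)


def examine(cmd, memory=MEMORY, base=BASE_ADDR, registers=REGISTERS):
    """Run one examine command such as "x/4xw $esi" and return a list of
    (address, rendered value) pairs in the order gdb would print them.
    Formats: x (hex, default), d (signed), u (unsigned), c (char), s (string).
    Unit sizes: b, h, w (default), g."""
    spec, loc = cmd.split()
    m = SPEC.match(spec)
    if not m:
        raise ValueError(f"unsupported examine syntax: {cmd!r}")
    count = int(m.group(1) or "1")
    fmt = m.group(2) or "x"
    # gdb defaults the unit to one byte for the character format.
    size = UNIT_SIZES[m.group(3) or ("b" if fmt == "c" else "w")]
    offset = resolve_location(loc, registers) - base
    rows = []
    for _ in range(count):
        if fmt == "s":
            end = memory.find(b"\x00", offset) if offset >= 0 else -1
            if end < 0:
                raise IndexError(f"Cannot access memory at address 0x{base + offset:x}")
            rows.append((base + offset, memory[offset:end].decode("latin-1")))
            offset = end + 1
            continue
        chunk = memory[offset:offset + size] if offset >= 0 else b""
        if len(chunk) < size:
            raise IndexError(f"Cannot access memory at address 0x{base + offset:x}")
        value = int.from_bytes(chunk, "little", signed=(fmt == "d"))
        if fmt == "x":
            text = f"0x{value:0{size * 2}x}"
        elif fmt == "c":
            text = f"{value} {chr(value)!r}"   # gdb prints e.g. 102 'f'
        else:
            text = str(value)
        rows.append((base + offset, text))
        offset += size
    return rows


def render(rows, per_line=4):
    """Lay the values out like gdb: an address label, then several units per line."""
    lines = []
    for i in range(0, len(rows), per_line):
        addr = rows[i][0]
        lines.append(f"0x{addr:08x}:\t" + "\t".join(text for _, text in rows[i:i + per_line]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(examine("x/8xw $esi")))
    print(render(examine("x/s $eip")))
    print(render(examine("x/4c $eip")))
    try:
        examine("x/20w $esi")   # runs off the end of the image, like reading unmapped memory
    except IndexError as err:
        print(err)
```

The count/format/size triple is parsed exactly as gdb reads it (any of the three may be omitted, and the format letter and the size letter may appear in either order in real gdb; this emulation accepts format-then-size only).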

It is worth mentioning that there are two common assembly syntax variants: AT&T and Intel.

gdb, by default, uses the AT&T syntax, which means the assembly code is written differently. For example, a percent sign needs to precede any register, and the operands are written in reverse order compared to the Intel syntax, which can lead to confusion.

You can change the syntax handling manually by issuing the "set disassembly-flavor intel" command. PEDA does this by default, as its source code shows.
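The two differences named above (the % and $ prefixes, and the reversed operand order) are easiest to see side by side. The following is an added example, not gdb's disassembler: it rewrites a small subset of AT&T instruction text into Intel syntax. The set of suffixed mnemonics and the handled operand forms (register, immediate, displacement(base,index,scale)) are this example's own assumptions, and it leaves out the DWORD PTR size qualifiers that gdb's Intel output carries. In practice you simply let gdb or PEDA emit Intel syntax; the converter exists only to show what changes.

```python
"""Convert a subset of AT&T-syntax instruction text to Intel syntax.
Added illustration of the two syntaxes, not gdb's or PEDA's code."""
import re

# displacement(base,index,scale) memory operand, e.g. -0x4(%ebp) or 0x4(%esp,%ebx,4)
MEM_OPERAND = re.compile(
    r"^(-?(?:0x[0-9a-fA-F]+|\d+))?\((%\w+)?(?:,(%\w+)(?:,([1248]))?)?\)$"
)
# Mnemonics to which AT&T appends an operand-size suffix (b/w/l/q) that Intel drops.
# Assumed subset for this example.
SUFFIXED = {"mov", "push", "pop", "add", "sub", "cmp", "lea", "xor", "and",
            "or", "test", "inc", "dec", "shl", "shr", "imul"}


def split_operands(text):
    """Split on commas that are not inside a parenthesised memory operand."""
    ops, depth, cur = [], 0, ""
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            ops.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        ops.append(cur.strip())
    return ops


def operand_to_intel(op):
    """$0x10 -> 0x10, %eax -> eax, -0x4(%ebp) -> [ebp-0x4]; anything else is kept."""
    if op.startswith("$"):            # immediate loses its $ prefix
        return op[1:]
    if op.startswith("%"):            # register loses its % prefix
        return op[1:]
    m = MEM_OPERAND.match(op)
    if not m:
        return op                     # symbols such as "0x8048300 <puts@plt>" unchanged
    disp, base, index, scale = m.groups()
    parts = []
    if base:
        parts.append(base[1:])
    if index:
        parts.append(f"{index[1:]}*{scale}" if scale else index[1:])
    expr = "+".join(parts)
    if disp:
        d = int(disp, 0)
        if expr:
            expr += f"{'+' if d >= 0 else '-'}0x{abs(d):x}"
        else:
            expr = f"{'-' if d < 0 else ''}0x{abs(d):x}"
    return f"[{expr}]"


def att_to_intel(line):
    """Convert one instruction, e.g. "movl $0x10, %eax" -> "mov eax, 0x10"."""
    line = line.strip()
    if not line:
        return line
    mnemonic, _, rest = line.partition(" ")
    if mnemonic[-1] in "bwlq" and mnemonic[:-1] in SUFFIXED:
        mnemonic = mnemonic[:-1]
    operands = [operand_to_intel(op) for op in split_operands(rest)]
    operands.reverse()                # AT&T: source, destination; Intel: destination, source
    return mnemonic + (" " + ", ".join(operands) if operands else "")


if __name__ == "__main__":
    # Constructed sample of a typical function prologue in AT&T syntax.
    for att in ["push %ebp", "mov %esp,%ebp", "sub $0x10,%esp",
                "movl $0x0,-0x4(%ebp)", "lea 0x4(%esp,%ebx,4), %ecx", "ret"]:
        print(f"{att:32} -> {att_to_intel(att)}")
```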

Other tools that are useful when inspecting Linux binaries are readelf, ltrace, strace and objdump.

You may also like to use strings.

ltrace and strace trace library or system calls performed by the target binary.

readelf displays information about an ELF (Linux executable format) file.

objdump displays information about object files. It can also be used for disassembling Linux executables.

strings extracts readable strings from a binary. This is useful for extracting hardcoded paths, "secret" strings or names.
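What strings actually does is simple enough to write out. The following is an added example, not binutils code: it scans a constructed blob for runs of printable characters and reports their offsets, the way strings -t x does. It goes one step beyond the text above by also scanning for 16-bit little-endian text (the strings -e l option), which an ASCII-only scan misses entirely, a common reason a hardcoded string seems absent from a binary. The blob contents are made up.

```python
"""A minimal version of the strings utility, with file offsets and an optional
UTF-16LE scan. Added illustration on a constructed blob, not binutils code."""
import re

# Constructed blob: a fake ELF header, a hardcoded path, a UTF-16LE string,
# some padding and a two-character string that is too short to report.
SAMPLE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8     # offset 0..15
    + b"/tmp/.secret_key\x00\x00"               # offset 16..33
    + "hidden".encode("utf-16-le") + b"\x00\x00" # offset 34..47
    + b"\x90\x90\x90" + b"OK\x00"                # offset 48..53
)


def extract_strings(data, min_len=4, encoding="ascii"):
    """Return (offset, text) pairs for every printable run of at least min_len
    characters. encoding="ascii" matches 8-bit text, "utf-16-le" matches
    16-bit little-endian text (each printable byte followed by a NUL byte)."""
    if encoding == "ascii":
        pattern = rb"[\x20-\x7e]{%d,}" % min_len
    elif encoding == "utf-16-le":
        pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    else:
        raise ValueError(f"unsupported encoding {encoding!r}")
    return [(m.start(), m.group().decode(encoding)) for m in re.finditer(pattern, data)]


def report(data, min_len=4):
    """Lines in the style of `strings -t x`: hex offset, then the string."""
    lines = []
    for enc in ("ascii", "utf-16-le"):
        for offset, text in extract_strings(data, min_len, enc):
            lines.append(f"{offset:7x} {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Lowering min_len turns up short fragments ("ELF", "OK") at the cost of noise, which is why the real tool defaults to 4.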
