GDB (GNU Debugger)
What You Will Learn
- How to navigate and debug binaries with GDB
- How to inspect registers, memory, and the stack
- How to set breakpoints and step through code
- Advanced GDB tricks for exploit development
What Is It?
GDB (GNU Debugger) is the standard debugger for Linux programs. It lets you run a program one instruction or source line at a time, inspect and modify memory and registers, and see exactly what the program is doing. It is the most important tool for binary exploitation and reverse engineering on Linux. One default worth knowing from the start: GDB turns off ASLR for programs it launches (set disable-randomization is on by default), so addresses you see under GDB are stable across runs but will not match a run outside the debugger unless you turn that off.
Setup
# Set Intel syntax (easier to read than AT&T)
echo "set disassembly-flavor intel" >> ~/.gdbinit
# Install pwndbg (or peda / GEF) for richer context display; setup.sh appends a source line to ~/.gdbinit
git clone https://github.com/pwndbg/pwndbg
cd pwndbg && ./setup.sh
Core Commands
# Start GDB with a binary
gdb ./binary
# Start and stop at the first instruction
starti
# Run the program normally (no breakpoints)
run
r
# Continue execution after a breakpoint
continue
c
Breakpoints
# Break at a function name
break main
b main
# Break at an address
b *0x401234
# Break at function + offset
b *main+64
# List breakpoints
info break
# Delete a breakpoint
delete 1
# Disable / enable a breakpoint
disable 1
enable 1
Stepping
# Step one instruction (follows calls INTO functions)
si
# Step one instruction (steps OVER function calls)
ni
# Next source line (source-level step over)
next
n
# Step into source line
step
s
# Finish current function and return to caller
finish
Registers and Memory
# Display all registers
info registers
i r
# Display specific register in hex
p/x $rdi
# Display next 8 instructions from RIP, re-evaluated at every stop (unlike x, which runs once)
display/8i $rip
# Display 4 quad-words (8 bytes each) from RSP at every stop
display/4gx $rsp
# Examine memory
# x/<count><format> <address>
x/16xb $rsp # 16 bytes as hex
x/4gx $rsp # 4 quad-words
x/10i $rip # 10 instructions from RIP
x/s $rdi # string at rdi
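The sections above (running with input, breakpoints, stepping, register and memory inspection) as one scripted session. This is an added example, not from the original page: it builds a small constructed target, drives GDB non-interactively with -batch/-ex, and stops inside a function to look at its argument, the stack and the return value. It assumes gcc and gdb on a 64-bit Linux host; target.c and input.txt are names chosen here, and $pc/$sp are GDB's architecture-neutral names for rip/rsp on x86_64.

```shell
#!/bin/sh
# Added example (not from the original page): a complete non-interactive
# GDB session against a small constructed target, exercising run with
# redirected stdin, a function breakpoint, instruction stepping, stack and
# register inspection, and capturing a return value with finish.
# Assumes gcc and gdb on 64-bit Linux; target.c and input.txt are names
# chosen here. $pc/$sp are GDB's portable names for rip/rsp on x86_64.

# Constructed target: copies a line from stdin into a stack buffer.
write_target() {
    cat > "$1/target.c" <<'EOF'
#include <stdio.h>
#include <string.h>

int greet(const char *name) {
    char buf[32];
    strncpy(buf, name, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return (int)strlen(buf);
}

int main(void) {
    char line[64] = {0};
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    line[strcspn(line, "\n")] = '\0';
    return greet(line) == 0;
}
EOF
    gcc -g -O0 -o "$1/target" "$1/target.c"
}

# -nx ignores ~/.gdbinit (so pwndbg/peda cannot reshape the output) and
# -batch exits after the last -ex. Prints the whole transcript; the ARG=
# and RET= lines come from GDB's own printf so they are easy to grep.
gdb_session() {
    for tool in gcc gdb; do
        command -v "$tool" >/dev/null 2>&1 || { echo "SKIP: $tool not installed"; return 0; }
    done
    dir=$(mktemp -d) || return 1
    write_target "$dir" || return 1
    printf 'pwn\n' > "$dir/input.txt"
    gdb -q -nx -batch \
        -ex 'set pagination off' \
        -ex 'set confirm off' \
        -ex 'break greet' \
        -ex "run < $dir/input.txt" \
        -ex 'bt' \
        -ex 'x/3i $pc' \
        -ex 'ni' \
        -ex 'ni' \
        -ex 'p/x $pc' \
        -ex 'x/4gx $sp' \
        -ex 'info frame' \
        -ex 'printf "ARG=%s\n", name' \
        -ex 'finish' \
        -ex 'printf "RET=%d\n", $' \
        "$dir/target" 2>&1
    rm -rf "$dir"
}

gdb_session
```

The two ni commands step over the strncpy call rather than into it; swap them for si to land inside libc. After finish, GDB puts the returned value into the value history, which is why `$` (last history value) holds greet's return value of 3 for the input "pwn".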
Process Information
# Memory map of the process (full name: info proc mappings; map is the accepted abbreviation)
info proc map
# Stack frame info
info frame
# List source files (if debug info available)
info sources
Disassembly
# Disassemble a function
disas main
disassemble main
# Disassemble at current instruction
disas $rip
Advanced: TLS and File Structures
# The glibc-internal types below need glibc debug symbols (libc6-dbg or debuginfod).
# tcbhead_t is a typedef of an anonymous struct in glibc's tls.h, so it is written without "struct".
# Access the Thread Control Block (TLS struct); $fs_base is x86_64-only
ptype tcbhead_t
set $tcb = (tcbhead_t *)$fs_base
p *$tcb
# Get offset of _IO_read_ptr inside FILE struct (offsetof via a null pointer).
# struct _IO_FILE is complete in the public headers, so a -g build of your own program is enough here.
p &((struct _IO_FILE *)0)->_IO_read_ptr
# Cast a pointer to a FILE struct; fp must be a FILE * in scope, and _IO_FILE_plus
# is the FILE followed by its vtable pointer (offset 0xd8 on x86_64)
p *(struct _IO_FILE_plus *) fp
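The FILE-struct part of the section above, worked through on a real process. This is an added example, not from the original page: it recovers field offsets with the null-pointer offsetof trick using only the program's own DWARF, then breaks on fclose, selects main's frame so fp is in scope, and reads the buffered bytes through the struct fields. It assumes gcc, gdb and glibc on 64-bit Linux; filetarget.c is a name chosen here. The tcbhead_t and _IO_FILE_plus casts are left out because they need libc debug symbols that may not be installed.

```shell
#!/bin/sh
# Added example (not from the original page): recover FILE-struct field
# offsets with the null-pointer offsetof trick and inspect a live FILE at a
# breakpoint. struct _IO_FILE is complete in the public glibc headers, so a
# -g build of our own program carries its layout; no libc debug symbols are
# needed for this part (tcbhead_t and struct _IO_FILE_plus are internal and
# still need libc6-dbg/debuginfod). Assumes gcc, gdb and glibc on 64-bit
# Linux; filetarget.c is a name chosen here.

# Constructed target: opens a stream, buffers five bytes, then closes it.
write_target() {
    cat > "$1/filetarget.c" <<'EOF'
#include <stdio.h>

int main(void) {
    FILE *fp = fopen("/dev/null", "w");   /* a real FILE to inspect */
    if (fp == NULL)
        return 1;
    fputs("hello", fp);                   /* stays in the write buffer */
    fclose(fp);                           /* breakpoint target */
    return 0;
}
EOF
    gcc -g -O0 -o "$1/filetarget" "$1/filetarget.c"
}

# Static part first (no process needed): layout and offsets from DWARF.
# Then break on fclose, move "up" to main's frame so fp resolves, and read
# the buffered data and descriptor through the struct fields.
inspect_file() {
    for tool in gcc gdb; do
        command -v "$tool" >/dev/null 2>&1 || { echo "SKIP: $tool not installed"; return 0; }
    done
    dir=$(mktemp -d) || return 1
    write_target "$dir" || return 1
    gdb -q -nx -batch \
        -ex 'set pagination off' \
        -ex 'set confirm off' \
        -ex 'ptype struct _IO_FILE' \
        -ex 'printf "OFF_IO_read_ptr=%ld\n", (long)&((struct _IO_FILE *)0)->_IO_read_ptr' \
        -ex 'printf "OFF_IO_write_ptr=%ld\n", (long)&((struct _IO_FILE *)0)->_IO_write_ptr' \
        -ex 'printf "OFF_fileno=%ld\n", (long)&((struct _IO_FILE *)0)->_fileno' \
        -ex 'printf "SIZEOF_FILE=%ld\n", (long)sizeof(struct _IO_FILE)' \
        -ex 'break fclose' \
        -ex 'run' \
        -ex 'up' \
        -ex 'p *fp' \
        -ex 'p/x fp->_flags' \
        -ex 'x/5c fp->_IO_write_base' \
        -ex 'printf "FILENO=%d\n", fp->_fileno' \
        -ex 'printf "BUFFERED=%ld\n", (long)(fp->_IO_write_ptr - fp->_IO_write_base)' \
        "$dir/filetarget" 2>&1
    rm -rf "$dir"
}

inspect_file
```

Because /dev/null is not a terminal the stream is fully buffered, so at the fclose breakpoint the five bytes of "hello" are still between _IO_write_base and _IO_write_ptr; that write window is exactly what FILE-structure-oriented exploitation manipulates.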
Analyzing setuid Programs
# 1. Copy the program to a writable location you own. The kernel ignores the setuid bit
#    for a program started under an unprivileged tracer, so either way it runs with YOUR
#    privileges under GDB: code paths that depend on euid will not behave as on the real target.
cp /usr/bin/suid_binary /tmp/
# 2. GDB disables ASLR for the debuggee, so on x86_64 a PIE binary loads at 0x555555554000
#    every run. Define that as $BASE in ~/.gdbinit and write breakpoints as b *($BASE+0x1234);
#    confirm the base with "info proc mappings" after starti.
nano ~/.gdbinit
# add: set $BASE = 0x0000555555554000
GDB Scripting
# Run GDB with a script file (-batch exits when the script ends, -nx skips ~/.gdbinit)
gdb -x script.gdb ./binary
# Script contents example:
# b *main+100
# r < input.txt
# set $rip = (long)&main + 200
# c
# The leading * is breakpoint syntax only: in a plain expression *main dereferences the function
# and *main+200 is not a valid address, so the assignment uses (long)&main + 200 instead.
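A script-file session that ties the last two sections together. This is an added example, not from the original page: instead of hard-coding 0x555555554000, the script derives the PIE load base from a symbol read before and after starti, breaks at base+offset, feeds the program its input from a file, and then forges a function's return value with GDB's return command so a wrong password is accepted. The same script runs unchanged against a setuid binary copied to /tmp, with the caveat above that the copy runs as you. It assumes gcc and gdb on 64-bit Linux; pietarget.c, input.txt and script.gdb are names chosen here, and $BASE matches the variable name the page uses.

```shell
#!/bin/sh
# Added example (not from the original page): a GDB script file driven with
# -x that derives a PIE's load base at runtime, breaks at base+offset, feeds
# stdin from a file, and forces check() to return 1 so "wrong" is accepted.
# Assumes gcc and gdb on 64-bit Linux; pietarget.c, input.txt and script.gdb
# are names chosen here; $BASE is the variable name the page uses.

# Constructed target: a password check compiled as a PIE.
write_target() {
    cat > "$1/pietarget.c" <<'EOF'
#include <stdio.h>
#include <string.h>

int check(const char *s) { return strcmp(s, "letmein") == 0; }

int main(void) {
    char line[64] = {0};
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    line[strcspn(line, "\n")] = '\0';
    puts(check(line) ? "granted" : "denied");
    return 0;
}
EOF
    gcc -g -O0 -fPIE -pie -o "$1/pietarget" "$1/pietarget.c"
}

# The GDB script. Before the process exists the symbols are unrelocated, so
# (long)&check is the file offset nm/objdump would show; after starti the
# image is mapped and the same symbol is relocated. The difference is the base.
write_script() {
    cat > "$1/script.gdb" <<'EOF'
set pagination off
set confirm off
set $off = (long)&check
starti < input.txt
set $BASE = (long)&check - $off
printf "BASE=0x%lx\n", $BASE
printf "BASE_PAGE_ALIGNED=%d\n", ($BASE & 0xfff) == 0
# base+offset breakpoints keep working if the base differs from 0x555555554000
break *($BASE + $off)
continue
printf "AT_CHECK=%d\n", (long)$pc == (long)&check
# pop check()'s frame with a forged return value, then let main print the verdict
return 1
continue
EOF
}

pie_session() {
    for tool in gcc gdb; do
        command -v "$tool" >/dev/null 2>&1 || { echo "SKIP: $tool not installed"; return 0; }
    done
    dir=$(mktemp -d) || return 1
    write_target "$dir" || return 1
    write_script "$dir"
    printf 'wrong\n' > "$dir/input.txt"
    ( cd "$dir" && gdb -q -nx -batch -x script.gdb ./pietarget 2>&1 )
    rm -rf "$dir"
}

pie_session
```

On x86_64 with ASLR disabled BASE prints as 0x555555554000; in a container that refuses the personality change GDB warns and the base is randomized, which is exactly why computing it beats the constant. The "return 1" line needs confirm off in batch mode, since return normally asks for confirmation.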