    GEF plugin for GDB

    Date: June 15, 2022, V0.1

    Installation

    GEF has almost no dependencies; it works as a gdbinit script.

    To install from Git, simply clone the GEF repository and add a line sourcing gef.py to your ~/.gdbinit file:

    $ git clone https://github.com/hugsy/gef.git

    $ echo source `pwd`/gef/gef.py >> ~/.gdbinit

    Then just start GDB:

    $ gdb  /path/to/my/bin

    gef➤  gef help

    Some advanced features, such as ROP chain generation, need extra tools, however. It is recommended to install these four: capstone, keystone, unicorn and Ropper.

    For a quick installation, simply use the pip packaged version:

    $ pip3 install capstone unicorn keystone-engine ropper

    Just make sure you are using the pip corresponding to the version of Python your GDB was compiled with.

    My Ubuntu 20 box has Python 3 installed, so pip3.
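The following script is an added example, not part of GEF or the original post. It carries out the installation above while checking the two things that commonly go wrong: it asks GDB which Python version it embeds and installs the optional dependencies with that interpreter's pip, and it appends the `source` line to ~/.gdbinit only once (plain `>>` adds a duplicate on every re-run). It assumes git and gdb are on PATH and that a `pythonX.Y` binary matching GDB's Python exists.

```shell
#!/bin/sh
# Added example, not from GEF or the original post: install GEF and its
# optional dependencies against the Python interpreter that GDB embeds, and
# register gef.py in ~/.gdbinit without duplicating the line on re-runs.
# Assumed: git and gdb on PATH, and a pythonX.Y binary matching GDB's Python.
set -eu

# Report the Python version GDB was built with (e.g. "3.8"); empty if GDB has
# no Python support. -nx skips ~/.gdbinit so a broken init file cannot
# interfere with the probe.
gdb_python_version() {
    gdb -q -nx -batch \
        -ex 'python import sys; print("%d.%d" % sys.version_info[:2])' \
        2>/dev/null | tail -n 1
}

# Map "3.8" to the pip invocation that installs into that interpreter's
# site-packages, which is where GDB's embedded Python will import from.
pip_for_python() {
    [ -n "$1" ] || return 1
    printf 'python%s -m pip\n' "$1"
}

# Append "source <gef.py>" to a gdbinit file only if that exact line is not
# already present (plain ">>" as in the quick-start adds a copy every time).
add_gdbinit_source() {
    line="source $1"
    touch "$2"
    if ! grep -qxF -- "$line" "$2"; then
        printf '%s\n' "$line" >> "$2"
    fi
}

# How many times a gdbinit file sources the given gef.py (prints 0 if never).
count_gdbinit_sources() {
    grep -cxF -- "source $1" "$2" || true
}

# Full procedure: clone once, register in ~/.gdbinit, install deps with the
# pip that belongs to GDB's Python.
install_gef() {
    dest="${1:-$HOME/gef}"
    [ -d "$dest/.git" ] || git clone https://github.com/hugsy/gef.git "$dest"
    add_gdbinit_source "$dest/gef.py" "$HOME/.gdbinit"
    ver="$(gdb_python_version)"
    if [ -z "$ver" ]; then
        echo "gdb has no Python support; GEF cannot load" >&2
        return 1
    fi
    pip="$(pip_for_python "$ver")"
    # $pip is word-split on purpose: "python3.8 -m pip"
    $pip install capstone unicorn keystone-engine ropper
}
```

Run it with `install_gef` (optionally passing a clone directory). If `gdb_python_version` prints nothing, GDB was built without Python and GEF will not load no matter which pip is used.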

    Remote debugging

    Start gdbserver on the remote machine. Note that 0.0.0.0 binds the debug port on every interface, and the GDB remote protocol has no authentication, so anyone who can reach the port can drive the process and run code as its user; outside an isolated lab network, bind to 127.0.0.1 and tunnel the port over SSH instead:

    remote:~ $ gdbserver 0.0.0.0:1234 /path/to/file

    Running as PID: 666

    On the local machine:

    gdb -q

    gef➤ gef-remote -t your.ip.address:1234 -p 666
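The script below is an added example, not GEF's own code or part of the original post. It performs the remote session above without exposing the debug port: gdbserver binds to the remote loopback only, the local machine reaches it through an SSH port forward, and the PID from gdbserver's banner is parsed instead of copied by hand. It assumes SSH access to the remote host and GEF loaded through ~/.gdbinit; the `gef-remote` arguments are the ones shown on this page, and later GEF releases changed that syntax, so adapt the `-ex` line to the version in use.

```shell
#!/bin/sh
# Added example, not from GEF or the original post: gdbserver listens on the
# remote loopback only, the local side reaches it through an SSH tunnel, and
# the PID that gdbserver reports is parsed instead of copied by hand.
# Assumed: SSH access to the remote host, and GEF loaded through ~/.gdbinit.
set -eu

# Pull the PID out of gdbserver's banner. Handles both the "Running as PID: N"
# line shown in the GEF docs and gdbserver's own "pid = N" wording.
gdbserver_pid() {
    sed -n -e 's/^Running as PID: \([0-9][0-9]*\).*/\1/p' \
           -e 's/^Process .* created; pid = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Command to run on the remote side: bind to 127.0.0.1 so that only local
# users and the tunnel can reach the unauthenticated GDB remote protocol.
remote_gdbserver_cmd() {
    printf 'gdbserver 127.0.0.1:%s %s\n' "$1" "$2"
}

# Constructed sample of gdbserver output, for trying the parser offline.
sample_gdbserver_banner() {
    printf 'Process /path/to/file created; pid = 666\n'
    printf 'Listening on port 1234\n'
    printf 'Running as PID: 666\n'
}

# Open the tunnel, start gdbserver through it, wait for the PID banner, then
# attach with gef-remote (argument form as on this page) and dump registers.
debug_remote() {
    host="$1"; bin="$2"; port="${3:-1234}"
    log="$(mktemp)"
    # -L maps local $port to 127.0.0.1:$port on the remote; the same ssh
    # session runs gdbserver, so closing it tears everything down.
    ssh -L "$port:127.0.0.1:$port" "$host" "$(remote_gdbserver_cmd "$port" "$bin")" \
        > "$log" 2>&1 &
    tunnel=$!
    pid=""
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        pid="$(gdbserver_pid < "$log")"
        if [ -n "$pid" ]; then break; fi
        sleep 1
    done
    if [ -z "$pid" ]; then
        echo "gdbserver did not report a PID:" >&2
        cat "$log" >&2
        kill "$tunnel" 2>/dev/null || true
        return 1
    fi
    gdb -q -batch \
        -ex "gef-remote -t 127.0.0.1:$port -p $pid" \
        -ex "registers" \
        -ex "detach"
    kill "$tunnel" 2>/dev/null || true
    rm -f "$log"
}
```

Usage: `debug_remote user@remote.host /path/to/file 1234`. The loopback bind plus tunnel means the only thing listening on the network is sshd, which does authenticate.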

    Feature tips

    entry-break

    The entry-break (alias start) command's goal is to find and break at the most obvious entry point available in the binary. Since the binary will start running, some of the PLT entries will also be resolved, making further debugging easier.

    It will perform the following actions:

    Look up a main symbol. If found, set a temporary breakpoint and go.

    Otherwise, it looks for __libc_start_main. If found, set a temporary breakpoint and go.

    Finally, if the previous two symbols are not found, it will get the entry point from the ELF header, set a breakpoint and run. This case should never fail if the ELF binary has a valid structure.
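As an added example (not GEF's code), the script below does what the last fallback describes: it reads e_entry from the ELF header with od. It also checks e_type first, which is the caveat that matters in practice: in a PIE (ET_DYN) the header's e_entry is an offset from the load base, so `break *e_entry` before `run` points at unmapped memory, and the sensible plan is `starti` followed by `info files`, which reports the relocated entry point once the process exists. The sample headers it builds are constructed for the demonstration and are headers only, not loadable binaries.

```shell
#!/bin/sh
# Added example, not GEF's own code: read the entry point out of the ELF
# header (entry-break's last fallback) and pick a GDB plan that also works
# for PIE binaries, where e_entry is relative to the load base.
# Sample headers are constructed below; they are headers only, not loadable.
set -eu

# True if FILE starts with the ELF magic.
elf_check_magic() {
    [ "$(od -An -v -tx1 -N 4 "$1" | tr -d ' ')" = "7f454c46" ]
}

# Print LEN bytes at OFFSET of FILE as one hex number, honouring the
# byte-order flag at offset 5 (01 = little-endian, 02 = big-endian).
elf_field() {
    order="$(od -An -v -tx1 -j 5 -N 1 "$1" | tr -d ' ')"
    hex=""
    for b in $(od -An -v -tx1 -j "$2" -N "$3" "$1"); do
        if [ "$order" = "01" ]; then hex="$b$hex"; else hex="$hex$b"; fi
    done
    printf '0x%x\n' "0x$hex"
}

# e_entry sits at offset 24 in both classes: 4 bytes in ELF32, 8 in ELF64.
elf_entry() {
    elf_check_magic "$1" || { echo "$1: not an ELF file" >&2; return 1; }
    case "$(od -An -v -tx1 -j 4 -N 1 "$1" | tr -d ' ')" in
        01) elf_field "$1" 24 4 ;;
        02) elf_field "$1" 24 8 ;;
        *)  echo "$1: unknown ELF class" >&2; return 1 ;;
    esac
}

# e_type at offset 16: 2 = ET_EXEC (fixed addresses), 3 = ET_DYN (PIE or .so).
elf_type() {
    case "$(elf_field "$1" 16 2)" in
        0x2) echo EXEC ;;
        0x3) echo DYN ;;
        *)   echo OTHER ;;
    esac
}

# The GDB command that reaches the entry point: an absolute breakpoint for
# ET_EXEC, "starti" for ET_DYN (the header address is not mapped yet).
entry_break_plan() {
    if [ "$(elf_type "$1")" = EXEC ]; then
        printf 'break *%s\n' "$(elf_entry "$1")"
    else
        echo starti
    fi
}

# Run GDB non-interactively with that plan and show where it stopped.
entry_break_run() {
    plan="$(entry_break_plan "$1")"
    if [ "$plan" = starti ]; then
        gdb -q -batch -ex starti -ex 'info files' -ex 'x/i $pc' "$1"
    else
        gdb -q -batch -ex "$plan" -ex run -ex 'x/i $pc' "$1"
    fi
}

# Constructed sample: first 32 bytes of a little-endian ELF64 header with
# e_type = ET_EXEC, e_machine = x86-64, e_entry = 0x401040.
make_sample_elf64() {
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000' > "$1"
    printf '\002\000\076\000\001\000\000\000\100\020\100\000\000\000\000\000' >> "$1"
}

# Constructed sample: first 28 bytes of a little-endian ELF32 header with
# e_type = ET_DYN (PIE), e_machine = i386, e_entry = 0x1040.
make_sample_elf32() {
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000' > "$1"
    printf '\003\000\003\000\001\000\000\000\100\020\000\000' >> "$1"
}
```

On a real binary, `entry_break_run ./a.out` prints the first instruction at the entry point; for a PIE the `info files` line "Entry point:" gives the address to use in a subsequent `break *`. Reading the byte-order flag rather than assuming the host's endianness keeps `elf_entry` correct for foreign-architecture firmware images as well.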

    ksymaddr

    gef➤  ksymaddr commit_creds

    [+] Found matching symbol for 'commit_creds' at 0x0 (type=T)

    [*] Found partial match for 'commit_creds' at 0x0 (type=r): __ksymtab_commit_creds

    [*] Found partial match for 'commit_creds' at 0x0 (type=r): __kstrtab_commit_creds

    [*] Found partial match for 'commit_creds' at 0x0 (type=r): __kstrtabns_commit_creds

    [!] Check that you have the correct permissions to view kernel symbol addresses

    The addresses are shown as 0x0 because the necessary permissions are missing. Note that the debugging process needs to have the correct permissions for this command to show kernel addresses. GEF reads them from /proc/kallsyms, and with kernel.kptr_restrict set to 1 the kernel reports every address there as zero to unprivileged users (with 2, even to root), so run GDB as root or lower kptr_restrict before trusting the output.
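The script below is an added example, not GEF's code. It looks a symbol up in a kallsyms-format file the way ksymaddr does, but refuses to return an address that has been masked to zeros, reporting the current kernel.kptr_restrict value instead, so a zero is never mistaken for a real address in a kernel exploitation workflow. The two sample files it constructs stand in for what an unprivileged user and root see; the non-zero addresses in them are made up.

```shell
#!/bin/sh
# Added example, not GEF's own code: resolve a kernel symbol from a
# kallsyms-format file and detect kptr_restrict masking instead of
# reporting 0x0 as if it were an address. Sample contents are constructed
# below; the addresses in them are made up.
set -eu

# Print the address of SYMBOL from FILE (default /proc/kallsyms) as 0x...;
# status 1 if the address is masked to zeros, 2 if the symbol is absent.
ksym_addr() {
    sym="$1"; file="${2:-/proc/kallsyms}"
    # kallsyms columns: address, type, name
    addr="$(awk -v s="$sym" '$3 == s { print $1; exit }' "$file")"
    if [ -z "$addr" ]; then
        echo "symbol $sym not found in $file" >&2
        return 2
    fi
    # An all-zero address means the kernel hid it, not that it lives at 0.
    if [ -z "$(printf '%s' "$addr" | tr -d 0)" ]; then
        restrict="$(cat /proc/sys/kernel/kptr_restrict 2>/dev/null || echo '?')"
        echo "address of $sym is masked (kernel.kptr_restrict=$restrict); run as root or lower it" >&2
        return 1
    fi
    echo "0x$addr"
}

# Constructed sample: what an unprivileged user sees with kptr_restrict=1.
make_masked_kallsyms() {
    cat > "$1" <<'EOF'
0000000000000000 T commit_creds
0000000000000000 r __ksymtab_commit_creds
0000000000000000 r __kstrtab_commit_creds
EOF
}

# Constructed sample: the same symbols as seen by root (made-up addresses).
make_unmasked_kallsyms() {
    cat > "$1" <<'EOF'
ffffffff810c4d20 T commit_creds
ffffffff81e0a9a0 r __ksymtab_commit_creds
ffffffff8201c8e4 r __kstrtab_commit_creds
EOF
}
```

`ksym_addr commit_creds` against the live /proc/kallsyms gives the same answer as `ksymaddr commit_creds` in GEF when the caller is privileged, and a non-zero exit status otherwise, which is the check to run before building anything on top of the value.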

    References

    https://gef.readthedocs.io/en/master/

    Original URL: https://www.cnblogs.com/robotech/p/16378626.html