Making GDB cool again


$ who

  • I like playing with low-level stuff
    • assembly, exploit, reverse
  • CTF player, code reviewer, bug bounty collector
    • online, on-site, crackmes, etc.

From the Dark Age came GDB

~1986

Multi-platform Un*x debugger (originally for VAX and M68K)

Open Source from Day 1* (RMS was a large committer)

Pure C + Bison

Then Linux Arose

1991

GCC+GDB+Vim/Emacs quickly became the reference dev combination

GDB got massive improvements from FOSS community

“ In other words, go ahead and share GDB, don't try to stop anyone else from sharing it farther. Help stamp out software hoarding! ”

The Golden Age

1993 - 2003

Grew big: v4.x (~1.3MB), v6.x (>13MB)

THE debugger for Un*x, BSD, etc.

And Then

2004 - 2008

Not much

Mostly bug fixes, new architectures added, more comments/docs, better code structure

Desperation and anguish submerged the devs

fG! GdbInit

Best tool for exploit dev (~2008)

Big GDB script with dirty procedures and hardcoded values


fG! GdbInit

  • Worked really well
  • But
    • x86 only
    • hard to read/maintain

The Revelation

2008-2009

First series of patches to export GDB API to Python


2011-08-23

GDB 7.0 with Python scripting released

O'rly?

  • Extend GDB features
  • Create new commands
  • Create new internal functions (breakpoints, hook events, etc.)
  • Totally architecture agnostic

Awesome article by 0verclock: “GDB, meet Python”

Basic commands

  • gdb.parse_and_eval("[SYMBOL OR ADDRESS]")
  • gdb.execute("[GDB_COMMAND]", to_string=True)
  • gdb.prompt_hook
  • gdb.breakpoints
  • gdb.events.*.connect

Complete docs on Sourceware

Demo

Some cool projects came to life

GDB Enhanced Features

i.e. GDB on steroids for debugging, reversing, exploiting

Started as a collection of files with GDB Python commands

Then merged into one consistent, extensible tool

GEF

  • Built by curiosity, improved by CTF
  • Must be fast
    • Fast to install on a "new" environment
    • Fast access to information about registers, memory, code

GEF

  • Intel x86-32 /x86-64
  • ARM v5/v6/v7/AARCH64 (so yes, even Android)
  • PowerPC / PowerPC64
  • MIPS / MIPS64
  • SPARC / SPARC v9 (i.e. SPARC64)
  • easy to add more archs...

Some of the features

... live for some

... just images & videos for others

Displaying a comprehensive context

Automatically dereferencing pointers (WinDBG poi style)

"Normal" way


"GEF" way
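As an added example (not GEF's own code, nor from the original slides), here is how the API calls listed under "Basic commands" combine into a small poi-style pointer-chain command like the one shown on this slide. The `xpoi` command name, the `deref_chain`/`format_chain` helpers and the `gef> ` prompt are my own choices; the chain-following logic is pure Python so it can run outside GDB, while the `gdb.*` glue only activates when the script is sourced from inside GDB.

```python
"""Added example (not GEF's code): a poi-style pointer-chain command for GDB."""
import struct

try:
    import gdb                # only importable when running inside GDB
except ImportError:           # lets the pure helpers be imported and tested outside GDB
    gdb = None

MAX_DEPTH = 8                 # how far to follow addr -> *addr -> **addr ...


def deref_chain(read_word, addr, max_depth=MAX_DEPTH):
    """Follow a pointer chain starting at addr.

    read_word(addr) returns the pointer-sized integer stored at addr, or None
    when addr is not readable. Returns the values visited, addr first. A value
    seen twice (self-referencing pointer) ends the walk instead of looping.
    """
    chain = [addr]
    seen = {addr}
    for _ in range(max_depth):
        value = read_word(chain[-1])
        if value is None:     # unmapped memory: the chain ends here
            break
        chain.append(value)
        if value in seen:     # cycle detected, stop
            break
        seen.add(value)
    return chain


def format_chain(chain, ptr_size=8):
    """Render as GEF/WinDBG do: 0x... -> 0x... -> ..."""
    width = ptr_size * 2
    return " -> ".join("0x{:0{w}x}".format(v, w=width) for v in chain)


if gdb is not None:
    def ptr_size():
        return gdb.lookup_type("void").pointer().sizeof

    def inferior_endian():
        # gdb.execute(..., to_string=True) captures command output instead of printing it
        out = gdb.execute("show endian", to_string=True)
        return ">" if "big endian" in out else "<"

    def gdb_read_word(addr):
        """Memory reader backed by the debuggee; None when the page is unmapped."""
        size = ptr_size()
        try:
            raw = gdb.selected_inferior().read_memory(addr, size)
        except gdb.MemoryError:
            return None
        fmt = inferior_endian() + ("Q" if size == 8 else "I")
        return struct.unpack(fmt, bytes(raw))[0]

    class XpoiCommand(gdb.Command):
        """xpoi <expression>: dereference an address until the chain ends."""
        def __init__(self):
            super(XpoiCommand, self).__init__("xpoi", gdb.COMMAND_DATA)

        def invoke(self, arg, from_tty):
            # "$rsp", "0x7ffd...", "&buf" all evaluate to an address
            start = int(gdb.parse_and_eval(arg))
            gdb.write(format_chain(deref_chain(gdb_read_word, start), ptr_size()) + "\n")

    def on_stop(event):
        """Event hook: after every stop, show what the stack pointer points to."""
        sp = int(gdb.parse_and_eval("$sp"))
        gdb.write("sp: " + format_chain(deref_chain(gdb_read_word, sp), ptr_size()) + "\n")

    XpoiCommand()
    gdb.events.stop.connect(on_stop)
    gdb.prompt_hook = lambda current_prompt: "gef> "
```

Load it with `source xpoi.py` from the GDB prompt, then `xpoi $rsp`; the stop hook prints the same chain for `$sp` after every breakpoint hit or step.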

Get precise info on memory mapping.


Get generic info on the binary.


Automatically detect vulnerable format strings


Interact with IDA Pro Disassembler.


... live!

Easily search patterns in all memory sections


Perfect integration with gdb remote debugging functionality


Perfect for debugging native Android apps!

Want to redirect a file descriptor to a file?

Or want to change permissions of a page?

Latest features!


Runtime decompilation!

Latest features!


User-defined structures

Still not convinced?

GEF has NO mandatory dependency

Works out of the box on any GDB compiled with Python2 / Python3

... but can integrate other Python libraries for...

Dumping ROP gadgets and generating ROP chains (ROPChain, Ropper)

Emulating instructions from the current context to predict the behaviour (Unicorn-Engine)

(... yes it is an emulator embedded with gdb)

Look up known shellcode online (@ShellStorm DB)

... Or write your own directly in memory (Keystone)

etc. etc.

~50 commands already implemented

All working on ANY architecture (X86, ARM, MIPS, etc.)

Constantly improving

Future


  • Replace PEDA
  • More bug fixes/new commands
  • Massive improvements from Open-Source community (thanks to all the contributors)

Moral

Python API for GDB is awesome

Let's do more of it

Ultimate goal: reach the awesomeness of WinDBG

End, Questions?

They (didn’t) talk about GEF:

  • “Omaagadd!!” - John Travolta
  • “GEF is why I wanted a Linux subsystem for Windows” - Bill Gates
  • “LAAANNNNAAAA!! Danger zone!!” - Sterling Archer
  • “Hodor!!” - Hodor

Tool: https://github.com/hugsy/gef

Slides: https://blahcat.github.io/slides/ruxmon-2016-08-gef/

IRC: Freenode ##gef

@_hugsy_