Exploit Development and Reverse Engineering with GDB Made Easy
MIT License
Since last release we got a lot of new features and improvements done in Pwndbg.
Among others, we now show register/memory values in the disasm view for different architectures, added Binary Ninja integration, added commands helping with Go debugging, added glibc heap UAF tracking and refactored lots of Pwndbg code for the future LLDB port.
Some of this work was paid thanks to the Python Summer of Code program (@OBarronCS, @mbrla0 and @jetchirag's projects) and thanks to Trail of Bits' internships (@Aplet123 and @mbrla0 projects). Here are highlights from their work:
- … `xor eax, eax`) and some through emulation (requires `set emulation on`).
- The disasm banner now displays ARM mode (ARM vs Thumb) (#2281)
- Added `go-dump <type> <address>` command to dump Go types. Note that the `any` type below works only for addresses of Go interface objects. (read more in blog post)
- `go-type <address>` command to dump Go type information (read more in blog post)
- `search` to look for assembly instructions (`search --asm <code>`) and to set breakpoints on found instructions (`search --asmbp <code>`)
- `vmmap --gaps` which displays mapped memory with gaps instead of the normal vmmap display
- `pcp` command to print Linux kernel per-cpu page cache (#1487)
The full changelog can be found here: https://github.com/pwndbg/pwndbg/compare/2024.02.14...2024.08.29
Also thanks to @patryk4815 for all the help with packaging and releases.
Published by disconnect3d 8 months ago
Here is the 2024.02.14 release. Thanks to everyone who contributed!
Among others, this release brings GOT tracking mechanism, more step/break commands, mmap/mprotect syscalls, printing of linked lists, displaying of threads in context for multithreaded programs, lots and lots of fixes and more!
The release files can be used to install Pwndbg as a self-contained package (along with GDB, Python and all deps) on many distros and on the x86-64 and arm64/aarch64 architectures. The `*-portable.tar.gz` archives can be just unpacked and run.
Below is a summary of changes, while the full changelog can be found further on.
Note: this release requires Python >= 3.8 (which means Ubuntu 18.04 or Debian 10 are not supported anymore).
General changes:
- `$base(objfile_name)` function to compute the base address of a given memory page, e.g. `print $base(libc)+0x123` will return base of libc + 0x123
- `context-max-threads` parameter (use `set context-max-threads <N>` to change)
- `gdb-pt-dump` git submodule was moved to a python dependency (#1929)
New commands:
- `track-got {enable,disable,info,query} ...` can be used to track the GOT (#1971)
- `stepuntilasm <asm>` will step through program instructions until a matching part of the instruction string is found (#1798)
- `break-if-taken <loc>` and `break-if-not-taken <loc>` will set up a breakpoint on the given location of a branch instruction which stops the program if the branch was taken or not taken, respectively (#1799)
- `plist ...` can be used to print linked lists (#1795, #1817)
- `mmap ...` and `mprotect ...` commands will invoke the `mmap` or `mprotect` syscalls with the given arguments in the debugged program
- `threads` command to display threads information
- `hi` command to check if an address belongs to a glibc heap chunk (#1938)
- `tips` to display tips about Pwndbg usage
- `sigreturn <address>` to print the x86-64 sigreturn frame (#1940)
Changed commands:
- `telescope --frame` to display stack frame information (requires BP and SP to point to the same memory region) (#1855)
- `spray --only-funcptrs | -x` flag to spray only the memory addresses where values point to executable memory pages (#1809)
- `-A <N>` and `-B <N>` flags to `vmmap` to display N entries after/before the filtered page (#1810)
- `vmmap` … (they have unique names) (#1837)
- `search` memory command (#1867)
- `telescope` output can now show frame pointer offsets (#1925)
- `distance <single-address>` now prints the offset from the memory page start address (#1926)
- `stack -i | --inverse` to show the stack in reverse order (#1978)
- `cyclic` command can save its output to a file (so it can later be used, e.g. as `run < input`) (#2009)

- `stepuntilasm` command by @mbrla0 in https://github.com/pwndbg/pwndbg/pull/1798
- `break-if-taken` and `break-if-not-taken` by @mbrla0 in https://github.com/pwndbg/pwndbg/pull/1799
- `--only-funcptrs` feature to spray command by @bog2n in https://github.com/pwndbg/pwndbg/pull/1809
- `plist` command to print linked lists by @mbrla0 in https://github.com/pwndbg/pwndbg/pull/1795
- `-B` and `-A` in `vmmap` by @feelfreelinux in https://github.com/pwndbg/pwndbg/pull/1810
- `vmmap -A / -B` improvements by @feelfreelinux in https://github.com/pwndbg/pwndbg/pull/1830
- `telescope --frame` command #1195 by @ntsleep in https://github.com/pwndbg/pwndbg/pull/1855
- `attachp` to be shown under "Start Commands". by @joshvarg in https://github.com/pwndbg/pwndbg/pull/1883
- `threads` command by @CptGibbon in https://github.com/pwndbg/pwndbg/pull/1920
- `hi` command -- feature to check if an address belongs to a chunk. by @kotee4ko in https://github.com/pwndbg/pwndbg/pull/1938
- `get_file()` by @magnified103 in https://github.com/pwndbg/pwndbg/pull/2013
Full Changelog: https://github.com/pwndbg/pwndbg/compare/2023.07.17...2024.02.14
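The `$base(objfile_name)` function above and the `vmmap --gaps` view from the 2024.08.29 notes both come down to reading the process memory map. As an added example, not pwndbg's own code, here is a small reimplementation over a constructed `/proc/<pid>/maps` sample: `parse_maps`, `base` and `gaps` are names chosen here, and `base` assumes a substring match on the backing file name, which is not necessarily how pwndbg resolves it.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed /proc/<pid>/maps sample (not captured from a real process). There is an
# unmapped hole after the binary's third page, one before libc, and one before the stack.
SAMPLE_MAPS = """\
555555554000-555555555000 r--p 00000000 08:01 131  /tmp/demo
555555555000-555555556000 r-xp 00001000 08:01 131  /tmp/demo
555555556000-555555557000 r--p 00002000 08:01 131  /tmp/demo
555555559000-55555557a000 rw-p 00000000 00:00 0    [heap]
7ffff7d80000-7ffff7da8000 r--p 00000000 08:01 999  /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7da8000-7ffff7f2d000 r-xp 00028000 08:01 999  /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7f2d000-7ffff7f85000 r--p 001ad000 08:01 999  /usr/lib/x86_64-linux-gnu/libc.so.6
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0    [stack]
"""


class Page(NamedTuple):
    start: int
    end: int
    perms: str
    objfile: str  # backing file or pseudo-name such as [heap]; empty for anonymous maps


# address range, perms, file offset, device, inode, optional pathname
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text: str) -> List[Page]:
    """Parse /proc/<pid>/maps text into Page records, skipping lines that do not match."""
    pages = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            pages.append(Page(int(m[1], 16), int(m[2], 16), m[3], m[4]))
    return pages


def base(pages: List[Page], objfile_name: str) -> Optional[int]:
    """Lowest start address among pages backed by a file whose name contains objfile_name.
    Substring matching is an assumption of this example (so "libc" finds libc.so.6)."""
    starts = [p.start for p in pages if objfile_name in p.objfile]
    return min(starts) if starts else None


def gaps(pages: List[Page]) -> List[Tuple[int, int]]:
    """Unmapped (start, end) ranges between consecutive mappings, sorted by address.
    Adjacent pages (like the three libc segments) produce no gap."""
    ordered = sorted(pages, key=lambda p: p.start)
    out = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.start > prev.end:
            out.append((prev.end, cur.start))
    return out


if __name__ == "__main__":
    pages = parse_maps(SAMPLE_MAPS)
    libc = base(pages, "libc")
    print(f"$base(libc)+0x123 -> {libc + 0x123:#x}")
    for lo, hi in gaps(pages):
        print(f"gap {lo:#x}-{hi:#x} ({hi - lo:#x} bytes)")
```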
Published by disconnect3d about 1 year ago
This is the 2023.07.17 release, but with packages for various distributions (Debian-like using dpkg, RHEL-like using yum/rpm, Arch Linux and Alpine (.apk)).
The packages are totally self-contained: they include everything you need to run GDB+Pwndbg after installation.
They do not rely on any dependencies and are built in a (hopefully) reproducible way using the Nix package manager.
Please ignore the 'source code' attached, it is from a later commit than 2023.07.17. The packages were built from the 2023.07.17 version.
Published by disconnect3d over 1 year ago
Here is the 2023.07.17 release. Thanks to everyone who contributed!
We would also like to honour Zach Riggle once again, who was a long time contributor and maintainer of Pwndbg.
Also please note that this release will be the last to support Python 3.6 and Python 3.7 (and so Ubuntu 18.04 and Debian 10).
- `setup.sh` now installs Python dependencies in a virtual environment created in `pwndbg/.venv/` and `gdbinit.py` sets appropriate paths so that the created virtual environment is used automatically (previously, we installed deps in the system's Python interpreter, which could break users' setups)
- `pwndbg` helper command can now filter the commands list by category, e.g.: `pwndbg -c heap` (categories are: heap, kernel, linux etc.)
- `killthreads [<ids....>]` command to kill threads with given IDs
- `slab contains <addr> [<addrs...>]` command to inspect the Linux kernel heap (when debugging a kernel)
- `spray <addr> ...` command to spray memory with given values (instead of doing `pi pwndbg.gdblib.memory.write(address, b'data')`)
- `got` command display and filtering
- (`heap`, `vis_heap_chunks` optimized, `find_fake_fast`, `*bins`)
- `vis_heap_chunks` command
- `telescope -r` now always displays the input address
- `vmmap` for 32-bit kernels
- `patch-list` and `patch-revert` commands
- `ai` command
- `krelease` function that allows us to implement different behavior for different Linux kernel versions
- ...and other bug fixes and improvements. See below for the full changelog!
- `info args` and `set scheduler-locking on` by @disconnect3d in https://github.com/pwndbg/pwndbg/pull/1636
- `tcache_count` in `malloc_par` by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1648
- `MALLOC_ALIGNMENT` for powerpc by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1646
- `store_true` argparse action on *bins commands by @CptGibbon in https://github.com/pwndbg/pwndbg/pull/1655
- `heap` commands by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1659
- `--verbose` flag descriptions for *bins commands by @CptGibbon in https://github.com/pwndbg/pwndbg/pull/1665
- `killthreads` command (closes #1580) by @alufers in https://github.com/pwndbg/pwndbg/pull/1581
- `find_fake_fast` command issues by @CptGibbon in https://github.com/pwndbg/pwndbg/pull/1640
- `krelease()` function by @theguy147 in https://github.com/pwndbg/pwndbg/pull/1673
- `slab contains` command by @theguy147 in https://github.com/pwndbg/pwndbg/pull/1707
- `gdb.parse_and_eval` instead of `info address` by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1724
- `telescope -r` should always display the input address #1240 by @ntsleep in https://github.com/pwndbg/pwndbg/pull/1779
Full Changelog: https://github.com/pwndbg/pwndbg/compare/2023.03.19...2023.07.17
Published by disconnect3d over 1 year ago
Here is the 2023.03.19 release. Thanks to everyone who contributed!
- `kbase`, `kchecksec`, `slab` - kernel debugging only commands to get the kernel base address, checksec for the kernel and list kernel slabs
- `valist` - dumps arguments of a `va_list` structure at a given address
- `ai` - ask AI about the current debugging session (requires an OpenAI API key)
- `cunwatch` now operates on the index/number of the expression instead of requiring the user to pass the whole expression to unwatch
- `cyclic` - improved UX by adding nicer info/error messages
- `tls` command now leverages GDB's scheduler locking, so when it calls a function to obtain the TLS address it won't allow any other target threads to run, which could previously cause issues on targets with multiple threads
- `pwndbg` help :)
- `largebins` now displays bin size ranges instead of indexes
- `arena` displays the thread id
- `vis_heap_chunks` now has `--all-chunks` to display all chunks
- `vis_heap_chunks` command (`--naive` -> `--beyond-top` and `--display_all` -> `--no_truncate`)
- `set nearpc-num-opcode-bytes 9`
- `mmap(1GB, RWX)` fails due to Unicorn Engine aborts on environments with low memory
- `LC_CTYPE=C.UTF-8` environment variable and not `LC_ALL=en_US.UTF-8 PYTHONIOENCODING=UTF-8` as it previously suggested

- `python-future` (#1250) by @hamarituc in https://github.com/pwndbg/pwndbg/pull/1470
- `rich` module to print the full stacktrace by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1578
- `arenas` command output by @CptGibbon in https://github.com/pwndbg/pwndbg/pull/1612
- `largebins` command output by @CptGibbon in https://github.com/pwndbg/pwndbg/pull/1613
- `largebin_index_32_big` macro by @CptGibbon in https://github.com/pwndbg/pwndbg/pull/1617
- `tcache` for some 32-bit architectures by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1625
Full Changelog: https://github.com/pwndbg/pwndbg/compare/2022.12.19...2023.03.19
Published by disconnect3d almost 2 years ago
A new release is here :). Thanks to all contributors for improving Pwndbg!
- `kconfig` to obtain the debugged Linux kernel config
- `cymbol` to add/show/load/edit/delete custom structures written in plain C
- `mprotect` to set memory protections (the command was fixed as it was not working for some time)
- `bins` and `find_fake_fast` were improved
- `cyclic` - the Pwntools' `pwn cyclic` command was ported as a native command
- `help set kernel-vmmap`, `heap_config` and `help set resolve-heap-via-heuristic` for more information.

- `help cmd` and `cmd --help` behavior by @disconnect3d in https://github.com/pwndbg/pwndbg/pull/1108
- `./pwndbg/lib` by @syheliel in https://github.com/pwndbg/pwndbg/pull/1135
- `gdb.MemoryError` check to get_heap() by @CptGibbon in https://github.com/pwndbg/pwndbg/pull/1145
- `find_fake_fast` command by @CptGibbon in https://github.com/pwndbg/pwndbg/pull/1147
- `ipi` command by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1170
- `ipi` command by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1176
- `ipdb` by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1177
- `malloc_chunk` command by @CptGibbon in https://github.com/pwndbg/pwndbg/pull/1184
- `malloc_chunk` command test by @CptGibbon in https://github.com/pwndbg/pwndbg/pull/1214
- `CStruct2GDB` support `gdb.types.has_field()` by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1224
- `malloc_chunk` command tests for heuristic heap by @CptGibbon in https://github.com/pwndbg/pwndbg/pull/1234
- `set exception-* on` by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1270
- `main_arena` and `mp_` by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1273
- `pwndbg.gdblib.config` by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1315
- `malloc_par` of GLIBC 2.35 by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1353
- `.data` instead of `.got.plt` in the heap heuristic by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1381
- `default-visualize-chunk-number` config and refactor some code related to config by @lebr0nli in https://github.com/pwndbg/pwndbg/pull/1388
Full Changelog: https://github.com/pwndbg/pwndbg/compare/2022.08.30...2022.12.19
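The `cyclic` command above ports pwntools' `pwn cyclic`. As an added example that is not pwndbg's or pwntools' code, here is the de Bruijn construction behind it, together with the lookup that turns a register value captured at a crash back into an offset into the input; `cyclic`, `cyclic_find` and `write_pattern` are names chosen here, and the lowercase alphabet and 4-byte window length mirror pwntools' defaults.

```python
import string
from typing import Iterator, Union

ALPHABET = string.ascii_lowercase  # pwntools' default alphabet for cyclic patterns
N = 4                              # window length: every 4-byte window occurs once


def de_bruijn(alphabet: str = ALPHABET, n: int = N) -> Iterator[str]:
    """Yield the de Bruijn sequence B(k, n) one character at a time (FKM algorithm).
    Because every length-n window is unique, a window identifies its own offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int) -> Iterator[str]:
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern, e.g. cyclic(12) == b'aaaabaaacaaa'."""
    out = []
    for ch in de_bruijn():
        if len(out) == length:
            break
        out.append(ch)
    return "".join(out).encode()


def cyclic_find(needle: Union[bytes, str, int], length: int = 1 << 16) -> int:
    """Offset of a window in the pattern, or -1 if it is not pattern data.
    An int is treated as a register value read from the debugger: x86-64 stores it
    little-endian, so its low bytes are the first pattern bytes that overwrote it."""
    if isinstance(needle, int):
        needle = needle.to_bytes(8, "little")
    elif isinstance(needle, str):
        needle = needle.encode()
    return cyclic(length).find(needle[:N])


def write_pattern(path: str, length: int) -> int:
    """Save the pattern to a file so GDB can feed it to the target with `run < path`."""
    data = cyclic(length)
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    # Constructed scenario: after `run < input`, the saved return address held
    # pattern bytes; the debugger shows the faulting value as an integer.
    faulting_rip = int.from_bytes(cyclic(200)[72:80], "little")
    print(f"rip = {faulting_rip:#x} -> input offset {cyclic_find(faulting_rip)}")
```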
Published by disconnect3d about 2 years ago
A new release is here :). Thanks to all contributors for improving Pwndbg!
- `attachp [pid | process name | device file]` to attach to a process by pid/name/device file,
- `setflag` to set CPU flags register values,
- `telescope --reverse ...` to see memory before a provided address,
- `heap_config` to set heap commands configuration,
- `heap_config` can be used to configure symbol addresses,
- `$heap_base` convenience variable,
- `monitor info mem` information,
- `/proc/$pid/fd/$fd` of opened files when showing the arguments of POSIX file APIs (open, read, write, close etc.) in the disasm view,
- `set show-tips off` added to `~/.gdbinit`
- `./tests.sh` now has `[<filter-tests-names>] [--pdb]` arguments,

- `setflag` command by @dgmcdona in https://github.com/pwndbg/pwndbg/pull/1027
Full Changelog: https://github.com/pwndbg/pwndbg/compare/2022.01.05...2022.08.30
Published by disconnect3d almost 3 years ago
Commits included:
96d3d5a (HEAD -> dev, tag: 2022.01.05) Set docs version to 2022.01.05
eec6f74 (origin/dev, origin/HEAD) Use `add-symbol-file` correctly.
439b660 added pylintrc file for standarized linting
cddbcb5 Fix search bug in kernel mode
6d2b6c6 .
5a39da7 moved block to source gdbinit
5844257 removed source line
a1c9d09 added little blurb for endeavourOS
0e45524 added command to source gdbinit.py
8b05953 Fixed multiple alignment issues of compact register view
38c38aa Fix typos
2616e70 Updated permissions for Docker container
1cc12ad Added devcontainer configuration for VS Code to directly develop inside Docker container
84e783a Ignore printing vertical tabs in vis_heap_chunks command
d348c74 Update emulator.py
9448cf5 Fix error message on interrupts
5c0627d Update pwndbg/glibc.py
e0e32dc fix ending of chain
bd7c3aa add test for heap bins
94eea64 safe-linking: use __libc_version when debug symbols loaded
09f2cb6 Add safe-linking support
95e3bb0 Fix lint
0ec3180 Hopefully fix windbg commands tests on CI
9636331 CI: show installed packages
1d70e14 Fix #932,#788: fix command parsing
d861d6e Skip attachp tests when cant attach
eee5dbc Remove Py2 class object inheritance
ef86a5c Remove shebang and coding lines
89b2df5 Remove incorrect i386 regs: dil/sil/spl/bpl
9a17798 Speedup emulator by disabling debug formatting when not debugging
270fef3 Remove redundant disasm.is_call function
af41986 Bump capstone to 4.0.2
e239e9c Hopefully fix recursion error
c8c9e3f Add Codecov
9c8df00 Add basic coverage testing
3583b57 fix(tempdir): use safe and unpredictable cachedir location
1c63382 Do not sort auxv, use the implicit order
526b3ea Hopefully fix CI tests
b203d53 SLES/OpenSUSE: enable debugging repo before installing
6fd42dd Add attachp command and tests for it
1e28920 Stop skipping tests
34f9535 Fix isort
4439446 Maintain backward compatibility with Python < 3.10
07b7c75 Migrate to 3.10 compatible abc usage.
b739733 fix typo in dd command
f11afe2 Fix get_highlight_source line splitting
8cc218f Adding p2p command - pointer chain search
a7a554f Add square brackets to vmmap's anonymous map names
648c7f0 Fix heap unprinted messages
e2c899e Fix isort lint import issues
00e94a9 Fix unprinted 'Unknown register' context warning
8975d42 Better pwndbg.commands.OnlyWithFile error for QEMU targets
c294ede pwndbg.file.get_file: better warning message
32cdc10 piebase, breakrva: print error on failures
71291d8 Fix vmmap_load on remote targets
Published by disconnect3d over 3 years ago
The 2021 release, which contains many fixes & some enhancements.
Thanks to all contributors!
TL;DR git log since last release:
a79c85b (HEAD -> dev, tag: 2021.06.22, origin/dev, origin/HEAD) Update links to use Discord
668e53f Fix xinfo used with symbols that are function pointers
8db8f4d fix: update_length() raise exception in some cases
30d6745 Make brva alias accept same args as breakrva
aa25aac fix(disasm,emulate): support mips32r6
44471df fix(emulate): refix emulate, let it works correct on unicorn-1.0.2rc1 ~ unicorn-1.0.2
99a5ef3 fix exception raised by cs.syntax when debugging mips binary
5389eb6 fix(emulate): let `emulate` works on unicorn-1.0.2rc1 ~ unicorn-1.0.2
87da998 fix(telescope): also unroll buffer if last line is skipped
05036de fix(telescope): avoid superfluous whitespace after register column
75b4249 feature(telescope): reduce cognitive load by adding skip count label
baf3fe7 feature(telescope): option to set min repeating values before skipping
14325af chore: clean up unused imports
a8c2fb5 fix(ui): fix display of addrsz to be hex formated
a5c9738 feature(radare2): add r2pipe command to execute stateful radare2 cmds
5d0441b feature(shell): put 'pwn' into allow list for pwntools
56d1fac chore(profile): extend test binary so unicorn engine shows more code flow
f1aa0c8 feature(profile): use a simple module based approach to define profiles
fbfd47f fix(profile): accept any valid location for pyprof2calltree
87bf6ac chore(ghidra): simplify logic and clean up code flow
707fe12 chore(ghidra): use memoize feature to cache r2pipe handle
44770fd fix(ghidra): handle PIE base address when opening the r2pipe
71ca721 feature(ghidra): use configurable code prefix marker for line indicator
a100d87 fix(ghidra): make if-no-source condition work as expected
6354fdc fix(ghidra): avoid crash if we try to decompile a faulty addr/func
e8b5124 chore(ghidra): modularize ghidra functions into utils and commands
b036575 feature(radare2): add argument to set base when loading for PIE (#897)
cd3cbf3 Update README to show more modern supported Linux versions (#885)
00c9740 use_info_auxv() : change regex (#894)
96df189 Changed register list to use precomputed tuples (#866)
cd0cd82 Fixed bug when the GDB is debuggin an architecture arm-eabi (disassembly-flavor). (#889)
4d213a1 Fix #881 (#883)
ae6f25a Fix #858 (#877)
26a18f1 Remove quotes from command option interpolation (#876)
bf49bf8 Unit test fix (#868)
5639589 Remove unimplemented dlmalloc (#874)
c31c720 docs: fix simple typo, divison -> division (#870)
f74aa34 The disassembly flavor is hard-coded. It does not change from Intel to AT&T (#860)
304bf26 Improved the number of Runs/Layers in the container. Upgraded Ubuntu and install GoLand to run the tests. (#862)
cc92959 Added comment command (#857)
812278b Allow return offsets and use it for 'start' method. (#864)
bde3637 added fix for i386 libc6-dbg package. (#859)
29f962c ropgadget: fix path export. (#854)
cfe93ab fix for ubuntu 20.04 (#850)
979d330 Fixes #841
30c816b Moved filename to the end of the command (#842)
ea11f86 Add basic i8086 support (#835)
f096be7 Compact, [big-endian] hexdump (#839)
779634a fix prev chunk size check (#837)
9250cc5 Compact register list for context view (#830)
7690b60 Fixed bug: bins gets the wrong pointer offset (#832)
d626db1 add config context-backtrace-lines (#831)
b209c2b Added installation configuration for Gentoo (#820)
a9c43ed In setup.sh, remove installation of python2 for apt (#828)
487caa1 Fix #814: better aslr output (#818)
301012a Py3k (#817)
ccd8f76 Remove travis (#816)
ce2266e Add GitHub Actions support (#809)
15b11c7 Add Dockerfile for easier dev (#815)
96716ce Fix mprotect failing on py2
Published by disconnect3d about 4 years ago
This release brings a lot of fixes and improvements and a new `mprotect` command that injects/calls the corresponding syscall (x64/x86 only for now).
Thanks to all contributors!
Published by disconnect3d almost 5 years ago
This release brings some bugfixes (also related to IDA Pro sync), enhancements to commands and some other enhancements.
- `memory info mem` (#685, #687)
- `vis_heap_chunk` command got improved (#625)
- `leakfind` command (#608, #620)
- `xuntil` command (#604, #648)
- `set context-output /dev/pts/x` (#610)
- `ctx` alias for the `context` command (#656)
- `__read_chk`, `__fread_chk` and `__pread_chk` to recognized functions (#536)
- `pwndbg.proc.exe` returned wrong path (#624)
- `ArgparsedCommand` to have aliases (#621)
- `new_objfile` event (#616)
- `ida-enabled` parameter is enabled (#597)
Thanks to all external contributors:
And our team:
Published by disconnect3d over 5 years ago
This release brings a lot of bugfixes, update to Capstone 4.0.1, better r2 sync support and some other enhancements.
Thanks to all external contributors:
Changes:
- `print elements` anymore (#590)
- `bugreport` command (#533)
- `context code` now displays the source file path (#526)
- `probeleak` now displays symbols if the address corresponds to one (#572)
We haven't done releases for some time but hopefully this release will change that habit.
Below you can see a detailed changelog of what has been changed.
- `next_syscall` renamed to `nextsyscall`
- `breakrva` - break at an offset of a given executable (default main binary; e.g. `breakrva 0x123` will set a breakpoint at binary_base+0x123)
- `piebase` - rebase a given address for a given executable
- `probeleak` - scan for pointers in the specified memory (#492)
- `stepret` - step until we step into a ret (#448)
- `stepsyscall` - step until we step into a syscall (#447)
- `tcache` - support for ptmalloc's thread cache (#420)
- `vis_heap_chunks` - visualize heap chunks at the specified address (#496)
- `eX` windbg commands family now supports hex data prefixed with 0x (e.g. `eq $rsp 0xCAFEBABE` will work the same as `eq $rsp cafebabe`)
- `context` - it is now possible to set an empty context (e.g. `set context-sections`)
- `hexdump`, `nearpc`, `telescope` - improved repeat functionality (#395)
- `vmmap_add`, `vmmap_load` - it is possible to add memory pages manually (might be useful for bare metal debugging - see #385)
- `version` - displays capstone, unicorn, IDA and Hexrays versions
- `xinfo` - display extended offset information
- `ida-enabled` - control whether pwndbg tries to connect to the IDA xmlrpc server (enabled by default to preserve old behavior)
- `nearpc-show-args` - control whether `context` displays an args section
- (`vmmap_load` and `vmmap_add` commands)
- `$rebase(address)` function (use e.g. as `break *$rebase(some_address)`; see also `breakrva` and `piebase` commands)
- `theme` and https://github.com/pwndbg/pwndbg-themes
- `$rebase(addr)` function
- `find_fake_chunk` (see #435)
- `exception-debugger` config parameter (#501)
Thanks to all who contributed to this release:
Published by zachriggle over 7 years ago
This release of Pwndbg includes a large number of bug fixes, and the following new or updated commands:
- `bins`
- `fastbins`
- `largebins`
- `mp`
- `smallbins`
- `unsortedbin`
- `configfile` and `themefile` will save your settings to a file easily added to `~/.gdbinit`
Published by zachriggle about 8 years ago
- Add CheatEngine style searching
- Fix Windbg command byte-endianness
- Fix VDSO and Linker mappings under QEMU (#91)
- Mark `$pc` as executable upon resuming execution (#90)
- Remove `input-radix` and `output-radix` configuration options
  - `set output-radix 0x10`
  - `set input-radix 0x10`
Published by zachriggle about 8 years ago
First tagged release.