This is a fork of GEF, specialized for x86 / x64 / ARM / AArch64, with various features added. We hope CTF players, reversers, exploit developers and others find it useful.
Install:

```sh
# Run with root user (sudo is NOT recommended)
wget -q https://raw.githubusercontent.com/bata24/gef/dev/install.sh -O- | sh
```

Upgrade:

```sh
python3 /root/.gdbinit-gef.py --upgrade
```

Uninstall:

```sh
rm -f /root/.gdbinit-gef.py /root/.gef.rc
```

For details, see install.sh.
The following features target qemu-system debugging. All of these features are experimental. Tested on Ubuntu 18.04 / 20.04 / 22.04 / Debian 10.x.

- It works with qemu-system installed via apt, but qemu-6.x or higher is recommended.
- Start qemu with the `-s` option and listen on `localhost:1234`.
- Attach with `gdb-multiarch -ex 'target remote localhost:1234'`.

- `qreg`: prints register values from qemu-monitor (allows getting e.g. `$cs` even under qemu 2.x).
- `sysreg`: pretty prints system registers.
- `pagewalk`: prints the page table by scanning physical memory.
  - x64 (Supported: PML5T/PML4T)
  - x86 (Supported: PAE/Non-PAE)
  - ARM64 (Supported: EL1&0-stage1/EL1&0-stage2/EL2&0-stage1/EL2-stage1/EL3-stage1)
  - ARM (Cortex-A only, LPAE/Non-LPAE, PL0/PL1)
- `v2p`, `p2v`: shows the transformation virtual address <-> physical address.
- `xp`: is a shortcut for a physical memory dump.
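`pagewalk` and `v2p` translate addresses by reading the page tables out of guest physical memory. The following C program is an added illustration, not part of gef: it walks a 4-level x64 page table over a constructed in-process "physical memory" buffer (the table contents, the CR3 value 0 and the mapped virtual addresses are all made up for the example). It handles 2 MiB / 1 GiB large pages (the PS bit), accumulates the effective RW/US/NX permissions along the whole path, and refuses to follow a table pointer it cannot read, which is the case a tool must report rather than guess.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE     4096UL
#define ENTRIES       512
#define PTE_P         (1ULL << 0)
#define PTE_RW        (1ULL << 1)
#define PTE_US        (1ULL << 2)
#define PTE_PS        (1ULL << 7)
#define PTE_NX        (1ULL << 63)
#define PTE_ADDR_MASK 0x000ffffffffff000ULL

/* Constructed "physical memory" (example data, not a real dump): 5 pages.
 * Offsets into this buffer play the role of physical addresses. */
static uint8_t phys_mem[5 * PAGE_SIZE] __attribute__((aligned(4096)));

/* Read one 64-bit entry at physical address pa; fails if pa is outside what we can read. */
static int phys_read64(uint64_t pa, uint64_t *out) {
    if (pa + 8 > sizeof phys_mem) return 0;
    memcpy(out, phys_mem + pa, 8);
    return 1;
}

static void set_entry(uint64_t table_pa, unsigned idx, uint64_t value) {
    memcpy(phys_mem + table_pa + idx * 8, &value, 8);
}

struct walk_result {
    int ok;                    /* 1 if the translation exists */
    int level;                 /* leaf level: 1 = 4 KiB, 2 = 2 MiB, 3 = 1 GiB */
    uint64_t pa;
    int writable, user, nx;    /* effective permissions along the whole path */
};

/* Walk the 4-level x64 page table rooted at cr3 for va. */
static struct walk_result v2p_x64(uint64_t cr3, uint64_t va) {
    struct walk_result r = { 0, 0, 0, 1, 1, 0 };
    uint64_t table = cr3 & PTE_ADDR_MASK;

    for (int level = 4; level >= 1; level--) {
        unsigned shift = 12 + 9 * (level - 1);          /* 39, 30, 21, 12 */
        unsigned idx = (va >> shift) & (ENTRIES - 1);
        uint64_t e;

        if (!phys_read64(table + idx * 8, &e)) return r;  /* table not readable */
        if (!(e & PTE_P)) return r;                       /* not present */

        /* Writable/user only if every level allows it; NX is sticky once set. */
        r.writable &= !!(e & PTE_RW);
        r.user     &= !!(e & PTE_US);
        r.nx       |= !!(e & PTE_NX);

        int leaf = (level == 1) || ((level == 2 || level == 3) && (e & PTE_PS));
        if (leaf) {
            uint64_t page_mask = (1ULL << shift) - 1;     /* 4K, 2M or 1G */
            /* In large-page entries bit 12 is PAT, not an address bit: mask by page size. */
            r.pa = (e & PTE_ADDR_MASK & ~page_mask) | (va & page_mask);
            r.level = level;
            r.ok = 1;
            return r;
        }
        table = e & PTE_ADDR_MASK;                        /* descend */
    }
    return r;
}

static uint64_t make_va(unsigned i4, unsigned i3, unsigned i2, unsigned i1, unsigned off) {
    return ((uint64_t)i4 << 39) | ((uint64_t)i3 << 30) | ((uint64_t)i2 << 21) |
           ((uint64_t)i1 << 12) | off;
}

/* Constructed tables: PML4 @0x0000, PDPT @0x1000, PD @0x2000, PT @0x3000, data page @0x4000. */
static void build_tables(void) {
    memset(phys_mem, 0, sizeof phys_mem);
    set_entry(0x0000, 0x80, 0x1000 | PTE_P | PTE_RW | PTE_US);
    set_entry(0x1000, 1,    0x2000 | PTE_P | PTE_RW | PTE_US);
    set_entry(0x2000, 2,    0x3000 | PTE_P | PTE_RW | PTE_US);             /* -> PT */
    set_entry(0x2000, 5,    0x200000 | PTE_P | PTE_RW | PTE_US | PTE_PS);  /* 2 MiB page at PA 0x200000 */
    set_entry(0x3000, 3,    0x4000 | PTE_P | PTE_RW | PTE_NX);             /* 4 KiB page, kernel-only, NX */
}

/* Convenience wrappers: build the tables and query one attribute (UINT64_MAX = unmapped). */
static uint64_t lookup_pa(uint64_t va) { build_tables(); struct walk_result r = v2p_x64(0, va); return r.ok ? r.pa : UINT64_MAX; }
static int lookup_level(uint64_t va)   { build_tables(); return v2p_x64(0, va).level; }
static int lookup_user(uint64_t va)    { build_tables(); return v2p_x64(0, va).user; }
static int lookup_nx(uint64_t va)      { build_tables(); return v2p_x64(0, va).nx; }

int main(void) {
    build_tables();
    uint64_t vas[] = { make_va(0x80, 1, 2, 3, 0x234), make_va(0x80, 1, 5, 0, 0x12345), make_va(0x80, 1, 7, 0, 0) };
    for (size_t i = 0; i < 3; i++) {
        struct walk_result r = v2p_x64(0, vas[i]);
        if (r.ok)
            printf("va 0x%016" PRIx64 " -> pa 0x%08" PRIx64 " (level %d, %s %s %s)\n", vas[i], r.pa, r.level,
                   r.writable ? "RW" : "RO", r.user ? "USER" : "KERNEL", r.nx ? "NX" : "X");
        else
            printf("va 0x%016" PRIx64 " -> not mapped\n", vas[i]);
    }
    return 0;
}
```

The same loop shape covers PML5T by starting at level 5 with a 48-bit shift; the ARM translation regimes listed above differ in descriptor layout and in how permissions are encoded, so they need their own decoder rather than this one.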
- `ksymaddr-remote`: prints kallsyms information by scanning kernel memory (heuristic).
  - Supported: the symbols of the kernel itself.
  - Unsupported: the symbols of kernel modules.
  - Supported on x64/x86/ARM64/ARM.
  - Supported whether or not kASLR is enabled.
  - Unsupported: resolving non-function (data) addresses when the kernel is built with `CONFIG_KALLSYMS_ALL=n`, since such symbols are then absent from the kallsyms table.
  - This command is faster than `vmlinux-to-elf`, but it fails to parse depending on the in-memory layout.
- `ksymaddr-remote-apply`: applies the kallsyms information obtained by `ksymaddr-remote` to gdb.
- `vmlinux-to-elf-apply`: applies the kallsyms information obtained by `vmlinux-to-elf` to gdb.
- `slub-dump`: dumps the slub free-list (heuristic).
  - Original code: https://github.com/PaoloMonti42/salt
  - Supported on x64/x86/ARM64/ARM + SLUB.
  - Unsupported: SLAB, SLOB.
  - Supported whether or not kASLR is enabled.
  - Supported whether `CONFIG_SLAB_FREELIST_HARDENED` is `y` or `n`.
  - Supported whether or not the vmlinux symbols exist.
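For a dumper like `slub-dump`, the interesting case is `CONFIG_SLAB_FREELIST_HARDENED=y`: the next pointer stored inside a free object is XORed with a per-cache secret (`kmem_cache->random`) and with the byte-swapped address of the pointer field itself (kernels since 5.7; older ones XOR the plain address), so a naive walk reads garbage. The C program below is an added illustration, not gef's code: it lays out a SLUB-style freelist in a constructed buffer (the slab address, the random key, the object size and a free-pointer offset of 0 are all assumed; real caches keep the pointer at `kmem_cache->offset`), walks it with and without decoding, validates every decoded pointer against the slab bounds and object alignment, and shows how the terminating NULL entry leaks the per-cache key when it is not known.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed slab page with 8 objects of 64 bytes (example data, not a real kernel dump). */
#define OBJ_SIZE  64
#define NR_OBJS   8
#define SLAB_VA   0xffff888003a00000ULL   /* assumed kernel VA of the slab page */
#define RANDOM    0x9f1c3e7d5a2b4c60ULL   /* assumed kmem_cache->random */
#define FP_OFFSET 0                       /* assumed kmem_cache->offset (where the free pointer lives) */

static uint8_t slab[NR_OBJS * OBJ_SIZE];

static uint64_t obj_va(unsigned i) { return SLAB_VA + (uint64_t)i * OBJ_SIZE; }

/* Translate a pretend kernel VA to a pointer into the constructed buffer; NULL if outside. */
static uint8_t *va_to_buf(uint64_t va) {
    if (va < SLAB_VA || va + 8 > SLAB_VA + sizeof slab) return NULL;
    return slab + (va - SLAB_VA);
}

/* freelist_ptr() as in mm/slub.c: with CONFIG_SLAB_FREELIST_HARDENED=y the stored value is
 * ptr ^ s->random ^ swab(ptr_addr). XOR is its own inverse, so one function encodes and decodes. */
static uint64_t freelist_ptr(uint64_t ptr, uint64_t ptr_addr, int hardened, int use_swab) {
    if (!hardened) return ptr;
    return ptr ^ RANDOM ^ (use_swab ? __builtin_bswap64(ptr_addr) : ptr_addr);
}

/* Lay out a freelist head -> order[0] -> order[1] -> ... -> NULL in the buffer. Returns the head. */
static uint64_t build_freelist(const unsigned *order, size_t n, int hardened) {
    memset(slab, 0x41, sizeof slab);   /* allocated objects hold junk */
    for (size_t i = 0; i < n; i++) {
        uint64_t ptr_addr = obj_va(order[i]) + FP_OFFSET;
        uint64_t next = (i + 1 < n) ? obj_va(order[i + 1]) : 0;
        uint64_t stored = freelist_ptr(next, ptr_addr, hardened, 1);
        memcpy(va_to_buf(ptr_addr), &stored, 8);
    }
    return obj_va(order[0]);
}

/* Walk the freelist the way a dumper must: decode each stored pointer, verify it lands on an
 * object boundary inside the slab, stop at NULL, and cap the steps so a cycle cannot hang us.
 * Returns the number of free objects, or -1 if a decoded pointer is invalid (wrong key, corruption). */
static int walk_freelist(uint64_t head, int hardened, uint64_t *out, size_t out_len) {
    uint64_t cur = head;
    int count = 0;
    while (cur && count < NR_OBJS) {
        uint8_t *p = va_to_buf(cur + FP_OFFSET);
        if (!p || (cur - SLAB_VA) % OBJ_SIZE != 0) return -1;
        if ((size_t)count < out_len) out[count] = cur;
        count++;
        uint64_t stored;
        memcpy(&stored, p, 8);
        cur = freelist_ptr(stored, cur + FP_OFFSET, hardened, 1);
    }
    return count;
}

/* If s->random is unknown, the last free object leaks it: its next is NULL, so
 * stored = 0 ^ random ^ swab(addr), i.e. random = stored ^ swab(addr). */
static uint64_t recover_random(uint64_t stored_last, uint64_t ptr_addr) {
    return stored_last ^ __builtin_bswap64(ptr_addr);
}

/* Raw 8 bytes at the free pointer of object obj. */
static uint64_t stored_at(unsigned obj) {
    uint64_t v;
    memcpy(&v, va_to_buf(obj_va(obj) + FP_OFFSET), 8);
    return v;
}

/* Demo helpers: freelist head -> obj3 -> obj6 -> obj0 -> NULL, built and walked with the given modes. */
static const unsigned demo_order[3] = { 3, 6, 0 };
static uint64_t demo_chain[NR_OBJS];

static int demo_walk(int build_hardened, int walk_hardened) {
    uint64_t head = build_freelist(demo_order, 3, build_hardened);
    return walk_freelist(head, walk_hardened, demo_chain, NR_OBJS);
}

static uint64_t demo_recovered_random(void) {
    build_freelist(demo_order, 3, 1);
    return recover_random(stored_at(0), obj_va(0) + FP_OFFSET);   /* obj0 is the last free object */
}

int main(void) {
    int n = demo_walk(1, 1);
    printf("hardened freelist, decoded: %d free objects\n", n);
    for (int i = 0; i < n; i++) printf("  0x%" PRIx64 "\n", demo_chain[i]);
    printf("hardened freelist, naive walk: %d\n", demo_walk(1, 0));
    printf("recovered random: 0x%" PRIx64 "\n", demo_recovered_random());
    return 0;
}
```

Note that the alignment and bounds checks are what turn a wrong key or a corrupted freelist into an error instead of a silent scan through unrelated memory; a heuristic dumper that has to guess `random` can try candidates from the NULL-terminated entry and keep the one for which the whole chain validates.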
- `kbase`: prints the kernel base address.
- `kversion`: displays the debugged kernel version.
- `kcmdline`: displays the debugged kernel startup cmdline.
- `ktask`: displays each task address.
- `kmod`: displays each module address.
- `kcdev`: displays character device information.
- `kfops`: displays fops members.
- `syscall-table-view`: prints the system call table (x64/x86/ARM64/ARM only).
- `thunk-hunter`: collects and displays the thunk addresses that are called automatically (x64/x86 only).
- `usermodehelper-hunter`: collects and displays information about what is executed by `call_usermodehelper_setup`.
- `msr`: prints MSR (Model Specific Register) values by embedding and executing dynamic assembly.
- `xsm`: dumps secure memory when gdb is in the normal world.
- `wsm`: writes a value to secure memory when gdb is in the normal world.
- `bsm`: sets a breakpoint in secure memory when gdb is in the normal world.
- `optee-break-ta`: sets a breakpoint at an offset of an OPTEE Trusted App when gdb is in the normal world.
- `uefi-ovmf-info`: displays the addresses of some important structures in each boot phase of UEFI when OVMF is used (heuristic).
- `partition-alloc-dump-stable`: dumps the partition-alloc free-list (heuristic).
  - This command is reserved for the implementation of the latest stable version of chromium.
  - Currently tested: v103.x / 1003490 / 4f4be3c1f3ff682c9fdd0dbe133ae1bc32761b0a
  - https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Linux_x64/1003490/
  - Supported on x64 only (maybe it works on x86/ARM/ARM64, but not tested).
  - It will try a heuristic search if the binary has no symbols.
- `partition-alloc-dump-beta`: dumps the partition-alloc free-list (heuristic).
  - This command is reserved for the implementation of the latest beta version of chromium.
  - Currently tested: v104.x / 1013129 / af492a3f41a3aad84b5af515bddf2e72f4d2c1a0
  - https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Linux_x64/1013129/
- `partition-alloc-dump-dev`: dumps the partition-alloc free-list (heuristic).
  - This command is reserved for the implementation of the latest dev version of chromium.
  - Currently tested: v105.x / 1018618 / d6cd4585b3811efa5a14960490ef9ceacb382cae
  - https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Linux_x64/1018618/
- `partition-alloc-dump-old1`: dumps the partition-alloc free-list (heuristic).
  - For the implementation in 2021 Jul (tested on Google CTF 2021 - fullchain).
  - Not maintained for a while.
- `partition-alloc-dump-old2`: dumps the partition-alloc free-list (heuristic).
  - For the implementation in 2020 Jun (tested on 0CTF 2020 - chromium fullchain).
  - Not maintained for a while.
- `tcmalloc-dump`: dumps the tcmalloc free-list (heuristic).
  - For tcmalloc, there are 3 major versions:
    - tcmalloc that is a part of gperftools, published in 2005: supported.
    - tcmalloc that is included in chromium: supported (for the implementation in 2020 Jun; tested on 0CTF 2020 - chromium fullchain).
    - tcmalloc that is maintained by Google Inc., published in 2020: unsupported.
  - Not maintained for a while.
- `musl-dump`: dumps musl-libc unused chunks (heuristic).
- `optee-bget-dump`: dumps the bget allocator of an OPTEE Trusted App.
- Glibc heap commands are improved.
  - Thread arenas are supported for all heap commands. Use the `-a` option.
  - They print info if the chunk is in a free-list.
- `find-fake-fast`: searches memory for a size-like value that could be linked into the fastbin free-list.
- `visual-heap`: is a colorized heap viewer.
- `extract-heap-addr`: analyzes the tcache-protected fd (safe-linking) introduced in glibc-2.32.
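`extract-heap-addr` deals with glibc's safe-linking: since 2.32 the fd/next pointer of a tcache or fastbin chunk is stored as `(pos >> 12) ^ next`, where `pos` is the address of the field holding it. The C program below is an added example, not part of gef or glibc, working on a constructed heap page at an assumed base of 0x555555559000 with three made-up chunk addresses: it builds a three-entry tcache bin, walks it with the REVEAL_PTR operation while bounds-checking every decoded pointer, derives the heap page from the last entry (whose next is NULL, so the stored value is just `pos >> 12`), and recovers a protected pointer without knowing `pos`, with the caveat that the pos-less recovery is only exact when both chunks sit in the same 4 KiB page.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed heap page (example data, not a real process): offsets from an assumed heap base. */
#define HEAP_BASE 0x555555559000ULL
static uint8_t heap[0x1000];

static void put64(uint64_t va, uint64_t v) { memcpy(heap + (va - HEAP_BASE), &v, 8); }
static uint64_t get64(uint64_t va) { uint64_t v; memcpy(&v, heap + (va - HEAP_BASE), 8); return v; }
static int in_heap(uint64_t va) { return va >= HEAP_BASE && va + 16 <= HEAP_BASE + sizeof heap; }

/* glibc >= 2.32 safe-linking (malloc/malloc.c): PROTECT_PTR(pos, ptr) = ((size_t)pos >> 12) ^ (size_t)ptr,
 * pos being the address of the fd/next field holding the pointer. REVEAL_PTR is the same XOR. */
static uint64_t protect_ptr(uint64_t pos, uint64_t ptr) { return (pos >> 12) ^ ptr; }
static uint64_t reveal_ptr(uint64_t pos, uint64_t stored) { return (pos >> 12) ^ stored; }

/* Build a tcache bin in the constructed heap: entries[0] -> entries[1] -> ... -> NULL.
 * entries[] are user pointers (chunk + 0x10); tcache_entry.next lives at offset 0 of the user data. */
static void build_tcache_bin(const uint64_t *entries, size_t n) {
    memset(heap, 0, sizeof heap);
    for (size_t i = 0; i < n; i++) {
        uint64_t next = (i + 1 < n) ? entries[i + 1] : 0;
        put64(entries[i], protect_ptr(entries[i], next));
        put64(entries[i] + 8, 0);   /* tcache_entry.key, irrelevant here */
    }
}

/* Walk a bin with REVEAL_PTR, bounds-checking every decoded pointer. Returns the count or -1. */
static int walk_tcache_bin(uint64_t head, uint64_t *out, size_t out_len) {
    int count = 0;
    for (uint64_t cur = head; cur && (size_t)count < out_len; ) {
        if (!in_heap(cur)) return -1;
        out[count++] = cur;
        cur = reveal_ptr(cur, get64(cur));
    }
    return count;
}

/* The last entry of a bin has next == NULL, so its stored value is exactly pos >> 12:
 * shifting it back gives the page-aligned address of that chunk, a heap leak with no extra read. */
static uint64_t heap_page_from_last_entry(uint64_t stored) { return stored << 12; }

/* Recover ptr from stored = (pos >> 12) ^ ptr without knowing pos, 12 bits at a time from the top:
 * the top 12 key bits are zero and leak the top 12 bits of ptr, which are the next 12 key bits,
 * and so on. Exact when pos and ptr lie in the same 4 KiB page; otherwise only the low 12 bits can
 * be wrong, which is why knowing pos (the chunk address) is preferable. */
static uint64_t decrypt_safe_linking(uint64_t stored) {
    uint64_t key = 0, plain = 0;
    for (int i = 1; i <= 6; i++) {
        int bits = 64 - 12 * i;
        if (bits < 0) bits = 0;
        plain = ((stored ^ key) >> bits) << bits;
        key = plain >> 12;
    }
    return plain;
}

/* Demo helpers: three 0x40-byte chunks in the same page, freed into one tcache bin. */
static const uint64_t demo_entries[3] = { HEAP_BASE + 0x2a0, HEAP_BASE + 0x2e0, HEAP_BASE + 0x320 };

static int demo_count(void) {
    uint64_t chain[8];
    build_tcache_bin(demo_entries, 3);
    return walk_tcache_bin(demo_entries[0], chain, 8);
}
static uint64_t demo_chain_entry(unsigned idx) {
    uint64_t chain[8];
    build_tcache_bin(demo_entries, 3);
    int n = walk_tcache_bin(demo_entries[0], chain, 8);
    return (int)idx < n ? chain[idx] : 0;
}
static uint64_t demo_stored(unsigned idx) { build_tcache_bin(demo_entries, 3); return get64(demo_entries[idx]); }

int main(void) {
    int n = demo_count();
    for (int i = 0; i < n; i++)
        printf("entry 0x%" PRIx64 " stores 0x%" PRIx64 "\n", demo_chain_entry(i), get64(demo_chain_entry(i)));
    printf("heap page from last entry: 0x%" PRIx64 "\n", heap_page_from_last_entry(demo_stored(2)));
    printf("decrypt(entry0.next) without pos: 0x%" PRIx64 "\n", decrypt_safe_linking(demo_stored(0)));
    return 0;
}
```

The bounds check in the walk is what makes a wrong or unprotected pointer show up as an error instead of a read from an arbitrary address; a dumper that cannot tell whether a target glibc uses safe-linking can try both interpretations and keep the one whose chain validates.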
- `vmmap`: is improved.
- `registers`: is improved.
  - It also shows the raw values of `$eflags` and `$cpsr`.
  - It prints the current ring for x64/x86 when printing `$eflags` (ring state is taken from `$cs`).
  - It prints the current exception level for ARM64 when printing `$cpsr` (secure state is taken from `$SCR_EL3`).
  - It prints the current mode for ARM when printing `$cpsr` (secure state is taken from `$SCR`).
- `context`: is improved.
  - It supports automatic display of system call arguments when calling a system call.
  - It supports automatic display of address and value when accessing memory.
  - It supports smart symbol printing for C++ functions.
- `telescope`: is improved.
- `procinfo`: is improved.
- `elf-info`: is improved.
- `checksec`: is improved.
  - It prints whether the binary is Static or Dynamic.
  - It prints whether the binary is Stripped or not.
  - It detects the canary even in static stripped binaries.
  - It prints whether Intel CET instructions (endbr64/endbr32) are found or not.
  - It prints whether RPATH/RUNPATH is set or not.
  - It prints whether Clang CFI/SafeStack is used or not.
  - It prints whether System-ASLR is enabled or not.
  - It prints whether the GDB ASLR setting is enabled or not.
- `got`: is improved.
- `canary`: is improved.
- `edit-flags`: is improved.
- `unicorn-emulate`: is improved.
- `ropper`: is improved.
  - It does not reset autocomplete settings after calling the imported ropper.
- `hexdump`: is improved.
- `patch`: is improved.
- `search-pattern`: is improved.
- `pid`: prints the pid.
- `filename`: prints the filename.
- `auxv`: pretty prints the ELF auxiliary vector.
- `argv`: pretty prints argv.
- `envp`: pretty prints envp.
- `gdtinfo`: pretty prints a GDT sample.
- `tls`: pretty prints the TLS area.
- `fsbase`, `gsbase`: pretty prints `$fs_base`, `$gs_base`.
- `magic`: resolves useful addresses in glibc.
- `libc`/`ld`/`heapbase`/`codebase`: prints each base address.
- `fpu`/`mmx`/`sse`/`avx`: pretty prints FPU/MMX/SSE/AVX registers.
- `xmmset`: sets a value in an xmm/ymm register simply.
- `mmxset`: sets a value in an mm register simply.
- `exec-until`: executes until a specific operation.
- `exec-next`: executes until the next address.
  - This is useful for operations with the `rep` prefix.
- `add-symbol-temporary`: adds symbol information from the command line.
- `errno`: prints the errno list or a specific errno.
- `u2d`: shows the cast/transformation u64 <-> double/float.
- `pack`, `unpack`: shows the transformation int <-> bytes/hex.
- `tohex`, `unhex`: shows the transformation hex <-> bytes.
- `byteswap`: shows the transformation little-endian <-> big-endian.
- `hash-memory`: calculates the hash of a memory range.
- `memcmp`: compares the contents of address A and B, whether virtual or physical.
- `memcpy`: copies the contents from address A to B, whether virtual or physical.
- `is-mem-zero`: checks whether the contents of an address range are all 0x00 or all 0xff.
- `pdisas`: is a shortcut for `cs-dis $pc LENGTH=50 OPCODES`.
- `ii`: is a shortcut for `x/50i $pc`.
- `version`: shows the versions of the software that gef uses.
- `follow`: changes the `follow-fork-mode` setting.
- `smart-cpp-function-name`: toggles the `context.smart_cpp_function_name` setting.
- `seccomp`: invokes `seccomp-tools`.
- `onegadget`: invokes `one_gadget`.
- `ls`/`cat`: invokes `ls`/`cat` directly.
- `constgrep`: invokes `grep` under `/usr/include`.
- `time`: measures the time taken by a GDB command.
- `rp`: invokes `rp++` with commonly used options.
  - Supports both rp++ v1 and v2.
- `cpuid`: shows the result of cpuid (eax=0,1,2,...).
- `dasm`: disassembles code with capstone.
- `asm-list`: lists instructions (x86/x64 only).
  - This command uses x86data.js from https://github.com/asmjit/asmdb
- `syscall-search`: searches system calls by regex.
- `dwarf-exception-handler`: dumps the DWARF exception handler information.
- `dynamic`: dumps the DYNAMIC area.
- `linkmap`: dumps the linkmap by iterating over it.
- `ret2dl-hint`: shows the structures used by ret2dl as a hint.
- `srop-hint`: shows the code for SROP as a hint.
- `dtor-dump`: dumps some destructor function lists.
- `linklist-walk`: walks a linked list.
- `ptr-demangle`: shows the demangled value of a value mangled by `PTR_MANGLE`.
- `search-mangled-ptr`: searches RW memory for mangled values.
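`ptr-demangle` and `search-mangled-ptr` deal with glibc's `PTR_MANGLE`, which on x86_64 is xor with the pointer guard (at `fs:0x30`, `tcbhead_t.pointer_guard`) followed by `rol $0x11`; other architectures use different operations, so this block is x86_64-specific. The C program below is an added example and not gef's implementation: it mangles and demangles pointers, recovers the guard from one known (mangled, plain) pair, and scans a constructed 16-qword memory image (the guard value, the libc address range and the image contents are all assumed) for values that demangle into that range, which is how mangled function pointers hiding in RW memory (atexit handlers, jmp_buf contents) can be located.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86_64 glibc PTR_MANGLE: xor with the pointer guard, then rol $0x11.
 * PTR_DEMANGLE is the inverse: ror $0x11, then xor. */
static uint64_t rol64(uint64_t x, unsigned n) { return (x << n) | (x >> (64 - n)); }
static uint64_t ror64(uint64_t x, unsigned n) { return (x >> n) | (x << (64 - n)); }
static uint64_t ptr_mangle(uint64_t ptr, uint64_t guard)   { return rol64(ptr ^ guard, 0x11); }
static uint64_t ptr_demangle(uint64_t val, uint64_t guard) { return ror64(val, 0x11) ^ guard; }

/* One known (mangled, plain) pair gives the guard back, e.g. a mangled jmp_buf return address
 * whose real target is already known: guard = ror(mangled, 0x11) ^ plain. */
static uint64_t recover_guard(uint64_t mangled, uint64_t plain) { return ror64(mangled, 0x11) ^ plain; }

/* Scan a memory image for 8-byte values that demangle into [lo, hi). Returns the number of hits;
 * idx[] receives the qword indexes of the first idx_len hits. */
static size_t scan_mangled(const uint64_t *mem, size_t nqwords, uint64_t guard,
                           uint64_t lo, uint64_t hi, size_t *idx, size_t idx_len) {
    size_t hits = 0;
    for (size_t i = 0; i < nqwords; i++) {
        uint64_t plain = ptr_demangle(mem[i], guard);
        if (plain >= lo && plain < hi) {
            if (hits < idx_len) idx[hits] = i;
            hits++;
        }
    }
    return hits;
}

/* Constructed example (not real process memory): an assumed guard, an assumed libc text range,
 * and a 16-qword RW image with two mangled libc pointers hidden among plain data. */
#define GUARD    0x2f8a1c3b5d7e9f01ULL
#define LIBC_LO  0x7ffff7d00000ULL
#define LIBC_HI  0x7ffff7f00000ULL
#define TARGET_A 0x7ffff7e1c2d0ULL
#define TARGET_B 0x7ffff7d45f00ULL

static uint64_t image[16];

static void build_image(void) {
    for (size_t i = 0; i < 16; i++) image[i] = 0x4141414141414141ULL;
    image[2] = 0;
    image[5] = 0x7ffff7e00000ULL;              /* a plain, unmangled libc pointer: must NOT match */
    image[3] = ptr_mangle(TARGET_A, GUARD);     /* mangled pointer into "libc" */
    image[9] = ptr_mangle(TARGET_B, GUARD);
}

static size_t demo_scan(size_t *idx, size_t idx_len) {
    build_image();
    return scan_mangled(image, 16, GUARD, LIBC_LO, LIBC_HI, idx, idx_len);
}

/* Index of the k-th hit in the constructed image, or (size_t)-1 if there is none. */
static size_t demo_hit_index(size_t k) {
    size_t idx[16];
    size_t hits = demo_scan(idx, 16);
    return k < hits ? idx[k] : (size_t)-1;
}

int main(void) {
    size_t idx[16];
    size_t hits = demo_scan(idx, 16);
    for (size_t i = 0; i < hits; i++)
        printf("image[%zu] = 0x%016" PRIx64 " demangles to 0x%" PRIx64 "\n",
               idx[i], image[idx[i]], ptr_demangle(image[idx[i]], GUARD));
    printf("guard recovered from (image[3], TARGET_A): 0x%" PRIx64 "\n",
           recover_guard(image[3], TARGET_A));
    return 0;
}
```

Without the guard the scan cannot run, but in a live process the guard is readable from the TLS block (`fsbase` above gives its location), and once one mangled value with a known plaintext is found, `recover_guard` yields it for the rest of the search.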
- Categories are introduced in `gef help`.
- Combined into one file (from gef-extras).
  - `peek-pointers`, `current-stack-frame`, `xref-telescope`, `bytearray`, `bincompare`, `ftrace` and `v8deref` are moved from gef-extras.
    - This is because a single file is more attractive than ease of maintenance.
  - The system-call table used by `syscall-args` is moved from gef-extras.
    - It was updated up to linux kernel 5.18-rc6 (only x64/x86/ARM64/ARM).
    - Since there are many exceptions in system calls for each architecture, the argument information of system calls was picked up manually.
- Removed some features I don't use.
  - `ida-interact`, `gef-remote`, `pie`, `pcustom`, `ksymaddr`, `shellcode` and `highlight`.
- Many bug fixes / formatting / made it easy for me to use.