rand-tech / bef

GEF - GDB Enhanced Features for exploit devs & reversers

Home Page: http://gef.rtfd.io

What is this

This is a fork of GEF. However, it is specialized for x86 / x64 / ARM / AArch64, and various features have been added. We hope you find it useful as a CTF player, reverser, exploit developer, and so on.

Install

# Run with root user (sudo is NOT recommended)
wget -q https://raw.githubusercontent.com/bata24/gef/dev/install.sh -O- | sh

Upgrade (replace itself)

python3 /root/.gdbinit-gef.py --upgrade

Uninstall

rm -f /root/.gdbinit-gef.py /root/.gef.rc

Dependency

See install.sh.

Added / Improved features

All of these features are experimental. Tested on Ubuntu 18.04 / 20.04 / 22.04 / Debian 10.x.

Qemu-system cooperation

  • It works with qemu-system installed via apt, but qemu-6.x or higher is recommended.
    • Start qemu with the -s option and listen on localhost:1234.
    • Attach with gdb-multiarch -ex 'target remote localhost:1234'.

General

  • qreg: prints register values from qemu-monitor (this makes registers such as $cs available even under qemu 2.x).
    • It is a shortcut for monitor info registers.
    • On x64/x86 it also prints the meaning of each bit of the system registers.
  • sysreg: pretty prints system registers.
    • It is the output of info registers with the general-purpose registers filtered out.
  • pagewalk: prints the page tables by scanning physical memory.
    • x64 (Supported: PML5T/PML4T)
    • x86 (Supported: PAE/Non-PAE)
    • ARM64 (Supported: EL1&0-stage1/EL1&0-stage2/EL2&0-stage1/EL2-stage1/EL3-stage1)
      • ARM v8.7 base.
      • 32bit mode is NOT supported.
      • PAC/MTE are NOT supported.
      • For stage2 translation, you have to run pagewalk arm64 1 and then pagewalk arm64 2.
      • Secure memory scanning is supported, but you have to break in the secure world.
    • ARM (Cortex-A only, LPAE/Non-LPAE, PL0/PL1)
      • PL2 is NOT supported.
      • Secure memory scanning is supported; you don't have to break in the secure world (use the registers with the _S suffix).
  • v2p, p2v: show the translation between virtual and physical addresses.
  • xp: is a shortcut for dumping physical memory.
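To make concrete what pagewalk and v2p compute from raw physical memory, here is an added example (not code from bata24/gef): a minimal x86-64 4-level page-table walker over a constructed physical-memory image. PhysMem, build_sample and all addresses in it are constructed for the demo; the entry layout (P/RW/US/PS/NX bits, frame address in bits 12..51, 4 KiB / 2 MiB / 1 GiB pages) is the standard x86-64 format.

```python
# Added example, not code from bata24/gef: a minimal x86-64 4-level page-table
# walker over a constructed physical-memory image. v2p translates one address,
# pagewalk enumerates every present mapping from the tables themselves.
# Assumptions: 4-level paging, 4 KiB / 2 MiB / 1 GiB pages, no protection keys.
import struct

PAGE = 0x1000
ADDR_MASK = 0x000F_FFFF_FFFF_F000          # bits 12..51 of an entry: next-level frame
P, RW, US, PS, NX = 1 << 0, 1 << 1, 1 << 2, 1 << 7, 1 << 63


class PhysMem:
    """Sparse physical memory made of 4 KiB frames (constructed, not a real dump)."""
    def __init__(self):
        self.frames = {}

    def read64(self, paddr):
        frame = self.frames.get(paddr & ~0xFFF)
        if frame is None:
            raise KeyError(f"unmapped physical address {paddr:#x}")
        return struct.unpack_from("<Q", frame, paddr & 0xFFF)[0]

    def write64(self, paddr, value):
        frame = self.frames.setdefault(paddr & ~0xFFF, bytearray(PAGE))
        struct.pack_into("<Q", frame, paddr & 0xFFF, value)


def perms(*entries):
    """Effective permissions across all levels: writable and user-accessible only
    if every level allows it, executable unless any level sets NX."""
    w = all(e & RW for e in entries)
    u = all(e & US for e in entries)
    x = not any(e & NX for e in entries)
    return "R" + ("W" if w else "-") + ("X" if x else "-") + ("U" if u else "K")


def sign_extend(va):
    """Make a 48-bit virtual address canonical (bit 47 copied into bits 48..63)."""
    return va | 0xFFFF_0000_0000_0000 if va & (1 << 47) else va


def v2p(mem, cr3, va):
    """Translate va through the tables rooted at cr3.
    Returns (pa, perms, page_size) or None if some level is not present."""
    pml4e = mem.read64((cr3 & ADDR_MASK) + ((va >> 39) & 0x1FF) * 8)
    if not pml4e & P:
        return None
    pdpte = mem.read64((pml4e & ADDR_MASK) + ((va >> 30) & 0x1FF) * 8)
    if not pdpte & P:
        return None
    if pdpte & PS:                                   # 1 GiB page
        base = pdpte & ADDR_MASK & ~0x3FFF_FFFF
        return base | (va & 0x3FFF_FFFF), perms(pml4e, pdpte), 1 << 30
    pde = mem.read64((pdpte & ADDR_MASK) + ((va >> 21) & 0x1FF) * 8)
    if not pde & P:
        return None
    if pde & PS:                                     # 2 MiB page
        base = pde & ADDR_MASK & ~0x1F_FFFF
        return base | (va & 0x1F_FFFF), perms(pml4e, pdpte, pde), 1 << 21
    pte = mem.read64((pde & ADDR_MASK) + ((va >> 12) & 0x1FF) * 8)
    if not pte & P:
        return None
    return (pte & ADDR_MASK) | (va & 0xFFF), perms(pml4e, pdpte, pde, pte), PAGE


def pagewalk(mem, cr3):
    """Enumerate every present mapping as (va, pa, size, perms) by scanning the
    tables, which is what a pagewalk listing shows."""
    out = []

    def walk(table_pa, level, va_base, parents):
        shift = 39 - 9 * level                       # level 0 = PML4 ... 3 = PT
        for i in range(512):
            e = mem.read64(table_pa + i * 8)
            if not e & P:
                continue
            va = va_base | (i << shift)
            if level == 3 or (level >= 1 and e & PS):
                size = 1 << shift
                out.append((sign_extend(va), e & ADDR_MASK & ~(size - 1), size, perms(*parents, e)))
            else:
                walk(e & ADDR_MASK, level + 1, va, parents + [e])

    walk(cr3 & ADDR_MASK, 0, 0, [])
    return out


def build_sample():
    """Constructed image: a user RWX 4 KiB page, a kernel RW+NX 2 MiB data page and
    a kernel RX 1 GiB text mapping at 0xffffffff80000000. Returns (mem, cr3)."""
    mem, cr3 = PhysMem(), 0x1000
    mem.write64(0x1000 + 0 * 8, 0x2000 | P | RW | US)           # PML4[0]   -> PDPT
    mem.write64(0x2000 + 0 * 8, 0x3000 | P | RW | US)           # PDPT[0]   -> PD
    mem.write64(0x3000 + 0 * 8, 0x4000 | P | RW | US)           # PD[0]     -> PT
    mem.write64(0x4000 + 0x10 * 8, 0x10000 | P | RW | US)       # PT[0x10]  -> 4 KiB page, va 0x10000
    mem.write64(0x3000 + 1 * 8, 0x200000 | P | RW | PS | NX)    # PD[1]     -> 2 MiB page, va 0x200000
    mem.write64(0x1000 + 0x1FF * 8, 0x5000 | P | RW)            # PML4[511] -> kernel PDPT
    mem.write64(0x5000 + 0x1FE * 8, 0x4000_0000 | P | PS)       # PDPT[510] -> 1 GiB text page
    return mem, cr3


if __name__ == "__main__":
    mem, cr3 = build_sample()
    for va, pa, size, pr in pagewalk(mem, cr3):
        print(f"{va:#018x} -> {pa:#014x} size={size:#x} {pr}")
    print(v2p(mem, cr3, 0xFFFF_FFFF_8123_4567))
```

The permission string is the part worth reading carefully: the CPU ANDs the writable and user bits down the whole path and ORs NX, so a single restrictive upper-level entry changes what a leaf mapping really allows, which is exactly the kind of thing a pagewalk listing is used to audit.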

Linux specific

  • ksymaddr-remote: prints kallsyms information by scanning kernel memory (heuristic).
    • Supported: symbols of the kernel itself.
    • Unsupported: symbols of kernel modules.
    • Supported on x64/x86/ARM64/ARM.
    • Supported whether kASLR is enabled or not.
    • Unsupported: resolving non-function addresses when the kernel is built with CONFIG_KALLSYMS_ALL=n.
    • This command is faster than vmlinux-to-elf, but it may fail to parse depending on the in-memory layout.
  • ksymaddr-remote-apply: applies the kallsyms information obtained by ksymaddr-remote to gdb.
  • vmlinux-to-elf-apply: applies the kallsyms information obtained by vmlinux-to-elf to gdb.
    • Very slow, but probably more accurate than my implementation.
    • Once you have a symbolized vmlinux file, it can be reused and applied automatically even after rebooting qemu-system.
  • slub-dump: dumps slub free-list (heuristic).
    • Original code: https://github.com/PaoloMonti42/salt
    • Supported on x64/x86/ARM64/ARM + SLUB.
    • Unsupported: SLAB, SLOB.
    • Supported whether kASLR is enabled or not.
    • Supported whether CONFIG_SLAB_FREELIST_HARDENED is y or n.
    • Supported whether the vmlinux symbols exist or not.
  • kbase: prints kernel base address.
  • kversion: displays the debugged kernel version.
  • kcmdline: displays the debugged kernel startup cmdline.
  • ktask: displays each task address.
  • kmod: displays each module address.
  • kcdev: displays character device information.
  • kfops: displays fops members.
  • syscall-table-view: prints system call table (x64/x86/ARM64/ARM only).
  • thunk-hunter: collects and displays the thunk addresses that are called automatically (x64/x86 only).
    • If such an address lives in an RW area, it is useful for getting RIP.
  • usermodehelper-hunter: collects and displays information that is executed by call_usermodehelper_setup.

Arch specific

  • msr: prints MSR (Model Specific Registers) values by embedding/executing dynamic assembly.
    • Supported on x64/x86 without -enable-kvm.
  • xsm: dumps secure memory while gdb is in the normal world.
  • wsm: writes a value to secure memory while gdb is in the normal world.
  • bsm: sets a breakpoint in secure memory while gdb is in the normal world.
  • optee-break-ta: sets a breakpoint at an offset of an OPTEE-Trusted-App while gdb is in the normal world.

Other

  • uefi-ovmf-info: displays addresses of some important structures in each boot phase of UEFI when OVMF is used (heuristic).
    • Supported on x64 only.

Heap dump features

  • partition-alloc-dump-stable: dumps partition-alloc free-list (heuristic).
  • partition-alloc-dump-beta: dumps partition-alloc free-list (heuristic).
  • partition-alloc-dump-dev: dumps partition-alloc free-list (heuristic).
  • partition-alloc-dump-old1: dumps partition-alloc free-list (heuristic).
    • For the implementation in 2021 Jul (tested on Google CTF 2021 - fullchain).
    • Not maintained for a while.
  • partition-alloc-dump-old2: dumps partition-alloc free-list (heuristic).
    • For the implementation in 2020 Jun (tested on 0CTF 2020 - chromium fullchain).
    • Not maintained for a while.
  • tcmalloc-dump: dumps tcmalloc free-list (heuristic).
    • For tcmalloc, there are 3 major versions.
      1. tcmalloc that is a part of gperftools published in 2005: supported.
      2. tcmalloc that is included in chromium: supported. (For the implementation in 2020 Jun. Tested on 0CTF 2020 - chromium fullchain).
      3. tcmalloc that is maintained in Google Inc. published in 2020: unsupported.
    • Not maintained for a while.
  • musl-dump: dumps musl-libc unused chunks (heuristic).
    • Supported on x64/x86, based on musl-libc v1.2.2.
  • optee-bget-dump: dumps bget allocator of OPTEE-Trusted-App.

Other improved features

  • Glibc heap commands are improved.
    • Thread arena is supported for all heap commands.
      • Use -a option.
    • They print info if the chunk is in free-list.
    • find-fake-fast: searches memory for a size-like value that could be linked into the fastbin free-list.
    • visual-heap: is a colorized heap viewer.
    • extract-heap-addr: analyzes the protected tcache fd pointer introduced in glibc-2.32.
  • vmmap: is improved.
    • It prints memory map information even when connected to a gdb stub such as qemu-user (heuristic), Intel Pin or Intel SDE.
    • It is redirected to pagewalk when connecting to gdb stub of qemu-system.
  • registers: is improved.
    • It also shows raw values of $eflags and $cpsr.
    • It prints the current ring for x64/x86 when printing $eflags (the ring is taken from $cs).
    • It prints the current exception level for ARM64 when printing $cpsr (the secure state is taken from $SCR_EL3).
    • It prints the current mode for ARM when printing $cpsr (the secure state is taken from $SCR).
  • context: is improved.
    • It supports automatic display of system call arguments when calling a system call.
    • It supports automatic display of address and value when accessing memory.
    • It supports smart symbol printing for cpp function.
      • ex: std::map<int, std::map<int, int>> will be replaced by std::map<...>.
      • command: gef config context.smart_cpp_function_name true or smart-cpp-function-name (the latter toggles the setting).
  • telescope: is improved.
    • It prints ordinal numbers as well as offsets.
    • It prints if there are canary and ret-addr on the target area.
    • It supports an address blacklist (to avoid dying when touching an address mapped to the serial device).
    • It also shows the symbol if available.
  • procinfo: is improved.
    • It prints some additional information.
  • elf-info: is improved.
    • It prints Program Header and Section Header.
    • It supports parsing from memory.
  • checksec: is improved.
    • It prints whether Static or Dynamic.
    • It prints whether Stripped or not.
    • It detects canary against static stripped binary.
    • It prints whether Intel CET instructions (endbr64/endbr32) are found or not.
    • It prints whether RPATH/RUNPATH is set or not.
    • It prints if Clang CFI/SafeStack is used or not.
    • It prints whether System-ASLR is enabled or not.
    • It prints whether GDB ASLR setting is enabled or not.
  • got: is improved.
    • It prints not only GOT address but also PLT address.
    • It scans .plt.sec section if Intel CET is enabled.
  • canary: is improved.
    • It prints all canary positions in memory.
  • edit-flags: is improved.
    • It prints the meaning of each bit if -v option is provided.
  • unicorn-emulate: is improved.
    • It reads and writes correctly to the address pointed to by $fs/$gs.
    • It supports a new mode to stop after executing N instructions (-g).
  • ropper: is improved.
    • It does not reset autocomplete settings after calling imported ropper.
  • hexdump: is improved.
    • It supports physical memory if under qemu-system.
    • It retries with an adjusted read size when reading memory fails.
    • By default, repeated identical lines are omitted.
  • patch: is improved.
    • It supports physical memory if under qemu-system.
    • Added some new modes: patch pattern, patch history, patch revert, patch nop, patch inf, patch trap and patch ret.
      • nop command has been integrated into patch command.
  • search-pattern: is improved.
    • It works under qemu-system (in short, it works without /proc/self/maps).
    • It supports aligned search.
    • It supports hex string specification.
    • It also searches for the UTF-16 form if the target string is ASCII.
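The extract-heap-addr item above refers to the tcache/fastbin "safe-linking" that glibc 2.32 introduced. The following is an added example (not code from bata24/gef) showing the protection, its exact inverse when the chunk address is known, and the heuristic recovery that is possible when only the protected fd value is visible. All chunk addresses in it are constructed samples; protect_ptr/reveal_ptr follow glibc's PROTECT_PTR/REVEAL_PTR macros, and recover_fd is the heuristic described in its docstring.

```python
# Added example, not code from bata24/gef: glibc >= 2.32 safe-linking of the
# tcache/fastbin fd pointer, the reverse step when the chunk address is known,
# and the heuristic recovery when only the protected fd value is visible.
# All addresses below are constructed samples, not values from a real process.

def protect_ptr(pos, ptr):
    """glibc PROTECT_PTR(pos, ptr): pos is the address of the fd field being written."""
    return ((pos >> 12) ^ ptr) & ((1 << 64) - 1)


def reveal_ptr(pos, protected):
    """glibc REVEAL_PTR: exact inverse, valid when the fd field's address is known."""
    return (pos >> 12) ^ protected


def recover_fd(protected):
    """Recover fd from its protected form without knowing pos.
    Works 12 bits at a time from the top: the top 12 bits of pos >> 12 are zero, so
    the top 12 bits of fd are read off directly, and each recovered slice of fd then
    serves as the key for the next lower slice. Exact when pos and fd agree on address
    bits 16 and above (neighbouring chunks of one heap); otherwise only the upper
    slices are right. The low 4 bits come out zero (chunks are 16-byte aligned)."""
    plain = key = 0
    for i in range(1, 6):
        bits = max(64 - 12 * i, 0)
        plain = ((protected ^ key) >> bits) << bits
        key = plain >> 12
    return plain


def walk_bin(fd_fields, head):
    """Walk a singly linked tcache/fastbin chain. fd_fields maps the address of each
    chunk's fd field to the protected value stored there (a stand-in for memory reads);
    head is the user pointer of the first chunk. A NULL fd ends the list."""
    chain, cur = [], head
    while cur:
        chain.append(cur)
        cur = reveal_ptr(cur, fd_fields[cur])
    return chain


def build_sample_bin():
    """Three freed chunks of one tcache bin; user pointers chosen to look like a
    typical PIE heap (constructed). Returns (fd_fields, head)."""
    chunks = [0x5555555592A0, 0x555555559310, 0x555555559380]
    fd_fields = {}
    for cur, nxt in zip(chunks, chunks[1:] + [0]):
        fd_fields[cur] = protect_ptr(cur, nxt)   # last entry: fd is NULL, so it stores cur >> 12
    return fd_fields, chunks[0]


if __name__ == "__main__":
    fd_fields, head = build_sample_bin()
    for pos, val in fd_fields.items():
        print(f"{pos:#x}: protected fd {val:#x} -> recovered {recover_fd(val):#x}")
    print([hex(c) for c in walk_bin(fd_fields, head)])
```

Two things the example makes visible: the last chunk of a bin stores pos >> 12 verbatim because its fd is NULL, so a leaked fd from that chunk reveals the heap's upper address bits directly, and recover_fd degrades gracefully, returning correct upper slices even when the two chunks straddle a boundary that breaks the assumption for the lower ones.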

Other new features

  • pid: prints pid.
  • filename: prints filename.
  • auxv: pretty prints ELF auxiliary vector.
    • Supported also under qemu-user (heuristic).
  • argv: pretty prints argv.
  • envp: pretty prints envp.
  • gdtinfo: pretty prints GDT sample.
  • tls: pretty prints TLS area.
  • fsbase,gsbase: pretty prints $fs_base, $gs_base.
  • magic: resolves useful addresses in glibc.
  • libc/ld/heapbase/codebase: prints each of the base address.
  • fpu/mmx/sse/avx: pretty prints FPU/MMX/SSE/AVX registers.
  • xmmset: sets the value to xmm/ymm register simply.
  • mmxset: sets the value to mm register simply.
  • exec-until: executes until specific operation.
    • Supported on x64/x86/ARM64/ARM for call/jmp/syscall/ret/memory-access/specific-keyword-regex/specific-condition.
    • Supported on x64/x86 for indirect-branch.
    • Please note that this command temporarily closes stdin and stderr on gdb.
  • exec-next: executes until next address.
    • This is useful for the operation with rep prefix.
  • add-symbol-temporary: adds symbol information from command-line.
  • errno: prints errno list or specific errno.
  • u2d: shows cast/transformation u64 <-> double/float.
  • pack,unpack: shows transformation int <-> bytes/hex.
  • tohex,unhex: shows transformation hex <-> bytes.
  • byteswap: shows transformation little-endian <-> big-endian.
  • hash-memory: calculates the hash.
    • Supported: md5, sha1, sha224, sha256, sha384, sha512, crc16, crc32, crc64.
  • memcmp: compares the contents of address A and B, whether virtual or physical.
  • memcpy: copies the contents from address A to B, whether virtual or physical.
  • is-mem-zero: checks whether the contents of an address range are all 0x00 or all 0xff.
  • pdisas: is a shortcut for cs-dis $pc LENGTH=50 OPCODES.
  • ii: is a shortcut for x/50i $pc.
    • It prints the accessed value for memory access operations.
  • version: shows the versions of the software that gef uses.
  • follow: changes follow-fork-mode setting.
  • smart-cpp-function-name: toggles context.smart_cpp_function_name setting.
  • seccomp: invokes seccomp-tools.
  • onegadget: invokes one_gadget.
  • ls/cat: invokes ls/cat directly.
  • constgrep: invokes grep under /usr/include.
  • time: measures the time of the GDB command.
  • rp: invokes rp++ with commonly used options.
    • Supports both rp++ v1 and v2.
  • cpuid: shows the result of cpuid(eax=0,1,2...).
  • dasm: disassembles the code by capstone.
  • asm-list: lists instructions (x86/x64 only).
  • syscall-search: searches system calls by regex.
  • dwarf-exception-handler: dumps the DWARF exception handler information.
  • dynamic: dumps the DYNAMIC area.
  • linkmap: dumps the link map by iterating over it.
  • ret2dl-hint: shows the structure used by ret2dl as hint.
  • srop-hint: shows the code for srop as hint.
  • dtor-dump: dumps some destructor functions list.
  • linklist-walk: walks a linked list.
  • ptr-demangle: shows the demangled value of a value mangled by PTR_MANGLE.
  • search-mangled-ptr: searches RW memory for mangled values.
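For the last two items, here is an added example (not code from bata24/gef) of what PTR_MANGLE/PTR_DEMANGLE do and how a scan for mangled pointers works. The rotation counts follow glibc's sysdep.h (x86-64: xor with the guard at %fs:0x30, then rol 17; i386: xor with the guard at %gs:0x18, then rol 9); the guard value, the pointer, the libc range and the scanned buffer are constructed samples, and search_mangled_ptr with its base parameter is the demo's own function, not the command's implementation.

```python
# Added example, not code from bata24/gef: glibc pointer mangling as done by
# PTR_MANGLE / PTR_DEMANGLE, plus a scan of the kind search-mangled-ptr performs.
# Assumptions: x86-64 uses rol 17 after xor with the guard, i386 uses rol 9;
# GUARD, TARGET, the libc range and the buffer are constructed samples.

def rol(v, n, bits):
    mask = (1 << bits) - 1
    return ((v << n) | (v >> (bits - n))) & mask


def ror(v, n, bits):
    mask = (1 << bits) - 1
    return ((v >> n) | (v << (bits - n))) & mask


ROT = {64: 17, 32: 9}   # rotation count per word size, from glibc's sysdep.h


def ptr_mangle(ptr, guard, bits=64):
    """PTR_MANGLE: xor with the pointer guard, then rotate left."""
    return rol(ptr ^ guard, ROT[bits], bits)


def ptr_demangle(value, guard, bits=64):
    """PTR_DEMANGLE: rotate right, then xor with the pointer guard."""
    return ror(value, ROT[bits], bits) ^ guard


def recover_guard(mangled, plain, bits=64):
    """If one mangled value and its plaintext are both known, the guard follows;
    this is why a single known pointer pair undoes the protection for all others."""
    return ror(mangled, ROT[bits], bits) ^ plain


def search_mangled_ptr(buf, guard, lo, hi, base=0, bits=64):
    """Scan buf (little-endian, word-aligned) and report every word that demangles
    to an address in [lo, hi), as (address_of_word, demangled_pointer)."""
    width = bits // 8
    hits = []
    for off in range(0, len(buf) - width + 1, width):
        word = int.from_bytes(buf[off:off + width], "little")
        d = ptr_demangle(word, guard, bits)
        if lo <= d < hi:
            hits.append((base + off, d))
    return hits


GUARD = 0x1122334455667788                          # constructed, stands in for %fs:0x30
LIBC_LO, LIBC_HI = 0x7FFFF7DC0000, 0x7FFFF7FC0000   # constructed libc mapping range
TARGET = 0x7FFFF7E12340                              # constructed function address in that range


def build_sample_buffer():
    """Four qwords: zero, filler, the raw pointer, and the mangled pointer.
    Only the last one should be reported by the scan."""
    words = [0, 0x4141414141414141, TARGET, ptr_mangle(TARGET, GUARD)]
    return b"".join(w.to_bytes(8, "little") for w in words)


if __name__ == "__main__":
    buf = build_sample_buffer()
    for addr, ptr in search_mangled_ptr(buf, GUARD, LIBC_LO, LIBC_HI, base=0x7FFFF7FFD000):
        print(f"mangled pointer at {addr:#x} -> {ptr:#x}")
```

Note that the raw, unmangled copy of TARGET in the buffer is not reported: demangling it produces a value with high bits set, so a range check on the demangled result is what distinguishes mangled from plain pointers in the scan.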

Other

  • Categories are introduced in gef help.
  • Combined into one file (from gef-extras).
    • peek-pointers, current-stack-frame, xref-telescope, bytearray, bincompare, ftrace and v8deref are moved from gef-extras.
    • This is because a single file is more attractive than ease of maintenance.
  • The system-call table used by syscall-args is moved from gef-extras.
    • It was updated up to linux kernel 5.18-rc6 (only x64/x86/ARM64/ARM).
    • Since each architecture has many exceptions in its system calls, the argument information for each system call was collected manually.
  • Removed some features I don't use.
    • ida-interact, gef-remote, pie, pcustom, ksymaddr, shellcode and highlight.
  • Many bug fixes, formatting changes, and tweaks to make it easier for me to use.

About

License: MIT License
