[1st] Peda vs Pwndbg – GDB Got Pretty!

Peda and Pwndbg

1. Description

Dynamically analyzing a binary with stock gdb is fairly inconvenient.

peda and pwndbg are gdb extensions (strictly, Python scripts that gdb loads through its built-in Python interpreter) that make dynamic debugging far more pleasant.

Here are three examples. The screenshots are of Peda.

 

A. Pretty debugging information at every breakpoint

Until now you probably typed commands like display/10xw $esp by hand, and the output was not even pretty. Peda/Pwndbg show this information automatically every time the program stops, and make it readable. From the moment you install one of them you analyze in this nicer environment. The screen layout is explained in detail below.

B. Recursive dereferencing of memory addresses

If a value in memory is a pointer into another mapped region, the tool follows it and shows the address it points to as well; when the final target is a string or an instruction, it shows the string or the disassembled instruction instead of a raw number. The chain is followed up to a fixed depth and stops at the first value that is not a mapped address.
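How that recursive dereferencing works, as an added example (this is not peda's or pwndbg's own code): the pointer-chasing loop over a constructed memory image, with the ways a chain ends (a string, code, an unmapped value such as the 0x4141... left by an overflow, the depth cap, and a slot that points back at itself). The mapping names, the depth cap of 4 and the FakeMemory class are assumptions for the demo; inside gdb the two FakeMemory methods would wrap gdb.selected_inferior().read_memory() and a parsed `info proc mappings`.

```python
"""Recursive dereferencing as peda's and pwndbg's telescope do it.
Added example, not code from either project; the memory image is constructed."""
import struct
from dataclasses import dataclass

PTR_SIZE = 8      # x86-64
MAX_DEPTH = 4     # assumed chain limit; both tools cap the depth


@dataclass
class Mapping:
    start: int
    end: int
    perms: str    # subset of "rwx", as in /proc/<pid>/maps
    name: str


class FakeMemory:
    """Constructed stand-in for inferior memory. Inside gdb, read() would wrap
    gdb.selected_inferior().read_memory() and mapping_for() a parsed
    `info proc mappings`."""
    def __init__(self, mappings, contents):
        self.mappings = mappings
        self.contents = contents      # mapping start address -> bytes

    def mapping_for(self, addr):
        return next((m for m in self.mappings if m.start <= addr < m.end), None)

    def read(self, addr, n):
        m = self.mapping_for(addr)
        if m is None or "r" not in m.perms:
            raise ValueError(f"cannot read {addr:#x}")
        off = addr - m.start
        return self.contents[m.start][off:off + n]


def read_ptr(mem, addr):
    return struct.unpack("<Q", mem.read(addr, PTR_SIZE))[0]


def read_cstring(mem, addr, limit=64):
    out = bytearray()
    while len(out) < limit:
        b = mem.read(addr + len(out), 1)
        if b in (b"", b"\0"):
            break
        out += b
    return bytes(out)


def looks_printable(bs, minimum=4):
    return len(bs) >= minimum and all(32 <= c < 127 for c in bs)


def classify(mem, addr):
    """Unmapped value, code, printable string, or plain data (keep following)."""
    m = mem.mapping_for(addr)
    if m is None:
        return "value", None
    if "x" in m.perms:
        return "code", m.name
    s = read_cstring(mem, addr)
    if looks_printable(s):
        return "string", s.decode("ascii")
    return "data", m.name


def telescope(mem, addr, depth=MAX_DEPTH):
    """Follow the pointer chain from addr; returns [(address, kind, detail)].

    The chain ends at a string, at code, at an unmapped value, at the depth
    limit, or when an address repeats (a slot that points back to itself)."""
    chain, seen, cur = [], set(), addr
    for _ in range(depth):
        if cur in seen:
            chain.append((cur, "cycle", None))
            break
        seen.add(cur)
        kind, detail = classify(mem, cur)
        chain.append((cur, kind, detail))
        if kind != "data":
            break
        cur = read_ptr(mem, cur)
    return chain


# Constructed image: a stack frame whose four slots point at a heap string,
# at code, at overflowed garbage (0x41...), and back at themselves.
STACK, HEAP, TEXT = 0x7FFD_0000_0000, 0x602000, 0x400000
_slots = struct.pack("<4Q", HEAP + 0x10, TEXT + 0x500,
                     0x4141414141414141, STACK + 24)
MEM = FakeMemory(
    [Mapping(TEXT, TEXT + 0x1000, "r-x", "/tmp/demo"),
     Mapping(HEAP, HEAP + 0x1000, "rw-", "[heap]"),
     Mapping(STACK, STACK + 0x1000, "rw-", "[stack]")],
    {TEXT: bytes(0x1000),
     HEAP: bytes(0x10) + b"flag{example}\0" + bytes(0x1000 - 0x1e),
     STACK: _slots + bytes(0x1000 - len(_slots))},
)

if __name__ == "__main__":
    for off in range(0, 32, 8):
        print(" --> ".join(f"{a:#x} {k} {d}" for a, k, d in telescope(MEM, STACK + off)))
```

The order of the tests in classify() matters: code is decided from the mapping permissions before any bytes are read, and only a printable run of at least four bytes counts as a string, so an 8-byte pointer sitting in a stack slot is not mistaken for text. The `seen` set is what keeps a self-referencing slot from producing an endless chain.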

C. It shows function arguments

When stopped at a call instruction it guesses the arguments and displays them. This is a heuristic based on the platform calling convention (stack slots on x86, registers such as rdi/rsi/rdx on x86-64), so it can be wrong for functions that take fewer arguments than shown or use a non-standard convention.


Isn't that nice? Compared with plain GDB, just installing and turning on peda boosts productivity enormously.


2. Installation

Peda
git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"

Pwndbg
git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh

 

I recommend picking one of the two and using it. Both define commands with the same names (context, telescope, vmmap, checksec, ...), so sourcing both in one session makes whichever loads last silently override the other.

What the Peda and Pwndbg install commands boil down to is: download the code from Github and hook it into gdb. Note that pwndbg's setup.sh installs system packages with sudo as well as Python dependencies; read it before running it, as you would any installer script.

Installed this way, simply typing gdb loads pwndbg or peda automatically.

But sometimes you only want to use them on demand.

In that case, set things up as follows.

Paste the following into ~/.gdbinit.

~/.gdbinit

define init-peda
source /tools/peda/peda.py
end
document init-peda
Initializes the PEDA (Python Exploit Development Assistant for GDB) framework
end

define init-pwndbg
source /tools/pwndbg/gdbinit.py
end
document init-pwndbg
Initializes the PwnDBG
end

 

 

Put both repositories in the same folder.

I created a /tools/ folder and put them there.

Then create /bin/gdb-peda and /bin/pwndbg as follows. (A directory such as /usr/local/bin is a better home for them than /bin, which belongs to the package manager.)

Then you can use all three: gdb, pwndbg and peda!
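A launcher equivalent to those wrapper scripts, as an added example that is not from either project. With the defines from ~/.gdbinit above, each wrapper can be a two-line sh script: `#!/bin/sh` followed by `exec gdb -q -ex init-peda "$@"` (or init-pwndbg). The Python version below does the same from one file that you symlink as gdb-peda and pwndbg (the names the post uses); it sources the plugin's entry script directly and checks that the clone exists before handing over to gdb. The /tools paths and launcher names are the post's layout and are assumptions.

```python
#!/usr/bin/env python3
"""One launcher that starts gdb with exactly one plugin, chosen by the name
it is invoked as (gdb-peda or pwndbg) or by an explicit --tool= flag.
Added example, not from the peda or pwndbg projects; /tools is assumed."""
import os
import sys

# Entry scripts of each plugin, assuming both repos were cloned under /tools
PLUGIN_ENTRY = {
    "peda": "/tools/peda/peda.py",
    "pwndbg": "/tools/pwndbg/gdbinit.py",
}

# Launcher file name -> plugin. Symlink this script under these names.
NAME_TO_TOOL = {
    "gdb-peda": "peda",
    "pwndbg": "pwndbg",
    "gdb-pwndbg": "pwndbg",
}


def tool_from_argv(argv, name_map=NAME_TO_TOOL):
    """Return (tool, remaining_args).

    --tool=NAME anywhere in argv wins; otherwise the basename of argv[0]
    decides. Unknown names raise instead of silently launching bare gdb."""
    rest, tool = [], None
    for arg in argv[1:]:
        if arg.startswith("--tool="):
            tool = arg[len("--tool="):]
        else:
            rest.append(arg)
    if tool is None:
        tool = name_map.get(os.path.basename(argv[0]))
    if tool not in PLUGIN_ENTRY:
        raise ValueError(f"unknown tool {tool!r}; expected one of {sorted(PLUGIN_ENTRY)}")
    return tool, rest


def build_gdb_argv(tool, user_args, plugins=PLUGIN_ENTRY, exists=os.path.exists):
    """gdb command line that sources the plugin before any user -ex commands.

    -q suppresses the banner. The plugin path is checked first so a missing
    clone fails with a clear message rather than with an error inside gdb."""
    path = plugins[tool]
    if not exists(path):
        raise FileNotFoundError(f"{tool} not found at {path}; clone it there first")
    return ["gdb", "-q", "-ex", f"source {path}", *user_args]


def main(argv=None):
    tool, rest = tool_from_argv(sys.argv if argv is None else argv)
    cmd = build_gdb_argv(tool, rest)
    os.execvp(cmd[0], cmd)      # replace this process with gdb


if __name__ == "__main__":
    main()
```

Install it once and link the names: `install -m 755 gdb-launch.py /usr/local/bin/gdb-launch`, then `ln -s gdb-launch /usr/local/bin/gdb-peda` and `ln -s gdb-launch /usr/local/bin/pwndbg`. Keep ~/.gdbinit free of an unconditional `source .../peda.py` line when you use this, otherwise gdb loads that plugin as well and the two fight over command names.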


3. Usage

You can keep using the GDB commands you already know.

But a few commands have been added.


Disas

First, use pdisass instead of disas and the listing comes out colored (the command is the same in peda and pwndbg; gdb also accepts the unambiguous abbreviation pdisas).

When the binary has no main, Pwndbg shows the function currently executing.

Peda, however, does not.


Register View

Pwndbg

Peda

Peda's is cleaner, and when it shows a string from memory it shows the whole string.

It also shows the FLAGS register, which is convenient.

Registers: Peda wins!


Code View

Pwndbg

Peda

Pwndbg's highlighting is better, and it shows more instructions.

Code: Pwndbg wins!


Memory View

Pwndbg

Peda

Pwndbg marks rsp and rbp directly in the memory dump, which is convenient.

Memory: Pwndbg wins!


Legend & Now

Pwndbg

Peda

Pwndbg's is a bit more fine-grained, so Pwndbg wins!

The BackTrace pane, which only Pwndbg has

It grows as the call stack gets deeper. Naturally, Pwndbg wins!


vmmap command

Pwndbg wins thanks to its highlighting!


checksec command

pwndbg shells out to the external checksec tool (os.system("checksec")) to perform the check.

peda performs the check with a built-in function.

So for pwndbg, checksec has to be installed beforehand. pwndbg's setup.sh pulls it in with its Python dependencies (pwntools ships a checksec script), but if you installed pwndbg some other way you have to install it yourself.

Pwndbg
Peda
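What checksec actually inspects, as an added example (this is not pwndbg's or peda's implementation): NX comes from the PT_GNU_STACK program header, PIE from the ELF type, RELRO from PT_GNU_RELRO plus the BIND_NOW dynamic flags, and the canary from the binary referencing __stack_chk_fail. The ELF images are constructed by build_elf() so the script runs without a real binary; constants are the standard elf.h values. The canary test is the same string heuristic checksec.sh uses, and the PIE test is the plain e_type check, so a shared library also reports as PIE.

```python
"""Minimal checksec over the ELF64 headers. Added example, not pwndbg's or
peda's code; the ELF images are constructed in build_elf()."""
import struct

# Constants from elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR, PHDR = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ"      # Elf64_Ehdr / Elf64_Phdr


def checksec(elf: bytes) -> dict:
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("only little-endian ELF64 is handled here")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(EHDR, elf, 0)
    gnu_stack_flags, relro, dyn_off, dyn_size = None, False, None, 0
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = \
            struct.unpack_from(PHDR, elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    # Without PT_GNU_STACK the kernel gives the process an executable stack.
    nx = gnu_stack_flags is not None and not (gnu_stack_flags & PF_X)
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            tag, val = struct.unpack_from("<qQ", elf, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    return {
        "nx": nx,
        # ET_DYN also covers shared libraries; real tools refine this with DF_1_PIE
        "pie": e_type == ET_DYN,
        "relro": "Full" if relro and bind_now else "Partial" if relro else "No",
        # Same heuristic as checksec.sh: the binary references __stack_chk_fail
        "canary": b"__stack_chk_fail" in elf,
    }


def build_elf(*, pie, nx, relro, bind_now, canary) -> bytes:
    """Constructed ELF64 image carrying only the headers checksec() reads."""
    dyn = ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dyn_blob = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    strtab = b"\0__stack_chk_fail\0" if canary else b"\0"
    types = [PT_GNU_STACK, PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    phoff, phsize = 64, 56
    dyn_off = phoff + phsize * len(types)
    phdrs = b""
    for t in types:
        flags, off, size = PF_R | PF_W, 0, 0
        if t == PT_GNU_STACK and not nx:
            flags |= PF_X                      # RWX stack = NX disabled
        if t == PT_DYNAMIC:
            off, size = dyn_off, len(dyn_blob)
        phdrs += struct.pack(PHDR, t, flags, off, off, off, size, size, 8)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELF64, LE, version 1
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,
                       0x1000, phoff, 0, 0, 64, phsize, len(types), 0, 0, 0)
    return ehdr + phdrs + dyn_blob + strtab


if __name__ == "__main__":
    hardened = build_elf(pie=True, nx=True, relro=True, bind_now=True, canary=True)
    weak = build_elf(pie=False, nx=False, relro=False, bind_now=False, canary=False)
    print("hardened:", checksec(hardened))
    print("weak:    ", checksec(weak))
```

On a real file: `checksec(open("/bin/ls", "rb").read())`. The keys mirror the columns both tools print, and because everything is read from headers and the dynamic section, the result does not depend on an external checksec being installed.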

 


Pwndbg commands (entries whose description is None are ordinary shell commands that pwndbg lets you run without leaving gdb)
address              Windbg compatibility alias for 'vmmap' command.
arena                Prints out the main arena or the arena at the specified by address.
arenas               Prints out allocated arenas
argc                 Prints out the number of arguments.
args                 Prints out the contents of argv.
argv                 Prints out the contents of argv.
aslr                 Inspect or modify ASLR status
auxv                 Print information from the Auxiliary ELF Vector.
awk                  None
bash                 None
bc                   Clear the breakpoint with the specified index.
bd                   Disable the breakpoint with the specified index.
be                   Enable the breakpoint with the specified index.
bins                 Prints out the contents of the fastbins, unsortedbin, smallbins, and largebins from the
bl                   List breakpoints
bp                   Set a breakpoint at the specified address.
canary               Print out the current stack canary.
cat                  None
chattr               None
checksec             Prints out the binary security settings using `checksec`.
chmod                None
chown                None
config               Shows pwndbg-specific configuration points
configfile           Generates a configuration file for the current Pwndbg options
context              Print out the current register, instruction, and stack context.
cp                   None
cpsr                 Print out ARM CPSR register
da                   Dump a string at the specified address.
date                 None
db                   Starting at the specified address, dump N bytes
dc                   None
dd                   Starting at the specified address, dump N dwords
dds                  Dump pointers and symbols at the specified address.
diff                 None
distance             Print the distance between the two arguments
down                 Select and print stack frame called by this one.
dps                  Dump pointers and symbols at the specified address.
dq                   Starting at the specified address, dump N qwords
dqs                  Dump pointers and symbols at the specified address.
ds                   Dump a string at the specified address.
dt                   Dump out information on a type (e.g. ucontext_t).
dumpargs             Prints determined arguments for call instruction. Pass --all to see all possible arguments.
dw                   Starting at the specified address, dump N words
eb                   Write hex bytes at the specified address.
ed                   Write hex dwords at the specified address.
egrep                None
elfheader            Prints the section mappings contained in the ELF header.
emulate              Like nearpc, but will emulate instructions from the current $PC forward.
entry                Set a breakpoint at the first instruction executed in
entry_point          GDBINIT compatibility alias to print the entry point.
env                  Prints out the contents of the environment.
environ              Prints out the contents of the environment.
envp                 Prints out the contents of the environment.
eq                   Write hex qwords at the specified address.
errno                Converts errno (or argument) to its string representation.
ew                   Write hex words at the specified address.
ez                   Write a string at the specified address.
eza                  Write a string at the specified address.
fastbins             Prints out the contents of the fastbins of the main arena or the arena
find_fake_fast       Finds candidate fake fast chunks that will overlap with the specified
fsbase               Prints out the FS base address.  See also $fsbase.
getfile              None
getpid               None
go                   Windbg compatibility alias for 'continue' command.
got                  Show the state of the Global Offset Table
gotplt               Prints any symbols found in the .got.plt section if it exists.
grep                 None
gsbase               Prints out the GS base address.  See also $gsbase.
heap                 Prints out all chunks in the main_arena, or the arena specified by `addr`.
hexdump              Hexdumps data at the specified address (or at $sp)
id                   None
init                 GDBINIT compatibility alias for 'start' command.
j                    Synchronize IDA's cursor with GDB
k                    Print a backtrace (alias 'bt')
kd                   Dump pointers and symbols at the specified address.
largebins            Prints out the contents of the large bin of the main arena or the arena
less                 None
libs                 GDBINIT compatibility alias for 'libs' command.
lm                   Windbg compatibility alias for 'vmmap' command.
ln                   List the symbols nearest to the provided value.
ls                   None
main                 GDBINIT compatibility alias for 'main' command.
malloc_chunk         Prints out the malloc_chunk at the specified address.
man                  None
memfrob              memfrob(address, count)
mkdir                None
mktemp               None
more                 None
mp                   Prints out the mp_ structure from glibc
mv                   None
nano                 None
nc                   None
nearpc               Disassemble near a specified address.
next_syscall         Breaks at the next syscall.
nextcall             Breaks at the next call instruction
nextjmp              Breaks at the next jump instruction
nextjump             Breaks at the next jump instruction
nextproginstr        Breaks at the next instruction that belongs to the running program
nextret              None
nextsc               Breaks at the next syscall.
pc                   Windbg compatibility alias for 'nextcall' command.
pdisass              Compatibility layer for PEDA's pdisass command
peb                  None
pid                  None
ping                 None
pkill                None
plt                  Prints any symbols found in the .plt section if it exists.
procinfo             Display information about the running process.
ps                   None
pstree               None
pwd                  None
pwndbg               Prints out a list of all pwndbg commands. The list can be optionally filtered if filter_pattern is passed.
r2                   .
regs                 Print out all registers and enhance the information.
reinit_pwndbg        Makes pwndbg reinitialize all state.
reload               None
retaddr              Print out the stack addresses that contain return addresses.
rm                   None
rop                  Dump ROP gadgets with Jon Salwan's ROPgadget tool.
ropgadget            None
ropper               ROP gadget search with ropper.
save_ida             Save the IDA database
search               Search memory for byte sequences, strings, pointers, and integer values
sed                  None
sh                   None
smallbins            Prints out the contents of the small bin of the main arena or the arena
so                   Alias for stepover
sort                 None
ssh                  None
sstart               GDBINIT compatibility alias for 'tbreak __libc_start_main; run' command.
stack                dereferences on stack data with specified count and offset
start                Set a breakpoint at a convenient location in the binary,
stepover             Sets a breakpoint on the instruction after this one
sudo                 None
tail                 None
telescope            Recursively dereferences pointers starting at the specified address
theme                Shows pwndbg-specific theme configuration points.
themefile            Generates a configuration file for the current Pwndbg theme options
top                  None
top_chunk            Prints out the address of the top chunk of the main arena, or of the arena
touch                None
u                    Starting at the specified address, disassemble
uniq                 None
unsortedbin          Prints out the contents of the unsorted bin of the main arena or the
up                   Select and print stack frame that called this one.
version              Displays gdb, python and pwndbg versions.
vi                   None
vim                  None
vmmap                Print virtual memory map pages. Results can be filtered by providing address/module name.
vmmap_add            Add Print virtual memory map page.
vmmap_clear          None
vmmap_load           Load virtual memory map pages from ELF file.
vprot                Windbg compatibility alias for 'vmmap' command.
w                    None
wget                 None
who                  None
whoami               None
xinfo                Shows offsets of the specified address to useful other locations
xor                  xor(address, key, count)

Peda commands
aslr — Show/set ASLR setting of GDB
asmsearch — Search for ASM instructions in memory
assemble — On the fly assemble and execute instructions using NASM
checksec — Check for various security options of binary
cmpmem — Compare content of a memory region with a file
context — Display various information of current execution context
context_code — Display nearby disassembly at $PC of current execution context
context_register — Display register information of current execution context
context_stack — Display stack of current execution context
crashdump — Display crashdump info and save to file
deactive — Bypass a function by ignoring its execution (eg sleep/alarm)
distance — Calculate distance between two addresses
dumpargs — Display arguments passed to a function when stopped at a call instruction
dumpmem — Dump content of a memory region to raw binary file
dumprop — Dump all ROP gadgets in specific memory range
eflags — Display/set/clear/toggle value of eflags register
elfheader — Get headers information from debugged ELF file
elfsymbol — Get non-debugging symbol information from an ELF file
gennop — Generate arbitrary length NOP sled using given characters
getfile — Get exec filename of current debugged process
getpid — Get PID of current debugged process
goto — Continue execution at an address
help — Print the usage manual for PEDA commands
hexdump — Display hex/ascii dump of data in memory
hexprint — Display hexified data in memory
jmpcall — Search for JMP/CALL instructions in memory
loadmem — Load contents of a raw binary file to memory
lookup — Search for all addresses/references to addresses which belong to a memory range
nearpc — Disassemble instructions nearby current PC or given address
nextcall — Step until next 'call' instruction in specific memory range
nextjmp — Step until next 'j*' instruction in specific memory range
nxtest — Perform real NX test to see if it is enabled/supported by OS
patch — Patch memory start at an address with string/hexstring/int
pattern — Generate, search, or write a cyclic pattern to memory
pattern_arg — Set argument list with cyclic pattern
pattern_create — Generate a cyclic pattern
pattern_env — Set environment variable with a cyclic pattern
pattern_offset — Search for offset of a value in cyclic pattern
pattern_patch — Write a cyclic pattern to memory
pattern_search — Search a cyclic pattern in registers and memory
payload — Generate various type of ROP payload using ret2plt
pdisass — Format output of gdb disassemble command with colors
pltbreak — Set breakpoint at PLT functions match name regex
procinfo — Display various info from /proc/pid/
profile — Simple profiling to count executed instructions in the program
pyhelp — Wrapper for python built-in help
readelf — Get headers information from an ELF file
refsearch — Search for all references to a value in memory ranges
reload — Reload PEDA sources, keep current options untouched
ropgadget — Get common ROP gadgets of binary or library
ropsearch — Search for ROP gadgets in memory
searchmem — Search for a pattern in memory; support regex search
session — Save/restore a working gdb session to file as a script
set — Set various PEDA options and other settings
sgrep — Search for full strings contain the given pattern
shellcode — Generate or download common shellcodes.
show — Show various PEDA options and other settings
skeleton — Generate python exploit code template
skipi — Skip execution of next count instructions
snapshot — Save/restore process's snapshot to/from file
start — Start debugged program and stop at most convenient entry
stepuntil — Step until a desired instruction in specific memory range
strings — Display printable strings in memory
substr — Search for substrings of a given string/number in memory
telescope — Display memory content at an address with smart dereferences
tracecall — Trace function calls made by the program
traceinst — Trace specific instructions executed by the program
unptrace — Disable anti-ptrace detection
utils — Miscellaneous utilities from utils module
vmmap — Get virtual mapping address ranges of section(s) in debugged process
waitfor — Try to attach to new forked process; mimic "attach -waitfor"
xinfo — Display detail information of address/registers
xormem — XOR a memory region with a key
xprint — Extra support to GDB’s print command
xrefs — Search for all call/data access references to a function/variable
xuntil — Continue execution until an address or function
 

Try both and use whichever you find more comfortable.

And at least know which commands exist.

You might need one of them someday, right?


Unauthorized copying is not welcome!

Jangtaejin < [email protected] >

 

2 Replies to "[1st] Peda vs Pwndbg – GDB Got Pretty!"

  1. I will post the commands translated into Korean soon.
